Bug#854711: Unblocking package netkit-ftp-ssl, resolving #854460.
Package: release.debian.org
Severity: important
Tags: patch

Being the maintainer of netkit-ftp-ssl, I request an unblocking of netkit-ftp-ssl in version 0.17.34+0.2-4. This upload resolves successfully the bug #854460 of severity 'important'.

The problem is interoperability with TLS-able FTP servers, like Proftpd, which mandate that the data connection reuse the session identity set by the control channel. The presently available version in testing, 0.17.34+0.2-3, is not able to fetch files or get listings with TLS protection due to an accidental inactivation of function SSL_copy_session_id(). This is a legacy function, not documented in any manual page, and only mentioned in one file 'ssleay.txt' of the openssl archive. The debdiff reactivates this function call, which was commented out by me due to a misunderstanding.

In addition, it turns out to be decisive to forbid the use of libssl in version 1.1 for the binary package. The reason being that libssl (>= 1.1.0) only succeeds to reuse the session identity a single time, yes really a single time, with the present unintrusive and long time used solution. Therefore I had to change the build dependency to read

    libssl1.0-dev | libssl-dev (<< 1.1.0~)

Both changes are necessary and they lead also to a package that can be built directly in Wheezy without any changes, allowing trivial backporting.

The packages netkit-ftp-ssl, linux-ftpd-ssl and netkit-telnet-ssl have seen substantial improvement for certificate verification and identification for this Debian release, but only the binary ftp-ssl is affected by the present issue.

Best regards,
Mats Erik Andersson, DM

diff -Nru netkit-ftp-ssl-0.17.34+0.2/debian/changelog netkit-ftp-ssl-0.17.34+0.2/debian/changelog --- netkit-ftp-ssl-0.17.34+0.2/debian/changelog 2017-01-18 19:33:56.0 +0100 +++ netkit-ftp-ssl-0.17.34+0.2/debian/changelog 2017-02-08 18:39:46.0 +0100 
@@ -1,3 +1,14 @@ +netkit-ftp-ssl (0.17.34+0.2-4) unstable; urgency=medium + + * Correctly reuse SSL session identity in data connection. +This suffices for libssl1.0, not for libssl1.1. (Closes: #854460) ++ debian/patches/700_prefer_tls.diff: Reactivate commented out + function call to SSL_copy_session_id(). ++ debian/control: Prefer libssl1.0-dev and condition libssl-dev + on "<< 1.1.0~" for trivial backporting. + + -- Mats Erik Andersson <mats.anders...@gisladisker.se> Wed, 08 Feb 2017 18:39:46 +0100 + netkit-ftp-ssl (0.17.34+0.2-3) unstable; urgency=low * Allow verification mode to print additional details about the diff -Nru netkit-ftp-ssl-0.17.34+0.2/debian/control netkit-ftp-ssl-0.17.34+0.2/debian/control --- netkit-ftp-ssl-0.17.34+0.2/debian/control 2017-01-10 15:37:21.0 +0100 +++ netkit-ftp-ssl-0.17.34+0.2/debian/control 2017-02-08 18:30:50.0 +0100 @@ -4,7 +4,7 @@ Maintainer: Mats Erik Andersson <mats.anders...@gisladisker.se> Uploaders: Alberto Gonzalez Iniesta <a...@inittab.org> Standards-Version: 3.9.8 -Build-Depends: debhelper (>= 9), libeditline-dev, libncurses5-dev, libssl-dev | libssl1.0-dev +Build-Depends: debhelper (>= 9), libeditline-dev, libncurses5-dev, libssl1.0-dev | libssl-dev (<< 1.1.0~) Package: ftp-ssl Architecture: any diff -Nru netkit-ftp-ssl-0.17.34+0.2/debian/patches/700_prefer_tls.diff netkit-ftp-ssl-0.17.34+0.2/debian/patches/700_prefer_tls.diff --- netkit-ftp-ssl-0.17.34+0.2/debian/patches/700_prefer_tls.diff 2017-01-18 19:33:41.0 +0100 +++ netkit-ftp-ssl-0.17.34+0.2/debian/patches/700_prefer_tls.diff 2017-02-08 15:39:49.00000 +0100 @@ -23,7 +23,7 @@ . Author: Mats Erik Andersson <deb...@gisladisker.se> Forwarded: no -Last-Update: 2017-01-18 +Last-Update: 2017-02-07 diff -Naurp netkit-ftp-0.17.debian/ftp/cmds.c netkit-ftp-0.17/ftp/cmds.c --- netkit-ftp-0.17.debian/ftp/cmds.c 2016-12-23 00:05:51.820239257 +0100 
@@ -190,20 +190,8 @@ .Xr ftpd 8 , diff -Naurp netkit-ftp-0.17.debian/ftp/ftp.c netkit-ftp-0.17/ftp/ftp.c --- netkit-ftp-0.17.debian/ftp/ftp.c 2016-12-23 00:05:52.380213160 +0100 -+++ netkit-ftp-0.17/ftp/ftp.c 2017-01-18 19:19:27.145786765 +0100 -@@ -1672,7 +1672,10 @@ dataconn(const char *lmode) -* this quick assuming Eric has this going -* okay! ;-) -*/ -- SSL_copy_session_id(ssl_data_con,ssl_con); -+ /* MEA: Do not use deterministic session identities -+ * in a subordinate connection. -+ */ -+ //SSL_copy_session_id(ssl_data_con,ssl_con); - - /* we are doing I/O and not using select so -* it is "safe" to read ahead -@@ -1686,12 +1689,17 @@ dataconn(const char *lmode) netkit-ftp-0.17/ftp/ftp.c 2017-02-07 23:35:32.871433587 +0100 +@@ -1686,12 +1686,17 @@ dataconn(const char *lmode) if ((ret=SSL_connect(ssl_data_con))<=0) { static char errbuf[1024]; @@ -224,7
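Review bot: The new Build-Depends line in debian/control gives no reason for the "(<< 1.1.0~)" bound on libssl-dev, and the bound is only a build-time restriction. A comment line above Build-Depends pointing to #854460 would keep a later cleanup from lifting the bound while the session reuse still depends on libssl1.0.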
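Review bot: In the ftp.c part of 700_prefer_tls.diff the call SSL_copy_session_id(ssl_data_con,ssl_con) in dataconn() returns with only the old "assuming Eric has this going okay" remark above it, and the dropped "MEA: Do not use deterministic session identities" comment shows how easily the call is taken for something to remove. A short comment at the call, stating that the data connection must reuse the session of the control channel for servers that mandate it, would document why it has to stay. The patch as shown breaks off at "@@ -224,7", so the rest of it cannot be reviewed here.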
Bug#790692: wheezy-pu: package ftpd-ssl/0.17.33+0.3-1+deb7u1
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu

Hello all,

I would like to proceed with an update also to oldstable/wheezy of the SSL-enhanced FTP server built from linux-ftpd-ssl. It deals with the same denial of service as was established in the report #788331, and the remedy is identical to the one applied to testing as well as queued for jessie-pu.

The relevant debdiff is herewith attached.

Best regards,
Mats Erik Andersson, present maintainer of linux-ftpd-ssl.

diff -Nru linux-ftpd-ssl-0.17.33+0.3/debian/changelog linux-ftpd-ssl-0.17.33+0.3/debian/changelog --- linux-ftpd-ssl-0.17.33+0.3/debian/changelog 2011-04-20 03:47:23.0 +0200 +++ linux-ftpd-ssl-0.17.33+0.3/debian/changelog 2015-06-30 01:04:24.0 +0200 @@ -1,3 +1,11 @@ +linux-ftpd-ssl (0.17.33+0.3-1+deb7u1) wheezy; urgency=medium + + * QA Upload + * NLST of empty directory results in segfault. (Closes: #788331) ++ debian/patches/500-ssl.diff: Updated. + + -- Mats Erik Andersson mats.anders...@gisladisker.se Tue, 30 Jun 2015 01:04:03 +0200 + linux-ftpd-ssl (0.17.33+0.3-1) unstable; urgency=low * Update to linux-ftpd 0.17-33. diff -Nru linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff --- linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff 2011-04-20 03:47:23.0 +0200 +++ linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff 2015-06-16 13:46:42.0 +0200 @@ -3,7 +3,7 @@ Origin: ftp://ftp.uni-mainz.de/pub/software/security/ssl/SSL-MZapps/linux-ftpd-0.17+ssl-0.3.diff.gz Forwarded: not-needed Author: Tim Hudson t...@cryptsoft.com -Last-Update: 2010-06-21 +Last-Update: 2015-06-11 Index: linux-ftpd-ssl/ftpd/Makefile === 
@@ -917,10 +917,12 @@ byte_count += strlen(nbuf) + 1; } } -@@ -2705,6 +3193,13 @@ +@@ -2704,8 +3193,16 @@ + reply(226, Transfer complete.); transflag = 0; - if (dout != NULL) +- if (dout != NULL) ++ if (dout != NULL) { +#ifdef USE_SSL +if (ssl_data_active_flag (ssl_data_con!=NULL)) { + SSL_free(ssl_data_con); @@ -929,8 +931,10 @@ + } +#endif /* USE_SSL */ (void) fclose(dout); ++ } data = -1; pdata = -1; + out: @@ -2792,3 +3287,223 @@ } #endif/* TCPWRAPPERS */
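Review bot: With the braces added in the hunk at -2704,8 the SSL_free(ssl_data_con) cleanup under USE_SSL still runs only when dout != NULL. If this code can be reached with dout == NULL while ssl_data_con is active, the SSL object is never freed here; either move the USE_SSL block out of the dout test, or add a comment saying that no data connection exists in that case.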
Bug#790245: jessie-pu: package ftpd-ssl/0.17.33+0.3-1deb8u1
On Saturday 27 June 2015 at 23:11, Adam D. Barratt wrote:

> > > Please go ahead, thanks (bearing in mind the notes above).
> >
> > I have uploaded a built package to 'mentors.debian.net'. It is the only location known to be accessible to me. Tell me if I should deposit the package somewhere else.
>
> Well, it'll need to get to ftp-master in order to be accepted, but mentors is likely as good a place as any to make it available for potential sponsors.

This reminds me that there is a short time window at ftp-master where my package is available also without an accepted GPG-key. I have just uploaded the built package to '/pub/UpLoadQueue/'. It remains to be seen whether it stays available long enough, and whether a suitable manual intervention is possible.

Best regards,
Mats E A
Bug#790245: jessie-pu: package ftpd-ssl/0.17.33+0.3-1deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear all,

the SSL-enhanced FTP server built from linux-ftpd-ssl was recently uncovered to produce a denial of service, as was demonstrated in #788331. The package has been updated in testing and unstable, but since the error is present ever since at least June, 2010 [sic!], I would like to propose an update also to the stable package release. The needed change can be made verbatim with the alteration to unstable.

The corresponding debdiff output and a description are attached.

Best regards,
Mats Erik Andersson, present maintainer

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

This proposed change protects against #788331, which in an identical form has been applied to version 0.17.35+0.3+2, present in testing. Observe that the update of the source patch 'debian/patches/500-ssl.diff' is the first change during five years of time, so the very same change is applicable to old-old-stable!

The problem is that the present server crashes when the client asks for a name listing, using the command 'nl', i.e., NLST, of an empty directory. The cause is a missing code block in the original patch, which can cause the execution of 'fclose(NULL)' and a segmentation fault. This results in a denial of service since the server side executable dies.

diff -Nru linux-ftpd-ssl-0.17.33+0.3/debian/changelog linux-ftpd-ssl-0.17.33+0.3/debian/changelog - --- linux-ftpd-ssl-0.17.33+0.3/debian/changelog 2011-04-20 03:47:23.0 +0200 +++ linux-ftpd-ssl-0.17.33+0.3/debian/changelog 2015-06-16 14:00:05.0 +0200 
@@ -1,3 +1,11 @@ +linux-ftpd-ssl (0.17.33+0.3-1deb8u1) jessie; urgency=medium + + * QA Upload + * NLST of empty directory results in segfault. ++ debian/patches/500-ssl.diff: Updated. + + -- Mats Erik Andersson mats.anders...@gisladisker.se Tue, 16 Jun 2015 13:47:15 +0200 + linux-ftpd-ssl (0.17.33+0.3-1) unstable; urgency=low * Update to linux-ftpd 0.17-33. diff -Nru linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff - --- linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff2011-04-20 03:47:23.0 +0200 +++ linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff 2015-06-16 13:46:42.0 +0200 @@ -3,7 +3,7 @@ Origin: ftp://ftp.uni-mainz.de/pub/software/security/ssl/SSL-MZapps/linux-ftpd-0.17+ssl-0.3.diff.gz Forwarded: not-needed Author: Tim Hudson t...@cryptsoft.com - -Last-Update: 2010-06-21 +Last-Update: 2015-06-11 Index: linux-ftpd-ssl/ftpd/Makefile === @@ -917,10 +917,12 @@ byte_count += strlen(nbuf) + 1; } } - -@@ -2705,6 +3193,13 @@ +@@ -2704,8 +3193,16 @@ + reply(226, Transfer complete.); transflag = 0; - - if (dout != NULL) +- if (dout != NULL) ++ if (dout != NULL) { +#ifdef USE_SSL +if (ssl_data_active_flag (ssl_data_con!=NULL)) { + SSL_free(ssl_data_con); @@ -929,8 +931,10 @@ + } +#endif /* USE_SSL */ (void) fclose(dout); ++ } data = -1; pdata = -1; + out: @@ -2792,3 +3287,223 @@ } #endif/* TCPWRAPPERS */ -BEGIN PGP SIGNATURE- Version: GnuPG v1 iEYEARECAAYFAlWJ6asACgkQG7N1M011A3anNwCgyPrqn5d2yohLGIFoywmPytA7 HaUAnRX79aB4IjjCY/RUpmUVXNIO81K0 =vgHI -END PGP SIGNATURE-
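Review bot: The changelog hunk names the version 0.17.33+0.3-1deb8u1, without a '+' before deb8u1, and its NLST entry carries no "(Closes: #788331)" although the description names that bug as the reason for the upload. Use 0.17.33+0.3-1+deb8u1 and add the Closes reference so that the bug is closed by the upload.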
Bug#790245: jessie-pu: package ftpd-ssl/0.17.33+0.3-1deb8u1
On Saturday 27 June 2015 at 19:27, Adam D. Barratt wrote:

> On Sat, 2015-06-27 at 19:47 +0200, Mats Erik Andersson wrote:
> > was recently uncovered to produce a denial of service, as was demonstrated in #788331.
>
> That bug should be closed in the changelog.

Right, for unstable it was closed by 0.17.35+0.3-2. While at it, I added a 'found' also for the presently relevant version 0.17.33+0.3-1.

> > +linux-ftpd-ssl (0.17.33+0.3-1deb8u1) jessie; urgency=medium
>
> That should be 0.17.33+0.3-1+deb8u1.

Corrected.

> > since the error is present ever since at least June, 2010 [sic!], I would like to propose an update also to the stable
>
> Please go ahead, thanks (bearing in mind the notes above).

I have uploaded a built package to 'mentors.debian.net'. It is the only location known to be accessible to me. Tell me if I should deposit the package somewhere else. The new deb diff is attached.

> Have you considered preparing updates for wheezy and squeeze-lts?

Yes, but I need to prepare clean build environments to do so.

Best regards,
Mats E A

diff -Nru linux-ftpd-ssl-0.17.33+0.3/debian/changelog linux-ftpd-ssl-0.17.33+0.3/debian/changelog --- linux-ftpd-ssl-0.17.33+0.3/debian/changelog 2011-04-20 03:47:23.0 +0200 +++ linux-ftpd-ssl-0.17.33+0.3/debian/changelog 2015-06-27 22:27:06.0 +0200 @@ -1,3 +1,11 @@ +linux-ftpd-ssl (0.17.33+0.3-1+deb8u1) jessie; urgency=medium + + * QA Upload + * NLST of empty directory results in segfault. (Closes: #788331) ++ debian/patches/500-ssl.diff: Updated. + + -- Mats Erik Andersson mats.anders...@gisladisker.se Sat, 27 Jun 2015 22:17:53 +0200 + linux-ftpd-ssl (0.17.33+0.3-1) unstable; urgency=low * Update to linux-ftpd 0.17-33. diff -Nru linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff --- linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff 2011-04-20 03:47:23.0 +0200 +++ linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff 2015-06-16 13:46:42.0 +0200 
@@ -3,7 +3,7 @@ Origin: ftp://ftp.uni-mainz.de/pub/software/security/ssl/SSL-MZapps/linux-ftpd-0.17+ssl-0.3.diff.gz Forwarded: not-needed Author: Tim Hudson t...@cryptsoft.com -Last-Update: 2010-06-21 +Last-Update: 2015-06-11 Index: linux-ftpd-ssl/ftpd/Makefile === @@ -917,10 +917,12 @@ byte_count += strlen(nbuf) + 1; } } -@@ -2705,6 +3193,13 @@ +@@ -2704,8 +3193,16 @@ + reply(226, Transfer complete.); transflag = 0; - if (dout != NULL) +- if (dout != NULL) ++ if (dout != NULL) { +#ifdef USE_SSL +if (ssl_data_active_flag (ssl_data_con!=NULL)) { + SSL_free(ssl_data_con); @@ -929,8 +931,10 @@ + } +#endif /* USE_SSL */ (void) fclose(dout); ++ } data = -1; pdata = -1; + out: @@ -2792,3 +3287,223 @@ } #endif /* TCPWRAPPERS */
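Review bot: The fix is made by editing debian/patches/500-ssl.diff in place, so the change to the fclose(dout) guard appears only as a diff of a diff under the header "Author: Tim Hudson" with a bumped Last-Update. A separate patch file applied after 500-ssl.diff, with its own description and a reference to #788331, would make the change readable on its own and keep the origin of the imported patch intact.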
Updating rush_1.7+dfsg-1 due to CVE-2013-6889.
Dear supervisors,

I would like to pledge for an update of the package rush_1.7+dfsg-1 within the stable release. The cause is CVE-2013-6889:

http://bugs.debian.org/733505

The matter concerns file access elevation due to SUID-bit when running the software in test mode. The issue has been resolved and uploaded to unstable by rush_1.7+dfsg-4 and I propose the identical patching for the package kept in the stable release. The upstream project has incorporated my patch verbatim in its repository.

Best regards,
Mats Erik Andersson, maintainer of GNU Rush

diff -Nru rush-1.7+dfsg/debian/changelog rush-1.7+dfsg/debian/changelog --- rush-1.7+dfsg/debian/changelog 2011-07-06 17:48:31.0 +0200 +++ rush-1.7+dfsg/debian/changelog 2014-01-24 13:15:27.0 +0100 @@ -1,3 +1,10 @@ +rush (1.7+dfsg-1+deb7u1) stable-security; urgency=high + + * Attend to CVE-2013-6889, file access escalation. ++ debian/patches/cve_2013_6889.diff: New file. + + -- Mats Erik Andersson mats.anders...@gisladisker.se Fri, 24 Jan 2014 13:13:09 +0100 + rush (1.7+dfsg-1) unstable; urgency=low * Initial release. (Closes: #515198) diff -Nru rush-1.7+dfsg/debian/patches/cve_2013_6889.diff rush-1.7+dfsg/debian/patches/cve_2013_6889.diff --- rush-1.7+dfsg/debian/patches/cve_2013_6889.diff 1970-01-01 01:00:00.0 +0100 +++ rush-1.7+dfsg/debian/patches/cve_2013_6889.diff 2014-01-19 16:42:45.0 +0100 
@@ -0,0 +1,27 @@ +Description: CVE-2013-6889, elevated access. + The executable will, when used with SUID-bit set, + allow opening and reading access to every system + file also by an unprivileged user, whenever invocation + is done in testing mode, i.e., using '-t' without '-u'. + . + Prevent this mistake by resetting the effective user + identification to the real user identification when- + ever testing mode is asked for. +Author: Mats Erik Andersson deb...@gisladisker.se +Forwarded: yes +Bug-Debian: http://bugs.debian.org/733505 +Last-update: 2014-01-16 + +--- rush-1.7+dfsg.debian/src/rush.c rush-1.7+dfsg/src/rush.c +@@ -913,6 +913,10 @@ main(int argc, char **argv) + } else if (argc optind) + die(usage_error, NULL, _(invalid command line)); + ++ /* Step down from SUID when running in test mode. */ ++ if (lint_option) ++ setuid(getuid()); ++ + if (test_user_name) { + struct passwd *pw = getpwnam(test_user_name); + if (!pw) diff -Nru rush-1.7+dfsg/debian/patches/series rush-1.7+dfsg/debian/patches/series --- rush-1.7+dfsg/debian/patches/series 2011-04-18 14:07:15.0 +0200 +++ rush-1.7+dfsg/debian/patches/series 2014-01-24 13:12:34.0 +0100 @@ -1,2 +1,3 @@ dfsg_reduction.diff tcpmux_service.diff +cve_2013_6889.diff
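Review bot: The added setuid(getuid()) in main() of src/rush.c ignores its return value, so a failed call leaves test mode running with the SUID identity it was meant to give up. Check the result and stop via die() when it is non-zero, so that the lint path is never reached with elevated rights.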
Bug#736562: pu: package rush_1.7+dfsg-1+deb7u1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertag: pu

Dear supervisors,

I would like to pledge for an update of the package rush_1.7+dfsg-1 within the stable release. The cause is CVE-2013-6889:

http://bugs.debian.org/733505

The matter concerns file access elevation due to SUID-bit when running the software in test mode. The issue has been resolved and uploaded to unstable in rush_1.7+dfsg-4 and I propose the identical patching for the package kept in the stable release. The upstream project has incorporated my patch verbatim in its repository.

The solution was to reset the effective user identification when running in test mode, thus cancelling all ill effects. The complete debdiff of the package, as deposited at mentors.d.n, is included below.

Best regards,
Mats Erik Andersson, maintainer of GNU Rush

diff -Nru rush-1.7+dfsg/debian/changelog rush-1.7+dfsg/debian/changelog --- rush-1.7+dfsg/debian/changelog 2011-07-06 17:48:31.0 +0200 +++ rush-1.7+dfsg/debian/changelog 2014-01-24 22:10:50.0 +0100 @@ -1,3 +1,10 @@ +rush (1.7+dfsg-1+deb7u1) stable; urgency=high + + * Attend to CVE-2013-6889, file access escalation. ++ debian/patches/cve_2013_6889.diff: New file. + + -- Mats Erik Andersson mats.anders...@gisladisker.se Fri, 24 Jan 2014 22:01:24 +0100 + rush (1.7+dfsg-1) unstable; urgency=low * Initial release. (Closes: #515198) diff -Nru rush-1.7+dfsg/debian/patches/cve_2013_6889.diff rush-1.7+dfsg/debian/patches/cve_2013_6889.diff --- rush-1.7+dfsg/debian/patches/cve_2013_6889.diff 1970-01-01 01:00:00.0 +0100 +++ rush-1.7+dfsg/debian/patches/cve_2013_6889.diff 2014-01-19 16:42:45.0 +0100 
@@ -0,0 +1,27 @@ +Description: CVE-2013-6889, elevated access. + The executable will, when used with SUID-bit set, + allow opening and reading access to every system + file also by an unprivileged user, whenever invocation + is done in testing mode, i.e., using '-t' without '-u'. + . + Prevent this mistake by resetting the effective user + identification to the real user identification when- + ever testing mode is asked for. +Author: Mats Erik Andersson deb...@gisladisker.se +Forwarded: yes +Bug-Debian: http://bugs.debian.org/733505 +Last-update: 2014-01-16 + +--- rush-1.7+dfsg.debian/src/rush.c rush-1.7+dfsg/src/rush.c +@@ -913,6 +913,10 @@ main(int argc, char **argv) + } else if (argc optind) + die(usage_error, NULL, _(invalid command line)); + ++ /* Step down from SUID when running in test mode. */ ++ if (lint_option) ++ setuid(getuid()); ++ + if (test_user_name) { + struct passwd *pw = getpwnam(test_user_name); + if (!pw) diff -Nru rush-1.7+dfsg/debian/patches/series rush-1.7+dfsg/debian/patches/series --- rush-1.7+dfsg/debian/patches/series 2011-04-18 14:07:15.0 +0200 +++ rush-1.7+dfsg/debian/patches/series 2014-01-24 13:12:34.0 +0100 @@ -1,2 +1,3 @@ dfsg_reduction.diff tcpmux_service.diff +cve_2013_6889.diff
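The privilege reset described in the message above, written out as an added example that is not part of the original message or of GNU Rush. It goes beyond the single setuid(getuid()) call by also resetting the group, checking every result and confirming that the drop cannot be undone; drop_to_real_ids() and enter_test_mode() are hypothetical names, and lint_option is the flag named in the patch.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanently return to the identity of the invoking user.
 * Returns 0 when real and effective IDs agree afterwards and the old
 * effective IDs cannot be taken back, -1 otherwise.
 * Hypothetical helper, not a function of GNU Rush.
 */
int drop_to_real_ids(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: once the user ID is dropped the process may no
     * longer be permitted to change its group IDs. */
    if (setregid(rgid, rgid) != 0)
        return -1;

    /* Setting the real ID together with the effective ID makes Linux
     * overwrite the saved set-user-ID as well. */
    if (setreuid(ruid, ruid) != 0)
        return -1;

    /* Never trust the calls alone: read the IDs back. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;

    /* For an unprivileged caller the old IDs must be out of reach. */
    if (ruid != 0) {
        if (old_euid != ruid && seteuid(old_euid) == 0)
            return -1;
        if (old_egid != rgid && setegid(old_egid) == 0)
            return -1;
    }
    return 0;
}

/*
 * Entry into test mode: privileges are given up before any
 * configuration file named by the user is opened.
 */
int enter_test_mode(int lint_option)
{
    if (!lint_option)
        return 0;               /* normal operation is left untouched */
    return drop_to_real_ids();
}

int main(void)
{
    if (enter_test_mode(1) != 0) {
        fprintf(stderr, "cannot drop privileges, refusing test mode\n");
        return 1;
    }
    printf("uid=%ld euid=%ld gid=%ld egid=%ld\n",
           (long)getuid(), (long)geteuid(),
           (long)getgid(), (long)getegid());
    return 0;
}
```

A caller that receives -1 should terminate at once instead of continuing in test mode.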
Copyright issue in rush_1.7+dfsg-1.
Hello all,

the initial release of rush_1.7+dfsg-1 happened a year ago. The package has a minute user base, but when I returned to the package recently I happened to notice that there was a clear mistake in the recording of copyright terms for one of the files. The published package claims GPL, whereas a scrutiny of the text reveals a custom license, very close to a public domain attribution, intended to allow linking with LGPL.

My sponsor Sven Hoexter suggests that this might be classified as a release critical deviation. Presently he has uploaded the package to experimental while we await guidance from this list.

However, the updated packaging rush_1.7+dfsg-2, which I have uploaded to debian.mentors.net, happens to also address the hardened build of the contained binary executables. It is a priori not obvious that this composite package update would qualify for inclusion in the upcoming release, this late in the process. Personally I regard the hardening valuable to a security relevant service like GNU Rush, so I now seek conclusive advice on this matter, as to the prospects of unblocking the package and getting it into testing.

The debdiff between the published package and my proposed update is included in this message. As said, the full package is deposited at experimental since a week's time. I am writing this query encouraged by my sponsor Sven Hoexter.

Best regards,
Mats Erik Andersson, DM

changelog | 19 +++ control |5 +++-- copyright | 56 +++- rules |5 + 4 files changed, 70 insertions(+), 15 deletions(-) diff -Nru rush-1.7+dfsg/debian/changelog rush-1.7+dfsg/debian/changelog --- rush-1.7+dfsg/debian/changelog 2011-07-06 17:48:31.0 +0200 +++ rush-1.7+dfsg/debian/changelog 2012-08-02 20:47:09.0 +0200 
@@ -1,3 +1,22 @@ +rush (1.7+dfsg-2) unstable; urgency=low + + * Hardened builds: ++ debian/rules: Set compiler flags using dpkg-buildflags. ++ debian/control: Build depends on dpkg-dev (= 1.15.7). + * debian/control: Standards 3.9.3, no changes. + * debian/copyright: ++ Update to valid URL in format specification. ++ Remove commata in file lists. ++ Insert conditions of two public-domain attributions. ++ Add plus character in standalone license's names + GPL-2+ and GPL-3+. Express terms of the former. ++ The file po/Makefile.in.in was mistakenly named as + using GPL. In fact, the file uses a custom license, + implicitly public domain like. The conditions of use + are now copied verbatim. + + -- Mats Erik Andersson mats.anders...@gisladisker.se Thu, 02 Aug 2012 20:45:15 +0200 + rush (1.7+dfsg-1) unstable; urgency=low * Initial release. (Closes: #515198) diff -Nru rush-1.7+dfsg/debian/control rush-1.7+dfsg/debian/control --- rush-1.7+dfsg/debian/control 2011-07-06 17:48:31.0 +0200 +++ rush-1.7+dfsg/debian/control 2012-08-02 18:47:29.0 +0200 @@ -2,8 +2,9 @@ Section: shells Priority: extra Maintainer: Mats Erik Andersson mats.anders...@gisladisker.se -Build-Depends: debhelper (= 8.0.0), dh-autoreconf, autopoint -Standards-Version: 3.9.2 +Build-Depends: debhelper (= 8.0.0), dh-autoreconf, autopoint, + dpkg-dev (= 1.15.7) +Standards-Version: 3.9.3 Homepage: http://puszcza.gnu.org.ua/projects/rush/ Package: rush diff -Nru rush-1.7+dfsg/debian/copyright rush-1.7+dfsg/debian/copyright --- rush-1.7+dfsg/debian/copyright 2011-06-14 21:12:14.0 +0200 +++ rush-1.7+dfsg/debian/copyright 2012-08-02 19:50:32.0 +0200 @@ -1,4 +1,4 @@ -Format: http://anonscm.debian.org/viewvc/dep/web/deps/dep5.mdwn?revision=174 +Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: GNU rush Upstream-Contact: Sergey Poznyakoff g...@gnu.org.ua Source: http://puszcza.gnu.org.ua/projects/rush/ 
@@ -9,15 +9,10 @@ Copyright: 2008-2010, Sergey Poznyakoff g...@gnu.org.ua License: GPL-3+ -Files: build-aux/*, gnu/*, m4/* +Files: build-aux/* gnu/* m4/* Copyright: 1992-2010, Free Software Foundation, Inc. License: GPL-3+ -Files: build-aux/install-sh -Copyright: Free Software Foundation -Comment: The major part is copyrighted by the X Consortium; see below -License: public-domain - Files: build-aux/mdate-sh Copyright: 1995-2010, Free Software Foundation, Inc. 1995, Ulrich Drepper drep...@gnu.ai.mit.edu @@ -31,8 +26,15 @@ Files: gnu/alloca.c Copyright: D A Gwyn License: public-domain + (Mostly) portable public-domain implementation -- D A Gwyn + . + This implementation of the PWB library alloca function, + which is used to allocate space off the run-time stack so + that it is automatically reclaimed upon procedure exit, + was inspired by discussions with J. Q. Johnson of Cornell. + J.Otto Tennant j...@cray.com contributed the Cray support. -Files: po/*.po, po/rush.pot +Files: po/*.po po/rush.pot Copyright: 2010, Free Software Foundation, Inc. 2009-2010, Sergey
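Review bot: The changelog hunk puts the dpkg-buildflags hardening and the licence correction for po/Makefile.in.in into one 1.7+dfsg-2 entry, so the copyright fix cannot be accepted without the build change. Splitting them into two uploads, with the debian/copyright correction first, would let the possibly release critical part be judged alone. The debian/copyright hunk as shown also breaks off after "2009-2010, Sergey", and the debian/rules change listed in the diffstat is not visible, so neither can be reviewed here.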
Possible migration of twofish.
Dear Release Managers,

during Summer I adopted the orphaned library package twofish and I extended it to build also a shared library as well as providing the very first documentation in the form of Docbook source for a manual page.

Last week I expanded the documentation and I also removed the macro invocation -D_REENTRANT according to policy 3.9.1. That package build is not yet aged into ten days, but in case you intend to reject it in testing, please tell me. Since it essentially only involves improved documentation I was thinking it to be a natural candidate for testing.

However, now I got the idea of a final touch to this package, really making it worthy for Squeeze, namely adding to twofish.h the standard C++-wrapper

    #ifdef __cplusplus
    extern "C" {
    #endif

Before building and seeking a sponsor for such a package, I would like to make sure that such a change would not make the Release Team reject the corresponding change, thus also invalidating the update that already has passed into unstable.

Best regards,
Mats Erik Andersson, fil. dr

Subscribed to: debian-mentors, debian-devel-games, debian-perl, debian-ipv6, debian-qa