Bug#854711: Unblocking package netkit-ftp-ssl, resolving #854460.

2017-02-09 Thread Mats Erik Andersson
Package: release.debian.org
Severity: important
Tags: patch

Being the maintainer of netkit-ftp-ssl, I request an unblocking
of netkit-ftp-ssl in version 0.17.34+0.2-4. This upload successfully
resolves bug #854460 of severity 'important'.

The problem is interoperability with TLS-able FTP servers, like
Proftpd, which mandate that the data connection reuse the session
identity set by the control channel.

The presently available version in testing, 0.17.34+0.2-3, is
not able to fetch files or get listings with TLS protection due
to an accidental inactivation of function SSL_copy_session_id().
This is a legacy function, not documented in any manual page,
and only mentioned in one file 'ssleay.txt' of the openssl archive.

The debdiff reactivates this function call, which was commented
out by me due to a misunderstanding. In addition, it turns out
to be decisive to forbid the use of libssl in version 1.1 for
the binary package. The reason is that libssl (>= 1.1.0)
only succeeds in reusing the session identity a single time,
yes really a single time, with the present unintrusive and
long-used solution. Therefore I had to change the build
dependency to read

libssl1.0-dev | libssl-dev (<< 1.1.0~)

Both changes are necessary, and they also lead to a package that
can be built directly in Wheezy without any changes, allowing
trivial backporting.

The packages netkit-ftp-ssl, linux-ftpd-ssl and netkit-telnet-ssl
have seen substantial improvement for certificate verification
and identification for this Debian release, but only the binary
ftp-ssl is affected by the present issue.

Best regards,
  Mats Erik Andersson, DM
diff -Nru netkit-ftp-ssl-0.17.34+0.2/debian/changelog 
netkit-ftp-ssl-0.17.34+0.2/debian/changelog
--- netkit-ftp-ssl-0.17.34+0.2/debian/changelog 2017-01-18 19:33:56.0 
+0100
+++ netkit-ftp-ssl-0.17.34+0.2/debian/changelog 2017-02-08 18:39:46.0 
+0100
@@ -1,3 +1,14 @@
+netkit-ftp-ssl (0.17.34+0.2-4) unstable; urgency=medium
+
+  * Correctly reuse SSL session identity in data connection.
+This suffices for libssl1.0, not for libssl1.1.  (Closes: #854460)
++ debian/patches/700_prefer_tls.diff: Reactivate commented out
+  function call to SSL_copy_session_id().
++ debian/control: Prefer libssl1.0-dev and condition libssl-dev
+  on "<< 1.1.0~" for trivial backporting.
+
+ -- Mats Erik Andersson <mats.anders...@gisladisker.se>  Wed, 08 Feb 2017 
18:39:46 +0100
+
 netkit-ftp-ssl (0.17.34+0.2-3) unstable; urgency=low
 
   * Allow verification mode to print additional details about the
diff -Nru netkit-ftp-ssl-0.17.34+0.2/debian/control 
netkit-ftp-ssl-0.17.34+0.2/debian/control
--- netkit-ftp-ssl-0.17.34+0.2/debian/control   2017-01-10 15:37:21.0 
+0100
+++ netkit-ftp-ssl-0.17.34+0.2/debian/control   2017-02-08 18:30:50.0 
+0100
@@ -4,7 +4,7 @@
 Maintainer: Mats Erik Andersson <mats.anders...@gisladisker.se>
 Uploaders: Alberto Gonzalez Iniesta <a...@inittab.org>
 Standards-Version: 3.9.8
-Build-Depends: debhelper (>= 9), libeditline-dev, libncurses5-dev, libssl-dev 
| libssl1.0-dev
+Build-Depends: debhelper (>= 9), libeditline-dev, libncurses5-dev, 
libssl1.0-dev | libssl-dev (<< 1.1.0~)
 
 Package: ftp-ssl
 Architecture: any
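Review bot: the new alternation `libssl1.0-dev | libssl-dev (<< 1.1.0~)` pins the binary to OpenSSL 1.0 as the answer to the one-time-only session reuse seen with libssl 1.1, and nothing in this debdiff tracks the remaining work; since the cover mail itself describes SSL_copy_session_id() as a legacy, undocumented function, a bug against the package for the libssl1.1 port should be filed alongside this upload so the pin is not mistaken for the permanent fix. Also worth confirming on a buildd log that libssl1.0-dev (the first alternative, which the buildd resolver prefers) is what actually got installed, because the Closes: entry in the changelog depends on that.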
diff -Nru netkit-ftp-ssl-0.17.34+0.2/debian/patches/700_prefer_tls.diff 
netkit-ftp-ssl-0.17.34+0.2/debian/patches/700_prefer_tls.diff
--- netkit-ftp-ssl-0.17.34+0.2/debian/patches/700_prefer_tls.diff   
2017-01-18 19:33:41.0 +0100
+++ netkit-ftp-ssl-0.17.34+0.2/debian/patches/700_prefer_tls.diff   
2017-02-08 15:39:49.00000 +0100
@@ -23,7 +23,7 @@
  .
 Author: Mats Erik Andersson <deb...@gisladisker.se>
 Forwarded: no
-Last-Update: 2017-01-18
+Last-Update: 2017-02-07
 
 diff -Naurp netkit-ftp-0.17.debian/ftp/cmds.c netkit-ftp-0.17/ftp/cmds.c
 --- netkit-ftp-0.17.debian/ftp/cmds.c  2016-12-23 00:05:51.820239257 +0100
@@ -190,20 +190,8 @@
  .Xr ftpd 8 ,
 diff -Naurp netkit-ftp-0.17.debian/ftp/ftp.c netkit-ftp-0.17/ftp/ftp.c
 --- netkit-ftp-0.17.debian/ftp/ftp.c   2016-12-23 00:05:52.380213160 +0100
-+++ netkit-ftp-0.17/ftp/ftp.c  2017-01-18 19:19:27.145786765 +0100
-@@ -1672,7 +1672,10 @@ dataconn(const char *lmode)
-* this quick assuming Eric has this going
-* okay! ;-)
-*/
--  SSL_copy_session_id(ssl_data_con,ssl_con);
-+  /* MEA: Do not use deterministic session identities
-+   * in a subordinate connection.
-+   */
-+  //SSL_copy_session_id(ssl_data_con,ssl_con);
- 
-   /* we are doing I/O and not using select so 
-* it is "safe" to read ahead
-@@ -1686,12 +1689,17 @@ dataconn(const char *lmode)
 netkit-ftp-0.17/ftp/ftp.c  2017-02-07 23:35:32.871433587 +0100
+@@ -1686,12 +1686,17 @@ dataconn(const char *lmode)
  
if ((ret=SSL_connect(ssl_data_con))<=0) {
  static char errbuf[1024];
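Review bot: this hunk drops the January version of the dataconn() change, in which SSL_copy_session_id(ssl_data_con, ssl_con) had been commented out with the note 'Do not use deterministic session identities in a subordinate connection', but the replacement lines for ftp.c (2017-02-07) break off at `@@ -224,7` in this copy, so the reactivated call itself is not visible here and has to be checked in the full debdiff. As the cover mail says the earlier removal was a misunderstanding, the reason for reusing the control connection's session on the data connection (servers such as ProFTPD mandate it) belongs in the patch's Description, which this hunk does not touch, so that the call is not disabled a second time.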
@@ -224,7 

Bug#790692: wheezy-pu: package ftpd-ssl/0.17.33+0.3-1+deb7u1

2015-06-30 Thread Mats Erik Andersson
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu

Hello all,

I would like to proceed with an update also to
oldstable/wheezy of the SSL-enhanced FTP server
built from linux-ftpd-ssl. It deals with the
same denial of service as was established in
the report #788331, and the remedy is identical
to the one applied to testing and also queued
for jessie-pu. The relevant debdiff is
herewith attached.

Best regards,
  Mats Erik Andersson, present maintainer of linux-ftpd-ssl.
diff -Nru linux-ftpd-ssl-0.17.33+0.3/debian/changelog 
linux-ftpd-ssl-0.17.33+0.3/debian/changelog
--- linux-ftpd-ssl-0.17.33+0.3/debian/changelog 2011-04-20 03:47:23.0 
+0200
+++ linux-ftpd-ssl-0.17.33+0.3/debian/changelog 2015-06-30 01:04:24.0 
+0200
@@ -1,3 +1,11 @@
+linux-ftpd-ssl (0.17.33+0.3-1+deb7u1) wheezy; urgency=medium
+
+  * QA Upload
+  * NLST of empty directory results in segfault. (Closes: #788331)
++ debian/patches/500-ssl.diff: Updated.
+
+ -- Mats Erik Andersson mats.anders...@gisladisker.se  Tue, 30 Jun 2015 
01:04:03 +0200
+
 linux-ftpd-ssl (0.17.33+0.3-1) unstable; urgency=low
 
   * Update to linux-ftpd 0.17-33.
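Review bot: the entry is flagged `* QA Upload` while the covering mail signs as 'present maintainer of linux-ftpd-ssl'; a QA upload implies an orphaned package whose Maintainer field is the QA group, so either the marker should go or the self-description should, and the release team will want to know which state the package is in for wheezy.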
diff -Nru linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff 
linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff
--- linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff  2011-04-20 
03:47:23.0 +0200
+++ linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff  2015-06-16 
13:46:42.0 +0200
@@ -3,7 +3,7 @@
 Origin: 
ftp://ftp.uni-mainz.de/pub/software/security/ssl/SSL-MZapps/linux-ftpd-0.17+ssl-0.3.diff.gz
 Forwarded: not-needed
 Author: Tim Hudson t...@cryptsoft.com
-Last-Update: 2010-06-21
+Last-Update: 2015-06-11
 
 Index: linux-ftpd-ssl/ftpd/Makefile
 ===
@@ -917,10 +917,12 @@
byte_count += strlen(nbuf) + 1;
}
}
-@@ -2705,6 +3193,13 @@
+@@ -2704,8 +3193,16 @@
+   reply(226, Transfer complete.);
  
transflag = 0;
-   if (dout != NULL)
+-  if (dout != NULL)
++  if (dout != NULL) {
 +#ifdef USE_SSL
 +if (ssl_data_active_flag  (ssl_data_con!=NULL)) {
 +  SSL_free(ssl_data_con);
@@ -929,8 +931,10 @@
 +  }
 +#endif /* USE_SSL */
(void) fclose(dout);
++  }
data = -1;
pdata = -1;
+ out:
 @@ -2792,3 +3287,223 @@
  }
  #endif/* TCPWRAPPERS */
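Review bot: the `{` and `}` added around the `if (dout != NULL)` body are the whole fix, and it is worth saying why: the original SSL addition inserted the `#ifdef USE_SSL` block between the `if` and `(void) fclose(dout);`, so the SSL cleanup became the single conditional statement and fclose() ran unconditionally, reaching fclose(NULL) on an empty NLST. Since the DEP-3 header of 500-ssl.diff only gets a new Last-Update, a one-line Description note (or a comment at the brace) recording this would stop the same one-statement `if` shape from being reintroduced; and if the two elided lines between `SSL_free(ssl_data_con);` and `}` do not already reset `ssl_data_con` to NULL, that should be added so a later cleanup cannot free it twice.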


Bug#790245: jessie-pu: package ftpd-ssl/0.17.33+0.3-1deb8u1

2015-06-28 Thread Mats Erik Andersson
On Saturday 27 June 2015 at 23:11, Adam D. Barratt wrote:

> > > Please go ahead, thanks (bearing in mind the notes above).
> > 
> > I have uploaded a built package to 'mentors.debian.net'.
> > It is the only location known to be accessible to me.
> > Tell me if I should deposit the package somewhere else.
> 
> Well, it'll need to get to ftp-master in order to be accepted, but
> mentors is likely as good a place as any to make it available for
> potential sponsors.

This reminds me that there is a short time window at ftp-master
where my package is available also without an accepted GPG-key.
I have just uploaded the built package to '/pub/UpLoadQueue/'.
It remains to see whether it stays available long enough,
and whether a suitable manual intervention is possible.

Best regards,
  Mats E A


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150628130058.ga49...@aun.utmark.mea



Bug#790245: jessie-pu: package ftpd-ssl/0.17.33+0.3-1deb8u1

2015-06-27 Thread Mats Erik Andersson
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear all,

the SSL-enhanced FTP server built from linux-ftpd-ssl
was recently uncovered to produce a denial of service,
as was demonstrated in #788331. The package has been
updated in testing and unstable, but since the error
is present ever since at least June, 2010 [sic!],
I would like to propose an update also to the stable
package release. The needed change can be made verbatim
with the alteration to unstable. The corresponding
debdiff output and a description are attached.

Best regards,
  Mats Erik Andersson, present maintainer

This proposed change protects against #788331,
which in an identical form has been applied
to version 0.17.35+0.3+2, present in testing.

Observe that the update of the source patch
'debian/patches/500-ssl.diff' is the first
change during five years of time, so the very
same change is applicable to old-old-stable!

The problem is that the present server crashes
when the client asks for a name listing, using
the command 'nl', i.e., NLST, of an empty directory.
The cause is a missing code block in the original
patch, which can lead to the execution of 'fclose(NULL)'
and a segmentation fault. This results in a denial
of service since the server side executable dies.


diff -Nru linux-ftpd-ssl-0.17.33+0.3/debian/changelog 
linux-ftpd-ssl-0.17.33+0.3/debian/changelog
- --- linux-ftpd-ssl-0.17.33+0.3/debian/changelog   2011-04-20 
03:47:23.0 +0200
+++ linux-ftpd-ssl-0.17.33+0.3/debian/changelog 2015-06-16 14:00:05.0 
+0200
@@ -1,3 +1,11 @@
+linux-ftpd-ssl (0.17.33+0.3-1deb8u1) jessie; urgency=medium
+
+  * QA Upload
+  * NLST of empty directory results in segfault.
++ debian/patches/500-ssl.diff: Updated.
+
+ -- Mats Erik Andersson mats.anders...@gisladisker.se  Tue, 16 Jun 2015 
13:47:15 +0200
+
 linux-ftpd-ssl (0.17.33+0.3-1) unstable; urgency=low
 
   * Update to linux-ftpd 0.17-33.
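Review bot: the version on the first changelog line reads `0.17.33+0.3-1deb8u1`; the stable-update convention is `0.17.33+0.3-1+deb8u1` (the `+` separates the update suffix from the Debian revision), and the NLST entry should carry `(Closes: #788331)` so the BTS records the fix for jessie, as the wheezy entry in this thread already does.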
diff -Nru linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff 
linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff
- --- linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff2011-04-20 
03:47:23.0 +0200
+++ linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff  2015-06-16 
13:46:42.0 +0200
@@ -3,7 +3,7 @@
 Origin: 
ftp://ftp.uni-mainz.de/pub/software/security/ssl/SSL-MZapps/linux-ftpd-0.17+ssl-0.3.diff.gz
 Forwarded: not-needed
 Author: Tim Hudson t...@cryptsoft.com
- -Last-Update: 2010-06-21
+Last-Update: 2015-06-11
 
 Index: linux-ftpd-ssl/ftpd/Makefile
 ===
@@ -917,10 +917,12 @@
byte_count += strlen(nbuf) + 1;
}
}
- -@@ -2705,6 +3193,13 @@
+@@ -2704,8 +3193,16 @@
+   reply(226, Transfer complete.);
  
transflag = 0;
- - if (dout != NULL)
+-  if (dout != NULL)
++  if (dout != NULL) {
 +#ifdef USE_SSL
 +if (ssl_data_active_flag  (ssl_data_con!=NULL)) {
 +  SSL_free(ssl_data_con);
@@ -929,8 +931,10 @@
 +  }
 +#endif /* USE_SSL */
(void) fclose(dout);
++  }
data = -1;
pdata = -1;
+ out:
 @@ -2792,3 +3287,223 @@
  }
  #endif/* TCPWRAPPERS */


Bug#790245: jessie-pu: package ftpd-ssl/0.17.33+0.3-1deb8u1

2015-06-27 Thread Mats Erik Andersson
On Saturday 27 June 2015 at 19:27, Adam D. Barratt wrote:
> On Sat, 2015-06-27 at 19:47 +0200, Mats Erik Andersson wrote:
> > was recently uncovered to produce a denial of service,
> > as was demonstrated in #788331.
> 
> That bug should be closed in the changelog.

Right, for unstable it was closed by 0.17.35+0.3-2.
While at it, I added a 'found' also for the presently
relevant version 0.17.33+0.3-1.

> +linux-ftpd-ssl (0.17.33+0.3-1deb8u1) jessie; urgency=medium
> 
> That should be 0.17.33+0.3-1+deb8u1.

Corrected.

> > since the error is present ever since at least June, 2010
> > [sic!], I would like to propose an update also to the stable
> 
> Please go ahead, thanks (bearing in mind the notes above).

I have uploaded a built package to 'mentors.debian.net'.
It is the only location known to be accessible to me.
Tell me if I should deposit the package somewhere else.
The new deb diff is attached.

> Have you considered preparing updates for wheezy and squeeze-lts?

Yes, but I need to prepare clean build environments to do so.

Best regards,
  Mats E A
diff -Nru linux-ftpd-ssl-0.17.33+0.3/debian/changelog linux-ftpd-ssl-0.17.33+0.3/debian/changelog
--- linux-ftpd-ssl-0.17.33+0.3/debian/changelog	2011-04-20 03:47:23.0 +0200
+++ linux-ftpd-ssl-0.17.33+0.3/debian/changelog	2015-06-27 22:27:06.0 +0200
@@ -1,3 +1,11 @@
+linux-ftpd-ssl (0.17.33+0.3-1+deb8u1) jessie; urgency=medium
+
+  * QA Upload
+  * NLST of empty directory results in segfault. (Closes: #788331)
++ debian/patches/500-ssl.diff: Updated.
+
+ -- Mats Erik Andersson mats.anders...@gisladisker.se  Sat, 27 Jun 2015 22:17:53 +0200
+
 linux-ftpd-ssl (0.17.33+0.3-1) unstable; urgency=low
 
   * Update to linux-ftpd 0.17-33.
diff -Nru linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff
--- linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff	2011-04-20 03:47:23.0 +0200
+++ linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff	2015-06-16 13:46:42.0 +0200
@@ -3,7 +3,7 @@
 Origin: ftp://ftp.uni-mainz.de/pub/software/security/ssl/SSL-MZapps/linux-ftpd-0.17+ssl-0.3.diff.gz
 Forwarded: not-needed
 Author: Tim Hudson t...@cryptsoft.com
-Last-Update: 2010-06-21
+Last-Update: 2015-06-11
 
 Index: linux-ftpd-ssl/ftpd/Makefile
 ===
@@ -917,10 +917,12 @@
  byte_count += strlen(nbuf) + 1;
  			}
  		}
-@@ -2705,6 +3193,13 @@
+@@ -2704,8 +3193,16 @@
+ 		reply(226, Transfer complete.);
  
  	transflag = 0;
- 	if (dout != NULL)
+-	if (dout != NULL)
++	if (dout != NULL) {
 +#ifdef USE_SSL
 +if (ssl_data_active_flag  (ssl_data_con!=NULL)) {
 +		SSL_free(ssl_data_con);
@@ -929,8 +931,10 @@
 +		}
 +#endif /* USE_SSL */
  		(void) fclose(dout);
++	}
  	data = -1;
  	pdata = -1;
+ out:
 @@ -2792,3 +3287,223 @@
  }
  #endif	/* TCPWRAPPERS */


Updating rush_1.7+dfsg-1 due to CVE-2013-6889.

2014-01-24 Thread Mats Erik Andersson
Dear supervisors,

I would like to pledge for an update of the package

rush_1.7+dfsg-1

within the stable release. The cause is CVE-2013-6889:

   http://bugs.debian.org/733505

The matter concerns file access elevation due to SUID-bit
when running the software in test mode.

The issue has been resolved and uploaded to unstable by

rush_1.7+dfsg-4

and I propose the identical patching for the package kept
in the stable release. The upstream project has incorporated
my patch verbatim in its repository.

Best regards,

  Mats Erik Andersson, maintainer of GNU Rush
diff -Nru rush-1.7+dfsg/debian/changelog rush-1.7+dfsg/debian/changelog
--- rush-1.7+dfsg/debian/changelog	2011-07-06 17:48:31.0 +0200
+++ rush-1.7+dfsg/debian/changelog	2014-01-24 13:15:27.0 +0100
@@ -1,3 +1,10 @@
+rush (1.7+dfsg-1+deb7u1) stable-security; urgency=high
+
+  * Attend to CVE-2013-6889, file access escalation.
++ debian/patches/cve_2013_6889.diff: New file.
+
+ -- Mats Erik Andersson mats.anders...@gisladisker.se  Fri, 24 Jan 2014 13:13:09 +0100
+
 rush (1.7+dfsg-1) unstable; urgency=low
 
   * Initial release. (Closes: #515198)
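Review bot: the target distribution on the first line is `stable-security`, which is the queue for security-team uploads built on security-master; an update that goes to the release team as a pu request belongs in `stable`, so this line should read `rush (1.7+dfsg-1+deb7u1) stable; urgency=high` (the later upload in this thread has that form).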
diff -Nru rush-1.7+dfsg/debian/patches/cve_2013_6889.diff rush-1.7+dfsg/debian/patches/cve_2013_6889.diff
--- rush-1.7+dfsg/debian/patches/cve_2013_6889.diff	1970-01-01 01:00:00.0 +0100
+++ rush-1.7+dfsg/debian/patches/cve_2013_6889.diff	2014-01-19 16:42:45.0 +0100
@@ -0,0 +1,27 @@
+Description: CVE-2013-6889, elevated access.
+ The executable will, when used with SUID-bit set,
+ allow opening and reading access to every system
+ file also by an unprivileged user, whenever invocation
+ is done in testing mode, i.e., using '-t' without '-u'.
+ .
+ Prevent this mistake by resetting the effective user
+ identification to the real user identification when-
+ ever testing mode is asked for.
+Author: Mats Erik Andersson deb...@gisladisker.se
+Forwarded: yes
+Bug-Debian: http://bugs.debian.org/733505
+Last-update: 2014-01-16
+
+--- rush-1.7+dfsg.debian/src/rush.c
 rush-1.7+dfsg/src/rush.c
+@@ -913,6 +913,10 @@ main(int argc, char **argv)
+ 	} else if (argc  optind)
+ 		die(usage_error, NULL, _(invalid command line));
+ 	
++	/* Step down from SUID when running in test mode.  */
++	if (lint_option)
++		setuid(getuid());
++
+ 	if (test_user_name) {
+ 		struct passwd *pw = getpwnam(test_user_name);
+ 		if (!pw)
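Review bot: the return value of `setuid(getuid());` on the added line is not checked; if the call fails, the binary keeps its SUID effective uid and continues straight into the test-mode path the patch is meant to neutralise. Suggest `if (setuid(getuid()) != 0) die(...)`, reusing the die() the surrounding lines already call for usage errors, and since plain setuid() only rewrites the saved set-user-ID when the effective uid is root, an install that is SUID to a non-root account would keep its saved uid; setreuid(getuid(), getuid()) (or setresuid()) followed by a geteuid() == getuid() check closes that gap.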
diff -Nru rush-1.7+dfsg/debian/patches/series rush-1.7+dfsg/debian/patches/series
--- rush-1.7+dfsg/debian/patches/series	2011-04-18 14:07:15.0 +0200
+++ rush-1.7+dfsg/debian/patches/series	2014-01-24 13:12:34.0 +0100
@@ -1,2 +1,3 @@
 dfsg_reduction.diff
 tcpmux_service.diff
+cve_2013_6889.diff


Bug#736562: pu: package rush_1.7+dfsg-1+deb7u1

2014-01-24 Thread Mats Erik Andersson
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertag: pu


Dear supervisors,

I would like to pledge for an update of the package

rush_1.7+dfsg-1

within the stable release. The cause is CVE-2013-6889:

   http://bugs.debian.org/733505

The matter concerns file access elevation due to SUID-bit
when running the software in test mode.

The issue has been resolved and uploaded to unstable in

rush_1.7+dfsg-4

and I propose the identical patching for the package kept
in the stable release. The upstream project has incorporated
my patch verbatim in its repository. The solution was to reset
the effective user identification when running in test mode,
thus cancelling all ill effects.

The complete debdiff of the package, as deposited at mentors.d.n,
is included below.

Best regards,

  Mats Erik Andersson, maintainer of GNU Rush
diff -Nru rush-1.7+dfsg/debian/changelog rush-1.7+dfsg/debian/changelog
--- rush-1.7+dfsg/debian/changelog	2011-07-06 17:48:31.0 +0200
+++ rush-1.7+dfsg/debian/changelog	2014-01-24 22:10:50.0 +0100
@@ -1,3 +1,10 @@
+rush (1.7+dfsg-1+deb7u1) stable; urgency=high
+
+  * Attend to CVE-2013-6889, file access escalation.
++ debian/patches/cve_2013_6889.diff: New file.
+
+ -- Mats Erik Andersson mats.anders...@gisladisker.se  Fri, 24 Jan 2014 22:01:24 +0100
+
 rush (1.7+dfsg-1) unstable; urgency=low
 
   * Initial release. (Closes: #515198)
diff -Nru rush-1.7+dfsg/debian/patches/cve_2013_6889.diff rush-1.7+dfsg/debian/patches/cve_2013_6889.diff
--- rush-1.7+dfsg/debian/patches/cve_2013_6889.diff	1970-01-01 01:00:00.0 +0100
+++ rush-1.7+dfsg/debian/patches/cve_2013_6889.diff	2014-01-19 16:42:45.0 +0100
@@ -0,0 +1,27 @@
+Description: CVE-2013-6889, elevated access.
+ The executable will, when used with SUID-bit set,
+ allow opening and reading access to every system
+ file also by an unprivileged user, whenever invocation
+ is done in testing mode, i.e., using '-t' without '-u'.
+ .
+ Prevent this mistake by resetting the effective user
+ identification to the real user identification when-
+ ever testing mode is asked for.
+Author: Mats Erik Andersson deb...@gisladisker.se
+Forwarded: yes
+Bug-Debian: http://bugs.debian.org/733505
+Last-update: 2014-01-16
+
+--- rush-1.7+dfsg.debian/src/rush.c
 rush-1.7+dfsg/src/rush.c
+@@ -913,6 +913,10 @@ main(int argc, char **argv)
+ 	} else if (argc  optind)
+ 		die(usage_error, NULL, _(invalid command line));
+ 	
++	/* Step down from SUID when running in test mode.  */
++	if (lint_option)
++		setuid(getuid());
++
+ 	if (test_user_name) {
+ 		struct passwd *pw = getpwnam(test_user_name);
+ 		if (!pw)
diff -Nru rush-1.7+dfsg/debian/patches/series rush-1.7+dfsg/debian/patches/series
--- rush-1.7+dfsg/debian/patches/series	2011-04-18 14:07:15.0 +0200
+++ rush-1.7+dfsg/debian/patches/series	2014-01-24 13:12:34.0 +0100
@@ -1,2 +1,3 @@
 dfsg_reduction.diff
 tcpmux_service.diff
+cve_2013_6889.diff
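As an added example, not code from GNU Rush or from the Debian patch above, here is the same privilege step-down written defensively: the result of the call is checked and read back before test mode is allowed to proceed. The function names drop_to_real_user() and enter_test_mode() are this example's own, and it assumes a Linux/glibc host.

```c
/* Added example: the CVE-2013-6889 step-down (reset the effective uid
 * to the real uid when the test option is given) with the result
 * checked, instead of a bare setuid(getuid()).  Not rush's own code. */
#define _DEFAULT_SOURCE 1       /* declares setreuid() with glibc */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Make real, effective and saved uid all equal to the real uid.
 * setreuid() with an explicit real uid also rewrites the saved
 * set-user-ID (POSIX and Linux), so the SUID identity cannot be
 * regained later with seteuid().  Returns 0 on success, -1 on failure. */
int drop_to_real_user(void)
{
    uid_t real = getuid();

    if (setreuid(real, real) != 0)
        return -1;              /* e.g. EAGAIN under RLIMIT_NPROC */
    /* Never trust the syscall alone: read the identity back. */
    if (geteuid() != real)
        return -1;
    return 0;
}

/* Mirrors the patched spot in main(): with the test (lint) option
 * set, step down before any configuration file is opened.
 * Returns 1 when it is safe to proceed with file access, 0 when not. */
int enter_test_mode(int lint_option)
{
    if (!lint_option)
        return 1;               /* normal mode: behaviour unchanged */
    if (drop_to_real_user() != 0) {
        /* An unchecked setuid() that failed would leave the process
         * reading files as the SUID owner; refuse instead. */
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Without the SUID bit the drop is a no-op and must succeed;
     * installed SUID, a failed drop now stops the run. */
    if (!enter_test_mode(1)) {
        fprintf(stderr, "rush: cannot drop privileges for test mode\n");
        return EXIT_FAILURE;
    }
    printf("test mode running as uid %lu\n", (unsigned long)getuid());
    return EXIT_SUCCESS;
}
```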


Copyright issue in rush_1.7+dfsg-1.

2012-08-15 Thread Mats Erik Andersson
Hallo all,

the initial release of rush_1.7+dfsg-1 happened a year ago.
The package has a minute user base, but when I returned to the
package recently I happened to notice that there was a clear
mistake in the recording of copyright terms for one of the
files. The published package claims GPL, whereas a scrutiny
of the text reveals a custom license, very close to a public
domain attribution, intended to allow linking with LGPL.
My sponsor Sven Hoexter suggests that this might be classified
as a release critical deviation. Presently he has uploaded
the package to experimental while we await guidance from
this list.

However, the updated packaging rush_1.7+dfsg-2, which I have
uploaded to debian.mentors.net, happens to also address the
hardened build of the contained binary executables. It is
a priori not obvious that this composite package update would
qualify for inclusion in the upcoming release, this late in
the process. Personally I regard the hardening valuable to
a security relevant service like GNU Rush, so I now seek
conclusive advice on this matter, as to the prospects of
unblocking the package and getting it into testing.

The debdiff between the published package and my proposed
update is included in this message. As said, the full package
is deposited at experimental since a week's time. I am writing
this query encouraged by my sponsor Sven Hoexter.

Best regards,

  Mats Erik Andersson, DM


 changelog |   19 +++
 control   |5 +++--
 copyright |   56 +++-
 rules |5 +
 4 files changed, 70 insertions(+), 15 deletions(-)

diff -Nru rush-1.7+dfsg/debian/changelog rush-1.7+dfsg/debian/changelog
--- rush-1.7+dfsg/debian/changelog	2011-07-06 17:48:31.0 +0200
+++ rush-1.7+dfsg/debian/changelog	2012-08-02 20:47:09.0 +0200
@@ -1,3 +1,22 @@
+rush (1.7+dfsg-2) unstable; urgency=low
+
+  * Hardened builds:
++ debian/rules: Set compiler flags using dpkg-buildflags.
++ debian/control: Build depends on dpkg-dev (= 1.15.7).
+  * debian/control: Standards 3.9.3, no changes.
+  * debian/copyright:
++ Update to valid URL in format specification.
++ Remove commata in file lists.
++ Insert conditions of two public-domain attributions.
++ Add plus character in standalone license's names
+  GPL-2+ and GPL-3+. Express terms of the former.
++ The file po/Makefile.in.in was mistakenly named as
+  using GPL. In fact, the file uses a custom license,
+  implicitly public domain like. The conditions of use
+  are now copied verbatim.
+
+ -- Mats Erik Andersson mats.anders...@gisladisker.se  Thu, 02 Aug 2012 20:45:15 +0200
+
 rush (1.7+dfsg-1) unstable; urgency=low
 
   * Initial release. (Closes: #515198)
diff -Nru rush-1.7+dfsg/debian/control rush-1.7+dfsg/debian/control
--- rush-1.7+dfsg/debian/control	2011-07-06 17:48:31.0 +0200
+++ rush-1.7+dfsg/debian/control	2012-08-02 18:47:29.0 +0200
@@ -2,8 +2,9 @@
 Section: shells
 Priority: extra
 Maintainer: Mats Erik Andersson mats.anders...@gisladisker.se
-Build-Depends: debhelper (= 8.0.0), dh-autoreconf, autopoint
-Standards-Version: 3.9.2
+Build-Depends: debhelper (= 8.0.0), dh-autoreconf, autopoint,
+ dpkg-dev (= 1.15.7)
+Standards-Version: 3.9.3
 Homepage: http://puszcza.gnu.org.ua/projects/rush/
 
 Package: rush
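Review bot: the relations on the Build-Depends lines appear here as `(= 8.0.0)` and `(= 1.15.7)`, i.e. exact versions that no archive satisfies; if that is not a transcription loss of `>=`, the package is unbuildable, so please confirm. The `dpkg-dev (>= 1.15.7)` requirement exists only for dpkg-buildflags in debian/rules, and that rules hunk (listed in the diffstat) is missing from this excerpt; it is the part the release team needs to judge the hardening claim, ideally together with hardening-check output for the built binaries.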
diff -Nru rush-1.7+dfsg/debian/copyright rush-1.7+dfsg/debian/copyright
--- rush-1.7+dfsg/debian/copyright	2011-06-14 21:12:14.0 +0200
+++ rush-1.7+dfsg/debian/copyright	2012-08-02 19:50:32.0 +0200
@@ -1,4 +1,4 @@
-Format: http://anonscm.debian.org/viewvc/dep/web/deps/dep5.mdwn?revision=174
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: GNU rush
 Upstream-Contact: Sergey Poznyakoff g...@gnu.org.ua
 Source: http://puszcza.gnu.org.ua/projects/rush/
@@ -9,15 +9,10 @@
 Copyright: 2008-2010, Sergey Poznyakoff g...@gnu.org.ua
 License: GPL-3+
 
-Files: build-aux/*, gnu/*, m4/*
+Files: build-aux/* gnu/* m4/*
 Copyright: 1992-2010, Free Software Foundation, Inc.
 License: GPL-3+
 
-Files: build-aux/install-sh
-Copyright: Free Software Foundation
-Comment: The major part is copyrighted by the X Consortium; see below
-License: public-domain
-
 Files: build-aux/mdate-sh
 Copyright: 1995-2010, Free Software Foundation, Inc.
1995, Ulrich Drepper drep...@gnu.ai.mit.edu
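Review bot: this hunk deletes the `Files: build-aux/install-sh` stanza outright, so install-sh now falls under the `build-aux/*` GPL-3+ stanza, although the removed Comment says the major part is copyrighted by the X Consortium. The changelog promises to 'Insert conditions of two public-domain attributions' (gnu/alloca.c below is one), so either the install-sh text was meant to be moved rather than dropped, or the stanza should stay with its licence text filled in; please confirm against the file's header.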
@@ -31,8 +26,15 @@
 Files: gnu/alloca.c
 Copyright: D A Gwyn
 License: public-domain
+ (Mostly) portable public-domain implementation -- D A Gwyn
+ .
+ This implementation of the PWB library alloca function,
+ which is used to allocate space off the run-time stack so
+ that it is automatically reclaimed upon procedure exit,
+ was inspired by discussions with J. Q. Johnson of Cornell.
+ J.Otto Tennant j...@cray.com contributed the Cray support.
 
-Files: po/*.po, po/rush.pot
+Files: po/*.po po/rush.pot
 Copyright: 2010, Free Software Foundation, Inc.
2009-2010, Sergey

Possible migration of twofish.

2010-10-26 Thread Mats Erik Andersson
Dear Release Managers,

during Summer I adopted the orphaned library package twofish
and I extended it to build also a shared library as well as
providing the very first documentation in the form of Docbook
source for a manual page.

Last week I expanded the documentation and I also removed the
macro invocation -D_REENTRANT according to policy 3.9.1.
That package build is not yet aged into ten days, but in case
you intend to reject it in testing, please tell me. Since it
essentially only involves improved documentation, I was thinking
it a natural candidate for testing.

However, now I got the idea of a final touch to this package,
really making it worthy for Squeeze, namely adding to twofish.h
the standard C++-wrapper

 #ifdef __cplusplus
 extern "C" {
 #endif

Before building and seeking a sponsor for such a package, I would
like to make sure that such a change would not make the Release Team
reject the corresponding change, thus also invalidating the update
that already has passed into unstable.

Best regards,

Mats Erik Andersson, PhD

Subscribed to: debian-mentors, debian-devel-games, debian-perl,
  debian-ipv6, debian-qa


Archive: http://lists.debian.org/20101026081001.ga11...@mea.homelinux.org