Bug#775521: unblock: condor/8.2.3~dfsg.1-6

2015-01-16 Thread Michael Hanke
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package condor

After your positive feedback I want to upload a package update that
fixes:

https://bugs.debian.org/775276

I am attaching the debdiffs for source and binary packages.

Thanks!

unblock condor/8.2.3~dfsg.1-6

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (650, 'testing'), (600, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru condor-8.2.3~dfsg.1/debian/changelog condor-8.2.3~dfsg.1/debian/changelog
--- condor-8.2.3~dfsg.1/debian/changelog	2014-12-05 21:10:33.0 +0100
+++ condor-8.2.3~dfsg.1/debian/changelog	2015-01-16 18:59:28.0 +0100
@@ -1,3 +1,12 @@
+condor (8.2.3~dfsg.1-6) unstable; urgency=medium
+
+  [Alex Waite]
+  * Upstream security fix: Authenticated users could execute arbitrary code as
+the condor user due to a bug in the way the condor daemon sent email
+notifications (CVE-2014-8126). (Closes: #775276)
+
+ -- Michael Hanke m...@debian.org  Fri, 16 Jan 2015 18:59:12 +0100
+
 condor (8.2.3~dfsg.1-5) unstable; urgency=medium
 
   * Fix wrong default SPOOL location introduced with 8.2.3~dfsg.1-4. Whenever
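
Review bot: `urgency=medium` on the new 8.2.3~dfsg.1-6 entry looks low for a fix the entry itself describes as letting authenticated users execute arbitrary code as the condor user; consider `urgency=high`, and name the added patch file (debian/patches/CVE-2014-8126.patch) in the entry so the changelog points at what changed.
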
diff -Nru condor-8.2.3~dfsg.1/debian/patches/CVE-2014-8126.patch condor-8.2.3~dfsg.1/debian/patches/CVE-2014-8126.patch
--- condor-8.2.3~dfsg.1/debian/patches/CVE-2014-8126.patch	1970-01-01 01:00:00.0 +0100
+++ condor-8.2.3~dfsg.1/debian/patches/CVE-2014-8126.patch	2015-01-16 18:53:02.0 +0100
@@ -0,0 +1,224 @@
+From e891cea9970496aac74caf72604475a2b7e6a0ca Mon Sep 17 00:00:00 2001
+From: Florian Weimer fwei...@redhat.com
+Date: Tue, 9 Dec 2014 16:09:03 -0600
+Subject: [PATCH] Update command line flags for modern /bin/mail and add option
+ to use sendmail. #4764
+
+---
+ src/condor_utils/email.cpp | 137 -
+ 1 file changed, 110 insertions(+), 27 deletions(-)
+
+diff --git a/src/condor_utils/email.cpp b/src/condor_utils/email.cpp
+index 574d0bb..396d287 100644
+--- a/src/condor_utils/email.cpp
 b/src/condor_utils/email.cpp
+@@ -45,12 +45,21 @@ static FILE *email_open_implementation(char *Mailer,
+ static FILE *email_open_implementation(const char * final_args[]);
+ #endif
+ 
++static void email_write_headers(FILE *stream,
++const char *FromAddress,
++const char *FinalSubject,
++const char *Addresses,
++int NumAddresses);
++static void email_write_header_string(FILE *stream, const char *data);
++
++
+ extern DLL_IMPORT_MAGIC char **environ;
+ 
+ FILE *
+ email_open( const char *email_addr, const char *subject )
+ {
+-	char *Mailer;
++	char *Sendmail = NULL;
++	char *Mailer = NULL;
+ 	char *SmtpServer = NULL;
+ 	char *FromAddress = NULL;
+ 	char *FinalSubject;
+@@ -61,12 +70,6 @@ email_open( const char *email_addr, const char *subject )
+ 	int arg_index;
+ 	FILE *mailerstream;
+ 
+-	if ( (Mailer = param(MAIL)) == NULL ) {
+-		dprintf(D_FULLDEBUG,
+-			Trying to email, but MAIL not specified in config file\n);
+-		return NULL;
+-	}
+-
+ 	/* Take care of the subject. */
+ 	if ( subject ) {
+ 		size_t prolog_length = strlen(EMAIL_SUBJECT_PROLOG);
+@@ -92,7 +95,6 @@ email_open( const char *email_addr, const char *subject )
+ 	if ( (SmtpServer=param(SMTP_SERVER)) == NULL ) {
+ 		dprintf(D_FULLDEBUG,
+ 			Trying to email, but SMTP_SERVER not specified in config file\n);
+-		free(Mailer);
+ 		free(FinalSubject);
+ 		if (FromAddress) free(FromAddress);
+ 		return NULL;
+@@ -110,7 +112,6 @@ email_open( const char *email_addr, const char *subject )
+ 		if ( (FinalAddr = param(CONDOR_ADMIN)) == NULL ) {
+ 			dprintf(D_FULLDEBUG,
+ Trying to email, but CONDOR_ADMIN not specified in config file\n);
+-			free(Mailer);
+ 			free(FinalSubject);
+ 			if (FromAddress) free(FromAddress);
+ 			if (SmtpServer) free(SmtpServer);
+@@ -136,7 +137,6 @@ email_open( const char *email_addr, const char *subject )
+ 	}
+ 	if (num_addresses == 0) {
+ 		dprintf(D_FULLDEBUG, Trying to email, but address list is empty\n);
+-		free(Mailer);
+ 		free(FinalSubject);
+ 		if (FromAddress) free(FromAddress);
+ 		if (SmtpServer) free(SmtpServer);
+@@ -144,6 +144,19 @@ email_open( const char *email_addr, const char *subject )
+ 		return NULL;
+ 	}
+ 
++	Sendmail = param(SENDMAIL);
++	Mailer = param(MAIL);
++
++	if ( Mailer == NULL  Sendmail == NULL ) {
++		dprintf(D_FULLDEBUG,
++			Trying to email, but MAIL and SENDMAIL not specified in config file\n);
++		free(FinalSubject);
++		free(FromAddress);
++		free(SmtpServer);
++		free(FinalAddr);
++		return NULL;
++	}
++
+ 	/* construct the argument vector for the mailer */
+ 	//char const * const * final_args;
+ 	const char * * final_args;
+@@ -152,23 +165,40 @@ email_open( const char *email_addr, const char
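
Review bot: In the added `Sendmail = param(SENDMAIL); Mailer = param(MAIL);` block the early return covers only the case where both are NULL, so every exit path after it now has to free both `Sendmail` and `Mailer`, since the `free(Mailer)` calls were dropped from the earlier returns; the hunk is cut off at `@@ -152,23 +165,40 @@`, so that cannot be confirmed from the lines shown. Only the prototypes of `email_write_headers()` and `email_write_header_string()` are visible as well; their bodies should be checked for CR/LF filtering of the subject and address values before they are written to the mailer stream. The patch file also goes in as a bare git format-patch mail, so adding `Bug-Debian:` and `Origin:` header fields would tie it to #775276.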

Bug#772176: unblock: condor/8.2.3~dfsg.1-5

2014-12-05 Thread Michael Hanke
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package condor

The previously unblocked (#771419) version 8.2.3~dfsg.1-4 that was
intended to fix #769100 inadvertently introduced another (grave) bug
in the default configuration (#772170).

The new upload 8.2.3~dfsg.1-5 fixes this bug with the patch that is
available from #772170. The full changelog entry is:

diff --git a/debian/changelog b/debian/changelog
index 8bff6c1..6cb318b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+condor (8.2.3~dfsg.1-5) unstable; urgency=medium
+
+  * Fix wrong default SPOOL location introduced with 8.2.3~dfsg.1-4. Whenever
+not overwritten by an explicit SPOOL setting, this version relocated
+SPOOL to /var/lib/condor/lib. Consequently, existing job and usage logs
+where inaccessible by HTcondor. This update reverts this unintentional
+change and sets SPOOL explicitly to /var/spool/condor again.
+(Closes: #772170)
+
+ -- Michael Hanke m...@debian.org  Fri, 05 Dec 2014 20:32:17 +0100
+
 condor (8.2.3~dfsg.1-4) unstable; urgency=medium
 
   * Adjust mechanism to apply the default Debian configuration to cope with
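
Review bot: The 8.2.3~dfsg.1-5 entry documents only the SPOOL revert, while the same upload also drops the `echo CONDOR_DEVELOPERS = NONE` and related lines from debian/rules in favour of a patch; add a line for that so the debdiff matches the changelog. In the same entry, "where inaccessible by HTcondor" should read "were inaccessible to HTCondor".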

Except for the changelog and the reported patch the debdiff is identical
to the one reported in (#771419). Please let me know if you need a full
debdiff nevertheless.

Thanks and sorry for the hassle!

unblock condor/8.2.3~dfsg.1-5

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (650, 'testing'), (600, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20141205205758.9345.63453.reportbug@meiner



Bug#772176: unblock: condor/8.2.3~dfsg.1-5

2014-12-05 Thread Michael Hanke
Hi Adam,

thanks for processing my request:

On Fri, Dec 5, 2014 at 10:42 PM, Adam D. Barratt a...@adam-barratt.org.uk
wrote:

 Control: tags -1 + moreinfo

 On Fri, 2014-12-05 at 21:57 +0100, Michael Hanke wrote:
  The previously unblocked (#771419) version 8.2.3~dfsg.1-4 that was
  intended to fix #769100 inadvertently introduced another (grave) bug
  in the default configuration (#772170).
 [...]
  Except for the changelog and the reported patch the debdiff is identical
  to the one reported in (#771419).

 That doesn't appear to be the case:

 diff -Nru condor-8.2.3~dfsg.1/debian/rules condor-8.2.3~dfsg.1/debian/rules
 --- condor-8.2.3~dfsg.1/debian/rules2014-11-29 08:52:02.0 +
 +++ condor-8.2.3~dfsg.1/debian/rules2014-12-05 19:23:32.0 +
 @@ -106,13 +106,6 @@
 chrpath -d debian/libclassad*/usr/lib/libclassad.so.*.*
 # kill the default local config -- debconf will handle that
 rm debian/htcondor/etc/condor/condor_config.local
 -   # modify condor config file with default Debian config
 -   # no default chatter to upstream
 -   echo CONDOR_DEVELOPERS = NONE 
 debian/htcondor/etc/condor/condor_config
 -   echo CONDOR_DEVELOPERS_COLLECTOR = NONE 
 debian/htcondor/etc/condor/condor_config
 -   # SSH template is a config file
 -   echo SSH_TO_JOB_SSHD_CONFIG_TEMPLATE =
 /etc/condor/condor_ssh_to_job_sshd_config_template \
 -debian/htcondor/etc/condor/condor_config


I am not sure I understand. I think this change is accounted for in


https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=spool_fix.patch;att=1;bug=772170

Functionally equivalent lines are now included in a patch for

  src/condor_examples/condor_config.generic.debian.patch

The mixture of in-place modification at runtime and patches has proven to
be unreliable. Hence the move towards putting as much
as possible into patches.

Am I missing something?

Thanks,

Michael


Bug#772176: unblock: condor/8.2.3~dfsg.1-5

2014-12-05 Thread Michael Hanke
On Fri, Dec 5, 2014 at 11:12 PM, Adam D. Barratt a...@adam-barratt.org.uk
wrote:

 On Fri, 2014-12-05 at 22:56 +0100, Michael Hanke wrote:
  The mixture of in-place modification at runtime and patches has proven
  to be unreliable. Hence to move towards putting as much
  as possible into patches.

 Right, but the section I mentioned, which is removed in the patch, was
 only added in the -4 package I previously unblocked. So removing it
 again with no explanation seems slightly odd.


Even in -4 it wasn't really added. If you inspect the long sed expression
that was removed
in -4 (which, in combination with a changed configuration file, was the
cause for
#769100), you'll see that all configuration variables are set to identical
values. The section was
added as the actual configuration file had no corresponding variables to
modify anymore.


 (Looking at it, yes the items it contains are indeed in the other patch,
 but that just makes things even more confusing. Why was it added in the
 first place, and why isn't the removal documented?)


I hope I answered why it was added. As for why it was removed or turned
into a patch:
Only for having the entire configuration setup in a patch (as in-place
modification is apparently
fragile). As the freeze policy states that only the diff between the
version in testing and the one
to be unblocked is relevant, I went for this modification in order to have
the end result less
complicated. Granted that the way towards it was a bit convoluted. I am
sorry that you had to
witness it that closely.

In any case, this may be academic, as condor appears to have picked up a
 dependency on the new version of globus-io, which is still blocked.


That is unfortunate. I hope for the best.

thanks in any case,

Michael


Bug#771419: unblock: condor/8.2.3~dfsg.1-4

2014-11-29 Thread Michael Hanke
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package condor

This update fixes RC bug #769100, which is a synonym for a whole family
of unreported bugs caused by a (now) inappropriate procedure to apply
the default configuration. The default config is now applied as a
dedicated patch, instead of assuming the existence of all relevant
config variables in a monolithic file -- like it used to be.

This update also includes the Dutch Debconf translation #766067.

This update does not include all available fixes from the upstream
bugfix release 8.2.4 -- the diff is relatively large, although most
changed lines affect literal strings in the code. In the interest of a
quick RC bug fix, these bugs are left as is for now.

unblock condor/8.2.3~dfsg.1-4

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (650, 'testing'), (600, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru condor-8.2.3~dfsg.1/debian/changelog condor-8.2.3~dfsg.1/debian/changelog
--- condor-8.2.3~dfsg.1/debian/changelog	2014-10-17 20:47:37.0 +0200
+++ condor-8.2.3~dfsg.1/debian/changelog	2014-11-29 10:53:23.0 +0100
@@ -1,3 +1,19 @@
+condor (8.2.3~dfsg.1-4) unstable; urgency=medium
+
+  * Adjust mechanism to apply the default Debian configuration to cope with
+the removal of the monolithic configuration file in the 8.2.x series.
+The default configuration is now applied as a patch to the table of
+parameters in the HTCondor sources (Closes: #769100).
+The report of leaving behind an unowned directory is merely a symptom of
+this bug.
+  * Adjust default configuration to make HTCondor work with Debian's
+ganglia (also see Ticket #4709). Thanks to Alex Waite for the fix.
+  * Add Debconf template translation:
+- Dutch -- courtesy of Frans Spiesschaert frans.spiesscha...@yucom.be.
+  (Closes: #766067)
+
+ -- Michael Hanke m...@debian.org  Sat, 29 Nov 2014 09:57:27 +0100
+
 condor (8.2.3~dfsg.1-3) unstable; urgency=medium
 
   * Modify the DMTCP shim script to work with the 2.x series of DMTCP.
@@ -98,7 +114,7 @@
 script.
   * Bumped Standards-version to 3.9.4; no changes necessary.
   * Add new dependency on libboost-test-dev.
-  * Disable installation of obsolete Pearl modules.
+  * Disable installation of obsolete Perl modules.
   * Fix DEP5 syntax error in debian/copyright.
 
  -- Michael Hanke m...@debian.org  Tue, 31 Dec 2013 10:22:08 +0100
diff -Nru condor-8.2.3~dfsg.1/debian/patches/default_debian_config condor-8.2.3~dfsg.1/debian/patches/default_debian_config
--- condor-8.2.3~dfsg.1/debian/patches/default_debian_config	1970-01-01 01:00:00.0 +0100
+++ condor-8.2.3~dfsg.1/debian/patches/default_debian_config	2014-11-29 10:32:03.0 +0100
@@ -0,0 +1,92 @@
+Description: Specify default config in the table of parameters
+  Previously, this configuration was shipped as a big config file.
+  This changed in the 8.2.x series and now needs to go into the table of
+  parameters -- which is not (yet) comprehensive. Hence, a few variables
+  still need to be present in the default config file too.
+Forwarded: not-needed
+Bug-Debian: http://bugs.debian.org/769100
+Author: Michael Hanke m...@debian.org
+
+--- a/src/condor_utils/param_info.in
 b/src/condor_utils/param_info.in
+@@ -1175,7 +1175,7 @@
+ tags=accountant,Accountant
+ 
+ [SPOOL]
+-default=$(LOCAL_DIR)/spool
++default=$(LOCAL_DIR)/spool/condor
+ type=path
+ reconfig=true
+ customization=seldom
+@@ -2169,7 +2169,7 @@
+ tags=daemon_core,daemon_core_main
+ 
+ [COLLECTOR_NAME]
+-default=My Pool - $(CONDOR_HOST)
++default=Debian Condor Pool - $(CONDOR_HOST)
+ type=string
+ reconfig=true
+ customization=seldom
+@@ -2773,7 +2773,7 @@
+ 
+ [MAIL]
+ # default location for mail on RHEL is /bin/mail, default on debian is /usr/bin/mail
+-default=/bin/mail
++default=/usr/bin/mail
+ win32_default=$(BIN)\condor_mail.exe
+ type=path
+ reconfig=true
+@@ -3572,7 +3572,7 @@
+ tags=c++_util,condor_config
+ 
+ [REQUIRE_LOCAL_CONFIG_FILE]
+-default=true
++default=false
+ win32_default=false
+ type=bool
+ reconfig=true
+@@ -4102,7 +4102,7 @@
+ tags=starter,StarterHookMgr
+ 
+ [JAVA_BENCHMARK_TIME]
+-default=2
++default=0
+ type=int
+ reconfig=true
+ customization=seldom
+@@ -6607,7 +6607,7 @@
+ tags=c++_util,condor_config
+ 
+ [GANGLIA_LIB64_PATH]
+-default=/lib64,/usr/lib64,/usr/local/lib64
++default=/lib,/usr/lib,/usr/local/lib
+ type=string
+ reconfig=true
+ customization=seldom
+@@ -6634,7 +6634,7 @@
+ tags=c++_util,condor_config
+ 
+ [GANGLIAD_METRICS_CONFIG_DIR]
+-default=$(RELEASE_DIR)/etc/condor/ganglia.d
++default=/etc/condor/ganglia.d
+ type=path
+ reconfig=true
+ customization=seldom
+@@ -6834,7 +6834,7 @@
+ review=?
+ 
+ [CONDOR_ADMIN]
+-default=root
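
Review bot: The `[SPOOL]` default changes from `$(LOCAL_DIR)/spool` to `$(LOCAL_DIR)/spool/condor`, which relocates the spool directory for every install that does not set SPOOL explicitly, and neither the patch Description nor the changelog mentions it; either keep the old location or state the resulting path and how existing job queues are carried over. The Description also says a few variables still need to be present in the default config file without naming them, and `REQUIRE_LOCAL_CONFIG_FILE` flipping to `false` means a missing local config file is no longer an error, which deserves a sentence there too.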

Minimal vs. proper fix of #769100 (htcondor is marked for auto-removal from testing)

2014-11-23 Thread Michael Hanke
Thanks for the report. I am CC'ing the Debian release team to get
feedback regarding an acceptable fix for Debian testing.

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769100

This bug is caused by the (now invalid) assumption of the Debian packaging to
find all relevant config variables in the main condor_config file (see
the various sed expressions in debian/rules).

However, as explained in

  https://htcondor-wiki.cs.wisc.edu/index.cgi/tktview?tn=4325

the mechanism for specifying the default configuration changed leading up to
the 8.2.x series.

The proper way to fix this is to move all default configuration settings from
debian/rules into a patch of src/condor_utils/param_info.in.

Alternatively, a CRED_STORE_DIR variable could be reintroduced into the
default config file shipped with the package, which would override this
particular (broken) default. The changes to the source package would be
minimal, but the general invalid approach to specifying a default
configuration would be kept.

While I have the attention of the release team, I'd like to ask for
feedback on pushing an upstream update into jessie. HTCondor uses the
odd/even version setup for stable and development releases. The 8.2.x
series is the stable branch that only sees fixes and no feature
additions. After the freeze of jessie, htcondor 8.2.4 has been released which
contains numerous bug fixes. An exhaustive list to the respective
tickets can be found here.

  http://research.cs.wisc.edu/htcondor/manual/v8.2.4/10_3Stable_Release.html

If approved, I'd like to update the package to 8.2.4, change the default
configuration handling to a generally valid approach, and include the new
translation available from the bug tracker.

Thanks in advance for your feedback.

Michael


Archive: https://lists.debian.org/20141123092042.GU10892@meiner



Re: Bug#688210: condor: Multiple security issues

2013-05-08 Thread Michael Hanke
Hi,

On Wed, May 8, 2013 at 10:22 AM, Julien Cristau jcris...@debian.org wrote:

 On Fri, Sep 21, 2012 at 13:40:13 +0200, Michael Hanke wrote:

  [CC the release team to get an opinion on incorporating bugfixes
   from upstream stable/bugfix releases during the freeze]
 
 So this wasn't resolved properly for wheezy.  If you feel that changing
 this (i.e. accepting minor upstream versions of condor) should be done
 for jessie, could we have that discussion (e.g. by filing a bug against
 release.debian.org) before the freeze, not right in the middle of it?
 I'm hoping that will have a better chance of getting somewhere.


Thanks for revisiting this issue.

It was resolved by not doing it this time. A better coordination would be
good and I'll do what you suggested. The issue came up too late for all
involved parties this time, but I am sure we can get this streamlined for
the next round.

The Condor package will see some changes over the next weeks and upstream
will get even more involved in the Debian packaging. Improved mutual
awareness of procedures should help for jessie.

Cheers,

Michael


Bug#691155: unblock: fsl/4.1.9-7

2012-10-22 Thread Michael Hanke
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package fsl

It fixes http://bugs.debian.org/689166 (prevent regeneration of
TclIndex). The full source diff is attached. It basically removes the
postinst script that performed the regeneration. All other changes are
necessary to prevent failure due to the removal of the postinst script.
Full source diff to 4.1.9-6 is attached.

unblock fsl/4.1.9-7

-- System Information:
Debian Release: wheezy/sid
Architecture: i386 (i686)

Kernel: Linux 3.2.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff --git a/debian/changelog b/debian/changelog
index 72fd4f8..3b037a8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+fsl (4.1.9-7) unstable; urgency=low
+
+  * Stop regenerating tclIndex during postinst. This is no longer necessary
+since libfslio and its TCL scripts are built from the FSL source package
+-- which is since 4.1.1 or four years (Closes: #689166).
+
+ -- Michael Hanke m...@debian.org  Thu, 06 Sep 2012 09:10:33 +0200
+
 fsl (4.1.9-6) unstable; urgency=low
 
   * Declare a conflict to pre-4.1.9-5 fsl4.1-doc packages. Otherwise,
diff --git a/debian/fsl-4.1.postinst b/debian/fsl-4.1.postinst
deleted file mode 100644
index 70cd86c..000
--- a/debian/fsl-4.1.postinst
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/sh
-# postinst script for FSL
-# This script is used to regenerate the tclIndex file after placing a link to
-# fslio.tcl in the main tcl path of FSL.
-
-set -e
-
-case $1 in
-	configure)
-		( cd /usr/share/fsl/4.1/tcl  echo 'auto_mkindex . *.tcl' | tclsh )
-	;;
-
-	abort-upgrade|abort-remove|abort-deconfigure)
-	#nothing
-	;;
-
-	*)
-		echo postinst called with unknown argument \`$1' 2
-		exit 1
-	;;
-esac
-
-#DEBHELPER#
-
-exit 0
-
-
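
Review bot: With the `configure)` branch gone, nothing runs `auto_mkindex` in /usr/share/fsl/4.1/tcl any more, so the package has to ship a tclIndex built at build time, and on upgrade the copy generated by the old postinst must end up either replaced by a dpkg-owned file or removed. Please confirm which of the two applies; the diff shown does not add a build step or a cleanup for it.
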
diff --git a/debian/rules b/debian/rules
index 6cde284..7ca22e6 100755
--- a/debian/rules
+++ b/debian/rules
@@ -76,7 +76,7 @@ controlfiles:
 			 debian/$$(basename $$f) ; \
 	done
 	# renamed files that need to have a version-specific name
-	for suffix in 1 desktop dirs install links lintian-overrides manpages menu postinst docs; do \
+	for suffix in 1 desktop dirs install links lintian-overrides manpages menu docs; do \
 		for prefix in fsl fsl-doc nudge; do \
 		[ -f debian/$$prefix.$$suffix ]   \
 			mv debian/$$prefix.$$suffix debian/$$prefix-$(FSLMAJORVERSION).$$suffix || true ; \
@@ -95,7 +95,7 @@ cleancontrolfiles:
 	done
 	rm -f debian/fsl.preinst
 	# versioned files
-	rm -f debian/{fsl,fsl-doc,nudge}-$(FSLMAJORVERSION).{1,desktop,dirs,install,links,lintian-overrides,manpages,menu,postinst,preinst,docs}
+	rm -f debian/{fsl,fsl-doc,nudge}-$(FSLMAJORVERSION).{1,desktop,dirs,install,links,lintian-overrides,manpages,menu,preinst,docs}
 
 # build and install extra
 biextra-%:
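
Review bot: The changed `rm -f debian/{fsl,fsl-doc,nudge}-$(FSLMAJORVERSION).{...}` line relies on brace expansion, which is a bashism; make runs recipes with /bin/sh unless debian/rules sets SHELL, and with dash the braces are taken literally while `-f` hides the failure. If SHELL is not set to bash elsewhere in the file, spell the list out with a loop, as the `for suffix in ...` recipe in the previous hunk does.
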
diff --git a/debian/templates/fsl.postinst b/debian/templates/fsl.postinst
deleted file mode 100644
index ca112a6..000
--- a/debian/templates/fsl.postinst
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/sh
-# postinst script for FSL
-# This script is used to regenerate the tclIndex file after placing a link to
-# fslio.tcl in the main tcl path of FSL.
-
-set -e
-
-case $1 in
-	configure)
-		( cd /usr/share/fsl/#FSLMVERSION#/tcl  echo 'auto_mkindex . *.tcl' | tclsh )
-	;;
-
-	abort-upgrade|abort-remove|abort-deconfigure)
-	#nothing
-	;;
-
-	*)
-		echo postinst called with unknown argument \`$1' 2
-		exit 1
-	;;
-esac
-
-#DEBHELPER#
-
-exit 0
-
-


Bug#688945: unblock: condor/7.8.2~dfsg.1-1+deb7u1

2012-09-27 Thread Michael Hanke
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package condor. thanks!

The version in unstable fixes four CVE issues that are present in the
current version in wheezy.

Changelog
---------

condor (7.8.2~dfsg.1-1+deb7u1) unstable; urgency=high

  * Security update. This release addresses four CVE issues (Closes: #688210):
- Security Item: Some code that was no longer used was removed. The presence
  of this code could expose information which would allow an attacker to
  control another user's job. (CVE-2012-3493)
- Security Item: Some code that was no longer used was removed. The presence
  of this code could have lead to a Denial-of-Service attack which would
  allow an attacker to remove another user's idle job. (CVE-2012-3491)
- Security Item: Filesystem (FS) authentication was improved to check the
  UNIX permissions of the directory used for authentication. Without this,
  an attacker may have been able to impersonate another submitter on the
  same submit machine. (CVE-2012-3492)
- Security item: Check setuid return value (CVE-2012-3490)

 -- Michael Hanke m...@debian.org  Wed, 26 Sep 2012 16:10:17 +0200

Debdiff
-------

% debdiff condor_7.8.2\~dfsg.1-1_i386.changes 
condor_7.8.2\~dfsg.1-1+deb7u1_i386.changes
File lists identical (after any substitutions)

Control files of package condor: lines which differ (wdiff format)
--
Installed-Size: [-12465-] {+12464+}
Version: [-7.8.2~dfsg.1-1-] {+7.8.2~dfsg.1-1+deb7u1+}

Control files of package condor-dbg: lines which differ (wdiff format)
--
Depends: condor (= [-7.8.2~dfsg.1-1)-] {+7.8.2~dfsg.1-1+deb7u1)+}
Version: [-7.8.2~dfsg.1-1-] {+7.8.2~dfsg.1-1+deb7u1+}

Control files of package condor-dev: lines which differ (wdiff format)
--
Version: [-7.8.2~dfsg.1-1-] {+7.8.2~dfsg.1-1+deb7u1+}

Control files of package condor-doc: lines which differ (wdiff format)
--
Installed-Size: [-6132-] {+6133+}
Version: [-7.8.2~dfsg.1-1-] {+7.8.2~dfsg.1-1+deb7u1+}

Control files of package libclassad-dev: lines which differ (wdiff format)
--
Depends: libclassad3 (= [-7.8.2~dfsg.1-1)-] {+7.8.2~dfsg.1-1+deb7u1)+}
Installed-Size: [-2158-] {+2159+}
Version: [-7.8.2~dfsg.1-1-] {+7.8.2~dfsg.1-1+deb7u1+}

Control files of package libclassad3: lines which differ (wdiff format)
---
Version: [-7.8.2~dfsg.1-1-] {+7.8.2~dfsg.1-1+deb7u1+}



Added patches are attached.

unblock condor/7.8.2~dfsg.1-1+deb7u1


Archive: http://lists.debian.org/20120927073326.9831.317.reportbug@meiner



Bug#688945: unblock: condor/7.8.2~dfsg.1-1+deb7u1

2012-09-27 Thread Michael Hanke
On Thu, Sep 27, 2012 at 09:33:26AM +0200, Michael Hanke wrote:
 Added patches are attached.

Now they are.


-- 
Michael Hanke
http://mih.voxindeserto.de
From 94e84ce4ff93ea071ca17bcf823918432749c868 Mon Sep 17 00:00:00 2001
From: Matthew Farrellee m...@redhat.com
Date: Fri, 10 Aug 2012 12:36:44 -0400
Subject: [PATCH] Check setuid return value (7.6 version), #3165

Signed-off-by: Timothy St. Clair tstcl...@redhat.com
---
 src/condor_utils/my_popen.cpp |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/src/condor_utils/my_popen.cpp
+++ b/src/condor_utils/my_popen.cpp
@@ -397,7 +397,7 @@
 		seteuid( 0 );
 		setgroups( 1, egid );
 		setgid( egid );
-		setuid( euid );
+		if( setuid( euid ) ) _exit(ENOEXEC); // Unsafe?
 
 			/* before we exec(), clear the signal mask and reset SIGPIPE
 			   to SIG_DFL
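
Review bot: Only `setuid( euid )` is checked here; the `seteuid( 0 )`, `setgroups( 1, egid )` and `setgid( egid )` calls right above it still ignore their return values, so a failed group drop lets the child go on to exec with its original groups. Check each of them the same way and `_exit` on failure.
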
@@ -677,7 +677,7 @@
 		seteuid( 0 );
 		setgroups( 1, egid );
 		setgid( egid );
-		setuid( euid );
+		if( setuid( euid ) ) _exit(ENOEXEC); // Unsafe?
 
 			/* Now it's safe to exec whatever we were given */
 		execv( cmd, const_castchar *const*(argv) );
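
Review bot: The `// Unsafe?` comment on the new `if( setuid( euid ) ) _exit(ENOEXEC);` line leaves an open question inside a security fix; resolve it or say what is in doubt. `ENOEXEC` as the exit status also makes a failed privilege drop look like an exec format error to the parent, so a distinct status would make this failure distinguishable.
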
diff --git a/src/condor_schedd.V6/schedd.cpp b/src/condor_schedd.V6/schedd.cpp
index 74e2a9e..e59ddf8 100644
--- a/src/condor_schedd.V6/schedd.cpp
+++ b/src/condor_schedd.V6/schedd.cpp
@@ -2961,79 +2961,6 @@ Scheduler::WriteAttrChangeToUserLog( const char* job_id_str, const char* attr,
 
 
 int
-Scheduler::abort_job(int, Stream* s)
-{
-	PROC_ID	job_id;
-	int nToRemove = -1;
-
-	// First grab the number of jobs to remove/hold
-	if ( !s-code(nToRemove) ) {
-		dprintf(D_ALWAYS,abort_job() can't read job count\n);
-		return FALSE;
-	}
-
-	if ( nToRemove  0 ) {
-		// We are being told how many and which jobs to abort
-
-		dprintf(D_FULLDEBUG,abort_job: asked to abort %d jobs\n,nToRemove);
-
-		while ( nToRemove  0 ) {
-			if( !s-code(job_id) ) {
-dprintf( D_ALWAYS, abort_job() can't read job_id #%d\n,
-	nToRemove);
-return FALSE;
-			}
-			abort_job_myself(job_id, JA_REMOVE_JOBS, false, true );
-			nToRemove--;
-		}
-		s-end_of_message();
-	} else {
-		// We are being told to scan the queue ourselves and abort
-		// any jobs which have a status = REMOVED or HELD
-		ClassAd *job_ad;
-		static bool already_removing = false;	// must be static!!!
-		char constraint[120];
-
-		// This could take a long time if the queue is large; do the
-		// end_of_message first so condor_rm does not timeout. We do not
-		// need any more info off of the socket anyway.
-		s-end_of_message();
-
-		dprintf(D_FULLDEBUG,abort_job: asked to abort all status REMOVED/HELD jobs\n);
-
-		// if already_removing is true, it means the user sent a second condor_rm
-		// command before the first condor_rm command completed, and we are
-		// already in the below job scan/removal loop in a different stack frame.
-		// so we should just return here.
-		if ( already_removing ) {
-			return TRUE;
-		}
-
-		snprintf(constraint,120,%s == %d || %s == %d,ATTR_JOB_STATUS,REMOVED,
- ATTR_JOB_STATUS,HELD);
-
-		job_ad = GetNextJobByConstraint(constraint,1);
-		if ( job_ad ) {
-			already_removing = true;
-		}
-		while ( job_ad ) {
-			if ( (job_ad-LookupInteger(ATTR_CLUSTER_ID,job_id.cluster) == 1) 
- (job_ad-LookupInteger(ATTR_PROC_ID,job_id.proc) == 1) ) {
-
- abort_job_myself(job_id, JA_REMOVE_JOBS, false, true );
-
-			}
-			FreeJobAd(job_ad);
-
-			job_ad = GetNextJobByConstraint(constraint,0);
-		}
-		already_removing = false;
-	}
-
-	return TRUE;
-}
-
-int
 Scheduler::transferJobFilesReaper(int tid,int exit_status)
 {
 	ExtArrayPROC_ID *jobs = NULL;
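
Review bot: The removed `abort_job()` passed every `job_id` read from the stream straight to `abort_job_myself()` with no check that the requester owns the job, so dropping it is the right call; what the diff does not show is whether any tool still sends this command and which remaining handler covers job removal. State that in the patch description so the removal can be reviewed against its callers.
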
@@ -10706,9 +10633,6 @@ Scheduler::Register()
 	 daemonCore-Register_Command( RESCHEDULE, RESCHEDULE, 
 			(CommandHandlercpp)Scheduler::reschedule_negotiator, 
 			reschedule_negotiator, this, WRITE);
-	 daemonCore-Register_CommandWithPayload(KILL_FRGN_JOB, KILL_FRGN_JOB, 
-			(CommandHandlercpp)Scheduler::abort_job, 
-			abort_job, this, WRITE);
 	 daemonCore-Register_CommandWithPayload(ACT_ON_JOBS, ACT_ON_JOBS, 
 			(CommandHandlercpp)Scheduler::actOnJobs, 
 			actOnJobs, this, WRITE, D_COMMAND,
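
Review bot: With the `KILL_FRGN_JOB` registration removed the schedd no longer has a handler for that command, but the command id itself is defined outside this diff; retire the constant as well, or say why it stays, so that nothing re-registers it later by accident.
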
diff --git a/src/condor_schedd.V6/scheduler.h b/src/condor_schedd.V6/scheduler.h
index 863189e..842b81f 100644
--- a/src/condor_schedd.V6/scheduler.h
+++ b/src/condor_schedd.V6/scheduler.h
@@ -301,9 +301,6 @@ class Scheduler : public Service
 		// requires a new round of negotiation
 	voidneedReschedule();
 
-	// job managing
-	intabort_job(int, Stream *);
-
 	// [IPV6] These two functions are never called by others.
 	// It is non-IPv6 compatible, though.
 	void			send_all_jobs(ReliSock*, struct sockaddr_in*);
From 1db67805b2f9ec0f20548b0307c17cc1eb1f Mon Sep 17 00:00:00 2001
From: Matthew Farrellee m...@redhat.com
Date: Mon, 30 Jul 2012 15:31:37 -0700
Subject: [PATCH] FS authentication requires authentication directory to be
 mode=0700, #3166

Signed-off-by: Zach Miller zmil...@cs.wisc.edu
---
 src/condor_io/condor_auth_fs.cpp |   15 ++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff

Re: Bug#688210: condor: Multiple security issues

2012-09-21 Thread Michael Hanke
 a bug that caused an invalid proxy to be delegated when refreshing
the job's X.509 proxy when configuration variable
DELEGATE_JOB_GSI_CREDENTIALS_LIFETIME was set to 0. (Ticket #3059).
13. Fixed a bug in which DAGMan did not account properly for jobs being
suspended and then unsuspended. (Ticket #3108).
14. condor_dagman now takes note of job reconnect failed events (event code 24)
in the user log, for counting idle jobs. (Ticket #3189).
15. Job IDs generated by NorduGrid ARC 12.05 and above are now properly
recognized. (Ticket #3062).
16. Fixed a bug in which Condor would not mark grid-type nordugrid jobs as
Running due to variation in the format of the job status value. NorduGrid
ARC job statuses of the form INLRMS: ? are now properly recognized both
with and without the space after the colon. (Ticket #3118).
17. The condor_gridmanager now properly handles X.509 proxy files that are
specified in the job ClassAd with a relative path name. (Ticket #3027).
18. Fixed a bug that caused daemon names, as set in configuration variables
such as STARTD_NAME, containing a period character to be ignored.
(Ticket #3172).
19. Fixed a bug that prevented the condor_schedd from removing old execute
directories for local universe jobs on start up. (Ticket #3176).
20. The condor_defrag daemon sometimes scheduled fewer draining attempts
than specified. (Ticket #3199).
21. Fixed a bug that could cause the condor_gridmanager to crash if a grid
universe job's X.509 user certificate did not contain an e-mail address.
(Ticket #3203).
22. Fixed a bug introduced in Condor version 7.7.5 that caused multiple
condor_schedd daemons running on the same machine to share the job queue
with each other due to way in which the default value of configuration
variable JOB_QUEUE_LOG was set. (Ticket #3196).
23. Fixed a bug that could cause condor_q to not print all jobs when it
thought it was querying an old condor_schedd daemon. (Ticket #3206).
24. Fixed a bug that could cause a job's standard output and standard error
files to be written in the job's initial working directory, despite the
submit description file's specification to write them to a different
directory. This would happen when the file transfer mechanism was used,
the execution machine was running Condor version 7.7.1 or earlier, and
either Condor's security negotiation was disabled or the configuration
variable SEC_ENABLE_MATCH_PASSWORD_AUTHENTICATION was set to True.
(Ticket #3208).
25. The log message generated when the EXECUTE directory is missing is now
more helpful. (Ticket #3194).
26. The load average was incorrect for non-English versions on Windows
platforms. This has been fixed for Windows Vista and more recent versions.
(Ticket #3182).
27. The command condor_q -run now displays correct HOST field information for
local universe jobs. (Ticket #3150).


Given these facts, and unless someone convinces me otherwise, I'm
inclined to upload Condor 7.8.4 with all the bugfixes to unstable. All
the sites I have talked to that use the Debian Condor package have no
interest in testing a version that has known but unfixed bugs. If the
release team objects to a transition of this package into wheezy, a
security-fix-only version could go through proposed-updates. The
reduction in testing exposure for this package from by-passing unstable
is probably negligible anyway.


Cheers,

Michael

-- 
Michael Hanke
http://mih.voxindeserto.de


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120921113956.GA13541@meiner



Ping! (was: Chances to obtain a freeze-exception for condor?)

2012-09-10 Thread Michael Hanke
On Mon, Aug 27, 2012 at 10:00:49PM +0200, Michael Hanke wrote:
> On Thu, Aug 23, 2012 at 10:39:48AM +0200, Michael Hanke wrote:
> > I have uploaded an updated 'condor' package to experimental. It fixes
> > all remaining (user-relevant) annoyances of the current version in
> > testing. The fixes are only a few lines per bug, and they are only
> > changes in the packaging itself. The full diff to the version in testing
> > is attached. Here are the stats (most lines are comments/docs):
> >
> >  debian/changelog   |   18 ++
> >  debian/condor.links|1 -
> >  debian/condor.postinst |   24 
> >  debian/condor_qsub |3 +--
> >
> > Bugs fixed are: #684667, #684879, and #678425 (none of them RC).
> >
> > Would you allow for a freeze exception of an upload to unstable with these
> > changes (or any subset you would name)?
>
> And what about FTBFS fixes for alpha?
>
> http://bugs.debian.org/685892
>
> Michael

-- 
Michael Hanke
http://mih.voxindeserto.de


Archive: http://lists.debian.org/20120910103827.GD22016@meiner



Re: Chances to obtain a freeze-exception for condor?

2012-08-27 Thread Michael Hanke
On Thu, Aug 23, 2012 at 10:39:48AM +0200, Michael Hanke wrote:
> I have uploaded an updated 'condor' package to experimental. It fixes
> all remaining (user-relevant) annoyances of the current version in
> testing. The fixes are only a few lines per bug, and they are only
> changes in the packaging itself. The full diff to the version in testing
> is attached. Here are the stats (most lines are comments/docs):
>
>  debian/changelog   |   18 ++
>  debian/condor.links|1 -
>  debian/condor.postinst |   24 
>  debian/condor_qsub |3 +--
>
> Bugs fixed are: #684667, #684879, and #678425 (none of them RC).
>
> Would you allow for a freeze exception of an upload to unstable with these
> changes (or any subset you would name)?

And what about FTBFS fixes for alpha?

http://bugs.debian.org/685892

Michael


-- 
Michael Hanke
http://mih.voxindeserto.de


Archive: http://lists.debian.org/20120827200049.GA22809@meiner



Chances to obtain a freeze-exception for condor?

2012-08-23 Thread Michael Hanke
Dear release team,

I have uploaded an updated 'condor' package to experimental. It fixes
all remaining (user-relevant) annoyances of the current version in
testing. The fixes are only a few lines per bug, and they are only
changes in the packaging itself. The full diff to the version in testing
is attached. Here are the stats (most lines are comments/docs):

 debian/changelog   |   18 ++
 debian/condor.links|1 -
 debian/condor.postinst |   24 
 debian/condor_qsub |3 +--

Bugs fixed are: #684667, #684879, and #678425 (none of them RC).

Would you allow for a freeze exception of an upload to unstable with these
changes (or any subset you would name)?

Thanks in advance,

Michael


-- 
Michael Hanke
http://mih.voxindeserto.de
diff --git a/debian/changelog b/debian/changelog
index 052d595..7d82e0b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+condor (7.8.2~dfsg.1-2) experimental; urgency=low
+
+  * Make postinst script more robust against missing config variables (Closes:
+#684667). Patch is courtesy of Tim Cartwright.
+  * Disable Condor's file transfer mechanism for jobs submitted via
+condor_qsub, because a shared filesystem is assumed for these jobs
+(Closes: #684879).
+  * This time really remove dangling symlink /usr/sbin/condor - ../bin/condor.
+This file no longer exists (Closes: #678425).
+  * Support deployment scenario where the administrative 'condor' user is not
+a local system user, but is shared (e.g. through LDAP) by all machines in a
+Condor pool (see installation manual section 3.2). The condor package will
+accept to run under an existing non-system user account named 'condor',
+but only when that account is locked, i.e. not login is possible
+(Closes: #684463).
+
+ -- Michael Hanke m...@debian.org  Sun, 12 Aug 2012 19:20:35 +0200
+
 condor (7.8.2~dfsg.1-1) unstable; urgency=high
 
   * Upstream security release. Prevent an attacker who is manipulating
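Review bot: the last new changelog item ends "i.e. not login is possible", which should read "no login is possible", and its statement that the account must be locked is stronger than what the postinst change in this same diff tests (the login shell field only), so the wording should match the check. The item closing #684463 is also absent from the list of fixed bugs in the covering mail (#684667, #684879, #678425); the release team should be told about it explicitly.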
diff --git a/debian/condor.links b/debian/condor.links
deleted file mode 100644
index 50536d1..000
--- a/debian/condor.links
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/condor /usr/sbin/condor
diff --git a/debian/condor.postinst b/debian/condor.postinst
index 04e4584..0cc4487 100755
--- a/debian/condor.postinst
+++ b/debian/condor.postinst
@@ -18,8 +18,7 @@ condor_debconf_cfg=/etc/condor/config.d/00debconf
 
 condor_make_homedir() {
 for dlabel in LOCAL_UNIV_EXECUTE CRED_STORE_DIR EXECUTE LOCK LOG SPOOL; do
-dname=$(condor_config_val $dlabel)
-if [ $? -eq 0 ]; then
+if dname=$(condor_config_val $dlabel 2/dev/null); then
 mkdir -p $dname
 chown -R $condor_user: $dname
 else
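Review bot: in condor_make_homedir the rewritten condor_config_val call now discards the tool's error output, so the else branch is the only place a missing variable gets reported and it should name $dlabel. The unchanged mkdir -p and chown -R lines still run as root on whatever path the configuration returns; a guard that dname is non-empty and absolute before those two lines would cover an empty or relative value as well as a missing one.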
@@ -165,8 +164,25 @@ case $1 in
 configure)
 # according to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621833#119
 # this should always work
-adduser --system --group --gecos $condor_gecos --home $condor_home \
---disabled-password --disabled-login $condor_user --quiet
+if ! adduser --system --group --gecos $condor_gecos --home $condor_home \
+--disabled-password --disabled-login $condor_user --quiet 2/dev/null; then
+# the only time where it would fail, is when there is an existing
+# non-system 'condor' user. This could happen e.g. in a heterogenous
+# Condor pool (various OSes) where the adminstrative Condor user
+# comes from LDAP and the home dir is shared across machines. This
+# is a supported deployment scenario for Condor (see installation
+# manual section 3.2)
+# the only problem is the possibility to conflict with an actual
+# human user with the same name, so only proceed when the
+# respective user is locked down
+SH=$(getent passwd | egrep '^condor:'| cut -d : -f 7)
+if [ $SH = /bin/false -o $SH = /usr/sbin/nologin ]; then
+echo WARNING: Condor will be running under an existing non-system user account 'condor'.
+else
+echo ERROR: Condor cannot run under unlocked non-system account 'condor' 12
+exit 1
+fi
+fi
 # make sure the config and home dir are complete
 condor_local_cfg_template
 condor_put_debconf_cfg
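Review bot: the test on SH in the new adduser fallback treats a login shell of /bin/false or /usr/sbin/nologin as proof that the existing 'condor' account is locked, but the shell field says nothing about the password state, and a non-interactive shell does not stop authentication to services that ignore it. Two further points in the same block: every adduser failure is taken to mean "existing non-system user" while its error output is discarded, so any other failure cause reaches this branch unreported, and getent passwd condor would return the one entry directly instead of filtering the whole database with egrep, which can yield more than one line. Suggest checking the lock state explicitly where it is available and printing the adduser error when the fallback is taken.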
diff --git a/debian/condor_qsub b/debian/condor_qsub
index 4673456..078bd0c 100755
--- a/debian/condor_qsub
+++ b/debian/condor_qsub
@@ -338,8 +338,7 @@ submit_file=$(mktemp --tmpdir condor_qsub.X)
 cat  EOT  $submit_file
 # condor_qsub call: $@
 universe = vanilla
-should_transfer_files = YES
-when_to_transfer_output = ON_EXIT
+should_transfer_files = NO
 #log = $log_file
 EOT
 
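Review bot: should_transfer_files = NO is now hard-coded in the generated submit file, so every condor_qsub job depends on the submit directory being visible on the execute node and there is no switch to get the previous behaviour back. Please state the shared-filesystem requirement in the condor_qsub usage text, and consider an option that restores file transfer for pools without a shared filesystem.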


Bug#685070: unblock: condor/7.8.2~dfsg.1-1

2012-08-20 Thread Michael Hanke
Hi,

On Fri, Aug 17, 2012 at 08:36:02AM +0200, Michael Hanke wrote:
> If you want more specific information, please let me know what you need
> and I'll get upstream to chime in.

This is just a ping. The package would be ready to migrate. Is there
anything else you require from me for a migration, or any other
information that I could get you?

Thanks,

Michael

-- 
Michael Hanke
http://mih.voxindeserto.de


Archive: http://lists.debian.org/20120820073737.GA27288@meiner



Bug#685070: unblock: condor/7.8.2~dfsg.1-1

2012-08-17 Thread Michael Hanke
On Thu, Aug 16, 2012 at 09:43:20PM +0100, Adam D. Barratt wrote:
> On Thu, 2012-08-16 at 13:20 +0200, Michael Hanke wrote:
> > I have just made an upload of an upstream security fix release
> > addressing CVE-2012-3416. I decided to upload this upstream release
> > instead of cherry-picking the security fix, because this release only
> > addresses this fix anyway. I'm attaching the full diff to the current
> > version in wheezy. Here are the stats:
>
> Is this issue specifically related to IPv6 addresses, or is the file in
> which it's fixed a red herring?

Yes, that confused me too. However, AFAIK, this is not limited to IPv6.
Here is the full advisory:

http://research.cs.wisc.edu/condor/security/vulnerabilities/CONDOR-2012-0002.html

If you want more specific information, please let me know what you need
and I'll get upstream to chime in.

Thanks,

Michael

-- 
Michael Hanke
http://mih.voxindeserto.de


Archive: http://lists.debian.org/20120817063602.GB4801@meiner
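
Forward-confirmed reverse DNS is the general defence against the spoofed reverse-DNS problem that the CVE-2012-3416 changelog entry in this thread describes; the sketch below is an added example, not Condor's code and not taken from the upstream fix. The resolver hooks, the allow pattern and all DNS records are constructed assumptions, and the last record shows that the check applies to IPv4 and IPv6 peers alike.

```python
import fnmatch
import ipaddress
import socket

# Constructed DNS data (documentation address ranges, made-up names).
# The pool owner controls the forward zone; whoever holds an address block
# controls its reverse zone and can publish any PTR name there.
CONSTRUCTED_PTR = {
    "192.0.2.10": ["submit.pool.example"],     # genuine pool member
    "203.0.113.7": ["submit.pool.example"],    # outsider's PTR claims a pool name
    "2001:db8::10": ["node6.pool.example."],   # genuine member reached over IPv6
}
CONSTRUCTED_FORWARD = {
    "submit.pool.example": ["192.0.2.10"],
    "node6.pool.example": ["2001:0DB8:0:0:0:0:0:10"],
}


def fake_reverse(ip):
    """Offline stand-in for a PTR lookup over the constructed records."""
    return CONSTRUCTED_PTR.get(ip, [])


def fake_forward(name):
    """Offline stand-in for an A/AAAA lookup over the constructed records."""
    return CONSTRUCTED_FORWARD.get(name, [])


def system_reverse(ip):
    """PTR lookup through the system resolver; returns candidate names."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name] + list(aliases)


def system_forward(name):
    """A/AAAA lookup through the system resolver; returns address strings."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


def _normalise(name):
    return name.rstrip(".").lower()


def naive_allowed(peer_ip, patterns, reverse=system_reverse):
    """Weak form: trusts whatever name the peer's reverse zone publishes."""
    return any(fnmatch.fnmatchcase(_normalise(name), pattern)
               for name in reverse(peer_ip) for pattern in patterns)


def verified_hostnames(peer_ip, reverse=system_reverse, forward=system_forward):
    """Return only the PTR names whose forward records include peer_ip."""
    peer = ipaddress.ip_address(peer_ip)
    confirmed = []
    for raw in reverse(peer_ip):
        name = _normalise(raw)
        for addr in forward(name):
            try:
                # Compare parsed addresses, not strings; drop any zone id.
                candidate = ipaddress.ip_address(addr.split("%", 1)[0])
            except ValueError:
                continue
            if candidate == peer:
                confirmed.append(name)
                break
    return confirmed


def host_allowed(peer_ip, patterns, reverse=system_reverse, forward=system_forward):
    """Hardened form: match allow patterns against confirmed names only."""
    return any(fnmatch.fnmatchcase(name, pattern)
               for name in verified_hostnames(peer_ip, reverse, forward)
               for pattern in patterns)


if __name__ == "__main__":
    allow = ["*.pool.example"]  # hypothetical host-based allow list
    for ip in CONSTRUCTED_PTR:
        print(ip,
              "naive:", naive_allowed(ip, allow, fake_reverse),
              "verified:", host_allowed(ip, allow, fake_reverse, fake_forward))
```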



Bug#685070: unblock: condor/7.8.2~dfsg.1-1

2012-08-16 Thread Michael Hanke
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package condor

I have just made an upload of an upstream security fix release
addressing CVE-2012-3416. I decided to upload this upstream release
instead of cherry-picking the security fix, because this release only
addresses this fix anyway. I'm attaching the full diff to the current
version in wheezy. Here are the stats:

 CMakeLists.txt  |2 +-
 debian/changelog|9 +
 doc/condor-macros.tex   |2 +-
 doc/version-history/7-8.history.tex |   58 -
 nmi_tools/condor_nmi_submit |   49 ++--
 nmi_tools/glue/SubmitInfo.pm|  423 ++-
 nmi_tools/nmi-build-platforms   |6 +-
 src/condor_utils/ipv6_hostname.cpp  |   70 +-
 8 files changed, 178 insertions(+), 441 deletions(-)

The fix is in src/condor_utils/... CMakeLists only reflects the version
number change. doc/... is the upstream changelog item. And the changes
in nmi_tools/ are concerned with the upstream build and test framework
for pushing out this release. The latter code is just dead weight and
is not built, installed or otherwise touched by the Debian package.

Thanks

unblock condor/7.8.2~dfsg.1-1

-- System Information:
Debian Release: wheezy/sid
Architecture: i386 (i686)

Kernel: Linux 3.2.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff --git a/CMakeLists.txt b/CMakeLists.txt
index e34ef70..afce6ea 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -29,7 +29,7 @@ set(PACKAGE condor)
 #   Condor and other systems parse this number. Keep it simple:
 #   Number.Number.Number. Do nothing else.  If you need to add
 #   more information, PRE_RELEASE is usually the right location.
-set(VERSION 7.8.1)
+set(VERSION 7.8.2)
 
 # Set PRE_RELEASE to either a string (i.e. PRE-RELEASE-UWCS) or OFF
 #   This shuld be PRE-RELEASE-UWCS most of the time, and OFF when
diff --git a/debian/changelog b/debian/changelog
index f0d1789..052d595 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+condor (7.8.2~dfsg.1-1) unstable; urgency=high
+
+  * Upstream security release. Prevent an attacker who is manipulating
+reverse-DNS entries and is able to connect to a Condor daemon to gain
+access to a Condor pool that is using DNS/hostname host-based authentication
+(only). CVE-2012-3416
+
+ -- Michael Hanke m...@debian.org  Thu, 16 Aug 2012 08:32:49 +0200
+
 condor (7.8.1~dfsg.1-2) unstable; urgency=low
 
   * Remove dangling symlink /usr/sbin/condor - ../bin/condor. This file no
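Review bot: the new 7.8.2~dfsg.1-1 entry names CVE-2012-3416 but not the upstream advisory, and the trailing "(only)" is ambiguous about what it restricts. Suggest citing CONDOR-2012-0002 and saying outright that pools relying solely on DNS/hostname host-based authentication are the ones affected, so an administrator can tell from the changelog whether the urgency=high update applies.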
diff --git a/doc/condor-macros.tex b/doc/condor-macros.tex
index 75e2ecb..b7bd2b8 100644
--- a/doc/condor-macros.tex
+++ b/doc/condor-macros.tex
@@ -5,7 +5,7 @@
 %  Set up version, author and copyright notices
 %
 \newcommand{\AuthorNotice}{Condor Team, University of Wisconsin--Madison}
-\newcommand{\VersionNotice}{Version 7.8.1}
+\newcommand{\VersionNotice}{Version 7.8.2}
 \newcommand{\CondorR}{\Reg{Condor}}
 
 \newcommand{\CopyrightNotice}{
diff --git a/doc/version-history/7-8.history.tex b/doc/version-history/7-8.history.tex
index e7bb224..cbf3328 100644
--- a/doc/version-history/7-8.history.tex
+++ b/doc/version-history/7-8.history.tex
@@ -16,6 +16,61 @@ New features will be added in the 7.9.x development series.
 The details of each version are described below.
 
 %%
+\subsection*{\label{sec:New-7-8-2}Version 7.8.2}
+%%
+
+\noindent Release Notes:
+
+\begin{itemize}
+
+\item Condor version 7.8.2 released on August 14, 2012.
+
+\item \Security Fixed a critical problem with DNS handling.
+
+\end{itemize}
+
+\noindent New Features:
+
+\begin{itemize}
+
+\item None.
+
+\end{itemize}
+
+\noindent Configuration Variable and ClassAd Attribute Additions and Changes:
+
+\begin{itemize}
+
+\item None.
+
+\end{itemize}
+
+\noindent Bugs Fixed:
+
+\begin{itemize}
+
+\item \Security Fixed a critical problem with DNS handling.
+
+\end{itemize}
+
+\noindent Known Bugs:
+
+\begin{itemize}
+
+\item None.
+
+\end{itemize}
+
+\noindent Additions and Changes to the Manual:
+
+\begin{itemize}
+
+\item None.
+
+\end{itemize}
+
+
+%%
 \subsection*{\label{sec:New-7-8-1}Version 7.8.1}
 %%
 
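Review bot: the Release Notes and Bugs Fixed items added for 7.8.2 both say only "Fixed a critical problem with DNS handling", which gives an administrator no way to judge exposure. The entry should carry the CVE number (CVE-2012-3416, per the debian/changelog hunk in this same diff) and name the affected configuration, host-based authentication by DNS name.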
@@ -23,8 +78,7 @@ The details of each version are described below.
 
 \begin{itemize}
 
-\item Condor version 7.8.1 not yet released.
-%\item Condor version 7.8.1 released on Month Date, 2012.
+\item Condor version 7.8.1 released on June 15, 2012.
 
 \end{itemize}
 
diff --git a/nmi_tools/condor_nmi_submit b/nmi_tools/condor_nmi_submit
index 27457ff..9c0751d 100755
--- a/nmi_tools/condor_nmi_submit
+++ b

Please grant freeze exception for condor

2012-07-26 Thread Michael Hanke
Hi release team,

please consider granting a freeze exception for condor

  http://packages.qa.debian.org/c/condor.html

It is fixing bugs #678952 (I18N), #680201 (I18N), and #681144
(important). The latter one is a one line fix. The changelog mentions
another bugfix (#678425), but this change is actually not included in
this upload (the bug was reopened). I'm attaching the full diff between
the version in testing and unstable.

Thanks in advance,

Michael

-- changelog --

condor (7.8.1~dfsg.1-2) unstable; urgency=low

  * Remove dangling symlink /usr/sbin/condor -> ../bin/condor. This file no
longer exists (Closes: #678425).
  * Add Debconf template translations:
- Czech -- courtesy of Martin Šín martin@zshk.cz
  (Closes: #678952)
- Spanish -- courtesy of Fernando C. Estrada fcestr...@fcestrada.com
  (Closes: #680201)
  * Only issue 'condor_restart' command in postinst, when condor_master is
actually running. If that is not the case, for example when daemon
startup is prevented by system policy, package installation would fail
otherwise. Thanks to Andreas Beckmann for the report. (Closes: #681144)

 -- Michael Hanke m...@debian.org  Thu, 21 Jun 2012 18:40:11 +0200

---

-- diffstat ---

 debian/changelog   |   16 +
 debian/condor.postinst |4 +-
 debian/po/cs.po|  345 
++
 debian/po/es.po|  389 
++
 debian/po/sv.po|   48 -
 5 files changed, 753 insertions(+), 49 deletions(-)

---

-- 
Michael Hanke
http://mih.voxindeserto.de


Archive: http://lists.debian.org/20120726091422.GB20650@meiner



Re: Please grant freeze exception for condor

2012-07-26 Thread Michael Hanke
and the missing diff...


On Thu, Jul 26, 2012 at 11:14:22AM +0200, Michael Hanke wrote:
> Hi release team,
>
> please consider granting a freeze exception for condor
>
>   http://packages.qa.debian.org/c/condor.html
>
> It is fixing bugs #678952 (I18N), #680201 (I18N), and #681144
> (important). The latter one is a one line fix. The changelog mentions
> another bugfix (#678425), but this change is actually not included in
> this upload (the bug was reopened). I'm attaching the full diff between
> the version in testing and unstable.
>
> Thanks in advance,
>
> Michael
>
> -- changelog --
>
> condor (7.8.1~dfsg.1-2) unstable; urgency=low
>
>   * Remove dangling symlink /usr/sbin/condor -> ../bin/condor. This file no
> longer exists (Closes: #678425).
>   * Add Debconf template translations:
> - Czech -- courtesy of Martin Šín martin@zshk.cz
>   (Closes: #678952)
> - Spanish -- courtesy of Fernando C. Estrada fcestr...@fcestrada.com
>   (Closes: #680201)
>   * Only issue 'condor_restart' command in postinst, when condor_master is
> actually running. If that is not the case, for example when daemon
> startup is prevented by system policy, package installation would fail
> otherwise. Thanks to Andreas Beckmann for the report. (Closes: #681144)
>
>  -- Michael Hanke m...@debian.org  Thu, 21 Jun 2012 18:40:11 +0200
>
> ---
>
> -- diffstat ---
>
>  debian/changelog   |   16 +
>  debian/condor.postinst |4 +-
>  debian/po/cs.po|  345
> ++
>  debian/po/es.po|  389
> ++
>  debian/po/sv.po|   48 -
>  5 files changed, 753 insertions(+), 49 deletions(-)
>
> ---
>
> -- 
> Michael Hanke
> http://mih.voxindeserto.de

-- 
Michael Hanke
http://mih.voxindeserto.de
diff --git a/debian/changelog b/debian/changelog
index fdaf957..f0d1789 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+condor (7.8.1~dfsg.1-2) unstable; urgency=low
+
+  * Remove dangling symlink /usr/sbin/condor - ../bin/condor. This file no
+longer exists (Closes: #678425).
+  * Add Debconf template translations:
+- Czech -- courtesy of Martin Å Ãn martin@zshk.cz
+  (Closes: #678952)
+- Spanish -- courtesy of Fernando C. Estrada fcestr...@fcestrada.com
+  (Closes: #680201)
+  * Only issue 'condor_restart' command in postinst, when condor_master is
+actually running. If that is not the case, for example when daemon
+startup is prevented by system policy, package installation would fail
+otherwise. Thanks to Andreas Beckmann for the report. (Closes: #681144)
+
+ -- Michael Hanke m...@debian.org  Thu, 21 Jun 2012 18:40:11 +0200
+
 condor (7.8.1~dfsg.1-1) unstable; urgency=low
 
   * New upstream bugfix release:
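Review bot: the first item of the new entry carries "Closes: #678425", yet the covering mail says that change is not part of this upload and the bug was reopened, and the diffstat lists no file that would remove the symlink. With that tag in place the upload closes the bug again without a fix; drop the Closes: from the item or reword it.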
diff --git a/debian/condor.postinst b/debian/condor.postinst
index d24f0a0..04e4584 100755
--- a/debian/condor.postinst
+++ b/debian/condor.postinst
@@ -184,7 +184,9 @@ case $1 in
 # send the restart command to condor, as we know that the installation
 # is finished. condor_master should figure this out on its own within
 # 5 minutes, but there is no need to wait
-condor_restart
+# check for a running condor master first, as otherwise the restart
+# command fails and consequently package installation fails
+condor_status -master 2 /dev/null  condor_restart || true
 ;;
 
 abort-upgrade|abort-remove|abort-deconfigure)
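Review bot: the trailing || true on the new restart line hides a failed condor_restart as well as a failed condor_status, so a master that is running but refuses the restart keeps the old daemons in place with no message. Suggest an explicit if around the condor_status probe, with condor_restart inside it and a warning printed when the restart itself fails.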
diff --git a/debian/po/cs.po b/debian/po/cs.po
new file mode 100644
index 000..23ce2bb
--- /dev/null
+++ b/debian/po/cs.po
@@ -0,0 +1,345 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the condor package.
+# FIRST AUTHOR EMAIL@ADDRESS, YEAR.
+#
+msgid 
+msgstr 
+Project-Id-Version: condor\n
+Report-Msgid-Bugs-To: con...@packages.debian.org\n
+POT-Creation-Date: 2012-04-30 20:35+0200\n
+PO-Revision-Date: 2012-06-25 12:08+0200\n
+Last-Translator: Martin Sin martin@zshk.cz\n
+Language-Team: Czech debian-l10n-cz...@lists.debian.org\n
+Language: \n
+MIME-Version: 1.0\n
+Content-Type: text/plain; charset=utf-8\n
+Content-Transfer-Encoding: 8bit\n
+
+#. Type: title
+#. Description
+#: ../condor.templates:1001
+msgid Condor configuration
+msgstr Nastavení Condoru
+
+#. Type: boolean
+#. Description
+#: ../condor.templates:2001
+msgid Manage initial Condor configuration automatically?
+msgstr Provést automatické počáteční nastavení Condoru?
+
+#. Type: boolean
+#. Description
+#: ../condor.templates:2001
+msgid 
+The setup for Condor can be handled automatically, asking a few questions to 
+create an initial configuration appropriate for a machine that is either a 
+member of an existing pool or a fully functional \Personal Condor 
+installation

Re: Please grant freeze exception for condor

2012-07-26 Thread Michael Hanke
On Thu, Jul 26, 2012 at 11:14:22AM +0200, Michael Hanke wrote:
> please consider granting a freeze exception for condor
>
>   http://packages.qa.debian.org/c/condor.html

Thanks!

-- 
Michael Hanke
http://mih.voxindeserto.de


Archive: http://lists.debian.org/20120726201942.GA32538@meiner



Re: Bug#613337: libvia transition

2012-03-05 Thread Michael Hanke
Hi,

On Sun, Mar 04, 2012 at 11:17:56PM +0100, Julien Cristau wrote:
> On Thu, Feb  9, 2012 at 09:38:51 +0100, Michael Hanke wrote:
> > I will upload a new SO version of LIBVIA shortly. Right now only ODIN
> > and LIPSIA use this library. The LIBVIA dependency of ODIN will be
> > dropped by the next upload (few more days).
>
> how many is few? :)

Thanks for moving this upwards on my TODO list. Of course things turned
out to be more complicated. New upstream version had some issues,
upstream needs more time, now libpng transition needs to be dealt with
for ODIN. If I am lucky I can do all this sometime today. If not, I will
need few more days (TM) ;-)

Cheers,

Michael

-- 
Michael Hanke
http://mih.voxindeserto.de


Archive: http://lists.debian.org/20120305084916.GA12213@meiner



Re: Bug#613337: libvia transition

2012-03-05 Thread Michael Hanke
On Mon, Mar 05, 2012 at 09:49:16AM +0100, Michael Hanke wrote:
> Thanks for moving this upwards on my TODO list. Of course things turned
> out to be more complicated. New upstream version had some issues,
> upstream needs more time, now libpng transition needs to be dealt with
> for ODIN. If I am lucky I can do all this sometime today. If not, I will
> need few more days (TM) ;-)

I prepared an upload that only deals with the via-transition for now.
However, it doesn't build in unstable due to:

The following packages have unmet dependencies:
  libvtk5.8: Depends: libnetcdf6 which is a virtual package.

libnetcdf6 is a transitional package and VTK could use a rebuild. VTK
Git shows a new package upload is coming, but it hasn't arrived yet.
Changelog:

vtk (5.8.0-7) unstable; urgency=low

  * Prepare vtk for move to multi-arch (png,tiff,z,jpeg). Closes: #661676
  * Bump to Std-Vers: 3.9.3, no changes needed.

 -- Mathieu Malaterre mathieu.malate...@gmail.com  Sun, 04 Mar 2012 21:54:19 
+0100


I guess this will resolve itself in a few days -- which I'll use to look
into the png-transition for ODIN.

Michael

-- 
Michael Hanke
http://mih.voxindeserto.de


Archive: http://lists.debian.org/20120305092041.GA13316@meiner



libvia transition

2012-02-09 Thread Michael Hanke
Dear Release Team,

I will upload a new SO version of LIBVIA shortly. Right now only ODIN
and LIPSIA use this library. The LIBVIA dependency of ODIN will be
dropped by the next upload (few more days). LIPSIA is currently totally
broken (#613337) and will be replaced with a new major version (probably
within the next 2-3 weeks). Before this can happen I need to upload a
new library package (ISIS; ITP #633677) that serves as the IO layer of
the new LIPSIA version, and a couple of upcoming packages. ISIS will
depend on the new VIA version.

As this transition is a tiny one and all affected packages are
maintained by the NeuroDebian team I think that it would neither cause
trouble, nor do we need assistance.

Please let me know if I overlooked something and we should not do this
at this point.


Michael


-- 
Michael Hanke
http://mih.voxindeserto.de


Archive: http://lists.debian.org/20120209083851.GC9314@meiner



Eligibility for arno-iptables-firewall_1.9.2.k-4squeeze1 upload to stable?

2011-03-10 Thread Michael Hanke
Dear release team,

I have prepared an update of arno-iptables-firewall to fix #617510 in
squeeze. This bug causes the firewall startup to fail when bash is not
the default shell and the plugin is enabled (which it is not by
default).  The full source package diff is below.  Would you accept this
into stable?

Thanks in advance,

Michael

PS: An upload that fixes this problem in the version in unstable will
happen shortly.

diff -Nru arno-iptables-firewall-1.9.2.k/debian/changelog 
arno-iptables-firewall-1.9.2.k/debian/changelog
--- arno-iptables-firewall-1.9.2.k/debian/changelog 2011-03-10 
08:32:34.0 -0500
+++ arno-iptables-firewall-1.9.2.k/debian/changelog 2011-03-10 
08:51:29.0 -0500
@@ -1,3 +1,11 @@
+arno-iptables-firewall (1.9.2.k-4squeeze1) stable; urgency=low
+
+  * Add upstream patch to fix bashisms in the ipsec plugin that will cause the
+firewall startup to fail on systems where this plugin is enabled and bash
+is not the default shell. Closes: #617510
+
+ -- Michael Hanke michael.ha...@gmail.com  Thu, 10 Mar 2011 08:27:24 -0500
+
 arno-iptables-firewall (1.9.2.k-4) unstable; urgency=low
 
   * Add patch to unify the IPv4 and IPv6 default setup to allow outgoing
diff -Nru arno-iptables-firewall-1.9.2.k/debian/patches/fix_bashisms 
arno-iptables-firewall-1.9.2.k/debian/patches/fix_bashisms
--- arno-iptables-firewall-1.9.2.k/debian/patches/fix_bashisms  1969-12-31 
19:00:00.0 -0500
+++ arno-iptables-firewall-1.9.2.k/debian/patches/fix_bashisms  2011-03-10 
08:49:59.0 -0500
@@ -0,0 +1,21 @@
+From: Lonnie Abelbeck li...@lonnie.abelbeck.com
+Subject: Fix bashisms in plugin
+Origin: upstream, 
https://rocky.eld.leidenuniv.nl/trac/aif/changeset?old_path=%2Ftrunkold=529new_path=%2Ftrunknew=530
+Bug-Debian: http://bugs.debian.org/617510
+
+--- a/share/arno-iptables-firewall/plugins/50ipsec-vpn.plugin
 b/share/arno-iptables-firewall/plugins/50ipsec-vpn.plugin
+@@ -77,11 +77,11 @@
+ fi
+   done
+ 
+-  local -i cnt=0
++  local cnt=0
+   IFS=' ,'
+   for eif in $EXT_IF; do
+ for net in $INTERNAL_NET; do
+-  let cnt++
++  cnt=$((cnt + 1))
+   iptables -I SPOOF_CHK $cnt -i $eif -s $net -m policy --pol ipsec --dir 
in -j RETURN
+ done
+   done
diff -Nru arno-iptables-firewall-1.9.2.k/debian/patches/series 
arno-iptables-firewall-1.9.2.k/debian/patches/series
--- arno-iptables-firewall-1.9.2.k/debian/patches/series2011-03-10 
08:33:17.0 -0500
+++ arno-iptables-firewall-1.9.2.k/debian/patches/series2011-03-10 
08:49:59.0 -0500
@@ -1,4 +1,5 @@
 ipv6_block
+fix_bashisms
 debconf_layer
 init.d_depfix
 default_ipv4v6_config

-- 
Michael Hanke
http://mih.voxindeserto.de




Please unblock arno-iptable-firewall 1.9.2.k-4

2010-09-12 Thread Michael Hanke
Dear release team,

thanks for having unblocked arno-iptables-firewall 1.9.2.k-3 with a fix
for better IPv6 support. However, that fix also had negative side
effects.  I have uploaded 1.9.2.k-4 to unstable that adds two patches to
fix two more IPv6 related issues that are jointly documented in #596170.

  http://bugs.debian.org/596170

The new patches are available here:

  
http://patch-tracker.debian.org/patch/series/view/arno-iptables-firewall/1.9.2.k-4/default_ipv4v6_config
  
http://patch-tracker.debian.org/patch/series/view/arno-iptables-firewall/1.9.2.k-4/purge_ipv4v6_rules_upon_restart

Other than adding these patches there have been no changes to the
package. The changelog is:

  * Add patch to unify the IPv4 and IPv6 default setup to allow outgoing
traffic and all incoming traffic on trusted and loopback interfaces.
This patch also relaxes the rigorous blocking of any IPv6 traffic that was
introduced by 1.9.2.k-3, and caused applications, like wxmaxima, relying on
local IPv6 connection to be broken (Closes: #596170).
  * Add patch to prevent IPv6 rule accumulation upon firewall restart. This
patch supplements the default configuration patch and is also documented
in #596170.

I'd be glad if you could allow the version to transition into squeeze.

Thanks in advance,

Michael

-- 
GPG key:  1024D/3144BE0F Michael Hanke
http://mih.voxindeserto.de


Archive: http://lists.debian.org/20100913004401.ga27...@meiner



Please unblock 'fsl' to fix RC-bug #592242

2010-09-03 Thread Michael Hanke
Hi,

On Mon, Aug 09, 2010 at 10:24:50AM +0100, Adam D. Barratt wrote:
> If I'm reading #592242 correctly, the suggested fix is that fsl should
> conflict with cyrus-clients-2.2?  This would appear to be a violation of
> policy 10.1.

Following a discussion on -devel [0] I have uploaded a fix for the fix
(4.1.6-4) that removes all conflicting symlinks and hence all offending
package conflicts. Details of the modifications are documented in #592242.

Please unblock 'fsl' to allow a transition into squeeze.

Thanks in advance.


Michael

[0] http://lists.debian.org/debian-devel/2010/08/msg00314.html

-- 
GPG key:  1024D/3144BE0F Michael Hanke
http://mih.voxindeserto.de


Archive: http://lists.debian.org/20100903204349.ga1...@meiner



Please unblock arno-iptable-firewall 1.9.2.k-3

2010-08-28 Thread Michael Hanke
Hi,

to prevent an unnecessary delay in fixing #594326 I have uploaded
1.9.2.k-3 that only fixes this bug and a bug in debian/control (full
diff against current version in squeeze is attached). Please allow this
version to transition into testing.

I'm nevertheless awaiting your decision on whether you'd be willing to
accept a full upstream bugfix release (see previous messages).


Thanks in advance,

Michael

-- 
GPG key:  1024D/3144BE0F Michael Hanke
http://mih.voxindeserto.de
diff --git a/debian/changelog b/debian/changelog
index 27298fd..dac7bf3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+arno-iptables-firewall (1.9.2.k-3) unstable; urgency=low
+
+  * Hosts were open to IPv6 connections, even when the firewall was up
+(Closes: #594326). Thanks to Tim Small for reporting.
+  * Fix typo in debian/control that caused misc:Depends to be dropped.
+
+ -- Michael Hanke michael.ha...@gmail.com  Sat, 28 Aug 2010 10:03:15 -0400
+
 arno-iptables-firewall (1.9.2.k-2) unstable; urgency=low
 
   * Move iproute from recommended to a dependency (Closes: #566117). Thanks to
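Review bot: The new entry is uploaded with urgency=low although its first item says hosts were open to IPv6 connections while the firewall was up; for a fix of that kind a higher urgency would shorten the migration delay and match what the entry describes. The first bullet also states the bug rather than the change, so consider wording it as what was fixed, for example that IPv6 traffic is now blocked when the firewall is up.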
diff --git a/debian/control b/debian/control
index 4454f8d..00b0cb9 100644
--- a/debian/control
+++ b/debian/control
@@ -11,7 +11,7 @@ XS-DM-Upload-Allowed: yes
 
 Package: arno-iptables-firewall
 Architecture: all
-Depends: iptables (=1.2.11), gawk, debconf (=1.3.22) | cdebconf (= 0.43), ${misc:Dependsa}, iproute
+Depends: iptables (=1.2.11), gawk, debconf (=1.3.22) | cdebconf (= 0.43), ${misc:Depends}, iproute
 Recommends: lynx, dnsutils
 Description: single- and multi-homed firewall script with DSL/ADSL support
  Unlike other lean iptables frontends in Debian, arno-iptables-firewall
diff --git a/debian/patches/ipv6_block b/debian/patches/ipv6_block
new file mode 100644
index 000..407b83a
--- /dev/null
+++ b/debian/patches/ipv6_block
@@ -0,0 +1,30 @@
+From: Arno van Amersfoort arn...@rocky.eld.leidenuniv.nl
+Subject: Block ipv6 traffic also when the firewall is up.
+Origin: upstream, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594326#25
+Bug-Debian: http://bugs.debian.org/594326
+--- a/share/arno-iptables-firewall/environment
 b/share/arno-iptables-firewall/environment
+@@ -391,7 +391,11 @@
+ printf \033[40m\033[1;31msysctl $@: ($retval) $result\033[0m\n 2
+ return $retval
+   fi
+-  echo ${INDENT}sysctl $@
++
++  if [ -n $result ]; then
++echo ${INDENT}$result
++  fi
++
+   return 0
+ }
+ 
+@@ -424,7 +428,9 @@
+   retval=$?
+ 
+   if [ $retval = 0 ]; then
+-echo ${INDENT}${sysctl_commandline}
++if [ -n $result ]; then
++  echo ${INDENT}$result
++fi
+ return 0
+   else
+ printf \033[40m\033[1;31m${sysctl_commandline}: ($retval) $result\033[0m\n 2
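Review bot: The patch header says the change blocks IPv6 traffic, but both hunks in share/arno-iptables-firewall/environment only change what the sysctl wrappers print on success: the command line is replaced by $result, and only when it is non-empty. Add a Description field to the header, next to Origin and Bug-Debian, explaining why the wrapper's output matters for IPv6 handling, so the link between this change and #594326 is visible without opening the bug log.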
diff --git a/debian/patches/series b/debian/patches/series
index d61375e..58ef11a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
+ipv6_block
 debconf_layer
 init.d_depfix


Re: arno-iptable-firewall: bugfix backport or new upstream service release for squeeze?

2010-08-27 Thread Michael Hanke
Hi Mehdi,

On Fri, Aug 27, 2010 at 05:46:47PM +0200, Mehdi Dogguy wrote:
> In general, a backported bugfix is preferred. However, a diff between
> the two versions would help us to decide on whether it is worth
> including the new release. Could you please provide such a diff?

The diff of the current version in testing and the latest upstream
version is attached. For the sake of clarity I stripped all hunks that
only had changes in comments or indentation.

I'd like to reiterate that this diff contains more bugfixes than what
the BTS currently has patches for.


Thanks,

Michael


-- 
GPG key:  1024D/3144BE0F Michael Hanke
http://mih.voxindeserto.de
diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall
index 04fb045..65d1d58 100755
--- a/bin/arno-iptables-firewall
+++ b/bin/arno-iptables-firewall
@@ -421,7 +421,7 @@ setup_kernel_settings()
 
 # Disable ICMP send_redirect
 
-sysctl -w net.ipv4.conf.all.send_redirects=0
+sysctl_set_all net.ipv4.conf send_redirects 0
 
 # Don't accept source routed packets.
 # Attackers can use source routing to generate
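Review bot: sysctl_set_all replaces a direct sysctl -w call here and in every later hunk, but its definition is not among the hunks shown, so the prefix/key/value calling convention cannot be checked from this diff. Since these calls apply hardening settings, the helper should return non-zero when any individual write fails and the callers should not ignore that; please include the helper's hunk in the review.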
@@ -431,10 +431,10 @@ setup_kernel_settings()
 ###
 if [ $SOURCE_ROUTE_PROTECTION = 0 ]; then
   echo  DISABLING protection against source routed packets
-  sysctl -w net.ipv4.conf.all.accept_source_route=1
+  sysctl_set_all net.ipv4.conf accept_source_route 1
 else
   echo  Enabling protection against source routed packets
-  sysctl -w net.ipv4.conf.all.accept_source_route=0
+  sysctl_set_all net.ipv4.conf accept_source_route 0
 fi
 
 # ICMP Broadcasting protection (smurf amplifier protection)
@@ -511,20 +511,19 @@ setup_kernel_settings()
 ##
 if [ $RP_FILTER = 1 ]; then
   echo  Enabling anti-spoof with rp_filter
-  sysctl -w net.ipv4.conf.all.rp_filter=1
+  sysctl_set_all net.ipv4.conf rp_filter 1
 else
   echo  Disabling anti-spoof with rp_filter
-  sysctl -w net.ipv4.conf.all.rp_filter=0
+  sysctl_set_all net.ipv4.conf rp_filter 0
 fi
 
-
 # Block ALL ICMP echo requests?
 ###
 if [ $ECHO_IGNORE = 1 ]; then
   echo  Blocking all ICMP echo-requests
-  sysctl -w net.ipv4.icmp_echo_ignore_all=1
+  sysctl_set_all net.ipv4 icmp_echo_ignore_all 1
 else
-  sysctl -w net.ipv4.icmp_echo_ignore_all=0
+  sysctl_set_all net.ipv4 icmp_echo_ignore_all 0
 fi
 
 # Add synflood protection?
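Review bot: In the ICMP echo block the helper is called as sysctl_set_all net.ipv4 icmp_echo_ignore_all, but the line it replaces wrote net.ipv4.icmp_echo_ignore_all, a single key with no per-interface component, unlike the net.ipv4.conf.all.* keys converted in the rest of this hunk. Unless the helper handles a key that sits directly under the prefix, this setting may no longer be applied; a plain sysctl -w call looks safer here. The else branch also prints no message, unlike the neighbouring blocks.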
@@ -541,20 +540,20 @@ setup_kernel_settings()
 ###
 if [ $LOG_MARTIANS = 1 ]; then
   echo  Enabling the logging of martians
-  sysctl -w net.ipv4.conf.all.log_martians=1
+  sysctl_set_all net.ipv4.conf log_martians 1
 else
   echo  Disabling the logging of martians
-  sysctl -w net.ipv4.conf.all.log_martians=0
+  sysctl_set_all net.ipv4.conf log_martians 0
 fi
 
 # Accept ICMP redirect messages?
 
 if [ $ICMP_REDIRECT = 1 ]; then
   echo  Enabling the acception of ICMP-redirect messages
-  sysctl -w net.ipv4.conf.all.accept_redirects=1
+  sysctl_set_all net.ipv4.conf accept_redirects 1
 else
   echo  Disabling the acception of ICMP-redirect messages
-  sysctl -w net.ipv4.conf.all.accept_redirects=0
+  sysctl_set_all net.ipv4.conf accept_redirects 0
 fi
 
 # Time To Live (TTL) is the term for a data field in the internet protocol.
@@ -614,7 +613,7 @@ setup_kernel_settings()
 
 # Disable ICMP send_redirect
 
-sysctl -w net.ipv6.conf.all.send_redirects=0
+sysctl_set_all net.ipv6.conf send_redirects 0
 
 # Don't accept source routed packets.
 # Attackers can use source routing to generate
@@ -624,28 +623,28 @@ setup_kernel_settings()
 ###
 if [ $SOURCE_ROUTE_PROTECTION = 0 ]; then
   echo  DISABLING protection against source routed packets
-  sysctl -w net.ipv6.conf.all.accept_source_route=1
+  sysctl_set_all net.ipv6.conf accept_source_route 1
 else
   echo  Enabling protection against source routed packets
-  sysctl -w net.ipv6.conf.all.accept_source_route=0
+  sysctl_set_all net.ipv6.conf accept_source_route 0
 fi
 
 # Accept ICMP redirect messages?
 
 if [ $ICMP_REDIRECT = 1 ]; then
   echo  Enabling the acception of ICMP-redirect messages
-  sysctl -w net.ipv6.conf.all.accept_redirects=1
+  sysctl_set_all net.ipv6.conf accept_redirects 1
 else
   echo  Disabling the acception of ICMP-redirect messages
-  sysctl -w net.ipv6.conf.all.accept_redirects=0
+  sysctl_set_all net.ipv6.conf accept_redirects 0
 fi
 
-# IP forwarding (need it to perform

arno-iptable-firewall: bugfix backport or new upstream service release for squeeze?

2010-08-26 Thread Michael Hanke
Dear Release Team,

one of my packages (arno-iptables-firewall) just got a bugreport
that it leaves machines open to IPv6 connections. It could be argued that
#594326 is an RC-bug instead of just important -- what it is now.

A fix has been made upstream.  My question is now whether you'd prefer a
backported bugfix for squeeze (which would be trivial), or whether you'd
support a new upstream _bugfix_ release that also addresses this and a
number of other bugs of lower severity? See e.g. #594345 and this
changelog excerpt:

* BusyBox doesn't understand grep -x, so use ^$ instead + dots should be
  escaped (thanks Lonnie)
* Slightly safer check on whether we have IPv6 on the system we're
  running
* IPv6 detection failed due to our sysctl wrapper function being too
  verbose. This caused IPv6 to always be open on systems having IPv6
  connectivity (Debug bug #594326, thanks to Tim Small for reporting this)
* From now on explicitly set all variables for sysctl wildcard variables
  (like net.ipv4.conf.*.rp_filter) since newer kernels handle those
  differently now (Thanks to Klemen Mihevc)
* Don't unset IFS immediately after local IFS declaration in functions,
  this breaks older shells
* Modprobe didn't work properly for old modprobe/distros when modules were
  compiled in-kernel


Thanks,

Michael

-- 
GPG key:  1024D/3144BE0F Michael Hanke
http://mih.voxindeserto.de


Archive: http://lists.debian.org/20100826125638.ga8...@meiner
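
The changelog excerpt in the message above names two shell pitfalls: a wrapper whose extra output breaks a check that captures it, and per-interface sysctl keys that have to be set explicitly. The sketch below is an added example, not code from arno-iptables-firewall or from this thread; the function names, the fake /proc/sys tree and the shape of the detection check are assumptions.

```shell
#!/bin/sh
# Constructed stand-in for /proc/sys so the example runs offline, unprivileged.
make_fake_procsys() {
  root=$(mktemp -d)
  for ifc in all default eth0 lo; do
    mkdir -p "$root/net/ipv4/conf/$ifc"
    echo 0 > "$root/net/ipv4/conf/$ifc/rp_filter"
  done
  mkdir -p "$root/net/ipv6/conf/all"
  echo 0 > "$root/net/ipv6/conf/all/disable_ipv6"
  echo "$root"
}

# Hypothetical helper (not upstream's): write VALUE to KEY under every entry
# below PREFIX; return non-zero if the key is missing or any write fails.
set_all() {  # usage: set_all ROOT PREFIX KEY VALUE
  rc=0
  for f in "$1/$(echo "$2" | tr . /)"/*/"$3"; do
    [ -e "$f" ] || { rc=1; continue; }
    { echo "$4" > "$f"; } 2>/dev/null || rc=1
  done
  return $rc
}

# Two readers for one key: the first also echoes the command line, the second
# prints only the value.
read_verbose() { echo "sysctl $2"; cat "$1/$(echo "$2" | tr . /)"; }
read_quiet()   { cat "$1/$(echo "$2" | tr . /)"; }

# Assumed shape of a detection check: compare the captured reader output.
ipv6_present() {  # usage: ipv6_present READER ROOT
  [ "$($1 "$2" net.ipv6.conf.all.disable_ipv6 2>/dev/null)" = "0" ]
}

root=$(make_fake_procsys)
set_all "$root" net.ipv4.conf rp_filter 1 && echo "rp_filter=1 on all entries"
ipv6_present read_quiet "$root" && echo "quiet reader: IPv6 detected"
ipv6_present read_verbose "$root" || echo "verbose reader: IPv6 missed"
rm -rf "$root"
```

With the verbose reader the check fails although IPv6 is enabled, which is the fail-open case: a script that skips its IPv6 rules on a negative result leaves the host unfiltered.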



Re: Library transition libnifti1 - libnifti2

2010-08-09 Thread Michael Hanke
On Mon, Aug 09, 2010 at 10:24:50AM +0100, Adam D. Barratt wrote:
> non-free is currently not auto-built, so the new fsl packages are only
> available on amd64.

Ah, right -- I will take care of that.

> > Shall I simply upload a bugfix for fsl to unstable?
>
> If I'm reading #592242 correctly, the suggested fix is that fsl should
> conflict with cyrus-clients-2.2?  This would appear to be a violation of
> policy 10.1.

The 'fsl' package only provides /usr/bin symlinks for all tools in the
'fsl-4.1' package -- users do not need to have them, that is merely a
convenience package that avoids configuring the environment manually.

Due to a number of rather generic names multiple file conflicts with
other packages exist -- none of them can be dealt with using the
alternatives system. It was my impression that a package conflict would
be appropriate, since the only other possibility would be to not have
such a package at all. Moreover, the scope of any of these packages makes
it rather unlikely that they get installed on the same system.

Michael


-- 
GPG key:  1024D/3144BE0F Michael Hanke
http://mih.voxindeserto.de


Archive: http://lists.debian.org/20100809120146.ga14...@meiner



Re: Library transition libnifti1 - libnifti2

2010-08-08 Thread Michael Hanke
Dear release team,

as far as I can see it all packages depending on libnifti have been
built properly against the new version and are ready to go. One of the
rdeps ('fsl' in non-free), however, just received a serious bug report
regarding a package file conflict. I added the appropriate conflict
statement and can upload at any time, but I'm unsure what the best
procedure is to not delay the transition unnecessarily.

Do packages in non-free affect transitions in main?
Shall I simply upload a bugfix for fsl to unstable?


Thanks in advance,

Michael

-- 
GPG key:  1024D/3144BE0F Michael Hanke
http://mih.voxindeserto.de


Archive: http://lists.debian.org/20100808163406.gb7...@meiner



Re: Library transition libnifti1 - libnifti2

2010-07-21 Thread Michael Hanke
On Wed, Jul 21, 2010 at 09:11:00PM +0100, Adam D. Barratt wrote:
> On Sun, 2010-07-18 at 19:06 -0400, Michael Hanke wrote:
> > The nifti1 library (src:nifticlib) has a bug (#587912) regarding its
> > handling of large compressed files. The bug is fixed upstream, but
> > requires an SO version bump, due to changes in the ABI. Upstream will
> > make a release shortly and I'd like to update the Debian package ASAP.
> > Most rdependent packages are maintained by the NeuroDebian team anyway,
> > and we would coordinate the transition with ourselves to make it quick ;-)
>
> I notice that this has now been uploaded.  Will any of the r-deps
> (included again below) require sourceful uploads, or could we handle
> them all via binNMUs?
>
dicomnifti
fsl
fslview
gifticlib
lipsia
odin
python-nifti

All these will have sourceful uploads either bringing a new upstream
release, fixing a bug, other pending packaging updates, or combinations
thereof. All new source packages are ready and I'm waiting for the
library to become available.

xmedcon

This package build-depends on 'libnifti1-dev' which is no longer
provided, hence a sourceful upload is also required. The maintainer is
informed, but hasn't responded yet. I will file a bug with a patch.


Thanks,

Michael


-- 
GPG key:  1024D/3144BE0F Michael Hanke
http://mih.voxindeserto.de


Archive: http://lists.debian.org/20100721202048.ga7...@meiner



Library transition libnifti1 - libnifti2

2010-07-18 Thread Michael Hanke
Hi,

The nifti1 library (src:nifticlib) has a bug (#587912) regarding its
handling of large compressed files. The bug is fixed upstream, but
requires an SO version bump, due to changes in the ABI. Upstream will
make a release shortly and I'd like to update the Debian package ASAP.
Most rdependent packages are maintained by the NeuroDebian team anyway,
and we would coordinate the transition with ourselves to make it quick ;-)

Is there anything we should take care of -- other than contacting
maintainers ahead of time to make them aware of the upcoming transition?
Is there anything that would require delaying a transition?

Thanks,

Michael


List of (build-)rdependent source packages:
---
  dicomnifti
  fsl
  fslview
  gifticlib
  lipsia
  odin
  python-nifti
  xmedcon


-- 
GPG key:  1024D/3144BE0F Michael Hanke
http://mih.voxindeserto.de


Archive: http://lists.debian.org/20100718230653.ga30...@meiner



Re: Bug#494340: fslview package fixing RC-bugs

2008-10-14 Thread Michael Hanke
On Mon, Oct 13, 2008 at 04:14:54PM +0300, Riku Voipio wrote:
> On Sun, Oct 12, 2008 at 04:41:42PM +0200, Adeodato Simó wrote:
> > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475993#37
> >
> > > which has its origin in the VTK package and got fixed very recently
>
> ...Which won't migrate to testing thanks to new upstream version of QT4
> that has been uploaded to unstable. Should I T-P-U it?
Yes, please.

> > No, it can't be hinted, please reupload 3.0+4.0.2-5 to
> > testing-proposed-updates
> > as 3.0+4.0.2-5+lenny1 or something similar.
>
> Please verify that #502083 gets fixed too, if it affects the old
> upstream version too.
fslview 3.0+4.0.2-3lenny1 is sitting in incoming and waiting for
approval:

http://incoming.debian.org/fslview_3.0+4.0.2-3lenny1_i386.changes

It has backported fixes for all RC-bugs including #502083.


Thanks,

Michael

-- 
GPG key:  1024D/3144BE0F Michael Hanke
http://apsy.gse.uni-magdeburg.de/hanke
ICQ: 48230050




fslview package fixing RC-bugs

2008-10-12 Thread Michael Hanke
Dear Release Managers,

the fslview package in lenny (3.0+4.0.2-3) is affected by three RC bugs
(482209, 475993, 475993). All of them are fixed, since version
3.0+4.0.2-5, but it never got into testing due to a FTBFS on ARM.
Recently, Yaroslav Halchenko was able to determine the cause of the bug
(had already been reported):

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475993#37

which has its origin in the VTK package and got fixed very recently

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492538

The package with all RC-bug fixes corresponding to the fslview upstream
version currently in lenny is already in the archive

http://ftp.debian.org/debian/pool/main/f/fslview/fslview_3.0+4.0.2-5.dsc

However, in unstable it has already been replaced by a more recent
upstream version. Can the above package be hinted into testing, or
should I prepare a new upload to testing-proposed-updates?

Thanks,

Michael

-- 
GPG key:  1024D/3144BE0F Michael Hanke
http://apsy.gse.uni-magdeburg.de/hanke
ICQ: 48230050




RC bug #395034 fixable by amd64 binNMU

2007-01-09 Thread Michael Hanke
Hi,

RC bug #395034 complains about python-4suite-{rdf|xml} being uninstallable
because they both contain the same file and -rdf depends on -xml.

I did some research and discovered that this only affects the amd64
packages in the archive. Other arches are not affected.

I rebuilt the amd64 packages with pbuilder and the resulting binary
packages do not have this bug. Please refer to

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=395034

for more information.

I think a binNMU of the amd64 packages fixes this bug. However, I cannot
do this myself, because I'm not a DD and it doesn't make much sense to
prepare a bin NMU that has to be rebuilt anyway.


Thanks,

Michael


-- 
GPG key:  1024D/3144BE0F Michael Hanke
http://apsy.gse.uni-magdeburg.de/hanke
ICQ: 48230050

