Bug#1011426: bullseye-pu: package tcpdump/4.99.0-2+deb11u1
Hi Adam, On Sat, May 28, 2022 at 8:51 PM Adam D. Barratt wrote: > Please go ahead, thanks. Uploaded. Thanks!
Bug#1011426: bullseye-pu: package tcpdump/4.99.0-2+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu Hi, I would like to update the AppArmor profile for tcpdump in bullseye to match the one in bookworm; the changes don't really qualify for a stable update per se, but they are trivial and would be important quality-of-life improvements for users who are not knowledgeable about AppArmor and don't understand why they get -EPERM in some cases. The update would fix the following bugs (both "normal"): * "AppArmor grants access to *.pcap but not *.cap" https://bugs.debian.org/989433 * "apparmor profile prevents -C -W" https://bugs.debian.org/1010688 Full debdiff is attached. Thanks. diffstat for tcpdump-4.99.0 tcpdump-4.99.0 changelog |8 usr.bin.tcpdump |4 2 files changed, 12 insertions(+) diff -Nru tcpdump-4.99.0/debian/changelog tcpdump-4.99.0/debian/changelog --- tcpdump-4.99.0/debian/changelog 2021-01-15 23:41:47.0 +0100 +++ tcpdump-4.99.0/debian/changelog 2022-05-22 18:22:50.0 +0200 @@ -1,3 +1,11 @@ +tcpdump (4.99.0-2+deb11u1) bullseye; urgency=medium + + * Minor AppArmor profile updates (debian/usr.bin.tcpdump): ++ Grant access to *.cap (closes: #989433). ++ Account for numerical suffix in filenames added by -W (closes: #1010688). + + -- Romain Francoise Sun, 22 May 2022 18:22:50 +0200 + tcpdump (4.99.0-2) unstable; urgency=medium * Add autopkgtest support, running the upstream test suite. diff -Nru tcpdump-4.99.0/debian/usr.bin.tcpdump tcpdump-4.99.0/debian/usr.bin.tcpdump --- tcpdump-4.99.0/debian/usr.bin.tcpdump 2021-01-03 21:25:50.0 +0100 +++ tcpdump-4.99.0/debian/usr.bin.tcpdump 2022-05-22 18:19:03.0 +0200 @@ -54,6 +54,10 @@ # for -r, -F and -w /**.[pP][cC][aA][pP] rw, + /**.[cC][aA][pP] rw, + # -W adds a numerical suffix + /**.[pP][cC][aA][pP][0-9]* rw, + /**.[cC][aA][pP][0-9]* rw, # for convenience with -r (ie, read pcap files from other sources) /var/log/snort/*log* r,
Bug#994112: bullseye-pu: package tmux/3.1c-1+deb11u1
Hi Adam, On Sat, Sep 18, 2021 at 01:30:27PM +0100, Adam D. Barratt wrote: > Please go ahead. Ok, uploaded. I noticed while I was doing the upload that I had left a typo in the changelog entry and applied the following on top of the diff you have already reviewed. Sorry about that. Thanks! diff -u tmux-3.1c/debian/changelog tmux-3.1c/debian/changelog --- tmux-3.1c/debian/changelog 2021-09-11 23:24:41.0 +0200 +++ tmux-3.1c/debian/changelog 2021-09-18 15:02:56.0 +0200 @@ -1,11 +1,11 @@ tmux (3.1c-1+deb11u1) bullseye; urgency=medium - * Cherry-pick commit 7a4aa14618 from upstream to fix race condition + * Cherry-pick commit 7a4aa14618 from upstream to fix a race condition which results in the config not being loaded if several clients are interacting with the server while it's initializing (upstream GitHub issue #2438, closes: #992202). - -- Romain Francoise Sat, 11 Sep 2021 23:24:41 +0200 + -- Romain Francoise Sat, 18 Sep 2021 15:02:56 +0200 tmux (3.1c-1) unstable; urgency=medium
Bug#994112: bullseye-pu: package tmux/3.1c-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu Hello, I'm seeking permission to upload tmux/3.1c-1+deb11u1 to bullseye; it fixes a regression which results in tmux not loading its configuration during startup in some situations (#992202). Full debdiff attached. Thanks, diffstat for tmux-3.1c tmux-3.1c changelog|9 + patches/series |1 + patches/upstream-7a4aa14618.diff | 28 3 files changed, 38 insertions(+) diff -Nru tmux-3.1c/debian/changelog tmux-3.1c/debian/changelog --- tmux-3.1c/debian/changelog 2020-11-01 13:45:43.0 +0100 +++ tmux-3.1c/debian/changelog 2021-09-11 23:24:41.0 +0200 @@ -1,3 +1,12 @@ +tmux (3.1c-1+deb11u1) bullseye; urgency=medium + + * Cherry-pick commit 7a4aa14618 from upstream to fix race condition +which results in the config not being loaded if several clients are +interacting with the server while it's initializing (upstream GitHub +issue #2438, closes: #992202). + + -- Romain Francoise Sat, 11 Sep 2021 23:24:41 +0200 + tmux (3.1c-1) unstable; urgency=medium * New upstream release. diff -Nru tmux-3.1c/debian/patches/series tmux-3.1c/debian/patches/series --- tmux-3.1c/debian/patches/series 2020-11-01 13:45:43.0 +0100 +++ tmux-3.1c/debian/patches/series 2021-09-11 23:06:29.0 +0200 @@ -1 +1,2 @@ platform-quirks.diff +upstream-7a4aa14618.diff diff -Nru tmux-3.1c/debian/patches/upstream-7a4aa14618.diff tmux-3.1c/debian/patches/upstream-7a4aa14618.diff --- tmux-3.1c/debian/patches/upstream-7a4aa14618.diff 1970-01-01 01:00:00.0 +0100 +++ tmux-3.1c/debian/patches/upstream-7a4aa14618.diff 2021-09-11 23:06:36.0 +0200 @@ -0,0 +1,28 @@ +commit 7a4aa146187cc60d2df66333b3e7dd5a5176f793 +Author: Nicholas Marriott +Date: Wed Oct 28 10:09:10 2020 + + +Do not require that there be no other clients before loading the config, +being the first client is enough. GitHub issue 2438. + +--- a/server-client.c b/server-client.c +@@ -1975,13 +1975,13 @@ + } + + /* +- * If this is the first client that has finished identifying, load +- * configuration files. ++ * If this is the first client, load configuration files. Any later ++ * clients are allowed to continue with their command even if the ++ * config has not been loaded - they might have been run from inside it +*/ + if ((~c->flags & CLIENT_EXIT) && +- !cfg_finished && +- c == TAILQ_FIRST(&clients) && +- TAILQ_NEXT(c, entry) == NULL) ++ !cfg_finished && ++ c == TAILQ_FIRST(&clients)) + start_cfg(); + } +
Bug#976094: buster-pu: package grub2/2.02+dfsg1-20+deb10u3
On Mon, Jan 11, 2021 at 03:57:10PM +0100, Cyril Brulebois wrote: > If I'm getting this right, the udeb part shouldn't be much of an issue, > but the change regarding the fresh install vs. grub-install /could/ have > side effects. As documented, the installer /should/ be doing the right > thing already (via grub-installer), but checking (if only for peace of > mind) would be best. For the record, 2.02+dfsg1-20+deb10u3 broke a custom cloud installation system at $work which relied on the fact that grub-pc would DTRT in its postinst when preseeded with the device to install on. Fixing that issue isn't particularly hard (adding the missing grub-install + mkconfig), however I'm surprised that such a behavior change was deemed appropriate for a stable release update.
Bug#973917: buster-pu: package tcpdump/4.9.3-1~deb10u2
Hi Adam, On Thu, Nov 19, 2020 at 9:31 PM Adam D. Barratt wrote: > Please go ahead. Thanks, uploaded.
Bug#973917: buster-pu: package tcpdump/4.9.3-1~deb10u2
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
Hello,
I am seeking permission to upload a new version of tcpdump to
stable-proposed-updates to address CVE-2020-8037 (bug #973877).
Full debdiff attached.
Thanks,
diffstat for tcpdump-4.9.3 tcpdump-4.9.3
changelog|7
patches/series |1
patches/upstream-32027e1993.diff | 61 +++
3 files changed, 69 insertions(+)
diff -Nru tcpdump-4.9.3/debian/changelog tcpdump-4.9.3/debian/changelog
--- tcpdump-4.9.3/debian/changelog 2019-10-19 16:55:18.0 +0200
+++ tcpdump-4.9.3/debian/changelog 2020-11-07 13:36:24.0 +0100
@@ -1,3 +1,10 @@
+tcpdump (4.9.3-1~deb10u2) buster; urgency=high
+
+ * Cherry-pick commit 32027e1993 from the upstream tcpdump-4.9 branch to fix
+untrusted input issue in the PPP printer (CVE-2020-8037, closes: #973877).
+
+ -- Romain Francoise Sat, 07 Nov 2020 13:36:24 +0100
+
tcpdump (4.9.3-1~deb10u1) buster-security; urgency=high
* New upstream release, with fixes for 24 different CVEs (closes: #941698).
diff -Nru tcpdump-4.9.3/debian/patches/series
tcpdump-4.9.3/debian/patches/series
--- tcpdump-4.9.3/debian/patches/series 2019-10-19 00:20:22.0 +0200
+++ tcpdump-4.9.3/debian/patches/series 2020-11-07 13:34:47.0 +0100
@@ -2,3 +2,4 @@
man-section.diff
platform-quirks.diff
disable-tests.diff
+upstream-32027e1993.diff
diff -Nru tcpdump-4.9.3/debian/patches/upstream-32027e1993.diff
tcpdump-4.9.3/debian/patches/upstream-32027e1993.diff
--- tcpdump-4.9.3/debian/patches/upstream-32027e1993.diff 1970-01-01
01:00:00.0 +0100
+++ tcpdump-4.9.3/debian/patches/upstream-32027e1993.diff 2020-11-07
13:34:39.0 +0100
@@ -0,0 +1,61 @@
+commit 32027e199368dad9508965aae8cd8de5b6ab5231
+Author: Guy Harris
+Date: Sat Apr 18 14:04:59 2020 -0700
+
+PPP: When un-escaping, don't allocate a too-large buffer.
+
+The buffer should be big enough to hold the captured data, but it
+doesn't need to be big enough to hold the entire on-the-network packet,
+if we haven't captured all of it.
+
+(backported from commit e4add0b010ed6f2180dcb05a13026242ed935334)
+
+diff --git a/print-ppp.c b/print-ppp.c
+index 891761728b..33fb034127 100644
+--- a/print-ppp.c
b/print-ppp.c
+@@ -1367,19 +1367,29 @@ trunc:
+ return 0;
+ }
+
++/*
++ * Un-escape RFC 1662 PPP in HDLC-like framing, with octet escapes.
++ * The length argument is the on-the-wire length, not the captured
++ * length; we can only un-escape the captured part.
++ */
+ static void
+ ppp_hdlc(netdissect_options *ndo,
+ const u_char *p, int length)
+ {
++ u_int caplen = ndo->ndo_snapend - p;
+ u_char *b, *t, c;
+ const u_char *s;
+- int i, proto;
++ u_int i;
++ int proto;
+ const void *se;
+
++ if (caplen == 0)
++ return;
++
+ if (length <= 0)
+ return;
+
+- b = (u_char *)malloc(length);
++ b = (u_char *)malloc(caplen);
+ if (b == NULL)
+ return;
+
+@@ -1388,10 +1398,10 @@ ppp_hdlc(netdissect_options *ndo,
+* Do this so that we dont overwrite the original packet
+* contents.
+*/
+- for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) {
++ for (s = p, t = b, i = caplen; i != 0; i--) {
+ c = *s++;
+ if (c == 0x7d) {
+- if (i <= 1 || !ND_TTEST(*s))
++ if (i <= 1)
+ break;
+ i--;
+ c = *s++ ^ 0x20;
Bug#855875: unblock: tcpdump/4.9.0-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock tcpdump 4.9 is not compatible with OpenSSL 1.1 so a few months ago I disabled crypto support altogether. However, it now appears that OpenSSL 1.0 will be officially supported in stretch, so I would like to bring back tcpdump to feature parity with jessie and previous releases by enabling crypto support based on OpenSSL 1.0. Full debdiff attached. Thanks for considering. unblock tcpdump/4.9.0-2 -- System Information: Debian Release: 9.0 APT prefers testing APT policy: (900, 'testing'), (850, 'unstable'), (800, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diffstat for tcpdump-4.9.0 tcpdump-4.9.0 changelog |9 + control |3 ++- rules |2 +- 3 files changed, 12 insertions(+), 2 deletions(-) diff -Nru tcpdump-4.9.0/debian/changelog tcpdump-4.9.0/debian/changelog --- tcpdump-4.9.0/debian/changelog 2017-01-26 20:04:11.0 +0100 +++ tcpdump-4.9.0/debian/changelog 2017-02-11 16:40:05.0 +0100 @@ -1,3 +1,12 @@ +tcpdump (4.9.0-2) unstable; urgency=medium + + * Re-enable crypto support, targeting OpenSSL 1.0 as upstream still +doesn't support OpenSSL 1.1. + * Drop --enable-ipv6 from configure line, it has been the default for + years now. + + -- Romain Francoise Sat, 11 Feb 2017 16:40:05 +0100 + tcpdump (4.9.0-1) unstable; urgency=high * New upstream security release, fixing the following: diff -Nru tcpdump-4.9.0/debian/control tcpdump-4.9.0/debian/control --- tcpdump-4.9.0/debian/control2017-01-26 19:59:23.0 +0100 +++ tcpdump-4.9.0/debian/control2017-02-11 16:34:29.0 +0100 @@ -5,7 +5,8 @@ Build-Depends: debhelper (>= 8.9.4~), dh-autoreconf, dpkg-dev (>= 1.16.1~), - libpcap0.8-dev (>= 1.8) + libpcap0.8-dev (>= 1.8), + libssl1.0-dev Standards-Version: 3.9.8 Homepage: http://www.tcpdump.org/ Vcs-Browser: https://anonscm.debian.org/cgit/users/rfrancoise/tcpdump.git/ diff -Nru tcpdump-4.9.0/debian/rules tcpdump-4.9.0/debian/rules --- tcpdump-4.9.0/debian/rules 2017-01-26 19:52:15.0 +0100 +++ tcpdump-4.9.0/debian/rules 2017-02-11 16:39:13.0 +0100 @@ -7,4 +7,4 @@ dh $@ --parallel --with autoreconf override_dh_auto_configure: - dh_auto_configure -- --enable-ipv6 --with-crypto=no + dh_auto_configure -- --with-crypto=yes
Bug#852744: unblock: tcpdump/4.9.0-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock tcpdump 4.9.0 is a security upstream release which fixes 41 distinct vulnerabilities, most of which are remotely exploitable. I would appreciate if you could grant 4.9.0-1 an exemption from the current mandatory 10-day migration delay rule. The debdiff is too large to include, but the corresponding changelog entry is below. Thanks! unblock tcpdump/4.9.0-1 tcpdump (4.9.0-1) unstable; urgency=high * New upstream security release, fixing the following: + CVE-2016-7922: buffer overflow in print-ah.c:ah_print(). + CVE-2016-7923: buffer overflow in print-arp.c:arp_print(). + CVE-2016-7924: buffer overflow in print-atm.c:oam_print(). + CVE-2016-7925: buffer overflow in print-sl.c:sl_if_print(). + CVE-2016-7926: buffer overflow in print-ether.c:ethertype_print(). + CVE-2016-7927: buffer overflow in print-802_11.c:ieee802_11_radio_print(). + CVE-2016-7928: buffer overflow in print-ipcomp.c:ipcomp_print(). + CVE-2016-7929: buffer overflow in print-juniper.c:juniper_parse_header(). + CVE-2016-7930: buffer overflow in print-llc.c:llc_print(). + CVE-2016-7931: buffer overflow in print-mpls.c:mpls_print(). + CVE-2016-7932: buffer overflow in print-pim.c:pimv2_check_checksum(). + CVE-2016-7933: buffer overflow in print-ppp.c:ppp_hdlc_if_print(). + CVE-2016-7934: buffer overflow in print-udp.c:rtcp_print(). + CVE-2016-7935: buffer overflow in print-udp.c:rtp_print(). + CVE-2016-7936: buffer overflow in print-udp.c:udp_print(). + CVE-2016-7937: buffer overflow in print-udp.c:vat_print(). + CVE-2016-7938: integer overflow in print-zeromq.c:zmtp1_print_frame(). + CVE-2016-7939: buffer overflow in print-gre.c, multiple functions. + CVE-2016-7940: buffer overflow in print-stp.c, multiple functions. + CVE-2016-7973: buffer overflow in print-atalk.c, multiple functions. + CVE-2016-7974: buffer overflow in print-ip.c, multiple functions. + CVE-2016-7975: buffer overflow in print-tcp.c:tcp_print(). + CVE-2016-7983: buffer overflow in print-bootp.c:bootp_print(). + CVE-2016-7984: buffer overflow in print-tftp.c:tftp_print(). + CVE-2016-7985: buffer overflow in print-calm-fast.c:calm_fast_print(). + CVE-2016-7986: buffer overflow in print-geonet.c, multiple functions. + CVE-2016-7992: buffer overflow in print-cip.c:cip_if_print(). + CVE-2016-7993: a bug in util-print.c:relts_print() could cause a buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP, lightweight resolver protocol, PIM). + CVE-2016-8574: buffer overflow in print-fr.c:frf15_print(). + CVE-2016-8575: buffer overflow in print-fr.c:q933_print(). + CVE-2017-5202: buffer overflow in print-isoclns.c:clnp_print(). + CVE-2017-5203: buffer overflow in print-bootp.c:bootp_print(). + CVE-2017-5204: buffer overflow in print-ip6.c:ip6_print(). + CVE-2017-5205: buffer overflow in print-isakmp.c:ikev2_e_print(). + CVE-2017-5341: buffer overflow in print-otv.c:otv_print(). + CVE-2017-5342: a bug in multiple protocol parsers (Geneve, GRE, NSH, OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in print-ether.c:ether_print(). + CVE-2017-5482: buffer overflow in print-fr.c:q933_print(). + CVE-2017-5483: buffer overflow in print-snmp.c:asn1_parse(). + CVE-2017-5484: buffer overflow in print-atm.c:sig_print(). + CVE-2017-5485: buffer overflow in addrtoname.c:lookup_nsap(). + CVE-2017-5486: buffer overflow in print-isoclns.c:clnp_print(). * Re-enable all tests and bump build-dep on libpcap0.8-dev to >= 1.8 accordingly. * Switch Vcs-Git URL to the https one. * Adjust lintian override name about dh 9. -- Romain Francoise Thu, 26 Jan 2017 20:04:11 +0100
Bug#794407: jessie-pu: package tcpdump/4.6.2-5+deb8u1
On Sun, Aug 02, 2015 at 08:14:20PM +0100, Adam D. Barratt wrote: > Please go ahead. Thanks Adam, uploaded. -- Romain Francoise http://people.debian.org/~rfrancoise/ -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/87si818o4e@orebokech.com
Bug#794407: jessie-pu: package tcpdump/4.6.2-5+deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hello,
I am seeking permission to upload a new version of tcpdump to
stable-proposed-updates to fix bug #793479, which makes tcpdump unusable
for people who use -Z to drop privileges and stream the output of
tcpdump to another program.
Full debdiff attached.
Thanks,
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (650, 'testing'), (600, 'unstable'), (550, 'experimental'), (550,
'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.1.3 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diffstat for tcpdump-4.6.2 tcpdump-4.6.2
changelog |8
patches/50_droproot_stderr.diff | 28
patches/series |1 +
3 files changed, 37 insertions(+)
diff -Nru tcpdump-4.6.2/debian/changelog tcpdump-4.6.2/debian/changelog
--- tcpdump-4.6.2/debian/changelog 2015-04-04 19:20:52.0 +0200
+++ tcpdump-4.6.2/debian/changelog 2015-08-02 20:01:20.0 +0200
@@ -1,3 +1,11 @@
+tcpdump (4.6.2-5+deb8u1) stable; urgency=low
+
+ * Cherry-pick commit 3f15ae25c2 from upstream Git to fix -Z confirmation
+log being sent to stdout, where it can get mixed with pcap stream
+data if '-w -' is used (closes: #793479).
+
+ -- Romain Francoise Sun, 02 Aug 2015 19:57:22 +0200
+
tcpdump (4.6.2-5) unstable; urgency=high
* Cherry-pick commit fb6e5377f3 from upstream Git to fix regressions in the
diff -Nru tcpdump-4.6.2/debian/patches/50_droproot_stderr.diff tcpdump-4.6.2/debian/patches/50_droproot_stderr.diff
--- tcpdump-4.6.2/debian/patches/50_droproot_stderr.diff 1970-01-01 01:00:00.0 +0100
+++ tcpdump-4.6.2/debian/patches/50_droproot_stderr.diff 2015-08-02 20:01:08.0 +0200
@@ -0,0 +1,28 @@
+commit 3f15ae25c25046b9ebdf8ab0283f2e6382a4df0e
+Author: Denis Ovsienko
+Date: Mon Feb 9 01:21:51 2015 +
+
+droproot(): always print to stderr (GH #425)
+
+Otherwise it interferes with the output of "tcpdump -w -".
+
+--- a/tcpdump.c
b/tcpdump.c
+@@ -727,7 +727,7 @@
+ fprintf(stderr, "error : ret %d\n", ret);
+ }
+ else {
+- printf("dropped privs to %s\n", username);
++ fprintf(stderr, "dropped privs to %s\n", username);
+ }
+ /* We don't need CAP_SETUID and CAP_SETGID */
+ capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_SETUID);
+@@ -747,7 +747,7 @@
+ exit(1);
+ }
+ else {
+- printf("dropped privs to %s\n", username);
++ fprintf(stderr, "dropped privs to %s\n", username);
+ }
+ #endif /* HAVE_CAP_NG_H */
+ }
diff -Nru tcpdump-4.6.2/debian/patches/series tcpdump-4.6.2/debian/patches/series
--- tcpdump-4.6.2/debian/patches/series 2015-04-04 19:08:59.0 +0200
+++ tcpdump-4.6.2/debian/patches/series 2015-08-02 19:53:02.0 +0200
@@ -3,6 +3,7 @@
20_man_fixes.diff
50_hurd.diff
50_kfreebsd.diff
+50_droproot_stderr.diff
50_autotools-dev.diff
60_cve-2014-8767.diff
60_cve-2014-8768.diff
Bug#781912: unblock: tcpdump/4.6.2-5
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Dear Release Team,
Please unblock tcpdump 4.6.2-5, it fixes some regressions introduced in
the latest version as part of the fix for CVE-2015-2153. Full debdiff
attached. Thanks!
unblock tcpdump/4.6.2-5
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (900, 'testing'), (850, 'unstable'), (800, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.0.0-rc6-ore (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diffstat for tcpdump-4.6.2 tcpdump-4.6.2
changelog |8 +
patches/60_cve-2015-2153-2.diff | 54
patches/series |1
3 files changed, 63 insertions(+)
diff -Nru tcpdump-4.6.2/debian/changelog tcpdump-4.6.2/debian/changelog
--- tcpdump-4.6.2/debian/changelog 2015-03-14 18:43:44.0 +0100
+++ tcpdump-4.6.2/debian/changelog 2015-04-04 19:20:52.0 +0200
@@ -1,3 +1,11 @@
+tcpdump (4.6.2-5) unstable; urgency=high
+
+ * Cherry-pick commit fb6e5377f3 from upstream Git to fix regressions in the
+RPKI/RTR printer after the CVE-2015-2153 changes. Thanks to Artur Rona
+from Ubuntu for the heads-up (closes: #781362).
+
+ -- Romain Francoise Sat, 04 Apr 2015 19:10:27 +0200
+
tcpdump (4.6.2-4) unstable; urgency=high
* Cherry-pick changes from upstream Git to fix the following security
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-2153-2.diff tcpdump-4.6.2/debian/patches/60_cve-2015-2153-2.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-2153-2.diff 1970-01-01 01:00:00.0 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-2153-2.diff 2015-04-04 19:06:28.0 +0200
@@ -0,0 +1,54 @@
+Description: RPKI to Router Protocol: Fix Segmentation Faults and other problems.
+ - Fix/add ND_TCHECK2 tests,
+ - Fix a buffer overflow,
+ - Remove a debug printf
+Origin: upstream, https://github.com/the-tcpdump-group/tcpdump/commit/fb6e5377f392555b8c725f66b8b701f0061a3695
+
+diff -pruN -x '*~' tcpdump-4.6.2.orig/print-rpki-rtr.c tcpdump-4.6.2/print-rpki-rtr.c
+--- tcpdump-4.6.2.orig/print-rpki-rtr.c 2015-03-22 12:55:55.349173971 +0100
tcpdump-4.6.2/print-rpki-rtr.c 2015-03-22 12:49:56.987396951 +0100
+@@ -178,7 +178,7 @@ rpki_rtr_pdu_print (netdissect_options *
+ pdu_header = (rpki_rtr_pdu *)tptr;
+ pdu_type = pdu_header->pdu_type;
+ pdu_len = EXTRACT_32BITS(pdu_header->length);
+-ND_TCHECK2(tptr, pdu_len);
++ND_TCHECK2(*tptr, pdu_len);
+ hexdump = FALSE;
+
+ ND_PRINT((ndo, "%sRPKI-RTRv%u, %s PDU (%u), length: %u",
+@@ -255,6 +255,7 @@ rpki_rtr_pdu_print (netdissect_options *
+
+ pdu = (rpki_rtr_pdu_error_report *)tptr;
+ encapsulated_pdu_length = EXTRACT_32BITS(pdu->encapsulated_pdu_length);
++ ND_TCHECK2(*tptr, encapsulated_pdu_length);
+ tlen = pdu_len;
+
+ error_code = EXTRACT_16BITS(pdu->pdu_header.u.error_code);
+@@ -287,9 +288,10 @@ rpki_rtr_pdu_print (netdissect_options *
+ tptr += 4;
+ tlen -= 4;
+ }
++ ND_TCHECK2(*tptr, text_length);
+ if (text_length && (text_length <= tlen )) {
+ memcpy(buf, tptr, min(sizeof(buf)-1, text_length));
+- buf[text_length] = '\0';
++ buf[min(sizeof(buf) - 1, text_length)] = '\0';
+ ND_PRINT((ndo, "%sError text: %s", indent_string(indent+2), buf));
+ }
+ }
+@@ -336,13 +338,13 @@ rpki_rtr_print(netdissect_options *ndo,
+ pdu_header = (rpki_rtr_pdu *)tptr;
+ pdu_type = pdu_header->pdu_type;
+ pdu_len = EXTRACT_32BITS(pdu_header->length);
++ ND_TCHECK2(*tptr, pdu_len);
+
+ /* infinite loop check */
+ if (!pdu_type || !pdu_len) {
+ break;
+ }
+
+-ND_TCHECK2(*tptr, pdu_len);
+ if (tlen < pdu_len) {
+ goto trunc;
+ }
+
diff -Nru tcpdump-4.6.2/debian/patches/series tcpdump-4.6.2/debian/patches/series
--- tcpdump-4.6.2/debian/patches/series 2015-03-14 18:44:30.0 +0100
+++ tcpdump-4.6.2/debian/patches/series 2015-04-04 19:08:59.0 +0200
@@ -10,5 +10,6 @@
60_cve-2014-9140.diff
60_cve-2015-0261.diff
60_cve-2015-2153.diff
+60_cve-2015-2153-2.diff
60_cve-2015-2154.diff
60_cve-2015-2155.diff
Bug#781908: unblock: strongswan/5.2.1-6
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Dear Release Team, Please unblock strongswan 5.2.1-6, it fixes a RC bug related to the new systemd service included in the jessie version. Full debdiff attached. Thanks! unblock strongswan/5.2.1-6 -- System Information: Debian Release: 8.0 APT prefers testing APT policy: (900, 'testing'), (850, 'unstable'), (800, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.0.0-rc6-ore (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diffstat for strongswan-5.2.1 strongswan-5.2.1 changelog| 10 ++ patches/03_systemd-service.patch |4 +--- strongswan-starter.links |1 + 3 files changed, 12 insertions(+), 3 deletions(-) diff -Nru strongswan-5.2.1/debian/changelog strongswan-5.2.1/debian/changelog --- strongswan-5.2.1/debian/changelog 2015-01-05 13:11:54.0 +0100 +++ strongswan-5.2.1/debian/changelog 2015-04-04 17:55:38.0 +0200 @@ -1,3 +1,13 @@ +strongswan (5.2.1-6) unstable; urgency=medium + + * Ship /lib/systemd/system/ipsec.service as a symlink to +strongswan.service in strongswan-starter instead of using Alias= in +the service file. This makes the ipsec name available to invoke-rc.d +before the service gets actually enabled, which avoids some confusion +(closes: #781209). + + -- Romain Francoise Sat, 04 Apr 2015 17:55:38 +0200 + strongswan (5.2.1-5) unstable; urgency=high * debian/patches: diff -Nru strongswan-5.2.1/debian/patches/03_systemd-service.patch strongswan-5.2.1/debian/patches/03_systemd-service.patch --- strongswan-5.2.1/debian/patches/03_systemd-service.patch 2014-12-28 16:17:34.0 +0100 +++ strongswan-5.2.1/debian/patches/03_systemd-service.patch 2015-04-04 16:18:55.0 +0200 @@ -1,6 +1,6 @@ --- a/init/systemd/strongswan.service.in +++ b/init/systemd/strongswan.service.in -@@ -1,10 +1,12 @@ +@@ -1,9 +1,10 @@ [Unit] Description=strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf -After=syslog.target @@ -12,5 +12,3 @@ StandardOutput=syslog [Install] - WantedBy=multi-user.target -+Alias=ipsec.service diff -Nru strongswan-5.2.1/debian/strongswan-starter.links strongswan-5.2.1/debian/strongswan-starter.links --- strongswan-5.2.1/debian/strongswan-starter.links 1970-01-01 01:00:00.0 +0100 +++ strongswan-5.2.1/debian/strongswan-starter.links 2015-04-04 16:05:08.0 +0200 @@ -0,0 +1 @@ +lib/systemd/system/strongswan.service lib/systemd/system/ipsec.service
Bug#780574: unblock: tcpdump/4.6.2-4
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Dear Release Team,
Please unblock tcpdump 4.6.2-4, it includes four security fixes that are
not tracked in the BTS, but have CVE identifiers. Full debdiff attached.
Thanks!
unblock tcpdump/4.6.2-4
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (650, 'testing'), (600, 'unstable'), (550, 'experimental'), (550,
'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.19.1-ore (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diffstat for tcpdump-4.6.2 tcpdump-4.6.2
changelog | 11
patches/60_cve-2015-0261.diff | 56 ++
patches/60_cve-2015-2153.diff | 24 ++
patches/60_cve-2015-2154.diff | 31 +++
patches/60_cve-2015-2155.diff | 15 +++
patches/series|4 +++
6 files changed, 141 insertions(+)
diff -Nru tcpdump-4.6.2/debian/changelog tcpdump-4.6.2/debian/changelog
--- tcpdump-4.6.2/debian/changelog 2014-11-29 12:24:11.0 +0100
+++ tcpdump-4.6.2/debian/changelog 2015-03-14 18:43:44.0 +0100
@@ -1,3 +1,14 @@
+tcpdump (4.6.2-4) unstable; urgency=high
+
+ * Cherry-pick changes from upstream Git to fix the following security
+issues:
++ CVE-2015-0261: missing bounds checks in IPv6 Mobility printer.
++ CVE-2015-2153: missing bounds checks in RPKI/RTR printer.
++ CVE-2015-2154: missing bounds checks in ISOCLNS printer.
++ CVE-2015-2155: missing bounds checks in ForCES printer.
+
+ -- Romain Francoise Sat, 14 Mar 2015 18:43:44 +0100
+
tcpdump (4.6.2-3) unstable; urgency=high
* Cherry-pick commit 0f95d441e4 from upstream Git to fix a buffer overflow
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff 1970-01-01 01:00:00.0 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-0261.diff 2015-03-14 18:31:07.0 +0100
@@ -0,0 +1,56 @@
+diff --git a/print-mobility.c b/print-mobility.c
+index 83447cf..b6fa61e 100644
+--- a/print-mobility.c
b/print-mobility.c
+@@ -69,6 +69,18 @@ struct ip6_mobility {
+ #define IP6M_BINDING_UPDATE 5 /* Binding Update */
+ #define IP6M_BINDING_ACK 6 /* Binding Acknowledgement */
+ #define IP6M_BINDING_ERROR 7 /* Binding Error */
++#define IP6M_MAX 7
++
++static const unsigned ip6m_hdrlen[IP6M_MAX + 1] = {
++ IP6M_MINLEN, /* IP6M_BINDING_REQUEST */
++ IP6M_MINLEN + 8, /* IP6M_HOME_TEST_INIT */
++ IP6M_MINLEN + 8, /* IP6M_CAREOF_TEST_INIT */
++ IP6M_MINLEN + 16, /* IP6M_HOME_TEST*/
++ IP6M_MINLEN + 16, /* IP6M_CAREOF_TEST */
++ IP6M_MINLEN + 4, /* IP6M_BINDING_UPDATE */
++ IP6M_MINLEN + 4, /* IP6M_BINDING_ACK */
++ IP6M_MINLEN + 16, /* IP6M_BINDING_ERROR*/
++};
+
+ /* XXX: unused */
+ #define IP6MOPT_BU_MINLEN 10
+@@ -95,16 +107,20 @@ mobility_opt_print(netdissect_options *ndo,
+ unsigned i, optlen;
+
+ for (i = 0; i < len; i += optlen) {
++ ND_TCHECK(bp[i]);
+ if (bp[i] == IP6MOPT_PAD1)
+ optlen = 1;
+ else {
+- if (i + 1 < len)
++ if (i + 1 < len) {
++ND_TCHECK(bp[i + 1]);
+ optlen = bp[i + 1] + 2;
++ }
+ else
+ goto trunc;
+ }
+ if (i + optlen > len)
+ goto trunc;
++ ND_TCHECK(bp[i + optlen]);
+
+ switch (bp[i]) {
+ case IP6MOPT_PAD1:
+@@ -203,6 +219,10 @@ mobility_print(netdissect_options *ndo,
+
+ ND_TCHECK(mh->ip6m_type);
+ type = mh->ip6m_type;
++ if (type <= IP6M_MAX && mhlen < ip6m_hdrlen[type]) {
++ ND_PRINT((ndo, "(header length %u is too small for type %u)", mhlen, type));
++ goto trunc;
++ }
+ switch (type) {
+ case IP6M_BINDING_REQUEST:
+ ND_PRINT((ndo, "mobility: BRR"));
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff 1970-01-01 01:00:00.0 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2015-2153.diff 2015-03-14 18:31:07.0 +0100
@@ -0,0 +1,24 @@
+diff --git a/print-rpki-rtr.c b/print-rpki-rtr.c
+index 5bb5df7..8847c53 100644
+--- a/print-rpki-rtr.c
b/print-rpki-rtr.c
+@@ -178,6 +178,7 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
+ pdu_header = (rpki_rtr_pdu *)tptr;
+ pdu_type = pdu_header->pdu_type;
+ pdu_len = EXTRACT_32BITS(pdu_header->length);
++ND_TCHECK2(tptr, pdu_len);
+ hexdump = FALSE;
+
+ ND_PRINT((ndo, "%sRPKI-RTRv%u, %s PDU (%u), length: %u",
+@@ -306,6 +307,11 @@ rpki_rtr_pdu_print (netdissect_options *ndo, const u_char *tptr, u_int indent)
+ if (ndo->ndo_vflag > 1 || (
Bug#771552: unblock: tcpdump/4.6.2-3
On Sun, Nov 30, 2014 at 05:06:49PM +, Adam D. Barratt wrote: > On Sun, 2014-11-30 at 17:56 +0100, Romain Francoise wrote: >> Please unblock tcpdump 4.6.2-3, it fixes a security vulnerability in the >> PPP dissector known as CVE-2014-9140. > > Unblocked. Thanks! -- Romain Francoise http://people.debian.org/~rfrancoise/ -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/871tokbolw@silenus.orebokech.com
Bug#771552: unblock: tcpdump/4.6.2-3
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Dear Release Team,
Please unblock tcpdump 4.6.2-3, it fixes a security vulnerability in the
PPP dissector known as CVE-2014-9140.
Full debdiff attached
unblock tcpdump/4.6.2-3
diffstat for tcpdump-4.6.2 tcpdump-4.6.2
changelog |7 +
patches/60_cve-2014-9140.diff | 50 ++
patches/series|1
3 files changed, 58 insertions(+)
diff -Nru tcpdump-4.6.2/debian/changelog tcpdump-4.6.2/debian/changelog
--- tcpdump-4.6.2/debian/changelog 2014-11-22 11:48:11.0 +0100
+++ tcpdump-4.6.2/debian/changelog 2014-11-29 12:24:11.0 +0100
@@ -1,3 +1,10 @@
+tcpdump (4.6.2-3) unstable; urgency=high
+
+ * Cherry-pick commit 0f95d441e4 from upstream Git to fix a buffer overflow
+in the PPP dissector (CVE-2014-9140).
+
+ -- Romain Francoise Sat, 29 Nov 2014 12:23:53 +0100
+
tcpdump (4.6.2-2) unstable; urgency=high
* Urgency high due to security fixes.
diff -Nru tcpdump-4.6.2/debian/patches/60_cve-2014-9140.diff tcpdump-4.6.2/debian/patches/60_cve-2014-9140.diff
--- tcpdump-4.6.2/debian/patches/60_cve-2014-9140.diff 1970-01-01 01:00:00.0 +0100
+++ tcpdump-4.6.2/debian/patches/60_cve-2014-9140.diff 2014-11-29 12:15:29.0 +0100
@@ -0,0 +1,50 @@
+commit 0f95d441e4b5d7512cc5c326c8668a120e048eda
+Author: Guy Harris
+Date: Wed Oct 22 12:31:21 2014 -0700
+
+Do bounds checking when unescaping PPP.
+
+Clean up a const issue while we're at it.
+
+diff --git a/print-ppp.c b/print-ppp.c
+index 8e098f0..9a983e6 100644
+--- a/print-ppp.c
b/print-ppp.c
+@@ -1351,14 +1351,15 @@ static void
+ ppp_hdlc(netdissect_options *ndo,
+ const u_char *p, int length)
+ {
+- u_char *b, *s, *t, c;
++ u_char *b, *t, c;
++ const u_char *s;
+ int i, proto;
+ const void *se;
+
+ if (length <= 0)
+ return;
+
+- b = (uint8_t *)malloc(length);
++ b = (u_char *)malloc(length);
+ if (b == NULL)
+ return;
+
+@@ -1367,14 +1368,13 @@ ppp_hdlc(netdissect_options *ndo,
+ * Do this so that we dont overwrite the original packet
+ * contents.
+ */
+- for (s = (u_char *)p, t = b, i = length; i > 0; i--) {
++ for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) {
+ c = *s++;
+ if (c == 0x7d) {
+- if (i > 1) {
+-i--;
+-c = *s++ ^ 0x20;
+- } else
+-continue;
++ if (i <= 1 || !ND_TTEST(*s))
++break;
++ i--;
++ c = *s++ ^ 0x20;
+ }
+ *t++ = c;
+ }
diff -Nru tcpdump-4.6.2/debian/patches/series tcpdump-4.6.2/debian/patches/series
--- tcpdump-4.6.2/debian/patches/series 2014-11-22 11:38:26.0 +0100
+++ tcpdump-4.6.2/debian/patches/series 2014-11-29 12:19:11.0 +0100
@@ -7,3 +7,4 @@
60_cve-2014-8767.diff
60_cve-2014-8768.diff
60_cve-2014-8769.diff
+60_cve-2014-9140.diff
Rebuilding the archive with new build flags
Hi all, A few weeks ago I mentioned on -devel[1] that dpkg-buildflags would be switching from -fstack-protector to -fstack-protector-strong, a new GCC 4.9 feature. This change has now landed in unstable with dpkg 1.17.11. Moritz tells me that the Security Team can request binNMUs for a set of packages that have been identified as security-sensitive[2] if they don't get rebuilt with the new flag by the time we freeze for jessie. However, I think it would be better to ensure maximum coverage of the archive by rebuilding everything that can benefit from the flag, i.e. all the packages that use dpkg-buildflags via debhelper >= 9 or cdbs, and produce arch:any binaries. Has this kind of mass binNMU been attempted before? Who would I need to talk to to get this done at least on amd64 and i386 before the freeze? Thanks, [1]: https://lists.debian.org/debian-devel/2014/06/msg00453.html [2]: http://anonscm.debian.org/viewvc/secure-testing/hardening/ -- Romain Francoise http://people.debian.org/~rfrancoise/ signature.asc Description: PGP signature
Re: Bug#631018: [RFC] libevent 2.0 transition
Hi, Any progress on this transition? Thanks, -- Romain Francoise http://people.debian.org/~rfrancoise/ -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/87liu0peka@silenus.orebokech.com
Re: [SRM] Stable update for libpcap
Ok, thanks. Uploaded. -- Romain Francoise http://people.debian.org/~rfrancoise/ -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/87mxf6a7yr@silenus.orebokech.com
Re: [SRM] Stable update for libpcap
Hi Adam, Anything else I can do to get this going forward? Or can I just upload? Thanks, -- Romain Francoise http://people.debian.org/~rfrancoise/ -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/8739hbfzb2@silenus.orebokech.com
Re: [SRM] Stable update for libpcap
Hi Adam, Thanks for your review! "Adam D. Barratt" writes: > So far as I can see from the diff and reading the log for #623868, this > also includes changes related to #625443; is that correct? The bug log > there mentions that the problem only occurs with libpcap 1.1.1-4, > whereas squeeze has 1.1.1-2 - is the log incorrect, or does #625443 not > actually affect stable? #625443 is caused by the fix for #623868 so it cannot affect stable. I squashed the original security fix (#623868) and the additional compatibility fixups (#625443) into one patch for this stable update, that way we have the same code in squeeze and in wheezy (or we will when 1.1.1-8 migrates). Cheers, -- Romain Francoise http://people.debian.org/~rfrancoise/ -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/87d3ha1992@silenus.orebokech.com
[SRM] Stable update for libpcap
Hi,
I'd like to upload the following update for libpcap in squeeze, it
addresses two bugs:
- #612803: device detection is broken if the bonding module is loaded
because it creates an extra file in /sys/class/net, the upstream fix is
used verbatim.
- #623868 (aka CVE-2011-1935): a security issue that was not serious
enough to warrant a DSA. The patch is the result of several upstream
commits that were backported to libpcap 1.1.1.
Thanks!
changelog |9 +++
patches/45_bonding.diff | 24 ++
patches/46_tpacket_alignment.diff | 88 ++
patches/series|2
4 files changed, 123 insertions(+)
diff -Nru libpcap-1.1.1/debian/changelog libpcap-1.1.1/debian/changelog
--- libpcap-1.1.1/debian/changelog 2010-04-06 21:38:44.0 +0200
+++ libpcap-1.1.1/debian/changelog 2011-07-10 19:26:04.0 +0200
@@ -1,3 +1,12 @@
+libpcap (1.1.1-2+squeeze1) stable; urgency=low
+
+ * Backport changes from upstream to fix corruption of snapshot length on
+live captures (CVE-2011-1935) (closes: #623868).
+ * Backport fix from upstream to fix device detection when the bonding
+module is loaded (closes: #612803).
+
+ -- Romain Francoise Sun, 10 Jul 2011 19:26:04 +0200
+
libpcap (1.1.1-2) unstable; urgency=low
* debian/patches/50_kfreebsd.diff: Fix configure script to properly
diff -Nru libpcap-1.1.1/debian/patches/45_bonding.diff
libpcap-1.1.1/debian/patches/45_bonding.diff
--- libpcap-1.1.1/debian/patches/45_bonding.diff1970-01-01
01:00:00.0 +0100
+++ libpcap-1.1.1/debian/patches/45_bonding.diff2011-07-10
19:22:56.0 +0200
@@ -0,0 +1,24 @@
+commit 073a8b37f97b684a34d29800400879e4e902ff63
+Author: andy-1
+Date: Tue Apr 27 23:33:23 2010 -0700
+
+Ignore /sys/net/dev files if we get ENODEV for them, not just ENXIO.
+
+Both of them are indications that there's no such interface, so the file
+probably corresponds to something other than a device.
+
+Reviewed-By: Guy Harris
+
+diff --git a/pcap-linux.c b/pcap-linux.c
+index af12543..de3239a 100644
+--- a/pcap-linux.c
b/pcap-linux.c
+@@ -1883,7 +1883,7 @@ scan_sys_class_net(pcap_if_t **devlistp, char *errbuf)
+*/
+ strncpy(ifrflags.ifr_name, name, sizeof(ifrflags.ifr_name));
+ if (ioctl(fd, SIOCGIFFLAGS, (char *)&ifrflags) < 0) {
+- if (errno == ENXIO)
++ if (errno == ENXIO || errno == ENODEV)
+ continue;
+ (void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
+ "SIOCGIFFLAGS: %.*s: %s",
diff -Nru libpcap-1.1.1/debian/patches/46_tpacket_alignment.diff
libpcap-1.1.1/debian/patches/46_tpacket_alignment.diff
--- libpcap-1.1.1/debian/patches/46_tpacket_alignment.diff 1970-01-01
01:00:00.0 +0100
+++ libpcap-1.1.1/debian/patches/46_tpacket_alignment.diff 2011-07-10
19:22:12.0 +0200
@@ -0,0 +1,88 @@
+From cc4298babe767e394dc673c87ef3dbabe3fdb7c9 Mon Sep 17 00:00:00 2001
+From: Julien Moutinho
+Date: Tue, 22 Mar 2011 23:53:15 -0700
+Subject: [PATCH] Fix the calculation of the frame size in memory-mapped
+ captures.
+
+The old calculation truncated packets to a smaller value than the
+snapshot length.
+---
+ pcap-linux.c | 61
---
+ 1 file changed, 58 insertions(+), 3 deletions(-)
+
+--- a/pcap-linux.c
b/pcap-linux.c
+@@ -3057,15 +3057,70 @@
+ {
+ unsigned i, j, frames_per_block;
+ struct tpacket_req req;
++ socklen_t len;
++ unsigned int sk_type, tp_reserve, maclen, tp_hdrlen, netoff, macoff;
+
+ /* Note that with large snapshot (say 64K) only a few frames
+* will be available in the ring even with pretty large ring size
+* (and a lot of memory will be unused).
+* The snap len should be carefully chosen to achive best
+* performance */
+- req.tp_frame_size = TPACKET_ALIGN(handle->snapshot +
+-TPACKET_ALIGN(handle->md.tp_hdrlen) +
+-sizeof(struct sockaddr_ll));
++
++ /* NOTE: calculus matching those in tpacket_rcv()
++ * in linux-2.6/net/packet/af_packet.c
++ */
++ len = sizeof(sk_type);
++ if (getsockopt(handle->fd, SOL_SOCKET, SO_TYPE, &sk_type, &len) < 0) {
++ snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "getsockopt: %s",
pcap_strerror(errno));
++ return -1;
++ }
++#ifdef PACKET_RESERVE
++ len = sizeof(tp_reserve);
++ if (getsockopt(handle->fd, SOL_PACKET, PACKET_RESERVE, &tp_reserve,
&len) < 0) {
++ if (errno != ENOPROTOOPT) {
++ /*
++ * ENOPROTOOPT means "kernel doesn&#
Re: [RFC] libevent 2.0 transition
Leo 'costela' Antunes writes: > I wanted to get libevent in sid as fast as possible because of another > of my packages, but it can wait a bit if it helps. FWIW libevent 2.0 would allow us to fix an important bug in tmux as well, so the sooner the better. -- Romain Francoise http://people.debian.org/~rfrancoise/ -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/87sjqyvris@silenus.orebokech.com
Re: please pre-approve libevent/1.4.13-stable-2
Thanks for the fix, Anibal! I should note for the release team that this issue doesn't affect the version of tmux in testing (1.3-2), only the version in experimental (1.4-3). Otherwise I would probably have set the severity to something RC. The bug can affect any application which relies on libevent for signal handling and uses the select/poll backend (on Linux libevent uses epoll by default), but if we don't have any existing reports in the BTS about this I'm not sure it's wise to have this in squeeze at this stage of the release. Thanks, -- Romain Francoise http://people.debian.org/~rfrancoise/ -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/87aaiz6eb7@elegiac.orebokech.com
Please unblock deskbar-applet 2.22.3.1-1
New stable upstream release, with only bug fixes and translation updates. It contains a change to use the new URLs for delicious feeds which I think would be nice to have in lenny (the service moved from del.icio.us to delicious.com). Full diffstat (including harmless churn related to the upstream version change): | diffstat for deskbar-applet-2.22.2.1 deskbar-applet-2.22.3.1 | | ChangeLog | 49 +++ | NEWS| 25 + | configure | 20 - | configure.ac|2 | debian/changelog|7 | debian/control |2 | debian/control.in |2 | deskbar/defs.py |2 | deskbar/handlers/desklicious.py | 66 ++-- | deskbar/handlers/tomboy.py |3 | deskbar/ui/About.py |2 | po/ChangeLog|4 | po/vi.po| 639 ++--- | 13 files changed, 380 insertions(+), 443 deletions(-) Thanks, -- Romain Francoise <[EMAIL PROTECTED]> http://people.debian.org/~rfrancoise/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Fwd: Processed: Re: Bug#408929: emacs21: crash on spam
Steve Langasek <[EMAIL PROTECTED]> writes: > So if there's no evidence of arbitrary code execution, I think > it's appropriate here to downgrade the bug -- but the security > team should also be apprised. Fine with me. -- ,''`. : :' :Romain Francoise <[EMAIL PROTECTED]> `. `' http://people.debian.org/~rfrancoise/ `- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Preparing the libpcap transition
Steve Langasek <[EMAIL PROTECTED]> writes: > If libpcap0.9 is actually backwards-compatible with libpcap0.8, > wouldn't it be far better to restore the libpcap0.8 package name so > that only one package has to be rebuilt for the 0.9->0.8 transition, > instead of rebuilding 20-some packages for an 0.8->0.9 transition? Yes, with the same soname and a simple shlibs bump. > I don't see any reason why this wouldn't work, and it would certainly > be a lot easier. You're right, I think I'll do that. -- ,''`. : :' :Romain Francoise <[EMAIL PROTECTED]> `. `' http://people.debian.org/~rfrancoise/ `- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Preparing the libpcap transition
For etch I want to reduce the number of concurrent versions of libpcap and keep only libpcap0.9. Right now we have three versions in unstable: - libpcap, the old legacy version. It was the default libpcap version for sarge. It provides libpcap0.7, libpcap0.7-dev and libpcap-dev which is both a virtual and dummy binary package, and has 58 reverse dependencies. - libpcap0.8, which was introduced late in the sarge release cycle to support new upstream versions of some of its reverse dependencies such as tcpdump and ethereal (at the time I felt it wasn't reasonable to force a migration of all packages, in hindsight we probably would have had the time). It provides libpcap0.8 and libpcap0.8-dev, and has 31 reverse dependencies. - libpcap0.9 is the latest (major) upstream version, 0.9.1 was released this week and 0.9.2 is planned for tomorrow to fix minor problems in the new API. My tentative plan is simply to move libpcap-dev to libpcap0.9 and ask people to rebuild packages to migrate to libpcap0.9. Porting should be pretty straightforward in most cases and trivial if moving from libpcap0.8 since the new library is API (and ABI) forwards-compatible[1] with libpcap0.8. Depending on how fast things go, asking for the removal of the old versions in September sounds reasonable. I'd like to get the ok of the release team before proceeding. Thanks, -- ,''`. : :' :Romain Francoise <[EMAIL PROTECTED]> `. `' http://people.debian.org/~rfrancoise/ `- Footnotes: [1] Which means that changing the soname and package name wasn't necessary. When I first packaged libpcap0.9 for experimental, I didn't know there would be no incompatible changes to the API and took the safe route. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Emacsen in the 'desktop' task
Jérôme Marant <[EMAIL PROTECTED]> writes: > I've seen a sarge installation report stating that the 'desktop' task > selects XEmacs instead of GNU Emacs. Is it true? Nope. > If so, I'm quite surprised of this since Emacs is much higher than > XEmacs in the popularity contest and I'd advice it to be changed > before the release. It installs neither Emacs nor XEmacs. It does, however, install vim via the vim-gtk dependency. :-) Cheers, -- ,''`. : :' :Romain Francoise <[EMAIL PROTECTED]> `. `' http://people.debian.org/~rfrancoise/ `- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Please consider rcs 5.7-15 for sarge
Steve Langasek <[EMAIL PROTECTED]> writes: > It would also be nice if the package took care of this file in the clean > target: > diff -u rcs-5.7/debian/substvars rcs-5.7/debian/substvars > --- rcs-5.7/debian/substvars > +++ rcs-5.7/debian/substvars > @@ -1 +1 @@ > -shlibs:Depends=libc6 (>= 2.3.2.ds1-4) > +shlibs:Depends=libc6 (>= 2.3.2.ds1-21) Yes, already fixed in the upcoming -16. Thanks, -- ,''`. : :' :Romain Francoise <[EMAIL PROTECTED]> `. `' http://people.debian.org/~rfrancoise/ `- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Please consider rcs 5.7-15 for sarge
It contains one small documentation change and mostly cleanups. The debdiff will appear large but it's because I removed a few extraneous files from the Debian diff (.orig files, etc) when I adopted it. Nothing release critical nor even important so I'll understand if you have better things to do but I'd like to see these cleanups in sarge. Thanks, -- ,''`. : :' :Romain Francoise <[EMAIL PROTECTED]> `. `' http://people.debian.org/~rfrancoise/ `- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Please approve tcpdump 3.8.3-5
It contains only documentation changes, debdiff below: diff -u tcpdump-3.8.3/debian/copyright tcpdump-3.8.3/debian/copyright --- tcpdump-3.8.3/debian/copyright +++ tcpdump-3.8.3/debian/copyright @@ -8,7 +8,7 @@ Upstream Authors: tcpdump-workers@tcpdump.org -Licensed under the 3-clause BSD license: +Licensed under the 3-clause BSD license: Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions @@ -28,6 +28,41 @@ IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +Some files in this package are licensed under the 4-clause BSD license, +the copyright on most of them belongs to The Regents of the University +of California. Since the license was retroactively changed in 1999 to +remove the advertising clause, they are effectively under the 3-clause +license even if the text of the license in the files hasn't been +updated. See the following document for more details: + + ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change> + +Other files under the 4-clause BSD license and whose copyright doesn't +belong to the The Regents of the University of California are listed +below: +- aodv.h, Copyright (c) 2003 Bruce M. Simpson +- atmuni31.h, Copyright (c) 1997 Yen Yen Lim and North Dakota State University +- ieee802_11.h, Copyright (c) 2001 Fortress Technologies and Charlie Lenahan +- print-802_11.c, Copyright (c) 2001 Fortress Technologies and Charlie Lenahan +- print-aodv.c, Copyright (c) 2003 Bruce M. Simpson +- print-ascii.c, Copyright (c) 1997, 1998 The NetBSD Foundation, Inc. +- print-cnfp.c, Copyright (c) 1998 Michael Shalayeff +- print-gre.c, Copyright (c) 2002 Jason L. Wright +- print-mobile.c, Copyright (c) 1998 The NetBSD Foundation, Inc. +- print-sunatm.c, Copyright (c) 1997 Yen Yen Lim and North Dakota State + University +- print-telnet.c, Copyright (c) 1997, 1998 The NetBSD Foundation, Inc. +- print-timed.c, Copyright (c) 2000 Ben Smithurst +- missing/inet_aton.c, Copyright (c) 1995, 1996, 1997 Kungliga Tekniska + Högskolan (Royal Institute of Technology, Stockholm, + Sweden). +- missing/inet_ntop.c, Copyright (c) 1995, 1996, 1997 Kungliga Tekniska + Högskolan (Royal Institute of Technology, Stockholm, + Sweden). +- missing/inet_pton.c, Copyright (c) 1995, 1996, 1997 Kungliga Tekniska + Högskolan (Royal Institute of Technology, Stockholm, + Sweden). + Current upstream maintainers: Bill Fenner <[EMAIL PROTECTED]> Fulvio Risso<[EMAIL PROTECTED]> @@ -53,7 +88,7 @@ Darren Reed <[EMAIL PROTECTED]> David Kaelbling <[EMAIL PROTECTED]> David Young <[EMAIL PROTECTED]> - Don Ebright <[EMAIL PROTECTED]> + Don Ebright <[EMAIL PROTECTED]> Eric Anderson <[EMAIL PROTECTED]> Franz Schaefer <[EMAIL PROTECTED]> Gianluca Varenni<[EMAIL PROTECTED]> diff -u tcpdump-3.8.3/debian/changelog tcpdump-3.8.3/debian/changelog --- tcpdump-3.8.3/debian/changelog +++ tcpdump-3.8.3/debian/changelog @@ -1,9 +1,18 @@ +tcpdump (3.8.3-5) unstable; urgency=low + + * debian/copyright: Clarify license conditions, some files in the +distribution are still under the 4-clause BSD license (closes: #283008). + * debian/changelog: Revise 3.8.3-4 entry to add CAN numbers (which have +been assigned in the meantime). + + -- Romain Francoise <[EMAIL PROTECTED]> Sun, 1 May 2005 17:23:45 +0200 + tcpdump (3.8.3-4) unstable; urgency=high * Urgency set to high due to security fixes. * debian/patches/50_misc_dos.dpatch: Security fixes stolen from the 3.8 branch fix infinite loops in the BGP, ISIS, LDP and RSVP dissectors -(closes: #306529). +[CAN-2005-1278, CAN-2005-1279, CAN-2005-1280] (closes: #306529). * debian/patches/00list: Add 50_misc_dos. -- Romain Francoise <[EMAIL PROTECTED]> Wed, 27 Apr 2005 21:05:37 +0200 -- ,''`. : :' :Romain Francoise <[EMAIL PROTECTED]> `. `' http://people.debian.org/~rfrancoise/ `- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: wmaker, wsound* and libdockapp.
Andreas Metzler <[EMAIL PROTECTED]> writes: > I was checking up on wmaker's status re sarge migration, and while I was > at it, chose to mail it here. Do we really want the new wmaker in sarge? It's the result of several months of upstream development and it's apparently a bit rough around the edges, and it's even unusable for me because of bug #283240. This is by no means a critical bug by Debian standards but as a mere user I would prefer sarge to ship with version 0.80. My two cents, -- ,''`. : :' :Romain Francoise <[EMAIL PROTECTED]> `. `' http://people.debian.org/~rfrancoise/ `-
Re: Removal-from-sarge proposals
Steve Langasek <[EMAIL PROTECTED]> writes: > Ok, thanks for the info. I agree that this bug should be considered RC > then. Shall I upgrade the severity again? > Are you yourself planning to NMU the package to the new upstream > version, if the maintainer is not? I have refrained from doing so for some time for a number of reasons (NMU of new upstream versions considered harmful, my having patches for the package which need to be reviewed by other people, etc), but if you (as Release Assistant) think I should do so, I will be glad to. (I already have a package of 1.41 for my own machines.) Cheers, -- ,''`. : :' :Romain Francoise <[EMAIL PROTECTED]> `. `' http://people.debian.org/~rfrancoise/ `- pgpopBn8B1UrF.pgp Description: PGP signature
Re: Removal-from-sarge proposals
Steve Langasek <[EMAIL PROTECTED]> writes: >> wmbubble: #207377 (or someone takes the patch and makes an NMU..) > Downgrading this; someone seems to have upgraded it without > communicating with the maintainer, and there's no real indication in the > report that the bug actually has a significant impact on usability, 2.6 > kernel or not. Still an NMU candidate, though, IMHO. I upgraded this one; I think it deserves "serious" severity since it makes wmbubble die after a few seconds with "Floating point exception" when running a 2.6 kernel. As I said in the message to control, I guess most users will be running a 2.6 kernel during Sarge's lifetime. The solution to this problem is not to NMU with the patch found in #207377 but to update the package to version 1.41 which has upstream support for Linux 2.6 (not just CPU counters), see #220643. I had several mail exchanges and IRC conversations with the maintainer who promised several times to do so, but he seems to have real-life problems right now and never got around to doing it. Note that he didn't followup to any of the bugs opened against wmbubble at the moment. -- ,''`. : :' :Romain Francoise <[EMAIL PROTECTED]> `. `' http://people.debian.org/~rfrancoise/ `- pgppEgAVEHKPk.pgp Description: PGP signature
