Re: Preparation of the next stable Debian GNU/Linux update
On Sat, Dec 13, 2008 at 04:37:51PM +0100, Philipp Kern wrote: Preparation of Debian GNU/Linux 4.0r6 = Accepted Packages - These packages will be installed into the stable Debian distribution and will be part of the next revision. Also accepted was this upload to reportbug: Sourceful update of reportbug: version in stable: 3.31 version in updates: 3.31+etch1 Rationales: - 3.31+etch1: reportbug - bugs.d.o is now RR DNS. SMTP is only running on one of them. And the following security updates (also listed below): Sourceful update of phpmyadmin: version in stable: 4:2.9.1.1-8 version in updates: 4:2.9.1.1-9 Rationales: - 2.9.1.1-9: DSA 1675 phpmyadmin - fix cross site scripting, fix regression introduced in DSA 1641 Sourceful update of fai-kernels: version in stable: 1.17+etch.23 version in updates: 1.17+etch.23etch1 - 1.17+etch.23etch1: DSA 1687 fai-kernels - several vulnerabilities Sourceful update of squirrelmail: version in stable: 2:1.4.9a-2 version in updates: 2:1.4.9a-3 Rationales: - 1.4.9a-3: DSA 1682 squirrelmail - fix cross site scripting Sourceful update of user-mode-linux: version in stable: 2.6.18-1um-2etch.23 version in updates: 2.6.18-1um-2etch.23etch1 Rationales: - 2.6.18-1um-2etch.23etch1: DSA 1687 user-mode-linux - several vulnerabilities Sourceful update of linux-2.6: version in stable: 2.6.18.dfsg.1-23 version in updates: 2.6.18.dfsg.1-23etch1 Rationales: - 2.6.18.dfsg.1-23etch1: DSA 1687 linux-2.6 - several vulnerabilities Requires further Investigation -- These packages need further investigation. One reason the package is listed here could be that I'm not yet convinced this package should go into stable, but don't want to reject it entirely at the moment. Another reason could be that released and updated architectures are not yet in sync. Sourceful update of devscripts: version in stable: 2.9.26 version in updates: 2.9.26etch1 Rationales: - 2.9.26etch1: devscripts - Allow signing of changes files produced by dpkg versions = 1.14.17 (#474949) Problems: mipsel build missing Sourceful update of graphviz: version in stable: 2.8-2.4 version in updates: 2.8-3+etch1 Rationales: - 2.8-3+etch1: graphviz - fix stack overflow (CVE-2008-4555) Problems: ia64 and mipsel builds missing The builds for both packages are in and they are ready to be installed into stable. Sourceful update of perl: version in updates: 5.8.8-7etch4 version in updates-NEW: 5.8.8-7etch5 Rationales: - 5.8.8-7etch5: DSA 1678 perl - fix privilege escalation Problems: FTBFS on hppa This will hopefully be fixed with a new upload for the next point release. Packages Waiting for Investigation -- glpi | 0.68.2-1etch0.2 phpmyadmin | 2.9.1.1-9 squirrelmail | 1.4.9a-3 uw-imap | 2002edebian1-13.1+etch1 phpmyadmin and squirrelmail have been accepted. The other two (glpi and uw-imap) will be considered for the next point release. Covered DSAs The following DSAs are incorporated into this point release. Additionally to those already listed the following were accepted into this point release: DSA 1675 | phpmyadmin | fix cross site scripting, fix regression introduced in DSA 1641 DSA 1682 | squirrelmail | fix cross site scripting DSA 1687 | fai-kernels | several vulnerabilities DSA 1687 | linux-2.6 | several vulnerabilities DSA 1687 | user-mode-linux | several vulnerabilities Kind regards, Philipp Kern -- .''`. Philipp KernDebian Developer : :' : http://philkern.de Release Assistant `. `' xmpp:p...@0x539.de Stable Release Manager `-finger pkern/k...@db.debian.org signature.asc Description: Digital signature
Re: Preparation of the next stable Debian GNU/Linux update
* Paul Hardy [Fri, 17 Oct 2008 11:03:37 -0700]: If this is not a strong enough reason, I'll follow up with backports.org. I hadn't brought up a backport previously because I knew everyone was trying to focus on a lenny release. I think that's going to be better. Cheers, -- Adeodato Simó dato at net.com.org.es Debian Developer adeodato at debian.org Listening to: Ellos - Lejos de lo perfecto -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (1st update)
Am Freitag, den 17.10.2008, 13:13 +0200 schrieb Philipp Kern:
[..]
Preparation of Debian GNU/Linux 4.0r5
=
[..]
If you would like to get a package updated in the stable release, you
are advised to talk to the stable release managers first (see
http://www.debian.org/intro/organization).
I would like to get an update of xml-core into Etch. The reason is bug
#482140 [1]. The update would not change the behaviour, but the
dependencies and parts of the code-base (see the attachment and the bug
report). xml-core would then just depend on perl-base and
update-xmlcatalog should not longer fail during upgrade (seems, that
this does not always happen). Independent from this change I will
prepare an update to xml-core and docbook-xml (and other affected
packages) for Lenny.
[1] http://bugs.debian.org/482140
Regards, Daniel
Index: tools/update-xmlcatalog
===
--- tools/update-xmlcatalog (Revision 1255)
+++ tools/update-xmlcatalog (Arbeitskopie)
@@ -121,7 +121,7 @@
use strict;
## --
-use File::Spec::Functions;
+use File::Spec;
use Getopt::Long;
## --
@@ -196,7 +196,7 @@
{
if ( defined( $package ) )
{
- my $catalog = catfile( $catalog_dir, $package.xml );
+ my $catalog = File::Spec-catfile( $catalog_dir, $package.xml );
if ( ! -f $catalog )
{
print STDERR $name: error: package catalog $catalog not found\n;
@@ -261,7 +261,7 @@
{
if ( defined( $root ) )
{
- my $catalog = catfile( $catalog_dir, 'catalog' );
+ my $catalog = File::Spec-catfile( $catalog_dir, 'catalog' );
if ( ! -f $catalog )
{
print STDERR $name: error: root catalog $catalog not found\n;
@@ -275,7 +275,7 @@
}
elsif ( defined( $package ) )
{
- my $catalog = catfile( $catalog_dir, $package.xml );
+ my $catalog = File::Spec-catfile( $catalog_dir, $package.xml );
if ( ! -f $catalog )
{
print STDERR $name: error: package catalog $catalog not found\n;
@@ -344,8 +344,8 @@
if ( defined( $root ) )
{
$catalog = 'catalog';
-$catalog_data = catfile( $catalog_data_dir, $catalog );
-$catalog = catfile( $catalog_dir, $catalog );
+$catalog_data = File::Spec-catfile( $catalog_data_dir, $catalog );
+$catalog = File::Spec-catfile( $catalog_dir, $catalog );
my $start = $type;
$start .= 'Id' unless $type eq 'uri';
$start .= 'StartString';
@@ -358,8 +358,8 @@
}
elsif ( defined( $package ) )
{
-$catalog_data = catfile( $catalog_data_dir, $package );
-$catalog = catfile( $catalog_dir, $package.xml );
+$catalog_data = File::Spec-catfile( $catalog_data_dir, $package );
+$catalog = File::Spec-catfile( $catalog_dir, $package.xml );
my $start = $type;
$start .= 'Id' unless $type eq 'uri';
$start .= 'StartString';
@@ -375,7 +375,7 @@
$catalog = $local;
$catalog_data = $local;
$catalog_data =~ tr|/|_|;
-$catalog_data = catfile( $catalog_data_dir, $catalog_data );
+$catalog_data = File::Spec-catfile( $catalog_data_dir, $catalog_data );
my $start = ( $type eq 'uri' ) ? 'name' : $type;
$start .= 'Id' unless $type eq 'uri';
$id = $start=\$id\;
Index: debian/changelog
===
--- debian/changelog (Revision 1255)
+++ debian/changelog (Arbeitskopie)
@@ -1,3 +1,12 @@
+xml-core (0.09-0.1etch1) stable; urgency=low
+
+ * Non-maintainer upload.
+ * tools/update-xmlcatalog: Use File::Spec instead of File::Spec::Functions
+as workaround to #482140.
+ * debian/rules: Depend on perl-base rather than the full perl package.
+
+ -- Daniel Leidert (dale) [EMAIL PROTECTED] Tue, 14 Oct 2008 20:33:12 +0200
+
xml-core (0.09-0.1) unstable; urgency=low
* Non-maintainer upload.
Index: debian/rules
===
--- debian/rules (Revision 1255)
+++ debian/rules (Arbeitskopie)
@@ -48,7 +48,7 @@
dh_compress
dh_fixperms
dh_installdeb
- dh_perl
+ dh_perl -d
dh_gencontrol
dh_md5sums
dh_builddeb
Re: Preparation of the next stable Debian GNU/Linux update (1st update)
Daniel Leidert wrote: Am Freitag, den 17.10.2008, 13:13 +0200 schrieb Philipp Kern: [..] Preparation of Debian GNU/Linux 4.0r5 = [..] If you would like to get a package updated in the stable release, you are advised to talk to the stable release managers first (see http://www.debian.org/intro/organization). I would like to get an update of xml-core into Etch. The reason is bug #482140 [1]. The update would not change the behaviour, but the dependencies and parts of the code-base (see the attachment and the bug report). xml-core would then just depend on perl-base and update-xmlcatalog should not longer fail during upgrade (seems, that this does not always happen). Independent from this change I will prepare an update to xml-core and docbook-xml (and other affected packages) for Lenny. There is no requirement that people need to upgrade to the latest point release before upgrading to lenny and we don't intend to introduce that requirement. It also appears that you're too late to get this change included in the currently planned point release... If it gets 'fixed' in lenny, then I don't see a reason why anything else is needed? Cheers Luk -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update
Philipp Kern wrote: Removed Packages These packages will be removed from the stable Debian distribution. This normally only a result of license problems when the license prohibits their distribution. [ No removals known at this point. ] what about f-prot (#495171)? Cheers Luk -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update
Phillip, On Wed, Oct 15, 2008 at 6:39 AM, Philipp Kern [EMAIL PROTECTED] wrote: Preparation of Debian GNU/Linux 4.0r5 = We are preparing the next revision of the current stable Debian distribution (etch)... If you would like to get a package updated in the stable release, you are advised to talk to the stable release managers first (see http://www.debian.org/intro/organization). I see from the list that you're a manager on the Stable release team, so I hope this message satisfies the above requirement. :-) Can you include the latest version of the package I'm maintaining, unifont 1:5.1.20080914-1, which is currently in testing? The latest package has these improvements over the versions (original backport) currently in stable: * Closes all known bugs (some of which had been open in Debian for years). * Addresses potential DFSG issues, notably with a replacement of the 11,000+ glyphs in the Hangul Syllables block. * Provides complete coverage of the Unicode Basic Multilingual Plane. * Includes all additions for Unicode 5.1, released in April 2008. * Incorporates improvements made in older Ubuntu versions that weren't ported back to Debian. I did most of the development of the package under etch 4.0r3, and always made sure during development that the latest version would still build and install under 4.0r3. The current package builds under 4.0r3 with just a couple of warnings: 1) Warns about using a version of Policy 3.7.2. 2) Warns that the Homepage: control field isn't recognized and is being skipped. I asked about these for backporting to etch on the debian-mentors IRC channel a while ago. I was told that I should ignore those messages (because they were harmless) rather than constructing a separate backport control file. According to that advice, the version of unifont currently in testing should therefore be suitable as is for etch 4.0r5 (which probably won't even give the above two warnings anymore). Paul Hardy GPG Key ID: E6E6E390 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update
dann frazier wrote: On Sun, Jul 27, 2008 at 02:29:38PM -0400, Joey Hess wrote: I'm wondering who wrote: As linux-modules-extra-2.6-etchnhalf was not ready in time we decided to skip it for r4 and include it in r5. Frans Pop wrote: Well done folks. You've again managed to break at least part of the functionality of Debian Installer and, more importantly, left users with a potentially unbootable system after installation. fjp You can now partition using loop-aes encryption, but the modules are not available for the installed system. fjp So you cannot access any loop-aes encrypted partitions. fjp Or (hopefully) the installation will fail during finish-install. Well, it would seem we have the first peice of errata for the end of http://www.debian.org/releases/etch/debian-installer/etchnhalf How's this? Index: etchnhalf.wml === RCS file: /cvs/webwml/webwml/english/releases/etch/debian-installer/etchnhalf.wml,v retrieving revision 1.4 diff -u -p -r1.4 etchnhalf.wml --- etchnhalf.wml 15 Jul 2008 08:56:10 - 1.4 +++ etchnhalf.wml 27 Jul 2008 21:17:42 - @@ -175,6 +175,9 @@ release. h3 id=errata-r0Errata specific to qetch-and-a-half/q/h3 p -No known issues. +Partitions encrypted using loop-AES will not be accessable after installation. accessible? +This issue is due to the absence of loop-aes kernel modules for the etchnhalf ^^ caused by? +kernel. These modules will be made available in the next update of Debian +GNU/Linux 4.0, 4.0r5. ... and can be fetched from proposed-updates before.? Regards, Joey -- Open source is important from a technical angle. -- Linus Torvalds -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update
New package loop-aes-etchnhalf: architectures in updates: s390 all amd64 i386 powerpc arm sparc alpha ia64 mips mipsel hppa version in updates: 3.2c-2~etchnhalf.2 Rationales: - 3.2c-2~etchnhalf.1: loop-aes-etchnhalf - source compatible w/ etchnhalf kernel As linux-modules-extra-2.6-etchnhalf was not ready in time we decided to skip it for r4 and include it in r5. Well done folks. You've again managed to break at least part of the functionality of Debian Installer and, more importantly, left users with a potentially unbootable system after installation. This is the third time since Etch where a stable release involving something I have spent a serious amount of my time on is mishandled by the release team. I've had it with this mentality where apparently it is OK to just skip proper and timely preparation of releases, where it is OK to do things at the very last possible moment, break promises made to colleague DDs and break their work without any prior communication at all. As you obviously don't appreciate the work done by others to get things to the point that a release is possible, I will not participate in ANYTHING that has to do with releasing Lenny anymore, which means I'm dropping per now a lot of my D-I work, debian-cd work, documentation work and website work and any testing work I normally do. Frans Pop signature.asc Description: This is a digitally signed message part.
Re: Preparation of the next stable Debian GNU/Linux update
I'm wondering who wrote: As linux-modules-extra-2.6-etchnhalf was not ready in time we decided to skip it for r4 and include it in r5. Frans Pop wrote: Well done folks. You've again managed to break at least part of the functionality of Debian Installer and, more importantly, left users with a potentially unbootable system after installation. fjp You can now partition using loop-aes encryption, but the modules are not available for the installed system. fjp So you cannot access any loop-aes encrypted partitions. fjp Or (hopefully) the installation will fail during finish-install. Well, it would seem we have the first peice of errata for the end of http://www.debian.org/releases/etch/debian-installer/etchnhalf How many months do we plan to let users stumble over this before r5? This is the third time since Etch where a stable release involving something I have spent a serious amount of my time on is mishandled by the release team. I've had it with this mentality where apparently it is OK to just skip proper and timely preparation of releases, where it is OK to do things at the very last possible moment, break promises made to colleague DDs and break their work without any prior communication at all. We're very good at releasing every day / week (hello, britney, debian-cd). We *suck* at releasing every X years where every single thing is ad-hoc. As long as stable release frequency is random and release preparations are ad-hoc, we will continue to have such problems. As you obviously don't appreciate the work done by others to get things to the point that a release is possible, I will not participate in ANYTHING that has to do with releasing Lenny anymore, which means I'm dropping per now a lot of my D-I work, debian-cd work, documentation work and website work and any testing work I normally do. It might help your motivation slightly to think of stable as a sub-par and largely irrelevant derived distribution bolted onto the side of the real Debian. -- see shy jo, who at least can stop feeling bad about his original slink-and-half release. Apparently being an official Debian release would not have made it any better.. signature.asc Description: Digital signature
Re: Preparation of the next stable Debian GNU/Linux update
On Sun, Jul 27, 2008 at 07:22:21PM +0200, Frans Pop wrote: New package loop-aes-etchnhalf: architectures in updates: s390 all amd64 i386 powerpc arm sparc alpha ia64 mips mipsel hppa version in updates: 3.2c-2~etchnhalf.2 Rationales: - 3.2c-2~etchnhalf.1: loop-aes-etchnhalf - source compatible w/ etchnhalf kernel As linux-modules-extra-2.6-etchnhalf was not ready in time we decided to skip it for r4 and include it in r5. Well done folks. You've again managed to break at least part of the functionality of Debian Installer and, more importantly, left users with a potentially unbootable system after installation. This is the third time since Etch where a stable release involving something I have spent a serious amount of my time on is mishandled by the release team. I've had it with this mentality where apparently it is OK to just skip proper and timely preparation of releases, where it is OK to do things at the very last possible moment, break promises made to colleague DDs and break their work without any prior communication at all. So you would have had the release team do what instead, exactly? Wait indefinitely for this package to be ready, even if that meant impacting lenny preparations or releasing etch-and-a-half after the lenny release? The value in doing a ½ style point release is to make the OS available to users of newer hardware. If the point release is delayed so long that there's a new full release out before it's done, then *no one* gets the benefit of being able to install a supported Debian release on hardware that wasn't supported before. How would *that* be showing appreciation for the work that people have done to make etch ½ happen, exactly? Releasing without linux-modules-extra-2.6-etchnhalf et al. means that the updated hardware support is still useful to *some* users with newer hardware. As a release management decision, I see no grounds for attacking the release team the way you do. The normal media are still useful the same way that they were before, and the etchnhalf installer option is more useful than not having one was. That looks like a success to me, albeit a qualified success. On breaking promises and without any prior communication, I have no idea. I agree that neither is a good thing, but in my following of debian-release and debian-boot, I frankly have no idea where promises were made and broken. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ [EMAIL PROTECTED] [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update
On Sun, Jul 27, 2008 at 02:29:38PM -0400, Joey Hess wrote: I'm wondering who wrote: As linux-modules-extra-2.6-etchnhalf was not ready in time we decided to skip it for r4 and include it in r5. Frans Pop wrote: Well done folks. You've again managed to break at least part of the functionality of Debian Installer and, more importantly, left users with a potentially unbootable system after installation. fjp You can now partition using loop-aes encryption, but the modules are not available for the installed system. fjp So you cannot access any loop-aes encrypted partitions. fjp Or (hopefully) the installation will fail during finish-install. Well, it would seem we have the first peice of errata for the end of http://www.debian.org/releases/etch/debian-installer/etchnhalf How's this? Index: etchnhalf.wml === RCS file: /cvs/webwml/webwml/english/releases/etch/debian-installer/etchnhalf.wml,v retrieving revision 1.4 diff -u -p -r1.4 etchnhalf.wml --- etchnhalf.wml 15 Jul 2008 08:56:10 - 1.4 +++ etchnhalf.wml 27 Jul 2008 21:17:42 - @@ -175,6 +175,9 @@ release. h3 id=errata-r0Errata specific to qetch-and-a-half/q/h3 p -No known issues. +Partitions encrypted using loop-AES will not be accessable after installation. +This issue is due to the absence of loop-aes kernel modules for the etchnhalf +kernel. These modules will be made available in the next update of Debian +GNU/Linux 4.0, 4.0r5. /p /if-etchnhalf-released -- dann frazier -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update
dann frazier [EMAIL PROTECTED] (27/07/2008): How's this? 1 typo. -No known issues. +Partitions encrypted using loop-AES will not be accessable after installation. accessible +This issue is due to the absence of loop-aes kernel modules for the etchnhalf +kernel. These modules will be made available in the next update of Debian +GNU/Linux 4.0, 4.0r5. /p /if-etchnhalf-released Mraw, KiBi. signature.asc Description: Digital signature
Re: Preparation of the next stable Debian GNU/Linux update
Hi, On Sun Jul 27, 2008 at 15:19:25 -0600, dann frazier wrote: On Sun, Jul 27, 2008 at 02:29:38PM -0400, Joey Hess wrote: I'm wondering who wrote: As linux-modules-extra-2.6-etchnhalf was not ready in time we decided to skip it for r4 and include it in r5. Frans Pop wrote: Well done folks. You've again managed to break at least part of the functionality of Debian Installer and, more importantly, left users with a potentially unbootable system after installation. fjp You can now partition using loop-aes encryption, but the modules are not available for the installed system. fjp So you cannot access any loop-aes encrypted partitions. fjp Or (hopefully) the installation will fail during finish-install. Well, it would seem we have the first peice of errata for the end of http://www.debian.org/releases/etch/debian-installer/etchnhalf How's this? Index: etchnhalf.wml === RCS file: /cvs/webwml/webwml/english/releases/etch/debian-installer/etchnhalf.wml,v retrieving revision 1.4 diff -u -p -r1.4 etchnhalf.wml --- etchnhalf.wml 15 Jul 2008 08:56:10 - 1.4 +++ etchnhalf.wml 27 Jul 2008 21:17:42 - @@ -175,6 +175,9 @@ release. h3 id=errata-r0Errata specific to qetch-and-a-half/q/h3 p -No known issues. +Partitions encrypted using loop-AES will not be accessable after installation. +This issue is due to the absence of loop-aes kernel modules for the etchnhalf +kernel. These modules will be made available in the next update of Debian +GNU/Linux 4.0, 4.0r5. /p /if-etchnhalf-released We just agreed with Joerg Jaspert to post-release the missing modules as soon as he has arrived in Argentina. Greetings Martin -- Martin Zobel-Helas [EMAIL PROTECTED] | Debian Release Team Member Debian GNU/Linux Developer | Debian Listmaster Public key http://zobel.ftbfs.de/5d64f870.asc - KeyID: 5D64 F870 GPG Fingerprint: 5DB3 1301 375A A50F 07E7 302F 493E FB8E 5D64 F870 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update
On Fri, Jul 25, 2008 at 01:27:25PM +0200, Philipp Kern wrote: New package atl2-etchnhalf: architectures in updates: s390 all amd64 i386 powerpc arm sparc alpha ia64 mips mipsel hppa version in updates: 2.0.3-3~etchnhalf.1 Rationales: - 2.0.3-3~etchnhalf.1: atl2-etchnhalf - source compatible w/ etchnhalf kernel New package squashfs-etchnhalf: architectures in updates: s390 all amd64 i386 powerpc arm sparc alpha ia64 mips mipsel hppa version in updates: 1:3.3-7~etchnhalf.2 Rationales: - 3.3-7~etchnhalf.2: squashfs-etchnhalf - source compatible w/ etchnhalf kernel New package loop-aes-etchnhalf: architectures in updates: s390 all amd64 i386 powerpc arm sparc alpha ia64 mips mipsel hppa version in updates: 3.2c-2~etchnhalf.2 Rationales: - 3.2c-2~etchnhalf.1: loop-aes-etchnhalf - source compatible w/ etchnhalf kernel As linux-modules-extra-2.6-etchnhalf was not ready in time we decided to skip it for r4 and include it in r5. This also affects the new packages mentioned above which will not be included in the point release neither. Kind regards, Philipp Kern -- .''`. Philipp Kern Debian Developer : :' : http://philkern.de Debian Release Assistant `. `' xmpp:[EMAIL PROTECTED] `-finger pkern/[EMAIL PROTECTED] signature.asc Description: Digital signature
Re: Preparation of the next stable Debian GNU/Linux update
On Fri, Jul 25, 2008 at 12:53:09PM +0200, Philipp Kern wrote: [ Changes: include linux-modules-extra-2.6-etchnhalf, mention] [ architectures of new packages ] Preparation of Debian GNU/Linux 4.0r4 = Isn't that the case to give evidence to the etch-n-half packages presence ? -- Francesco P. Lovergine -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update
On Thu, Jul 24, 2008 at 01:09:14AM +0200, Philipp Kern wrote: We are preparing the next revision of the current stable Debian distribution (sarge) and will frequently send reports so people can actually comment on it and intervene whenever this is required. I saw proftpd 1.3.0-19etch1 has been approved, but is missing in the report. It fixes CVE-2007-2165. -- Francesco P. Lovergine -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update
Philipp Kern wrote: We are preparing the next revision of the current stable Debian distribution (sarge) and will frequently send reports so people can You mean etch, don't you? -- Eugene V. Lyubimkin aka JackYF, Ukrainian C++ developer. signature.asc Description: OpenPGP digital signature
Re: Preparation of the next stable Debian GNU/Linux update
On Thu, Jul 24, 2008 at 02:24:33AM +0300, Eugene V. Lyubimkin wrote: Philipp Kern wrote: We are preparing the next revision of the current stable Debian distribution (sarge) and will frequently send reports so people can You mean etch, don't you? Sure. Classical copy'n'paste mistake. Kind regards, Philipp Kern -- .''`. Philipp Kern Debian Developer : :' : http://philkern.de Debian Release Assistant `. `' xmpp:[EMAIL PROTECTED] `-finger pkern/[EMAIL PROTECTED] signature.asc Description: Digital signature
Re: Preparation of the next stable Debian GNU/Linux update (II)
This one time, at band camp, Martin Zobel-Helas said: If you would like to get a package updated in the stable release, you are advised to talk to the stable release managers first (see http://www.debian.org/intro/organization). Following a conversation on IRC: clamav 0.90.1dfsg-3etch9 Uploaded, but not yet built, obviously. -- - | ,''`.Stephen Gran | | : :' :[EMAIL PROTECTED] | | `. `'Debian user, admin, and developer | |`- http://www.debian.org | - signature.asc Description: Digital signature
Re: Preparation of the next stable Debian GNU/Linux update (II)
Martin Zobel-Helas wrote: Preparation of Debian GNU/Linux 4.1r3 = Requires further Investigation -- unace-nonfree stable2.5-1 alpha amd64 arm hppa i386 ia64 mips mipsel powerpc sparc source unace-nonfree updates 2.5-1etch1 amd64 i386 source unace-nonfree - Make 64-bit clean and fix possible denial of service This is fine as 2.5-1 is scheduled for removal... Removed Packages These packages will be removed from the stable Debian distribution. This normally only a result of license problems when the license prohibits their distribution. flyspray stable 0.9.8-10 all source #459296 unace-nonfree stable 2.5-1 alpha amd64 arm hppa i386 ia64 mips mipsel powerpc sparc source #458052 Cheers Luk -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (II)
Hi, On Thu Jan 17, 2008 at 22:32:37 +0100, Luk Claes wrote: Martin Zobel-Helas wrote: Preparation of Debian GNU/Linux 4.1r3 = Requires further Investigation -- unace-nonfree stable2.5-1 alpha amd64 arm hppa i386 ia64 mips mipsel powerpc sparc source unace-nonfree updates 2.5-1etch1 amd64 i386 source unace-nonfree - Make 64-bit clean and fix possible denial of service This is fine as 2.5-1 is scheduled for removal... Removed Packages These packages will be removed from the stable Debian distribution. This normally only a result of license problems when the license prohibits their distribution. flyspraystable 0.9.8-10 all source #459296 unace-nonfree stable 2.5-1 alpha amd64 arm hppa i386 ia64 mips mipsel powerpc sparc source #458052 added, thanks -- Martin Zobel-Helas [EMAIL PROTECTED] | Debian Release Team Member Debian GNU/Linux Developer | Debian Listmaster Public key http://zobel.ftbfs.de/5d64f870.asc - KeyID: 5D64 F870 GPG Fingerprint: 5DB3 1301 375A A50F 07E7 302F 493E FB8E 5D64 F870 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update
Hi, On Sat Dec 29, 2007 at 00:20:15 +0100, Martin Zobel-Helas wrote: The next revision of stable should therefore be released at the mid of February or 48h before the release of Etch, whatever comes first. ignore that one. i really should kill that from the skel directory.. Greetings Martin -- [EMAIL PROTECTED] /root]# man real-life No manual entry for real-life -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
flash version (Re: Preparation of the next stable Debian GNU/Linux update)
Hi, flashplugin-nonfree stable9.0.31.0.1 i386 source flashplugin-nonfree updates 9.0.48.0.1etch1 i386 source flashplugin-nonfree - New upstream release fixes security problems but adobe flash 9.0.48 has some CVE bugs - potential execution of arbitrary code, cross-site scripting, etc. see http://www.adobe.com/support/security/bulletins/apsb07-20.html These will be solved by only flash 9.0.115.0. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: flash version (Re: Preparation of the next stable Debian GNU/Linux update)
[Hideki Yamane] but adobe flash 9.0.48 has some CVE bugs - potential execution of arbitrary code, cross-site scripting, etc. see http://www.adobe.com/support/security/bulletins/apsb07-20.html These will be solved by only flash 9.0.115.0. Good. I guess one should use 9.0.115.0, then. But I believe 9.0.48 got fewer bugs than 9.0.31, so an update is preferable in any case. Happy hacking, -- Petter Reinholdtsen -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update
On Mon, Dec 24, 2007 at 10:50:42PM +0100, Ina Zobel wrote: Preparation of Debian GNU/Linux 4.0r2 = [...] Ina Zobel? :) That mail wasn't signed! :( Is Ina sending that mail on behalf of Martin Zobel-Helas? signature.asc Description: Digital signature
Re: Preparation of the next stable Debian GNU/Linux update
On Mon, Dec 24, 2007 at 07:25:42PM +1100, Anibal Monsalve Salazar wrote: On Mon, Dec 24, 2007 at 10:50:42PM +0100, Ina Zobel wrote: Preparation of Debian GNU/Linux 4.0r2 = [...] Ina Zobel? :) That mail wasn't signed! :( Is Ina sending that mail on behalf of Martin Zobel-Helas? And the date and time of that mail is wrong! In Australia it is 24 Dec at 7:29pm +1100. Ina's clock is too far in the future. :( signature.asc Description: Digital signature
Re: Preparation of the next stable Debian GNU/Linux update
On Mon, 2007-12-24 at 22:50 +0100, Ina Zobel wrote: If you disagree with one bit or another, please reply to this mail and explain why these things should be handled differently. flashplugin-nonfree stable9.0.31.0.1 i386 source flashplugin-nonfree updates 9.0.48.0.1etch1 i386 source flashplugin-nonfree - New upstream release fixes security problems This should be version 9.0.115.0.1~etch1. Regards, Bart Martens signature.asc Description: This is a digitally signed message part
Re: Preparation of the next stable Debian GNU/Linux update
Hi, On Mon Dec 24, 2007 at 09:33:39 +0100, Bart Martens wrote: On Mon, 2007-12-24 at 22:50 +0100, Ina Zobel wrote: If you disagree with one bit or another, please reply to this mail and explain why these things should be handled differently. flashplugin-nonfree stable9.0.31.0.1 i386 source flashplugin-nonfree updates 9.0.48.0.1etch1 i386 source flashplugin-nonfree - New upstream release fixes security problems This should be version 9.0.115.0.1~etch1. I can run the scripts generating this mail only on packages already installed on the archive, which wasn't the fact during that script run. The newer version is now installed and will be pushed into r2. Thx Martin -- [EMAIL PROTECTED] /root]# man real-life No manual entry for real-life -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update
Hi Luk, i guess the subject should have been Preparation of the next oldstable Debian GNU/Linux update Greetings Martin PS: Happy XMAS -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, At Mon, 24 Dec 2007 12:59:24 +0100, Luk Claes wrote: Preparation of Debian GNU/Linux 3.1r7 = An up-to-date version is at http://release.debian.org/stable/3.1/3.1r7/. We are preparing the next revision of the current oldstable Debian distribution (sarge) and will frequently send reports so people can actually comment on it and intervene whenever this is required. Please take care #446086 when CD team creates an image. Thanks, - -- Kenshi Muto [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Processed by Mailcrypt 3.5.8+ http://mailcrypt.sourceforge.net/ iEYEARECAAYFAkdwPyIACgkQQKW+7XLQPLFVrACfduCc+R1zKduxScMmPyC3t6ww TTAAnRsVnHpJfFKOZDl7lfkIAB4T//Um =BsAP -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update
On Tue, Dec 25, 2007 at 08:22:18AM +0900, Kenshi Muto wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, At Mon, 24 Dec 2007 12:59:24 +0100, Luk Claes wrote: Preparation of Debian GNU/Linux 3.1r7 = An up-to-date version is at http://release.debian.org/stable/3.1/3.1r7/. We are preparing the next revision of the current oldstable Debian distribution (sarge) and will frequently send reports so people can actually comment on it and intervene whenever this is required. Please take care #446086 when CD team creates an image. Yup, will do. Thanks for the reminder. -- Steve McIntyre, Cambridge, UK.[EMAIL PROTECTED] Armed with Valor: Centurion represents quality of Discipline, Honor, Integrity and Loyalty. Now you don't have to be a Caesar to concord the digital world while feeling safe and proud. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update
On 5/20/07, Martin Zobel-Helas [EMAIL PROTECTED] wrote: Hi, On Sun May 20, 2007 at 00:11:44 +0200, Thijs Kinkhorst wrote: On Saturday 19 May 2007 23:48, Martin Zobel-Helas - automated mail wrote: An up-to-date version is at http://release.debian.org/stable/4.0/4.0r1/. This yields a 404... fixed now. The requested URL /stable/4.0/4.0r1/changelog.txt was not found on this server. The requested URL /stable/4.0/4.0r1/timeline.txt was not found on this server. How can I propose a package for inclusion to further revisions? -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update
Hi, On Saturday 19 May 2007 23:48, Martin Zobel-Helas - automated mail wrote: Preparation of Debian GNU/Linux 4.0r1 thanks for working on this! An up-to-date version is at http://release.debian.org/stable/4.0/4.0r1/. fai-kernels (1.17+etch3) is missing there. regards, Holger pgp6d4oPtB3ec.pgp Description: PGP signature
Re: Preparation of the next stable Debian GNU/Linux update
Hi, On Sun May 20, 2007 at 11:31:06 +0300, Teodor wrote: On 5/20/07, Martin Zobel-Helas [EMAIL PROTECTED] wrote: Hi, On Sun May 20, 2007 at 00:11:44 +0200, Thijs Kinkhorst wrote: On Saturday 19 May 2007 23:48, Martin Zobel-Helas - automated mail wrote: An up-to-date version is at http://release.debian.org/stable/4.0/4.0r1/. This yields a 404... fixed now. The requested URL /stable/4.0/4.0r1/changelog.txt was not found on this server. The requested URL /stable/4.0/4.0r1/timeline.txt was not found on this server. How can I propose a package for inclusion to further revisions? If you are maintainer of a package: speak up in [EMAIL PROTECTED] and show your proposed changes. If you are user, please encourage the maintainer of the package to speak up in [EMAIL PROTECTED] Greetings Martin -- [EMAIL PROTECTED] /root]# man real-life No manual entry for real-life -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update
Unrar (source package unrar-nonfree) has CVE-2007-0855 (Stack-based buffer overflow) bug in etch and sarge. It has debian bug #410580 Maintainer didn't ask for it but should 1:3.7.3-1 be included in 4.0r1? -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update
Hi, On Sun May 20, 2007 at 17:29:19 +0300, Touko Korpela wrote: Unrar (source package unrar-nonfree) has CVE-2007-0855 (Stack-based buffer overflow) bug in etch and sarge. It has debian bug #410580 Maintainer didn't ask for it but should 1:3.7.3-1 be included in 4.0r1? yes, please upload. -- [EMAIL PROTECTED] /root]# man real-life No manual entry for real-life -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update
Hi, On Sun May 20, 2007 at 00:11:44 +0200, Thijs Kinkhorst wrote: On Saturday 19 May 2007 23:48, Martin Zobel-Helas - automated mail wrote: An up-to-date version is at http://release.debian.org/stable/4.0/4.0r1/. This yields a 404... fixed now. -- [EMAIL PROTECTED] /root]# man real-life No manual entry for real-life -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
This one time, at band camp, Martin Zobel-Helas said: Preparation of Debian GNU/Linux 3.1r5 = An up-to-date version is at http://release.debian.org/stable/3.1/3.1r5/. We are preparing the next revision of the current stable Debian distribution (sarge) and will frequently send reports so people can actually comment on it and intervene whenever this is required. I would like to see clamav 0.84-2.sarge.13 go in, if possible, It fixes: * Unusual MIME Encoding Content Filter Bypass [ CVE-2006-6406 ] * nested multipart DoS [ CVE-2006-6481 ] * Fix null pointer dereference on base64 MIME attachments without file names [ CVE-2006-5874 ] * libclamav/rebuildpe.c: fix possible heap overflow [IDEF1597] * libclamav/chmunpack.c: fix possible crash [IDEF1736] Thanks for your consideration. -- - | ,''`.Stephen Gran | | : :' :[EMAIL PROTECTED] | | `. `'Debian user, admin, and developer | |`- http://www.debian.org | - signature.asc Description: Digital signature
Re: Preparation of the next stable Debian GNU/Linux update (II)
Martin Zobel-Helas [EMAIL PROTECTED] writes: Hi Roger, On Sat, Sep 23, 2006 at 12:07:58AM +0100, Roger Leigh [EMAIL PROTECTED] wrote: Please could you make sure that devmapper is included in the next stable update? It was supposed to be included in the last update, but for some reason was omitted. please go ahead and upload. Done. Regards, Roger -- .''`. Roger Leigh : :' : Debian GNU/Linux http://people.debian.org/~rleigh/ `. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/ `-GPG Public Key: 0x25BFB848 Please GPG sign your mail. pgpkrVbC1SaAY.pgp Description: PGP signature
Re: Preparation of the next stable Debian GNU/Linux update (II)
Please could you make sure that devmapper is included in the next stable update? It was supposed to be included in the last update, but for some reason was omitted. Thanks, Roger -- .''`. Roger Leigh : :' : Debian GNU/Linux http://people.debian.org/~rleigh/ `. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/ `-GPG Public Key: 0x25BFB848 Please GPG sign your mail. pgpFeQO5RcgqM.pgp Description: PGP signature
Re: Preparation of the next stable Debian GNU/Linux update (II)
Hi Roger, On Sat, Sep 23, 2006 at 12:07:58AM +0100, Roger Leigh [EMAIL PROTECTED] wrote: Please could you make sure that devmapper is included in the next stable update? It was supposed to be included in the last update, but for some reason was omitted. please go ahead and upload. Greetings Martin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (II)
Martin Zobel-Helas [EMAIL PROTECTED] writes: Hi Roger, On Sat, Sep 23, 2006 at 12:07:58AM +0100, Roger Leigh [EMAIL PROTECTED] wrote: Please could you make sure that devmapper is included in the next stable update? It was supposed to be included in the last update, but for some reason was omitted. please go ahead and upload. I uploaded it just before 3.1r2 was released. Does it require reuploading? -- .''`. Roger Leigh : :' : Debian GNU/Linux http://people.debian.org/~rleigh/ `. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/ `-GPG Public Key: 0x25BFB848 Please GPG sign your mail. pgp8e4jzqQWuR.pgp Description: PGP signature
Re: Preparation of the next stable Debian GNU/Linux update (I)
Hi, On Saturday 16 September 2006 19:39, Moritz Muehlenhoff wrote: Please explain why you think that putting arbitrary long strings into fixed= sized buffers is not a security problem, preferedly in the bugreport. The buffer overflow can only be triggered through a file only root can write to. Thanks for your explainations (also to Joey), forwarded to the BTS. regards, Holger pgpG61ysGOpDr.pgp Description: PGP signature
Re: Preparation of the next stable Debian GNU/Linux update (I)
Hi Matthijs, Hi, What about #375494 and #377047, those are security bugs in the current stable distribution (Sarge) and according to the Security Team it didn't warrant an upload. Although it has a CVE so I think it's worth an upload to stable. What do you think ? If you are the maintainer of that package, please go ahead. Greetings Martin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
Matthijs Mohlmann wrote: Hi, What about #375494 and #377047, those are security bugs in the current stable distribution (Sarge) and according to the Security Team it didn't warrant an upload. Although it has a CVE so I think it's worth an upload to stable. The first one doesn't look like a real security problem. And the second one is just a copy of the first one. Regards, Joey PS: Please make use of linebreaks -- Have you ever noticed that General Public Licence contains the word Pub? Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
Hi, On Saturday 16 September 2006 08:50, Martin Schulze wrote: The first one doesn't look like a real security problem. Please explain why you think that putting arbitrary long strings into fixed sized buffers is not a security problem, preferedly in the bugreport. Thanks, Holger pgposIMHPkZOw.pgp Description: PGP signature
Re: Preparation of the next stable Debian GNU/Linux update (I)
Holger Levsen wrote: The first one doesn't look like a real security problem. Please explain why you think that putting arbitrary long strings into fixed= sized buffers is not a security problem, preferedly in the bugreport. The buffer overflow can only be triggered through a file only root can write to. Cheers, Moritz -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
Holger Levsen wrote: On Saturday 16 September 2006 08:50, Martin Schulze wrote: The first one doesn't look like a real security problem. Please explain why you think that putting arbitrary long strings into fixed sized buffers is not a security problem, preferedly in the bugreport. Please explain how an attacker can exploit this and force slapd to put arbitrary long strings into fixed sized buffers. Precondition: Requiring either root permissions or LDAP admin permissions don't count. Regards, Joey -- Have you ever noticed that General Public Licence contains the word Pub? -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
On Fri, 15 Sep 2006 00:45:35 +0200 Martin Zobel-Helas [EMAIL PROTECTED] wrote: Preparation of Debian GNU/Linux 3.1r4 = An up-to-date version is at http://release.debian.org/stable/3.1/3.1r4/. We are preparing the next revision of the current stable Debian distribution (sarge) and will frequently send reports so people can actually comment on it and intervene whenever this is required. If you disagree with one bit or another, please reply to this mail and explain why these things should be handled differently. The overall plan is to release a new update of the stable Debian distribution roughly two months after the last update or after the initial release, whichever is suitable. The next revision of stable should therefore be released at October, 16th. An ftpmaster still has to give the final approval for each package since ftpmasters are responsible for the archive. However, we are trying to make their work as easy as possible in hope to get the next revision out properly and without any hassle. The regulations for updates to the stable Debian release are quite conservative. The requirements for packages to get updated in stable are: 1. The package fixes a security problem. An advisory by our own Security Team is required. Updates need to be approved by the Security Team. 2. The package fixes a critical bug which can lead to data loss, data corruption, or an overly broken system, or the package is broken or not usable (anymore). 3. The stable version of the package is not installable at all due to broken or unmet dependencies or broken installation scripts. 4. All released architectures have to be in sync. 5. The package gets all released architectures back in sync. It is (or (and (or 1 2 3) 4) 5) Regular bugs and upgrade problems don't get fixed in new revisions for the stable distribution. They should instead be documented in the Release Notes which are maintained by Rob Bradford mailto:[EMAIL PROTECTED] and are found at http://www.debian.org/releases/sarge/releasenotes. Packages which will most probably be rejected: . Packages that fix non-critical bugs. . Misplaced uploads, i.e. packages that were uploaded to 'stable unstable' or `frozen unstable' or similar. . Packages for which its binary packages are out of sync with regard to all supported architectures in the stable distribution. . Binary packages for which the source got lost somehow. . Packages that fix an unusable minor part of a package. If you would like to get a package updated in the stable release, you are advised to talk to the stable release managers first (see http://www.debian.org/intro/organization). Hi, What about #375494 and #377047, those are security bugs in the current stable distribution (Sarge) and according to the Security Team it didn't warrant an upload. Although it has a CVE so I think it's worth an upload to stable. What do you think ? Regards, Matthijs Mohlmann signature.asc Description: PGP signature
Re: Preparation of the next stable Debian GNU/Linux update (I)
Hi Kevin,
On Fri, Aug 25, 2006 at 09:59:53AM -0700, Kevin B. McCarty [EMAIL PROTECTED]
wrote:
Martin Zobel-Helas wrote:
mozilla-thunderbird-devstable1.0.2-2.sarge1.0.7 alpha arm
hppa i386 ia64 m68k mips mipsel powerpc s390 sparc
mozilla-thunderbird-devupdates 1.0.2-2.sarge1.0.8a alpha arm
hppa i386 ia64 m68k mips mipsel powerpc s390 sparc
mozilla-thunderbird-inspector stable1.0.2-2.sarge1.0.7 alpha arm
hppa i386 ia64 m68k mips mipsel powerpc s390 sparc
mozilla-thunderbird-inspector updates 1.0.2-2.sarge1.0.8a alpha arm
hppa i386 ia64 m68k mips mipsel powerpc s390 sparc
mozilla-thunderbird-offlinestable1.0.2-2.sarge1.0.7 alpha arm
hppa i386 ia64 m68k mips mipsel powerpc s390 sparc
mozilla-thunderbird-offlineupdates 1.0.2-2.sarge1.0.8a alpha arm
hppa i386 ia64 m68k mips mipsel powerpc s390 sparc
mozilla-thunderbird-typeaheadfind stable1.0.2-2.sarge1.0.7 alpha arm
hppa i386 ia64 m68k mips mipsel powerpc s390 sparc
mozilla-thunderbird-typeaheadfind updates 1.0.2-2.sarge1.0.8a alpha arm
hppa i386 ia64 m68k mips mipsel powerpc s390 sparc
mozilla-thunderbirdstable1.0.2-2.sarge1.0.7 alpha arm
hppa i386 ia64 m68k mips mipsel powerpc s390 sparc source
mozilla-thunderbirdupdates 1.0.2-2.sarge1.0.8a alpha arm
hppa i386 ia64 m68k mips mipsel powerpc s390 sparc source
DSA 1051 mozilla-thunderbird - several vulnerabilities
First of all, the above should also mention DSA 1134.
Yeah that is fixed. There where several DSAs missing, i found that while
digging for DSA 1134. My fault.
Second, is it planned to include the next round of security updates to
the Mozilla family by Alexander Sack? (cf. [0] [1]) For some reason
these don't seem to have gone into security.d.o yet and it would be very
nice to ship mozilla* packages that are up-to-date with security fixes.
Not for r3 anymore. I know that these packages are in preparation, but i
would like to publish r3 rather soon, and we usually let DSA packages wait
about one week in p-u-new before adding them to proposed-updates. This
way, we can catch up with debian-security or the BTS if a DSA is
seriously broken (like mozilla-thunderbird on i386 or libfreetype6).
Okay, that did not work this time, but mainly also my fault...
Third, please note that even if those updates don't get into Sarge r3,
the existing mozilla-thunderbird security update needs a bin-NMU on i386
[2].
I have prepared a binNMU on i386 for mozilla-thunderbird, availible on
http://people.debian.org/~zobel/packages/3.1r3/
Could you please check, if these packages work for you?
The debdiff for the package is the following:
[EMAIL PROTECTED]:~$ debdiff mozilla-thunderbird_1.0.2-2.sarge1.0.8a_i386.deb
/org/solar.home.ftbfs.de/chroots/sarge/tmp/mozilla-thunderbird_1.0.2-2.sarge1.0.8a.1_i386.deb
[The following lists of changes regard files as different if they have
different names, permissions or owners.]
Files in first .deb but not in second
-
-rw-r--r-- root/root
/usr/lib/mozilla-thunderbird/components/libmozgnome.so
Control files: lines which differ (wdiff format)
Version: [-1.0.2-2.sarge1.0.8a-] {+1.0.2-2.sarge1.0.8a.1+}
Depends: bash, libatk1.0-0 (= 1.7.2), [-libbonobo2-0 (= 2.8.0),-] libc6 (=
2.3.2.ds1-21), libfontconfig1 (= 2.3.0), libfreetype6 (= 2.1.5-1), libgcc1
(= 1:3.4.1-3), [-libgconf2-4 (= 2.8.1),-] libglib2.0-0 (= 2.6.0),
[-libgnome2-0 (= 2.8.0), libgnomevfs2-0 (= 2.8.3-7),-] libgtk2.0-0 (=
2.6.0), libjpeg62, [-liborbit2 (= 1:2.10.0),-] libpango1.0-0 (= 1.8.1),
libpng12-0 (= 1.2.8rel), [-libpopt0 (= 1.7),-] libstdc++5 (= 1:3.3.4-1),
libx11-6 | xlibs ( 4.1.0), libxext6 | xlibs ( 4.1.0), libxft2 ( 2.1.1),
libxp6 | xlibs ( 4.1.0), libxrender1, libxt6 | xlibs ( 4.1.0), zlib1g (=
1:1.2.1)
Installed-Size: [-33011-] {+33016+}
Greetings
Martin
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Martin Zobel-Helas wrote: Hi Kevin, On Fri, Aug 25, 2006 at 09:59:53AM -0700, Kevin B. McCarty [EMAIL PROTECTED] wrote: Second, is it planned to include the next round of security updates to the Mozilla family by Alexander Sack? (cf. [0] [1]) For some reason these don't seem to have gone into security.d.o yet and it would be very nice to ship mozilla* packages that are up-to-date with security fixes. Not for r3 anymore. I know that these packages are in preparation, but i would like to publish r3 rather soon, and we usually let DSA packages wait about one week in p-u-new before adding them to proposed-updates. This way, we can catch up with debian-security or the BTS if a DSA is seriously broken (like mozilla-thunderbird on i386 or libfreetype6). OK. Third, please note that even if those updates don't get into Sarge r3, the existing mozilla-thunderbird security update needs a bin-NMU on i386 [2]. I have prepared a binNMU on i386 for mozilla-thunderbird, availible on http://people.debian.org/~zobel/packages/3.1r3/ Could you please check, if these packages work for you? Yes, I'm writing this email with the updated bin-NMU package you provided. I've used it to read ~100 emails now, together with the Enigmail extension, and found no problems. best regards, - -- Kevin B. McCarty [EMAIL PROTECTED] Physics Department WWW: http://www.princeton.edu/~kmccarty/Princeton University GPG: public key ID 4F83C751 Princeton, NJ 08544 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFE8cdcfYxAIk+Dx1ERAlF3AJ9O+DbsEy1JS3LDbkU6Gr+h++oFSQCffHiy vudHnEdu7zvSjs7GW53P0yw= =tvst -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
Martin Zobel-Helas wrote: libnspr-devstable2:1.7.8-1sarge3alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libnspr-devupdates 2:1.7.8-1sarge7.1 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libnspr4 stable2:1.7.8-1sarge3alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libnspr4 updates 2:1.7.8-1sarge7.1 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libnss-dev stable2:1.7.8-1sarge3alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libnss-dev updates 2:1.7.8-1sarge7.1 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libnss3stable2:1.7.8-1sarge3alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libnss3updates 2:1.7.8-1sarge7.1 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-browserstable2:1.7.8-1sarge3alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-browserupdates 2:1.7.8-1sarge7.1 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-calendar stable2:1.7.8-1sarge3alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-calendar updates 2:1.7.8-1sarge7.1 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-chatzilla stable2:1.7.8-1sarge3alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-chatzilla updates 2:1.7.8-1sarge7.1 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-devstable2:1.7.8-1sarge3alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-devupdates 2:1.7.8-1sarge7.1 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-dom-inspector stable2:1.7.8-1sarge3alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-dom-inspector updates 2:1.7.8-1sarge7.1 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-js-debuggerstable2:1.7.8-1sarge3alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-js-debuggerupdates 2:1.7.8-1sarge7.1 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-mailnews stable2:1.7.8-1sarge3alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-mailnews updates 2:1.7.8-1sarge7.1 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-psmstable2:1.7.8-1sarge3alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-psmupdates 2:1.7.8-1sarge7.1 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozillastable2:1.7.8-1sarge3alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc source mozillaupdates 2:1.7.8-1sarge7.1 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc source DSA 1046 mozilla - several vulnerabilities DSA 1053 mozilla - programming error DSA 1118 mozilla - several vulnerabilities mozilla-firefox-dom-inspector stable1.0.4-2sarge4 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-firefox-dom-inspector updates 1.0.4-2sarge9 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-firefox-gnome-support stable1.0.4-2sarge4 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-firefox-gnome-support updates 1.0.4-2sarge9 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-firefoxstable1.0.4-2sarge4 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc source mozilla-firefoxupdates 1.0.4-2sarge9 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc source DSA 1044 mozilla-firefox - several vulnerabilities DSA 1055 mozilla-firefox - programming error DSA 1120 mozilla-firefox - several vulnerabilities mozilla-thunderbird-devstable1.0.2-2.sarge1.0.7 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-thunderbird-devupdates 1.0.2-2.sarge1.0.8a alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-thunderbird-inspector stable1.0.2-2.sarge1.0.7 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-thunderbird-inspector updates 1.0.2-2.sarge1.0.8a alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-thunderbird-offlinestable1.0.2-2.sarge1.0.7 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-thunderbird-offlineupdates 1.0.2-2.sarge1.0.8a alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc mozilla-thunderbird-typeaheadfind stable1.0.2-2.sarge1.0.7 alpha arm hppa i386 ia64 m68k mips
Re: Preparation of the next stable Debian GNU/Linux update (I)
Kevin B. McCarty wrote: Second, is it planned to include the next round of security updates to the Mozilla family by Alexander Sack? (cf. [0] [1]) For some reason these don't seem to have gone into security.d.o yet and it would be very nice to ship mozilla* packages that are up-to-date with security fixes. They are still building. Although I'm not speaking for the SRM anymore, they have to draw the line at some date after which no updates are possible anymore or they won't be able to update stable at all, because there are always some security updates in preparation. Third, please note that even if those updates don't get into Sarge r3, the existing mozilla-thunderbird security update needs a bin-NMU on i386 [2]. Eeks. In case somebody is working on an NMU, please get in touch with the security team so that it doesn't annulate the upcoming security update. Regards, Joey -- Whenever you meet yourself you're in a time loop or in front of a mirror. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
On Fri, Aug 25, 2006 at 09:59:53AM -0700, Kevin B. McCarty wrote: First of all, the above should also mention DSA 1134. Second, is it planned to include the next round of security updates to the Mozilla family by Alexander Sack? (cf. [0] [1]) For some reason these don't seem to have gone into security.d.o yet and it would be very nice to ship mozilla* packages that are up-to-date with security fixes. Third, please note that even if those updates don't get into Sarge r3, the existing mozilla-thunderbird security update needs a bin-NMU on i386 [2]. CC'ed to Alexander. There have been minor glitches in communication, which unfortunately led to this delay, sorry! However, I am expecting the latest security updates every minute. And yes, we should wait or bin NMU thunderbird. If I know more, I will let you know. - Alexander -- GPG messages preferred. | .''`. ** Debian GNU/Linux ** Alexander Sack| : :' : The universal [EMAIL PROTECTED] | `. `' Operating System http://www.asoftsite.org | `-http://www.debian.org -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
Martin Zobel-Helas wrote: Accepted Packages - These packages will be installed into the stable Debian distribution and will be part of the next revision. [...] freetype2-demosstable2.1.7-2.4 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc freetype2-demosupdates 2.1.7-2.5 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc freetype stable2.1.7-2.4 source freetype updates 2.1.7-2.5 source libfreetype6-dev stable2.1.7-2.4 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libfreetype6-dev updates 2.1.7-2.5 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libfreetype6-udeb stable2.1.7-2.4 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libfreetype6-udeb updates 2.1.7-2.5 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libfreetype6 stable2.1.7-2.4 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libfreetype6 updates 2.1.7-2.5 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc DSA 1095 freetype - fix several vulnerabilities Uh, that's bad. -2.5 is broken. See http://bugs.debian.org/libfreetype6. Unfortunately still no DSA which corrects the broken packages caused by the first DSA... Regards, Rene signature.asc Description: Digital signature
Re: Preparation of the next stable Debian GNU/Linux update (I)
Hi Rene, On Thu, Aug 24, 2006 at 08:24:35PM +0200, Rene Engelhard [EMAIL PROTECTED] wrote: Martin Zobel-Helas wrote: Accepted Packages - These packages will be installed into the stable Debian distribution and will be part of the next revision. [...] freetype2-demosstable2.1.7-2.4 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc freetype2-demosupdates 2.1.7-2.5 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc freetype stable2.1.7-2.4 source freetype updates 2.1.7-2.5 source libfreetype6-dev stable2.1.7-2.4 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libfreetype6-dev updates 2.1.7-2.5 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libfreetype6-udeb stable2.1.7-2.4 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libfreetype6-udeb updates 2.1.7-2.5 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libfreetype6 stable2.1.7-2.4 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libfreetype6 updates 2.1.7-2.5 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc DSA 1095 freetype - fix several vulnerabilities Uh, that's bad. -2.5 is broken. See http://bugs.debian.org/libfreetype6. Unfortunately still no DSA which corrects the broken packages caused by the first DSA... moved out of the way for now, won't be in r3 for now, but i think this issue needs fixing NOW, so i think we want to wait for an updated freetype package. Greetings Martin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
This one time, at band camp, Martin Zobel-Helas said: clamav-base stable0.84-2.sarge.8 all clamav-base updates 0.84-2.sarge.9 all clamav-daemon stable0.84-2.sarge.8 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc clamav-daemon updates 0.84-2.sarge.9 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc clamav-docs stable0.84-2.sarge.8 all clamav-docs updates 0.84-2.sarge.9 all clamav-freshclam stable0.84-2.sarge.8 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc clamav-freshclam updates 0.84-2.sarge.9 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc clamav-milter stable0.84-2.sarge.8 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc clamav-milter updates 0.84-2.sarge.9 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc clamav-testfiles stable0.84-2.sarge.8 all clamav-testfiles updates 0.84-2.sarge.9 all clamavstable0.84-2.sarge.8 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc source clamavupdates 0.84-2.sarge.9 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc source libclamav-dev stable0.84-2.sarge.8 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libclamav-dev updates 0.84-2.sarge.9 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libclamav1stable0.84-2.sarge.8 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libclamav1updates 0.84-2.sarge.9 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc DSA 1050 clamav - fix denial of service or arbitrary code execution This should be 0.84-2.sarge.10. DSA-1153-1 clamav -- buffer overflow -- - | ,''`.Stephen Gran | | : :' :[EMAIL PROTECTED] | | `. `'Debian user, admin, and developer | |`- http://www.debian.org | - signature.asc Description: Digital signature
Re: Preparation of the next stable Debian GNU/Linux update (I)
Rene Engelhard wrote:
Martin Zobel-Helas wrote:
Accepted Packages
-
These packages will be installed into the stable Debian distribution
and will be part of the next revision.
[...]
freetype2-demosstable2.1.7-2.4 alpha arm hppa i386 ia64 m68k mips
mipsel powerpc s390 sparc
freetype2-demosupdates 2.1.7-2.5 alpha arm hppa i386 ia64 m68k mips
mipsel powerpc s390 sparc
freetype stable2.1.7-2.4 source
freetype updates 2.1.7-2.5 source
libfreetype6-dev stable2.1.7-2.4 alpha arm hppa i386 ia64 m68k mips
mipsel powerpc s390 sparc
libfreetype6-dev updates 2.1.7-2.5 alpha arm hppa i386 ia64 m68k mips
mipsel powerpc s390 sparc
libfreetype6-udeb stable2.1.7-2.4 alpha arm hppa i386 ia64 m68k mips
mipsel powerpc s390 sparc
libfreetype6-udeb updates 2.1.7-2.5 alpha arm hppa i386 ia64 m68k mips
mipsel powerpc s390 sparc
libfreetype6 stable2.1.7-2.4 alpha arm hppa i386 ia64 m68k mips
mipsel powerpc s390 sparc
libfreetype6 updates 2.1.7-2.5 alpha arm hppa i386 ia64 m68k mips
mipsel powerpc s390 sparc
DSA 1095 freetype - fix several vulnerabilities
Uh, that's bad. -2.5 is broken. See http://bugs.debian.org/libfreetype6.
Unfortunately still no DSA which corrects the broken packages caused by
the first DSA...
There's not going to be any due to ongoing conflicting actions by the
security team and the maintainer. Attached is my last trial to get
this fixed. Feel free to pass this through proposed-updates.
Regards,
Joey
--
Those who don't understand Unix are condemned to reinvent it, poorly.
diff -u freetype-2.1.7/debian/changelog freetype-2.1.7/debian/changelog
--- freetype-2.1.7/debian/changelog
+++ freetype-2.1.7/debian/changelog
@@ -1,3 +1,19 @@
+freetype (2.1.7-3.1) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Rebuilt with higher version number
+
+ -- Martin Schulze [EMAIL PROTECTED] Fri, 18 Aug 2006 17:06:28 +0200
+
+freetype (2.1.7-2.6) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Adjusted the patch to fix integer overflows to catch negative and zero
+values as well, thanks to Wolfram Gloger [EMAIL PROTECTED]
+[debian/patches/400-CVE-2006-2493_integer-overflows.diff, Bug#373581]
+
+ -- Martin Schulze [EMAIL PROTECTED] Thu, 17 Aug 2006 09:15:31 +0200
+
freetype (2.1.7-2.5) stable-security; urgency=high
* Non-maintainer upload by the Security Team
diff -u freetype-2.1.7/debian/patches/400-CVE-2006-2493_integer-overflows.diff
freetype-2.1.7/debian/patches/400-CVE-2006-2493_integer-overflows.diff
--- freetype-2.1.7/debian/patches/400-CVE-2006-2493_integer-overflows.diff
+++ freetype-2.1.7/debian/patches/400-CVE-2006-2493_integer-overflows.diff
@@ -77,12 +77,15 @@
#include rasterrs.h
-@@ -175,6 +176,9 @@
+@@ -175,6 +176,12 @@
bitmap-rows = height;
bitmap-pitch = pitch;
-+if ((FT_ULong)pitch LONG_MAX/height)
++if ((FT_ULong)pitch LONG_MAX/height || height = 0)
++{
++ error = Raster_Err_Array_Too_Large;
+ goto Exit;
++}
+
if ( FT_ALLOC( bitmap-buffer, (FT_ULong)pitch * height ) )
goto Exit;
signature.asc
Description: Digital signature
Re: Preparation of the next stable Debian GNU/Linux update (V)
On Wed, Apr 05, 2006 at 05:58:17PM +0200, Martin Zobel-Helas wrote: fai stable2.8.4all source fai updates 2.8.4sarge1 all source Fixes three problems This explanation should probably be more verbose, shouldn't it? Gruesse, -- Frank Lichtenheld [EMAIL PROTECTED] www: http://www.djpig.de/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (V)
Hi Frank, On Sunday, 09 Apr 2006, you wrote: On Wed, Apr 05, 2006 at 05:58:17PM +0200, Martin Zobel-Helas wrote: fai stable2.8.4all source fai updates 2.8.4sarge1 all source Fixes three problems This explanation should probably be more verbose, shouldn't it? allready fixed. but thanks. Greetings Martin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (V)
This one time, at band camp, Martin Zobel-Helas said: Preparation of Debian GNU/Linux 3.1r2 = An up-to-date version is at http://release.debian.org/stable/3.1/3.1r2/. We are preparing the next revision of the current stable Debian distribution (sarge) and will frequently send reports so people can actually comment on it and intervene whenever this is required. The status of the following packages changed since the last announcement: - New Packages =-=-=-=-=-=- Please add kaffeine to the list of new packages. DSA 1023 kaffeine - buffer overflow clamavupdates 0.84-2.sarge.7 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc source These should hopefully be 0.84-2.sarge.8 DSA 1024 clamav - several vulnerabilities Thanks, -- - | ,''`.Stephen Gran | | : :' :[EMAIL PROTECTED] | | `. `'Debian user, admin, and developer | |`- http://www.debian.org | - signature.asc Description: Digital signature
Re: Preparation of the next stable Debian GNU/Linux update (V)
* Stephen Gran ([EMAIL PROTECTED]) [060406 14:11]: Please add kaffeine to the list of new packages. DSA 1023 kaffeine - buffer overflow clamavupdates 0.84-2.sarge.7 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc source These should hopefully be 0.84-2.sarge.8 DSA 1024 clamav - several vulnerabilities At the time where this mail was written, it was .7. Now it's of course .8 :) Cheers, Andi -- http://home.arcor.de/andreas-barth/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (III)
Hi Martin, thanks for the update. Martin Schulze wrote: libchipcard20 stable0.9.1-7alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libchipcard20 updates 0.9.1-7sarge0 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 libchipcard stable0.9.1-7source libchipcard updates 0.9.1-7sarge0 source [...] MISSING arm I assume that is MISSING sparc? Is there anything I can/need to do to fix this or is this transient? Kind regards T. -- Thomas Viehmann, http://thomas.viehmann.net/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
Martin Schulze wrote: would you entertain a one-line fix removing the deluser command from the postrm of chipcard-tools (source package libchipcard). [...] Please go ahead. Normally, such a change wouldn not warrant a fix in a stable release, but in this case the package in question is not available in the subsequent distribution so it will be removed in either way, hence an update. OK, I've uploaded 0.9.1-7sarge0. Thank you for the quick reply and assessment. Kind regards T. -- Thomas Viehmann, http://thomas.viehmann.net/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
On Thu, Feb 09, 2006 at 10:37:38 +0100, Martin Schulze wrote: Martin Zobel-Helas wrote: there was some discussion[1] wether the next stable update could have some timezone data updated in the glibc package. Show me the changes. Unless large chunks of the world are affected I don't consider timezone details to warrant an update in our stable release. A note in the release notes may be useful instead. A diff between the timezone dir in sarge's glibc sources and upstream CVS HEAD's lists changes for at least Australia, Azerbaijan, Canada, Cuba, Georgia, Haiti, Iran, Jordan, Kyrgyzstan, Libya, Nicaragua, Palestine, Tasmania, Tunisia, United States of America, Uruguay as well as the 2005 leap second. IMHO those are sufficient changes to warrant an update in stable. HTH, Ray -- LWN normally tries to avoid talking much about Microsoft - it is simply irrelevant to the free software world most of the time. http://www.lwn.net/2000/0406/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
Martin Zobel-Helas wrote: Hi Joey, there was some discussion[1] wether the next stable update could have some timezone data updated in the glibc package. Show me the changes. Unless large chunks of the world are affected I don't consider timezone details to warrant an update in our stable release. A note in the release notes may be useful instead. Regards, Joey -- Everybody talks about it, but nobody does anything about it! -- Mark Twain -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
Hi Joey, would you entertain a one-line fix removing the deluser command from the postrm of chipcard-tools (source package libchipcard). I'm having trouble with this on #346527 (still need to figure out how to fix this for users upgrading from original sarge) and think that this could be simple enough and grave enough for being worth addressing in a stable update. If you are generally OK with this, I'll upload the (one-line postrm + changelog) fix to s-p-u. Kind regards T. -- Thomas Viehmann, http://thomas.viehmann.net/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
Thomas Viehmann wrote: would you entertain a one-line fix removing the deluser command from the postrm of chipcard-tools (source package libchipcard). I'm having trouble with this on #346527 (still need to figure out how to fix this for users upgrading from original sarge) and think that this could be simple enough and grave enough for being worth addressing in a stable update. If you are generally OK with this, I'll upload the (one-line postrm + changelog) fix to s-p-u. Please go ahead. Normally, such a change wouldn not warrant a fix in a stable release, but in this case the package in question is not available in the subsequent distribution so it will be removed in either way, hence an update. Regards, Joey -- Linux - the choice of a GNU generation. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
On Mon, Feb 06, 2006 at 09:53:14AM +0100, Martin Schulze wrote: 2006/01/21 21:45 MET * Accepted albatross * Accepted antiword * Investigation of cernlib * Investigation of clamav * Accepted crawl * Moved evms from further to accept * Accepted mantis * Accepted perl * Accepted sudo Are you aware of the complaints regarding the solution implemented in the sudo DSA? http://bugs.debian.org/349729 http://bugs.debian.org/349196 http://bugs.debian.org/349549 http://bugs.debian.org/349587 -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. [EMAIL PROTECTED] http://www.debian.org/ signature.asc Description: Digital signature
Re: Preparation of the next stable Debian GNU/Linux update (I)
Hi Joey, there was some discussion[1] wether the next stable update could have some timezone data updated in the glibc package. Greetings [1] http://lists.debian.org/debian-volatile/2006/02/msg0.html -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
* Martin Schulze [Mon, 06 Feb 2006 09:53:14 +0100]: Rejected Packages - muttstable1.5.9-2alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc source muttupdates 1.5.9-2sarge1 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc source Arbitrary changes. Just for the record: mutt (1.5.9-2sarge1) stable; urgency=low * For attachments marked for deletion after the message is sent, don't remove them if the message is finally cancelled, or if the attachments are dropped from the message prior to sending. (Closes: #332972) But well, this was solved on IRC already: Joey insisted that this was not suitable for stable, and I did not fight over it. Cheers, -- Adeodato Simó dato at net.com.org.es Debian Developer adeodato at debian.org A black cat crossing your path signifies that the animal is going somewhere. -- Groucho Marx -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
I see that the preparations for releasin 3.1r1 are well underway, and I may be too late for this, but I though I would ask. I realize (after having it gently pointed out to me in #338004) that this patch is incomplete, as it missed a stray db_stop. This one time, at band camp, Stephen Gran said: diff -u debian/clamav-daemon.postinst.in.old debian/clamav-daemon.postinst.in --- debian/clamav-daemon.postinst.in.old2005-08-20 18:55:06.0 -0400 +++ debian/clamav-daemon.postinst.in2005-08-20 18:58:42.0 -0400 @@ -30,10 +30,10 @@ UCFVER=`check_ucf` - . /usr/share/debconf/confmodule if [ -n $2 ]; then if dpkg --compare-versions $2 lt 0.82-2; then #loading debconf module + . /usr/share/debconf/confmodule db_purge || true db_stop || true fi @@ -60,7 +60,7 @@ echo delaycompress $DEBROTATEFILE echo create 640 $User adm $DEBROTATEFILE echo postrotate $DEBROTATEFILE - echo kill -HUP \`cat $PidFile\` /dev/null $DEBROTATEFILE + echo [ ! -f $PidFile ] || kill -HUP \`cat $PidFile\` /dev/null $DEBROTATEFILE echo endscript $DEBROTATEFILE echo } $DEBROTATEFILE touch $LogFile Would it be possible to add the following: @@ -78,8 +78,6 @@ fi fi - db_stop || true - ;; abort-upgrade|abort-remove|abort-deconfigure) ;; If it is, I will prepare a fixed package as soon as possible. If not, I understand. Thanks, -- - | ,''`.Stephen Gran | | : :' :[EMAIL PROTECTED] | | `. `'Debian user, admin, and developer | |`- http://www.debian.org | - signature.asc Description: Digital signature
Re: Preparation of the next stable Debian GNU/Linux update (VI)
Andrew Donnellan wrote: It's been a while since the last update: how long to go before r1? Dunno. Ryan (ftpmaster) won't give a green light for r1 until the kernel has been updated. That'll still take a while. Regards, Joey -- Life is too short to run proprietary software. -- Bdale Garbee -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (VI)
Martin Schulze [EMAIL PROTECTED] writes: Andrew Donnellan wrote: It's been a while since the last update: how long to go before r1? Dunno. Ryan (ftpmaster) won't give a green light for r1 until the kernel has been updated. Kernel of sarge? 2.6.8 and 2.4.27? IIRC, Debian Kernel Team already have some ready packages for it. -- O T A V I OS A L V A D O R - E-mail: [EMAIL PROTECTED] UIN: 5906116 GNU/Linux User: 239058 GPG ID: 49A5F855 Home Page: http://www.freedom.ind.br/otavio - Microsoft gives you Windows ... Linux gives you the whole house. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (VI)
On 2005-12-03 Otavio Salvador [EMAIL PROTECTED] wrote: Martin Schulze [EMAIL PROTECTED] writes: Andrew Donnellan wrote: It's been a while since the last update: how long to go before r1? Dunno. Ryan (ftpmaster) won't give a green light for r1 until the kernel has been updated. Kernel of sarge? 2.6.8 and 2.4.27? IIRC, Debian Kernel Team already have some ready packages for it. deb http://kernel.debian.net/debian sarge-proposed-security-updates main cu andreas -- The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal vision of the emperor's, and its inclusion in this work does not constitute tacit approval by the author or the publisher for any such projects, howsoever undertaken.(c) Jasper Ffforde -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (VI)
Otavio Salvador wrote: Martin Schulze [EMAIL PROTECTED] writes: Andrew Donnellan wrote: It's been a while since the last update: how long to go before r1? Dunno. Ryan (ftpmaster) won't give a green light for r1 until the kernel has been updated. Kernel of sarge? 2.6.8 and 2.4.27? IIRC, Debian Kernel Team already have some ready packages for it. I know. Most of them are ready. Regards, Joey -- Life is too short to run proprietary software. -- Bdale Garbee -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (IV)
Hi Joey, please also update base-config. #154482 is still valid for sarge, and is very annoying. Greetings Martin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (IV)
Martin Zobel-Helas wrote: Hi Joey, please also update base-config. #154482 is still valid for sarge, and is very annoying. From the first glance this looks like a wrong setting in the debconf db. -- dpkg-reconfigure base-config with proper priorities Regards, Joey -- Testing? What's that? If it compiles, it is good, if it boots up, it is perfect. Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (IV)
On Thu, Sep 15, 2005 at 06:42:08PM +0200, Martin Schulze wrote: Martin Zobel-Helas wrote: please also update base-config. #154482 is still valid for sarge, and is very annoying. From the first glance this looks like a wrong setting in the debconf db. -- dpkg-reconfigure base-config with proper priorities (a) You mean 'apt-setup' - base-config does not ask any questions in its maintainer scripts so dpkg-reconfigure is not useful for it; (b) The apt-setup patch mentioned in base-config 2.66's changelog is needed to have that question actually get re-asked when you run apt-setup, which is the bug. -- Colin Watson [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (IV)
Colin Watson wrote: Martin Zobel-Helas wrote: please also update base-config. #154482 is still valid for sarge, and is very annoying. From the first glance this looks like a wrong setting in the debconf db. -- dpkg-reconfigure base-config with proper priorities (a) You mean 'apt-setup' - base-config does not ask any questions in its maintainer scripts so dpkg-reconfigure is not useful for it; (b) The apt-setup patch mentioned in base-config 2.66's changelog is needed to have that question actually get re-asked when you run apt-setup, which is the bug. So, where is the patch, and where is the updated package? Regards, Joey -- Testing? What's that? If it compiles, it is good, if it boots up, it is perfect. Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (II)
On Sat, Aug 20, 2005 at 05:11:01PM +0200, Martin Schulze wrote: If you would like to get a package updated in the stable release, you are advised to talk to the stable release manager first (see http://www.debian.org/intro/organization). Changelog - 2005/08/20 17:09 MET * Accepted mantis * Investigation of mozilla * Investigation of mozilla-firefox Please add mozilla-thunderbird here too. The security upload is pending as you told me :). -- GPG messages preferred. | .''`. ** Debian GNU/Linux ** Alexander Sack | : :' : The universal [EMAIL PROTECTED] | `. `' Operating System http://www.jwsdot.com/ | `-http://www.debian.org/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (II)
Alexander Sack wrote: On Sat, Aug 20, 2005 at 05:11:01PM +0200, Martin Schulze wrote: If you would like to get a package updated in the stable release, you are advised to talk to the stable release manager first (see http://www.debian.org/intro/organization). Changelog - 2005/08/20 17:09 MET * Accepted mantis * Investigation of mozilla * Investigation of mozilla-firefox Please add mozilla-thunderbird here too. The security upload is pending as you told me :). I can only add packages that are there. Two architectures are missing for Thunderbird on klecker before I can release an advisory. Regards, Joey -- Those who don't understand Unix are condemned to reinvent it, poorly. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (II)
On Lun 22 août 2005 11:42, Martin Schulze a écrit : Alexander Sack wrote: On Sat, Aug 20, 2005 at 05:11:01PM +0200, Martin Schulze wrote: If you would like to get a package updated in the stable release, you are advised to talk to the stable release manager first (see http://www.debian.org/intro/organization). Changelog - 2005/08/20 17:09 MET * Accepted mantis * Investigation of mozilla * Investigation of mozilla-firefox For firefox, there's this bug which is very bad So for now please don't accept it in this new release http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324344 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324173 Regards, -- Jean-Yves LENHOF http://www.lenhof.eu.org [EMAIL PROTECTED] Port Perso : 06 09 39 96 49 Fixe : 03 20 39 62 86 Tel Free ADSL (Dégroupage Free) : 08 71 76 47 32 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
This one time, at band camp, Martin Schulze said: These packages will be installed into the stable Debian distribution and will be part of the next revision. clamav-base stable0.84-2 all clamav-base updates 0.84-2.sarge.1 all clamav-daemon stable0.84-2 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc clamav-daemon updates 0.84-2.sarge.1 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc clamav-docs stable0.84-2 all clamav-docs updates 0.84-2.sarge.1 all clamav-freshclam stable0.84-2 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc clamav-freshclam updates 0.84-2.sarge.1 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc clamav-milter stable0.84-2 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc clamav-milter updates 0.84-2.sarge.1 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc clamav-testfiles stable0.84-2 all clamav-testfiles updates 0.84-2.sarge.1 all clamavstable0.84-2 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc source clamavupdates 0.84-2.sarge.1 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc source libclamav-dev stable0.84-2 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libclamav-dev updates 0.84-2.sarge.1 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libclamav1stable0.84-2 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc libclamav1updates 0.84-2.sarge.1 alpha arm hppa i386 ia64 m68k mips mipsel powerpc s390 sparc DSA 737 clamav - remote DOS I see that you are actually including .2 (which is great). I would like to get the following patch in as well, but I understand if you feel it inapropriate for a stable update. The first 2 diff's fix #321440 and #315063, while the last fixes an unreported bug in redirection, as well as a privately reported bug about a hang on low entropy systems. All of these changes have been in unstable for some time, so I feel as though they have gotten at least some testing to make sure they won't do additional harm. Thanks for considering, diff -u debian/clamav-freshclam.logrotate.old debian/clamav-freshclam.logrotate --- debian/clamav-freshclam.logrotate.old 2005-08-20 18:54:28.0 -0400 +++ debian/clamav-freshclam.logrotate 2005-08-20 18:54:39.0 -0400 @@ -5,7 +5,7 @@ delaycompress create 640 clamav adm postrotate - [ -f /var/run/clamav/freshclam.pid ] kill -HUP `cat /var/run/clamav/freshclam.pid` /dev/null + [ ! -f /var/run/clamav/freshclam.pid ] || kill -HUP `cat /var/run/clamav/freshclam.pid` /dev/null endscript } diff -u debian/clamav-daemon.postinst.in.old debian/clamav-daemon.postinst.in --- debian/clamav-daemon.postinst.in.old2005-08-20 18:55:06.0 -0400 +++ debian/clamav-daemon.postinst.in2005-08-20 18:58:42.0 -0400 @@ -30,10 +30,10 @@ UCFVER=`check_ucf` - . /usr/share/debconf/confmodule if [ -n $2 ]; then if dpkg --compare-versions $2 lt 0.82-2; then #loading debconf module + . /usr/share/debconf/confmodule db_purge || true db_stop || true fi @@ -60,7 +60,7 @@ echo delaycompress $DEBROTATEFILE echo create 640 $User adm $DEBROTATEFILE echo postrotate $DEBROTATEFILE - echo kill -HUP \`cat $PidFile\` /dev/null $DEBROTATEFILE + echo [ ! -f $PidFile ] || kill -HUP \`cat $PidFile\` /dev/null $DEBROTATEFILE echo endscript $DEBROTATEFILE echo } $DEBROTATEFILE touch $LogFile diff -u debian/clamav-freshclam.postinst.in.old debian/clamav-freshclam.postinst.in --- debian/clamav-freshclam.postinst.in.old 2005-08-20 18:52:54.0 -0400 +++ debian/clamav-freshclam.postinst.in 2005-08-20 18:53:39.0 -0400 @@ -161,7 +161,7 @@ # Set up cron method if [ $runas = cron ]; then -min=$(( `od -A n -N 2 -l /dev/random` % 3600 / 60 )) +min=$(( `od -A n -N 2 -l /dev/urandom` % 3600 / 60 )) # min=`perl -e 'print int(rand(60))'` FRESHCLAMCRON=/etc/cron.d/clamav-freshclam FRESHCLAMTEMP=/var/lib/clamav/freshclam.cron @@ -173,7 +173,7 @@ if [ -e /etc/cron.d/clamav-freshclam ]; then echo -n Disabling old cron script . . . mv /etc/cron.d/clamav-freshclam /etc/cron.d/clamav-freshclam.dpkg-old - ucf -p /etc/cron.d/clamav-freshclam /dev/null 21 || true + ucf -p /etc/cron.d/clamav-freshclam /dev/null 21 || true echo done fi fi -- - | ,''`.Stephen Gran | | : :' :[EMAIL PROTECTED] | |
Re: Preparation of the next stable Debian GNU/Linux update (I)
Hi, On Fri, Jul 08, 2005, Martin Schulze wrote: Preparation of the next stable Debian GNU/Linux update == An up-to-date version is at http://people.debian.org/~joey/3.1r1/. There's no trace of gnome-system-monitor on that page. Could you please review http://lists.debian.org/debian-release/2005/06/msg00302.html and tell me whether you accept or reject it? Thanks, -- Loïc Minier [EMAIL PROTECTED] Come, your destiny awaits! signature.asc Description: Digital signature
Re: Preparation of the next stable Debian GNU/Linux update (I)
On Fri, 08 Jul 2005 09:18:16 +0200, Martin Schulze wrote: Preparation of the next stable Debian GNU/Linux update == An up-to-date version is at http://people.debian.org/~joey/3.1r1/. I am preparing the (most probably) last revision ever of the current stable Debian distribution (woody) and will frequently send reports so people can actually comment on it and intervene whenever this is required. It is scheduled for any time now. If you disagree with one bit or another, please reply to this mail and explain why these things should be handled differently. There is still time to reconsider. I notice kernel updates are missing from this list. We are still sitting on the ABI-changing netfilter frag leak fix; there are also numerous other security fixes that the kernel needs. I've spoken to joeyh about this, and he's fine with the kernel package name change. So, our plan is to upload to stable-proposed-updates, and the d-i folks will update sarge's d-i for the new kernels. Martin, do you have any problems with this? The plan is to release a new revision roughly two months after the last update. It is required, however, that this happens before the release of sarge since the Debian archive infrastructure is unable to update the then called oldstable distribution. Hence, this update is planned for the end of May, right before the proposed release of sarge. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
Martin Schulze wrote: 3. The stable version of the package is not installable at all due to broken or unmet dependencies or broken installation scripts. Would you consider a fix for #315946 if uploaded to s-p-u? Kind regards T. -- Thomas Viehmann, http://thomas.viehmann.net/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
Hi Joey, On Fri, Jul 08, 2005 at 09:18:16AM +0200, Martin Schulze wrote: Preparation of the next stable Debian GNU/Linux update == An up-to-date version is at http://people.debian.org/~joey/3.1r1/. I am preparing the (most probably) last revision ever of the current stable Debian distribution (woody) and will frequently send reports so people can actually comment on it and intervene whenever this is required. It is scheduled for any time now. s/the \(most probably\) last revision ever/another step towards the final version/ s/woody/sarge/ The joy of semi-automated postings... Cheers, Steffen -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
Steffen Grunewald wrote: Hi Joey, On Fri, Jul 08, 2005 at 09:18:16AM +0200, Martin Schulze wrote: Preparation of the next stable Debian GNU/Linux update == An up-to-date version is at http://people.debian.org/~joey/3.1r1/. I am preparing the (most probably) last revision ever of the current stable Debian distribution (woody) and will frequently send reports so people can actually comment on it and intervene whenever this is required. It is scheduled for any time now. s/the \(most probably\) last revision ever/another step towards the final version/ s/woody/sarge/ The joy of semi-automated postings... No, the joy of copied templates... :) It's corrected on the web page. Regards, Joey -- Computers are not intelligent. They only think they are. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
Hi, On Fri, Jul 08, 2005, Martin Schulze wrote: 2. The package fixes a critical bug which can lead into data loss, data corruption, or an overly broken system, or the package is broken or not usable (anymore). I've sent an updated package for gnome-system-monitor in my message of the 23th of june to this list: http://lists.debian.org/debian-release/2005/06/msg00302.html I've reminded you of this request in a private mail the 27th of june. Is anything preventing inclusion of gnome-system-monitor? Please confirm its inclusion or reject it. Thanks for your work. Regards, -- Loïc Minier [EMAIL PROTECTED] Life is like a sewer - what you get out of it depends on what you put into it. -- Hen3ry -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Preparation of the next stable Debian GNU/Linux update (I)
On Fri, Jul 08, 2005 at 09:18:16AM +0200, Martin Schulze wrote: The requirements for packages to get updated in stable are: 1. The package fixes a security problem. An advisory by our own Security Team is required. Updates need to be approved by the Security Team. 2. The package fixes a critical bug which can lead into data loss, data corruption, or an overly broken system, or the package is broken or not usable (anymore). 3. The stable version of the package is not installable at all due to broken or unmet dependencies or broken installation scripts. 4. All released architectures have to be in sync. 5. The package gets all released architectures back in sync. It is (or (and (or 1 2 3) 4) 5) I am adopting the httperf package. It was in Woody and was removed from Sarge/Sid because of licensing issues with linking to OpenSSL. The issue has been resolved [0] by the current upstream maintainer. Since the package was in Woody and not in Sarge [1], there is the potential for someone to have had it installed prior to upgrading and now have it still installed. This could be a problem since if the package is only allowed back into Sid/Etch, then Sarge users with the obsolete httperf would not receive any future security updates (if they become necessary) for the package. Is this sufficient justification to have the package added back in to Sarge? Here is a summary of the changes from the Woody version: * Move from non-US to main * Recompile against libssl0.9.7 * Update license and copyright file. * Corrected some minor lintian warnings against the man page. * Added a watch file. The last two changes can be backed out if it is necessary to get the package into Sarge. If this is sufficient, I can have a new package done and uploaded (by my sponsor) by tomorrow. Comments would be appreciated. -Roberto [0] http://lists.debian.org/debian-legal/2005/07/msg00040.html [1] http://packages.debian.org/httperf -- Roberto C. Sanchez http://familiasanchez.net/~sanchezr pgp48hFSwc7Gi.pgp Description: PGP signature
Re: Preparation of the next stable Debian GNU/Linux update (I)
Am 2005-07-08 09:18:16, schrieb Martin Schulze: Preparation of the next stable Debian GNU/Linux update == An up-to-date version is at http://people.debian.org/~joey/3.1r1/. ^ I am preparing the (most probably) last revision ever of the current stable Debian distribution (woody) and will frequently send reports so ^ The plan is to release a new revision roughly two months after the last update. It is required, however, that this happens before the release of sarge since the Debian archive infrastructure is unable to update the then called oldstable distribution. Hence, this update is planned for the end of May, right before the proposed release of sarge. ??? Disclaimer -- This list intends to help the ftp-masters releasing 3.1r1. They have the final power to accept a package or not. If you want to comment on this list, please send a mail to Martin Schulze [EMAIL PROTECTED]. Last updated 2005/07/08 09:16 MET Ist this message an accident ? Greetings Michelle -- Linux-User #280138 with the Linux Counter, http://counter.li.org/ Michelle Konzack Apt. 917 ICQ #328449886 50, rue de Soultz MSM LinuxMichi 0033/3/8845235667100 Strasbourg/France IRC #Debian (irc.icq.com) signature.pgp Description: Digital signature
Re: Preparation of the next stable Debian GNU/Linux update (III)
On Sat, Dec 18, 2004 at 11:46:31PM +0100, Santiago Vila wrote: Someone who installs from 3.0r[012] should have stable in sources.list. There is no need to have packages available in both places, at least not several weeks after the release of 3.0r3. Assuming they've got a network source in there which has an up to date mirror. If they're using something like a local mirror that isn't updated or CDs they may not have a copy of 3.0r3 in their sources.list. -- You grabbed my hand and we fell into it, like a daydream - or a fever.
Re: Preparation of the next stable Debian GNU/Linux update (III)
Not directly related to 3.0r4, but while we are at it: Would be possible to remove packages in security.debian.org which are already part of 3.0r3?
Re: Preparation of the next stable Debian GNU/Linux update (III)
On Sat, 2004-12-18 at 19:53 +0100, Santiago Vila wrote: Not directly related to 3.0r4, but while we are at it: Would be possible to remove packages in security.debian.org which are already part of 3.0r3? Isn't that not correct, since someone who installs from 3.0 or 3.0r[123] disks will need all of the packages in security.d.o to be able to upgrade to the latest secure revisions? -- - Ron Johnson, Jr. Jefferson, LA USA PGP Key ID 8834C06B I prefer encrypted mail. Fair is where you take your cows to be judged. Unknown signature.asc Description: This is a digitally signed message part
Re: Preparation of the next stable Debian GNU/Linux update (III)
Santiago Vila wrote: Not directly related to 3.0r4, but while we are at it: Would be possible to remove packages in security.debian.org which are already part of 3.0r3? What would we gain from this? I would not like that but maybe you have a good reason for asking. Regards, Joey -- Experience is something you don't get until just after you need it.
Re: Preparation of the next stable Debian GNU/Linux update (III)
|| On Sat, 18 Dec 2004 20:06:13 +0100 || Martin Schulze [EMAIL PROTECTED] wrote: ms Santiago Vila wrote: Not directly related to 3.0r4, but while we are at it: Would be possible to remove packages in security.debian.org which are already part of 3.0r3? ms What would we gain from this? ms I would not like that but maybe you have a good reason for asking. It reduze the index files. But I don't like to force it because the user can use an outdated mirror and in this case security will have the needed packages for his system be secure again. IMHO we should leave it in both places. -- O T A V I OS A L V A D O R - E-mail: [EMAIL PROTECTED] UIN: 5906116 GNU/Linux User: 239058 GPG ID: 49A5F855 Home Page: http://www.freedom.ind.br/otavio - Microsoft gives you Windows ... Linux gives you the whole house. pgpKz3JhQx4iU.pgp Description: PGP signature
Re: Preparation of the next stable Debian GNU/Linux update (III)
Ron Johnson wrote: On Sat, 2004-12-18 at 19:53 +0100, Santiago Vila wrote: Not directly related to 3.0r4, but while we are at it: Would be possible to remove packages in security.debian.org which are already part of 3.0r3? Isn't that not correct, since someone who installs from 3.0 or 3.0r[123] disks will need all of the packages in security.d.o to be able to upgrade to the latest secure revisions? In general yes, but normally you also have the regular links to http.us.debian.org, no? Regards, Joey -- Experience is something you don't get until just after you need it.
Re: Preparation of the next stable Debian GNU/Linux update (III)
On Sat, 2004-12-18 at 20:22 +0100, Martin Schulze wrote: Ron Johnson wrote: On Sat, 2004-12-18 at 19:53 +0100, Santiago Vila wrote: Not directly related to 3.0r4, but while we are at it: Would be possible to remove packages in security.debian.org which are already part of 3.0r3? Isn't that not correct, since someone who installs from 3.0 or 3.0r[123] disks will need all of the packages in security.d.o to be able to upgrade to the latest secure revisions? In general yes, but normally you also have the regular links to http.us.debian.org, no? Well, it's moot in my case (I track sid). -- - Ron Johnson, Jr. Jefferson, LA USA PGP Key ID 8834C06B I prefer encrypted mail. All else being equal, you're safer traveling in a passenger vehicle that's larger and heavier than in one that's smaller and lighter. http://www.carsafety.org/vehicle_ratings/sfsc.htm signature.asc Description: This is a digitally signed message part
Re: Preparation of the next stable Debian GNU/Linux update (III)
On Sat, 18 Dec 2004, Ron Johnson wrote: On Sat, 2004-12-18 at 19:53 +0100, Santiago Vila wrote: Not directly related to 3.0r4, but while we are at it: Would be possible to remove packages in security.debian.org which are already part of 3.0r3? Isn't that not correct, since someone who installs from 3.0 or 3.0r[123] disks will need all of the packages in security.d.o to be able to upgrade to the latest secure revisions? Someone who installs from 3.0r[012] should have stable in sources.list. There is no need to have packages available in both places, at least not several weeks after the release of 3.0r3.
