Package: wordpress
Version: 5.5.1+dfsg1-2
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team
Wordpress versions less than 5.5.2 have the following security
vulnerabilities:
CVE-2020-28039: Protected meta that could lead to
Hi Owen,
Thanks for the report, it is now enabled for the next release of Debian
net-snmp
https://salsa.debian.org/debian/net-snmp/-/commit/223b00693e5b68165b060e3f7342c4cc2574ba08
- Craig
On Tue, 27 Oct 2020 at 14:31, Craig Small wrote:
> Hi Owen,
>
> OK, I think I know what ha
Hi Owen,
OK, I think I know what happened, I was checking a different branch. No
idea why the build system says it is building with them when it's not.
Your patch is fine, I'll add that in shortly.
- Craig
On Tue, 27 Oct 2020 at 10:18, Craig Small wrote:
> On Tue, 27 Oct 2020 at 07:42, O
m a bit confused about what is not enabled and why your configure
option works.
The --with-openssl and having openssl 0.9.7 or later will do it.
- Craig
are you asking to clean up old bugs or are you having the same issue?
- Craig
On Sun, 25 Oct 2020 at 06:18, Graham Inggs wrote:
> Is this fix really still pending?
>
> ___
> Pkg-net-snmp-devel mailing list
> pkg-net-sn
what the /etc file had. This is what the value should be.
- Craig
ade EXTEND-MIB read-only which meant
+it was not possible to set the timeout of the cache. This patch
+allows administrator to set the value in the snmpd.conf file.
+Closes: #969508
+
+ -- Craig Small Mon, 07 Sep 2020 07:16:17 +1000
+
net-snmp (5.7.3+dfsg-5+deb10u1) buster-security; ur
Please change your locale if this is incorrect.
Using 'Craig Small ' as your from address.
Will send report to Debian (per lsb_release).
What sort of request is this? (If none of these things mean anything to you, or
you are trying to report a bug in an existing package, please press Enter to
exit
it not work too well as you have found.
- Craig
1:
https://salsa.debian.org/debian/wordpress/-/blob/buster/debian/patches/cs45974_url_valid_redirect
- Craig
1: https://packages.debian.org/buster/libsnmp30
2: https://packages.debian.org/buster/libperl5.28
3: https://packages.debian.org/search?keywords=libperl5.30
On Thu, 1 Oct 2020 at 16:24, Michael Rasmussen wrote:
> Package: libsnmp30
> Version: 5.7.3+dfsg-5+b2
> Severity
ple files.
craig
s broken.
source-only uploads fail because libsnmptrapd40 is new
binary uploads fail because they won't go into testing
So apparently, I need to:
* first upload a binary set to get libsnmptrapd40 through the gate
* upload a source-only for no other reason other than.. reasons
- Craig
on behalf of
Salvatore Bonaccorso
Sent: Friday, 11 September 2020 11:15 PM
To: Craig, Daniel (CASS, Marsfield) ;
968...@bugs.debian.org <968...@bugs.debian.org>
Cc: Nicolas Courtel
Subject: Re: Bug#968567: linux-image-4.19.0-10-amd64: kernel failure when
writing on a GFS2 partition
Hi Dani
?id=209217
Cheers,
Daniel Craig
s that team maintenance means a team salsa URL, which
often they are not. net-snmp uses a repository under debian. python is
close but you can also have:
Maintainer: Craig Small
Uploaders: Debian Python Modules Team
Vcs-Browser: https://salsa.debian.org/python-team/modules/mastodon
raries should do it.
- Craig
g/debian/tmp/usr/share/man/man3/NetSNMP::agent.3pm
it's not installed as SNMP.3pm
I think the issue is in perl/SNMP/Makefile.PL
MAN3PODS => { 'SNMP.pm' => '$(INST_MAN3DIR)/SNMP.3' },
- Craig
ay
You could use -m ALL too. This is much friendlier.
There are instructions in the file /etc/snmp/snmp.conf and also
instructions in snmp-mibs-downloader on how to enable this for the
client.
- Craig
reassign 968712 linux-signed-amd64
retitle 968712 IPv6 default accept_redirect not honoured
thankyou
Hi,
This isn't a procps bug for two reasons.
1) It looks like you are using systemd, so the program doing the
changes would be systemd-sysctl
2) Either program merely writes the value to the
Package: snmpd
Version: 5.8+dfsg-4
Severity: grave
Tags: security upstream
Justification: user security hole
CVE-2020-15861
snmpd runs as a low privileged user account. However, in combination with
the *snmp-mibs-downloader package* this
I'm trying to understand why you (or anyone) would use such an insecure
feature. One question, are you using in read-only mode or read-write mode?
read-only mode could be enabled, but read-write probably can't be anymore.
- Craig
On Fri, 31 Jul 2020 at 14:15, Albertas Sileika wrote:
>
Hi James,
That would have been intentional, the EXTEND MIB has major security
issues.
- Craig
On Thu, 30 Jul 2020 at 23:03, James Greig wrote:
> Package: snmpd
> Version: 5.7.3+dfsg-1.7+deb9u2
> Severity: important
>
> Dear Maintainer,
>
> *** Reporter, plea
Package: wnpp
Severity: normal
I intend to orphan the lprng-doc package. I thought it was part of lprng
which I have also orphaned.
The package description is:
The LPRng software is an enhanced, extended, and portable version
of the Berkeley
mteTriggerConf -f -p /run/snmpd.pid
- Craig
will do the trick?
Happy to work with you guys on a common fix.
- Craig
- Craig
On Fri, 17 Jul. 2020, 2:15 pm Bart Van Assche, wrote:
> Package: snmpd
> Version: 5.7.3
>
> The report below comes from USD AG (https://www.usd.de). I am forwarding
> this report to the Debi
k enhancements: response size + fallback to forward encoding
> move v3 engineID probe into initial packet build
>
Thanks for doing this bisect. So the issue happened after 5.7.3 (this
change happened in 2015, 5.7.3 was released in 2014) which means we only
need to worry about unstable and testing.
- Craig
e quick reading of the net-snmp setup is all we
need to do to make this happen is to add
--with-transports="TLSTCP DTLSUDP" --with-security-modules="tsm"
The default transports are UDP TCP Alias Unix and Callback while the
default security modules are usm only.
Does that sound right to you?
- Craig
packages and it is not too terrible about
the lintian warnings, but I haven't installed or tested it yet; that's a
job for tomorrow (which is only an hour away, but it will be much longer
than that). If anyone is keen in the meantime go ahead and see if it works
for you.
- Craig
On Sun, 28 Jun
he struct.
I'm concerned that if the binary has one idea of the struct and the library
has another we are going to get some very bad corruption going on between
them.
- Craig
Hi Danny,
It will (actually has) ended up in Bullseye but net-snmp v5.8 won't end
up in Stretch or Buster.
- Craig
On Tue, 16 Jun 2020 at 01:31, Danny Smit wrote:
> Thanks for your reply. Is version 5.8 expected to end up in either
> Debian Stretch or Buster?
>
> On Thu, Jun 11
Source: wordpress
Version: 5.4.1+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole
WordPress 5.4.2 is out and fixes the following vulnerabilities:
Props to Sam Thomas (jazzy2fives) for finding an XSS issue where
this as well, but the version file is there.
My guess is you'll need to programmatically inject the version
file at the top of the lsof manual page. Actually that's probably
what upstream should do too.
- Craig
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy
intain easysnmp but
willing to help when it's needed.
Hopefully, the upstream issues get sorted! Until we have more snmp
libraries than IRC clients I say more the merrier!
- Craig
This is the analysis of the latest WordPress security bugs.
Is it awesome upstream already has CVE IDs and (almost) clear patches of
the fixes? Yes, it is!
Sid: 5.4
All vulnerabilities, use upstream 5.4.1
Bullseye: 5.3.2
buster. It's the referencing and checking the version is impacted that
takes the time.
- Craig
1:
https://github.com/WordPress/wordpress-develop/commit/e65e7a3bd96df6675a9a3caa54f5945885379f09
2: https://core.trac.wordpress.org/changeset/47636
- Craig
next packaging update. Thank you!
thanks.
The "foo() {true;}" version works for bash and dash.
craig
--
craig sanders
ring munin directories:
munin.
Mar 19 14:00:23 ganesh systemd[1]: Started LSB: Create munin master directories
on boot.
craig
--- munin.dpkg-dist 2020-03-14 03:40:22.0 +1100
+++ munin 2020-03-19 14:00:07.916057288 +1100
@@ -27,5 +27,5 @@
# there is no process to be started or stopp
-devel and the
mass bug filing. I noticed my name was in the dd-list and wondered
why.
Anyway, I thought this program got nuked ages ago, could you remove it
please?
- Craig
Package: ftp.debian.org
Severity: normal
Hi,
I request the removal of the mudlet package. There are many reasons
why I think this package can no longer be in Debian.
1) It requires several other packages that are not in Debian or would
need to be embedded in the Mudlet package. Some of these
On Sat, 29 Feb 2020 at 18:45, Sven Joachim wrote:
>
> So the version you need to use in procps.maintscript is 2:3.3.16-4~, not
> 2:3.3.16-3~.
>
Thanks! I've fixed this now.
- Craig
ird thing that does this linking I didn't
know about.
So it was just easier to put the binaries back to /bin. I don't personally
run any unmerged systems so it is hard to test and keep testing.
If someone comes up with a install time helper that does this conditional
moving then I'll use that.
- Craig
I think they all should be using a path rather than hard coding where ps
is. But in any case that's what these other packages do. I'll revert the
change.
- Craig
On Wed, 26 Feb. 2020, 7:45 pm Thorsten Glaser, wrote:
> Package: procps
> Version: 2:3.3.16-2
> Severity: important
work out why the CI tests failed
(came down to reprotest brokenness again).
Apologies for the inconvenience. One day I'll work out the deb-ci syntax
and put something in to check for a broken symlink.
- Craig
It's mentioned in the sysctl man page under the --system option.
--system
Load settings from all system configuration files. Files are
read from directories in the following list in given order from top to
bottom. Once a file of a given filename is loaded, any
The settings are 1 not 2 to be in line with other distributions.
On Tue, 18 Feb. 2020, 12:39 pm Christoph Anton Mitterer, <
cales...@scientia.net> wrote:
> btw:
>
> What's the reason to not also set:
> fs.protected_fifos = 2
>
> ?
>
> Cheers,
> Chris.
>
Hi Thorsten,
I am pretty sure it's the fieldscur validation having a bad day. I've
emailed the author and will let you know what happens.
- Craig
On Sat, 15 Feb 2020 at 04:24, Thorsten Glaser wrote:
> Package: procps
> Version: 2:3.3.16-1
> Severity: important
>
> After
omes first
and overrides things in /run like systemd sysctl does.
Does that seem right to you? I'll make the necessary changes in procps if
so.
- Craig
1:
https://salsa.debian.org/systemd-team/systemd/blob/debian/master/src/basic/def.h#L44
2: https://salsa.debian.org/debian/procps/blob/master/sysctl.c#L62
this.
- Craig
-- Package-specific info:
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.3.0-3-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG
Actually looking at the code this time, yep it (procps sysctl) does do
that and reads them in order of precedence of the directories.
I think procps may have the order different though as /run is before /etc.
The sysctl.d man page is actually confusing so it's hard to say.
- Craig
On Thu, 6
it by creating
> /etc/sysctl.d/protect-links.conf .
>
That's not actually how the procps version of sysctl works. It reads all of
the directories. So looks like we have a bigger problem here as the systemd
version does something different to the procps version.
- Craig
;make docs"? Because otherwise I
wouldn't recommend doing that.
-Craig
From: Paolo Greppi
Sent: Wednesday, February 5, 2020 6:34 AM
To: ccf...@heasarc.gsfc.nasa.gov
Cc: 943...@bugs.debian.org <943...@bugs.debian.org>
Subject: troubles generating refman.
break
something and nobody understands why some program that used to work fine no
longer does and they didn't touch it.
- Craig
On Wed, 22 Jan 2020 at 02:03, Christoph Anton Mitterer <
cales...@scientia.net> wrote:
> Hey.
>
> Anything new on this? More than a year of people runn
The idea of having a -w option is something I'll look into. I'm not sure
if you noticed, but there is the PROCPS_FROMLEN environment variable you
can set to make that column wider too.
- Craig
On Mon, 20 Jan 2020 at 17:51, Marc Haber
wrote:
> Package: procps
> Version: 2:3.3.1
- Craig
Hi Markus,
Yes Nils was doing a nmu for me. Unless they are very keen I'll handle
the backports. As you said the confusion is on the sponsorship. We were
using a
Mentors as a way of getting the package from him to me in the standard way.
- Craig
On Tue, 24 Dec. 2019, 4:27 am Markus Koschany
(current) library isn't too good about reporting
problems back up to the calling binary.
- Craig
On Mon, 18 Nov 2019 at 02:25, Marco d'Itri wrote:
> On Oct 24, Craig Small wrote:
>
> > Are you sure it's just a lack of memory causing this problem?
> > It's going to be a
see where they are up to with their release cycle and if it's a
while off, add a patch in Debian.
- Craig
1:
https://sourceforge.net/p/net-snmp/code/ci/cd09fd82522861830aaf9d237b26eef5f9ba50d2
Hi,
Thanks for packaging this, it will help with some other packages I have.
No need to add me to the uploaders, the main thing is the package is in the
archive.
- Craig
On Wed, 6 Nov 2019 at 10:11, Pierre-Elliott Bécue wrote:
> Le mercredi 14 mars 2018 à 22:28:14+1100, Craig Small a éc
Package: chromium
Version: 76.0.3809.100-1
Native Client (NaCl) appears to be explicitly disabled in the Debian
build of Chromium with the enable_nacl=false option here:
https://salsa.debian.org/chromium-team/chromium/blob/master/debian/rules#L85
FWIW, Ubuntu seems to do the same. This in
I'll be using this [1] to fix stable or its version equivalent.
- Craig
1:
https://github.com/WordPress/WordPress/commit/2fc33ef47d3a4d48f03ef79d4aacf420da51bb54
Hmm, I'm not too sure why I said it was fixed in that version. I think
there was another bug that got fixed that looked like that one.
Version 4.9.x of wordpress, when their release announcements were worth
something...
On Thu, 17 Oct 2019 at 05:21, Markus Koschany wrote:
> Hello Cr
d is used
by that program to check if there is already running process.
The -p option in the init script is for snmpd binary and is used to tell
snmpd where to create the pidfile.
- Craig
suspect there is some strangeness of the standardall target, often some
libraries are built and others (eg netsnmpmib) are not.
So the fix is, no parallel builds :(
Yes I saw the upstream commit comment. It's not the Makefile, it's parallel
builds!
- Craig
the library it just doesn't abort instead of
merrily making a bad module, but there you go.
Probably also explains why the reproducible build check always fails.
It gives me a place to look, thanks!
- Craig
On Tue, 15 Oct 2019 at 06:07, gregor herrmann wrote:
> On Mon, 14 Oct 2019 10:34:41 +1
means a
coincidence or all functions are not available.
- Craig
as been wrong and doing nothing for a while and
yet snmptrapd works shows how often it gets used.
However, it's bad because people who do want to change the path (like you)
get led down the wrong... path.
A simple fix I can put in the next release, thanks for the report.
- Craig
, unfortunately.
The options are:
1) Comment out those lines in the configuration file; or
2) Download the DISMAN MIBs, Debian cannot have them in main due to
license problems
- Craig
1: https://wiki.debian.org/NonFreeIETFDocuments
Hi Andreas,
I never got a reply from you about this bug. I'm not really sure what
you were after here.
- Craig
On Tue, 5 Feb 2019 at 21:27, Craig Small wrote:
> Hi Andreas,
> I'm trying to understand what you are after here. I think you want the
> expat license, but the MI
github.com/chaos/pdsh
It would be nice to have a link to the old documentation pages that used to be
on the LLNL site, but I wasn't able to find a replacement for them.
BTW, the version of pdsh on github is 2.33
craig
--
craig sanders
e a choice of having all buttons grouped on the primary monitor, or
having the buttons for some windows just vanish entirely.
craig
That took longer than expected but I submitted 7 CVE ID requests into MITRE
tonight. I'm having trouble matching the changesets to the vulnerabilities
(I know 3 of them only) which will make backporting harder.
- Craig
>
Hi Salvatore,
I'll go ask for them over the weekend. I'll look into backports for the
relevant patches. Definitely a festival of XSS going on for this one!
- Craig
On Fri, 6 Sep 2019 at 17:47, Salvatore Bonaccorso wrote:
> Hi Craig,
>
> On Fri, Sep 06, 2019 at 05:37:45PM +10
Source: wordpress
Version: 5.2.2+dfsg1-1
Severity: normal
Tags: security
Wordpress has release 5.2.3 which fixes several security holes.
From
https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
Security Updates
Props to Simon Scannell of RIPS Technologies for
ot;) after the
button name. this was readable and useful.
I have no objection to this as an option for those who want it, but there
really needs to be an option to revert to the previous display behaviour.
please forward this bug report to upstream.
craig
to use the default files for systemd setup.
- Craig
-0006 ONLINE 0 0 0
errors: No known data errors
craig
--
craig sanders
Hi Matus,
Seems a bit strange it doesn't work, until it feels like it then it's all
ok. My guess is that some transitional thing is upsetting the init script.
Do you use systemd or sysvinit? That will narrow down if it's a unit file or
init script issue.
- Craig
--
Craig Small (@smallsees
checking if a file exists and stating it.
- Craig
--
Craig Small https://dropbear.xyz/ csmall at : enc.com.au
Debian GNU/Linux https://www.debian.org/ csmall at : debian.org
Mastodon: @smalls...@social.dropbear.xyz Twitter: @smallsees
GPG fingerprint
- Craig
Actually looking at the init script, it does check SNMPOPTS is set and this
is the only variable in the default file.
What exactly is not getting picked up or overwritten?
- Craig
On Tue, 23 Jul 2019 at 10:06, Daniel Reichelt wrote:
> Package: snmpd
> Version: 5.7.3+dfsg-5
>
Hi Daniel,
It's a little more complicated than that. The defaults are loaded in by
init-d-script but are then overwritten by the snmp init script. What it
should be testing is if they are unset variables and then use the defaults.
- Craig
Hi Chris,
Does --netsnmp-agent-libs give you the right answer?
That option only gives net-snmp libraries.
- Craig
Package: rsyslog
Version: 8.1901.0-1
Severity: minor
Tags: patch
The logcheck files use the http:// url but rsyslog now outputs its
messages using https://
Also for some reason there are two spaces in the HUPed message. I'm not
sure if the others have the same problem either.
-- System
The RCE part was fixed in WordPress 5.0.1 but the path traversal is still a
problem.
So the problem is that for the WordPress core, the way to exploit the path
traversal was taken away (but not the path traversal itself). The author
still states that some plugins or themes may still use this
Hi,
Attached is a debdiff between 5.0.3 to 5.04 which is essentially the
changesets I previously reference from the upstream SVN repository.
Option 1 is my preference, the main difference between #1 and #2 was the
changelog version.
- Craig
diff -Nru wordpress-5.0.3+dfsg1/debian/changelog
I probably should have stated it in the initial email but if you are asking
what my preference is, it would be to have WordPress 5.0.4 in Buster.
The difference between 5.0.4 and 5.0.3 currently in Buster is the security
fixes.
- Craig
nothing and wait until Buster is released and then fix it.
I haven't prepared differences yet because depending on the answer you
get a different debdiff.
- Craig
1:
https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/
2:
https://salsa.debian.org/debian/wordpress
Hi,
I'll see what the release team say. I have everything prepared for a
backport, just need the respective OK.
- Craig
Source: wordpress
Version: 5.0.3+dfsg1-1
Severity: important
Tags: security
This release also includes a pair of security fixes that handle how comments
are filtered and then stored in the database. With a maliciously crafted
comment, a WordPress post was vulnerable to cross-site scripting.
On Wed, Mar 13, 2019 at 01:14:15AM +0100, Lars Kruse wrote:
> I applied this upstream:
>
> https://github.com/munin-monitoring/munin/commit/b892b14a2c2da9b32a380847ecbf16233019ad32
wow, thanks for the quick response.
craig
--
craig sanders
the relevant processes?
I think the sleep will have a PPID of that second bash and the second bash
have a PPID of the first, which is how the tree gets formed.
- Craig
That shift key must have just dropped off for one of those 3/# button
presses.
I'll add that in for the next dh-make release.
- Craig
tags 880070 + help
severity 880070 minor
thankyou
There are no kFreeBSD porterboxes available now, which means it's very
difficult to look into bugs specific to that arch.
Package: software-properties-gtk
Version: 0.96.20.2-1
Severity: normal
--- Please enter the report below this line. ---
When selecting a different "Download from" location (tested numerous)
under the Debian software tab , select close and choose to refresh
cache, the refresh will not finish.
Hi Andreas,
I'm trying to understand what you are after here. I think you want the
expat license, but the MIT variety used is the expat. So if you had
something that used the expat license, then just choosing mit will do it.
But, that's not working somehow?
- Craig
On Tue, 5 Feb 2019 at 01
it was the same either way and was
added for non-Debian kernel users.
I can't actually see what the Debian systemd people use for sysctl
configuration files, I think they use the procps one so the upstream
systemd-sysctl change won't mean much here.
- Craig
-- Forwarded message -
From
generated files
to use that new build-dependency, although I'm using 12 not 11 as that's the
current recommended level.
- Craig
Package: lintian
Version: 2.5.119
Severity: minor
If a patch description ends with a word and the long description starts
with the same word, lintian incorrectly considers this a duplicate word.
For example:
Subject: Correct snmpwalk args in snmpcheck
snmpcheck used the old command line