Package: python-django
Severity: serious
Tags: security
Hi,
Several security issues were announced in Django:
https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
and a regression fix was later posted:
https://www.djangoproject.com/weblog/2011/sep/10/127/
Can you please
Package: backuppc
Severity: serious
Tags: security patch
Hi,
BackupPC 3.2.1 was released back in April.
http://sourceforge.net/mailarchive/forum.php?thread_name=f1f1ef74-716d-4af8-b1bf-c1ba6d9a98a1%40SC1EXHC-02.global.atheros.com&forum_name=backuppc-devel
The release includes a security fix. Can
This bug just caused a serious security incident for us, and I was able
to work through the cause and the reason why not everyone sees it. The
problem was introduced in 0.70 and is still present in 0.73.
The following change was added in 0.70:
sub accept() {
warn accept called as a
On Wed, August 31, 2011 08:55, Peter Palfrader wrote:
On Wed, 31 Aug 2011, Raphael Geissert wrote:
Changes:
ca-certificates (20110502+nmu1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Blacklist DigiNotar Root CA (Closes: #639744)
Are we updating stable
Hi Lisandro, others,
On Fri, 17 Jun 2011 10:09:11, you wrote:
On Fri 17 Jun 2011 06:50:14 Thijs Kinkhorst wrote:
Is there any news on inclusion of this patch?
I'll do my best to review it and discuss it with the rest of
the team this weekend.
Thanks, but I'm not aware of progress
On Wed, August 31, 2011 12:38, Thijs Kinkhorst wrote:
Raphaël, any reason that there's an upload for squeeze on security-master,
but not for lenny?
OK, sorry for this, I should have researched that a bit more. Just found
out that Lenny ca-certificates doesn't have DigiNotar.
Cheers,
Thijs
On Wed, August 31, 2011 15:37, Sune Vuorela wrote:
On Wednesday 31 August 2011 13:09:16 Thijs Kinkhorst wrote:
2. The KDE trust store will not be updated when the Debian Security Team
releases its planned update to ca-certificates to address Diginotar
concern.
JFTR, diginotar isn't in KDE's
Hi Gregor,
On Sunday 22 May 2011 18:14:15 gregor herrmann wrote:
On Wed, 18 May 2011 11:54:02 +0200, Thijs Kinkhorst wrote:
Sympa recommends libio-socket-ssl-perl, so I got that automatically,
however, I failed to get libio-socket-inet6-perl because
libio-socket-ssl-perl only suggests
severity 638955 normal
tags 638955 -security
thanks
Hi Kim,
On Tue, August 23, 2011 12:11, Kim Rostgaard Christensen wrote:
/etc/proftpd/ldap.conf contains passwords and should therefore not be
world readable per default.
I think the same applies to other vuser backends
Thanks for your
Package: ftp.debian.org
On Fri, August 19, 2011 20:33, Debian FTP Masters wrote:
There are disparities between your recently accepted upload and the
override file for the following file(s):
libapache2-mod-php5filter_5.3.7-1_amd64.deb: package says priority is
extra, override says optional.
On Tue, August 16, 2011 10:27, Thorsten Glaser wrote:
On Mon, 15 Aug 2011, Barry Warsaw wrote:
In addition to my original patch, this change will fix the dependencies
in the
resulting .deb.
Thanks, committed.
Confirmed that it all works fine now, I've uploaded this.
Thijs
--
To
On Thu, August 11, 2011 17:49, Barry Warsaw wrote:
On Aug 11, 2011, at 09:25 AM, Thorsten Glaser wrote:
tags 637398 + pending
thanks
On Wed, 10 Aug 2011, Barry Warsaw wrote:
In Ubuntu, the attached patch was applied to achieve the following:
Thanks for sending, applied it so it'll be in the
Hi,
On Mon, February 21, 2011 15:12, Ansgar Burchardt wrote:
While installing the latest security update, mailman complained about
files in /var/lib/mailman/qfiles and suggested to use
/var/lib/mailman/bin/show_qfiles to examine these files.
However show_qfiles aborts with an error:
Hi Paul,
On Thu, August 11, 2011 22:45, Paul Gevers wrote:
On 07/03/11 19:35, Paul Gevers wrote:
As discussed below and in bug 624516, I prepared a patch for
CVE-2010-1644: cacti: XSS issues in host.php and data_sources.php in
lenny. The maintainer of cacti suggested to contact you for
Hi Thorsten,
On Thu, August 11, 2011 09:25, Thorsten Glaser wrote:
tags 637398 + pending
thanks
On Wed, 10 Aug 2011, Barry Warsaw wrote:
In Ubuntu, the attached patch was applied to achieve the following:
Thanks for sending, applied it so it'll be in the next
upload. (This is not urgent,
Hi Marc,
Wondering why the installation of mscorefonts was taking too long
I checked the details and found that none of the fonts could be
retrieved from any of the URLs listed in
ttf-mscorefonts-installer.postinst.
The installer will go through all 12 URLs for each font file
which means a
Hi,
On Thu, June 23, 2011 23:28, Jean-Baptiste Lallement wrote:
apt-file search -gtkmozembed
Unknown option: g
Unknown option: t
Unknown option: k
Interpreting options after command both disables searching for patterns
starting with - and is in conflict with the help text that mandates
tags 570506 +patch
thanks
Could this package support libstemmer_c? (so the libstemmer contents
extracted over libstemmer_c
I agree with this request but the Debian proper way to do it is to use the
Debian packaged version of libstemmer.
This requires two patches to be applied:
1) Enable
-linebreak-perl also doesn't build on kfreebsd, which in turn
causes sympa to fail to migrate to testing.
Can you please check this out?
Cheers,
Thijs
--
Thijs Kinkhorst th...@uvt.nl – LIS Unix
Universiteit van Tilburg – Library and IT Services • Postbus 90153, 5000 LE
Bezoekadres Warandelaan 2
to solve that by adding the virtual package 'ping' as an
alternative.
Cheers,
Thijs
--
Thijs Kinkhorst th...@uvt.nl – LIS Unix
Universiteit van Tilburg – Library and IT Services • Postbus 90153, 5000 LE
Bezoekadres Warandelaan 2 • Tel. 013 466 3035 • G 236 • http://www.uvt.nl
--- debian
Hi,
On Tue, 1 Mar 2011 20:43:32 +0100, Thijs Kinkhorst wrote:
Attached patch fixes this issue. I have tested it here and it works just
like expected.
What I think are compelling arguments to apply the patch:
* It furthers integration in Debian; it's inconvenient and inefficient to
keep
On Thu, June 9, 2011 23:03, Peter Samuelson wrote:
[Thijs Kinkhorst]
The last two security updates for subversion, 1.6.12dfsg-6 and
1.6.12dfsg-7,
have failed to build on kfreebsd-i386 and kfreebsd-amd64. Attached are
two
sample build logs. Can you investigate this?
It is a problem we've
-2.4.23/debian/changelog
--- openldap-2.4.23/debian/changelog
+++ openldap-2.4.23/debian/changelog
@@ -1,3 +1,10 @@
+openldap (2.4.23-7.2) stable; urgency=low
+
+ * Non-maintainer upload targeted at stable.
+ * Fix dpkg-reconfigure slapd. Closes: #596343
+
+ -- Thijs Kinkhorst th...@debian.org Wed, 15
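Review bot: the new entry's "Fix dpkg-reconfigure slapd. Closes: #596343" line says nothing about what was broken or what was changed to fix it. For an upload targeted at stable, add a short description of the change (or the name of the patch applied) so the entry can be reviewed without opening the bug.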
Package: sphinxsearch
Severity: important
Tags: patch
Hi Radu,
By default sphinxsearch logs to /var/log/sphinxsearch but these logs are
not rotated, allowing them to grow endlessly and in the end fill up the
disk. I'm attaching the config I'm using. It should be easy to install it
with
tags 563205 +security
thanks
Hi Radu,
You wrote:
As soon as the squeeze is released I'll provide the API packages.
As squeeze is now released, I'm very much looking forward to an updated
package including these patches. It's a bit unfortunate that the original
reporter reported so many issues
Hi Gregor,
On Mon, June 13, 2011 14:08, Gregor Jasny wrote:
I'm the maintainer of v4l-utils. Currently I'm building the 32bit version
of libv4l(-dev) within the v4l-utils package myself. But with an added
libjpeg dependency and the upcoming multiarch support things get
complicated.
On Thursday 02 June 2011 07:34:59 Christian PERRIER wrote:
Security team, I need advice and help here. My co-maintainer for
shadow, Nicolas, is more or less MIA, so I'm left nearly alone to
maintain shadow. As Nicolas was also upstream, you understand how
desperate is my situation..:-)
On Sat, June 4, 2011 07:53, Mike Hommey wrote:
On Sat, Jun 04, 2011 at 07:46:25AM +0200, Thijs Kinkhorst wrote:
Hi Mike,
On Sat, June 4, 2011 03:47, Mike Hommey wrote:
On Sun, May 29, 2011 at 07:00:23PM -0400, Michael Gilbert wrote:
package: libxml2
version: 2.7.8.dfsg-2
severity
Package: nagios3
Severity: serious
Tags: security
Hi,
Two XSS issues have been reported for Nagios and Icinga:
CVE-2011-2179: http://tracker.nagios.org/view.php?id=224
CVE-2011-1523: http://tracker.nagios.org/view.php?id=207
Can you please see to it that these are fixed in unstable and
Package: libvirt
Version: 0.8.8-1
Severity: serious
Tags: patch
Hi,
Version 0.8.8 introduced a regression which reopens a security issue.
Please see:
https://bugzilla.redhat.com/show_bug.cgi?id=709769
https://www.redhat.com/archives/libvir-list/2011-May/msg01935.html
Can you ensure that
Package: asterisk
Version: 1:1.8.3.3-1
Severity: serious
Tags: security
Hi,
A remote DoS was reported in AST-2011-007:
http://downloads.asterisk.org/pub/security/AST-2011-007.html
This affects only the version in unstable, this bug will prevent migration
of that version until fixed. Please
Hi Mike,
On Sat, June 4, 2011 03:47, Mike Hommey wrote:
On Sun, May 29, 2011 at 07:00:23PM -0400, Michael Gilbert wrote:
package: libxml2
version: 2.7.8.dfsg-2
severity: serious
tag: security
some overflow issues were disclosed for libxml2. see:
Package: perl
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for perl.
CVE-2011-0761[0]:
| Perl 5.10.x allows context-dependent attackers to cause a denial of
| service (NULL pointer dereference and application crash) by leveraging
|
Package: systemtap
Severity: serious
Tags: security
Hi,
When unprivileged mode is enabled, a normal user can crash the system via
systemtap. The following CVE (Common Vulnerabilities Exposures) ids
were
published:
CVE-2011-1769
CVE-2011-1781 (1.4 only)
If you fix the vulnerabilities please
Hi,
Earlier I proposed a fix for this but in a stable upload, but as this bug
wasn't yet fixed in unstable, the release manager was uncomfortable with
allowing it, so I've created an NMU for sid first. Please find the debdiff
attached. As I didn't hear any problems with this fix when I proposed
Package: httpcomponents-client
Version: 4.0.1-1
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for httpcomponents-client.
CVE-2011-1498
[HTTPCLIENT-1061] Fixed critical bug causing Proxy-Authorization header to be
sent to the target
Package: network-manager-openvpn
Severity: important
Tags: security
Hi,
The following issue has been reported to Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=708876
Password to unlock certificate is logged to /var/log/messages
May 29 19:46:42 localhost NetworkManager[4791]:
On Wed, May 18, 2011 13:08, Dominic Hargreaves wrote:
Because there's no way for a package to say I depend on foo
only if the system is configured with IPv6 I actually think this
should be a Depends rather than Recommends, if it breaks without just
because IPv6 is configured on the system.
It
Hi Matthijs,
Is there a chance that this problem will be patched in stable? I'm willing to
help with that if needed, just let me know!
Regards,
Thijs
--
Thijs Kinkhorst th...@uvt.nl – LIS Unix
Universiteit van Tilburg – Library and IT Services • Postbus 90153, 5000 LE
Bezoekadres Warandelaan
Package: libio-socket-ssl-perl
Version: 1.33-1+squeeze1
Severity: important
Tags: patch ipv6
Hi,
When I installed 'sympa' I got the following error messages in my log:
[Mon May 16 17:06:13 2011] [warn] [client 137.56.126.19] mod_fcgid: stderr:
Can't locate Socket6.pm in @INC (@INC contains:
On Tue, May 17, 2011 09:38, Wouter Verhelst wrote:
nbd-server 2.9.21 has a NULL-pointer dereference in its negotiation
phase, which allows unauthenticated users to DoS the server by causing
the negotiation to fail (e.g., by specifying a non-existing name for an
export).
Please use
Package: openssh-server
Version: 1:5.5p1-6
Severity: wishlist
Hi,
I propose to demote the hard dependency on openssh-blacklist to a Recommends.
It's better to be safe than sorry, and the Recommends ensures that by default
the
blacklist is still installed. However those users that are certain
; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Apply patch from upstream addressing arbitrary file overwrite
+(CVE-2011-1425, closes: #620560).
+
+ -- Thijs Kinkhorst th...@debian.org Sat, 09 Apr 2011 17:40:24 +0200
+
xmlsec1 (1.2.14-1) unstable; urgency=low
* New
Hi Andrew,
Are you able to work on this issue? It's always most helpful if the regular
maintainer of a package is involved in security updates.
Cheers,
Thijs
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact
Package: xmlsec1
Severity: serious
Tags: security
Hi,
A new version of xmlsec has been released which fixes a security issue:
When using XML Security Library prior to 1.2.17, it is possible
to create or overwrite arbitrary files during signature verification,
if XSLT is present and enabled
in Packages-arch-specific, but I
might be wrong.
--
Thijs Kinkhorst th...@uvt.nl – LIS Unix
Universiteit van Tilburg – Library and IT Services • Postbus 90153, 5000 LE
Bezoekadres Warandelaan 2 • Tel. 013 466 3035 • G 236 • http://www.uvt.nl
severity 589384 serious
thanks
Hi Brian,
I'm marking this issue as release critical for wheezy. It can lead to
surprises in the configuration of PHP, e.g. that filename.php.jpeg is executed
as PHP code. Although this legacy effect is considered quite well known and
hence not a security
Package: cpqarrayd
Version: 2.3-1
Severity: minor
Hi,
cpqarrayd currently is arch any and not listed in Packages-arch-specific.
It doesn't fail to build on non-intel archs but it will not be useful
there since SmartArray devices are not shipped with such archs.
It does fail to build with
Package: polarssl
Severity: serious
Tags: security
Hi,
The following report by PolarSSL upstream was brought to our attention:
https://lists.ubuntu.com/archives/ubuntu-motu/2011-February/007026.html
Unfortunately it doesn't disclose details. I'll contact the upstream
maintainer about that, but
tags 511597 +patch
thanks
Hi,
Attached patch fixes this issue. I have tested it here and it works just like
expected.
What I think are compelling arguments to apply the patch:
* It furthers integration in Debian; it's inconvenient and inefficient to keep
two certificate stores up to date,
On Tue, March 1, 2011 05:21, Michael Gilbert wrote:
package: busybox-udeb
version: 1:1.17.1-10
severity: grave
Hi, testing is currently uninstallable since debootstrap (as of 1.0.28)
no longer uses md5 for integrity checks. It can make use of various
shaXYZsum instead. I think providing
forwarded 614340 https://bugs.launchpad.net/debian/+source/mailman/+bug/725498
thanks
On Monday 21 February 2011 08:21:58 Adrian von Bidder wrote:
Please consider this trivial patch, which exposes message-ids to the
templates used for the email archive.
Thanks. Because there's currently a
Package: mailman
Severity: wishlist
Hi Timo,
On Monday 21 February 2011 13:09:39 Timo Veith wrote:
Hello debian mailman hackers,
I've got a question according to the mailman package of Debian lenny. Today
a security update came in and I had some very old psv files left in
On Thursday 18 November 2010 21:02:11 Timo Sirainen wrote:
v2.0 uses by default:
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
Yes, this looks good, so the bug can be closed when 2.0 is uploaded. Will that
happen sometime soon?
Thijs
Package: lintian
Version: 2.4.3
Severity: wishlist
Tags: patch
Hi,
Files under /etc/cron.d must conform to the same filename specs as those in
the cron.{hourly,daily,weekly} dirs, so it would be nice to check those for
dots as well.
Attached patch accomplishes that.
One could perhaps consider
Package: scponly
Version: 4.8-4.1
Severity: normal
Hi,
The lenny version allowed the + character to be in commands.
The squeeze version doesn't allow this anymore. I cannot find in the
changelog why this was changed.
Problem is that it breaks duplicity, which uses a + in filenames,
which used
On Sunday 20 February 2011 14:26:01 Thijs Kinkhorst wrote:
Your package fails to autobuild from source.
The problem is that I built it when stable still had kernel 2.6.32 and it
now has 2.6.37. I can confirm that the package still builds with 2.6.32.
This means that 2.6.37 has
Hi Jérémy,
On Wednesday 23 February 2011 15:04:10 Jérémy Lal wrote:
Redmine package 1.0.1-1 is affected by several security issues :
* Info leak in journals controller
* Persistent XSS in wiki
* Command Execution in SCM adapter
Thanks. We've taken note of the issue (RT 3009) and someone from
Hi,
I see an upload for 0.16.2 is already pending. Great.
Please include the following CVE id's in its changelog:
CVE-2010-4653
CVE-2010-4654
Source: http://article.gmane.org/gmane.comp.security.oss.general/4117
It fixes those issues, which are probably very minor, but it would be good to
have
On Saturday 19 February 2011 16:22:44 Hector Oron wrote:
Your package fails to autobuild from source.
Find full build log at:
https://buildd.debian.org/fetch.cgi?pkg=cpqarrayd;ver=2.3-1.1;arch=armel;stamp=1298114825
Find an overview of failing architectures at:
On Sunday 20 February 2011 12:04:08 Julian Andres Klode wrote:
With squeeze, squeeze-updates was introduced, bringing
us in a situation where we have two repositories:
squeeze-updates (for updates)
squeeze/updates (for security)
That's confusing. It would be better to
On Sunday 20 February 2011 12:50:09 Thijs Kinkhorst wrote:
Your package fails to autobuild from source.
Find full build log at:
https://buildd.debian.org/fetch.cgi?pkg=cpqarrayd;ver=2.3-1.1;arch=armel;stamp=1298114825
Find an overview of failing architectures
On Wednesday 16 February 2011 11:07:31 Didier 'OdyX' Raboud wrote:
build-win32/g10/gpgv.exe usr/share/win32
IMHO, you should put gpgv.exe under usr/share/win32 . There is no policy
for such stuff, but gzip-win32 and cpio-win32 both put their *.exe there,
so having gpgv.exe there gives more
Hi,
On Sunday 26 December 2010 18:15:47 bertagaz wrote:
Since gnupg processes untrusted user input, having hardening options
enabled during its build might be a good idea. Actually I did try a build
with hardening-wrapper and it went fine [1]. Attached is a patch to enable
this feature.
On Wednesday 09 February 2011 11:35:15 Didier 'OdyX' Raboud wrote:
If your Debian can run wine, gpgv.exe runs correctly under wine (although
with glitches around path handling in the --keyring option; which are
workaround'able).
But yes, I can handle this, and I'll make sure to be
Hi,
This bug is fixed in squeeze through version sympa/6.0.1+dfsg-4 but unstable
is still affected, so it seems. Fixing it would allow 6.1 to migrate to
testing. Would this be possible?
thanks,
Thijs
Hi Philipp,
On Tue, February 8, 2011 11:11, Philipp Kern wrote:
Package: ia32-libs
Version: 20110117
Severity: normal
IBM's proprietary Tivoli Storage Manager backup client has ACL support
when
running on Linux. However it's only available if libacl.so can be
dlopen()ed.
As it's still a
/changelog
+++ cpqarrayd-2.3/debian/changelog
@@ -1,3 +1,11 @@
+cpqarrayd (2.3-1.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Apply no_ida patch from Fedora to make package build again
+in a squeeze context (closes: #543064).
+
+ -- Thijs Kinkhorst th...@debian.org Mon, 17 Jan
Hi Didier,
On Tuesday 08 February 2011 17:06:37 Didier Raboud wrote:
a current flaw of the standalone version of win32-loader (source and binary
package in Debian) is that it downloads the d-i kernel and initrds through
Internet without any form of checking that those are authenticated
On Wed, February 2, 2011 22:14, Goswin von Brederlow wrote:
PS: The sources are on mentors and need a sponsor for the upload. Thijs?
unblock ia32-libs-core/20110202
unblock ia32-libs/20110202
unblock ia32-libs-gtk/20110202
I would sponsor this if the release team acks that it is still
On Sun, January 30, 2011 20:46, Russ Allbery wrote:
Philipp Kern pk...@debian.org writes:
The tech-ctte did decide on that matter. What's the progress on this
bug now? Is there any action taken as a consequence of it?
It's waiting for someone to do the work required to come up with a
) testing; urgency=medium
+
+ * Non-maintainer upload by the Security Team
+ * Fix CVE-2010-4341 (Closes: #610032)
+
+ -- Thijs Kinkhorst th...@debian.org Mon, 31 Jan 2011 20:48:45 +0100
+
sssd (1.2.1-4) unstable; urgency=low
* Add patch from Stephen Gallagher to ensure LDAP authentication
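Review bot: the added entry "Fix CVE-2010-4341 (Closes: #610032)" gives only the CVE id, with no word on the nature of the issue or the patch that addresses it. The 1.2.1-4 entry below it names its patch and purpose ("Add patch from Stephen Gallagher to ensure LDAP authentication ..."); follow the same style here so a security upload can be audited from the changelog alone.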
diff
: this is where you define your SP.
There is an example shipped in
/usr/share/doc/simplesamlphp/examples/config-templates.
--
Thijs Kinkhorst th...@uvt.nl – LIS Unix
Universiteit van Tilburg – Library and IT Services
Bezoekadres Warandelaan 2 • Tel. 013 466 3035 • G 236
to the config-sanitycheck.php file. Each module you
want to enable can have its own config file which contains settings
specific to that module. In this case you could create a
config-sanitycheck.php based on
/usr/share/simplesamlphp/modules/sanitycheck/config-templates/
--
Thijs Kinkhorst th
contains in its config/
directory, in our /etc/simplesamlphp. This makes the behaviour of the
Debian package close to upstream and hence also close to existing
documentation. This will be incorporated in the next upload.
--
Thijs Kinkhorst th...@uvt.nl – LIS Unix
Universiteit van Tilburg – Library
On Sunday 23 January 2011 12:07:05 Julien Cristau wrote:
The release notes list that the default python is now 2.5, while it is
actually 2.6 (as per apt-cache show python).
I fixed this in SVN, thanks for pointing it out.
Your fix is wrong, python2.5 is still in squeeze, so
Package: release-notes
Severity: normal
Tags: patch
Hi,
The release notes list that the default python is now 2.5, while it is
actually 2.6 (as per apt-cache show python).
Attached patch updates the notes for that.
Thanks for maintaining the release notes.
Cheers,
Thijs
-- System
Hi Tollef,
I don't see why you think missing salting should be grave. Sure, it
should be fixed, but it's hardly the end of the world.
I agree with this, it's not a DSA-worthy issue. However, I still would
strongly prefer to see a fix in squeeze before the release - salts are
considered to
Dear release team,
On Wednesday 19 January 2011 23:24:14 Romain Beauxis wrote:
Thus, I kindly request the unblocking of spip 2.1.1-3 and its migration to
testing in the purpose of shipping a fixed spip package in Debian squeeze.
Please unblock this to address a security issue.
Cheers,
Thijs
Package: developers-reference
Severity: normal
Tags: patch
Hi,
Please apply attached patch, that encourages maintainers to file an issue
in RT directly.
Cheers,
Thijs
-- System Information:
Debian Release: 6.0
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture:
On Wed, January 19, 2011 09:41, Goswin von Brederlow wrote:
Package: ia32-libs
Version: 20101012
Severity: normal
The source can no longer be updated as non-root, which I find an
unacceptable solution.
Hmm, this is mode 0644 with me but apparently I changed that some time,
because it seems
Hi Bdale,
I see that the security issue in #609641 / CVE-2011-0010 is fixed in sid
but not in squeeze (lenny not affected). Would you be able to provide an
update via testing-proposed-updates for this? Let me know if you need
someone from the security team to do it.
Cheers,
Thijs
On Tuesday 18 January 2011 10:52:21 Bdale Garbee wrote:
On Tue, 18 Jan 2011 09:20:21 +0100, Thijs Kinkhorst th...@debian.org
wrote:
I see that the security issue in #609641 / CVE-2011-0010 is fixed in sid
but not in squeeze (lenny not affected). Would you be able to provide an
update via
Meanwhile (since base-files 5.3), there is an /etc/profile.d and
/etc/profile sources /etc/profile.d/*.sh, so this behaviour can easily
be changed now.
Good point that this is now fixable, but it has been an issue for 12 years
now, and squeeze is in quite a deep freeze. May I propose that
On Monday 17 January 2011 21:23:45 Helge Kreutzmann wrote:
Until recently, the name of the affected package was printed as first
word on the subject line. Now the subject starts with Security update
for
The first (old) version is much better, I already know (from sorting,
from the sender
Package: devscripts
Version: 2.10.35lenny7
Severity: normal
Hi,
If I install devscripts in a fresh squeeze chroot, the Recommendation of
www-browser is automatically fulfilled by conkeror which in turn depends
on xulrunner-1.9 which adds even more dependencies.
The package description says
at least.
Interested parties can also find built packages for amd64 and i386 in our
repository: http://non-gnu.uvt.nl/debian/squeeze/cpqarrayd/
Cheers,
Thijs
--
Thijs Kinkhorst th...@uvt.nl – LIS Unix
Universiteit van Tilburg – Library and IT Services • Postbus 90153, 5000 LE
Bezoekadres
Package: ia32-libs
Version: 20110115
Severity: important
Tags: security patch
Hi,
The fetch-and-build script uses --allow-unauthenticated to download the
packages to include in the build. This is quite undesirable because
essentially this unnecessarily breaks the trust chain for the hundreds
of
Hi Keith,
Good to hear your interest in the package.
On Fri, January 7, 2011 22:03, Keith Erekson wrote:
Two questions:
1. Why does this package depend on apache2 (or httpd), but not include any
apache2 conf (or a post-install script)?
Indeed we could install an example apache.conf,
On Thursday 30 December 2010 16:36:31 Julien Cristau wrote:
the following CVE (Common Vulnerabilities Exposures) ids were
published for phpmyadmin.
Can be fixed through security.d.o if it's not done by release, tagging
accordingly. A fixed package would still be appreciated, though.
On Thursday 16 December 2010 11:55:05 Goswin von Brederlow wrote:
On the note of ia32-libs-gtk. It seems that was rejected by an
overzealous lintian check. It doesn't depend on libc (no kidding :).
I will have to check that and add lintian overrides to it or get lintian
fixed.
Is there
On Tuesday 07 December 2010 18:01:05 Goswin von Brederlow wrote:
Uploading ia32-libs-core_20101207_source to mentors. Sponsors
welcome.
I have uploaded this now. I think this needs unblocking so that ia32-libs can
also migrate.
I've also sponsored ia32-libs-gtk/20101125 which could also need
On Wednesday 15 December 2010 15:29:00 Thijs Kinkhorst wrote:
I've also sponsored ia32-libs-gtk/20101125 which could also need an
unblock.
Unfortunately this got rejected:
Reject Reasons:
ia32-libs-gtk: lintian output: 'missing-dependency-on-libc needed by
./lib32/libglib-2.0.so.0.2400.2
On Thursday 18 November 2010 22:24:01 Thijs Kinkhorst wrote:
On Wednesday 17 November 2010 14:26:07 Goswin von Brederlow wrote:
ia32-libs-core (20101117) unstable; urgency=low
ia32-libs (20101117) unstable; urgency=low
I just uploaded these to sid.
I think ia32-libs-core still needs
Package: libapache2-authcassimple-perl
Version: 0.10-1
Severity: minor
Tags: patch
Hi,
Please see attached a patch to fix small typos in the package description.
Cheers,
Thijs
--
Thijs Kinkhorst th...@uvt.nl – LIS Unix
Universiteit van Tilburg – Library and IT Services • Postbus 90153
Source: opendnssec
Version: 1.1.3-1
Severity: minor
Tags: patch
Hi,
Here's a patch for some typos I encountered in the description while browsing
the opendnssec-packages.
Cheers,
Thijs
--
Thijs Kinkhorst th...@uvt.nl – LIS Unix
Universiteit van Tilburg – Library and IT Services • Postbus
Source: opendnssec
Version: 1.1.3-1
Severity: minor
Hi,
All packages built from this source package include the same README.Debian.
Its contents however show that this file was intended to be only installed
into the opendnssec-enforcer package.
Cheers,
Thijs
--
Thijs Kinkhorst th...@uvt.nl
Package: dovecot
Version: 1:1.2.15-3
Severity: important
Tags: security
Hi,
After installing dovecot it comes with insecure SSL ciphers enabled by
Luckily I saw that SSLv2 is now default disabled, but even with SSLv3
and TLSv1 dovecot enables 40 bit ciphers:
EXP-EDH-RSA-DES-CBC-SHA 40 bits
On Wednesday 17 November 2010 14:26:07 Goswin von Brederlow wrote:
ia32-libs-core (20101117) unstable; urgency=low
ia32-libs (20101117) unstable; urgency=low
I just uploaded these to sid.
I hope they can be unblocked and their urgency pushed by the release team if
they think it's
On Sunday 14 November 2010 23:35:39 Robert Millan wrote:
2010/11/14 Werner Koch w...@gnupg.org:
I don't have time to work on this myself. Unless someone else does,
I'd still recommend adding the SUID bit as a temporary solution.
Might be the easiest way until we have proper disk