close 951794 2.0-2
thanks
27;t
> know what happened with that. That said, I do not feel the tool fits
> into lintian - at least not with lintian current design.
devscripts seems fine to me if lintian doesn't want it. :)
-Kees
--
Kees Cook@debian.org
rks it as deprecated for quite a while now.
>
> Kees, what do you think?
Yeah, it (and hardening-includes) should get removed in favor of
the dpkg-buildflags method. However, this means we need to move the
"hardening-check" script from hardening-includes to lint
This is a kernel bug, not a dosemu bug. Please see:
https://lkml.org/lkml/2015/8/13/435
--
Kees Cook@debian.org
oposed update to
> debian/watch (#738531) while I'm at it. Thoughts?
That'd be great, yes.
> Of course, it would be preferable to upload 2.8.3 instead, and fix
> these bugs at the same time :)
I've seen some reports that 2.8.3 has issues with the apache
Severity: serious
This breaks SMTP TLS connections to debian.org when the client presents
a sha512 cert:
^ grep confSERVER_CERT /etc/mail/sendmail.mc
define(`confSERVER_CERT',`/etc/ssl/certs/smtp-cert.pem')dnl
$ openssl x509 -text -noout -in /etc/ssl/certs/smtp-cert.pem | grep 'Signature
Algori
h problems
> in the future.
I will try to reproduce this with parallel=5 (I've used =4), and chase any
resulting bug upstream.
Thanks for finding this!
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
ort the FTBFS separately.
After fixing the bison3-induced FTBFS, I still can't reproduce this i386
build problem. I'm uploading again now, and will see what the buildds
produce...
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email
close 655745
thanks
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
close 661161
thanks
debhelper 9.20120312 is now in Debian, and 9.20120115ubuntu3 is in Ubuntu,
so the versioning used here is correct now.
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Package: feh
Version: 1.10-1
Severity: grave
Tags: security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu natty
This bug report was also filed in Ubuntu and can be found at
http://launchpad.net/bugs/607328
The description, from segooon, follows:
Bin
Package: aptitude
Version: 0.6.3-3.2ubuntu1
Severity: grave
Tags: security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu natty
This bug report was also filed in Ubuntu and can be found at
http://launchpad.net/bugs/607264
The description, from segooon
Package: conky
Version: 1.8.0-1ubuntu1
Severity: grave
Tags: security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu natty
This bug report was also filed in Ubuntu and can be found at
http://launchpad.net/bugs/607309
The description, from segooon, fol
Package: tesseract
Version: 2.04-2
Severity: grave
Tags: security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu natty
This bug report was also filed in Ubuntu and can be found at
http://launchpad.net/bugs/607297
The description, from segooon, follows
tags 572468 + patch
tags 572468 + pending
thanks
Hello,
I've prepared an NMU for flex (versioned as 2.5.35-9.1) and
uploaded it to unstable. Please feel free to tell me if I
should delay it longer.
Thanks,
-Kees
--
Kees Cook@debian.org
diff -u
ll CLI updates are
> tied to a transition we are currently seeing through.
>
> Rest assured that a new version of db4o will be forthcoming very soon.
Okay, excellent! I was just trying to reduce RC bugs for the bug
squashing party. I'm glad th
rst though. I will continue to work on
> the solution, though my time has been limited of late by a busy work
> schedule.
Ah, very cool. I hadn't seen any comments on the bug, so I assumed there
was no activity on it.
> On Sun, Jan 24, 2010 at 4:49 PM, Kees Cook wrote:
> > I&#x
a feature request than anything else.
Further protecting a user who is already customizing their PAM stack is a
good idea and nice to have, but shouldn't cause PAM to have an RC bug for
it.
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email
Hello!
Attached is the patch that seems to be suggested as the solution, based on
fw's comments. I'll upload this shortly...
-Kees
--
Kees Cook@debian.org
diff -u debfoster-2.7/debian/postrm debfoster-2.7/debian/postrm
--- debfoster-
I've filed a removal request:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566760
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble?
I've filed a removal request:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566757
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble?
ithout doing a fair bit of work. Also note that the current version
upstream is 7.12.
Removing this from testing would also cause these to be removed:
longomatch tangerine
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bug
severity 557754 important
thanks
Both of these issues are denials of service, so I'm reducing severity
to "important". Additionally, upstream seems to indicate in their bug
report that CVE-2007-2195 does not exist any more.
--
Kees Cook
rm from testing and next
stable.
What makes the most sense for this bug?
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
[1]
https://buildd.debian.org/fetch.cgi?pkg=libselinux;ver=2.0.87-1;arch=i386;stamp=1255498769
--
Kees Cook@debian.org
diff -u libselinux-2.0.85/debian/control libselinux-2.0.85/debian/control
--- libselinux-2.0.85/debian/control
+++ libselinux-2.0.85/debi
more carefully reviewed for copyright issues.
Thanks,
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
If it's any consolation, mimetex isn't installed by default in cgi-bin,
though moodle is a direct user. It's not clear if moodle's existing
filtering limits this exposure or not.
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, ema
Attached is a patch for unstable to avoid this in the future...
--
Kees Cook@debian.org
Description: allow tetex-bin to be installable after 5 years.
Ubuntu: https://bugs.edge.launchpad.net/bugs/384904
Debian: http://bugs.debian.org/cgi-bin
w to contact them. So
> I hope Kees can look into this.
Thanks for the heads-up! Yeah, it looks like Ubuntu got the original
patch. I will get it fixed up. (Feel free to email me, but if you want
to reach Ubuntu security in general, you can use secur...@ubuntu.com.)
-Kees
--
Kee
-26-244986-1
6721753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5360
--
Kees Cook@outflux.net
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Conta
Hi,
How about this patch as an alternative, which doesn't change the
semantics of the array, but makes sure it is aligned.
Thanks,
-Kees
--
Kees Cook@outflux.net
diff -u jfsutils-1.1.12/debian/changelog jfsutils-1.1.12/debian/changelog
--- jfs
Tags: patch
thanks
Hi,
This patch disables jemalloc on architectures for which the *_2POW
defines aren't defined. (Which is causing the FTBFS's for hppa, sparc,
and s390.)
Thanks,
-Kees
--
Kees Cook@outflux.net
diff -u varnish-2.0.1/de
Tags: patch
thanks
Hi,
This patch make netmaze run for my on amd64 -- I just swapped all the
longs for ints. Behavior between i386 and amd64 looks the same to me
now.
-Kees
--
Kees Cook@outflux.net
diff -u netmaze-0.81+jpg0.82/allmove.c netmaze
Tags: patch
Hi!
How about just allowing a download failure in the postinst instead?
This wouldn't compromise the ability for "update-eicar" to do its job,
but would allow the package to install if an external network was not
available.
Thanks,
-Kees
Hi,
On Sat, Sep 20, 2008 at 09:06:21AM +0200, Mike Hommey wrote:
> On Fri, Sep 19, 2008 at 07:10:14PM -0700, Kees Cook wrote:
> > The above changes are for CVE-2008-3529.
>
> Certainly not. It's not in upstream patch.
This is where I was getting details:
https://bugzilla.red
Hi,
On Fri, Sep 19, 2008 at 09:24:30PM +0200, Mike Hommey wrote:
> On Mon, Sep 15, 2008 at 08:55:10AM -0700, Kees Cook wrote:
> > As far as I know, this patch matches the upstream changes for the
> > problem. Please see:
> >
> > https://bugzilla.redhat.com/show_bug.
ll be
silently ignored if -O is less than 2.
-Kees
[1] http://wiki.debian.org/Hardening
add hardening-wrapper to debian/control Build-Deps
add "export DEB_BUILD_HARDENING=1" to debian/rules
[2]
http://svn.debian.org/wsvn/hardening/hardening-w
-Wextra -D_FORTIFY_SOURCE=2 -Wl,-z,relro -o hello hello.c
Note, AFAIK, -fPIC and -fPIE is redundant: -fPIE is a subset of -fPIC.
-Kees
--
Kees Cook@outflux.net
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
or m68k
and hppa (architectures that don't support it).
--
Kees Cook@outflux.net
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
ld", ["/usr/bin/ld", ... "-z", "relro", ...
...
I don't have an m68k machine to test with, but if you run with
DEB_BUILD_HARDENING_DEBUG=1 you should be able to see the commands that
are being run during the configure script, and should help narrow down
Hi, I'd like to NMU a work-around fix for this problem. Currently
libpoe-component-jabber-perl is unusable, this NMU will fix the problem.
Please see attached proposed NMU debdiff.
--
Kees Cook@outflux.net
diff -Nru /tmp/wO9Kg26sZF/libpoe-comp
e diff.gz's and the .dsc. The orig is here[2].
Thanks,
-Kees
[1]
http://mentors.debian.net/debian/pool/main/l/libpoe-component-sslify-perl/libpoe-component-sslify-perl_0.08-1.dsc
[2]
http://search.cpan.org/CPAN/authors/id/N/NP/NPEREZ/POE-Component-Jabber-2.02.t
Thomas wrote:
> BEGIN failed--compilation aborted at
> /usr/share/perl5/POE/Component/Jabber/Client/Legacy.pm line 2.
--
Kees Cook@outflux.net
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble
Tags: patch
Hi! Attached is the NMU I'd like to upload shortly.
Thanks,
-Kees
--
Kees Cook@outflux.net
diff -u libgtkada2-2.8.1/debian/control libgtkada2-2.8.1/debian/control
--- libgtkada2-2.8.1/debian/control
+++ libgtkada2-2.8.1/debian/co
Hello! Attached is a fix for this bug (texlive dep change).
--
Kees Cook@outflux.net
diff -u libgtkada2-2.8.1/debian/control libgtkada2-2.8.1/debian/control
--- libgtkada2-2.8.1/debian/control
+++ libgtkada2-2.8.1/debian/control
@@ -2,7 +2,7
, and possibly
other versions, allows user-assisted remote attackers to execute
arbitrary code via crafted header information in a skin bitmap image,
which triggers memory corruption."
Attached is the patch being used in Ubuntu.
--
Kees Cook@outflux.n
noticing the breakage! I've changed the patch around a
little and tested with old and new SoX, and it seems to be working.
I'll get the new version uploaded shortly.
Thanks again and take care,
--
Kees Cook@outflux.net
--
To UNSUBS
Tags: patch
Attached is the patch used in Ubuntu's ktorrent 2.0.3 version.
--
Kees Cook@outflux.net
diff -Nru ktorrent-2.0.3+dfsg1.orig/libktorrent/torrent/chunkcounter.cpp ktorrent-2.0.3+dfsg1/libktorrent/torrent/chunkcounter.cpp
--- ktorrent-
ftp://ftp.gnupg.org/gcrypt/gpgme/patches/gpgme-1.1.3-multiple-message.patch
--
Kees Cook@outflux.net
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Attaching mplayer patch (same fix, different path)
--
Kees Cook@outflux.net
--- mplayer-1.0~rc1.orig/loader/dmo/DMO_VideoDecoder.c
+++ mplayer-1.0~rc1/loader/dmo/DMO_VideoDecoder.c
@@ -121,6 +121,7 @@
this->iv.m_bh = malloc(b
emcpy, which allows user-assisted remote attackers to cause a buffer
overflow and possibly execute arbitrary code."
xine-lib has a copy of this code in src/libw32dll/. Attached is the
(tiny) patch I used in Ubuntu for 1.1.2.
--
Kees Cook@outflux.ne
x27;m
using in Ubuntu for 2.0.3.
[1] http://bugzilla.gnome.org/show_bug.cgi?id=415526
--
Kees Cook@outflux.net
#! /bin/sh /usr/share/dpatch/dpatch-run
## 51_fix-format-strings.dpatch by Kees Cook <[EMAIL PROTECTED]>
##
## All lines beginning with `## D
enial of service and possibly execute arbitrary
code via a crafted Q.931 SETUP packet."
See attached patch for upstream fix.
--
Kees Cook@outflux.net
Index: urlhandler.cpp
===
--- urlh
d
(3) qof.trace.[PID] temporary files."
See also bug #406983 -- this CVE is fixed in version 2.0.5.
--
Kees Cook@outflux.net
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
ks by writing a URI
with a null byte to the hostname (location.hostname) DOM property, due
to interactions with DNS resolver code."
Upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=370445
Upstream patch: https://bugzilla.mozilla.org/attachment.cgi?id=255252
--
ack" to be
set to 0 in site configurations.
--
Kees Cook@outflux.net
diff -Nur moin1.3-1.3.4/MoinMoin/multiconfig.py moin1.3-1.3.4.new/MoinMoin/multiconfig.py
--- moin1.3-1.3.4/MoinMoin/multiconfig.py 2005-03-12 13:26:14.0 -0800
+++ m
n.kde.org/trunk/extragear/multimedia/amarok/src/magnatunebrowser/magnatunealbumdownloader.cpp?rev=633728&r1=632452&r2=633728
--
Kees Cook@outflux.net
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
BTW, the CVE is misleading, there are ruby script fixes needed as well
as the unzip bug. Attached is a patch for the ruby fixes, which appear
to be in upstream 1.4.5 already.
--
Kees Cook@outflux.net
diff -Nur amarok-1.4.3/amarok/src/scripts
shell
metacharacters."
There is an open KDE bug report[2], and SuSE has patched this
problem. I'm working on extracting the patches now...
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6979
[2] http://bugs.kde.org/show_bug.cgi?id=138499
an tell,
if ps/ps.c exists in the codebase, it's vulnerable. (Since that file
was embedded from a vulnerable version of gv.)
Thanks!
--
Kees Cook@outflux.net
es to both 0.4.0 and 0.6.1).
--
Kees Cook@outflux.net
diff -Nur evince-0.4.0/ps/ps.c evince-0.4.0.new/ps/ps.c
--- evince-0.4.0/ps/ps.c2005-06-17 06:33:00.0 -0700
+++ evince-0.4.0.new/ps/ps.c2006-12-04 12:28:32.280683848 -0800
@@ -1
Tags: patch
Hello! I've reported this upstream[1] and suggested a possible patch[2]
to disable handling of GNUTYPE_NAMES (since it is a deprecated type).
[1] https://savannah.gnu.org/bugs/index.php?18355
[2] https://savannah.gnu.org/bugs/download.php?file_id=11327
--
Kees
Tags: patch
Seems like the tmp file isn't needed at all? Possible patch attached.
--
Kees Cook@outflux.net
diff -u thttpd-2.23beta1/debian/thttpd.logrotate
thttpd-2.23beta1/debian/thttpd.logrotate
--- thttpd-2.23beta1/debian/thttpd.logr
uot;Type 1 - None",
which is accepted even if it is not offered by the server...'
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-2369
http://www.realvnc.com/products/free/4.1/release-notes.html
--
Kees Cook@outflux.net
--
To UNSUBSCR
Package: yaird
Version: 0.0.12-1
Followup-For: Bug #343042
I'm seeing the same problems with yaird. Made 2.6.14 unbootable.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh
Package: squirrelmail
Version: 2:1.4.5-2
Severity: grave
Tags: patch
Justification: renders package unusable
squirrelmail uses the wrong prefix for SSL imap connections. This is
reported (and fixed) here:
http://libarynth.f0.am/cgi-bin/twiki/view/Libarynth/SquirrelMail
/usr/share/squirrelmail/f
Package: libssl0.9.8
Version: 0.9.8a-2
Severity: grave
Justification: renders package unusable
There is a seg fault when using Perl LWP to access https sites:
#0 0xb7dc3942 in SSL_CTX_ctrl () from /usr/lib/i686/cmov/libssl.so.0.9.8
#1 0xb7de07de in XS_Crypt__SSLeay__CTX_new ()
from /usr/lib
67 matches
Mail list logo
