Bug#877039: marked as done (":80" is appended to socket file name)
Your message dated Thu, 06 Dec 2018 13:05:26 + with message-id and subject line Bug#877039: fixed in lighttpd 1.4.52-1 has caused the Debian Bug report #877039, regarding ":80" is appended to socket file name to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
877039: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877039
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: lighttpd
Version: 1.4.45-1

If the server is bound to a socket in file system, three characters :80 are appended to the file path, breaking my reverse proxy setup.

Minimal example:

jonny@heron:/var/tmp/ltest$ lighttpd -D -f config &
[1] 30888
jonny@heron:/var/tmp/ltest$ 2017-09-28 00:26:22: (log.c.217) server started

jonny@heron:/var/tmp/ltest$ ls
config  lighty.pid  lighty.sock:80
jonny@heron:/var/tmp/ltest$ cat config
server.document-root = "/var/tmp/ltest/"
index-file.names = ( "index.html", "index.lighttpd.html" )
server.bind = "/var/tmp/ltest/lighty.sock"
server.errorlog = "/dev/tty"
server.pid-file = "/var/tmp/ltest/lighty.pid"
dir-listing.activate = "enable"
# -- end of lighttpd config.

expected: a socket "lighty.sock" without :80

jonny@heron:~$ dpkg -s libc6 | grep ^Version
Version: 2.24-17
jonny@heron:~$ uname -a
Linux heron 4.11.0-1-amd64 #1 SMP Debian 4.11.6-1 (2017-06-19) x86_64 GNU/Linux

I think the source lines appending the port are src/network.c,

    buffer_copy_buffer(b, srv->srvconf.bindhost);
    buffer_append_string_len(b, CONST_STR_LEN(":"));
    buffer_append_int(b, srv->srvconf.port);

I remember my setup to work some time ago (jessie or something older)
--- End Message ---
--- Begin Message ---
Source: lighttpd
Source-Version: 1.4.52-1

We believe that the bug you reported is fixed in the latest version of lighttpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 877...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Helmut Grohne (supplier of updated lighttpd package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 06 Dec 2018 13:44:42 +0100
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet lighttpd-mod-webdav lighttpd-mod-authn-gssapi lighttpd-mod-authn-ldap lighttpd-mod-authn-mysql lighttpd-mod-geoip
Architecture: source
Version: 1.4.52-1
Distribution: sid
Urgency: medium
Maintainer: Debian QA Group
Changed-By: Helmut Grohne
Description:
 lighttpd - fast webserver with minimal memory footprint
 lighttpd-doc - documentation for lighttpd
 lighttpd-mod-authn-gssapi - GGSAPI authentication for lighttpd
 lighttpd-mod-authn-ldap - LDAP authentication for lighttpd
 lighttpd-mod-authn-mysql - MySQL authentication for lighttpd
 lighttpd-mod-cml - cache meta language module for lighttpd
 lighttpd-mod-geoip - GeoIP restrictions for lighttpd
 lighttpd-mod-magnet - control the request handling module for lighttpd
 lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
 lighttpd-mod-trigger-b4-dl - anti-deep-linking module for lighttpd
 lighttpd-mod-webdav - WebDAV module for lighttpd
Closes: 857255 877039 879496 913528
Changes:
 lighttpd (1.4.52-1) unstable; urgency=medium
 .
   * QA Upload.
   * New upstream release. (Closes: #879496)
     + Fix CVE-2018-19052. (Closes: #913528)
     + Don't append port to unix sockets. (Closes: #877039)
     + Refactor buffer API. (Closes: #857255)
     + Don't use AC_PATH_PROG to find pkg-config. (Addresses: #912358)
     + Drop patch fix-openssl-1.1.1.patch applied upstream.
     + Add new mod_sockproxy.so to main package.
   * Replace Build-Depends: dh-systemd with newer debhelper for lintian.
Bug#913528: marked as done (lighttpd: CVE-2018-19052)
Your message dated Thu, 06 Dec 2018 13:05:26 + with message-id and subject line Bug#913528: fixed in lighttpd 1.4.52-1 has caused the Debian Bug report #913528, regarding lighttpd: CVE-2018-19052 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
913528: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913528
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: lighttpd
Version: 1.4.49-1.1
Severity: important
Tags: security upstream
Control: found -1 1.4.45-1

Hi,

The following vulnerability was published for lighttpd.

CVE-2018-19052[0]:
| An issue was discovered in mod_alias_physical_handler in mod_alias.c in
| lighttpd before 1.4.50. There is potential ../ path traversal of a
| single directory above an alias target, with a specific mod_alias
| configuration where the matched alias lacks a trailing '/' character,
| but the alias target filesystem path does have a trailing '/'
| character.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19052
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19052
[1] https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: lighttpd
Source-Version: 1.4.52-1

We believe that the bug you reported is fixed in the latest version of lighttpd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 913...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Helmut Grohne (supplier of updated lighttpd package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)
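A configuration audit for the condition the CVE-2018-19052 text above describes, as an added example that is not part of the original messages or of lighttpd: it lists alias.url entries whose key lacks a trailing '/' while the target path has one, and compares the package's upstream version with 1.4.50. The sample configuration is constructed, the function names are hypothetical, and the parser assumes alias.url is assigned with = or += and uses double-quoted strings.

```python
import re

FIXED_IN = (1, 4, 50)  # from the CVE text: "lighttpd before 1.4.50"

# Constructed sample configuration (not taken from any real host).
SAMPLE_CONFIG = '''
server.modules += ( "mod_alias" )
# alias.url = ( "/old" => "/srv/old/" )
alias.url = (
    "/docs"     => "/usr/share/doc/",     # key without '/', target with '/'
    "/cgi-bin/" => "/usr/lib/cgi-bin/"
)
alias.url += ( "/static" => "/srv/www/static" )
'''

ALIAS_RE = re.compile(r'alias\.url\s*\+?=\s*\(')
PAIR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*=>\s*"((?:[^"\\]|\\.)*)"')
VERSION_RE = re.compile(r'(?:\d+:)?(\d+)\.(\d+)\.(\d+)')


def strip_comments(text):
    """Drop '#' comments, leaving '#' inside double-quoted strings alone."""
    lines = []
    for line in text.splitlines():
        kept, in_str, escaped = [], False, False
        for ch in line:
            if in_str:
                kept.append(ch)
                if escaped:
                    escaped = False
                elif ch == "\\":
                    escaped = True
                elif ch == '"':
                    in_str = False
            elif ch == "#":
                break
            else:
                in_str = ch == '"'
                kept.append(ch)
        lines.append("".join(kept))
    return "\n".join(lines)


def alias_pairs(config_text):
    """Return every (url_prefix, filesystem_target) pair from alias.url lists."""
    text = strip_comments(config_text)
    pairs = []
    for m in ALIAS_RE.finditer(text):
        depth, i, in_str = 1, m.end(), False
        while i < len(text) and depth:
            ch = text[i]
            if in_str:
                if ch == "\\":
                    i += 1              # skip the escaped character
                elif ch == '"':
                    in_str = False
            elif ch == '"':
                in_str = True
            elif ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            i += 1
        end = i - 1 if depth == 0 else i  # tolerate a missing ')'
        pairs.extend(PAIR_RE.findall(text[m.end():end]))
    return pairs


def risky_aliases(config_text):
    """Pairs matching the CVE's condition: key lacks '/', target ends in '/'."""
    return [(k, v) for k, v in alias_pairs(config_text)
            if not k.endswith("/") and v.endswith("/")]


def upstream_version(pkg_version):
    """'1.4.49-1.1' -> (1, 4, 49); the Debian revision is ignored."""
    m = VERSION_RE.match(pkg_version)
    if not m:
        raise ValueError("unrecognised version: %r" % pkg_version)
    return tuple(int(part) for part in m.groups())


def audit(config_text, pkg_version):
    """Combine both checks. The version test looks at the upstream number
    only; a distribution package may carry a backported fix under an older
    upstream version, so treat it as a hint, not proof."""
    return {
        "version_before_fix": upstream_version(pkg_version) < FIXED_IN,
        "risky_aliases": risky_aliases(config_text),
    }


if __name__ == "__main__":
    for version in ("1.4.45-1", "1.4.52-1"):
        print(version, audit(SAMPLE_CONFIG, version))
```

An entry reported here can be taken out of the described condition by making the alias key and its target agree on the trailing '/'.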
Bug#879496: marked as done (new upstream release 1.4.52 available)
Your message dated Thu, 06 Dec 2018 13:05:26 + with message-id and subject line Bug#879496: fixed in lighttpd 1.4.52-1 has caused the Debian Bug report #879496, regarding new upstream release 1.4.52 available to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
879496: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879496
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: lighttpd
Version: 1.4.45-1

Hi,

we just released 1.4.46.

In https://build.opensuse.org/package/show/home:stbuehler:lighttpd-1.4.x/lighttpd I provide an updated package; as always our goal is to build on older distributions too, while sticking to the official package as close as possible.

Build service doesn't provide the source gpg signature yet, so to download the source package use:

    wget -O lighttpd_1.4.46.orig.tar.xz.asc https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.46.tar.xz.asc
    dget -ud https://download.opensuse.org/repositories/home:/stbuehler:/lighttpd-1.4.x/Debian_Next/lighttpd_1.4.46-0.1.dsc

* I included the gpg signature in the upload for now (but this breaks Ubuntu 14.04, dpkg-dev-1.17.5ubuntu5 doesn't like the "unknown" file)
* Some new modules; some of those got their own package. The descriptions might need some work.
* Updated var/www/cgi-bin/ in lighttpd.lintian-overrides. You might want to rethink that (#763618, #837696), policy is clear on this imho: https://www.debian.org/doc/debian-policy/#web-servers-and-applications
  > [...]
  > 1. Cgi-bin executable files are installed in the directory
  >    /usr/lib/cgi-bin
  > [...]
--- End Message ---
--- Begin Message ---
Source: lighttpd
Source-Version: 1.4.52-1

We believe that the bug you reported is fixed in the latest version of lighttpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 879...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Helmut Grohne (supplier of updated lighttpd package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)
Bug#857255: marked as done (lighttpd: mod_scgi: out of bounds read in scgi_demux_response)
Your message dated Thu, 06 Dec 2018 13:05:26 + with message-id and subject line Bug#857255: fixed in lighttpd 1.4.52-1 has caused the Debian Bug report #857255, regarding lighttpd: mod_scgi: out of bounds read in scgi_demux_response to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
857255: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857255
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: lighttpd
Version: 1.4.45-1
Tags: security patch

While debugging a problem with lighttpd on behalf of my current employer Intenta GmbH, I found an out of bounds read.

http://sources.debian.net/src/lighttpd/1.4.45-1/src/mod_scgi.c/#L1828
| for (c = hctx->response_header->ptr, cp = 0, used = buffer_string_length(hctx->response_header); used; c++, cp++, used--) {
|     if (*c == ':') in_header = 1;
|     else if (*c == '\n') {
|         if (in_header == 0) {
|             /* got a response without a response header */
|
|             c = NULL;
|             header_end = 1;
|             break;
|         }
|
|         if (eol == EOL_UNSET) eol = EOL_N;
|
|         if (*(c+1) == '\n') {
|             header_end = 1;
|             hlen = cp + 2;
|             break;
|         }
|
|     } else if (used > 1 && *c == '\r' && *(c+1) == '\n') {

The loop is constructed such that up to `used` bytes can be read starting from `c`. Thus the access to `*c` is ok. However accessing `*(c+1)` may be out of bounds. The condition should check for `used > 1` before accessing `*(c+1)`. Both the later condition checking for CR LF in the excerpt above and an even later condition checking for double CR LF do check for sufficient buffer contents. It's only this one occurrence that misses the check.
In practise, this can result in lighttpd sending corrupted responses to its clients when its SCGI reads are chunked in a bad way (i.e. they end with '\n'). The following patch fixes the problem: --- a/src/mod_scgi.c +++ b/src/mod_scgi.c 
@@ -1826,7 +1826,7 @@ if (eol == EOL_UNSET) eol = EOL_N; - if (*(c+1) == '\n') { + if (used > 1 && *(c+1) == '\n') { header_end = 1; hlen = cp + 2; break; It is unclear whether this issue can be used to corrupt the memory of a lighttpd. The actual impact beyond malformed responses is not clear and thus no attempt has been made at allocating a CVE. Helmut --- End Message --- --- Begin Message --- Source: lighttpd Source-Version: 1.4.52-1 We believe that the bug you reported is fixed in the latest version of lighttpd, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 857...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Helmut Grohne (supplier of updated lighttpd package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Thu, 06 Dec 2018 13:44:42 +0100 Source: lighttpd Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet lighttpd-mod-webdav lighttpd-mod-authn-gssapi lighttpd-mod-authn-ldap lighttpd-mod-authn-mysql lighttpd-mod-geoip Architecture: source Version: 1.4.52-1 Distribution: sid Urgency: medium Maintainer: Debian QA Group Changed-By: Helmut Grohne Description: lighttpd - fast webserver with minimal memory footprint lighttpd-doc - documentation for lighttpd lighttpd-mod-authn-gssapi - GGSAPI authentication for lighttpd lighttpd-mod-authn-ldap - LDAP authentication for lighttpd
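Review bot: with the new `used > 1 &&` guard on the `*(c+1) == '\n'` test, a chunk that ends in a single '\n' now falls through with `header_end` still unset, although `eol` has already been set to EOL_N on the context line above. Please confirm that the caller keeps the partial data in `hctx->response_header` and rescans once more bytes arrive, and state that in a short comment next to the check. A regression test that feeds a response split directly after a '\n' would pin down the chunking case the report describes.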
Processing of lighttpd_1.4.52-1_source.changes
lighttpd_1.4.52-1_source.changes uploaded successfully to localhost along with the files:
  lighttpd_1.4.52-1.dsc
  lighttpd_1.4.52.orig.tar.xz
  lighttpd_1.4.52.orig.tar.xz.asc
  lighttpd_1.4.52-1.debian.tar.xz
  lighttpd_1.4.52-1_amd64.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)
lighttpd_1.4.52-1_source.changes ACCEPTED into unstable
Mapping sid to unstable.

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 06 Dec 2018 13:44:42 +0100
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet lighttpd-mod-webdav lighttpd-mod-authn-gssapi lighttpd-mod-authn-ldap lighttpd-mod-authn-mysql lighttpd-mod-geoip
Architecture: source
Version: 1.4.52-1
Distribution: sid
Urgency: medium
Maintainer: Debian QA Group
Changed-By: Helmut Grohne
Description:
 lighttpd - fast webserver with minimal memory footprint
 lighttpd-doc - documentation for lighttpd
 lighttpd-mod-authn-gssapi - GGSAPI authentication for lighttpd
 lighttpd-mod-authn-ldap - LDAP authentication for lighttpd
 lighttpd-mod-authn-mysql - MySQL authentication for lighttpd
 lighttpd-mod-cml - cache meta language module for lighttpd
 lighttpd-mod-geoip - GeoIP restrictions for lighttpd
 lighttpd-mod-magnet - control the request handling module for lighttpd
 lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
 lighttpd-mod-trigger-b4-dl - anti-deep-linking module for lighttpd
 lighttpd-mod-webdav - WebDAV module for lighttpd
Closes: 857255 877039 879496 913528
Changes:
 lighttpd (1.4.52-1) unstable; urgency=medium
 .
   * QA Upload.
   * New upstream release. (Closes: #879496)
     + Fix CVE-2018-19052. (Closes: #913528)
     + Don't append port to unix sockets. (Closes: #877039)
     + Refactor buffer API. (Closes: #857255)
     + Don't use AC_PATH_PROG to find pkg-config. (Addresses: #912358)
     + Drop patch fix-openssl-1.1.1.patch applied upstream.
     + Add new mod_sockproxy.so to main package.
   * Replace Build-Depends: dh-systemd with newer debhelper for lintian.
Thank you for your contribution to Debian.
Processing of xpdf_3.04-11_source.changes
xpdf_3.04-11_source.changes uploaded successfully to localhost along with the files:
  xpdf_3.04-11.dsc
  xpdf_3.04-11.debian.tar.xz
  xpdf_3.04-11_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)
Processing of xpdf_3.04-11exp1_source.changes
xpdf_3.04-11exp1_source.changes uploaded successfully to localhost along with the files:
  xpdf_3.04-11exp1.dsc
  xpdf_3.04-11exp1.debian.tar.xz
  xpdf_3.04-11exp1_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)
xpdf_3.04-11_source.changes ACCEPTED into unstable
Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 06 Dec 2018 15:13:34 +0100
Source: xpdf
Binary: xpdf
Architecture: source
Version: 3.04-11
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group
Changed-By: Gianfranco Costamagna
Description:
 xpdf - Portable Document Format (PDF) reader
Changes:
 xpdf (3.04-11) unstable; urgency=medium
 .
   * QA upload
   * Revert to 3.04-9 version because unstable has old poppler

Thank you for your contribution to Debian.
xpdf_3.04-11exp1_source.changes ACCEPTED into experimental
Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 06 Dec 2018 15:16:02 +0100
Source: xpdf
Binary: xpdf
Architecture: source
Version: 3.04-11exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian QA Group
Changed-By: Gianfranco Costamagna
Description:
 xpdf - Portable Document Format (PDF) reader
Changes:
 xpdf (3.04-11exp1) experimental; urgency=medium
 .
   * QA upload
   * Upload to experimental with patch for poppler-0.71, to make the archive ready for the transition.

Thank you for your contribution to Debian.
Bug#915742: simba: fails to purge - command ucf in postrm not found
Package: simba
Version: 0.8.4-5
Severity: important
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package failed to purge due to a command not found. According to policy 7.2 you cannot rely on the depends being available during purge, only the essential packages are available for sure.

Please see the manpages ucf(1), ucfr(1) and the example maintainer scripts under /usr/share/doc/ucf/examples/ for correct usage of ucf.

Filing this as important because a.) it's a clear policy violation (to not clean up at purge) b.) having a piuparts clean archive is a release goal since lenny and c.) this package being piuparts buggy blocks packages depending on it from being tested by piuparts (and thus possibly the detection of more severe problems).

From the attached log (scroll to the bottom...):

0m56.0s ERROR: Command failed (status=1): ['chroot', '/srv/piuparts/tmp/tmp1sQcO0', 'dpkg', '--purge', 'simba']
  (Reading database ... 4459 files and directories currently installed.)
  Purging configuration files for simba (0.8.4-5) ...
  /var/lib/dpkg/info/simba.postrm: 27: /var/lib/dpkg/info/simba.postrm: ucf: not found
  dpkg: error processing package simba (--purge):
   installed simba package post-removal script subprocess returned error exit status 127
  Errors were encountered while processing:
   simba

cheers,

Andreas

simba_0.8.4-5.log.gz
Description: application/gzip
[bts-link] source package doxygen
#
# bts-link upstream status pull for source package doxygen
# see http://lists.debian.org/debian-devel-announce/2006/05/msg1.html
#     https://bts-link-team.pages.debian.net/bts-link/
#

user debian-bts-l...@lists.debian.org

# remote status report for #818379 (http://bugs.debian.org/818379)
# Bug title: doxygen: Does not properly trap for errors when calling dot
#  * https://github.com/doxygen/doxygen/issues/6653
#  * remote status changed: (?) -> open
usertags 818379 + status-open

thanks
Bug#915742: simba: fails to purge - command ucf in postrm not found
On Thu, Dec 06, 2018 at 04:56:07PM +0100, Andreas Beckmann wrote:
>...
> Please see the manpages ucf(1), ucfr(1) and the example maintainer
> scripts under /usr/share/doc/ucf/examples/ for correct usage of ucf.
>
> Filing this as important because a.) it's a clear policy violation (to
> not clean up at purge) b.) having a piuparts clean archive is a release
> goal since lenny and c.) this package being piuparts buggy blocks
> packages depending on it from being tested by piuparts (and thus
> possibly the detection of more severe problems).
>
> From the attached log (scroll to the bottom...):
>
> 0m56.0s ERROR: Command failed (status=1): ['chroot', '/srv/piuparts/tmp/tmp1sQcO0', 'dpkg', '--purge', 'simba']
>   (Reading database ... 4459 files and directories currently installed.)
>   Purging configuration files for simba (0.8.4-5) ...
>   /var/lib/dpkg/info/simba.postrm: 27: /var/lib/dpkg/info/simba.postrm: ucf: not found
>   dpkg: error processing package simba (--purge):
>    installed simba package post-removal script subprocess returned error exit status 127
>   Errors were encountered while processing:
>    simba

IMHO this is RC:

https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#id11

  all postrm actions may only rely on essential packages and must
  gracefully skip any actions that require the package’s dependencies
  if those dependencies are unavailable.

> cheers,
>
> Andreas

cu
Adrian

--
"Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
Processing of mcrypt_2.6.8-4_source.changes
mcrypt_2.6.8-4_source.changes uploaded successfully to localhost along with the files:
  mcrypt_2.6.8-4.dsc
  mcrypt_2.6.8-4.diff.gz
  mcrypt_2.6.8-4_amd64.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)
mcrypt_2.6.8-4_source.changes ACCEPTED into unstable
Accepted:

Format: 1.8
Date: Thu, 06 Dec 2018 19:18:55 +0100
Source: mcrypt
Binary: mcrypt
Architecture: source
Version: 2.6.8-4
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group
Changed-By: Andreas Henriksson
Description:
 mcrypt - Replacement for old unix crypt(1)
Changes:
 mcrypt (2.6.8-4) unstable; urgency=medium
 .
 * QA Upload (sigh, third time is a charm?)
 * Also explicitly pass BZIP2=/bin/bzip2 to configure

Thank you for your contribution to Debian.
Bug#889803: add package with cd-paranoia binary
Niels, it looks like you uploaded src:libcdio-paranoia 10.2+0.94+2-4, removing the cd-paranoia binary package, because cd-paranoia(1) is already included in the libcdio-utils package. However, if you look at libcdio-utils in sid, you’ll see this is no longer the case – there is currently no package in sid that provides cd-paranoia(1). Would you be willing to undo that change and upload a new src:libcdio-paranoia equivalent to 10.2+0.94+2-3?

For reference, here’s the current situation. cd-paranoia(1) was originally developed in upstream’s libcdio repository.¹ In 2011, shortly after the release of libcdio 0.83, Rocky Bernstein split that repository into a libcdio repository and a libcdio-paranoia repository,² copying over cd-paranoia(1) to the new development. Further work on the program occurred there.

However, libcdio appears not to have much attention paid to it in Debian at the time, so src:libcdio 0.83 and its associated binary packages were included with jessie and stretch, and libcdio-utils contained cd-paranoia(1).

After the stretch release, however, src:libcdio and src:libcdio-paranoia got updates in Debian: src:libcdio to 2.0.0 and src:libcdio-paranoia to 10.2+0.94+2. During the update, cd-paranoia(1) disappeared from src:libcdio, as expected. However, the program didn’t get included in any of src:libcdio-paranoia’s binary packages. This brings us to the current situation, in which the cd-paranoia(1) program is not distributed in sid at all.

¹ https://git.savannah.gnu.org/cgit/libcdio.git
² https://github.com/rocky/libcdio-paranoia
lighttpd is marked for autoremoval from testing
lighttpd 1.4.49-1.1 is marked for autoremoval from testing on 2019-01-02

It is affected by these RC bugs:
866737: lighttpd: Enable Mod command fails on Stretch
887450: lighttpd: lighttpd missing dependency on perl5 for mod scripts
913249: lighttpd: Can't locate Term/ReadLine.pm in @INC
913251: lighttpd: SSL: renegotiation initiated by client, killing connection
link-grammar is marked for autoremoval from testing
link-grammar 5.5.0-1 is marked for autoremoval from testing on 2019-01-12 It is affected by these RC bugs: 915060: link-grammar: autopkgtest relies on built binaries without matching dependencies
abiword is marked for autoremoval from testing
abiword 3.0.2-8 is marked for autoremoval from testing on 2019-01-12 It (build-)depends on packages with these RC bugs: 915060: link-grammar: autopkgtest relies on built binaries without matching dependencies