On Mon, 15 Jul 2019 at 07:05:46 +, Luke Flinders wrote:
> seen as this is not a Debian related package causing the issue, I am
> happy if you want to close.
I can still help with the debugging :-) AFAICT the “Error: Timeout
reached while waiting for askpass.” condition is reached iff. the scr
Control: retitle -1 `cryptroot-unlock` timeouts when Kali's
cryptsetup-nuke-password package is installed
On Mon, 15 Jul 2019 at 07:05:46 +, Luke Flinders wrote:
> This is the package;
> https://gitlab.com/kalilinux/packages/cryptsetup-nuke-keys
Oh, didn't you mean
https://gitlab.com/kalilin
Hi there,
On Fri, 19 Jul 2019 at 22:14:49 -0300, intrigeri wrote:
> it turns out this is caused by a bug in libblockdev, which is fixed in
> sid already (although it seems like upstream applied the fix for
> unrelated reasons and it's not clear whether they realized this bug
> was a possibility).
On Sat, 20 Jul 2019 at 06:01:35 -0300, Guilhem Moulin wrote:
> LUKS2_get_volume_key_size() fails because the key size is specified in
> the ‘keyslots’ object of LUKSv2's JSON header [0], and that object is
> the empty array at that point.
Forgot to add another data point which sup
Control: tag -1 pending
On Thu, 08 Nov 2018 at 16:03:15 +0100, 21na...@gmail.com wrote:
> An encrypted (root) filesystem containing its key file can be unlocked by
> the initramfs image if the value of the variable “KEYFILE_PATTERN”, in the
> file “/etc/cryptsetup-initramfs/conf-hook”, matches the
Hi,
On Sun, 21 Jul 2019 at 13:36:06 +0200, Michael Biebl wrote:
> Agreed. I've just uploaded a libblockdev with that cherry-pick to buster
> and this change was acked by the SRMs, so should be in 10.1.
Awesome! :-)
> Regarding the LUKS2/udisks2/LimitMEMLOCK issue, would you prefer to
> track thi
On Sun, 21 Jul 2019 at 22:40:38 +0200, Michael Biebl wrote:
> I already uploaded 2.20-7+deb10u1 with this changelog, so it's not
> really possible anymore to undo this other than making a 2.20-7+deb10u2
> upload, which seems like overkill to me.
> I don't think the changelog is that misleading that
Control: tag -1 pending
Hi,
On Sun, 21 Jul 2019 at 12:58:28 +0100, Simon McVittie wrote:
> My understanding is that it's fine for me to remove cryptsetup-run, because
> its functionality has been subsumed by the combination of cryptsetup and
> cryptsetup-initramfs?
Yup it's safe to remove 'crypt
On Sun, 21 Jul 2019 at 21:57:09 -0300, Guilhem Moulin wrote:
> cryptsetup <2:2.0.3-1's (≤Stretch) functionalities have been subsumed
> by the combination of cryptsetup-run and cryptsetup-initramfs between
> 2:2.0.3-1 and 2:2.0.3-5 (Buster); and the combination of
> cryptsetu
On Mon, 22 Jul 2019 at 11:37:24 +1200, Ben Caradoc-Davies wrote:
> cryptsetup 2:2.1.0-6 has no dependency on cryptsetup-initramfs so the
> latter will be autoremoved if only cryptsetup was marked manual by the
> installer.
Ooops. We don't want ‘cryptsetup’ to hard-depend on ‘cryptsetup-initramfs’
Control: reassign -1 cryptsetup-initramfs
Control: forcemerge -1 820888
Hi,
On Wed, 24 Jul 2019 at 12:42:45 +0200, Mátyás Csere wrote:
> The symptoms are exactly as described on:
> https://bugs.launchpad.net/debian/+source/cryptsetup/+bug/1830110
> The proposed patch works on Buster too.
Please
Control: severity -1 normal
On Sat, 08 Jun 2019 at 22:05:42 +0200, Guilhem Moulin wrote:
> Our (cryptsetup maintaining team) plan is to rename ‘cryptsetup-run’ to
> ‘cryptsetup’ once Buster is released, hence this bug should be RC at
> this point: with `apt-install cryptsetup` the
pt-install cryptsetup-initramfs` if any volume needs to be unlocked at
| initramfs stage, i.e., holding /, /usr, and/or the resume device(s).
Cheers,
--
Guilhem.
From b72b0934eb4c729d5fef462bb832aec6665513c8 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Fri, 26 Jul 2019 23:24:33 +0200
Subjec
Control: retitle -1 -v yields fatal name resolution errors
Control: tag -1 upstream
On Sat, 23 May 2020 at 18:33:38 +0800, Dan Jacobson wrote:
> $ nc -v -l -p 60111
> nc: getnameinfo: Temporary failure in name resolution
Do you have a working resolver on that host? I can't reproduce this
with a
On Sun, 24 May 2020 at 01:34:24 +0200, Sandro Knauß wrote:
> Control: forwarded -1 https://github.com/roundcube/roundcubemail/pull/7402
> […]
> Well I tried several times to reach upstream and they are often not
> answering.
> Nevertheless I created a pull request with an updated version, that
On Sun, 24 May 2020 at 01:38:14 +0200, Guilhem Moulin wrote:
> That error should probably not be fatal
FTR that's in report_sock().
--
Guilhem.
signature.asc
Description: PGP signature
Control: tag -1 moreinfo
On Fri, 29 May 2020 at 11:38:31 +1000, Russell Coker via
Pkg-roundcube-maintainers wrote:
> The package install asks questions about MySQL but there's no option for
> specifying sqlite.
Making sure Roundcube works out of the box with SQLite3 is part of the manual
tests I
On Fri, 29 May 2020 at 11:38:31 +1000, Russell Coker via
Pkg-roundcube-maintainers wrote:
> The package install asks questions about MySQL but there's no option for
> specifying sqlite.
It now occurs to me that what you're reporting here is the extra work
users of the package allegedly have to do
Control: severity -1 minor
Hi Ed,
On Wed, 27 May 2020 at 10:17:36 -0600, Ed Schaller wrote:
> When I first encountered this long before the bug was submitted I
> found an easier/safer way.
README.initramfs §11 certainly has shortcomings and doesn't pretend to
cover all cases, but note that your s
Source: roundcube
Severity: important
Tags: security
AFAICT no CVE was assigned for this yet. 1.2.x, 1.3.x and 1.4.x
branches are affected. Upstream fix:
1.4.x
https://github.com/roundcube/roundcubemail/commit/4beec65d40c5e5b1f2bace935c110baf05e10ae5
1.3.x
https://github.com/roundcube
Source: roundcube
Severity: important
Tags: security
AFAICT no CVE was assigned for this yet. 1.2.x, 1.3.x and 1.4.x
branches are affected. Upstream fix:
1.4.x
https://github.com/roundcube/roundcubemail/commit/ccaccae6653031b809b4347a60021951e19a0e43
1.3.x
https://github.com/roundcube
Control: severity -1 wishlist
Hi Matt,
On Wed, 03 Jun 2020 at 15:20:25 +, Matt Johnston wrote:
> The dropbear package currently has Recommends: dropbear-initramfs
> so installing dropbear pulls in 30MB of other initramfs-related packages
> not needed for a container. "Suggests" would seem mor
Source: roundcube
Severity: important
Tags: security
Control: found -1 1.4.9+dfsg.1-1
Control: found -1 1.3.15+dfsg.1-1~deb10u1
Control: found -1 1.2.3+dfsg.1-4+deb9u7
In a recent post roundcube webmail upstream has announced the following
security fix:
Cross-site scripting (XSS) via HTML or
Hi Luca,
On Mon, 28 Dec 2020 at 21:56:25 +, Luca Boccassi wrote:
> The problem is that the ${libdir} variable in the pkg-config file is
> not adjusted accordingly, so the wrong -L flags are exposed.
> Given it's a standard path this is not usually an issue when building
> reverse dependencies,
Control: severity -1 wishlist
Control: reassign -1 cryptsetup-initramfs
Control: block -1 by 778849
Hi,
AFAICT dracut has dracut-shutdown(8) which you can extend at will, or
convince the maintainer to ship the required logic for everyone.
However Debian's default initramfs, namely initramfs-tools
Control: tag -1 pending
On Tue, 29 Dec 2020 at 11:07:23 +, Luca Boccassi wrote:
> Feel free to mark this as closed with the next upload.
OK great! It's nice to be able to simplify d/rules for once :-)
--
Guilhem.
Hi Christof,
On Mon, 13 May 2019 at 20:48:41 +0200, Christof Baumann wrote:
> In order to get rid of this I changed the script to only attempt
> activation of lvm volume groups after all the disks in /etc/crypttab
> have been unlocked.
Thanks for the patch!
> The check for dm-crypt devices needs
Control: tag -1 pending
Thanks all for the patches and discussion, and sorry for not chiming in
earlier in the release cycle.
I now merged in Guilherme's patch modulo some minor fixes. My first
reaction was that this was an “abuse” of initramfs-tools(7)'s interface
since it clearly states that pa
Control: blocks -1 by 962132
Hi,
On Thu, 23 Apr 2020 at 13:22:19 +0200, Robin Johansson wrote:
> As the kernel doesn't have a native way of setting the early ipv6
> address it's wrong to assume that ip=none or ip=off means no
> networking.
>
> Since the initrd scripts have been extracted to a se
Hi all,
On Sun, 03 Jan 2021 at 16:54:41 -0800, Sunil Mohan Adapa wrote:
> I will be filing an RM: bug on the package on Jan 10, 2021. I will
> wait to see if the other uploaders think it is still needed.
Roundcube's test suite which I'm working on now has some tests making
use of Net_IDNA2 so I'd
Control: severity -1 important
On Sun, 10 Jan 2021 at 20:35:45 -0400, David Prévot wrote:
> Guilhem, I did not spot that with ”build-rdeps php-net-idna2”, so I assume
> your need is a work in progress (please, do correct me If I’m wrong).
Yup you're right, once this is ready php-net-idna2 should
Control: severity -1 serious
On Mon, 11 Jan 2021 at 00:58:01 +0100, Guilhem Moulin wrote:
> On Sun, 03 Jan 2021 at 16:54:41 -0800, Sunil Mohan Adapa wrote:
>> I will be filing an RM: bug on the package on Jan 10, 2021. I will
>> wait to see if the other uploaders think it
Package: lintian
Version: 2.96.0
Severity: normal
File: /usr/share/lintian/lib/Lintian/Processable/Orig.pm
Dear Maintainer,
Lintian::Processable::Orig produces an incorrect file listing when
the common prefix of secondary tarballs isn't equal to the component
name. dpkg-source(1) reads
Extr
Control: tag -1 + patch
On Fri, 02 Oct 2020 at 15:22:21 +0200, Guilhem Moulin wrote:
> Lintian::Processable::Orig produces an incorrect file listing when
> the common prefix of secondary tarballs isn't equal to the component
> name. dpkg-source(1) reads
>
> Extracting
>
Source: roundcube
Severity: important
Tags: security
AFAICT no CVE was assigned for this yet. 1.2.x, 1.3.x and 1.4.x
branches are affected. Upstream fix:
1.4.x
https://github.com/roundcube/roundcubemail/commit/87e4cd0cf2c550e77586860b94e5c75d2b7686d0
1.3.x
https://github.com/roundcube
Source: roundcube
Severity: important
Tags: security
AFAICT no CVE was assigned for this yet. 1.2.x, 1.3.x and 1.4.x
branches are affected. Upstream fix:
1.4.x
https://github.com/roundcube/roundcubemail/commit/9bbda422ff0b782b81de59c86994f1a5fd93f8e6
1.3.x
https://github.com/roundcube
Hi there,
On Sun, 29 Dec 2019 at 17:13:46 -0800, Vagrant Cascadian wrote:
> When I run:
>
> sbuild -d UNRELEASED -c sid --source --force-orig-source
> --source-only-changes hello_2.10-2.dsc
>
> Results in an hello_2.10-2_amd64.changes that contains references to the
> .orig.tar but hello_2.10
Control: retitle -1 cryptsetup-initramfs: Can't open AES-XTS device from
initrd.img-5.6.0-1-amd64 built with MODULES=dep on systems lacking AES-NI
Control: tag -1 pending
Hi,
On Sat, 02 May 2020 at 11:19:48 +0200, Adrien CLERC wrote:
> It seems that linux-5.6 changes a lot of things in crypto mo
Control: reopen -1
Control: tag -1 pending
On Fri, 25 Dec 2020 at 15:51:01 +0100, Guilhem Moulin wrote:
> This is deliberate: we ship the source (LESS or un-minified CSS) and the
> generated minified CSS. Also IIRC Roundcube won't prefer the .min.css
> over the .css in this case,
Package: libjs-jquery
Version: 3.5.1+dfsg+~3.5.5-5
Severity: normal
Dear Maintainer,
The brotli suffix was changed from .br to .brotli in
3.5.1+dfsg+~3.5.4-3:
https://salsa.debian.org/js-team/node-jquery/-/commit/2c27f2b80e89dc4fb051cb7081ad464643316a9d
The .br suffix is hardcoded in ngx_h
On Tue, 12 Jan 2021 at 20:19:18 +0100, Jonas Smedegaard wrote:
> I think you (and nginx?) are mistaken:
FWIW ngx_brotli is a third-party nginx module developed by the folks
(Google) behind the brotli(1) utility and the brotli data format
[RFC7932].
> The officially registered meaning for file suf
On Tue, 12 Jan 2021 at 21:50:19 +0100, Jonas Smedegaard wrote:
>> br is the ISO 639-1 code for the breton language but I guess that's
>> not what you mean (application/ecmascript, text/x-perl or video/gl
>> don't conflict with the language codes for Spanish, Polish or Galician
>> right)? After
On Tue, 12 Jan 2021 at 22:35:30 +0100, Jonas Smedegaard wrote:
> * rfc7932 refrains from recommending a suffix
> (only talks about "HTTP Content Coding Registry")
That RFC is beyond my head but quick searches for “suffix” and
“extension” didn't lead to meaningful results. The IANA registration is
s served with ‘Content-Language: br’ header, which I
guess is why you changed the extension? IMHO adding ‘RemoveLanguage
.br’ in the of a system-provided snippet would be an OK
workaround, but whatever, I guess using .brotli suffixes for apache2 is
fine too :-)
On Tue, 12 Jan 2021 at 23:32:29 +01
Hi Jonas,
Thanks for the feedback, I appreciate the discussion :-)
On Wed, 13 Jan 2021 at 13:20:17 +0100, Jonas Smedegaard wrote:
> I find it wrong for Debian to add a NEWS file of "hi all brazilians, we
> decided that expressing the hip new brotli compression a few letters
> shorter is more i
> apt upgrade installed cryptsetup-initramfs 2:2.3.4-2~bpo10+1 over
> 2:2.3.4-1~bpo10+1
Next time please use the backports mailing list to report bugs for
-backports: https://backports.debian.org/Instructions/#index6h2
--
Guilhem.
Package: roundcube
Version: 1.4.9+dfsg.1-1
Severity: wishlist
Tags: upstream
Control: forwarded -1 https://github.com/roundcube/roundcubemail/issues/7625
Control: block 976811 by -1
Roundcube 1.4 officially doesn't support PHP8.0, see upstream issue
https://github.com/roundcube/roundcubemail/issue
libreadline8 8.1-1
ii libvirt0 6.9.0-1+b2
ii libxml2 2.9.10+dfsg-6.3+b1
ii sensible-utils 0.0.12+nmu1
libvirt-clients recommends no packages.
Versions of packages libvirt-clients suggests:
ii libvirt-daemon 6.9.0-1+b2
-- no debconf information
From: Guilhem Moulin
Date:
Unless
overwritten in the repo config, of course.)
However lintian-brush doesn't seem to understand includeIf.*.path (nor
include.path):
/path/to/debian/pkg $ lintian-brush --identity
Committer identity: Guilhem Moulin
Changelog identity: Guilhem Moulin
If I understand the sou
Package: devscripts
Version: 2.20.5
Severity: wishlist
File: /usr/bin/debcommit
Dear Maintainer,
Many of the devscripts tools honor the values of the DEBEMAIL and
DEBFULLNAME environment variables for attribution, however debcommit
ignores these AFAICT and follows the git-commit(1) semantics inst
On Wed, 23 Dec 2020 at 14:04:45 +, Jelmer Vernooij wrote:
>> If I understand the source correctly, this is because the gitconfig
>> library it's using doesn't understand these settings. It might be a
>> wishlist bug for the library, however lintian-brush could maybe call
>> `git config user.ema
Package: node-less
Version: 3.13.0+dfsg-2
Severity: normal
Dear Maintainer,
Running `apt install node-less node-clean-css` in a clean sid chroot I'm
unable to make lessc produce minified output. I don't know if
`--clean-css` does any “cleaning” or if it's a no-op.
$ lessc --clean-css /tmp/e
On Wed, 23 Dec 2020 at 17:39:44 +0100, Guilhem Moulin wrote:
> Running `apt install node-less node-clean-css` in a clean sid chroot I'm
> unable to make lessc produce minified output.
Forgot to explain why I expected otherwise. It boils down to the
deprecation notice one gets
Control: tag -1 pending
On Fri, 25 Dec 2020 at 13:49:29 +0100, Jonas Smedegaard wrote:
> Several build rules use a shell "for" construct, which ignores failures
> of all but latest iteration of those loops.
Thanks for spotting! Might even be worth trying to make lintian assign
a warning for this
Control: clone -1 -2
Control: tag -1 upstream
Control: retitle -2 Please ship precompressed JS and CSS files
Control: severity -1 normal
Control: severity -2 wishlist
On Fri, 25 Dec 2020 at 14:55:00 +0100, Jonas Smedegaard wrote:
> Build routines use the compressors closure-compiler and yui-compre
On Fri, 25 Dec 2020 at 16:00:09 +0100, Jonas Smedegaard wrote:
> I would expect upstream instructions to be irrelevant for the serving of
> minified files: That's something a frontend web server can be configured
> to favor instead of on-the-fly compression (or no compression)
> independent of t
Control: tag -1 - upstream
[I assume you wanted to reply to the bug here.]
On Fri, 25 Dec 2020 at 17:57:02 +0100, Jonas Smedegaard wrote:
> Do upstream project use closure-compiler from 2013 or something newer?
> See bug#733586,#847934,916145 - if not, then it might be (at least
> partly) wron
Package: lacme
Version: 0.6.1-1
Severity: grave
Justification: renders package unusable
Two upcoming changes in the Let's Encrypt chain of trust severely impact
lacme and will break new issuance when they're rolled out in December /
January.
1. The existing issuer, namely “Let's Encrypt Authorit
-encrypt-e[12].pem
+ - lets-encrypt-r[34]-cross-signed.pem
+ - lets-encrypt-r[34].pem
+ - letsencryptauthorityx[34].pem
+See https://letsencrypt.org/certificates/
+ * Moreover 'CAfile' now defaults to /usr/share/lacme/ca-certificates.crt
+which is a concatenation of all known active CA certi
Control: tag -1 moreinfo
Hi,
On Mon, 07 Dec 2020 at 23:19:06 -0300, Javier Kohan wrote:
> Upgraded a system from Jessie (via Stretch as recommended).
It's irrelevant for this issue, but note that Roundcube is absent from
Debian Jessie.
> The package in fact "suggests", among other unavailable p
Hi Jonas!
On Mon, 07 Dec 2020 at 16:07:28 +0100, Jonas Smedegaard wrote:
> Error: Invalid order DNS:mail.homebase.dk, DNS:www.mail.homebase.dk
> [mail.homebase.dk] Error: Couldn't issue X.509 certificate!
> accept: Invalid argument at /usr/libexec/lacme/webserver line 80.
> Connection to jawa.home
Hi Jonas,
(Sorry for the delay in responding.)
On Wed, 16 Sep 2020 at 18:23:54 +0200, Jonas Smedegaard wrote:
> A certificate renewal ended like this:
> […]
> Running notification command `/bin/systemctl reload apache2`
> accept: Invalid argument at /usr/libexec/lacme/webserver line 80.
> […]
On Fri, 14 Aug 2020 at 11:40:25 +0200, Jonas Smedegaard wrote:
> Therefore I suggest to implement what I found more intuitive:
>
> Setting "null-stderr = MOSTLY", treated same as YES by default,
At the moment ternary options are not supported and I don't really like
this TBH :-P --debug should p
Control: severity -1 wishlist
On Sun, 18 Oct 2020 at 20:29:56 +0200, Jonas Smedegaard wrote:
> It is possible to indicate in certificates that OCSP stapling is used.
>
> It requires setting tlsfeature = status_request in CSR file,
> as documented e.g. at https://scotthelme.co.uk/ocsp-must-staple/
Control: tag -1 pending
On Tue, 08 Dec 2020 at 15:33:53 +0100, Jonas Smedegaard wrote:
> Quoting Jonas Smedegaard (2020-12-08 15:31:19)
>> Quoting Guilhem Moulin (2020-12-08 14:17:47)
>>> At the moment ternary options are not supported and I don't really
>>>
Control: severity -1 minor
Control: tag -1 pending
On Tue, 08 Dec 2020 at 13:33:43 +0100, Jonas Smedegaard wrote:
>> Added some thoughts at https://bugs.debian.org/976734#10 (leaving the
>> decision whether to merge these to you).
>
> I prefer to track these issues separately: The confusing but h
On Tue, 08 Dec 2020 at 12:18:29 -0300, Hostmaster FCEIA-UNR wrote:
> Regarding roundcube was not in jessie (I don't know where we installed it
> from- they were debs, because now apt upgraded them- )
Possibly for jessie-backports, or left-over from squeeze?
> Installed all possible php ldap libra
On Tue, 08 Dec 2020 at 16:47:45 +0100, Guilhem Moulin wrote:
> The bug to fix is tracked as https://bugs.debian.org/882938 (which is
> not a Roundcube bug).
Had a look at this, wasn't a difficult fix AFAICT, just uploaded 2.2.0-3
which should eventually migrate to testing. We can&
Hi,
On Thu, 12 Nov 2020 at 19:17:43 +0100, Peter Corlett wrote:
> A cursory Google (and DDG etc) for `loop_cryptdevs` finds nothing
> except this line, and it is unclear what this broken code was supposed
> to achieve.
See #918008. Seems I renamed the function to foreach_cryptdev() (see
also 1d9
Control: retitle -1 crypto-modules-*-di lacks 'essiv' module (required for old
default cipher aes-cbc-essiv:sha256)
Control: reassign -1 src:linux
Hi Nathan,
On Thu, 29 Oct 2020 at 13:17:54 -0500, Nathan Schulte wrote:
> Using cryptsetup to securely wipe a device before enabling encryption, e.g.
Control: tag -1 moreinfo
Hi,
On Mon, 29 May 2017 at 14:26:53 +0200, Olaf Zaplinski wrote:
> I have upgraded from MySQL to mariaDB today, afterwards I did a bit of
> housekeeping.
>
> So I have purged the package 'php-mdb2-driver-mysql' which looked orphaned.
> No package
> had a dependency to
Hi Uwe,
On Thu, 26 Oct 2017 at 15:47:25 +0200, Uwe Kleine-König wrote:
> with the expectation that nc then bind(2)s passing
>
> .inet_pton(AF_INET6, "::1", &sin6_addr),
>
> in the 2nd argument (instead of "::") to limit where the open port is
> available.
`nc -l ::1 12345` does exactly th
Control: tag -1 pending
On Mon, 24 Apr 2017 at 16:21:08 +0800, 積丹尼 Dan Jacobson wrote:
> -C Send CRLF as line-ending.
>
> Mention if this adds a \r before every \n before sending it to the
> remote server.
>
> Also mention if it does or doesn't affect traffic coming back to us too.
>
> Al
Control: tag -1 fixed-upstream
On Wed, 24 Jan 2018 at 09:13:53 +0100, Milan Broz wrote:
> It would be nice if this patch is added on top of 2.0.1 in Debian ;-)
My thought exactly :-) We wanted to wait until the auto-cryptsetup
transition has gone through before uploading 2:2.0.1-1 (missed it
On Wed, 24 Jan 2018 at 09:13:53 +0100, Milan Broz wrote:
> Fixed upstream in
> https://gitlab.com/cryptsetup/cryptsetup/commit/8728ba08e2e056a4c18b55407146eea7ac0043c6
Thanks for the super-fast fix, btw :-)
--
Guilhem.
Control: reassign -1 cryptsetup-bin
Hi Michael,
On Sat, 10 Feb 2018 at 09:22:44 +0100, Michael Biebl wrote:
> On Wed, 24 Jan 2018 14:38:50 +0100 Guilhem Moulin
> wrote:
>> On Wed, 24 Jan 2018 at 09:13:53 +0100, Milan Broz wrote:
>>> Fixed upstream in
>>> https://gi
On Sat, 10 Feb 2018 at 23:17:34 +0100, Cyril Brulebois wrote:
> Guilhem Moulin (2018-02-10):
>> Should we? I was refraining from uploading 2.2.1 due to the following
>> note in the transition page
>>
>>“Please avoid uploads unrelated to this transition, they woul
Control: retitle -1 cryptsetup: Using luks2 with argon2 PBKDF produces an
unbootable system
On Mon, 19 Feb 2018 at 00:02:02 +0100, Mikhail Morfikov wrote:
> Since in Debian Sid we have a cryptsetup v2 for some time, I wanted to
> wipe my current system and install a fresh one in the LUKS/LVM set
Source: json-c
Version: 0.12.1-1.2
Severity: wishlist
Dear Maintainer,
cryptsetup ≥2.0.0 introduces a new on-disk “LUKS2” format, which uses
JSON text format for metadata. Hence libcryptsetup12 (currently in
experimental only) now depends on libjson-c3, and for cryptsetup to keep
working in the
Package: libargon2-0
Version: 0~20161029-1
Severity: wishlist
Dear Maintainer,
cryptsetup ≥2.0.0 introduces a new on-disk “LUKS2” format, which supports
Argon2i and Argon2id as PBKDF. Hence the package now depends on
libargon2-0 (in experimental only), and for cryptsetup to keep working
in the de
On Fri, 05 Jan 2018 at 14:25:50 +0300, Michael S wrote:
> I know there is a ticket 792552 suggesting some patches but neither is
> working for me, I have tried:
> - removing /run/udev/control before do_stop() in cryptsetup.functions
Can you try to apply the patch from #791944's message 181?
On Sat, 13 Jan 2018 at 11:30:53 +0100, t...@cock.li wrote:
> https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.0-ReleaseNotes
> https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.0.tar.xz
> https://git.kernel.org/pub/scm/utils/cryptsetup/cryptsetup.git/refs/
https://li
Source: civicrm
Version: 4.7.24+dfsg-1
Severity: serious
Tags: security
Justification: security issues
(Since CiviCRM isn't in Jessie nor in Stretch I guess the Security Team
can ignore this.)
4.7.26, released on Nov. 1, fixes multiple security issues, with risks
upstream classified up to “critic
On Thu, 18 Jan 2018 at 14:35:37 +, Robert Lister wrote:
> apt-get install roundcube
This pulls in roundcube-core, which in turns pulls roundcube-mysql as
it's the first alternative (preferred driver):
$ apt depends roundcube-core
roundcube-core
[…]
|Depends: roundcube-mysql (
Control: tag -1 moreinfo
Hi Matthew,
On Fri, 22 Sep 2017 at 16:54:03 +0100, Matthew Wakeling wrote:
> I have set up my system with an unencrypted /root partition, but with
> /home, /var, /tmp, and swap all in an LVM inside a luks crypt
> partition.
> When booting, the system prompts for the crypt
What do you have in /etc/roundcube/debian-db.php?
--
Guilhem.
Hi,
On Sat, 20 Jan 2018 at 12:00:06 +0100, Cyril Brulebois wrote:
> Jonas Meurer (2018-01-20):
>> Am 18.12.2017 um 19:38 schrieb Emilio Pozuelo Monfort:
>>> Actually I just read the thread about the -udeb uninstallability.
>>> Let's wait until that is fixed or until Cyril says it's alright to
>>>
Control: tag -1 + d-i moreinfo
Hi,
On Thu, 26 Apr 2018 at 13:24:44 +0200, Christian Dietrich wrote:
> I'm trying to install Debian Buster to an LUKS2 encrypted partition:
>
> cryptsetup luksFormat /dev/sda1 -> works
> cryptsetup --type=luks2 luksFormat /dev/sda1 -> "libgcc_s.so.1 must be
> instal
Control: reassign -1 src:linux 4.15.0-3-amd64
Control: retitle -1 linux: Please add userspace crypto ('algif_skcipher'
module) to crypto-modules .udeb
Control: severity -1 wishlist
Control: tag -1 - moreinfo
Control: affects -1 cryptsetup
On Thu, 26 Apr 2018 at 14:47:30 +0200, Christian Dietrich
Control: tag -1 pending
Hi Christian,
On Fri, 27 Apr 2018 at 10:22:55 +0200, Christian Ehrhardt wrote:
> It realizes no more options are there and then ends at
> } else if (argv[0] && argv[1]) {
> host = argv[0];
> uport = &argv[1];
> if (pflag || sflag
FYI I just refactored and simplified the option/argument verification
logic. Here are examples of command invocations with 0, 1, or 2
non-optional arguments.
Listening on AF_UNIX socket /tmp/sock (nc.openbsd <1.187-1 supports only
the second invocation).
$ strace -e trace=bind nc -U -l -s /
Control: tag -1 pending
On Tue, 08 May 2018 at 18:54:34 +0200, Geert Stappers wrote:
> It would be good if signing-party moved to a more team location.
It's done already: https://salsa.debian.org/debian/signing-party :-)
--
Guilhem.
On Wed, 09 May 2018 at 09:58:07 +0200, Geert Stappers wrote:
> On Tue, May 08, 2018 at 07:01:48PM +0200, Guilhem Moulin wrote:
>> Control: tag -1 pending
>
> When will the upload happen?
Wanted to have upstream changes to clean up the SVN markup ($Id, $Rev,
etc.) But if there i
Control: tag -1 pending
Hi Daniel,
On Mon, 02 Oct 2017 at 14:14:12 -0700, Daniel Kahn Gillmor wrote:
> https://gitlab.com/cryptsetup/cryptsetup/tags suggests that upstream
> has released the first release candidate for cryptsetup 2.0.0:
> 2.0.0-rc0.
>
> It'd be great to have that uploaded to deb
Hi Salvatore,
Thanks for the poke! Upstream fixed this earlier today:
https://github.com/roundcube/roundcubemail/commit/e3dd5b66d236867572e68fcb80281e9268a0cfb0
> If you fix the vulnerability please also make sure to include the CVE
> (Common Vulnerabilities & Exposures) id in your changelog en
On Mon, 09 Apr 2018 at 12:25:20 +0200, Guilhem Moulin wrote:
> Thanks for the poke! Upstream fixed this earlier today:
>
> https://github.com/roundcube/roundcubemail/commit/e3dd5b66d236867572e68fcb80281e9268a0cfb0
My bad, it's only fixed in master and 1.3. Since 1.2 is still
ecurity; urgency=high
+
+ * Backport fix for CVE-2018-9846: When the archive plugin enabled and
+configured, it's possible to exploit the unsanitized, user-controlled
+"_uid" parameter to perform an MX (IMAP) injection attack.
+https://github.com/roundcube/roundcubemail/issues/
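Review bot: the new changelog entry for CVE-2018-9846 reads "When the archive plugin enabled and configured", which is missing a verb; "When the archive plugin is enabled and configured" would match the wording style of the CVE-2017-16651 entry below it. Since the entry names the affected input ("_uid") and the precondition (archive plugin configured), it would also help administrators triaging exposure if the line stated plainly that installations without the archive plugin are not affected, provided that is what upstream's issue confirms.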
https://github.com/roundcube/roundcubemail/issues/6173
+
+ -- Guilhem Moulin Sat, 21 Apr 2018 01:51:56 +0200
+
roundcube (1.2.3+dfsg.1-4+deb9u1) stretch-security; urgency=high
* Backport fix for CVE-2017-16651: File disclosure vulnerability caused by
diff -Nru roundcube-1.2.3+dfsg.1/debia
Hi,
On Sat, 21 Apr 2018 at 08:23:55 +0200, Salvatore Bonaccorso wrote:
> On Sat, Apr 21, 2018 at 02:13:54AM +0200, Guilhem Moulin wrote:
>> On Fri, 20 Apr 2018 at 05:18:36 +0200, Salvatore Bonaccorso wrote:
>>> Thanks for following up for stretch. First a quick comment. Plea
On Sat, 21 Apr 2018 at 13:03:04 +0200, Guilhem Moulin wrote:
> On Sat, 21 Apr 2018 at 08:23:55 +0200, Salvatore Bonaccorso wrote:
>> Looks good to me, please do upload to security-master.
>
> Done.
Shy ping, in case you missed the upload (embargoed on Sat 21 Apr at
10:50:21 UTC) :