On Tue, May 30, 2006 at 10:58:36AM +0200, Frederik Schüler wrote:
> There was an error while trying to autobuild your package:
Yes, no arch seemed to build it, however:
> > configure.ac:44: error: m4_defn: undefined macro: _AC_LANG
> > autoconf/lang.m4:157: AC_LANG_POP is expanded from...
> > aut
On Wed, May 31, 2006 at 02:43:02AM +0200, Javier Fernández-Sanguino Peña wrote:
>
> From this it looks like AC_PROG_CC -> AC_LANG_POP -> _AC_LANG and
> for some reason that macro is undefined. But samhain does not use that at
> all, that's autoheader working here.
After d
On Thu, Jun 01, 2006 at 03:43:44AM +0100, Christian Kujau wrote:
>
> Q: is it possible to let packages just depend on "libxyz" rather than
> "libxyz-0.12"? So, package libxyz-0.14 and libxyz-0.23 and -1.21 too
> could "Provides: libxyz". I bet this is a FAQ but I still could
> not fin
severity 370123 serious
merge 370123 369503
tag 369503 help upstream
thanks
I have forwarded this bug upstream as I have no idea how to fix
it myself. If any bug-squashing hunter can help with this bug I would
appreciate it.
Javier
----- Forwarded message -----
From: Javier Fernández-Sanguino
tags 370808 upstream help
thanks
Hi Samhain support!
This is (again) the Debian maintainer of Samhain speaking. I wanted to notify
you of a bug recently submitted to the Debian Bug Tracking System: #370808
[1] it seems that the latest version of samhain cannot be built in amd64:
http://buildd.deb
On Sun, Jun 11, 2006 at 09:42:28AM +0200, Andreas Barth wrote:
> Package: euro-support-x
> Version: 1.33
> Severity: serious
>
> Hi,
>
> this package depends on the removed xfonts-base-transcoded.
When was this package removed? It still shows up in
http://packages.debian.org/unstable/x11/xfonts-
On Sun, Jun 11, 2006 at 09:42:28AM +0200, Andreas Barth wrote:
> this package depends on the removed xfonts-base-transcoded.
BTW, this package did not Depend: on it, xfonts-base-transcoded was in the
Recommends: line, so I don't see why this bug would qualify as serious.
In any case, a new package
On Sun, Jun 11, 2006 at 12:49:04PM -0700, Steve Langasek wrote:
> > When was this package removed? It still shows up in
> > http://packages.debian.org/unstable/x11/xfonts-base-transcoded
> > and is available in both sid and testing (in xorg-x11 6.9.0.dfsg.1-6)
>
> It's been removed from unstable f
On Mon, Jun 12, 2006 at 10:53:29AM +0200, Andreas Barth wrote:
> * Javier Fernández-Sanguino Peña ([EMAIL PROTECTED]) [060611 23:47]:
> > On Sun, Jun 11, 2006 at 09:42:28AM +0200, Andreas Barth wrote:
> > > this package depends on the removed xfonts-base-transcoded.
> >
On Thu, Jan 19, 2006 at 12:11:55PM +0100, Wolfram Quester wrote:
> Package: openuniverse
> Version: 1.0beta3.1-2
> Severity: grave
> Justification: renders package unusable
>
> Hi,
>
> during the last update I got:
>
> Preparing to replace openuniverse 1.0beta3.1-2 (using
> .../openuniverse_1.0
tags 348841 pending
thanks
On Thu, Jan 19, 2006 at 12:11:55PM +0100, Wolfram Quester wrote:
> Package: openuniverse
> Version: 1.0beta3.1-2
That is not correct, the package you are installing is 1.0beta3.1-3
> during the last update I got:
>
> Preparing to replace openun
The latest OpenSSL version (0.9.8-6) does not seem to fix the problem with
Nessus; actually, it makes it worse, since now the workaround of using a
restricted set of ciphers no longer works either:
If you try to connect the Nessus client with the server you get this:
[26753] SSL_connect: error:1409
On Sat, Apr 22, 2006 at 01:22:53AM +0200, Javier Fernández-Sanguino Peña wrote:
> On Thu, Apr 20, 2006 at 03:48:09PM -0700, Don Armstrong wrote:
> > Should we decide to change the license, we should either use the MIT
> > license if we don't want it to be copyleft, or
On Thu, Apr 20, 2006 at 03:48:09PM -0700, Don Armstrong wrote:
> Should we decide to change the license, we should either use the MIT
> license if we don't want it to be copyleft, or the GPL if we do. A
> custom license is not something that we want to write, and especially
> not without serious th
On Sat, Apr 22, 2006 at 06:40:11AM -0700, Don Armstrong wrote:
> > The only change I made to it was substituting "FreeBSD Documentation
> > Project" for "Debian Project".
>
> You've sent two totally different licenses to the list so far; I was
> referring specifically to the license which was attac
On Sat, Apr 22, 2006 at 04:47:53PM +0200, Florian Weimer wrote:
> * Javier Fernández-Sanguino Peña:
>
> > Copyright 1997-2006 Software in the Public Interest, Inc. All rights
> > reserved.
>
> Is this correct? Have all contributors assigned copyright to SPI?
Contri
On Sun, Apr 23, 2006 at 11:57:00AM +0200, Francesco Poli wrote:
> I think that a page very similar to
> http://spohr.debian.org/~joeyh/testing-security.html
> would help making the public aware of how things are going on for Debian
> stable, from a security point of view.
The problem is, there is
On Mon, Apr 24, 2006 at 09:54:11PM -0700, Don Armstrong wrote:
>
> Here we basically have two choices.
Who's *we*? Have you talked to the security team or is this just wishful
thinking?
> 1. Certain people sign NDAs/agreements to get the early disclosure
> information; in return they cannot disc
On Wed, Apr 26, 2006 at 06:33:12PM +0200, Ludovic Rousseau wrote:
> Note that I am ready to NMU your package if you do not respond within one
> week since the bug is RC.
Please go ahead.
> Your prerm script can be removed now since the file
> /etc/reader.conf.d/libetoken will not be created now
On Fri, Apr 28, 2006 at 08:12:43PM -0400, Aaron M. Ucko wrote:
> The attached patch addresses both issues; could you please apply it,
> or at least authorize an NMU?
Sure, go ahead and NMU. I've not been able to do so these weeks and might not
be able to through Debconf6.
Thanks for your help
Ja
On Sun, May 21, 2006 at 06:41:58PM +0200, Ludovic Rousseau wrote:
>
> It is removed by postinst now. You could remove the removal and the call
> to /usr/sbin/update-reader.conf once Debian Etch is out.
>
> I also modified the Info.plist file.
> - Only the first reader was used by pcscd because on
On Tue, Mar 28, 2006 at 07:20:24PM -0500, Justin Pryzby wrote:
> Your cheops NMU ftbfs.
What's this? Where's the patch?
Javier
Hi everyone,
I was reviewing the status of #238245 ("Debian web site is licensed under the
OPL which is not considered DFSG-free") and see that there have been no
actions since October last year and no discussion at debian-www.
In summary: The web pages license content should be changed from th
On Thu, Apr 20, 2006 at 01:03:19AM +0200, Francesco Poli wrote:
> I agree that the GNU GPL v2 would be a perfectly reasonable choice for
> the Debian website.
> Several other GPLv2-compatible licenses are good choices too, however.
I'd rather use a simpler license for text content it is more under
On Thu, Apr 20, 2006 at 12:56:57AM +0200, Francesco Poli wrote:
> >
> >I suggest using a BSD-style license. The attached license is such a
> >license. It is based on the FreeBSD documentation license [3] and
> >explicitly mentions translations. In our case (the website) the
> >'
On Wed, Feb 15, 2006 at 12:09:43AM +1300, Matt Brown wrote:
> Hi,
>
> I have prepared a NMU patch to fix this bug as a part of the T & S
> portion of my NM application.
Thanks for doing this.
> Additionally the running function never succeeded because portreserve
> doesn't create a pid file. T
On Thu, Feb 16, 2006 at 01:22:20AM +1300, Matt Brown wrote:
> Hi Javier,
Hi there. I hope you don't mind me being a little bit picky, but I think it
helps you hone your skills :-)
>
> > * there's a buffer overflow if 'fname' is longer than 512 chars. buf should
> > *not* be of a static size
>
On Thu, Feb 16, 2006 at 09:52:24PM +1300, Matt Brown wrote:
> On Wed, 2006-02-15 at 15:14 +0100, Javier Fernández-Sanguino Peña wrote:
> The patch is now back down to the size/scope that I consider appropriate
> for a NMU, I agree that the previous patch was getting a little unwieldy
On Fri, Feb 17, 2006 at 04:20:02PM +0100, Daniel Rodriguez Garcia wrote:
> I have built a package that fixes the problem.
> I include attached the source and binary files for the package.
It would have been best if you provided a patch against the current Debian
sources. The BTS should not be used
On Sat, Feb 18, 2006 at 02:47:33PM +1300, Matt Brown wrote:
> I did however discover one minor bug that occurred when the stop target
> of the init script was run twice in a row and resulted in some ugly
> error output from trying to read the non-existent pidfile. The
> functionality was still corr
On Sat, Feb 25, 2006 at 08:53:41PM +0100, Manolo Díaz wrote:
> Hi,
>
> After installing the new package mozilla-thunderbird is still in English,
> even removing .mozilla-thunderbird dir. Afterward, I've tried to remove
> or reinstall the package with no success.
Yes, the prerm script is not correct,
(Note: I missed Kurt's reply since he mailed the BTS but did not mail me
directly a copy...)
Hi, just a short message to let you guys know that the Nessus server <->
client communication is working perfectly fine with OpenSSL version 0.9.8a-7.
Thanks!
Javier
merge 356651 356807
thanks
On Tue, Mar 14, 2006 at 09:20:36AM +0100, Bastian Blank wrote:
> There was an error while trying to autobuild your package:
Already reported, see 356651
Regards
Javier
On Wed, Jun 21, 2006 at 05:15:07PM +0200, Pierre Morin wrote:
> It doesn't seem to be a problem for other distros,
> does it ?
Other distros ship non-free software and violate license conditions in free
software. And your point is?
Regards
Javier
On Sun, Jul 02, 2006 at 12:17:47PM +0200, Julien Danjou wrote:
>
> reopen 375404
> thanks buddy, hit me five!
>
> Hello,
>
> It seems to be not fully fixed:
Yes, this is because Raphael fixed the shell script but did not fix the gpl.c
file, as this file will only regenerate if the COPYING file
On Sat, Nov 19, 2005 at 03:46:23PM +, MJ Ray wrote:
> I think the statistic is questionable, so there should be
> verification/substantiation of the statistic, but I don't know
> whether it's right or wrong. I think it's prejudging things to
> delete the first paragraph as suggested.
I don't k
On Sat, Nov 19, 2005 at 06:03:13PM -0500, Filipus Klutiero wrote:
> Hi Javier,
> I'd like to be sure about which claim you refer to. The current claim is
> the one that says that Debian *does* issue fixes for most problems under
> 48 hours, right? I'm asking since if I understand right the statis
severity 343487 grave
tags 343487 pending confirmed sid etch
reassign 343487 nessus
thanks
After debugging this issue in a system that Marc Haber set up for testing
I've found two different issues, one is a misconfiguration, the other is a
problem with the nessus package (the client)
- localhost
On Wed, Dec 28, 2005 at 02:16:26AM -0800, Steve Langasek wrote:
> > The issue should be fixed by recompiling the client against a set of the
> > libraries, and should affect only the 2.2.5-3 version under i386. Notice,
> > also that the package has an undeclared dependency on libssl0.9.7 (the
> >
On Wed, Dec 28, 2005 at 11:31:11AM +0100, Javier Fernández-Sanguino Peña wrote:
>
> * nessusd 2.2.5-3, the server, is linked against both 0.9.7 and
> 0.9.8
Just found out why this happened. The Nessus server gets compiled against
both versions since libnasl depends on 0.9.7, I did not no
On Wed, Dec 28, 2005 at 03:12:44AM -0800, Steve Langasek wrote:
>
> > Since there is no libssl097-dev any longer I guess I'll have to recompile
> > all
> > packages.
>
> It should actually be possible to fix this with binNMUs on the autobuilders,
> I think. I'll go ahead and queue those now.
P
On Wed, Dec 28, 2005 at 02:54:17AM -0800, Steve Langasek wrote:
>
> > * nessusd 2.2.5-3, the server, is linked against both 0.9.7 and
> > 0.9.8
>
> Ok, I don't see this either:
>
> $ ldd /tmp/nessus/usr/sbin/nessusd|grep ssl
> libssl.so.0.9.8 => not found
> $
Funny, it seems that ldd ou
On Thu, Dec 29, 2005 at 11:17:41AM +0100, Marc Haber wrote:
> The resulting packages naturally only depend on libssl0.9.7, and seem
> to work fine. This might be a workaround.
Great, yes, this is a workaround. Unfortunately it's a *local* workaround.
Even if I can generate i386 packages compiled f
FWIW, this bug causes the Nessus client to be unable to contact the server
(since they use server side certificates with OpenSSL) and is the root cause
of #343487. Please fix this bug as soon as possible or, otherwise, Nessus
users will not be able to use Nessus at all in sid/testing.
Thanks
Jav
On Sat, Jan 14, 2006 at 11:48:44AM -0500, Justin Pryzby wrote:
> I intend to NMU a fix for this bug sponsored by Thomas Viehmann; the
> attached patch simply drops the dependency on xlibs-dev, because there
> is no actual direct dependency.
Please don't, I already uploaded an updated package.
Jav
Based on the comment made by Jim Paris to bug #338006 I've found that adding
the following line to nessusd.conf makes the client able to talk with the
server:
ssl_cipher_list = SSLv2:-LOW:-EXPORT:RC4+RSA
I'm going to add this to the default nessusd.conf to implement a workaround
fix for #343487
g with `## DP:' are a description of the patch.
## DP: This patch fixes a lot of problems with temporary directory
## DP: It was written by Javier Fernández-Sanguino Peña
if [ $# -lt 1 ]; then
echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
exit 1
Package: bugzilla
Version: 2.16.7-7sarge1
Priority: critical
Tags: patch sarge woody
I sent this mail to the security team a while back and forwarded it upstream
too. Since this bug is now public
(https://bugzilla.mozilla.org/show_bug.cgi?id=305353), I'm opening up a
ticket in the BTS for easier
On Sun, Sep 25, 2005 at 01:09:38AM +0200, Erik Schanze wrote:
> Hi!
>
> Please find attached patch for Makefile-in to only process texi with
> texi2html files that succeed.
> So it builds again.
Ok. I will apply it right away.
> Additionally there are many warnings during build and something is
Package: bugzilla
Version: 2.18.3-1
Severity: grave
Tags: sid etch security patch
The bugzilla package's postinst script uses temporary files in an unsafe
way which could be used to conduct symlink attacks against the root
user when the package is configured. This is because it uses a hardcoded
l
Package: gnome-vlc
Version: 0.8.1.svn20050314-1
Priority: serious
This dummy package is present in woody, sarge, etch and sid.
As this is a dummy transition-only package (for potato?), there
is no reason this package should still exist in the distribution?
Notice that we currently only sup
Package: gvlc
Version: 0.8.1.svn20050314-1
Priority: serious
This dummy package is present in woody, sarge, etch and sid.
As this is a dummy transition-only package (for potato?), there
is no reason this package should still exist in the distribution?
Notice that we currently only support
Package: krb4
Version: 1.2.2-11.2
Priority: serious
This source package includes kerberos4kth1, kerberos4kth-services,
kerberos4kth-user and kerberos4kth-x11. All these four packages
are dummy packages that were present in woody, sarge, etch and sid.
As these are dummy transition-only package (f
Package: koffice-i18n
Version: 1.3.5-2
Priority: serious
This source package includes koffice-i18n-zhcngb2312 and koffice-i18n-zhtwbig5.
These two packages are dummy packages that were present in sarge, etch
and sid but were not present in woody. As these are dummy transition-only
package (for
Package: libalgorithm-diff-ruby
Version: 0.4-3
Priority: serious
This dummy package is present in sarge, etch and sid.
As this is a dummy transition-only package (for woody?), there
does not seem to be any reason why this package should still
exist in the distribution.
Notice that we current
Package: snort
Severity: critical
Version: 2.3.3-2
Justification: remote compromise
Well, I have just read both an X-force and a CERT alert related to Snort,
it seems that it is possible to make a preprocessor (bo) crash and run code
remotely through a single UDP traffic.
I'm still investigating
On Wed, Oct 19, 2005 at 08:48:49AM +0100, Phil Brooke wrote:
> > The yiff server, by default, will run as the root user, even though it
> > only requires privileges to access the audio devices (/dev/dsp and
> > /dev/mixer), no effort is made by the package to create a specific user
> > and run the
tags 334616 patch
thanks
On Wed, Oct 19, 2005 at 12:58:10PM +0100, Phil Brooke wrote:
>
> Those three points should fix the problem you've identified.
>
> I wouldn't worry about the other two bugs you filed -- I should be able to
> tidy those up within a few weeks (I hope!).
Attached is a patch
On Wed, Oct 19, 2005 at 11:09:58AM +0200, Moritz Muehlenhoff wrote:
> Hi,
> as the attack is based on overflowing buf1[] through crafted len values
> taken from the packet header in BoGetDirection() and this function isn't
> present in 2.3 Debian doesn't seem to be vulnerable.
Yes, based on the sourc
On Fri, Oct 21, 2005 at 11:44:58AM +0200, Moritz Muehlenhoff wrote:
> Hi,
> while I agree that running yiff with lesser privileges is desirable
> I can't see a RC security problem in this case. You can't crash
> a system by reading from /dev, /proc or /sys, even reading from raw
> hard disk devices
tags 324017 moreinfo unreproducible
thanks
On Fri, Aug 19, 2005 at 03:45:58PM -0400, Rick Friedman wrote:
> Package: cron
> Version: 3.0pl1-88
> Severity: grave
> Justification: renders package unusable
>
>
> The cron daemon runs as normal until a cronjob starts up. Actually, I
> don't even know
On Sat, Aug 20, 2005 at 07:28:25PM -0400, Rick Friedman wrote:
> It certainly seems more than coincidental to me that your strace shows the
> same seg fault that my strace shows... immediately after opening
> "crontabs/root".
Oh, and BTW, the only change in -88 that might affect cron's behaviour
On Sat, Aug 20, 2005 at 07:11:19PM -0400, Rick Friedman wrote:
> Package: cron
> Version: 3.0pl1-88
> Followup-For: Bug #324017
>
>
> Below is the output of strace when a cronjob should've started (I should
> add that the job that was supposed to run was in root's crontab):
Not very useful. Alth
On Sat, Aug 20, 2005 at 07:11:43PM -0500, Mike Hokenson wrote:
>
> In -88, u->scontext is set to NULL if get_security_context() fails (I
> think) and in free_user() there's a freecon() call on u->scontext but no
> NULL check. Maybe that's where the problem is?
Your assessment looks quite correc
On Sat, Aug 20, 2005 at 07:51:17PM -0500, Mike Hokenson wrote:
>
> I just noticed I was building cron w/out selinux support. :P
Yes, I guessed as much :-)
>
> Here's a backtrace of a -g:
(..)
>
> Which still pretty much leads back to the same place...
Yes.
> I'm not sure what your patch look
On Sat, Aug 20, 2005 at 07:51:17PM -0500, Mike Hokenson wrote:
> I'm not sure what your patch looks like, but just testing for a NULL
> u->scontext didn't work, I had to do this:
Aggg.. you are right, I don't think clearly this late, the problem is that
u->scontext is undefined, that's why free()
On Sat, Aug 20, 2005 at 08:21:35PM -0500, Mike Hokenson wrote:
> If it only contains the NULL pointer check, it won't (already tried), Rick
> will probably be able to confirm this when he updates. I'm not familiar
> with the mirroring system, do you think it'll appear shortly or is there a
> pla
reopen 323386
tags 323386 etch sarge
retitle 323386 kismet: Security vulnerabilities CAN-2005-2626 and CAN-2005-2627 present in sarge and etch
thanks
Dear maintainer, the version currently distributed of kismet in stable and
testing has several security issues. You should reopen a security
bug
On Mon, Aug 22, 2005 at 02:46:23AM -0700, Steve Langasek wrote:
> close 323386 2005.08.R1-1
> thanks
>
> This is incorrect. With the introduction of version tracking support in
> the BTS, you should *not* use the reopen command on bugs that were
> correctly closed in an upload.
There's no way I
Package: avifile
Version: 1:0.7.43.20050224-1
Priority: serious
Justification: Section 2.3 "Copyright considerations"
The only copyright statement in the debian/copyright file says:
Copyright: GPL (see /usr/share/common-licenses/GPL)
and LGPL (see /usr/share/common-licenses/LGPL)
That's plain wr
Package: vlc
Version: 0.8.4-svn20050810-1
Priority: serious
Justification: Section 2.3 "Copyright considerations"
The vlc package contains multiple files whose copyrights are not detailed
in debian/copyright. Moreover, many of these files do _not_ have
a license clarification in their header as desc
On Thu, Aug 25, 2005 at 02:58:51PM +0200, kabi wrote:
> On 8/25/05, Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> wrote:
> > Package: avifile
> > Version: 1:0.7.43.20050224-1
> > Priority: serious
>
> I really don't see any reason for this priority an
On Fri, Aug 26, 2005 at 01:51:44PM +0200, kabi wrote:
> > Debian distributes _binaries_ and that's what your packages ship, binary
> > files with documentation. The documentation file debian/copyright is
> > mandatory for all packages and its contents are too. It is a way to
> > determine
> > what
Package: mediamate
Version: 0.9.3.6-2
Priority: serious
Tags: patch
Since version 4.50-1 libphp-adodb no longer includes the PHP files under
/usr/share/adodb. They are included in /usr/share/php/adodb. Your package
uses the old location which means that the include of the Adodb libraries
will fa
Package: libpam-runtime
Version: 0.76-22
Priority: serious
Tags: security
It seems we are missing some of upstream releases (0.77 was released in
September 2002 and 0.78 was released in November 2004). Please package this
new release:
ftp://ftp.kernel.org/pub/linux/libs/pam/pre/library/
The 0.7
I'm still working on this bug. The problem is that I can't get the latest
userland utilities to compile with the latest patch I provided either, so until
I get around to fixing this there will be no rsbac-admin packages in
Debian. This makes the kernel-patch package rather useless as RSBAC goes,
Package: nvi
Version: 1.79-21
Priority: grave
Tags: security patch woody sid
Justification: local DoS
(Note: The bugs I talk about in this report have been present in Debian's
nvi for ages. Actually, OpenBSD provides an alternate 'recover'
implementation (attached) written in Perl that fixes most
On Mon, Mar 07, 2005 at 02:26:07PM +0100, Kaare Hviid wrote:
> Package: cheops
> Version: 0.61-11
> Severity: serious
>
> FTBFS in pbuilder and apparently all buildds:
>
> gcc -g -O2 -Wall -DDEFAULT_PATH=\"/usr/share/cheops\"
> -DLIB_PATH=\"/usr/lib/cheops\" -I/usr/include/gtk-1.2 -I/usr/include
severity 296311 serious
merge 292176 296311
tags 292176 patch
thanks
Attached is a patch to temporarily fix this issue. A long term fix would
mean:
- relocating the icons, but I'm not sure if that would break KDE's
standards.
What's the standard in KDE related to icons of use only by an applic
tags 279483 patch pending
thanks
The attached patch should fix this, I'm making a NMU upload as this RC bug
has been over 4 months unanswered.
Regards
Javier
diff -Nru susv3-6/debian/changelog susv3-6.1/debian/changelog
--- susv3-6/debian/changelog2004-10-26 23:57:11.0 +0200
+++ su
tags 295554 patch
thanks
If I've understood the issue correctly the attached patch fixes this issue.
Regards
Javier
diff -Nru xinetd-2.3.13.old/debian/changelog xinetd-2.3.13/debian/changelog
--- xinetd-2.3.13.old/debian/changelog 2005-03-08 15:42:26.0 +0100
+++ xinetd-2.3.13/debian/cha
On Tue, Mar 08, 2005 at 09:00:34AM -0500, Justin Pryzby wrote:
> On Tue, Mar 08, 2005 at 10:22:54AM +0100, Javier Fernández-Sanguino Peña
> wrote:
> > tags 279483 patch pending
> > thanks
> >
> > The attached patch should fix this, I'm making a NMU upload
On Tue, Mar 08, 2005 at 11:06:28AM -0500, Justin Pryzby wrote:
> Okay. FYI it appears that dh_clean was not called, as your patch
> includes things I would not expect (and which were not present in the
> other patch), such as DEBIAN/ and debian/files. I'm not familiar with
> cdbs, so I'm not goin
On Wed, Mar 16, 2005 at 01:21:34PM -0500, Justin Pryzby wrote:
> I was able to upgrade then purge, then reinstall sid's new
> checksecurity. So, I think it would be useful if you could make the
> postinst set -x and reconfigure it to point out where the problem is.
That might work too, but I sugg
tags 299811 moreinfo unreproducible
thanks
> I tried to install checksecurity today, and this is what I got:
(...)
> Unpacking checksecurity (from .../checksecurity_2.0.7-2_all.deb) ...
> Setting up checksecurity (2.0.7-2) ...
> dpkg: error processing checksecurity (--configure):
> subprocess po
On Sun, Jan 16, 2005 at 10:48:39PM +0100, Thomas Schmidt wrote:
>
> I also think that it would be the best to just keep the user, because
> other packages will use it too (vdradmin and some plugins).
The user, if created by the package, should be removed. If other packages
depend on it, they sh
Package: apache
Version: 1.3.33-2
Priority: grave
Tags: security sid sarge
Hi, I've found unsafe uses of /tmp in some of Apache's scripts in the
source, one of this (check_forensic) is installed in Debian's apache-utils
package and IMHO should be fixed. They are rather low risk, but I have to
s
> * added a new patch (stolen from Ubuntu) which modifies vimspell.sh and
>   tcltags.sh so they use mktemp instead of insecure $$ construction to
>   create temporary files (CAN-2005-0069) (closes: #289560)
A few comments and questions regarding this entry:
- the scripts seem to be anci
On Tue, Jan 18, 2005 at 11:38:55PM +0100, Thomas Schmidt wrote:
>
> Well, it seems that there are different opinions in this case - some
> developers (you for example) say that system users should be removed
> when the package is purged, some say that it is no problem if the
> user is not deleted.
On Wed, Jan 19, 2005 at 10:24:20AM +0100, Martin Pitt wrote:
> I read your patch, but I deliberately wrote my own very simple
> version, because:
Martin, just to get things straight, my comments are not directed
towards you, but towards the vim maintainer.
>
> - I wanted to avoid the tempfile r
On Wed, Jan 19, 2005 at 12:04:06PM +0100, Martin Pitt wrote:
> > IMHO
>
> There is no need for this. mktemp generates an error message on its
> own, so this would only write two messages.
Mktemp might not be available. The || test would actually check whether
mktemp fails (not common) and whether
> I hope I'll find time next weekend for a new upload.
There's no hurry, take your time, these scripts have been in Debian for
ages. You can even wait until the next upstream version is released, no
sense in making two uploads to fix these.
Regards
Javier
reopen 290974
tags 290974 sarge
thanks
A few comments on this:
> * (Thom May)
>   - Security fix - fix tempfile usage in check_forensic (Closes: #290974)
- Please help track these bugs in sarge by tagging them
- fmn.sh was not fixed. Even if not used in the Debian package I would
appreciat
Package: mysql-server
Version: 4.1.7-2
Priority: grave
Tags: experimental
Just a quick note to tell that there are several symlink vulnerabilities in
the experimental version of mysql-server which have been fixed in sid's.
This includes (but is not limited to) mysqlaccess (#291122), and
mysql_ins
Package: openwebmail
Priority: grave
Version: 2.41-10
Tags: patch security
Openwebmail has multiple unsafe usages of temporary files (in /tmp) which
lead to race conditions and symlink attacks. There are actually a lot of
Perl scripts that, instead of using Perl's builtin File::Temp module use
severity 291658 normal
retitle 291658 nessus-plugins: Some NASL plugins in release 2.2.2a (and later) are non-free
thanks
On Sat, Jan 22, 2005 at 08:26:39AM +0100, Florian Weimer wrote:
>
> Upstream claims that large parts of nessus-plugins has never been
> licensed under the GPL. The copyright
Package: razor
Version: 2.610-2
Severity: grave
Tags: security patch sid testing
The use done of files under /tmp by Razor for logging is unsafe and open to
symlink attacks. It would be best if Razor would use safely created
temporary files and directories to prevent a local installation from bei
On Fri, Feb 29, 2008 at 04:19:52AM +0100, Cyril Brulebois wrote:
> Please find attached a diff for my NMU, to be uploaded to DELAYED/2 RSN.
I find it quite surprising that you upload a fix to 2-day NMU when I'm not in
the Low-threshold NMU list.
> -Build-Depends-Indep: debhelper
> +Build-Depends:
On Fri, Feb 29, 2008 at 05:24:38AM +0100, Cyril Brulebois wrote:
> please find attached a patch for this bug. I don't plan to NMU that one.
I've already uploaded a fix for this one.
> Note that S-V is really ancient, and that there's still room for
> improvement.
Please file your improvements as
Package: po4a
Version: 0.29-1
Severity: grave
Tags: security patch
If you run po4a-gettextize on contents that do not get converted to PO files
due to some issue, the script will dump its results in
/tmp/gettextization.failed.po.
The script uses a file in the /tmp directory but does not try to p