Control: retitle -1 znc: CVE-2018-14056: path traversal flaw
On Sat, Jul 14, 2018 at 10:02:58PM +0200, Salvatore Bonaccorso wrote:
> Source: znc
> Version: 0.045-1
> Severity: grave
> Tags: patch security upstream
> Justification: user security hole
>
> Hi
>
> See https://github.com/znc/znc/comm
Processing control commands:
> retitle -1 znc: CVE-2018-14056: path traversal flaw
Bug #903788 [src:znc] znc: path traversal flaw
Changed Bug title to 'znc: CVE-2018-14056: path traversal flaw' from 'znc: path
traversal flaw'.
--
903788: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903788
Processing control commands:
> retitle -1 znc: CVE-2018-14055: privilege escalation to admin permission
> (injection of rogue values in znc.conf)
Bug #903787 [src:znc] znc: privilege escalation to admin permission (injection
of rogue values in znc.conf)
Changed Bug title to 'znc: CVE-2018-14055:
Control: retitle -1 znc: CVE-2018-14055: privilege escalation to admin
permission (injection of rogue values in znc.conf)
On Sat, Jul 14, 2018 at 10:01:02PM +0200, Salvatore Bonaccorso wrote:
> Source: znc
> Version: 1.6.5-1
> Severity: grave
> Tags: patch security upstream
> Justification: user
Your message dated Sun, 15 Jul 2018 05:04:14 +
with message-id
and subject line Bug#901114: fixed in python-coverage 4.5.1+dfsg.1-1
has caused the Debian Bug report #901114,
regarding python-coverage: FTBFS when built with dpkg-buildpackage -A
to be marked as done.
This means that you claim t
Hi,
I may be running into the same issue here, running Xen.
I say "may", because after I updated to Debian 9.5 and linux
4.9.0-7-amd64, the server/Dom0 did not come back up after a reboot, and
I had to request a manual reboot from datacenter staff. The staff did
not provide any more error detail
Package: leela-zero
Severity: serious
Justification: Policy 2.2.1
Dear Maintainer,
When I try to run leela-zero, it tells me there's no weights file, and
I need to download extra file to make it functional.
Thus I think this package breaks the policy 2.2.1
> In addition, the packages in main
>
On Sun, 2018-07-15 at 02:27 +0200, Vincent Lefevre wrote:
> Package: src:linux
> Version: 4.9.110-1
> Severity: critical
> Justification: breaks the whole system
>
> After upgrade to Debian 9.5, I get a kernel panic with 4.9.0-7-amd64:
[...]
Are you running it on Xen?
Ben.
--
Ben Hutchings
One
Package: puredata-gui
Version: 0.48.1-6
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts
Hi,
during a test with piuparts I noticed your package fails to upgrade from
'testing'.
It installed fine in 'testing', then the upgrade to 'sid' fails
because it tries to overwrite other
Package: libomp5-7
Version: 1:7~svn336894-1~exp1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts
Hi,
during a test with piuparts I noticed your package failed to install
because it tries to overwrite other packages files without declaring a
Breaks+Replaces relation.
See pol
Package: python-pika,python-pika-doc
Version: 0.11.0-2
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts
Hi,
during a test with piuparts I noticed your package failed to install
because it tries to overwrite other packages files.
This is probably caused by a behavioral change
Package: src:linux
Version: 4.9.110-1
Severity: critical
Justification: breaks the whole system
After upgrade to Debian 9.5, I get a kernel panic with 4.9.0-7-amd64:
Loading Linux 4.9.0-7-amd64 ...
Loading initial ramdisk ...
[0.00] tsc: Unable to calibrate against PIT 17.14MiB 100% 7.8
Processing commands for cont...@bugs.debian.org:
> forwarded 903784 https://github.com/geopython/pycsw/issues/570
Bug #903784 [python3-pycsw] python3-pycsw: fails to install: SyntaxError
Set Bug forwarded-to-address to 'https://github.com/geopython/pycsw/issues/570'.
> thanks
Stopping processing h
Control: tags -1 upstream
On 07/14/2018 08:40 PM, Andreas Beckmann wrote:
> File "/usr/lib/python3/dist-packages/pycsw/server.py", line 78
> self.async = False
>^
> SyntaxError: invalid syntax
> [...]
>
> Could this be related to python 3.7?
Yes, see: #902788
async b
Processing control commands:
> tags -1 upstream
Bug #903784 [python3-pycsw] python3-pycsw: fails to install: SyntaxError
Added tag(s) upstream.
--
903784: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903784
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
(adding a few more pieces of information)
... and they also messed this up in SVN r73086; they fixed only the
switch/case statement in RelocateSectionExecDyn(), exactly the function
that is *not* exercised for VMMR0.r0 as that's an ET_REL file, not an
ET_DYN. :)
Reiterating: the rev2 patch in the
Source: open-build-service
Version: 2.7.4-2
Severity: grave
Tags: security upstream
Forwarded: https://bugzilla.suse.com/show_bug.cgi?id=1094819
Hi,
The following vulnerability was published for open-build-service.
CVE-2018-7689[0]:
| Lack of permission checks in the InitializeDevelPackage funct
Processing commands for cont...@bugs.debian.org:
> user debian...@lists.debian.org
Setting user to debian...@lists.debian.org (was a...@debian.org).
> usertags 894618 piuparts
There were no usertags set.
Usertags are now: piuparts.
> tags 902386 + sid buster
Bug #902386 [src:cvc3] cvc3: FTBFS in A
Your message dated Sat, 14 Jul 2018 21:53:25 +
with message-id
and subject line Bug#903061: fixed in python-base58 1.0.0-2
has caused the Debian Bug report #903061,
regarding python-base58 FTBFS: update Build-Depends: ruby-ronn -> ronn
to be marked as done.
This means that you claim that the
Package: libgmap1-dev
Version: 2017-11-15-1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts
Hi,
during a test with piuparts I noticed your package ships (or creates)
a broken symlink.
From the attached log (scroll to the bottom...):
0m37.4s ERROR: FAIL: Broken symlinks:
Package: src:libxmlada
Followup-For: Bug #903380
Hello.
Updating libxmlada for a new unicode version requires a renaming of
the -dev package for xmlada and all its reverse dependencies.
Such migrations happen in experimental. Most packages are already
renamed for unrelated reasons (gcc-8 migrati
Processing commands for cont...@bugs.debian.org:
> tags 896309 + sid buster
Bug #896309 {Done: Andreas Tille } [python-cfflib]
python-cfflib: cfflib fails to import
Added tag(s) buster and sid.
> tags 903213 - stretch
Bug #903213 {Done: Yaroslav Halchenko } [src:datalad]
datalad: FTBFS in stretc
Your message dated Sat, 14 Jul 2018 21:02:11 +
with message-id
and subject line Bug#872373: fixed in imagemagick 8:6.9.7.4+dfsg-11+deb9u4
has caused the Debian Bug report #872373,
regarding CVE-2017-12877
to be marked as done.
This means that you claim that the problem has been dealt with.
If
Your message dated Sat, 14 Jul 2018 21:05:39 +
with message-id
and subject line Bug#902883: fixed in talloc 2.1.14-1
has caused the Debian Bug report #902883,
regarding FTBFS on arch != amd64 because different libpytalloc-util.*.so name
to be marked as done.
This means that you claim that the
Your message dated Sat, 14 Jul 2018 21:02:11 +
with message-id
and subject line Bug#881392: fixed in imagemagick 8:6.9.7.4+dfsg-11+deb9u4
has caused the Debian Bug report #881392,
regarding imagemagick: CVE-2017-16546
to be marked as done.
This means that you claim that the problem has been d
Your message dated Sat, 14 Jul 2018 21:02:11 +
with message-id
and subject line Bug#885125: fixed in imagemagick 8:6.9.7.4+dfsg-11+deb9u4
has caused the Debian Bug report #885125,
regarding imagemagick: CVE-2017-17879: heap-buffer-overflow in ReadOneMNGImage
to be marked as done.
This means t
Processing control commands:
> tag -1 pending
Bug #902883 [src:talloc] FTBFS on arch != amd64 because different
libpytalloc-util.*.so name
Added tag(s) pending.
--
902883: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902883
Debian Bug Tracking System
Contact ow...@bugs.debian.org with prob
Control: tag -1 pending
Hello,
Bug #902883 in talloc reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:
https://salsa.debian.org/samba-team/talloc/commit/e91469a60fc3a99df9f83dba5f5b049ab
Paul Gevers, on Fri. 13 Jul. 2018 13:46:45 +0200, wrote:
> I think this is caused by the fact that we loop over $pyver in the
> d/rules file, but apparently that is broken for multiple python3 versions.
I don't think that's the problem: I tried to pause after the
dh_install step, and we have th
severity 903713 important
thanks
Hi Luigi,
> Finally, a request: please lower the severity of this bug. It's not a
> regression, and I would assume good faith on something that has been the same
> for the past 10+ years
Don't worry; good faith assumed throughout. Downgrading to non-RC :-)
Be
Processing commands for cont...@bugs.debian.org:
> notfound 902879 5.2.14-dfsg-4
Bug #902879 {Done: Guilhem Moulin } [cryptsetup-run]
cryptdisks_start: fails on non-block-devices, "skipped, device $CRYPTTAB_SOURCE
does not exist"
There is no source info for the package 'cryptsetup-run' at versio
Processing commands for cont...@bugs.debian.org:
> severity 903713 important
Bug #903713 [src:plasma-browser-integration] plasma-browser-integration:
"This_file_is_part_of_KDE" in debian/copyright?
Warning: Unknown package 'src:plasma-browser-integration'
Severity set to 'important' from 'serious
Source: znc
Version: 0.045-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Hi
See https://github.com/znc/znc/commit/a4a5aeeb17d32937d8c7d743dae9a4cc755ce773
allowing path traversal and can lead to expose some files which
shouldn't be, or potentially lead to a cra
Source: znc
Version: 1.6.5-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Hi
See
https://github.com/znc/znc/commit/a7bfbd93812950b7444841431e8e297e62cb524e
https://github.com/znc/znc/commit/d22fef8620cdd87490754f607e7153979731c69d
which would allow privilege e
Followup-For: Bug #901001
Hi,
are there known upgrade problems related to this bug when upgrading
from jessie to stretch (python 3.4 -> 3.5) or could we tag this bug
as 'sid buster'?
Andreas
Control: notfixed -1 4.8-12
Control: close -1
On Mon, 11 Jun 2018 14:19:30 +0300 Juhani Numminen
wrote:
> Control: fixed -1 4.8-12
> Control: retitle -1 elastix does not start: symbol lookup error: elastix:
> undefined symbol: _ZN8vnl_math5hypotEdd
>
> I'm not seeing this failure in buster (wit
Processing control commands:
> notfixed -1 4.8-12
Bug #901312 [elastix] elastix does not start: symbol lookup error: elastix:
undefined symbol: _ZN8vnl_math5hypotEdd
No longer marked as fixed in versions elastix/4.8-12.
> close -1
Bug #901312 [elastix] elastix does not start: symbol lookup error:
Your message dated Sat, 14 Jul 2018 18:49:10 +
with message-id
and subject line Bug#903361: fixed in haskell-tagsoup 0.14.6-2
has caused the Debian Bug report #903361,
regarding haskell-tagsoup: FTBFS in buster/sid (dh_installexamples: Cannot find
"Main.hs")
to be marked as done.
This means
Your message dated Sat, 14 Jul 2018 18:48:56 +
with message-id
and subject line Bug#903332: fixed in happy 1.19.9-4
has caused the Debian Bug report #903332,
regarding happy: FTBFS in buster/sid (dh_installdocs: Cannot find "README")
to be marked as done.
This means that you claim that the pr
Package: python3-pycsw
Version: 2.2.0+dfsg-3
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts
Hi,
during a test with piuparts I noticed your package failed to install. As
per definition of the release team this makes the package too buggy for
a release, thus the severity.
>F
Your message dated Sat, 14 Jul 2018 18:25:13 +
with message-id
and subject line Bug#903111: fixed in haskell-raaz 0.2.0-3
has caused the Debian Bug report #903111,
regarding haskell-raaz FTBFS in buster
to be marked as done.
This means that you claim that the problem has been dealt with.
If t
Package: gitea
Version: 1.3.2+dfsg-3
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts
Hi,
during a test with piuparts I noticed your package modifies conffiles.
This is forbidden by the policy, see
https://www.debian.org/doc/debian-policy/#configuration-files
10.7.3: "[...]
Package: gitlab
Version: 10.6.5+dfsg-2
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts
Hi,
during a test with piuparts I noticed your package failed to install. As
per definition of the release team this makes the package too buggy for
a release, thus the severity.
From th
Package: gimp
Version: 2.10.2-1
Severity: grave
Justification: renders package unusable
Dear Maintainer,
I may have the same problem. I updated many packages yesterday, and today
gimp will not launch.
Christoph reported that opening a .png file generated a splash screen
then error messages abo
Package: emacs-nox
Version: 1:25.2+1-7
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts
Hi,
a test with piuparts revealed that your package misses the copyright
file after an upgrade, which is a violation of Policy 12.5:
https://www.debian.org/doc/debian-policy/#copyright-inf
Package: linux-image-amd64-signed-template
Version: 4.18~rc4-1~exp1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts
Hi,
a test with piuparts revealed that your package misses the copyright
file, which is a violation of Policy 12.5:
https://www.debian.org/doc/debian-policy/#c
Processing commands for cont...@bugs.debian.org:
> user debian...@lists.debian.org
Setting user to debian...@lists.debian.org (was a...@debian.org).
> usertags 883641 piuparts
Usertags were: piuparts.
Usertags are now: piuparts.
> severity 835508 serious
Bug #835508 [ruby-leaflet-rails] ruby-leafl
On 07/14/2018 06:41 PM, Andreas Beckmann wrote:
> On 2018-07-14 17:27, Sebastiaan Couwenberg wrote:
>> On 07/14/2018 05:19 PM, Andreas Beckmann wrote:
>>> On 2018-07-14 17:04, Bas Couwenberg wrote:
The nvidia-driver packages cannot be updated as part of the stretch 9.5
stable update witho
Package: libgradle-plugins-java
Version: 4.4-1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts
Hi,
during a test with piuparts I noticed your package fails to upgrade from
'sid' to 'experimental'.
It installed fine in 'sid', then the upgrade to 'experimental' fails
because i
Control: tag -1 stretch wontfix
Control: retitle -1 nvidia-graphics-drivers: Cannot be upgraded in stretch 9.5
with stretch-backports enabled (wants to remove several GNOME & KDE packages)
On 2018-07-14 17:27, Sebastiaan Couwenberg wrote:
> On 07/14/2018 05:19 PM, Andreas Beckmann wrote:
>> On 20
Processing control commands:
> tag -1 stretch wontfix
Bug #903770 [src:nvidia-graphics-drivers] nvidia-graphics-drivers: Cannot be
upgraded in stretch 9.5 without removing several GNOME & KDE packages
Added tag(s) wontfix and stretch.
> retitle -1 nvidia-graphics-drivers: Cannot be upgraded in st
On 07/14/2018 05:19 PM, Andreas Beckmann wrote:
> On 2018-07-14 17:04, Bas Couwenberg wrote:
>> The nvidia-driver packages cannot be updated as part of the stretch 9.5
>> stable update without removing several GNOME & KDE packages:
>
>> The following NEW packages will be installed:
>>libgl1 l
On 2018-07-14 17:04, Bas Couwenberg wrote:
> The nvidia-driver packages cannot be updated as part of the stretch 9.5
> stable update without removing several GNOME & KDE packages:
> The following NEW packages will be installed:
>libgl1 libgl1:i386 libgl1-nvidia-glx libglvnd0 libglvnd0:i386
>
Processing commands for cont...@bugs.debian.org:
> affects 903770 + release.debian.org
Bug #903770 [src:nvidia-graphics-drivers] nvidia-graphics-drivers: Cannot be
upgraded in stretch 9.5 without removing several GNOME & KDE packages
Added indication that 903770 affects release.debian.org
> thank
Source: nvidia-graphics-drivers
Version: 384.130-1
Severity: serious
Justification: makes the package in question unusable or mostly so
Dear Maintainer,
The nvidia-driver packages cannot be updated as part of the stretch 9.5
stable update without removing several GNOME & KDE packages:
The follo
I can confirm this bug in stable security.
It needs to be reopened.
Applying the patch mentioned by Jiri Palece
(https://salsa.debian.org/chromium-team/chromium/commit/402b98bb1079079a788696650e0a922b1e16bed8)
fixes the issue for me.
So I advise to rebuild chromium with it.
I built this package
Your message dated Sat, 14 Jul 2018 13:35:47 +
with message-id
and subject line Bug#903655: fixed in openmpi 3.1.1.real-3
has caused the Debian Bug report #903655,
regarding libopenmpi-dev: undefined symbol: OPAL_MCA_PMIX2X_PMIx_Get_version
to be marked as done.
This means that you claim that
Your message dated Sat, 14 Jul 2018 13:35:47 +
with message-id
and subject line Bug#903492: fixed in openmpi 3.1.1.real-3
has caused the Debian Bug report #903492,
regarding Runtime error "PMIX-XFER-VALUE: UNSUPPORTED TYPE 28016"
to be marked as done.
This means that you claim that the proble
Your message dated Sat, 14 Jul 2018 13:35:47 +
with message-id
and subject line Bug#903561: fixed in openmpi 3.1.1.real-3
has caused the Debian Bug report #903561,
regarding pmix 3.0.0 makes openmpi (and subsequent dependencies) unusable
to be marked as done.
This means that you claim that th
Your message dated Sat, 14 Jul 2018 13:36:04 +
with message-id
and subject line Bug#903530: fixed in pyresample 1.10.1-1
has caused the Debian Bug report #903530,
regarding pyresample FTBFS with Python 3.7 as supported version
to be marked as done.
This means that you claim that the problem h
Maximiliano Curia wrote:
Hello Luigi!
On 2018-07-14 at 10:37 +0100, Chris Lamb wrote:
My interpretation of this is that the intention is to assign the copyright
to the kde project, although it's not a hundred percent clear.
I should have been clearer, sorry — I understand you are
Your message dated Sat, 14 Jul 2018 13:02:32 +
with message-id
and subject line Bug#895406: fixed in libopenmpt 0.2.7386~beta20.3-3+deb9u3
has caused the Debian Bug report #895406,
regarding libopenmpt: CVE-2018-10017
to be marked as done.
This means that you claim that the problem has been d
Your message dated Sat, 14 Jul 2018 13:02:33 +
with message-id
and subject line Bug#901913: fixed in ruby-sprockets 3.7.0-1+deb9u1
has caused the Debian Bug report #901913,
regarding CVE-2018-3760
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is
Hi Gianfranco,
please include upstream's v2 patch, they missed one occurrence of _PC32
in ldrELFRelocatable.cpp.h in the first version...
Jan
Source: exiv2
Version: 0.26-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/Exiv2/exiv2/issues/378
Hi,
The following vulnerability was published for exiv2, filling with RC
severity so that the only affected version in experimental does not
Package: boinc-server-maker
Version: 7.12.0+dfsg-1exp2
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts
Hi,
during a test with piuparts I noticed your package failed to install. As
per definition of the release team this makes the package too buggy for
a release, thus the sev
Package: bind
Version: 1:9.13.1+dfsg-1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts
Hi,
during a test with piuparts I noticed your package failed to install. As
per definition of the release team this makes the package too buggy for
a release, thus the severity.
From th
Your message dated Sat, 14 Jul 2018 10:21:26 +
with message-id
and subject line Bug#903729: fixed in isc-kea 1.4.0.P1-1
has caused the Debian Bug report #903729,
regarding isc-kea: CVE-2018-5739: failure to release memory may exhaust system
resources
to be marked as done.
This means that you
Hello Luigi!
On 2018-07-14 at 10:37 +0100, Chris Lamb wrote:
My interpretation of this is that the intention is to assign the copyright
to the kde project, although it's not a hundred percent clear.
I should have been clearer, sorry — I understand you are going with
whatever the file sa
Hello!,
> My interpretation of this is that the intention is to assign the copyright
> to the kde project, although it's not a hundred percent clear.
I should have been clearer, sorry — I understand you are going with
whatever the file says but I am requesting that you make this clearer,
perhaps
Hello Chris!
On 2018-07-13 at 16:39 +0100, Chris Lamb wrote:
Source: plasma-browser-integration
Version: 5.13.1-1
Severity: serious
X-Debbugs-CC: Maximiliano Curia
I just ACCEPTed plasma-browser-integration from NEW but noticed it
declares "This_file_is_part_of_KDE" as a copyright hol
Control: reassign -1 xserver-xorg-core
Control: forcemerge 900550 -1
On 2018-07-13 10:55 -0400, annadane wrote:
> Package: xfce4
> Version: 4.12.4
> Severity: grave
> Justification: renders package unusable
>
> Dear Maintainer,
>
> On a fresh install of Sid (as in minimal Stable -> dist-upgrade),
Processing control commands:
> reassign -1 xserver-xorg-core
Bug #903708 [xfce4] xfce4: xfce fails to start with all methods
Bug reassigned from package 'xfce4' to 'xserver-xorg-core'.
No longer marked as found in versions xfce4/4.12.4.
Ignoring request to alter fixed versions of bug #903708 to th