RC Bugs 2013/10
Here are the concrete contributions on RC fixes for the week 2013/10:
#701227 - nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands
Proposed a patch to the BTS.
#698871 - CVE-2013-0219 CVE-2013-0220
Uploaded packages prepared by Timo Aaltonen.
#702525 - ruby1.9.1: CVE-2013-1821: entity expansion DoS vulnerability in REXML
Uploaded the package to the delayed queue but also asked the maintainers for an upload.
#702526 - ruby1.8: CVE-2013-1821: entity expansion DoS vulnerability in REXML
Sent patch to the BTS.
#702821 libapache2-mod-perl2: FTBFS: the CVE-2013-1667 fix breaks t/perl/hash_attack.t
Helped test-building the package with the proposed patches.
RC Bugs 2013/09
Again I did not do much concrete RC bug fixing; here is what I did in 2013/09:
#701052 - isync: CVE-2013-0289: Incorrect server's SSL x509.v3 certificate validation when performing IMAP synchronization
Prepared the package with upstream's patch for CVE-2013-0289 and uploaded to DELAYED/7 queue.
RC Bugs 2013/08
The work done on RC bugs directly is again minimal:
#699615 - CVE-2013-0250 - corosync: Remote DoS due improper HMAC initialization
Sent comment to the BTS.
RC Bugs 2013/07
Work done on RC bugs in 2013/07:
#699724 - radicale: Insufficient dependency on python-radicale
Proposed to NMU in the BTS. Prepared the commits for the collab-maint repository and test-built the package.
#700548 - padre: Failed to start: Can't locate object method "select" via package "Padre::DB::SyntaxHighlight"
Checked the report and replied to the reporter.
RC Bugs 2013/06
Not much work on RC bugs themselves again this week. I worked a bit on open issues to track in the security tracker and reported new issues.
#700098 - cfingerd: CVE-2013-1049 remote buffer overflow
Prepared package with Marc's patch and uploaded to DELAYED/5 queue.
RC Bugs 2013/05
Not much work on actually fixing RC bugs was done:
#699316 - libupnp: Multiple stack buffer overflow vulnerabilities
Sent debdiff (created with the patch found in Red Hat bugtracker) to the BTS.
RC Bugs 2013/04
Work done on RC bugs for 2013/04:
#698231 - memcached: CVE-2013-0179
Uploaded the patch as an NMU to the DELAYED/5 queue.
#698737 - owncloud: Multiple XSS vulnerabilities (oC-SA-2013-001)
Sent patch to the BTS.
#698940 - libcommon-sense-perl is not in the list of libev-perl dependencies
Added the missing Depends on libcommon-sense-perl.
RC Bugs 2013/03
My work done on RC bugs (only where I contributed to closing a bug):
#696424 - sanlock: CVE-2012-5638
Uploaded the package prepared by David Weber.
#698375 - gfs2-utils: fails to upgrade from squeeze: insserv: script gfs2-utils: service gfs2 already provided!
Investigated the issue and sent an update to the BTS.
#684810 - rgl: FTBFS: types.h:98:5: error: 'copy' was not declared in this scope, and no declarations were found by argument-dependent lookup at the point of instantiation [-fpermissive]
Uploaded the patch by Laszlo Kajan to testing-proposed-updates.
#698231 - memcached: CVE-2013-0179
Proposed a debdiff to the BTS.
#683584 - ganglia: [Debian RT] CVE-2012-3448: arbitrary script execution
Investigated the issue for Squeeze and proposed a debdiff based on the changes done upstream between 3.1.7 and 3.1.8.
RC Bugs 2013/02
I tried to work again on security-tracker related topics last week. For working on RC bugs, this is what I've done in 2013/02:
#685061 - gfs2-utils: fails to install due to incorrect dependencies in init.d LSB header
Added a Depends on gfs2-cluster for the gfs2-utils binary package. Sent a debdiff to the BTS. Uploaded the package to the DELAYED/5 queue.
#697870 - redhat-cluster-suite: Fails to install due to removed clvm package
Sent a patch for unstable to the BTS. Uploaded the package to the DELAYED/5 queue.
#697186 - Missing dependency on libcollection-dev
Uploaded the package.
#697895 - Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)
Proposed debdiffs to the BTS.
#697221 - motion: No longer has support for mysql
Proposed a patch to the BTS.
RC Bugs 2013/01
Work done on RC bugs in 2013/01:
#696736 - Insecure permissions on database files
Uploaded an NMU to the DELAYED/7 queue.
Fixed an FTBFS in libconfig-model-dpkg-perl (no bug report) that occurred if no writable $HOME was available during the tests at build time.
#696424 - sanlock: CVE-2012-5638
Sent a proposed debdiff to the BTS.
#697375 - rpm: CVE-2012-6088
Sent proposed debdiffs to the BTS. After Michal's confirmation, prepared uploads for unstable and testing.