From anarcat at debian.org Fri Feb 5 21:37:29 2016
From: anarcat at debian.org (Antoine Beaupré)
Date: Fri, 05 Feb 2016 16:37:29 -0500
Subject: [Pkg-roundcube-maintainers] Bug#813843: wheezy backports cruelly out of date
Message-ID: <20160205213729.25492.7959.reportbug@angela.anarc.at>

Source: roundcube
Version: 0.9.5-1~bpo70+1
Severity: normal
Tags: security

The wheezy version of roundcube is seriously out of date. It is running a version that has no correspondence to the jessie version (it was dropped from jessie prior to release) or stretch (it was not updated since then).

The last upload was done by `Vincent Bernat `, one of the current uploaders.

There are two ways out of this:

 * remove roundcube from wheezy-backports
 * update roundcube in wheezy-backports-sloppy

It may be necessary to actually do both because normally, you can't have packages into $SUITE-backports that are not in $SUITE+1, hence the -sloppy.

I stumbled upon this while doing security triage for recent Roundcube security issues. Normally, backports are not part of that triage, but they are often covered eventually as the backports are updated from the corresponding source.

I am worried that the 0.9.5 version in wheezy-backports is vulnerable to a bunch of security issues...

https://security-tracker.debian.org/tracker/source-package/roundcube
http://www.cvedetails.com/version/155252/Roundcube-Webmail-0.9.5.html

Just looking at the above, roundcube in wheezy-backports seems vulnerable to

http://www.cvedetails.com/cve/CVE-2013-6172/

steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings via the _session parameter, which can be leveraged to read arbitrary files, conduct SQL injection attacks, and execute arbitrary code.
-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (500, 'oldstable'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

From taffit at debian.org Sat Feb 13 19:43:06 2016
From: taffit at debian.org (David Prévot)
Date: Sat, 13 Feb 2016 15:43:06 -0400
Subject: [Pkg-roundcube-maintainers] Bug#814664: Incorrect hardcoded php-auth and other dependencies
Message-ID: <20160213194306.GA23976@mikado.tilapin.org>

Package: roundcube-core
Version: 1.1.4+dfsg.1-1
Severity: important

Hi,

According to composer.json-dist, there shouldn't be any php-auth dependency. Instead, it should read something like:

Depends: php-auth-sasl (>= 1.0.6),
         php-net-idna2 (>= 0.1.1),
         php-net-sieve (>= 1.3.4),
         php-mail-mime (>= 1.9.0),
         php-net-smtp (>= 1.4.2),
         php-patchwork-utf8 (>= 1.2.3)
Suggests: php-net-ldap2 (>= 2.1.0),
          php-net-ldap3

pkg-php-tools may be useful to translate those dependencies automatically, and to keep them up to date.

Since php-auth "is not maintained" [0], we'd like to get rid of it ASAP, thus the important severity.

    0: https://pear.php.net/package/Auth

I'll open a serious bug against php-auth, and block it by this one. You may wish to update your package before it gets auto-removed.

Regards

David
From owner at bugs.debian.org Sat Feb 13 19:57:08 2016
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 13 Feb 2016 19:57:08 +0000
Subject: [Pkg-roundcube-maintainers] Processed: Useless in Debian
References: <20160213195436.GA26800@mikado.tilapin.org> <20160213195436.GA26800@mikado.tilapin.org>
Message-ID:

Processing control commands:

> block -1 by 814664
Bug #814665 [php-auth] Useless in Debian
814665 was not blocked by any bugs.
814665 was not blocking any bugs.
Added blocking bug(s) of 814665: 814664

--
814665: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814665
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

From noreply at release.debian.org Sun Feb 21 04:39:04 2016
From: noreply at release.debian.org (Debian testing autoremoval watch)
Date: Sun, 21 Feb 2016 04:39:04 +0000
Subject: [Pkg-roundcube-maintainers] roundcube-plugins-extra is marked for autoremoval from testing
Message-ID:

roundcube-plugins-extra 1.1.3-20151025 is marked for autoremoval from testing on 2016-03-28

It (build-)depends on packages with these RC bugs:
814665: php-auth: Useless in Debian

From noreply at release.debian.org Sun Feb 21 04:39:04 2016
From: noreply at release.debian.org (Debian testing autoremoval watch)
Date: Sun, 21 Feb 2016 04:39:04 +0000
Subject: [Pkg-roundcube-maintainers] roundcube is marked for autoremoval from testing
Message-ID:

roundcube 1.1.4+dfsg.1-1 is marked for autoremoval from testing on 2016-03-28

It (build-)depends on packages with these RC bugs:
814665: php-auth: Useless in Debian

From bugs at sandroknauss.de Tue Feb 23 00:12:14 2016
From: bugs at sandroknauss.de (Sandro Knauß)
Date: Tue, 23 Feb 2016 01:12:14 +0100
Subject: [Pkg-roundcube-maintainers] Bug#814664: Bug#814664: Incorrect hardcoded php-auth and other dependencies
In-Reply-To: <20160213194306.GA23976@mikado.tilapin.org>
References: <20160213194306.GA23976@mikado.tilapin.org>
Message-ID: <2364778.8aXY6mosKu@tuxin>

Hey,

thanks for reporting this bug. I actually try to use pkg-php-tools, but don't get the same result like you. I installed the composer.json-dist to roundcube-core package and then run

override_dh_phpcomposer:
        dh_phpcomposer --sourcedirectory=$(CURDIR)/debian/roundcube-core/usr/share/roundcube

but with that I get:

phpcomposer:Debian-require=php5-common, php5-common (>= 5.3.7), php-roundcube-plugin-installer (>= 0.1.6), php-roundcube-plugin-installer (<< 0.2~~), php-auth-sasl (>= 1.0.6), php-auth-sasl (<< 1.1~~), php-net-idna2 (>= 0.1.1), php-net-idna2 (<< 0.2~~), php-net-sieve (>= 1.3.4), php-net-sieve (<< 1.4~~), php-mail-mime (>= 1.9.0), php-mail-mime (<< 1.10~~), php-net-smtp (>= 1.7.1), php-net-smtp (<< 1.8~~), php-patchwork-utf8 (>= 1.2.3), php-patchwork-utf8 (<< 1.3~~)
phpcomposer:Debian-require-dev=php-crypt-gpg, phpunit
phpcomposer:Debian-suggest=php-net-ldap2, php-net-ldap3

Do I miss an option for dh_phpcomposer to get rid of these << XX~~ parts? Or are they needed?

regards,

sandro

--

On Saturday 13 February 2016, 15:43:06, David Prévot wrote:
> Package: roundcube-core
> Version: 1.1.4+dfsg.1-1
> Severity: important
>
> Hi,
>
> According to composer.json-dist, there shouldn't be any php-auth
> dependency. Instead, it should read something like:
>
> Depends: php-auth-sasl (>= 1.0.6),
>          php-net-idna2 (>= 0.1.1),
>          php-net-sieve (>= 1.3.4),
>          php-mail-mime (>= 1.9.0),
>          php-net-smtp (>= 1.4.2),
>          php-patchwork-utf8 (>= 1.2.3)
> Suggests: php-net-ldap2 (>= 2.1.0),
>           php-net-ldap3
>
> pkg-php-tools may be useful to translate those dependencies
> automatically, and to keep them up to date.
>
> Since php-auth "is not maintained" [0], we'd like to get rid of it
> ASAP, thus the important severity.
>
>     0: https://pear.php.net/package/Auth
>
> I'll open a serious bug against php-auth, and block it by this one.
> You may wish to update your package before it gets auto-removed.
>
> Regards
>
> David

From taffit at debian.org Tue Feb 23 00:34:07 2016
From: taffit at debian.org (David Prévot)
Date: Mon, 22 Feb 2016 20:34:07 -0400
Subject: [Pkg-roundcube-maintainers] Bug#814664: Bug#814664: Incorrect hardcoded php-auth and other dependencies
In-Reply-To: <2364778.8aXY6mosKu@tuxin>
References: <20160213194306.GA23976@mikado.tilapin.org> <2364778.8aXY6mosKu@tuxin>
Message-ID: <7df786ae8f2606184983d726b8e23326.squirrel@webmail.tilapin.org>

Hi Sandro,

> but with that I get:
> phpcomposer:Debian-require=php5-common, php5-common (>= 5.3.7),
> php-roundcube-plugin-installer (>= 0.1.6), php-roundcube-plugin-installer (<< 0.2~~),
[…]
> Do I miss an option for dh_phpcomposer to get rid of these << XX~~ parts?
> Or are they needed?

They are actually a fair translation of the composer.json file content (IOW, nothing wrong with these << XX~~ parts). You can have a look at the Composer doc for the reference documentation, and follow up to pkg-php-pear at l.d.o if you disagree with the current translation (everything can be improved ;).

Regards

David

From bugs at sandroknauss.de Tue Feb 23 20:48:26 2016
From: bugs at sandroknauss.de (Sandro Knauß)
Date: Tue, 23 Feb 2016 21:48:26 +0100
Subject: [Pkg-roundcube-maintainers] 1.1.4-3 to sid
Message-ID: <1884238.Ua5qO2o7Rf@tuxin>

Hey,

I actually pushed the fix for #814664 and made some further cleanups for roundcube, so I think we should push these to sid to get not autormd again from testing. The necessary changes are available in git already.

@Vincent: Am I right, that you are the only one who has upload permissions?

Regards,

sandro
From bernat at debian.org Tue Feb 23 20:58:13 2016
From: bernat at debian.org (Vincent Bernat)
Date: Tue, 23 Feb 2016 21:58:13 +0100
Subject: [Pkg-roundcube-maintainers] 1.1.4-3 to sid
In-Reply-To: <1884238.Ua5qO2o7Rf@tuxin> ("Sandro Knauß"'s message of "Tue, 23 Feb 2016 21:48:26 +0100")
References: <1884238.Ua5qO2o7Rf@tuxin>
Message-ID:

❦ 23 February 2016 21:48 +0100, Sandro Knauß:

> I actually pushed the fix for #814664 and made some further cleanups for
> roundcube, so I think we should push these to sid to get not autormd again
> from testing. The necessary changes are available in git already.
>
> @Vincent: Am I right, that you are the only one who has upload
> permissions?

Any DD can upload. Lunar is part of the team too. But maybe you are asking if I have given some permissions to DM? I don't remember doing so. I can do that for you if you want.

--
Make the coupling between modules visible.
            - The Elements of Programming Style (Kernighan & Plauger)

From bugs at sandroknauss.de Tue Feb 23 22:45:02 2016
From: bugs at sandroknauss.de (Sandro Knauß)
Date: Tue, 23 Feb 2016 23:45:02 +0100
Subject: [Pkg-roundcube-maintainers] 1.1.4-3 to sid
In-Reply-To:
References: <1884238.Ua5qO2o7Rf@tuxin>
Message-ID: <7834588.lzBCjx3vvI@tuxin>

Hey,

> Any DD can upload. Lunar is part of the team too. But maybe you are
> asking if I have given some permissions to DM? I don't remember doing
> so. I can do that for you if you want.

I just looked at the upload history and saw that you were the only one uploading. But still a DD should be part of the team - Okay yes he could also just sign the upload of any team member.

If you d'accord with giving upload permissions to me I would appreciate it. On the other side I also like the idea of a review process, so that another team member looks through the changes...

Regards,

sandro

From bernat at debian.org Wed Feb 24 06:56:29 2016
From: bernat at debian.org (Vincent Bernat)
Date: Wed, 24 Feb 2016 07:56:29 +0100
Subject: [Pkg-roundcube-maintainers] 1.1.4-3 to sid
In-Reply-To: <7834588.lzBCjx3vvI@tuxin> ("Sandro Knauß"'s message of "Tue, 23 Feb 2016 23:45:02 +0100")
References: <1884238.Ua5qO2o7Rf@tuxin> <7834588.lzBCjx3vvI@tuxin>
Message-ID:

❦ 23 February 2016 23:45 +0100, Sandro Knauß:

>> Any DD can upload. Lunar is part of the team too. But maybe you are
>> asking if I have given some permissions to DM? I don't remember doing
>> so. I can do that for you if you want.
>
> I just looked at the upload history and saw that you were the only one
> uploading. But still a DD should be part of the team - Okay yes he could also
> just sign the upload of any team member.
>
> If you d'accord with giving upload permissions to me I would appreciate it. On
> the other side I also like the idea of a review process, so that another team
> member looks through the changes...

I have granted you the right to upload. I can still do reviews of course. Your latest changes are OK for me. Try to upload them (maybe wait a bit if you receive this mail just after I wrote it, dunno how much time it takes for the process to be complete).

--
Let the machine do the dirty work.
            - The Elements of Programming Style (Kernighan & Plauger)
From ftpmaster at ftp-master.debian.org Wed Feb 24 14:25:50 2016
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Wed, 24 Feb 2016 14:25:50 +0000
Subject: [Pkg-roundcube-maintainers] Processing of roundcube_1.1.4+dfsg.1-2_source.changes
Message-ID:

roundcube_1.1.4+dfsg.1-2_source.changes uploaded successfully to localhost
along with the files:
  roundcube_1.1.4+dfsg.1-2.dsc
  roundcube_1.1.4+dfsg.1-2.debian.tar.xz

Greetings,

        Your Debian queue daemon (running on host franck.debian.org)

From ftpmaster at ftp-master.debian.org Wed Feb 24 16:54:14 2016
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Wed, 24 Feb 2016 16:54:14 +0000
Subject: [Pkg-roundcube-maintainers] roundcube_1.1.4+dfsg.1-2_source.changes ACCEPTED into unstable
Message-ID:

Accepted:

Format: 1.8
Date: Wed, 24 Feb 2016 15:17:35 +0100
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite3 roundcube-plugins
Architecture: source
Version: 1.1.4+dfsg.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Roundcube Maintainers
Changed-By: Sandro Knauß
Description:
 roundcube  - skinnable AJAX based webmail solution for IMAP servers - metapack
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins
 roundcube-sqlite3 - metapackage providing SQLite dependencies for RoundCube
Closes: 801973 809769 814664
Changes:
 roundcube (1.1.4+dfsg.1-2) unstable; urgency=medium
 .
   [ Vincent Bernat ]
   * Use an empty array for plugin configuration templates to ensure
     Roundcube knows the configuration file is valid. Closes: #809769.
   * Pre-Depends on appriopriate dpkg version for dir_to_symlink. Related
     to #810980.
 .
   [ Sandro Knauß ]
   * Use dh_phpcomposer to track php dependencies. (Closes: #814664)
   * Use safe urls for VCS fields
   * Bumped compat level to 9
   * Updated lintian overrides
   * Added php-pear to depends for roundcube-core. (Closes: #801973)
   * Bump Standards-Version to 3.9.7

Thank you for your contribution to Debian.

From owner at bugs.debian.org Wed Feb 24 16:57:04 2016
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Wed, 24 Feb 2016 16:57:04 +0000
Subject: [Pkg-roundcube-maintainers] Bug#801973: marked as done (error 255 on package configuration)
References: <56210331.5000709@proxymail.eu>
Message-ID:

Your message dated Wed, 24 Feb 2016 16:54:14 +0000 with message-id and subject line Bug#801973: fixed in roundcube 1.1.4+dfsg.1-2 has caused the Debian Bug report #801973, regarding error 255 on package configuration to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.)

--
801973: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801973
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: e-mmanuel
Subject: error 255 on package configuration
Date: Fri, 16 Oct 2015 16:01:21 +0200
Size: 6312
URL:

-------------- next part --------------
An embedded message was scrubbed...
From: Sandro Knauß
Subject: Bug#801973: fixed in roundcube 1.1.4+dfsg.1-2
Date: Wed, 24 Feb 2016 16:54:14 +0000
Size: 5962
URL:

From owner at bugs.debian.org Wed Feb 24 16:57:08 2016
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Wed, 24 Feb 2016 16:57:08 +0000
Subject: [Pkg-roundcube-maintainers] Bug#809769: marked as done (roundcube: Error log is filled with messages that config file cannot be loaded)
References: <56898D90.8070503@mail.ru>
Message-ID:

Your message dated Wed, 24 Feb 2016 16:54:14 +0000 with message-id and subject line Bug#809769: fixed in roundcube 1.1.4+dfsg.1-2 has caused the Debian Bug report #809769, regarding roundcube: Error log is filled with messages that config file cannot be loaded to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.)

--
809769: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809769
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Dmitry Katsubo
Subject: roundcube: Error log is filled with messages that config file cannot be loaded
Date: Sun, 3 Jan 2016 22:07:28 +0100
Size: 3089
URL:

-------------- next part --------------
An embedded message was scrubbed...
From: Sandro Knauß
Subject: Bug#809769: fixed in roundcube 1.1.4+dfsg.1-2
Date: Wed, 24 Feb 2016 16:54:14 +0000
Size: 5986
URL:

From owner at bugs.debian.org Wed Feb 24 16:57:15 2016
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Wed, 24 Feb 2016 16:57:15 +0000
Subject: [Pkg-roundcube-maintainers] Bug#814664: marked as done (Incorrect hardcoded php-auth and other dependencies)
References: <20160213194306.GA23976@mikado.tilapin.org>
Message-ID:

Your message dated Wed, 24 Feb 2016 16:54:14 +0000 with message-id and subject line Bug#814664: fixed in roundcube 1.1.4+dfsg.1-2 has caused the Debian Bug report #814664, regarding Incorrect hardcoded php-auth and other dependencies to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.)

--
814664: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814664
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: David Prévot
Subject: Incorrect hardcoded php-auth and other dependencies
Date: Sat, 13 Feb 2016 15:43:06 -0400
Size: 3638
URL:

-------------- next part --------------
An embedded message was scrubbed...
From: Sandro Knauß
Subject: Bug#814664: fixed in roundcube 1.1.4+dfsg.1-2
Date: Wed, 24 Feb 2016 16:54:14 +0000
Size: 5985
URL: