Bug#953745: stretch-pu: package proftpd-dfsg/1.3.5b-4+deb9u5

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

Bug#953745: stretch-pu: package proftpd-dfsg/1.3.5b-4+deb9u5

Hilmar Preuße
Package: release.debian.org
Severity: normal
Tags: stretch
User: [hidden email]
Usertags: pu

Dear Release managers,

the package fixes two critical issues, which impact the usability of the
mod_sftp proftp module and the proftp package itself.
There are situations, where users can't connect to an proftp server using
sftp in case the client is recent enough.  Further I removed the debconf
call as it causes a hang in postinst.  Debconf integration has been removed
for buster anyway.

- Issue is solved in Debian unstable since 1.3.6c-1
- Both bugs are set to important
- debdiff is attached

I tested a build on Debian oldstable and the reporters confirmed that the
patch solved both issues.  The debdiff is against deb9u4, which has been
uploaded by the sec team.

Consider to include it in Debian oldstable. Thanks!

Thanks, Hilmar!
-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 5.4.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--
sigmentation fault

1.3.5b-4+deb9u4_1.3.5b-4+deb9u5.diff (7K) Download Attachment
signature.asc (981 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#953745: stretch-pu: package proftpd-dfsg/1.3.5b-4+deb9u5

Adam D. Barratt
Control: tags -1 + moreinfo

On Thu, 2020-03-12 at 21:54 +0100, Hilmar Preusse wrote:

> the package fixes two critical issues, which impact the usability of
> the mod_sftp proftp module and the proftp package itself.
> There are situations, where users can't connect to an proftp server
> using sftp in case the client is recent enough.  Further I removed
> the debconf call as it causes a hang in postinst.  Debconf
> integration has been removed
> for buster anyway.
>
> - Issue is solved in Debian unstable since 1.3.6c-1
>

I'm afraid that I'm slightly confused on this point:

adsb@coccia:~$ grep debconf proftpd-dfsg-1.3.6c/debian/proftpd-basic.postinst
        ucf --debconf-ok ${file}.proftpd-new $file
. /usr/share/debconf/confmodule

That looks like the debconf modules are still be pulled in in unstable.

Regards,

Adam

Reply | Threaded
Open this post in threaded view
|

Bug#953745: stretch-pu: package proftpd-dfsg/1.3.5b-4+deb9u5

Hilmar Preuße
Am 12.04.2020 um 23:45 teilte Adam D. Barratt mit:

Hi Adam,

> I'm afraid that I'm slightly confused on this point:
>
> adsb@coccia:~$ grep debconf proftpd-dfsg-1.3.6c/debian/proftpd-basic.postinst
> ucf --debconf-ok ${file}.proftpd-new $file
> . /usr/share/debconf/confmodule
>
> That looks like the debconf modules are still be pulled in in unstable.
>
Seems, we did not remove all references to debconf back in 2017 and we
still read the confmodule file. However we don't use that code any more
since 2017:

commit c02d6aa7e53180030150bcb7bafecb5bc65ce245
Author: Francesco Paolo Lovergine <[hidden email]>
Date:   Fri Jan 27 17:28:24 2017 +0100

    Fixed residual debconf support.

commit 81a40ed6042d63ea8593c1d04bcc2dcadd821592
Author: Francesco Paolo Lovergine <[hidden email]>
Date:   Fri Jan 27 14:49:49 2017 +0100

    Updated NEWS file about new version without debconf support.

commit b0acf6578dec55470659c80967b20d645c88c25b
Author: Francesco Paolo Lovergine <[hidden email]>
Date:   Fri Jan 27 14:43:47 2017 +0100

    Removed debconf support and maintainer support for non-standalone mode.

Therefore we don't change anything in the functionality if we stop
reading /usr/share/debconf/confmodule .

Hilmar
--
sigfault
#206401 http://counter.li.org


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#953745: stretch-pu: package proftpd-dfsg/1.3.5b-4+deb9u5

Julien Cristau-6
Control: tag -1 moreinfo

On Mon, Apr 13, 2020 at 05:40:43PM +0200, Hilmar Preuße wrote:

> Am 12.04.2020 um 23:45 teilte Adam D. Barratt mit:
>
> Hi Adam,
>
> > I'm afraid that I'm slightly confused on this point:
> >
> > adsb@coccia:~$ grep debconf proftpd-dfsg-1.3.6c/debian/proftpd-basic.postinst
> > ucf --debconf-ok ${file}.proftpd-new $file
> > . /usr/share/debconf/confmodule
> >
> > That looks like the debconf modules are still be pulled in in unstable.
> >
> Seems, we did not remove all references to debconf back in 2017 and we
> still read the confmodule file. However we don't use that code any more
> since 2017:
>
> commit c02d6aa7e53180030150bcb7bafecb5bc65ce245
> Author: Francesco Paolo Lovergine <[hidden email]>
> Date:   Fri Jan 27 17:28:24 2017 +0100
>
>     Fixed residual debconf support.
>
> commit 81a40ed6042d63ea8593c1d04bcc2dcadd821592
> Author: Francesco Paolo Lovergine <[hidden email]>
> Date:   Fri Jan 27 14:49:49 2017 +0100
>
>     Updated NEWS file about new version without debconf support.
>
> commit b0acf6578dec55470659c80967b20d645c88c25b
> Author: Francesco Paolo Lovergine <[hidden email]>
> Date:   Fri Jan 27 14:43:47 2017 +0100
>
>     Removed debconf support and maintainer support for non-standalone mode.
>
> Therefore we don't change anything in the functionality if we stop
> reading /usr/share/debconf/confmodule .
>
This is still present in sid, so re-adding the moreinfo tag.

Cheers,
Julien

Reply | Threaded
Open this post in threaded view
|

Bug#953745: stretch-pu: package proftpd-dfsg/1.3.5b-4+deb9u5

Hilmar Preuße
In reply to this post by Adam D. Barratt
Am 12.04.2020 um 23:45 teilte Adam D. Barratt mit:

Hi Adam,

Ho about that one: will deb9u5 accepted for next oldstable release?

Thanks!

> I'm afraid that I'm slightly confused on this point:
>
> adsb@coccia:~$ grep debconf proftpd-dfsg-1.3.6c/debian/proftpd-basic.postinst
> ucf --debconf-ok ${file}.proftpd-new $file
> . /usr/share/debconf/confmodule
>
> That looks like the debconf modules are still be pulled in in unstable.
>
Seems, we did not remove all references to debconf back in 2017 and we
still read the confmodule file. However we don't use that code any more
since 2017:

commit c02d6aa7e53180030150bcb7bafecb5bc65ce245
Author: Francesco Paolo Lovergine <[hidden email]>
Date:   Fri Jan 27 17:28:24 2017 +0100

    Fixed residual debconf support.

commit 81a40ed6042d63ea8593c1d04bcc2dcadd821592
Author: Francesco Paolo Lovergine <[hidden email]>
Date:   Fri Jan 27 14:49:49 2017 +0100

    Updated NEWS file about new version without debconf support.

commit b0acf6578dec55470659c80967b20d645c88c25b
Author: Francesco Paolo Lovergine <[hidden email]>
Date:   Fri Jan 27 14:43:47 2017 +0100

    Removed debconf support and maintainer support for non-standalone mode.

Therefore we don't change anything in the functionality if we stop
reading /usr/share/debconf/confmodule .

Hilmar
--
sigfault
#206401 http://counter.li.org




signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#953745: stretch-pu: package proftpd-dfsg/1.3.5b-4+deb9u5

Adam D. Barratt
On Sat, 2020-05-09 at 15:57 +0200, Hilmar Preuße wrote:
> Am 12.04.2020 um 23:45 teilte Adam D. Barratt mit:
>
> Hi Adam,
>
> Ho about that one: will deb9u5 accepted for next oldstable release?
>

As Julien mentioned in a mail that you should have received on April
26th, if you want to remove the debconf calls in stretch then they need
to be removed in unstable first.

Per your own previous response:

> Seems, we did not remove all references to debconf back in 2017 and
we
> still read the confmodule file. However we don't use that code any
more
> since 2017:

Whether the package in unstable actually uses debconf to manage its
configuration, it *does* still source the debconf confmodule in
proftpd-basic.postinst, which is the call that you're proposing to
remove in the stretch update.

Regards,

Adam

Reply | Threaded
Open this post in threaded view
|

Bug#953745: stretch-pu: package proftpd-dfsg/1.3.5b-4+deb9u5

Hilmar Preuße
Am 09.05.2020 um 16:22 teilte Adam D. Barratt mit:
> On Sat, 2020-05-09 at 15:57 +0200, Hilmar Preuße wrote:

Hi Adam,

>> Ho about that one: will deb9u5 accepted for next oldstable release?
>
> As Julien mentioned in a mail that you should have received on April
> 26th, if you want to remove the debconf calls in stretch then they need
> to be removed in unstable first.
>
I did not get any many from Julien. Anyway: I've uploaded the requested
change to Debian unstable yesterday. Is this sufficient to get deb9u5
into oldstable?

Thanks!

Hilmar
--
sigfault
#206401 http://counter.li.org


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#953745: stretch-pu: package proftpd-dfsg/1.3.5b-4+deb9u5

Adam D. Barratt
Control: tags -1 -moreinfo +confirmed

On Tue, 2020-05-19 at 09:07 +0200, Hilmar Preuße wrote:

> Am 09.05.2020 um 16:22 teilte Adam D. Barratt mit:
> > On Sat, 2020-05-09 at 15:57 +0200, Hilmar Preuße wrote:
>
> Hi Adam,
>
> > > Ho about that one: will deb9u5 accepted for next oldstable
> > > release?
> >
> > As Julien mentioned in a mail that you should have received on
> > April 26th, if you want to remove the debconf calls in stretch then
> > they need to be removed in unstable first.
> >
> I did not get any many from Julien.

Apparently web.de has blacklisted his mail server (and/or surrounding
network) for some reason.

> Anyway: I've uploaded the requested
> change to Debian unstable yesterday. Is this sufficient to get deb9u5
> into oldstable?
>

Sure, please go ahead.

Regards,

Adam

Reply | Threaded
Open this post in threaded view
|

Bug#953745: stretch-pu: package proftpd-dfsg/1.3.5b-4+deb9u5

Hilmar Preuße

Am 28.05.2020 um 23:54 teilte Adam D. Barratt mit:
> On Tue, 2020-05-19 at 09:07 +0200, Hilmar Preuße wrote:

Hi Adam,

>> Anyway: I've uploaded the requested
>> change to Debian unstable yesterday. Is this sufficient to get deb9u5
>> into oldstable?
>>
>
> Sure, please go ahead.
>

I've uploaded proftpd-dfsg_1.3.5b-4+deb9u5 into the archive. Please process.

Thanks!

Hilmar
--
sigfault
#206401 http://counter.li.org


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#953745: proftpd-dfsg 1.3.5b-4+deb9u5 flagged for acceptance

Adam D. Barratt
In reply to this post by Hilmar Preuße
package release.debian.org
tags 953745 = stretch pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian stretch.

Thanks for your contribution!

Upload details
==============

Package: proftpd-dfsg
Version: 1.3.5b-4+deb9u5

Explanation: fix handling SSH_MSG_IGNORE packets