
Please unblock paste and sqlalchemy



Hi,

Could you unblock paste and sqlalchemy source packages?
Both are waiting in unstable.


About paste 1.0.1-1:
====================

It's a new upstream release, but it contains only a security fix
(compared to 1.0-1); it has a TEMP name in CVE:

paste 1.0-1 allowed escaping the root (and reading files) when used with
paste.httpserver (this does not affect other servers, and does not apply when
proxying requests from Apache to paste.httpserver).

`debdiff paste_1.0-1.dsc paste_1.0.1-1.dsc` output is attached as paste.debdiff


About sqlalchemy 0.3.1-2
========================

It fixes RC (serious) bug #403767: Licensing information is missing

`debdiff sqlalchemy_0.3.1-1.dsc sqlalchemy_0.3.1-2.dsc` output is attached as
sqlalchemy.debdiff


Please CC: me on replies,
Thanks in advance
-- 
:wq!
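The containment rule that the urlparser.py change in the attached debdiff relies on, shown as an added example that is not part of this mail or of Paste itself: `resolve_static_path` is a hypothetical helper, and `/srv/www` plus the request paths are constructed inputs. It also covers the case the fix addresses, a root that would otherwise be left unset, by always deriving one from the served directory.

```python
import os


def resolve_static_path(root_directory, path_info):
    """Map a request path onto a file under root_directory.

    Returns the normalized filesystem path, or None when the request would
    land outside the root. Hypothetical helper written for this note, not
    StaticURLParser's code; it only shows the check a static file server
    must run against a root that is always set.
    """
    # Normalize the root once, as the fix does with normpath(); abspath()
    # additionally anchors a relative root to the process working directory.
    root = os.path.normpath(os.path.abspath(root_directory))
    # Treat PATH_INFO as relative even when it starts with '/', otherwise
    # os.path.join() would discard the root entirely.
    candidate = os.path.normpath(os.path.join(root, path_info.lstrip("/")))
    # Lexical containment: the candidate is the root itself or lies beneath
    # it. Comparing against root + os.sep stops '/srv/www2' from passing as
    # a child of '/srv/www'. normpath() collapses '.' and '..' lexically
    # only; if the tree may contain symlinks, compare realpath() results too.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests against a constructed document root.
    for path in ["/css/site.css", "/", "/../etc/passwd", "/img/../../../x"]:
        print(repr(path), "->", resolve_static_path("/srv/www", path))
```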
diff -Nru /tmp/9RYLp5NsNr/paste-1.0/debian/changelog /tmp/h6T8ArgtUG/paste-1.0.1/debian/changelog
--- /tmp/9RYLp5NsNr/paste-1.0/debian/changelog	2006-12-20 14:47:03.000000000 +0100
+++ /tmp/h6T8ArgtUG/paste-1.0.1/debian/changelog	2006-12-20 14:47:04.000000000 +0100
@@ -1,3 +1,12 @@
+paste (1.0.1-1) unstable; urgency=medium
+
+  * New upstream release. This release includes *only* the security
+    fix, version 1.1 (released simultaneously) will be uploaded to
+    experimental (due to Etch freeze)
+  * Added XS-Vcs-Svn and XS-Vcs-Browser fields to debian/control
+
+ -- Piotr Ozarowski <ozarow@gmail.com>  Mon, 18 Dec 2006 13:15:20 +0100
+
 paste (1.0-1) unstable; urgency=low
 
   * New upstream release
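Review bot: the 1.0.1-1 entry says the upload carries only the security fix but never names the issue; since the cover mail says it has a TEMP CVE name, record that identifier and the affected component (StaticURLParser, from docs/news.txt) in the changelog entry so the security tracker can match this upload to the vulnerability.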
diff -Nru /tmp/9RYLp5NsNr/paste-1.0/debian/control /tmp/h6T8ArgtUG/paste-1.0.1/debian/control
--- /tmp/9RYLp5NsNr/paste-1.0/debian/control	2006-12-20 14:47:03.000000000 +0100
+++ /tmp/h6T8ArgtUG/paste-1.0.1/debian/control	2006-12-20 14:47:04.000000000 +0100
@@ -7,6 +7,8 @@
 Build-Depends-Indep: python (>= 2.3.5-11), python-all-dev, python-central (>= 0.5.6), python-setuptools (>= 0.6b3-1), python-docutils
 Standards-Version: 3.7.2
 XS-Python-Version: >= 2.4
+XS-Vcs-Svn: svn://svn.debian.org/python-modules/packages/paste/trunk/
+XS-Vcs-Browser: http://svn.debian.org/wsvn/python-modules/packages/paste/trunk/?op=log
 
 Package: python-paste
 Architecture: all
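Review bot: the XS-Vcs-Svn and XS-Vcs-Browser additions are packaging metadata unrelated to the security fix that this freeze-exception upload is meant to contain; they are harmless, but a security-only upload should ideally carry nothing else, and the changelog already flags them so the release team can judge.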
diff -Nru /tmp/9RYLp5NsNr/paste-1.0/docs/news.txt /tmp/h6T8ArgtUG/paste-1.0.1/docs/news.txt
--- /tmp/9RYLp5NsNr/paste-1.0/docs/news.txt	2006-10-22 22:56:34.000000000 +0200
+++ /tmp/h6T8ArgtUG/paste-1.0.1/docs/news.txt	2006-12-18 01:23:36.000000000 +0100
@@ -3,6 +3,12 @@
 
 .. contents::
 
+1.0.1
+-----
+
+* Security fix for StaticURLParser (only applies when using
+  ``paste.httpserver`` publically without an Apache frontend).
+
 1.0
 ---
 
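Review bot: the news entry only says "Security fix for StaticURLParser" and does not state the impact; per the cover mail, requests could escape the configured root and read files outside it, and users need that to assess exposure. "publically" should also be "publicly".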
diff -Nru /tmp/9RYLp5NsNr/paste-1.0/paste/urlparser.py /tmp/h6T8ArgtUG/paste-1.0.1/paste/urlparser.py
--- /tmp/9RYLp5NsNr/paste-1.0/paste/urlparser.py	2006-10-22 22:56:41.000000000 +0200
+++ /tmp/h6T8ArgtUG/paste-1.0.1/paste/urlparser.py	2006-12-18 01:23:40.000000000 +0100
@@ -435,6 +435,8 @@
         self.root_directory = root_directory
         if root_directory is not None:
             self.root_directory = os.path.normpath(self.root_directory)
+        else:
+            self.root_directory = os.path.normpath(directory)
         self.cache_max_age = cache_max_age
         
     def __call__(self, environ, start_response):
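Review bot: the added else branch means self.root_directory is never left as None, so any later check keyed on it being set now runs by default instead of being skipped when the caller omits root_directory; that check is outside this hunk, so confirm every path that opens a file under `directory` goes through it. Note too that os.path.normpath() only collapses "." and ".." lexically and does not resolve symlinks, so a root containing symlinks would still need an os.path.realpath() comparison.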
diff -Nru /tmp/9RYLp5NsNr/paste-1.0/Paste.egg-info/PKG-INFO /tmp/h6T8ArgtUG/paste-1.0.1/Paste.egg-info/PKG-INFO
--- /tmp/9RYLp5NsNr/paste-1.0/Paste.egg-info/PKG-INFO	2006-10-22 22:57:21.000000000 +0200
+++ /tmp/h6T8ArgtUG/paste-1.0.1/Paste.egg-info/PKG-INFO	2006-12-18 01:24:29.000000000 +0100
@@ -1,6 +1,6 @@
 Metadata-Version: 1.0
 Name: Paste
-Version: 1.0
+Version: 1.0.1
 Summary: Tools for using a Web Server Gateway Interface stack
 Home-page: http://pythonpaste.org
 Author: Ian Bicking
diff -Nru /tmp/9RYLp5NsNr/paste-1.0/PKG-INFO /tmp/h6T8ArgtUG/paste-1.0.1/PKG-INFO
--- /tmp/9RYLp5NsNr/paste-1.0/PKG-INFO	2006-10-22 22:57:23.000000000 +0200
+++ /tmp/h6T8ArgtUG/paste-1.0.1/PKG-INFO	2006-12-18 01:24:32.000000000 +0100
@@ -1,6 +1,6 @@
 Metadata-Version: 1.0
 Name: Paste
-Version: 1.0
+Version: 1.0.1
 Summary: Tools for using a Web Server Gateway Interface stack
 Home-page: http://pythonpaste.org
 Author: Ian Bicking
diff -Nru /tmp/9RYLp5NsNr/paste-1.0/setup.py /tmp/h6T8ArgtUG/paste-1.0.1/setup.py
--- /tmp/9RYLp5NsNr/paste-1.0/setup.py	2006-10-22 22:56:45.000000000 +0200
+++ /tmp/h6T8ArgtUG/paste-1.0.1/setup.py	2006-12-18 01:23:40.000000000 +0100
@@ -2,7 +2,7 @@
 # revision (set to True for real releases)
 RELEASE = False
 
-__version__ = '1.0'
+__version__ = '1.0.1'
 
 from setuptools import setup, find_packages
 import sys, os
diff -u sqlalchemy-0.3.1/debian/copyright sqlalchemy-0.3.1/debian/copyright
--- sqlalchemy-0.3.1/debian/copyright
+++ sqlalchemy-0.3.1/debian/copyright
@@ -4,16 +4,73 @@
+Since Thu, 7 Sep 2006 20:58:45 +0200 it is co-maintained by
+Piotr Ożarowski <ozarow@gmail.com>
+
 It was originally downloaded from http://sqlalchemy.org/
 
-Upstream Author: Mike Bayer et al <mike_mp@zzzcomputing.com>
+Upstream Author: Mike Bayer <mike_mp@zzzcomputing.com>
+
+Copyright (C) 2004,2005,2006 Michael Bayer mike_mp@zzzcomputing.com
 
 Copyright:
 
---8<--
-SQLAlchemy is licensed under an MIT-style license (see LICENSE).
-Other incorporated projects may be licensed under different licenses.
-All licenses allow for non-commercial and commercial use.
---8<--
+ This is the MIT license: http://www.opensource.org/licenses/mit-license.php
+
+ Copyright (c) 2005, 2006 Michael Bayer and contributors. SQLAlchemy is a
+ trademark of Michael Bayer.
+
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+
+ The above copyright notice and this permission notice shall be included in all
+ copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ SOFTWARE.
+
+-----------------------------------------------------------
+
+test/coverage.py file (only in source package):
+
+ Copyright 2001 Gareth Rees.  All rights reserved.
+ Copyright 2004-2006 Ned Batchelder.  All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are
+ met:
+
+ 1. Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in the
+    documentation and/or other materials provided with the
+    distribution.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ HOLDERS AND CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+ TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ DAMAGE.
+
+-----------------------------------------------------------
 
-I did not see any other licenses or copyrights in the source tree.
-Here's the LICENSE file:
+The Debian packaging is (C) 2006, Tommi Virtanen <tv@debian.org> and Piotr
+Ożarowski <ozarow@gmail.com> - it is licensed under the GPL.
 
-# See the file LICENSE at the top of the source tree.
+On Debian systems, the complete text of the GNU General Public License
+can be found in `/usr/share/common-licenses/GPL'.
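Review bot: the packaging license is stated as "the GPL" with no version, and /usr/share/common-licenses/GPL is an unversioned symlink, so name the version (GPL-2, GPL-2+, ...) explicitly. The copyright lines are also inconsistent with each other: "Upstream Author: Mike Bayer" drops the "et al" that the old line had, while the MIT text below says "Michael Bayer and contributors", and the years differ between "2004,2005,2006" and "2005, 2006".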
diff -u sqlalchemy-0.3.1/debian/changelog sqlalchemy-0.3.1/debian/changelog
--- sqlalchemy-0.3.1/debian/changelog
+++ sqlalchemy-0.3.1/debian/changelog
@@ -1,3 +1,21 @@
+sqlalchemy (0.3.1-2) unstable; urgency=medium
+
+  * debian/copyright file updated (closes: #403767)
+
+ -- Piotr Ozarowski <ozarow@gmail.com>  Wed, 20 Dec 2006 00:02:53 +0100
+
+sqlalchemy (0.3.3-1) experimental; urgency=low
+
+  * New upstream release
+
+ -- Piotr Ozarowski <ozarow@gmail.com>  Fri, 15 Dec 2006 15:36:00 +0100
+
+sqlalchemy (0.3.2-1) experimental; urgency=low
+
+  * New upstream release
+
+ -- Piotr Ozarowski <ozarow@gmail.com>  Mon, 11 Dec 2006 18:09:00 +0100
+
 sqlalchemy (0.3.1-1) unstable; urgency=low
 
   * New upstream release
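Review bot: this unstable upload's changelog lists the 0.3.3-1 and 0.3.2-1 experimental entries below 0.3.1-2, i.e. higher versions beneath the version being uploaded; dpkg-parsechangelog takes the topmost entry so the upload is still 0.3.1-2, but the ordering is confusing for anyone reading the history, so either keep the experimental entries out of the unstable branch or order the entries by version.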
