
Bug#388946: marked as done (openssh-server: [annoying_notes] Abuse of debconf note(s))



Your message dated Fri, 29 Sep 2006 09:17:05 -0700
with message-id <E1GTL2v-0002MV-9a@spohr.debian.org>
and subject line Bug#388946: fixed in openssh 1:4.3p2-4
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: openssh-server
Version: N/A
Severity: normal

Hello,

As announced in
http://lists.debian.org/debian-devel/2006/09/msg00630.html, this bug
report is part of a mass bug filing campaign about the "abuse" of
debconf templates of type "note".

First of all, in case you fixed your package in the short timeframe
that happened between my announcement and this bug report, please
accept my apologies and, of course, feel free to ask me to close the
bug report...or just close it yourself.

One or more template(s) has/have been identified in openssh-server 
debconf templates and an automated analysis mentions that it/they is/are
displayed to users at low or medium priority.

The debconf-devel(7) manpage makes it clear that the "note" type should
be used only for important notes that the user really should see.

On the other hand, the "low" priority is meant for very trivial items
that have defaults that will work in the vast majority of
cases. The "medium" priority is meant for normal items
that have reasonable defaults.

As such, a note should only be used for IMPORTANT stuff, so actually
all debconf notes should be priority high....or should not exist.

Please consider one of the following options:

- move the text of the debconf note to the README.Debian file. The drawback
  is that the text will not be translatable anymore, which will be worked
  on in the future. However, given that your note is very rarely displayed,
  this is indeed not a very strong drawback

- move the text to NEWS.Debian. This option should however rather be
  reserved for future texts of the same kind as the contents of this file
  is only displayed when users upgrade the package

- change the template type to "error" in case this note is meant to be
  displayed only in some cases when a problem shows up during execution of
  the maintainer's scripts. Please check debconf-devel(7) for details

- raise the priority to "high". This should be the last option to consider.
  It should be used only in cases where you judge that the information you
  display is VITAL for users of your package and that one could NOT USE IT
  if not reading the note.

A dedicated check will be proposed to the lintian and linda package
maintainers so that future uses of low and medium priority note
templates will be discouraged in the future. So, if you wish your
package to be lintian-clean, then you need to fix this..:-)


Template(s) identified in your package:

  openssh-server -- config:61 ssh/insecure_telnetd

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.17-2-686
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)


--- End Message ---
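
The kind of check the report above describes, as an added example (not the reporter's analysis script and not lintian's code): it reads a debconf templates file and a config script and reports every "note" template displayed at low or medium priority, in the same "file:line template" form as the finding above. The sample files are constructed, the function names and the example/some_question template are hypothetical, and it assumes the script calls db_input directly with a literal priority.

```python
import re

# Constructed sample inputs; not the real openssh packaging files.
TEMPLATES = """\
Template: ssh/insecure_telnetd
Type: note
_Description: Warning: telnetd is installed

Template: example/some_question
Type: boolean
_Description: Hypothetical question?
"""

CONFIG = """\
#!/bin/sh
. /usr/share/debconf/confmodule
# db_input low ssh/insecure_telnetd  (commented out, must be ignored)
if [ -x /usr/sbin/in.telnetd ]; then
    db_input low ssh/insecure_telnetd || true
fi
db_input medium example/some_question || true
db_go
"""

INPUT_RE = re.compile(r"\bdb_input\s+(\w+)\s+(\S+)")

def template_types(text):
    """Map template name -> Type from a debconf templates file."""
    types = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            # Continuation lines of a long description start with whitespace.
            if ":" in line and not line.startswith((" ", "\t")):
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "Template" in fields and "Type" in fields:
            types[fields["Template"]] = fields["Type"].lower()
    return types

def low_priority_notes(templates, script, name="config"):
    """Return 'file:line template' for notes shown at low or medium priority."""
    types = template_types(templates)
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        code = line.split("#", 1)[0]  # crude comment stripping, enough here
        for priority, template in INPUT_RE.findall(code):
            if priority in ("low", "medium") and types.get(template) == "note":
                findings.append(f"{name}:{lineno} {template}")
    return findings
```

Switching the template to Type: error, one of the options listed in the report, makes the finding disappear without touching the config script.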
--- Begin Message ---
Source: openssh
Source-Version: 1:4.3p2-4

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_4.3p2-4_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_4.3p2-4_powerpc.udeb
openssh-client_4.3p2-4_powerpc.deb
  to pool/main/o/openssh/openssh-client_4.3p2-4_powerpc.deb
openssh-server-udeb_4.3p2-4_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_4.3p2-4_powerpc.udeb
openssh-server_4.3p2-4_powerpc.deb
  to pool/main/o/openssh/openssh-server_4.3p2-4_powerpc.deb
openssh_4.3p2-4.diff.gz
  to pool/main/o/openssh/openssh_4.3p2-4.diff.gz
openssh_4.3p2-4.dsc
  to pool/main/o/openssh/openssh_4.3p2-4.dsc
ssh-askpass-gnome_4.3p2-4_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_4.3p2-4_powerpc.deb
ssh_4.3p2-4_all.deb
  to pool/main/o/openssh/ssh_4.3p2-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 388946@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 29 Sep 2006 16:28:24 +0100
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:4.3p2-4
Distribution: unstable
Urgency: high
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - Secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - Secure shell client for the Debian installer (udeb)
 openssh-server - Secure shell server, an rshd replacement
 openssh-server-udeb - Secure shell server for the Debian installer (udeb)
 ssh        - Secure shell client and server (transitional package)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 369395 381942 382966 388946 389995
Changes: 
 openssh (1:4.3p2-4) unstable; urgency=high
 .
   * Backport from 4.4p1 (since I don't have an updated version of the GSSAPI
     patch yet):
     - CVE-2006-4924: Fix a pre-authentication denial of service found by
       Tavis Ormandy, that would cause sshd(8) to spin until the login grace
       time expired (closes: #389995).
     - CVE-2006-5051: Fix an unsafe signal hander reported by Mark Dowd. The
       signal handler was vulnerable to a race condition that could be
       exploited to perform a pre-authentication denial of service. On
       portable OpenSSH, this vulnerability could theoretically lead to
       pre-authentication remote code execution if GSSAPI authentication is
       enabled, but the likelihood of successful exploitation appears remote.
 .
   * Read /etc/default/locale as well as /etc/environment (thanks, Raphaël
     Hertzog; closes: #369395).
   * Remove no-longer-used ssh/insecure_rshd debconf template.
   * Make ssh/insecure_telnetd Type: error (closes: #388946).
 .
   * debconf template translations:
     - Update Portuguese (thanks, Rui Branco; closes: #381942).
     - Update Spanish (thanks, Javier Fernández-Sanguino Peña;
       closes: #382966).
Files: 
 d0f547d4d7d7b457789fad36b675b728 990 net standard openssh_4.3p2-4.dsc
 fbf5d5159fe9aea1c08a4d121ecf12a6 168035 net standard openssh_4.3p2-4.diff.gz
 21496ed39c6d844b971b638e00da1d76 1052 net extra ssh_4.3p2-4_all.deb
 e930263cccb7ac6aec9f49254d7bbd2c 642622 net standard openssh-client_4.3p2-4_powerpc.deb
 f0aa1192a564b3316666be7c8e8158ef 232998 net optional openssh-server_4.3p2-4_powerpc.deb
 c78d0b0207790905f76880f0e94cdb63 99368 gnome optional ssh-askpass-gnome_4.3p2-4_powerpc.deb
 3f6aef414856d86e8a6ce01e19c07b14 166746 debian-installer optional openssh-client-udeb_4.3p2-4_powerpc.udeb
 1193ce5b48f8a36c18a134b5e786de07 169774 debian-installer optional openssh-server-udeb_4.3p2-4_powerpc.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFHUCf9t0zAhD6TNERAmLuAJ94JQOge6mYynW3SEdWBJBDDPBYwQCfbU/s
QsCdkLgbSjJudZR5a4LCpL0=
=CwZU
-----END PGP SIGNATURE-----


--- End Message ---
