Sync xymon 4.3.17-2 (universe) from Debian unstable (main)

Bug #1325129 reported by Axel Beckert
Affects: xymon (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Please sync xymon 4.3.17-2 (universe) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * Fix embedded c-ares's use of outdated config.{guess,sub},
    resolving FTBFS on newer arches.
  * Fix embedded c-ares's use of outdated config.{guess,sub},
    resolving FTBFS on newer arches.
  * Use autotools-dev for newer arches, resolving FTBFS.

The Debian package properly fixes the handling of the embedded code copy
of c-ares by no longer building against it but against the system's
copy.

It also fixes the following issues reported in Ubuntu:

  * #1042821 post-install script fails
  * #1069227 xymon-client 4.3.7-1 postinst failed: pkill found nothing to kill
  * #1172436 Filenames not updated in xymon-client.logrotate

Additionally it fixes:

  * CVE-2013-4173
  * Apache 2.4 integration (not reported in Ubuntu but reported
    upstream on IRC)

Changelog entries since current utopic version 4.3.7-1ubuntu2:

xymon (4.3.17-2) unstable; urgency=low

  * Upload to unstable again.

  [ Christoph Berg ]
  * Always write /var/run/xymon/xymonclient-include.cfg on clients

  [ Axel Beckert ]
  * Add build-dependency on libc-ares-dev to avoid using embedded code
    copy at xymonnet/c-ares-1.7.3.tar.gz
  * Fix includes for graph definitions (xymongraph.d → graphs.d)
    + Add a Breaks for hobbit-plugins << 20140519~
  * Remove reference to /etc/apache2/ from xymon-client.NEWS
  * Fix remaining issues of the Apache 2.2 → 2.4 transition
    (modifies mostly debian/rules, xymon.postinst and xymon.maintscript)
    + Fix conffile paths in README.Debian and xymon.maintscript
    + Use dh_apache2 and apache2-maintscript-helper
    + Add build-dependency on dh-apache2.
    + Add lintian override for missing-build-dependency-for-dh_-command
      (see #748688)
    + Enable Apache's mod_rewrite + CGI support automatically in postinst
    + Add patch to switch default configuration to Apache 2.4 style
      authorization.
    + Closes: #669776
  * Let xymon depend on perl until after the Jessie release to make sure
    prename is there for the data migration from hobbit to xymon.
  * Add lintian override for apache2-reverse-dependency-calls-invoke-rc.d
    -- it finds the fallback for apache2-maintscript-helper unavailability

 -- Axel Beckert <email address hidden> Tue, 20 May 2014 22:56:11 +0200

xymon (4.3.17-1) experimental; urgency=low

  [ Axel Beckert ]
  * New upstream release
    - Fixes remote file deletion vulnerability (Closes: #717895,
      CVE-2013-4173)
    - Refreshed and updated patches where needed
  * Apache 2.2 → 2.4 Migration:
    + Rename /etc/apache2/conf.d/xymon to …/conf-available/xymon.conf
      (Fixes lintian warnings non-standard-apache2-configuration-name and
      apache2-reverse-dependency-uses-obsolete-directory)
  * Add -W option to "netstat -ant" in client/xymonclient-linux.sh to
    avoid IPv6 address truncating in ports check. (Closes: #734867)
  * Bump Standards-Version to 3.9.5 (no changes)
  * Add a debian/upstream/metadata file according to DEP-12.

  [ Christoph Berg ]
  * Rename /etc/xymon/xymongraph.d to graphs.d to match graphs.cfg.
  * Move the include patching for clientlaunch.cfg/d from debian/rules to the
    hobbitvars patch.

 -- Axel Beckert <email address hidden> Fri, 28 Feb 2014 23:33:43 +0100

xymon (4.3.11-1) experimental; urgency=low

  [ Axel Beckert ]
  * New upstream release
    - Removed patch 622069-sslv2-deprecation (solved upstream)
    - Refreshed and updated patches where needed
    - Add build/test-clockgettime-librt to debian/clean
  * Update dependencies for smooth upgrade: xymon-client breaks earlier
    versions of xymon and xymon depends on a current xymon-client.
    (Closes: #699611)
  * Add build-dependency on procps so that the build system finds the
    paths to uptime and top.
  * xymon-client: Depend on procps for pkill in postinst script
    (Closes: #679706; LP: #1042821)
  * xymon-client: Ignore exit code of pkill in postinst script
    (LP: #1069227)
  * debian/rules improvements:
    + No more ignore dh_lintian failures
    + Use dh_auto_clean
  * Update watch file:
    + ignore pre-built binary packages for distributions which use
      .tar.gz. as package suffix.
    + support release candidates
  * Add patch to support scientific notation for NCV data.
  * Bump Standards-Version to 3.9.4 (no changes)
  * Fixed the following lintian warnings:
    + vcs-field-not-canonical
    + hardening-no-fortify-functions (by passing CPPFLAGS via CFLAGS)
    + hardening-no-relro (by passing LDFLAGS via CFLAGS)
    + duplicate-files (xymonserver-migration.cfg)
  * Apply wrap-and-sort.

  [ Christoph Berg ]
  * Migrate /etc/default/hobbit-client on upgrade (Closes: #679766)
  * Remove trailing slash from Alias in Apache configs (Closes: #603151)
  * Mount a tmpfs on /var/lib/xymon/tmp if TMPFSSIZE is set in
    /etc/default/xymon-client.
  * Update logrotate config for /var/log/xymon.

 -- Axel Beckert <email address hidden> Thu, 23 May 2013 23:03:49 +0200

Dmitry Shachnev (mitya57) wrote :

This bug was fixed in the package xymon - 4.3.17-2
Sponsored for Axel Beckert (xtaran)

---------------
xymon (4.3.17-2) unstable; urgency=low

  * Upload to unstable again.

  [ Christoph Berg ]
  * Always write /var/run/xymon/xymonclient-include.cfg on clients

  [ Axel Beckert ]
  * Add build-dependency on libc-ares-dev to avoid using embedded code
    copy at xymonnet/c-ares-1.7.3.tar.gz
  * Fix includes for graph definitions (xymongraph.d → graphs.d)
    + Add a Breaks for hobbit-plugins << 20140519~
  * Remove reference to /etc/apache2/ from xymon-client.NEWS
  * Fix remaining issues of the Apache 2.2 → 2.4 transition
    (modifies mostly debian/rules, xymon.postinst and xymon.maintscript)
    + Fix conffile paths in README.Debian and xymon.maintscript
    + Use dh_apache2 and apache2-maintscript-helper
    + Add build-dependency on dh-apache2.
    + Add lintian override for missing-build-dependency-for-dh_-command
      (see #748688)
    + Enable Apache's mod_rewrite + CGI support automatically in postinst
    + Add patch to switch default configuration to Apache 2.4 style
      authorization.
    + Closes: #669776
  * Let xymon depend on perl until after the Jessie release to make sure
    prename is there for the data migration from hobbit to xymon.
  * Add lintian override for apache2-reverse-dependency-calls-invoke-rc.d
    -- it finds the fallback for apache2-maintscript-helper unavailability

 -- Axel Beckert <email address hidden> Tue, 20 May 2014 22:56:11 +0200

xymon (4.3.17-1) experimental; urgency=low

  [ Axel Beckert ]
  * New upstream release
    - Fixes remote file deletion vulnerability (Closes: #717895,
      CVE-2013-4173)
    - Refreshed and updated patches where needed
  * Apache 2.2 → 2.4 Migration:
    + Rename /etc/apache2/conf.d/xymon to …/conf-available/xymon.conf
      (Fixes lintian warnings non-standard-apache2-configuration-name and
      apache2-reverse-dependency-uses-obsolete-directory)
  * Add -W option to "netstat -ant" in client/xymonclient-linux.sh to
    avoid IPv6 address truncating in ports check. (Closes: #734867)
  * Bump Standards-Version to 3.9.5 (no changes)
  * Add a debian/upstream/metadata file according to DEP-12.

  [ Christoph Berg ]
  * Rename /etc/xymon/xymongraph.d to graphs.d to match graphs.cfg.
  * Move the include patching for clientlaunch.cfg/d from debian/rules to the
    hobbitvars patch.

 -- Axel Beckert <email address hidden> Fri, 28 Feb 2014 23:33:43 +0100

xymon (4.3.11-1) experimental; urgency=low

  [ Axel Beckert ]
  * New upstream release
    - Removed patch 622069-sslv2-deprecation (solved upstream)
    - Refreshed and updated patches where needed
    - Add build/test-clockgettime-librt to debian/clean
  * Update dependencies for smooth upgrade: xymon-client breaks earlier
    versions of xymon and xymon depends on a current xymon-client.
    (Closes: #699611)
  * Add build-dependency on procps so that the build system finds the
    paths to uptime and top.
  * xymon-client: Depend on procps for pkill in postinst script
    (Closes: #679706; LP: #1042821)
  * xymon-client: Ignore exit code of pkill in postinst script
    (LP: #1069227)
  * debian/rules improvements:
    + No ...


Changed in xymon (Ubuntu):
status: New → Fix Released