Infodrom Oldenburg

Add possibility to add --textmode to signing commands, which is required for using this module for digitally signing mail with GnuPG.

See PEAR feature request

• Adjusted the URL to the Webapps Policy Draft
• Filled the section about PHP applications by deferring to the Webapps Policy Draft

• Emphasise on the need to split files in an application in order to be able to provide a web-accessible directory and one which is not accessible to the web-user.
• Adjusted the logic, i.e. adding a 'not' when talking about content that shouldn't be executed and hence not placed in a web-accessible directory.
• Capitalise Apache (since PHP and Perl are used in their respective spelling as well)
• Capitalise PHP once (must've been forgotton before)
• Added a link to the debian policy for documentation
• Added some notes about most common PHP application insecurities

UIDL refers to unique-id listing and provides a unique identifier for each and every message, thus uniquely identifies a message within a maildrop and which persists across sessions. The server should never reuse an unique-id in a given maildrop, for as long as the entity using the unique-id exists.

Deletion of automatically added attachments from the TicketComposer is very slow since it requires form POST processing.

The patch below moves this functionality to JavaScript only so no immediate backend call is required anymore. This will speed up deletion and thus composing a new ticket.

The LiveGrid class allows to specify text and select filters for each column so that the displayed rows of the grid can be limited to several conditions that have to match at the same time. For checkboxes (i.e. the Rico.TableColumn.checkbox control) this does not exactly apply.

However, the space could be used for special controls that operate as "check all" and "uncheck all" for the visible checkboxes in that particular column. This patch adds a possibility to create custom filter controls for columns, e.g. plus and minus signs for checkbox columns.

This patch allows developers to specify more complex filters than simple equality or LIKE filters. This opens room for filters that make utilise set relations such as "fieldvalue IN (?)". The question mark is replaced in the backend ricoXmlResponse.php by the filter value supplied by the Rico.Buffer.AjaxSQL.

This patch adds back the possibility to display HTML code in LiveGrid columns that broke in Firefox 20.x. Before this one could return HTML code such as <img src="...something"> that was parsed as proper image tag.

The behaviour of the XML parser in XmlHttpRequest has changed. This breaks display of HTML elements returned by AJAX/SQL backends.

The behaviour differs from other browsers and older versions of the same browser. It is possible that it'll be changed back in Firefox 21.x and higher.

This breaks Icons and other HTML code in Rico.LiveGrid cells

This patch has been rejected upstream - since the fix should be applied to Firefox instead.

This patch fixes a problem with with regards to select filters.

When the filter value is stored in a cookie the filter is automatically reapplied on page reload. If table values have changed in the meantime so that the original filter value is not available anymore the LiveGrid will display 0 rows and the select filter element will display __ALL__ (since the value it is set to is not available).

The problem could be resolved by filtering for a different value and then resetting the filter select element back to __ALL__. However, since the filter already displays __ALL__ most users won't notice that the grid is already filtered.

The default setting results in archived todo jobs always being displayed. Once you have worked on a sufficiently large number of jobs the list will grow and you'll have trouble finding new jobs in all the archived ones. Unfortunately the show_archive_elements setting is not stored in the user's profile so changing this in a session will not last.

This patch changes the default setting to not display archived jobs in the summary and in the todo list. This can still be toggled in an open session via right mouse click on the grey bar in the todo overview.

This patch adds several bugfixes and improvements to the nice calendar by Oliver Bryant:

• fix leap year calculation
• allow the week to start with arbitrary day (0=sun, 1=mon etc.)
• add close button
• allow past dates
• allow other delimiters besides '/'
• add path to images
• make everything configurable via »calendar(options)«
• use the current month and year as default for all empty/broken input
• add »popcalendar(id)« function for image buttons

This patch adds support for /etc/cvs.passwd instead of individual CVSROOT/passwd files. The latter has the disadvantage of passwords being distributed via CVS and maybe cvsweb/viewcvs as well. This poses a security risk.

Hence, Debian System Administration has introduced the /etc/cvs.passwd file for real passwords. The format of the password lines is the same as for CVSROOT/passwd. Each password section is prefixed with the name of the corresponding CVS repository.

The current version of cvsweb is not able to act CGI-less like it is configured on http://cvs.debian.org/ and http://cvs.infodrom.org/. It can only be used as /cgi-bin/cvsweb. This is unfortunate since not only viewcvs (Python) supported this but also the older version of cvsweb (Perl).

Fortunately, the required changes are only minimal:

1. Don't turn zero / into one /, the rule was probably intended to reduce multiple slashes into only one. However, without the /cgi-bin/ component, there would not be one slash in the first place.
2. Only apply the thttpd rule if the script is executed from within thttpd, and not from within Apache, for example.
3. Only add /$where to the URL if $where is about, which is not the case when called without the /cgi-bin/ component
4. Decode the Query string before splitting it by /;/ since ";" could be encoded as "%3b", which is the case for an Apache redirect if you don't request "noescape|NE"

The current version of cvsweb is not able to act CGI-less like it is configured on http://cvs.debian.org/ and http://cvs.infodrom.org/. It can only be used as /cgi-bin/cvsweb. This is unfortunate since not only viewcvs (Python) supported this but also the older version of cvsweb (Perl).

Fortunately, the required changes are only minimal:

1. Don't turn zero / into one /, the rule was probably intended to reduce multiple slashes into only one. However, without the /cgi-bin/ component, there would not be one slash in the first place.
2. Only apply the thttpd rule if the script is executed from within thttpd, and not from within Apache, for example.
3. Only add /$where to the URL if $where is about, which is not the case when called without the /cgi-bin/ component
4. Decode the Query string before splitting it by /;/ since ";" could be encoded as "%3b", which is the case for an Apache redirect if you don't request "noescape|NE"

Since we are using dchroot on the .debian.org machines and maintenance of the machines result in a lot of manual tasks, I took the liberty to improve this program so that it is more helpful:

• Read configuration from conffile instead of compiled in
• Hence, added a conffile parser
• Revealed and added the copyright
• Added --listpath for unique chroot locations
• Properly implemented --list
• Implemented user limitation
• Added a way to execute a command in a chroot environment
• Added a manpage
• Package it up, as upstream and for Debian (-admin)

When not all picture files are attributed with a memo or if more pictures are listed in the memo file than exist on the disk, galrey will fail. I discovered three problems with this:

1. When a memo file is used, only filenames from the memo file are used, but not necessarily all files found.

   Fix: after building @orderedfiles, check agains the original list and push missing files to the end.

2. When a memo file is used, only filenames from the memo file are used, but the number of files to work on are already determined, hence some files would be left out if the memo file contains more descriptions than files.

   Fix: Recalculate the number of files to process or 3.

3. When a memo file is used, all included filenames are used, also non-existing ones, making identify fail. Also some files weren't used due to the above.

   Fix: Check whether the file exists before pushing it to @orderedfiles.

The following patch contains fixes 1 and 3, hence automatically fixing 2.

The first problem fixed is broken dropping and regaining of privileges. The hanterm program runs setgid utmp normally, so it can modify the utmp file. Upon startup it drops privileges. Fine so long, but unfortunately it regains them way too early and forgets to drop them again. Hence, any problem would occur with gid=utmp, which is bad. This has been fixed and privileges are only regained right before the utmp file is written and dropped afterwards.

The second problem fixed in this patch covers some buffer overflows in font argument handling. The program uses fixed length strings but did not check for the length of user supplied arguments, which resulted in a segmentation fault, which, even worse, was able to be exploited so in connection with the first error the attacker could gain gid-utmp access (or root on other sytems than Debian).

These fonts are non-free and must not be distributed freely. Therefore only the source for the Debian package is distributed here but no binary packages anymore.

Adjustments for the version of teTeX in Debian GNU/Linux 3.0 alias woody

These fonts are non-free and must not be distributed freely. Therefore only the source for the Debian package is distributed here but no binary packages.

Adjustments for the new LaTeX font system in Debian unstable April 23rd 2003, which is actually much better organized since it relies on files in /etc/texmf/updmap.d where we only need to place the humanist map file and call update-updmap afterwards.

Added a dependency against tetex-base (>> 2.0-0) which should reflect the real dependency.

These fonts are non-free and must not be distributed freely. Therefore only the source for the Debian package is distributed here but no binary packages.

Adjustments for the new LaTeX font system in Debian unstable as of July 28th 2004.

These fonts are non-free and must not be distributed freely. Therefore only the source for the Debian package is distributed here but no binary packages.

Added a warning text to the postinst in case tetex-bin/upd_map is set to false (which was the case for Ruth and Benny, for some strange reason).

This should be the version suitable for Debian GNU/Linux 3.1 alias sarge.

During the installation a medium priority question (console-tools/archs) is displayed which lists all possible keyboard types for mipsel (AT, LK, USB) but has the default set to AT.

The problem is that this question is only displayed when the user explicitly asks the installer to display medium priority dialog boxes as well. On a mipsel system that doesn't have an AT keyboard connected the user would be trapped into an AT keyboard, effectively rendering his keyboard unusable.

According to RFC 2818 Section 3.1 certificates may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

I was looking for a way to tell Lynx to accept the certificates that the package ca-certificates in Debian collects and maintains.

I noticed that apparently Lynx only accepts the mention of a file containing all valid certificates via the environment variable SSL_CERT_FILE but did not support a configuration option for this.

I would like to use a system wide setting since it would integrate lynx well in the Debian CA architecture. This patch adds a configuration option SSL_CERT_FILE to /etc/lynx.cfg.

I noticed that the changelog of the development version 2.8.7dev.5 claims to add support to the X.509 extension subjectAltName. However, upon reading the source code it turned out that this feature is only available when lynx is using OpenSSL but not when it uses GnuTLS.

Therefore I worked on support for subjectAltName for GnuTLS in Lynx on my own.

In the default configuration anybody can create an account in MoinMoin. Unfortunately this is abused by spammers that create pages filled with SPAM directly after creating their account. This needs to stop.

This patch expects a global variable 'mail_create' that contains a valid mail address of the operator of the wiki. They need to manually confirm each account creation request. A newly created account is disabled by default and can only be enabled by the operator of the wiki. In this particular setup this refers to using sudo and sed to activate the account or remove the spam account. Notification of mail is performed via mail.

The problem is that muttprofile checks for an empty file list but forgets to take care of the case where only the active profile link is discovered.

Currently, in the advanced search neither in JavaScript nor in PHP it is accepted that one selects only a manufacturer for a search. It may, however, be interesting for users to just list all products from certain companies.

This patch extends checks in both JavaScript and PHP so that selecting only a particular manufacturer works. Handling of the corresponding variable inside the search result is also improved.

However it is not if the uucp site is actually foo.com with the name foo and there is no foo.$mydomain. In that case Postfix would try to send out mails with an invalid envelope from address which could (and actually does) cause destination mail servers to reject the mail. Bummer.

This patch will make rmail look for the From: line in the originating mail and use that information as envelope from. This will only work if the address passes a very easy sanity check, i.e. contains an at-sign or a bang. If that's not the case the original method is used.

Without this patch the queuepath CGI only understands arguments directly added to the request path and expects the web server to work accordingly. This may not be the case all the time.

This patch adds support for QUERY_PATH so that the system still works. This permits the use of URLs of the form queuegraph.cgi?/image.png as well.

, diff, , dsc, , changes, , deb, , orig.tar.

In some RSS files the global <title> attribute is rather bogus. For example the web log of Ken Coar says "The Rodent's Burrow", the title from Larry Ewing is "Free Food (for Cowboys)" and so on. When this is converted into a mail by rss2email it's easily confused as spam.

In order to preserve this, I've created an override table in which rss2email can look up the title to use for the From: line.

, diff, , dsc, , changes, , deb, , orig.tar.

When rss2email is processing old entries of an RSS file it is difficult for the user to find out from which date the content of such mail is. Many RDF files, in particular weblogs, do contain a <pubDate> attribute that could be used.

One major change between version 2.30 and 2.51 is that the body of a plain/text mail is not wrapped at about 75 columns anymore. That makes reading quite difficult.

, diff, , dsc, , changes, , deb, , orig.tar.

1. Add a semicolon to the manpage where sysmond otherwise complains about a missing semicolon.
2. Add a note to the configuration that the DEBUGGING section needs to be written, so it's no dangling cross reference anymore.
3. Don't display ^@ (0x00) anymore when no problems occurred, instead display a space (0x20).
4. Allow to not specify a username and/or password for the pop3 test type.
5. Make the pop3 check type more flexible, i.e. take care of the case when no username or no password was specified

The ICQ UIN attribute was missing from the public listing.

The fingerprints weren't displayed due to a misspelling. I also took the freedom to get them formatted properly.

The public key blocks weren't displayed as well. This slows down lookups a lot, though.

I noticed that a login lookup on db.debian.org can take up several minutes when the digital key has many signatures on it. The reason is that for each and every login lookup the keyring data is built, which takes a while with large numbers of signatures.

Hence, I've changed the semantic. The key is no longer part of the normal output but can only be accessed via the "/field[,field[..]]" feature. A note has been added to the normal output.

The program now also works fine from the commandline.

Additionally, this package will work until 2003, thus the October 4th, 2001 bug is fixed.

This has been fixed byintroducing /tmp/xsane-${LOGNAME:-$UID} as location for all temporary files, created securely upon startup.