[Bug 1325129] Re: Sync xymon 4.3.17-2 (universe) from Debian unstable (main)

Axel Beckert abe at debian.org
Fri May 30 23:41:58 UTC 2014


** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-4173

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1325129

Title:
  Sync xymon 4.3.17-2 (universe) from Debian unstable (main)

Status in “xymon” package in Ubuntu:
  New

Bug description:
  Please sync xymon 4.3.17-2 (universe) from Debian unstable (main)

  Explanation of the Ubuntu delta and why it can be dropped:
    * Fix embedded c-ares's use of outdated config.{guess,sub},
      resolving FTBFS on newer arches.
    * Fix embedded c-ares's use of outdated config.{guess,sub},
      resolving FTBFS on newer arches.
    * Use autotools-dev for newer arches, resolving FTBFS.

  The Debian package properly fixes the handling of the embedded code
  copy of c-ares by no longer building against it but against the
  system's copy.

  It also fixes the following issues reported in Ubuntu:

    * #1042821 post-install script fails 
    * #1069227 xymon-client 4.3.7-1 postinst failed: pkill found nothing to kill 
    * #1172436 Filenames not updated in xymon-client.logrotate 

  Additionally it fixes:

    * CVE-2013-4173
    * Apache 2.4 integration (not reported in Ubuntu but reported
      upstream on IRC)

  Changelog entries since current utopic version 4.3.7-1ubuntu2:

  xymon (4.3.17-2) unstable; urgency=low

    * Upload to unstable again.

    [ Christoph Berg ]
    *  Always write /var/run/xymon/xymonclient-include.cfg on clients

    [ Axel Beckert ]
    * Add build-dependency on libc-ares-dev to avoid using embedded code
      copy at xymonnet/c-ares-1.7.3.tar.gz
    * Fix includes for graph definitions (xymongraph.d → graphs.d)
      + Add a Breaks for hobbit-plugins << 20140519~
    * Remove reference to /etc/apache2/ from xymon-client.NEWS
    * Fix remaining issues of the Apache 2.2 → 2.4 transition
      (modifies mostly debian/rules, xymon.postinst and xymon.maintscript)
      + Fix conffile paths in README.Debian and xymon.maintscript
      + Use dh_apache2 and apache2-maintscript-helper
      + Add build-dependency on dh-apache2.
      + Add lintian override for missing-build-dependency-for-dh_-command
        (see #748688)
      + Enable Apache's mod_rewrite + CGI support automatically in postinst
      + Add patch to switch default configuration to Apache 2.4 style
        authorization.
      + Closes: #669776
    * Let xymon depend on perl until after the Jessie release to make sure
      prename is there for the data migration from hobbit to xymon.
    * Add lintian override for apache2-reverse-dependency-calls-invoke-rc.d
      -- it finds the fallback for apache2-maintscript-helper unavailability

   -- Axel Beckert <abe at debian.org>  Tue, 20 May 2014 22:56:11 +0200

  xymon (4.3.17-1) experimental; urgency=low

    [ Axel Beckert ]
    * New upstream release
      - Fixes remote file deletion vulnerability (Closes: #717895,
        CVE-2013-4173)
      - Refreshed and updated patches where needed
    * Apache 2.2 → 2.4 Migration:
      + Rename /etc/apache2/conf.d/xymon to …/conf-available/xymon.conf
        (Fixes lintian warnings non-standard-apache2-configuration-name and
        apache2-reverse-dependency-uses-obsolete-directory)
    * Add -W option to "netstat -ant" in client/xymonclient-linux.sh to
      avoid IPv6 address truncating in ports check. (Closes: #734867)
    * Bump Standards-Version to 3.9.5 (no changes)
    * Add a debian/upstream/metadata file according to DEP-12.

    [ Christoph Berg ]
    * Rename /etc/xymon/xymongraph.d to graphs.d to match graphs.cfg.
    * Move the include patching for clientlaunch.cfg/d from debian/rules to the
      hobbitvars patch.

   -- Axel Beckert <abe at debian.org>  Fri, 28 Feb 2014 23:33:43 +0100

  xymon (4.3.11-1) experimental; urgency=low

    [ Axel Beckert ]
    * New upstream release
      - Removed patch 622069-sslv2-deprecation (solved upstream)
      - Refreshed and updated patches where needed
      - Add build/test-clockgettime-librt to debian/clean
    * Update dependencies for smooth upgrade: xymon-client breaks earlier
      versions of xymon and xymon depends on a current xymon-client.
      (Closes: #699611)
    * Add build-dependency on procps so that the build system finds the
      paths to uptime and top.
    * xymon-client: Depend on procps for pkill in postinst script
      (Closes: #679706; LP: #1042821)
    * xymon-client: Ignore exit code of pkill in postinst script
      (LP: #1069227)
    * debian/rules improvements:
      + No longer ignore dh_lintian failures
      + Use dh_auto_clean
    * Update watch file:
      + ignore pre-built binary packages for distributions which use
        .tar.gz. as package suffix.
      + support release candidates
    * Add patch to support scientific notation for NCV data.
    * Bump Standards-Version to 3.9.4 (no changes)
    * Fixed the following lintian warnings:
      + vcs-field-not-canonical
      + hardening-no-fortify-functions (by passing CPPFLAGS via CFLAGS)
      + hardening-no-relro (by passing LDFLAGS via CFLAGS)
      + duplicate-files (xymonserver-migration.cfg)
    * Apply wrap-and-sort.

    [ Christoph Berg ]
    * Migrate /etc/default/hobbit-client on upgrade (Closes: #679766)
    * Remove trailing slash from Alias in Apache configs (Closes: #603151)
    * Mount a tmpfs on /var/lib/xymon/tmp if TMPFSSIZE is set in
      /etc/default/xymon-client.
    * Update logrotate config for /var/log/xymon.

   -- Axel Beckert <abe at debian.org>  Thu, 23 May 2013 23:03:49 +0200

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xymon/+bug/1325129/+subscriptions
