Bug#1066191: libapache2-mod-security2: when building an apache2 docker image with sid packages for armhf the build fails
Hi, as you already mentioned, the t64 transition is taking place right now. I'm quite sure this will be solved in some days/weeks. On Wed, Mar 13, 2024 at 12:39:11PM +0100, logo wrote: > Package: libapache2-mod-security2 > Version: 2.9.7-1+b1 > Severity: important > > Dear Maintainer, > > *** Reporter, please consider answering these questions, where appropriate *** > >* What led up to the situation? > time_64 migration >* What exactly did you do (or not do) that was effective (or > ineffective)? > Fails to build a Dockerfile with the following command: > > #MODSECURITY_VERSIONi=2.9.7-1+b1 > RUN set -x && apt-get update \ >&& apt-get -t sid install -o APT::Immediate-Configure=false -y > libapache2-mod-security2=$MODSECURITY_VERSION > >* What was the outcome of this action? > #10 0.187 Reading package lists... > #10 5.903 Building dependency tree... > #10 6.837 Reading state information... > #10 7.275 Some packages could not be installed. This may mean that you have > #10 7.275 requested an impossible situation or if you are using the unstable > #10 7.275 distribution that some required packages have not yet been created > #10 7.275 or been moved out of Incoming. > #10 7.275 The following information may help to resolve the situation: > #10 7.275 > #10 7.276 The following packages have unmet dependencies: > #10 7.690 libdb5.3t64 : Breaks: libdb5.3 (< 5.3.28+dfsg2-5) but > 5.3.28+dfsg2-1 is to be installed > #10 7.690 libgdbm6t64 : Breaks: libgdbm6 (< 1.23-5.1) but 1.23-5+b1 is to be > installed > #10 7.690 libgnutls30t64 : Breaks: libgnutls30 (< 3.8.3-1.1) but 3.8.3-1 is > to be installed > #10 7.690 libhogweed6t64 : Breaks: libhogweed6 (< 3.9.1-2.2) but 3.8.1-2 is > to be installed > #10 7.691 libnettle8t64 : Breaks: libnettle8 (< 3.9.1-2.2) but 3.9.1-2+b1 is > to be installed > #10 7.693 libssl3t64 : Breaks: libssl3 (< 3.1.5-1.1) but 3.1.5-1 is > installed > #10 7.699 E: Unable to correct problems, you have held broken packages. 
> >* What outcome did you expect instead? > Installed package > > > -- System Information: > > is not clear, as it is running in docker buildx v0.13.0 with docker buildx > build --platform=linux/arm/v7 on docker 25.0.4 in: > > Debian Release: 12.5 > APT prefers stable-updates > APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, > 'stable') > Architecture: arm64 (aarch64) > > Kernel: Linux 6.1.0-18-arm64 (SMP w/4 CPU threads) > Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not > set > Shell: /bin/sh linked to /usr/bin/dash > Init: systemd (via /run/systemd/system) > LSM: AppArmor: enabled > > > Base image is debian:bookworm-slim > no other sid packages > > image builds fine for arm64 or amd64 > > I know that the package is currently the same in bookworm but I build on new > releases in sid. > > Please advise. > > Thank You > > Peter -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#758068: mod_security bad performance due to misuse of apr allocator
Hello, Nelson. We were going over the opened bugs on modsecurity-apache and noticed this old one. Upstream did not update his forwarded bug either. Is this still relevant to the current version or can we close it? Thanks, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#1003868: Debian 11
tags 1003868 + pending thanks Hi, the configure option will be added in the next upload. Sorry Albert, old releases aren't built with it. Regards, Alberto On Fri, Sep 29, 2023 at 03:34:55PM +0200, Albert van der Veen wrote: > In response to the bug report that covers 2.9.3-1+deb10u1: Is > 2.9.3-3+deb11u1 built with the option --enable-collection-global-lock? > > Best, > Albert van der Veen -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#1020303: Ping
On Sun, Oct 08, 2023 at 12:59:21PM +0100, Jonathan Wiltshire wrote: > Hi, > > On Mon, Jun 26, 2023 at 06:42:18PM +0100, Jonathan Wiltshire wrote: > > On Tue, Mar 21, 2023 at 12:58:31PM +0100, Alberto Gonzalez Iniesta wrote: > > > Hi, all. We're looking forward to uploading the latest CRS package to > > > bullseye-backports, but this will require this pending update to > > > bullseye. Any news on this front? > > > > Please go ahead. > > This request was approved but not uploaded in time for the previous point > release (11.8). Should it be included in 11.9, or should this request be > abandoned and closed? > Hi, Jonathan. Sorry I missed the previous point release. I thought, from Tobias' last mail, that he would do the upload. I just made it. Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#1052710: bookworm-pu: package modsecurity/3.0.9-1+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: modsecur...@packages.debian.org, car...@debian.org, airw...@gmail.com Control: affects -1 + src:modsecurity [ Reason ] Fix for CVE-2023-38285, no DSA for it. [ Impact ] Possible DoS. [ Tests ] Manually tested by package maintainers. [ Risks ] Low risk, small patch from upstream. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Changes in transformation functions. https://github.com/SpiderLabs/ModSecurity/pull/2934/files diff -Nru modsecurity-3.0.9/debian/changelog modsecurity-3.0.9/debian/changelog --- modsecurity-3.0.9/debian/changelog 2023-04-25 11:49:24.0 +0200 +++ modsecurity-3.0.9/debian/changelog 2023-09-25 14:43:11.0 +0200 @@ -1,3 +1,10 @@ +modsecurity (3.0.9-1+deb12u1) bookworm; urgency=medium + + * Applied upstream patch to fix DoS. +CVE-2023-38285 (Closes: #1042475) + + -- Ervin Hegedüs Mon, 25 Sep 2023 14:43:11 +0200 + modsecurity (3.0.9-1) unstable; urgency=medium * New upstream version. diff -Nru modsecurity-3.0.9/debian/patches/cve-2023-38285.diff modsecurity-3.0.9/debian/patches/cve-2023-38285.diff --- modsecurity-3.0.9/debian/patches/cve-2023-38285.diff1970-01-01 01:00:00.0 +0100 +++ modsecurity-3.0.9/debian/patches/cve-2023-38285.diff2023-09-25 14:43:11.0 +0200 
@@ -0,0 +1,258 @@ +Description: Added fixes against CVE-2023-38285 + These modifications fix CVE-2023-38295. +Author: Ervin Hegedüs +Origin: upstream +Bug: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.10 +Last-Update: 2023-09-25 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: modsecurity/src/actions/transformations/remove_comments_char.cc +=== +--- modsecurity.orig/src/actions/transformations/remove_comments_char.cc modsecurity/src/actions/transformations/remove_comments_char.cc +@@ -1,6 +1,6 @@ + /* + * ModSecurity, http://www.modsecurity.org/ +- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/) ++ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/) + * + * You may not use this file except in compliance with + * the License. You may obtain a copy of the License at +@@ -15,12 +15,7 @@ + + #include "src/actions/transformations/remove_comments_char.h" + +-#include + #include +-#include +-#include +-#include +-#include + + #include "modsecurity/transaction.h" + #include "src/actions/transformations/transformation.h" +@@ -37,39 +32,40 @@ RemoveCommentsChar::RemoveCommentsChar(const std::string ) + + std::string RemoveCommentsChar::evaluate(const std::string , + Transaction *transaction) { +-int64_t i; +-std::string value(val); ++size_t i = 0; ++std::string transformed_value; ++transformed_value.reserve(val.size()); + +-i = 0; +-while (i < value.size()) { +-if (value.at(i) == '/' +-&& (i+1 < value.size()) && value.at(i+1) == '*') { +-value.erase(i, 2); +-} else if (value.at(i) == '*' +-&& (i+1 < value.size()) && value.at(i+1) == '/') { +-value.erase(i, 2); +-} else if (value.at(i) == '<' +-&& (i+1 < value.size()) +-&& value.at(i+1) == '!' 
+-&& (i+2 < value.size()) +-&& value.at(i+2) == '-' +-&& (i+3 < value.size()) +-&& value.at(i+3) == '-') { +-value.erase(i, 4); +-} else if (value.at(i) == '-' +-&& (i+1 < value.size()) && value.at(i+1) == '-' +-&& (i+2 < value.size()) && value.at(i+2) == '>') { +-value.erase(i, 3); +-} else if (value.at(i) == '-' +-&& (i+1 < value.size()) && value.at(i+1) == '-') { +-value.erase(i, 2); +-} else if (value.at(i) == '#') { +-value.erase(i, 1); ++while (i < val.size()) { ++if (val.at(i) == '/' ++&& (i+1 < val.size()) && val.at(i+1) == '*') { ++i += 2; ++} else if (val.at(i) == '*' ++&& (i+1 < val.size()) && val.at(i+1) == '/') { ++i += 2; ++} else if (val.at(i) == '<' ++&& (i+1 < val.size()) ++&& val.at(i+1) == '!' ++&& (i+2 < val.size()) ++&& val.at(i+2) == '-' ++&& (i+3 < val.size()) ++&& val.at(i+3) == '-') { ++i += 4; ++} else if (val.at(i) == '-' ++&& (i+1 < val.size()) && val.at(i+1) == '-' ++&& (i+2 < val.size()) && val.at(i+2) == '>') { ++i += 3; ++} else if (val.at(i) == '-' ++&& (i+1 < val.size()) && val.at(i+1) == '-')
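Review bot: the DEP-3 header names two different CVEs. The Description line says CVE-2023-38285 while the long description says "These modifications fix CVE-2023-38295"; the changelog entry, the patch file name and the pu request all use CVE-2023-38285, so 38295 looks like a typo and should be corrected before upload, since tooling that scans patch headers for CVE ids will pick up the wrong one.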
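Review bot: the evaluate() hunk is cut off after the `--` branch, so the part that decides correctness is not visible: the final else branch must append val.at(i) to transformed_value and advance i, and the function must return transformed_value rather than the old value copy; in the lines shown no branch writes into transformed_value at all, so please confirm the hunk is the verbatim v3.0.10 change. The algorithmic change is the substance of the DoS fix and is worth a sentence in the patch description: the old loop called value.erase(i, n) for every comment marker without advancing i, so an input made of repeated `/*`, `--` or `#` sequences paid a memmove of the remaining string per marker, quadratic in input length; the new loop only advances an index over the unmodified input, which is linear. Replacing the int64_t index, which was compared against an unsigned size(), with size_t is also correct.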
Bug#1035748: unblock: modsecurity/3.0.9-1
Hi, Salvatore. Thanks for the heads up! Hi, Paul et al. Answering the questions on the referred page: 1) Yes, mainly a bugfix release as noted in its changelog [1] 2) The risks on the release quality are almost zero. Only libnginx-mod-http-modsecurity depends on it (modsecurity being a library). 3) No idea 4) No idea 5) Yes, including its Debian co-maintainer, Ervin Hegedus. 6) Yes 7) It's too long but mainly because of line numbers being updated in code comments, like: -#line 1459 "seclang-parser.yy" +#line 1461 "seclang-parser.yy" 8) Not that many code changes 9) Not that difficult :-) Cheers, Alberto [1] https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.9 On Sat, May 27, 2023 at 10:33:27PM +0200, Salvatore Bonaccorso wrote: > Hi Alberto, > > On Wed, May 24, 2023 at 12:26:33PM +0200, Paul Gevers wrote: > > control: tags -1 moreinfo > > > > Hi, > > > > On Mon, 08 May 2023 18:16:51 +0200 Alberto Gonzalez Iniesta > > wrote: > > > A new upstream version of modsecurity fixes a security bug > > > (CVE-2023-28882, #1035083). > > > We also fixed a FTBFS in the meantime (#1034760). > > > Also nginx moved to pcre2, which we also did after the current version > > > in bookworm. > > > > Your message didn't reach our mail list, which typically is a bad sign > > because it means your debdiff is big. New upstream releases are typically > > not what we consider targeted fixes which are all we accept in this phase of > > the release. Please read the FAQ [1] and provide all relevant information > > pointed out there, particularly about upstream's policy on new releases. > > Did you see Paul's query? I'm asking since the deadline for unblock > requests is tomorrow already. > > Regards, > Salvatore -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#949414: modsecurity: FTBFS with libxml2 not shipping xml2-config
Source: modsecurity Followup-For: Bug #949414 Control: notfixed -1 3.9.0-1 Control: fixed -1 3.0.9-1 Fix typo in package version. On Mon, May 01, 2023 at 10:37:07AM +0200, Tobias Frost wrote: > Source: modsecurity > Followup-For: Bug #949414 > Control: fixed -1 3.9.0-1 > Control: close -1 > > According to the Forwarded bug, > 'https://github.com/SpiderLabs/ModSecurity/pull/2714', > this has been fixed with 3.9.0, Debian upload 3.9.0-1 > > > > > -- System Information: > Debian Release: 12.0 > APT prefers stable-security > APT policy: (500, 'stable-security'), (500, 'oldoldstable'), (500, > 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (100, > 'bullseye-fasttrack'), (100, 'bullseye-backports-staging'), (1, > 'experimental') > Architecture: amd64 (x86_64) > Foreign Architectures: i386 > > Kernel: Linux 6.1.0-7-amd64 (SMP w/12 CPU threads; PREEMPT) > Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, > TAINT_UNSIGNED_MODULE > Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not > set > Shell: /bin/sh linked to /usr/bin/dash > Init: systemd (via /run/systemd/system) > LSM: AppArmor: enabled -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#1020303: Ping
Hi, all. We're looking forward to uploading the latest CRS package to bullseye-backports, but this will require this pending update to bullseye. Any news on this front? Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#1020303: bullseye-pu: package modsecurity-apache/2.9.3-3+deb11u2
On Mon, Dec 12, 2022 at 01:37:02PM +0100, Alberto Gonzalez Iniesta wrote: > On Wed, Dec 07, 2022 at 08:14:50PM +, Adam D. Barratt wrote: > > On Mon, 2022-09-19 at 19:25 +0200, Alberto Gonzalez Iniesta wrote: > > > modsecurity-crs has been released today [1]. It fixes a security > > > issue, > > > here is the announcement: > > > > > > CVE-2022-39956 - Content-Type or Content-Transfer-Encoding MIME > > > header fields > > > abuse > > > > > [...] > > > Important: The mitigation against these vulnerabilities depends on > > > the > > > installation of the latest ModSecurity version (v2.9.6/v3.0.8) or an > > > updated > > > version with backports of the security fixes in these versions. > > > If you fail to update ModSecurity, the webserver / engine will refuse > > > to start > > > with the following error message: "Error creating rule: Unknown > > > variable: > > > MULTIPART_PART_HEADERS". > > > > > [...] > > > As you may see in [1] a newer modsecurity is needed in order to apply > > > this fix. We, modsecurity packaging team, are preparing a patched > > > version of both modsecurity-apache (this bug report) and > > > libmodsecurity3 > > > (coming up). After that we'll upload the updated modsecurity-crs. > > > > > > > Apologies for the delay in getting back to you. > > > > It's not entirely clear to me from the above, but what happens if this > > modsecurity-apache update gets into a point release but the > > libmodsecurity3 update does not? You mention the latter as "coming up" > > above, but I can't see a request for it. > > Hi, Adam. > > We (mod-security packaging team) have decided to skip the update to > libmodsecurity3. No package depends on it as of today and the patch to > add this feature to the version in bullseye would be huge. We think the > user base is probably close to zero which makes the effort worthless. > > Thoughts? > Hi, Adam. Any updates on this front? 
Thanks, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#1020303: bullseye-pu: package modsecurity-apache/2.9.3-3+deb11u2
On Wed, Dec 07, 2022 at 08:14:50PM +, Adam D. Barratt wrote: > On Mon, 2022-09-19 at 19:25 +0200, Alberto Gonzalez Iniesta wrote: > > modsecurity-crs has been released today [1]. It fixes a security > > issue, > > here is the announcement: > > > > CVE-2022-39956 - Content-Type or Content-Transfer-Encoding MIME > > header fields > > abuse > > > [...] > > Important: The mitigation against these vulnerabilities depends on > > the > > installation of the latest ModSecurity version (v2.9.6/v3.0.8) or an > > updated > > version with backports of the security fixes in these versions. > > If you fail to update ModSecurity, the webserver / engine will refuse > > to start > > with the following error message: "Error creating rule: Unknown > > variable: > > MULTIPART_PART_HEADERS". > > > [...] > > As you may see in [1] a newer modsecurity is needed in order to apply > > this fix. We, modsecurity packaging team, are preparing a patched > > version of both modsecurity-apache (this bug report) and > > libmodsecurity3 > > (coming up). After that we'll upload the updated modsecurity-crs. > > > > Apologies for the delay in getting back to you. > > It's not entirely clear to me from the above, but what happens if this > modsecurity-apache update gets into a point release but the > libmodsecurity3 update does not? You mention the latter as "coming up" > above, but I can't see a request for it. Hi, Adam. We (mod-security packaging team) have decided to skip the update to libmodsecurity3. No package depends on it as of today and the patch to add this feature to the version in bullseye would be huge. We think the user base is probably close to zero which makes the effort worthless. Thoughts? Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#1023411: nmu: 2.4.3.7-4+b3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu nmu tripwire_2.4.3.7-4+b3 . ANY . unstable . -m "Rebuild with new libc (Closes #1022791)" Tripwire is statically built and libc updates break it. Thanks. -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#1020629: O: netkit-tftp -- transitional package
Hi, Salvatore. Yes, I guess it'd be better to just remove it. Regards, Alberto On Sat, Sep 24, 2022 at 02:02:42PM +0200, Salvatore Bonaccorso wrote: > Hi, > > On Sat, Sep 24, 2022 at 01:39:17PM +0200, Alberto Gonzalez Iniesta wrote: > > Package: wnpp > > Severity: normal > > Control: affects -1 src:netkit-tftp > > > > I intend to orphan the netkit-tftp package. > > > > The package description is: > > This is a transitional package. It can safely be removed. > > Instead of orphaning, should this one be removed from unstable and so > for bookworm? > > Not a strong opinion, but just have seen that the binary package tftp > has been taken over by tftp-hpa and tftp is just depending on it being > the transitional package. tftpd OTOH is still not just depending on > tftpd-hpa. > > Regards, > Salvatore -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#1020629: O: netkit-tftp -- transitional package
Package: wnpp Severity: normal Control: affects -1 src:netkit-tftp I intend to orphan the netkit-tftp package. The package description is: This is a transitional package. It can safely be removed.
Bug#1020628: O: netkit-rwho -- Clients to query the rwho server
Package: wnpp Severity: normal Control: affects -1 src:netkit-rwho I intend to orphan the netkit-rwho package. The package description is: The rwho command produces output similar to who, but for all machines on the local network. If no report has been received from a machine for 11 minutes then rwho assumes the machine is down, and does not report users last known to be logged into that machine. . The ruptime command gives a status line like uptime for each machine on the local network; these are formed from packets broadcast by each host on the network once a minute.
Bug#1020627: O: netkit-rwall -- Send a message to users logged on a host
Package: wnpp Severity: normal Control: affects -1 src:netkit-rwall I intend to orphan the netkit-rwall package. The package description is: The rwall command sends a message to the users logged into the specified host. The message to be sent can be typed in and terminated with EOF or it can be in a file.
Bug#1020626: O: mboxgrep -- Grep through mailboxes
Package: wnpp Severity: normal Control: affects -1 src:mboxgrep I intend to orphan the mboxgrep package. The package description is: mboxgrep is a small utility that scans either standard Unix mailboxes, Gnus nnml or nnmh mailboxes, MH mailboxes or Maildirs, and displays messages matching a basic, extended, or Perl-compatible regular expression.
Bug#1020624: O: netkit-bootparamd -- Boot parameter server
Package: wnpp Severity: normal Control: affects -1 src:netkit-bootparamd I intend to orphan the netkit-bootparamd package. The package description is: bootparamd is a server process that provides information to diskless clients necessary for booting. It consults the /etc/bootparams file to find the information it needs.
Bug#1020623: O: netkit-rsh -- client programs for remote shell connections
Package: wnpp Severity: normal Control: affects -1 src:netkit-rsh I intend to orphan the netkit-rsh package. The package description is: This package contains rsh, rcp and rlogin.
Bug#1020621: O: netkit-rusers -- Displays who is logged in to machines on local network
Package: wnpp Severity: normal Control: affects -1 src:netkit-rusers I intend to orphan the netkit-rusers package. The package description is: The rusers command produces output similar to who, but for the list of hosts or all machines on the local network. For each host responding to the rusers query, the hostname with the names of the users currently logged on is printed on each line. The rusers command will wait for one minute to catch late responders.
Bug#1020620: O: netkit-ntalk -- Chat with another user
Package: wnpp Severity: normal Control: affects -1 src:netkit-ntalk I intend to orphan the netkit-ntalk package. The package description is: Talk is a visual communication program which copies lines from your terminal to that of another user. . In order to talk locally, you will need to install the talkd package.
Bug#1020618: O: libapache-mod-evasive -- evasive module to minimize HTTP DoS or brute force attacks
Package: wnpp Severity: normal Control: affects -1 src:libapache-mod-evasive I intend to orphan the libapache-mod-evasive package. The package description is: mod_evasive is an evasive maneuvers module for Apache to provide some protection in the event of an HTTP DoS or DDoS attack or brute force attack. . It is also designed to be a detection tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. . This module only works on Apache 2.x servers
Bug#1020303: bullseye-pu: package modsecurity-apache/2.9.3-3+deb11u2
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: airw...@gmail.com, christian.fol...@netnea.com [ Reason ] modsecurity-crs has been released today [1]. It fixes a security issue, here is the announcement: CVE-2022-39956 - Content-Type or Content-Transfer-Encoding MIME header fields abuse The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively. Important: The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6/v3.0.8) or an updated version with backports of the security fixes in these versions. If you fail to update ModSecurity, the webserver / engine will refuse to start with the following error message: "Error creating rule: Unknown variable: MULTIPART_PART_HEADERS". You can disable / remove the rule file REQUEST-922-MULTIPART-ATTACK.conf from the release in order to allow you to run the latest CRS without a fix to CVE-2022-39956, however we advise against this workaround. -- As you may see in [1] a newer modsecurity is needed in order to apply this fix. We, modsecurity packaging team, are preparing a patched version of both modsecurity-apache (this bug report) and libmodsecurity3 (coming up). After that we'll upload the updated modsecurity-crs. 
[ Impact ] No support for the fixed version of modsecurity-crs. [ Risks ] Patch is not big. It has been tested. No risks should be expected. [ Checklist ] [x] *all* changes are documented in the d/changelog|patch [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Added patch to support new required variable "MULTIPART_PART_HEADERS". Will wait for your OK before uploading. Thanks. [1] https://github.com/coreruleset/coreruleset/releases diff -Nru modsecurity-apache-2.9.3/debian/changelog modsecurity-apache-2.9.3/debian/changelog --- modsecurity-apache-2.9.3/debian/changelog 2021-12-01 16:04:02.0 +0100 +++ modsecurity-apache-2.9.3/debian/changelog 2022-09-08 23:59:34.0 +0200 @@ -1,3 +1,9 @@ +modsecurity-apache (2.9.3-3+deb11u2) bullseye; urgency=medium + + * Added multipart_part_headers.patch + + -- Ervin Hegedus Thu, 08 Sep 2022 23:59:34 +0200 + modsecurity-apache (2.9.3-3+deb11u1) bullseye-security; urgency=high * Added json_depth_limit.patch diff -Nru modsecurity-apache-2.9.3/debian/patches/multipart_part_headers.patch modsecurity-apache-2.9.3/debian/patches/multipart_part_headers.patch --- modsecurity-apache-2.9.3/debian/patches/multipart_part_headers.patch 1970-01-01 01:00:00.0 +0100 +++ modsecurity-apache-2.9.3/debian/patches/multipart_part_headers.patch 2022-09-08 23:59:34.0 +0200 
@@ -0,0 +1,410 @@ +Description: This patch adds MULTIPART_PART_HEADERS variable + ModSecurity creates from now a new variable: MULTIPART_PART_HEADERS + This needs for some special CoreRuleSet rules, which has allocated CVE's. +Author: Ervin Hegedus + +--- +Origin: other +Bug: not published yet +Last-Update: 2022-09-08 + +--- modsecurity-apache-2.9.3.orig/apache2/msc_multipart.c modsecurity-apache-2.9.3/apache2/msc_multipart.c +@@ -318,7 +318,14 @@ static int multipart_process_part_header + } + + msr->mpd->mpp_state = 1; ++msr->mpd->mpp_substate_part_data_read = 0; + msr->mpd->mpp->last_header_name = NULL; ++ ++/* Record the last part header line in the collection */ ++if (msr->mpd->mpp->last_header_line != NULL) { ++*(char **)apr_array_push(msr->mpd->mpp->header_lines) = msr->mpd->mpp->last_header_line; ++msr_log(msr, 9, "Multipart: Added part header line \"%s\"", msr->mpd->mpp->last_header_line); ++} + } else { + /* Header line. */ + +@@ -372,12 +379,28 @@ static int multipart_process_part_header + *error_msg = apr_psprintf(msr->mp, "Multipart: Part header too long."); + return -1; + } ++if ((msr->mpd->mpp->last_header_line != NULL) && (msr->mpd->mpp->last_header_name != NULL) ++&& (new_value != NULL)) { ++msr->mpd->mpp->last_header_line = apr_psprintf(msr->mp, ++"%s: %s",
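Review bot: the DEP-3 header should name the CVE and its origin. The pu request above is explicit that this is for CVE-2022-39956, yet the header reads "This needs for some special CoreRuleSet rules, which has allocated CVE's." and "Bug: not published yet"; replace that with the CVE id and a pointer to the upstream commit or release (v2.9.6) the hunks were taken from, and fix the grammar ("This is needed by some CoreRuleSet rules that have CVEs assigned"), so that the patch remains traceable once it is in the stable archive.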
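Review bot: in the first hunk (@@ -318,7 +318,14 @@) last_header_line is pushed into msr->mpd->mpp->header_lines with apr_array_push, but the hunk shows neither where header_lines is created with apr_array_make nor where it and last_header_line are reset when a new part starts; if they live on the part struct and are not reinitialised per part, the previous part's header lines leak into MULTIPART_PART_HEADERS for the next one. Please point at the hunk that initialises them in the part allocation path, and note that the level 9 msr_log writes the raw header line to the debug log, which is acceptable at that level but worth mentioning in the description.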
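Review bot: in the second hunk (@@ -372,12 +379,28 @@) the new branch rebuilds last_header_line with apr_psprintf(msr->mp, "%s: %s", ...) on every folded continuation line, so each fold allocates a fresh, larger copy from the request pool. The "Multipart: Part header too long." check immediately above bounds new_value, but it is not visible whether the same limit, or the existing total part-header size limit, also caps the concatenated line; if not, a part with many short continuation lines grows the string without ever tripping the check. The hunk is truncated at the format string, so the remaining arguments could not be reviewed.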
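The advisory quoted in this request describes the bypass class, and the patch adds a MULTIPART_PART_HEADERS variable so that rules can examine each part's own header lines. As an added illustration that is not ModSecurity, CRS or Debian code, the Python below parses a multipart/form-data body, unfolds each part's headers the way the patch concatenates continuation lines, and flags the two things the advisory names: a Content-Transfer-Encoding part header, and a charset= on a part's Content-Type that is not in an allow-list. The boundary, the sample body and the allow-list ALLOWED_CHARSETS are constructed for the example; backend_view() shows what a backend honouring those headers would actually process.

```python
"""Added illustration (not ModSecurity, CRS or Debian code): per-part MIME
header extraction for a multipart/form-data body plus the two checks the
CVE-2022-39956 advisory calls for. Boundary, body and allow-list are
constructed for this example."""
import re
from typing import Dict, List, Tuple

# Assumption: charsets the backend decodes transparently; any other charset
# declared on a part's Content-Type is reported.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "us-ascii"}
CHARSET_RX = re.compile(r";\s*charset\s*=\s*\"?([^\";\s]+)", re.I)


def split_parts(body: bytes, boundary: bytes) -> List[bytes]:
    """Raw parts between '--boundary' delimiters (RFC 2046). The preamble and
    everything after the closing '--boundary--' are dropped."""
    parts: List[bytes] = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter reached
            break
        parts.append(chunk.lstrip(b"\r\n"))
    return parts


def part_headers(part: bytes) -> Dict[str, str]:
    """One part's header block as {lowercased name: value}. Folded lines
    (leading SP/HTAB) are joined to the previous header, mirroring how the
    patch rebuilds last_header_line."""
    head = part.partition(b"\r\n\r\n")[0]
    headers: Dict[str, str] = {}
    last_name = None
    for raw in head.split(b"\r\n"):
        line = raw.decode("latin-1")
        if line[:1] in (" ", "\t") and last_name is not None:
            headers[last_name] += " " + line.strip()
            continue
        name, colon, value = line.partition(":")
        if not colon:
            continue                          # not a header line
        last_name = name.strip().lower()
        headers[last_name] = value.strip()
    return headers


def part_body(part: bytes) -> bytes:
    """Octets after the blank line that ends the part's header block."""
    return part.partition(b"\r\n\r\n")[2].rstrip(b"\r\n")


def inspect_part_headers(headers: Dict[str, str]) -> List[str]:
    """Findings for one part: a Content-Transfer-Encoding header (a decode
    step the WAF does not perform) or a disallowed charset on Content-Type."""
    findings: List[str] = []
    if "content-transfer-encoding" in headers:
        findings.append("content-transfer-encoding: " + headers["content-transfer-encoding"])
    m = CHARSET_RX.search(headers.get("content-type", ""))
    if m and m.group(1).lower() not in ALLOWED_CHARSETS:
        findings.append("charset not allowed: " + m.group(1).lower())
    return findings


def scan_multipart(body: bytes, boundary: bytes) -> List[Tuple[int, List[str]]]:
    """(part index, findings) for every part that has at least one finding."""
    results: List[Tuple[int, List[str]]] = []
    for index, part in enumerate(split_parts(body, boundary)):
        findings = inspect_part_headers(part_headers(part))
        if findings:
            results.append((index, findings))
    return results


def backend_view(raw: bytes, charset: str) -> str:
    """What a backend that honours the declared charset processes; the raw
    bytes a pattern-matching WAF inspects may contain none of it."""
    return raw.decode(charset, errors="replace")


BOUNDARY = b"x"
# Constructed body: a clean part, a base64-encoded part, and a UTF-7 part
# whose Content-Type header is folded across two lines.
SAMPLE_BODY = (
    b"--x\r\n"
    b'Content-Disposition: form-data; name="a"\r\n\r\n'
    b"hello\r\n"
    b"--x\r\n"
    b'Content-Disposition: form-data; name="b"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"PHNjcmlwdD4=\r\n"
    b"--x\r\n"
    b'Content-Disposition: form-data; name="c"\r\n'
    b"Content-Type: text/plain;\r\n"
    b"\tcharset=utf-7\r\n\r\n"
    b"+ADw-script+AD4-\r\n"
    b"--x--\r\n"
)

if __name__ == "__main__":
    for index, findings in scan_multipart(SAMPLE_BODY, BOUNDARY):
        print(f"part {index}: {findings}")
    third = part_body(split_parts(SAMPLE_BODY, BOUNDARY)[2])
    print("raw:", third, "decoded:", backend_view(third, "utf-7"))
```

The point of the last two lines is the one the advisory makes: the raw octets of part "c" contain no angle brackets for a signature to match, while the backend, after honouring the declared charset, sees a script tag. A WAF can only close that gap by seeing the per-part headers, which is what the MULTIPART_PART_HEADERS variable exposes.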
Bug#995620: nmu: tripwire_2.4.3.7-3+b3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu nmu tripwire_2.4.3.7-3+b3 . ANY . unstable . -m "Rebuild with new libc (Closes #994910)" Thanks.
Bug#994910: Uploading ASAP
tags 994910 + pending thanks Hi, I'll make an upload to unstable ASAP. Thanks, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#992956: bullseye-pu: package modsecurity-crs/3.3.0-1
On Sat, Sep 04, 2021 at 03:17:25PM +0100, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Wed, 2021-08-25 at 16:55 +0200, Alberto Gonzalez Iniesta wrote: > > This [1] security bug was found in modsecurity-crs. > > As stated in #992863 by the security team, a DSA won't be issued > > (security team on Cc:) so I'm targeting bullseye proposed updates > > instead. > > > > >From reading #992863 and checking the Security Tracker, it appears that > the issue is already fixed in unstable. However, that fact is not > reflected in the BTS. Assuming that I haven't missed anything, please > add an appropriate fixed version to #992863 and go ahead. > Ooops, sorry I messed up the original bug number in my upload to unstable as Salvatore found out. May I upload the packages for stable (#992956) and oldstable (#992863)? Only for stable and wait for an answer to #992863? Thanks, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#992956: bullseye-pu: package modsecurity-crs/3.3.0-1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu Hi, (again, see #992863) This [1] security bug was found in modsecurity-crs. As stated in #992863 by the security team, a DSA won't be issued (security team on Cc:) so I'm targeting bullseye proposed updates instead. Here's the debdiff. Hope it's all OK. I'll wait for your instructions before uploading. Cheers, Alberto [1] https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992000 -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 diff -Nru modsecurity-crs-3.3.0/debian/changelog modsecurity-crs-3.3.0/debian/changelog --- modsecurity-crs-3.3.0/debian/changelog 2020-08-16 20:24:09.0 +0200 +++ modsecurity-crs-3.3.0/debian/changelog 2021-08-24 17:40:57.0 +0200 @@ -1,3 +1,10 @@ +modsecurity-crs (3.3.0-1+deb11u1) bullseye; urgency=medium + + * Add upstream patch to fix request body bypass +CVE-2021-35368 (Closes: #992000) + + -- Alberto Gonzalez Iniesta Tue, 24 Aug 2021 17:40:57 +0200 + modsecurity-crs (3.3.0-1) unstable; urgency=medium * New upstream version 3.3.0 diff -Nru modsecurity-crs-3.3.0/debian/patches/CVE-2021-35368.patch modsecurity-crs-3.3.0/debian/patches/CVE-2021-35368.patch --- modsecurity-crs-3.3.0/debian/patches/CVE-2021-35368.patch 1970-01-01 01:00:00.0 +0100 +++ modsecurity-crs-3.3.0/debian/patches/CVE-2021-35368.patch 2021-08-24 17:40:57.0 +0200 
@@ -0,0 +1,136 @@ +From b05cd8569862ee9599edd153a09cbbca2c74600a Mon Sep 17 00:00:00 2001 +From: Walter Hop +Date: Wed, 30 Jun 2021 12:37:56 +0200 +Subject: [PATCH] Fix CVE-2021-35368 WAF bypass using pathinfo (Christian Folini) + +--- +diff --git a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf +index f29ab3e1..2e5ce88f 100644 +--- a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf +@@ -64,6 +64,15 @@ + + SecRule :crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \ + "id:9001000,\ ++phase:1,\ ++pass,\ ++t:none,\ ++nolog,\ ++ver:'OWASP_CRS/3.3.0',\ ++skipAfter:END-DRUPAL-RULE-EXCLUSIONS" ++ ++SecRule :crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \ ++"id:9001001,\ + phase:2,\ + pass,\ + t:none,\ +@@ -267,55 +276,60 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_ht + # + # Extensive checks make sure these uploads are really legitimate. 
+ # +-SecRule REQUEST_METHOD "@streq POST" \ +-"id:9001180,\ +-phase:1,\ +-pass,\ +-t:none,\ +-nolog,\ +-noauditlog,\ +-ver:'OWASP_CRS/3.3.0',\ +-chain" +-SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \ +-"chain" +-SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ +-"ctl:requestBodyAccess=Off" +- +-SecRule REQUEST_METHOD "@streq POST" \ +-"id:9001182,\ +-phase:1,\ +-pass,\ +-t:none,\ +-nolog,\ +-noauditlog,\ +-ver:'OWASP_CRS/3.3.0',\ +-chain" +-SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \ +-"chain" +-SecRule ARGS:destination "@streq admin/content/assets" \ +-"chain" +-SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ +-"chain" +-SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ +-"ctl:requestBodyAccess=Off" +- +-SecRule REQUEST_METHOD "@streq POST" \ +-"id:9001184,\ +-phase:1,\ +-pass,\ +-t:none,\ +-nolog,\ +-noauditlog,\ +-ver:'OWASP_CRS/3.3.0',\ +-chain" +-SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \ +-"chain" +-SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ +-"chain" +-SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \ +-"chain" +-SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ +-"ctl:requestBodyAccess=Off" ++# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368. ++# ++#SecRule REQUEST_METHOD "@streq POST" \ ++#"id:9001180,\ ++#phase:1,\ ++#pass,\ +#t:none,\ ++#nolog,\ ++#noauditlog,\ ++#ver
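Review bot: the debdiff as shown carries hunks for debian/changelog and the new debian/patches/CVE-2021-35368.patch but no hunk for debian/patches/series; unless series is updated in the same upload, dpkg-source will not apply the new patch and 3.3.0-1+deb11u1 would ship the unchanged rules file. Please include the series change in the debdiff (or confirm it is present in the upload).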
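Review bot: the @@ -64,6 +64,15 @@ hunk of the CRS patch gives the new phase:1 skip rule the existing id 9001000 and moves the original phase:2 rule to 9001001, so this stable update changes the id of a rule that already shipped in bullseye; a local SecRuleRemoveById 9001000 or ctl:ruleRemoveById=9001000 exclusion would now hit the phase-1 rule instead of the phase-2 one. The renumbering follows the upstream commit (b05cd856), but a line in the changelog or README.Debian telling admins to re-check exclusions that reference 9001000 would be worth adding.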
Bug#992863: buster-pu: package modsecurity-crs/3.1.0-1
Hi Salvatore!!

On Tue, Aug 24, 2021 at 03:17:36PM +0200, Salvatore Bonaccorso wrote:
> Hi Alberto,
>
> On Tue, Aug 24, 2021 at 01:57:26PM +0200, Alberto Gonzalez Iniesta wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: buster
> > User: release.debian@packages.debian.org
> > Usertags: pu
> >
> > Hi,
> >
> > This [1] security bug was found in modsecurity-crs.
> > As with the previous update (modsecurity-crs_3.1.0-1+deb10u1), a DSA
> > does not seem necessary (security team on Cc:) so I'm targeting buster
> > proposed updates instead.
> >
> > Here's the debdiff. Hope it's all OK.
> >
> > I'll wait for your instructions before uploading.
>
> Correct, we marked the CVE as no-dsa for both buster and bullseye. I
> would suggest to first fix this in unstable, which is sort of
> a prerequisite to get the fix in stable and oldstable via the point
> releases.

Yes, updated package got in unstable today.

> Do you have an update as well pending for bullseye?

Yes, I'll open a new PU request for it too.

Thanks,

Alberto
Bug#992863: buster-pu: package modsecurity-crs/3.1.0-1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, This [1] security bug was found in modsecurity-crs. As with the previous update (modsecurity-crs_3.1.0-1+deb10u1), a DSA does not seem necessary (security team on Cc:) so I'm targeting buster proposed updates instead. Here's the debdiff. Hope it's all OK. I'll wait for your instructions before uploading. Cheers, Alberto [1] https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992000 -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 diff -Nru modsecurity-crs-3.1.0/debian/changelog modsecurity-crs-3.1.0/debian/changelog --- modsecurity-crs-3.1.0/debian/changelog 2019-11-03 14:34:05.0 +0100 +++ modsecurity-crs-3.1.0/debian/changelog 2021-08-24 12:37:59.0 +0200 @@ -1,3 +1,10 @@ +modsecurity-crs (3.1.0-1+deb10u2) buster; urgency=medium + + * Add upstream patch to fix request body bypass +CVE-2021-35368 (Closes: #992000) + + -- Alberto Gonzalez Iniesta Tue, 24 Aug 2021 12:37:59 +0200 + modsecurity-crs (3.1.0-1+deb10u1) buster; urgency=medium * Add upstream patch to fix php script upload rules. diff -Nru modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch --- modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch 1970-01-01 01:00:00.0 +0100 +++ modsecurity-crs-3.1.0/debian/patches/CVE-2021-35368.patch 2021-08-24 12:32:08.0 +0200 
@@ -0,0 +1,130 @@ +From d3b116fce6c0dc8c8f6e4fbb4e3304af312b4812 Mon Sep 17 00:00:00 2001 +From: Walter Hop +Date: Wed, 30 Jun 2021 12:56:51 +0200 +Subject: [PATCH] Fix CVE-2021-35368 WAF bypass using pathinfo (Christian Folini) + +--- +diff --git a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf +index 1f511c38..c9bb8693 100644 +--- a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf +@@ -64,6 +64,14 @@ + + SecRule :crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \ + "id:9001000,\ ++phase:1,\ ++pass,\ ++t:none,\ ++nolog,\ ++skipAfter:END-DRUPAL-RULE-EXCLUSIONS" ++ ++SecRule :crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \ ++"id:9001001,\ + phase:2,\ + pass,\ + t:none,\ +@@ -254,52 +262,58 @@ + # + # Extensive checks make sure these uploads are really legitimate. + # +-SecRule REQUEST_METHOD "@streq POST" \ +-"id:9001180,\ +-phase:1,\ +-pass,\ +-t:none,\ +-nolog,\ +-noauditlog,\ +-chain" +-SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \ +-"chain" +-SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ +-"ctl:requestBodyAccess=Off" +- +-SecRule REQUEST_METHOD "@streq POST" \ +-"id:9001182,\ +-phase:1,\ +-pass,\ +-t:none,\ +-nolog,\ +-noauditlog,\ +-chain" +-SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \ +-"chain" +-SecRule ARGS:destination "@streq admin/content/assets" \ +-"chain" +-SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ +-"chain" +-SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ +-"ctl:requestBodyAccess=Off" +- +-SecRule REQUEST_METHOD "@streq POST" \ +-"id:9001184,\ +-phase:1,\ +-pass,\ +-t:none,\ +-nolog,\ +-noauditlog,\ +-chain" +-SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \ +-"chain" +-SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ +-"chain" +-SecRule REQUEST_HEADERS:Content-Type "@streq 
multipart/form-data" \ +-"chain" +-SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ +-"ctl:requestBodyAccess=Off" ++# Rule 9001180 was commented out in 2021 in order to fight CVE-2021-35368. ++# ++#SecRule REQUEST_METHOD "@streq POST" \ ++#"id:9001180,\ ++#phase:1,\ ++#pass,\ ++#t:none,\ ++#nolog,\ ++#noauditlog,\ ++#chain" ++#SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \ ++#"chain" ++#SecRule REQUEST_COOKIES:/S?SESS
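Review bot: the CVE-2021-35368.patch in this buster debdiff is a different upstream commit (d3b116fce6c0dc8c8f6e4fbb4e3304af312b4812) from the one used for bullseye (b05cd8569862ee9599edd153a09cbbca2c74600a), and the patch header does not say where it comes from or that it targets the 3.1.0 rules file (no ver: actions, different hunk offsets). An Origin: line with the upstream commit URL and a Bug-Debian: https://bugs.debian.org/992000 header would make the backport traceable; and, as with the bullseye debdiff, no debian/patches/series hunk is visible, so please confirm the patch is listed there.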
Bug#924352: Fixed upstream in 3.2.0
Version: 3.2.0-1

Hi, the fix for this issue [1] was included upstream in 3.2.0.
Closing accordingly.

Thanks Moritz for the heads up.

[1] https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1167
Bug#970833:
On Thu, Dec 10, 2020 at 01:18:50PM +, Revial Marc wrote:
>
> Dear maintainer
> Any chance this bug will be patched with the fix in Buster or bullseye?
> As we pay for Trustwave ModSecurity rules,
>
> SecRemoteRules is used to download these rules.
> Thanks for the help

Done. Sorry for the delay.
Bug#967080: Fixed in 2.9.2-2
fixed 967080 2.9.2-2
thanks

Hi, this was fixed in 2.9.2-2.

Thanks,

Alberto
Bug#874542: reclose, the wildcard was introduced in 2.9.2-2
fixed 874542 2.9.2-2
thanks

The fix for this bug was included, as the changelog closing this bug shows, in 2.9.2-2. Thus, 2.9.2-1~bpo9+1 still had the bug.

Regards,

Alberto
Bug#957184: eurephia: diff for NMU version 1.1.0-6.1
Hi, Sudip. Thanks for the upload. No need to cancel it :-) On Mon, Nov 30, 2020 at 08:52:30PM +, Sudip Mukherjee wrote: > Control: tags 957184 + patch > Control: tags 957184 + pending > -- > > Dear maintainer, > > I've prepared an NMU for eurephia (versioned as 1.1.0-6.1) and > uploaded it to DELAYED/2. Please feel free to tell me if I > should cancel it. > > -- > Regards > Sudip > > diff -Nru eurephia-1.1.0/debian/changelog eurephia-1.1.0/debian/changelog > --- eurephia-1.1.0/debian/changelog 2016-09-16 08:38:26.0 +0100 > +++ eurephia-1.1.0/debian/changelog 2020-11-30 20:44:45.0 + > @@ -1,3 +1,11 @@ > +eurephia (1.1.0-6.1) unstable; urgency=medium > + > + * Non-maintainer upload. > + * Fix ftbfs with GCC-10. (Closes: #957184) > +- Use fcommon with CFLAGS. > + > + -- Sudip Mukherjee Mon, 30 Nov 2020 20:44:45 > + > + > eurephia (1.1.0-6) unstable; urgency=medium > >* Make build reproducible. Thanks Chris Lamb for the patch! > diff -Nru eurephia-1.1.0/debian/rules eurephia-1.1.0/debian/rules > --- eurephia-1.1.0/debian/rules 2015-07-07 16:04:12.0 +0100 > +++ eurephia-1.1.0/debian/rules 2020-11-29 22:27:12.0 + > @@ -3,7 +3,7 @@ > dh $@ > > override_dh_auto_configure: > - $(shell DEB_CFLAGS_MAINT_APPEND="-fPIC -std=gnu89" dpkg-buildflags > --export=configure) ./configure --prefix /usr --plug-in --fw-iptables > --db-sqlite3 --sqlite3-path /var/lib/eurephia --eurephiadm --openvpn-src > /usr/include/openvpn > + $(shell DEB_CFLAGS_MAINT_APPEND="-fPIC -std=gnu89 -fcommon" > dpkg-buildflags --export=configure) ./configure --prefix /usr --plug-in > --fw-iptables --db-sqlite3 --sqlite3-path /var/lib/eurephia --eurephiadm > --openvpn-src /usr/include/openvpn > override_dh_auto_clean: > rm -rf configure.log > dh_auto_clean -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
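Review bot: in the debian/rules hunk, appending -fcommon to DEB_CFLAGS_MAINT_APPEND restores GCC's pre-10 handling of tentative definitions instead of fixing the duplicate global definitions that fail to link under GCC 10's -fno-common default. That is an acceptable stopgap for an NMU, but the changelog line "Use fcommon with CFLAGS" should say it is a workaround, and a follow-up that declares each shared global extern in the header and defines it in exactly one .c file would let the flag be dropped again.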
Bug#968967: Same here
Hi,

I experienced the same failure in two hosts. My config:

Authuserfile /etc/proftpd/ftpd.passwd
AuthOrder mod_auth_file.c
DefaultRoot ~
RequireValidShell off
SFTPEngine on
Port
SFTPLog /var/log/proftpd/sftp.log
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPCompression delayed
SFTPPAMEngine off
Bug#962454: Link failures after upgrade to +deb10u1
On Thu, Jun 11, 2020 at 10:59:06AM +0200, Valentin Vidic wrote:
> On Mon, Jun 08, 2020 at 12:29:35PM +0200, Alberto Gonzalez Iniesta wrote:
> > Some weeks ago I upgraded corosync (3.0.1-2 -> 3.0.1-2+deb10u1) and
> > started to notice these messages in my nodes (two node cluster):
> > Jun 2 01:10:13 patty corosync[2346]: [KNET ] link: host: 2 link: 0 is down
> > Jun 2 01:10:13 patty corosync[2346]: [KNET ] host: host: 2 (passive) best link: 1 (pri: 1)
> > Jun 2 01:10:14 patty corosync[2346]: [KNET ] rx: host: 2 link: 0 is up
> > Jun 2 01:10:14 patty corosync[2346]: [KNET ] host: host: 2 (passive) best link: 0 (pri: 1)
> > Jun 3 03:11:07 patty corosync[2346]: [KNET ] link: host: 2 link: 1 is down
> > Jun 3 03:11:07 patty corosync[2346]: [KNET ] host: host: 2 (passive) best link: 0 (pri: 1)
> > Jun 3 03:11:08 patty corosync[2346]: [KNET ] rx: host: 2 link: 1 is up
> > Jun 3 03:11:08 patty corosync[2346]: [KNET ] host: host: 2 (passive) best link: 0 (pri: 1)
>
> Hi, can you confirm that downgrading to the previous version solves the
> link problem for you?
>

Hi, I'll try that this weekend and keep you updated.

Thanks,

Alberto
Bug#962454: Link failures after upgrade to +deb10u1
Source: corosync
Version: 3.0.1-2+deb10u1
Severity: important

Hi,

Some weeks ago I upgraded corosync (3.0.1-2 -> 3.0.1-2+deb10u1) and started to notice these messages in my nodes (two node cluster):

Jun 2 01:10:13 patty corosync[2346]: [KNET ] link: host: 2 link: 0 is down
Jun 2 01:10:13 patty corosync[2346]: [KNET ] host: host: 2 (passive) best link: 1 (pri: 1)
Jun 2 01:10:14 patty corosync[2346]: [KNET ] rx: host: 2 link: 0 is up
Jun 2 01:10:14 patty corosync[2346]: [KNET ] host: host: 2 (passive) best link: 0 (pri: 1)
Jun 3 03:11:07 patty corosync[2346]: [KNET ] link: host: 2 link: 1 is down
Jun 3 03:11:07 patty corosync[2346]: [KNET ] host: host: 2 (passive) best link: 0 (pri: 1)
Jun 3 03:11:08 patty corosync[2346]: [KNET ] rx: host: 2 link: 1 is up
Jun 3 03:11:08 patty corosync[2346]: [KNET ] host: host: 2 (passive) best link: 0 (pri: 1)

Notice the failure happens with both links. One of the links is a cross-over cable. The other uses a bond with two interfaces. These errors are more common on one of the nodes than on the other. Sometimes they match (both nodes log the link failure), but most of the time only one node complains:

Jun 4 01:16:23 selma corosync[52890]: [KNET ] link: host: 1 link: 0 is down
Jun 4 01:16:23 selma corosync[52890]: [KNET ] host: host: 1 (passive) best link: 1 (pri: 1)
Jun 4 01:16:24 selma corosync[52890]: [KNET ] rx: host: 1 link: 0 is up
Jun 4 01:16:24 selma corosync[52890]: [KNET ] host: host: 1 (passive) best link: 0 (pri: 1)
Jun 4 01:16:55 patty corosync[2346]: [KNET ] link: host: 2 link: 0 is down
Jun 4 01:16:55 patty corosync[2346]: [KNET ] host: host: 2 (passive) best link: 1 (pri: 1)
Jun 4 01:16:56 patty corosync[2346]: [KNET ] rx: host: 2 link: 0 is up
Jun 4 01:16:56 patty corosync[2346]: [KNET ] host: host: 2 (passive) best link: 0 (pri: 1)

Here's my config:

totem {
    version: 2
    cluster_name: web
    crypto_cipher: none
    crypto_hash: none
    interface {
        linknumber: 0
    }
    interface {
        linknumber: 1
    }
}

logging {
    fileline: off
    to_stderr: yes
    to_logfile: yes
    logfile: /var/log/corosync/corosync.log
    to_syslog: yes
    debug: off
    logger_subsys {
        subsys: QUORUM
        debug: off
    }
}

quorum {
    provider: corosync_votequorum
    expected_votes: 2
    two_node: 1
}

nodelist {
    node {
        name: patty
        nodeid: 1
        ring0_addr: 192.168.144.1
        ring1_addr: 10.10.1.5
    }
    node {
        name: selma
        nodeid: 2
        ring0_addr: 192.168.144.2
        ring1_addr: 10.10.1.6
    }
}

Any help is appreciated.

Thanks,

Alberto

-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.6.0-1-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Bug#955643: tripwire: FTBFS: dpkg-gencontrol: error: error occurred while parsing Built-Using field: glibc (= 2.30-4), libgcc1 (= ),
Hi, Lucas.

On Fri, Apr 03, 2020 at 09:56:02PM +0200, Lucas Nussbaum wrote:
> Source: tripwire
> Version: 2.4.3.7-1
> Severity: serious
> Justification: FTBFS on amd64
> Tags: bullseye sid ftbfs
> Usertags: ftbfs-20200402 ftbfs-bullseye
>
> Hi,
>
> During a rebuild of all packages in sid, your package failed to build
> on amd64.
>
> Relevant part (hopefully):
> > dh_gencontrol -- -VBuilt-Using="glibc (= 2.30-4), libgcc1 (= ), "
> > dpkg-gencontrol: warning: Depends field of package tripwire: substitution variable ${shlibs:Depends} used, but is not defined
> > dpkg-gencontrol: warning: can't parse dependency libgcc1 (= )
> > dpkg-gencontrol: error: error occurred while parsing Built-Using field: glibc (= 2.30-4), libgcc1 (= ),
> > dh_gencontrol: error: dpkg-gencontrol -ptripwire -ldebian/changelog -Tdebian/tripwire.substvars -Pdebian/.debhelper/tripwire/dbgsym-root "-VBuilt-Using=glibc (= 2.30-4), libgcc1 (= ), " -UPre-Depends -URecommends -USuggests -UEnhances -UProvides -UEssential -UConflicts -DPriority=optional -UHomepage -UImportant -UBuilt-Using -DAuto-Built-Package=debug-symbols -DPackage=tripwire-dbgsym "-DDepends=tripwire (= \${binary:Version})" "-DDescription=debug symbols for tripwire" "-DBuild-Ids=29bff36c96f9f7f161804f634705648d102836ba 3a7a08dca92e1782576544245bf22db1edd8f5c7 a01ce61d78fff4d6276e5a8914e5ef3ed1dfee7a cc2f0ff87227a5dd8f907527250c554b8384d95c" -DSection=debug -UMulti-Arch -UReplaces -UBreaks returned exit code 25
> > dh_gencontrol: error: Aborting due to earlier error
> > make: *** [debian/rules:85: binary-arch] Error 25

I just built the package with sbuild without any issues. Here's the relevant part:

dh_gencontrol -- -VBuilt-Using="glibc (= 2.30-4), gcc-10 (= 10-20200418-1), "
dpkg-gencontrol: warning: Depends field of package tripwire: substitution variable ${shlibs:Depends} used, but is not defined
dpkg-gencontrol: warning: Depends field of package tripwire: substitution variable ${shlibs:Depends} used, but is not defined
dh_md5sums
dh_builddeb
dpkg-deb: building package 'tripwire-dbgsym' in '../tripwire-dbgsym_2.4.3.7-1_amd64.deb'.
dpkg-deb: building package 'tripwire' in '../tripwire_2.4.3.7-1_amd64.deb'.
dpkg-genbuildinfo --build=binary
dpkg-genchanges --build=binary >../tripwire_2.4.3.7-1_amd64.changes
dpkg-genchanges: info: binary-only upload (no source code included)
dpkg-source --after-build .
dpkg-buildpackage: info: binary-only upload (no source included)
Build finished at 2020-04-19T14:14:59Z

I have no idea why in the rebuild this happened:

> > dh_gencontrol -- -VBuilt-Using="glibc (= 2.30-4), libgcc1 (= ), "

Instead of:

> dh_gencontrol -- -VBuilt-Using="glibc (= 2.30-4), gcc-10 (= 10-20200418-1), "

Maybe a glitch in the gcc-10 package?
Bug#949728: buster-pu: package modsecurity/3.0.3-1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, A security issue (CVE-2019-19886) was found in Modsecurity 3.0.3. [1] A fixed package is already in unstable. This upload only applies upstream patch to fix that. Please consider 3.0.3-1+deb10u1 for the next buster update. Waiting for your OK to the upload. Thanks, Alberto [1] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-denial-of-service-details-cve-2019-19886/ -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.4.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru modsecurity-3.0.3/debian/changelog modsecurity-3.0.3/debian/changelog --- modsecurity-3.0.3/debian/changelog 2018-12-12 08:17:40.0 +0100 +++ modsecurity-3.0.3/debian/changelog 2020-01-21 22:52:59.0 +0100 @@ -1,3 +1,9 @@ +modsecurity (3.0.3-1+deb10u1) buster; urgency=medium + + * Fixes CVE-2019-19886 (Closes: #949682) + + -- Ervin Hegedus Tue, 21 Jan 2020 21:52:59 + + modsecurity (3.0.3-1) unstable; urgency=medium [ Ervin Hegedüs ] diff -Nru modsecurity-3.0.3/debian/patches/cookieparse_fix.patch modsecurity-3.0.3/debian/patches/cookieparse_fix.patch --- modsecurity-3.0.3/debian/patches/cookieparse_fix.patch 1970-01-01 01:00:00.0 +0100 +++ modsecurity-3.0.3/debian/patches/cookieparse_fix.patch 2020-01-21 22:52:59.0 +0100 
@@ -0,0 +1,92 @@ +Description: Fix cookie header parsing bug + There was a bug in the transaction.cc, if the Cookie header contains a field (cookie) + without '=', the engine doesn't evaulate it as cookie. If the cookie started with + '=', then the engine crashed. +Author: Ervin Hegedus + +--- +Origin: upstream, https://github.com/SpiderLabs/Misc/blob/master/ModSecurity_cookie_parsing_fix_303.patch +Bug: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-denial-of-service-details-cve-2019-19886/ +Last-Update: 2020-01-21 + + + +--- modsecurity-3.0.3.orig/src/transaction.cc modsecurity-3.0.3/src/transaction.cc +@@ -556,20 +556,63 @@ int Transaction::addRequestHeader(const + + if (keyl == "cookie") { + size_t localOffset = m_variableOffset; ++size_t pos; + std::vector cookies = utils::string::ssplit(value, ';'); ++ ++if (!cookies.empty()) { ++// Get rid of any optional whitespace after the cookie-string ++// (i.e. after the end of the final cookie-pair) ++std::string& final_cookie_pair = cookies.back(); ++while (!final_cookie_pair.empty() && isspace(final_cookie_pair.back())) { ++final_cookie_pair.pop_back(); ++} ++} ++ + for (const std::string : cookies) { +-std::vector s = utils::string::split(c, +- '='); +-if (s.size() > 1) { +-if (s[0].at(0) == ' ') { +-s[0].erase(0, 1); +-} +-m_variableRequestCookiesNames.set(s[0], +-s[0], localOffset); +- +-localOffset = localOffset + s[0].size() + 1; +-m_variableRequestCookies.set(s[0], s[1], localOffset); +-localOffset = localOffset + s[1].size() + 2; ++// skip empty substring, eg "Cookie: ;;foo=bar" ++if (c.empty() == true) { ++localOffset++; // add length of ';' ++continue; ++} ++ ++// find the first '=' ++pos = c.find_first_of("=", 0); ++std::string ckey = ""; ++std::string cval = ""; ++ ++// if the cookie doesn't contains '=', its just a key ++if (pos == std::string::npos) { ++ckey = c; ++} ++// else split to two substrings by first = ++else { ++ckey = c.substr(0, pos); ++// value will contains the 
next '=' chars if exists ++// eg. foo=bar=baz -> key: foo, value: bar=baz ++cval = c.substr(pos+1); ++} ++ ++// ltrim the key - following the modsec v2 way ++while (ckey.empty() == false && isspace(ckey.at(0))) { ++ckey.erase(0, 1); ++localOffset++; ++} ++ ++// if the key is empty (eg: "Cookie: =bar;") skip it ++if (ckey.empty() == true) { ++localOffset = localOffset + c.length() + 1; ++continue; ++} ++else { ++// handle cookie only if the key is not empty ++// set cookie name
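Review bot: the DEP-3 header block of cookieparse_fix.patch has a typo in its Description ("evaulate" for "evaluate") and its Bug: field points only at the Trustwave advisory; since the changelog hunk closes #949682, add a Bug-Debian: https://bugs.debian.org/949682 line so the patch is traceable from the Debian side too.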
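Review bot: in the transaction.cc hunk the offset bookkeeping double-counts leading whitespace: the ltrim loop does localOffset++ for every space stripped from ckey, and the empty-key branch then adds the full untrimmed c.length() + 1 on top, so for a pair such as " =bar" the offsets recorded for every later cookie drift to the right. Either drop the localOffset++ from the loop and let each branch add c.length() + 1 exactly once, or add only the trimmed remainder in the skip branch. Separately, isspace(final_cookie_pair.back()) and isspace(ckey.at(0)) pass a plain char; a cookie byte with the high bit set becomes a negative int, which is undefined behaviour for isspace, so cast through unsigned char first.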
Bug#949682: Denial of Service due to cookie handling
Package: libmodsecurity3
Version: 3.0.3-1
Severity: serious
Tags: security upstream

A security issue was discovered by Ervin Hegedüs in Modsecurity 3.0.3.

More info:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-denial-of-service-details-cve-2019-19886/

Fixed package is already in unstable.

-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.4.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Bug#944119: buster-pu: package modsecurity-crs/3.1.0-1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, This [1] security bug was found in modsecurity-crs. After contacting the security team, they said a DSA was not necessary and that I should proceed through p-u. So here's the debdiff. Hope it's all OK. I'll wait for your instructions before uploading. Cheers, Alberto [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943773 -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.2.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru modsecurity-crs-3.1.0/debian/changelog modsecurity-crs-3.1.0/debian/changelog --- modsecurity-crs-3.1.0/debian/changelog 2019-11-03 14:34:05.0 +0100 +++ modsecurity-crs-3.1.0/debian/changelog 2018-11-27 09:12:54.0 +0100 @@ -1,10 +1,3 @@ -modsecurity-crs (3.1.0-1+deb10u1) buster; urgency=medium - - * Add upstream patch to fix php script upload rules. -CVE-2019-13464 (Closes: #943773) - - -- Alberto Gonzalez Iniesta Sun, 03 Nov 2019 14:34:05 +0100 - modsecurity-crs (3.1.0-1) unstable; urgency=medium * New upstream release. diff -Nru modsecurity-crs-3.1.0/debian/patches/CVE-2019-13464.patch modsecurity-crs-3.1.0/debian/patches/CVE-2019-13464.patch --- modsecurity-crs-3.1.0/debian/patches/CVE-2019-13464.patch 2019-11-03 14:30:47.0 +0100 +++ modsecurity-crs-3.1.0/debian/patches/CVE-2019-13464.patch 1970-01-01 01:00:00.0 +0100 
@@ -1,102 +0,0 @@ -From 6090d6b0a90417f1a60aa68a01eb777cef2e1184 Mon Sep 17 00:00:00 2001 -From: "Federico G. Schwindt" -Date: Sat, 4 May 2019 11:03:52 +0100 -Subject: [PATCH] Also handle dot variant of X_Filename - -PHP will transform dots to underscore in variable names since dot is -invalid. - rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf | 4 +- - .../933110.yaml | 60 +++ - 2 files changed, 62 insertions(+), 2 deletions(-) - -Index: modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf -=== modsecurity-crs.orig/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf 2019-11-03 14:30:34.410293645 +0100 -+++ modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf 2019-11-03 14:30:34.406293506 +0100 -@@ -86,7 +86,7 @@ - # X_Filename, or X-File-Name to transmit the file name to the server; - # scan these request headers as well as multipart/form-data file names. - # --SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \ -+SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \ - "id:933110,\ - phase:2,\ - block,\ -@@ -601,7 +601,7 @@ - # - # This rule is a stricter sibling of rule 933110. 
- # --SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \ -+SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \ - "id:933111,\ - phase:2,\ - block,\ -Index: modsecurity-crs/util/regression-tests/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml -=== modsecurity-crs.orig/util/regression-tests/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml 2019-11-03 14:30:34.410293645 +0100 -+++ modsecurity-crs/util/regression-tests/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml 2019-11-03 14:30:34.406293506 +0100 -@@ -288,3 +288,63 @@ - uri: / - output: - no_log_contains: id "933110" -+ - -+test_title: 933110-20 -+desc: PHP script uploads -+stages: -+- stage: -+input: -+ dest_addr: 127.0.0.1 -+ headers: -+Host: localhost -+User-Agent: ModSecurity CRS 3 Tests -+X.Filename: a.php -+ port: 80 -+ uri: /upload2 -+output: -+ log_contains: id "933110" -+ - -+test_title: 933110-21 -+desc: PHP script uploads -+stages: -+- stage: -+input: -+ dest_addr: 127.0.0.1 -+ headers: -+Host: localhost -+User-Agent: ModSecurity CRS 3 Tests -+X.Filename: fda.php5... -+ port: 80 -+ uri: /upload6 -+output: -+ log_contains: id "933110" -+ - -+test_title: 933110-22 -+de
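Review bot: this debdiff is reversed: the changelog hunk (@@ -1,10 +1,3 @@) removes the modsecurity-crs (3.1.0-1+deb10u1) entry and the CVE-2019-13464.patch diff deletes the file (its +++ side carries the 1970-01-01 epoch timestamp), which means debdiff was run with the new .dsc first and the old one second. Please regenerate it with the 3.1.0-1 .dsc as the first argument and the 3.1.0-1+deb10u1 .dsc as the second so the release team sees the changelog entry and the new patch as + lines.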
Bug#942217: nmu: libapache2-mod-security2_2.9.3-1
On Sat, Oct 12, 2019 at 05:01:38PM +0200, Alberto Gonzalez Iniesta wrote:
> On Sat, Oct 12, 2019 at 03:57:14PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> >
> > On Sat, 2019-10-12 at 15:16 +0200, Alberto Gonzalez Iniesta wrote:
> > > nmu libapache2-mod-security2_2.9.3-1 . amd64 . buster . -m "Build
> > > with libapr-1.6.5"
> > >
> > > Looks like my build environment wasn't up to date when I built this.
> > > The amd64 package is linked with an older version of libapr1 than the
> > > one in Buster.
> > > Sorry for the mess.
> >
> > What practical issues does this cause?
> >
>
> It's probably just a warning, reported here:
> https://github.com/SpiderLabs/ModSecurity/issues/2139
>

Upstream commented on the issue:
https://github.com/SpiderLabs/ModSecurity/issues/2139#issuecomment-541590904
Bug#942217: nmu: libapache2-mod-security2_2.9.3-1
On Sat, Oct 12, 2019 at 03:57:14PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Sat, 2019-10-12 at 15:16 +0200, Alberto Gonzalez Iniesta wrote:
> > nmu libapache2-mod-security2_2.9.3-1 . amd64 . buster . -m "Build
> > with libapr-1.6.5"
> >
> > Looks like my build environment wasn't up to date when I built this.
> > The amd64 package is linked with an older version of libapr1 than the
> > one in Buster.
> > Sorry for the mess.
>
> What practical issues does this cause?
>

It's probably just a warning, reported here:
https://github.com/SpiderLabs/ModSecurity/issues/2139
Bug#942217: nmu: libapache2-mod-security2_2.9.3-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

nmu libapache2-mod-security2_2.9.3-1 . amd64 . buster . -m "Build with libapr-1.6.5"

Looks like my build environment wasn't up to date when I built this. The amd64 package is linked with an older version of libapr1 than the one in Buster. Sorry for the mess.

-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.2.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Bug#928053: Severity of bug #928053 is too high
Hi all, I'll try to clarify a bit on ModSecurity vs CRS, since I think it may be a bit confusing. On Mon, May 20, 2019 at 11:03:46PM +0200, Moritz Mühlenhoff wrote: > On Sat, May 11, 2019 at 06:45:13AM +0200, Christian Folini wrote: > > Hi Christian, > > Thanks for chiming in, much appreciated! But I need some further > clarification. > > > The Core Rule Set project explained the situation in > > https://coreruleset.org/20190425/regular-expression-dos-weaknesses-in-crs/ > > > > The CVEs were issues against the Regular Expression itself, not CRS running > > on ModSecurity. > > CVEs are not assigned for regular expressions by itself. And the CVE > description > explicitly refers to ModSecurity, so if those reports are not correct, the > CVE IDs should be rejected as MITRE. Moritz, the descriptions explicitly refer to CRS: "An issue was discovered in OWASP ModSecurity Core Rule Set (CRS)" > > Debian Stable comes wtih ModSecurity 2. > > Debian Testing comes with ModSecurity 3. > > Debian stable actually has 3.0.0, but it doesn't matter here. There's 2 (or 3) separate "concepts" in this discussion: - ModSecurity. The WAF, usually a web server module (more on this later) - ModSecurity CRS. A collection of rules for the WAF. Debian stable has: - ModSecurity 2 (2.9.1) as an Apache2 module. - ModSecurity CRS 3.0.0. Which is "just" a collection of rules (as in the Regular Expressions). Buster will have (hopefully): - ModSecurity 2 (2.9.3) as an Apache2 module. - ModSecurity CRS 3.1.0. AND - libmodsecurity3 (3.0.3) as a library that can/will be used by future developments like an nginx, or apache, module no yet in Debian. > So if there's no circumstance where this triggers in modsecurity-crs, the > four CVE ID > should be rejected. Otherwise this will only cause confusion. Do you know who > requested > these? Rejects can be requested via https://cveform.mitre.org -> Select a > request type > -> Request an update to an existing CVE Entry. 
The thing is, this issue does not only depend on the regexps (in CRS) but on
how the WAF using CRS deals with them. ModSecurity 2 (the apache module in
stable and buster) has limits on regexps to avoid this kind of issue.
ModSecurity 3 (the library), as Christian explained, has protection for most
of these issues (4 out of 5), but... no package is actually using ModSecurity
3 yet. So the impact of this on Debian is close to none...

> > CVE-2019-11387
> > ModSecurity 3 and thus NGINX 3 and thus Debian Unstable is affected at
> > Paranoia Level 2 and above. The default setting is Paranoia Level 1.
> > ->
> > https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1359#issuecomment-487344654
>
> I don't understand. What does Nginx 3 have to do with it? There's not even
> such a version in unstable, the latest is 1.14.2?

Christian was referring to ModSecurity's nginx module still under development
and NOT in Debian.

I hope this mail was useful.

Regards,

Alberto

-- 
Alberto Gonzalez Iniesta    | Formación, consultoría y soporte técnico
mailto/sip: a...@inittab.org | en GNU/Linux y software libre
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
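An added configuration example (mine, not part of this bug report and not shipped by ModSecurity or CRS) of what the "limits on regexps" in ModSecurity 2 mentioned above look like in an Apache configuration: the two SecPcre* directives cap how much backtracking PCRE may do while evaluating one rule, and a rule on the TX:MSC_PCRE_LIMITS_EXCEEDED flag makes an aborted match visible instead of letting the request through as a silent non-match. The directive and variable names are real ModSecurity 2.x ones; the numeric values, the Include path, the rule id and the tag are assumptions chosen for illustration and are not CRS rules.

```apache
# Added example, not from the bug report or the ModSecurity/CRS projects.
# Goes into the Apache configuration that loads mod_security2 (for example a
# conf-available snippet), wrapping the Include of the rule files.

<IfModule security2_module>
    SecRuleEngine On

    # Bound the work PCRE may do for a single regex evaluation. Both values
    # are illustrative: they cap the number of match() calls and the
    # recursion depth. When either limit is hit ModSecurity aborts that match
    # and sets TX:MSC_PCRE_LIMITS_EXCEEDED to 1 instead of spinning on the
    # input, which is the behaviour that takes the sting out of a
    # backtracking-heavy pattern fed with crafted input.
    SecPcreMatchLimit 1000
    SecPcreMatchLimitRecursion 1000

    # Rule files whose regexes should be covered (assumed path). The flag is
    # set while these run, so the check below must come after them.
    Include /etc/modsecurity/rules/*.conf

    # An aborted match counts as "no match", so without this the request
    # would simply pass. Surface it and, here, block. Id and tag are assumed.
    SecRule TX:MSC_PCRE_LIMITS_EXCEEDED "@eq 1" \
        "id:9000001,\
        phase:2,\
        t:none,\
        deny,\
        status:403,\
        log,\
        msg:'PCRE limits exceeded, regex evaluation aborted (possible ReDoS input)',\
        tag:'local/redos'"
</IfModule>
```

The check runs in phase 2 because that is where request bodies and arguments are matched; if rule files also match in phase 1 or 4, a copy of the flag rule in those phases is needed. Lowering the limits too far turns long legitimate inputs into false hits, so the first sign of a limit being reached is worth treating as an alert to look at the rule rather than a reason to raise the limit blindly.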
Bug#928053: Adjusting severity
severity 928053 important
thanks

Hi,

Thanks, Christian and Ervin, for your help. I'm lowering the severity of this
bug since it does not really affect Debian (as explained in upstream link
regarding this issue). If anyone disagrees with this change, please get in
touch with me before raising it again.

Regards,

Alberto
Bug#923297: src:netkit-ntalk: Build system transition, amend
Hi, Christoph.

Thanks for checking this. I think your patch got lost on its way to the BTS.

Regards,

Alberto

On Tue, Feb 26, 2019 at 12:42:07AM +0100, Christoph Biedl wrote:
> Package: src:netkit-ntalk
> Version: 0.17-16
> Severity: important
>
> Dear Maintainer,
>
> amendment to #911154:
>
> While fixing the remaining netkit-derived packages I developed a few
> more tools to detect regressions introduced in the build system switch
> to cmake, especially with regard to constants defined during build.
>
> Upon re-checking my older submissions, I discovered some defects that
> should see a fix. Please consider applying the patch below.
>
> Regards,
>
> Christoph
>
> PS: There are three more packages with differences:
> netkit-rsh
> netkit-rwall
> netkit-rwho
> But at a first glance it seems no harm is done there.
>
> -- System Information:
> Debian Release: buster/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.19.21 (SMP w/4 CPU cores)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: unable to detect
Bug#920486: CVE-2018-20685 and CVE-2019-6111 for netkit-rsh
On Wed, Jan 30, 2019 at 11:17:51PM +0100, Salvatore Bonaccorso wrote:
> Hi,

Hi!

> > netkit-rsh (0.17-20) unstable; urgency=medium
> > .
> >   * Fix CVE-2018-20685 and CVE-2019-6111. (Closes: #920486)
> >     Thanks Hiroyuki YAMAMORI for the heads up.
>
> FTR, I have asked MITRE if those two CVEs should be used as well for
> netkit-rsh or if it would need two new CVEs.

Ooops! I should have asked before... Sorry.

Do you (sec team) think we should prepare an upload with this fix for stable
security?

Regards,

Alberto
Bug#920486: rsh-client: rcp has CVE-2018-20685 similar to scp
On Sat, Jan 26, 2019 at 02:20:06PM +0900, Hiroyuki YAMAMORI wrote: > Package: rsh-client > Version: 0.17-19 > Severity: important > Tags: security > > Refer Bug #919101 > > Dear Maintainer, > > netkit-rcp also has CVE-2018-20685 and CVE-2019-6111 similar to scp. Hi! Thanks for noticing. Attaching the patch so that others can check it. Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 Index: netkit-rsh/rcp/rcp.c === --- netkit-rsh.orig/rcp/rcp.c 2019-01-28 16:30:24.396240311 +0100 +++ netkit-rsh/rcp/rcp.c 2019-01-28 16:37:53.927805155 +0100 @@ -747,6 +747,11 @@ size = size * 10 + (*cp++ - '0'); if (*cp++ != ' ') SCREWUP("size not delimited"); + if (*cp == '\0' || strchr(cp, '/') != NULL || + strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) { + error("error: unexpected filename: %s", cp); + exit(1); + } if (targisdir) { char *newbuf; int need = strlen(targ) + strlen(cp) + 2;
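Review bot: the check inserted before `if (targisdir)` rejects an empty name, any name containing a `/`, and the literal names `.` and `..`, which stops the sink from writing outside the target directory; it does not compare `cp` against the file name or pattern the user asked rcp to copy, so a hostile remote side can still hand back a different slash-free name and have it written into the target directory, and if the second CVE in the Subject is meant to be covered by this change, a match of `cp` against the requested name belongs in this hunk as well. Two smaller points: `error("error: unexpected filename: %s", cp)` carries its own `error:` prefix, so check that `error()` does not add a second one, and `exit(1)` right after a single `error()` call ends the transfer without draining the remote's pending data, which is acceptable for a protocol violation but deserves a one-line comment saying so.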
Bug#877914: RFA: eurephia -- flexible OpenVPN authentication module
On Thu, Dec 27, 2018 at 07:51:45PM +0100, Manu Alén wrote:
> On Wed, Dec 26, 2018 at 12:15PM +0100, Alberto Gonzalez wrote:
>
>> Hi, Manu.
>>
>> There's not much info to share. Package is still up for adoption. Feel
>> free to adopt it if you want.
>>
>> Regards,
>>
>> Alberto
>
> Hi Alberto,
>
> Yes, I have a bit of free time to take care of the development of OpenVPN and
> some packages in which I’m working now. So I will adopt OpenVPN

Hi, Manu.

OpenVPN is NOT for adoption. This RFA is for *eurephia* only.

Regards,

Alberto
Bug#877914: RFA: eurephia -- flexible OpenVPN authentication module
On Mon, Dec 24, 2018 at 01:08:09PM +0100, Manu Alén wrote:
> On Sat, 7 Oct 2017 11:19:09 +0200 Alberto Gonzalez Iniesta wrote:
> > Package: wnpp
> > Severity: normal
> >
> > I request an adopter for the eurephia package.
> >
> > The package description is:
> >  This plug-in enhances OpenVPN by adding user name and password
> >  authentication.
> >  An eurephia user account is a combination of minimum one OpenVPN SSL
> >  certificate and a user name with a password assigned. It is also possible to
> >  setup several eurephia user names to use a shared OpenVPN certificate.
> >  .
> >  In addition, eurephia will blacklist IP addresses, certificates and user names
> >  on too many failed attempts and it supports dynamic update of iptables rules
> >  which restricts network access per connection.
> >  .
> >  All information is stored in a database and all changes to the accounts will
> >  be effective immediately. At the moment eurephia supports the SQLite database.
>
> Hi, I have a bit free time to do some tests if it is still available
>
> Please do not hesitate to share more info regarding this and I will help!
>
> You can contact with me in this email address or in manualen...@protonmail.com

Hi, Manu.

There's not much info to share. Package is still up for adoption. Feel free to
adopt it if you want.

Regards,

Alberto
Bug#911154: netkit-ntalk misses the generator for configure
On Thu, Dec 06, 2018 at 06:42:33AM +0100, Christoph Biedl wrote:
> tags -1 patch
> user debian-rele...@lists.debian.org
> usertags -1 + bsp-2018-12-ch-bern
> thanks
>
> So here we go ...
>
> The files resulting from the conversion to cmake are not as terse as I
> hoped they would be. Still, at least for me, this is an improvement
> over several handcrafted rules, especially for any future changes in
> the Debian build system.
>
> [snip]
>
> ### Packages maintained by Alberto Gonzalez Iniesta
>
> * netkit-bootparamd
> * netkit-ntalk
> * netkit-rsh
> * netkit-rusers
> * netkit-rwall
> * netkit-rwho
> * netkit-tftp
>
> Alberto, you'll do me a favour if you could refrain from uploading
> for a few days - I'll do some more checks and expect one or two more
> things will come up that require an adjustment.
>
> Also, some formatting was done in my personal style. Feel free to apply
> your $QUILT_REFRESH_ARGS on top of this.

Hello, Christoph.

Huge thanks for your massive work on this. I'll wait for any news from you for
a few days. No problem at all.

Cheers,

Alberto
Bug#914489: [Pkg-nagios-devel] Bug#914489: nagios-nrpe-plugin: SSL connections to "old" (as in Jessie) nagios-nrpe-server(s) broken
On Sat, Nov 24, 2018 at 08:45:21AM +0100, Sebastiaan Couwenberg wrote:
> tags 914489 wontfix
> thanks
>
> Hi Alberto,
>
> On 11/23/18 9:26 PM, Alberto Gonzalez Iniesta wrote:
> > After updating nagios-nrpe-plugin in my monitoring host to
> > 3.2.1-1~bpo9+1 most of my monitored instances fail to be checked.
>
> That is due to changes in openssl, we have no control over that.
>
> For machines with an old openssl you need to disable SSL with -n.
>
> Kind Regards,
>
> Bas

Hi Sebastiaan,

Please consider adding a warning regarding this (openssl) issue to the
nagios-nrpe-plugin package so that users don't have to struggle finding this
out when they upgrade.

Thanks for your work!

Regards,

Alberto
Bug#914489: nagios-nrpe-plugin: SSL connections to "old" (as in Jessie) nagios-nrpe-server(s) broken
Package: nagios-nrpe-plugin
Version: 3.2.1-1~bpo9+1
Severity: important

Hi,

After updating nagios-nrpe-plugin in my monitoring host to 3.2.1-1~bpo9+1 most
of my monitored instances fail to be checked. AFAICT only those running Stretch
continue to work.

The error from the new nagios-nrpe-plugin is as follows:

Nov 23 21:08:29 check_nrpe: Error: (!log_opts) Could not complete SSL handshake with A.B.C.D: dh key too small

I tried disabling Anonymous Diffie Hellman with '-d 0' but in that case it also
fails to contact remote hosts with:

Nov 23 21:08:34 check_nrpe: Error: (!log_opts) Could not complete SSL handshake with A.B.C.D: sslv3 alert handshake failure

I could not find a combination of -d/-S/-2 that made it possible to check
nagios-nrpe-server from Jessie or previous releases.

This is a major showstopper, since upgrading a monitoring host should not force
someone to update *all* their monitored hosts. And -2 is of no use if it cannot
check 2.x nagios-nrpe-servers.

Please fix this for Buster, or at least include a huge warning before this hits
those upgrading to Buster.

-- System Information:
Debian Release: 9.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nagios-nrpe-plugin depends on:
ii  libc6      2.24-11+deb9u3
ii  libssl1.1  1.1.0f-3+deb9u2

nagios-nrpe-plugin recommends no packages.

nagios-nrpe-plugin suggests no packages.

-- no debconf information
Bug#911154: netkit-ntalk misses the generator for configure
On Mon, Nov 05, 2018 at 08:01:21AM +0100, Christoph Biedl wrote:
> [
> Cc'ing *all* affected packages. Noisy, but all parties involved
> should be aware of the progress.
> ]
>
> Helmut Grohne wrote...
>
> > I'm not sure that adding our own confgen is maintainable in the long
> > run. We already have very many build systems in Debian. We've learned
> > the hard way that supporting many different build and packaging tools is
> > expensive. Nowadays, most packages use debhelper and that kind of
> > centralization bears benefits in modifiability. So I wonder whether
> > outright replacing confgen usage (effectively reimplementing the build
> > system for <= 15 packages) would be more maintainable in the long run.
> > Most likely, that would make cross building just work. On the other
> > hand, we'd have to extend the prospective confgen to support that use
> > case.
> >
> > I'm suggesting that rewriting all those build systems using one of the
> > standard tools (e.g. autotools, cmake, meson, maybe not qmake, ...)
> > could mean less work.
>
> Switching to e.g. cmake means a one-time more-or-less complex manual
> transition but afterwards the packaging should be in a sane state for
> quite some time.

Hi!

Thanks a lot for looking into this, Christoph.

> Still I assume this will be my job - however, the changes will go
> beyond a sound NMU size. So I'll send out patches, and eventually go
> the package salvaging way.

Please, let me know if I can be of any help. I don't know anything about cmake,
but I maintain (or upload) a bunch of affected netkit-* packages. I hope I can
save you some work with those.

> If someone more experienced in cmake wants to help, please get in
> touch. Otherwise, allow me until end of November to create the fixes -
> there is something called "real life" out there. Still my plan is to
> salvage *all* packages. The expensive part is the thing called "setup
> fee" somewhere else, and I'm mostly done with it.

I'll look into your changes on bsd-finger and see if I can reproduce those on
others.

Thanks again,

Alberto
Bug#911209: FTBFS (some tests fail)
Package: modsecurity
Version: 3.0.2-1
Severity: serious

Yep, some tests are failing on all buildd. Looking into it.

Thanks Santiago Vila for the heads up.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Bug#909025: ITP: libmodsecurity3 -- ModSecurity v3 library component
Package: wnpp
Severity: wishlist
Owner: Alberto Gonzalez Iniesta

* Package name    : libmodsecurity3
  Version         : 3.0.2
  Upstream Author : Trustwave Holdings, Inc.
* URL             : https://www.modsecurity.org/
* License         : Apache-2.0
  Programming Lang: C++
  Description     : ModSecurity v3 library component

Libmodsecurity is one component of the ModSecurity v3 project. The library
codebase serves as an interface to ModSecurity Connectors taking in web traffic
and applying traditional ModSecurity processing. In general, it provides the
capability to load/interpret rules written in the ModSecurity SecRules format
and apply them to HTTP content provided by your application via Connectors.
Bug#875885: netkit-tftp: does not trap ./configure errors
On Fri, Sep 15, 2017 at 05:17:44PM +0200, Helmut Grohne wrote:
> Source: netkit-tftp
> Version: 0.17-18.1
> Severity: serious
> Justification: policy 4.6
>
> netkit-tftp's debian/rules does not trap errors from ./configure. In
> case ./configure fails, the build continues. This can produce
> apparently successful misbuilds and is prohibited by the Debian policy
> in section 4.6.
>
> Helmut

Hello, Helmut.

Have you tested your assertion? Because if ./configure fails, MCONFIG is not
created and the build (make) fails:

make[1]: Entering directory '/home/agi/debian/netkit-tftp/netkit-tftp/tftp'
Makefile:3: ../MCONFIG: No such file or directory
make[1]: *** No rule to make target '../MCONFIG'.  Stop.
make[1]: Leaving directory '/home/agi/debian/netkit-tftp/netkit-tftp/tftp'
make: *** [Makefile:7: tftp.build] Error 2

Could you let me know how to reproduce a misbuild?

Regards,

Alberto
Bug#875885: netkit-tftp: does not trap ./configure errors
Hello, Raphael.

Dead upstream requires few updates to a package. Anyway, I was just looking
into that now.

Regards,

Alberto

On Tue, Jul 03, 2018 at 09:44:46AM +0200, Raphael Hertzog wrote:
> Hello Alberto,
>
> it's been 8 years that you haven't touched netkit-tftp and the package
> has been removed from Debian testing due to the bug I'm replying to.
>
> Can you take care of fixing the bug and/or properly orphaning the package
> if you are no longer interested in it?
>
> Regards,
>
> On Fri, 15 Sep 2017, Helmut Grohne wrote:
> > Source: netkit-tftp
> > Version: 0.17-18.1
> > Severity: serious
> > Justification: policy 4.6
> >
> > netkit-tftp's debian/rules does not trap errors from ./configure. In
> > case ./configure fails, the build continues. This can produce
> > apparently successful misbuilds and is prohibited by the Debian policy
> > in section 4.6.
> >
> > Helmut
Bug#863119: mboxgrep -P seems to match everything
On Mon, May 22, 2017 at 11:34:07AM +0200, Matus UHLAR - fantomas wrote:
> Package: mboxgrep
> Version: 0.7.9-1
>
> when using the -P option, mboxgrep tends to match everything.
> I have tried with simple string over a maildir, I got copy of the maildir...

Hi,

Sorry for the late reply. Could you provide an example? I'm not able to
reproduce it:

agi@var ~% wc -l Mail/INBOX
25526 Mail/INBOX
agi@var ~% mboxgrep -P foo Mail/INBOX | wc -l
3084

Thanks,

Alberto
Bug#877915: RFA: openvpn-auth-ldap -- OpenVPN LDAP authentication module
Package: wnpp Severity: normal I request an adopter for the openvpn-auth-ldap package. The package description is: A plugin that implements username/password authentication via LDAP for OpenVPN 2.x. It features: . * Simple Apache-style configuration file. * LDAP group-based access restrictions. * Will authenticate against any LDAP server that supports LDAP simple binds -- including Active Directory.
Bug#877914: RFA: eurephia -- flexible OpenVPN authentication module
Package: wnpp Severity: normal I request an adopter for the eurephia package. The package description is: This plug-in enhances OpenVPN by adding user name and password authentication. An eurephia user account is a combination of minimum one OpenVPN SSL certificate and a user name with a password assigned. It is also possible to setup several eurephia user names to use a shared OpenVPN certificate. . In addition, eurephia will blacklist IP addresses, certificates and user names on too many failed attempts and it supports dynamic update of iptables rules which restricts network access per connection. . All information is stored in a database and all changes to the accounts will be effective immediately. At the moment eurephia supports the SQLite database.
Bug#877913: RFA: easy-rsa -- Simple shell based CA utility
Package: wnpp Severity: normal I request an adopter for the easy-rsa package. The package description is: This package eases the creation of certificates, for example for openvpn clients. . This was formerly part of the openvpn package.
Bug#865589: Ships a tmpfile in /usr and /etc, one overriding the other
tags 865589 + pending
thanks

On Fri, Jun 23, 2017 at 02:49:32AM +0200, Michael Biebl wrote:
> Package: openvpn
> Version: 2.4.3-1
> Severity: serious
>
> Hi,
>
> I just noticed that the latest openvpn update now ships a tmpfile in /etc:
> /etc/tmpfiles.d/openvpn.conf
>
> This is odd, since the package also ships:
> /usr/lib/tmpfiles.d/openvpn.conf
>
> tmpfiles in /etc/tmpfiles.d are reserved to the local administrator and
> override a tmpfile with the same name from /usr/lib/tmpfiles.d
>
> Marking as RC, as something is clearly broken here, and
> /usr/lib/tmpfiles.d/openvpn.conf being overridden means that
> /run/openvpn is no longer created.

Ooops, fixing ASAP.
Bug#865555: RFA: openvpn -- virtual private network daemon
Package: wnpp
Severity: normal

Due to lack of time I request an adopter for the openvpn package.

The package description is:
 OpenVPN is an application to securely tunnel IP networks over a single UDP or
 TCP port. It can be used to access remote sites, make secure point-to-point
 connections, enhance wireless security, etc.
 .
 OpenVPN uses all of the encryption, authentication, and certification features
 provided by the OpenSSL library (any cipher, key size, or HMAC digest).
 .
 OpenVPN may use static, pre-shared keys or TLS-based dynamic key exchange. It
 also supports VPNs with dynamic endpoints (DHCP or dial-up clients), tunnels
 over NAT or connection-oriented stateful firewalls (such as Linux's iptables).
Bug#863351: unblock: openvpn/2.4.0-6
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package openvpn I've been contacted by a big Debian & OpenVPN user about a bug present in Stretch's OpenVPN version and fixed 2 minor reviews later. The bug was reported upstream [1] and results in clients not able to use the VPN after several reconnects. The patch seems nice and clear [2] (and applies cleanly). The bug impact could be substantial. The fixed package (2.4.0-6) has been tested by the forementioned user (that could reproduce the bug in previous versions). [1] https://community.openvpn.net/openvpn/ticket/879 [2] https://community.openvpn.net/openvpn/changeset/03d01f4f69cfc6768343b9f0f2dde2049e4882d2/ unblock openvpn/2.4.0-6 -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru openvpn-2.4.0/debian/changelog openvpn-2.4.0/debian/changelog --- openvpn-2.4.0/debian/changelog 2017-05-11 14:15:21.0 +0200 +++ openvpn-2.4.0/debian/changelog 2017-05-22 14:59:49.0 +0200 @@ -1,3 +1,10 @@ +openvpn (2.4.0-6) unstable; urgency=medium + + * Apply upstream patch to fix shrinking MTU sizes on reconnects causing not +usable VPN tunnels. + + -- Alberto Gonzalez Iniesta <a...@inittab.org> Mon, 22 May 2017 14:59:49 +0200 + openvpn (2.4.0-5) unstable; urgency=high * Change typo fix in command line help. diff -Nru openvpn-2.4.0/debian/patches/series openvpn-2.4.0/debian/patches/series --- openvpn-2.4.0/debian/patches/series 2017-05-11 14:15:21.0 +0200 +++ openvpn-2.4.0/debian/patches/series 2017-05-22 14:57:31.0 +0200 
@@ -7,3 +7,4 @@ CVE-2017-7479-prereq.patch CVE-2017-7479.patch wipe_tokens_on_de-auth.patch +upstream-issue-879.patch diff -Nru openvpn-2.4.0/debian/patches/upstream-issue-879.patch openvpn-2.4.0/debian/patches/upstream-issue-879.patch --- openvpn-2.4.0/debian/patches/upstream-issue-879.patch 1970-01-01 01:00:00.0 +0100 +++ openvpn-2.4.0/debian/patches/upstream-issue-879.patch 2017-05-22 14:59:14.0 +0200 
@@ -0,0 +1,87 @@ +Index: openvpn/src/openvpn/forward.c +=== +--- openvpn.orig/src/openvpn/forward.c 2017-05-22 14:59:09.634938195 +0200 openvpn/src/openvpn/forward.c 2017-05-22 14:59:09.630937170 +0200 +@@ -866,9 +866,16 @@ + * will load crypto_options with the correct encryption key + * and return false. + */ ++uint8_t opcode = *BPTR(>c2.buf) >> P_OPCODE_SHIFT; + if (tls_pre_decrypt(c->c2.tls_multi, >c2.from, >c2.buf, , + floated, _start)) + { ++/* Restore pre-NCP frame parameters */ ++if (is_hard_reset(opcode, c->options.key_method)) ++{ ++c->c2.frame = c->c2.frame_initial; ++} ++ + interval_action(>c2.tmp_int); + + /* reset packet received timer if TLS packet */ +Index: openvpn/src/openvpn/init.c +=== +--- openvpn.orig/src/openvpn/init.c2017-05-22 14:59:09.634938195 +0200 openvpn/src/openvpn/init.c 2017-05-22 14:59:09.634938195 +0200 +@@ -4055,6 +4055,8 @@ + c->c2.did_open_tun = do_open_tun(c); + } + ++c->c2.frame_initial = c->c2.frame; ++ + /* print MTU info */ + do_print_data_channel_mtu_parms(c); + +Index: openvpn/src/openvpn/openvpn.h +=== +--- openvpn.orig/src/openvpn/openvpn.h 2017-05-22 14:59:09.634938195 +0200 openvpn/src/openvpn/openvpn.h 2017-05-22 14:59:09.634938195 +0200 +@@ -263,7 +263,8 @@ + struct link_socket_actual from; /* address of incoming datagram */ + + /* MTU frame parameters */ +-struct frame frame; ++struct frame frame; /* Active frame parameters */ ++struct frame frame_initial; /* Restored on new session */ + + #ifdef ENABLE_FRAGMENT + /* Object to handle advanced MTU negotiation and datagram fragmentation */ +Index: openvpn/src/openvpn/ssl.c +=== +--- openvpn.orig/src/openvpn/ssl.c 2017-05-22 14:59:09.634938195 +0200 openvpn/src/openvpn/ssl.c 2017-05-22 14:59:09.634938195 +0200 +@@ -830,14 +830,7 @@ + return BSTR(); + } + +-/* +- * Given a key_method, return true if op +- * represents the required form of hard_reset. +- * +- * If key_method = 0, return true if any +- * form
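Review bot: in the forward.c hunk the added line reads `uint8_t opcode = *BPTR(>c2.buf) >> P_OPCODE_SHIFT;` and the call below it, `tls_pre_decrypt(c->c2.tls_multi, >c2.from, >c2.buf, , floated, _start)`, shows the same damage: `&c-` is missing ahead of each `>c2.`, the argument between `>c2.buf` and `floated` is gone entirely, and `_start` has lost its prefix, which is what an `&` and the name characters after it look like once a mail or web conversion has eaten them as an HTML entity. As shown on this page the hunk does not compile, so anyone applying it should take the file from the upstream changeset linked in the unblock request rather than copy it from here. On the logic: the opcode is captured before the call, and `c->c2.frame = c->c2.frame_initial;` runs only inside the branch taken when tls_pre_decrypt returns true and is_hard_reset() agrees the packet is a hard reset, so data packets and other control packets never touch the frame; the restore is a plain struct copy and nothing in this hunk recomputes values derived from the frame, so whatever consumes `c->c2.frame` later must read it afresh rather than rely on a cached copy.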
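Review bot: `frame_initial` is declared in openvpn.h as a by-value `struct frame`, not a pointer, and is filled in init.c with `c->c2.frame_initial = c->c2.frame;` right after `do_open_tun`, so the snapshot is taken once the tun device is up but before any negotiation alters `frame`; that is the right place for a value the forward.c hunk restores from, and copying by value avoids aliasing between the two. The comment `/* Restored on new session */` in openvpn.h is broader than the actual condition, which is a hard reset as tested in forward.c; saying so in the comment would save the next reader a trip to forward.c. The ssl.c hunk is cut off on this page in the middle of the is_hard_reset() comment, so the change to that function's contract cannot be reviewed from what is visible here.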
Bug#863110: openvpn: VPN remains connected, but network is unreachable after 30-45 min and requires reconnect
Hi, could you test this using a wired connection?

On Tue, May 23, 2017 at 10:25:16PM -0400, Prescott Hidalgo-Monroy wrote:
> Despite the update to 2.4.0-6, I'm still experiencing the same issue as
> before.
>
> The only information I could find are from these errors from the syslog. It
> took approximately 15-20 minutes for the display to shut off for power saving
> (19:57), based off of the first error message.
>
> May 23 20:15:35 $hostname kernel: [ 1399.479807] perf: interrupt took too long (2515 > 2500), lowering kernel.perf_event_max_sample_rate to 79500
> May 23 20:25:26 $hostname kernel: [ 1989.911138] perf: interrupt took too long (3145 > 3143), lowering kernel.perf_event_max_sample_rate to 63500
> May 23 20:34:46 $hostname wpa_supplicant[639]: wlan0: CTRL-EVENT-REGDOM-CHANGE init=BEACON_HINT type=UNKNOWN
> May 23 20:34:47 $hostname wpa_supplicant[639]: dbus: wpa_dbus_get_object_properties: failed to get object properties: (org.freedesktop.DBus.Error.Failed) failed to parse RSN IE
> May 23 20:34:47 $hostname wpa_supplicant[639]: dbus: Failed to construct signal
> May 23 20:38:03 $hostname kernel: [ 2747.578044] perf: interrupt took too long (3936 > 3931), lowering kernel.perf_event_max_sample_rate to 50750
> May 23 20:53:10 $hostname nm-openvpn[1242]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1634'
> May 23 20:53:10 $hostname nm-openvpn[1242]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
> May 23 20:56:46 $hostname wpa_supplicant[639]: nl80211: send_and_recv->nl_recvmsgs failed: -33
>
> The final message is due to the ping I used to test the connection.
>
> Regards,
>
> Prescott
>
> Original Message
> Subject: Re: Bug#863110: openvpn: VPN remains connected, but network is unreachable after 30-45 min and requires reconnect
> Local Time: May 22, 2017 8:58 AM
> UTC Time: May 22, 2017 1:58 PM
> From: a...@inittab.org
> To: Prescott <presc...@hidalgo-monroy.com>, 863...@bugs.debian.org Debian Bug Tracking System <sub...@bugs.debian.org>
>
> On Sun, May 21, 2017 at 06:40:31PM -0500, Prescott wrote:
> > Package: openvpn
> > Version: 2.4.0-5
> > Severity: important
> >
> > Dear Maintainer,
> >
> > After the upgrade to openvpn 2.4.0-5 (from *-4), an issue has been
> > occurring where after having been connected to the VPN for an
> > approximate amount of time of around 30-45 minutes, the network
> > connection will drop. NetworkManager continues to state that the VPN
> > is currently active, but no network is reachable. The only way to
> > restart the VPN network is to bring the connection up again.
> >
> > As stated before, I am using openvpn through NetworkManager, and use
> > nmcli with a configured VPN config file and a separate password file from a
> > paid service I subscribe to.
>
> Hi,
>
> Could you try 2.4.0-6 just uploaded to unstable? It fixes an issue that
> matches your symptoms.
>
> Regards,
>
> Alberto
Bug#862928:
On Sun, May 21, 2017 at 01:16:21PM +0100, Jacob Mansfield wrote:
> I'm having the same issue, systemd does not correctly start or stop the
> openvpn daemon, and does not correctly report the status of the daemon.

Hi Jacob, please provide some debugging information. A 'me too' on a bug
report marked as 'not a bug' by the reporter is not to stay open for long.

Regards,

Alberto
Bug#863110: openvpn: VPN remains connected, but network is unreachable after 30-45 min and requires reconnect
On Sun, May 21, 2017 at 06:40:31PM -0500, Prescott wrote:
> Package: openvpn
> Version: 2.4.0-5
> Severity: important
>
> Dear Maintainer,
>
>    After the upgrade to openvpn 2.4.0-5 (from *-4), an issue has been
>    occurring where after having been connected to the VPN for an
>    approximate amount of time of around 30-45 minutes, the network
>    connection will drop. NetworkManager continues to state that the VPN
>    is currently active, but no network is reachable. The only way to
>    restart the VPN network is to bring the connection up again.
>
>    As stated before, I am using openvpn through NetworkManager, and use
>    nmcli with a configured VPN config file and a separate password file from
>    a paid service I subscribe to.

Hi,

Could you try 2.4.0-6 just uploaded to unstable? It fixes an issue that
matches your symptoms.

Regards,

Alberto
Bug#859153: openvpn: DNS leaks: /etc/openvpn/update-resolv-conf fails without openresolv installed.
On Thu, Mar 30, 2017 at 09:11:59PM -0400, demure wrote:
> Package: openvpn
> Version: 2.4.0-4
> Severity: important
>
> Dear Maintainer,
>
> In my use of openvpn on debian sid I have found that the following
> settings only work after openresolv is installed, leading to DNS
> leaking:
>
> #/etc/openvpn/client/client.conf
> dhcp-option DNS 8.8.8.8
> script-security 2
> up /etc/openvpn/update-resolv-conf
> down /etc/openvpn/update-resolv-conf
>
> As such, I would suggest that openresolv should be either a dependency,
> or at least listed as a recommends.

Seems like it's already there.

$ apt-cache show openvpn | grep resolv
Suggests: openssl, resolvconf
Bug#858381: Openvpn inside systemd-nspawn stops shutdown of container
On Fri, Mar 24, 2017 at 08:41:00PM +0100, Daniel Schröter wrote:
> On 03/21/2017 10:16 PM, Alberto Gonzalez Iniesta wrote:
> > On Tue, Mar 21, 2017 at 09:27:28PM +0100, Daniel Schröter wrote:
> >> this one
> >> https://github.com/OpenVPN/openvpn/blob/master/distro/systemd/openvpn-server%40.service.in
> >> is included?
> >>
> >> For me it is different:
> >>
> >
> > $ dpkg -L openvpn | grep openvpn-server
>
> (Sorry for my long response time.)
> Yes I know this file.
>
> I enable openvpn via systemd template. My config is (and has not the
> best name) under:
> /etc/openvpn/server.conf
>
> So I enable it via:
> systemctl enable openvpn@server
>
> If I also enable the one from github via:
> systemctl enable my-openvpn@server
>
> And now diff those two files (see attachment because of the long lines)
> they are different.
>
> I'm not a systemd expert. Maybe I understand something wrong.

In order to use upstream's systemd unit files, you have to move your configuration to /etc/openvpn/server and enable it with:

systemctl enable openvpn-server@server

Regards,

Alberto
Bug#858460: unblock: openvpn/2.4.0-4
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package openvpn. The latest upload only contains documentation updates related to the upgrade from Jessie. It'll help people with the changes in OpenVPN 2.4. Changes that already bit some people in testing (#852381 and #849909). This is the debdiff for it: diff -Nru openvpn-2.4.0/debian/changelog openvpn-2.4.0/debian/changelog --- openvpn-2.4.0/debian/changelog 2016-12-29 09:41:17.0 +0100 +++ openvpn-2.4.0/debian/changelog 2017-02-02 14:15:42.0 +0100 @@ -1,3 +1,10 @@ +openvpn (2.4.0-4) unstable; urgency=medium + + * Add NEWS entries on possible 2.4 migration issues. +(Closes: #852381, #849909) + + -- Alberto Gonzalez Iniesta <a...@inittab.org> Thu, 02 Feb 2017 14:15:42 +0100 + openvpn (2.4.0-3) unstable; urgency=medium * You shall run debdiff even when the change is only a word, or you may find diff -Nru openvpn-2.4.0/debian/NEWS openvpn-2.4.0/debian/NEWS --- openvpn-2.4.0/debian/NEWS 2016-12-27 22:55:13.0 +0100 +++ openvpn-2.4.0/debian/NEWS 2017-02-02 14:15:42.0 +0100 
@@ -1,3 +1,17 @@ +openvpn (2.4.0-4) unstable; urgency=medium + +If you're upgrading a previous OpenVPN installation, you should check your +current CRL file expiraton date. "crl-verify" option now also checks that. +Regenerate your CRL file if the expiration date is in the past or your +clients won't be able to connect. + +OpenVPN 2.4 will try to connect using IPv6 first if you're using a hostname +with both A and entries, if your VPN server is still running a +previous (<2.4) version a long wait may occur until your 2.4 client tries +with the IPv4 address. + + -- Alberto Gonzalez Iniesta <a...@inittab.org> Thu, 02 Feb 2017 14:15:42 +0100 + openvpn (2.4.0-1) unstable; urgency=medium OpenVPN 2.4 removed tls-remote option. Current setups using that option Thanks, Alberto unblock openvpn/2.4.0-4 -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
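Review bot: the NEWS hunk (`@@ -1,3 +1,17 @@`) ships a typo and a dropped word to every upgrading user: `current CRL file expiraton date` should read `expiration`, and `with both A and entries` is missing the second record type after `A and`. The same paragraph also runs two sentences together (`... previous (<2.4) version a long wait may occur ...`); a full stop or semicolon after `version` would make it readable. The changelog hunk itself is fine and closes the two bugs named in the unblock request.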
Bug#858381: Openvpn inside systemd-nspawn stops shutdown of container
On Tue, Mar 21, 2017 at 09:27:28PM +0100, Daniel Schröter wrote:
> Hello
>
> On 03/21/2017 09:02 PM, Alberto Gonzalez Iniesta wrote:
> > upstream's openvpn-server@.service unit is in fact included in
> > Debian's package.
>
> this one
> https://github.com/OpenVPN/openvpn/blob/master/distro/systemd/openvpn-server%40.service.in
> is included?
>
> For me it is different:
>

$ dpkg -L openvpn | grep openvpn-server
Bug#858381: Openvpn inside systemd-nspawn stops shutdown of container
On Tue, Mar 21, 2017 at 08:09:52PM +0100, Daniel Schröter wrote:
> Package: openvpn
> Version: 2.4.0-3
>
> Hello,
>
> I'm using Debian stretch via systemd-nspawn inside a container:
> root@ivy:~# machinectl
> MACHINE CLASS SERVICE OS VERSION ADDRESSES
> stretch container systemd-nspawn debian 9 192.168.178.43...
>
> 1 machines listed.
>
>
> If I try to stop the container via
> machinectl poweroff stretch
> it hangs. If I stop (inside the container) openvpn before I poweroff the
> container it works fine.
>
> If I replace the systemd service file with this one:
> https://github.com/OpenVPN/openvpn/blob/master/distro/systemd/openvpn-server%40.service.in
> I can shutdown my container as expected.
>
> Can you update the service file?
>
> Thanks in advance!
>
> Bye

Hi,

upstream's openvpn-server@.service unit is in fact included in Debian's package.

Regards,

Alberto
Bug#851587: libapache2-modsecurity: prompting due to modified conffiles which were not modified by the user: /etc/apache2/mods-available/security2.conf
Control: severity -1 important
Control: found -1 2.6.6-7

Hi,

After some research, I traced the bug to a conffile rename that was done in May 2013 (2.6.6-7). That is, the bug is present on wheezy -> jessie transitions. There's nothing that can be done now to fix this prompt (those files are already "modified"). So getting modsecurity out of Stretch won't solve it (thus lowering the severity). I will remove the transitional package on my next upload, but that won't fix the issue for Stretch anyway.

Regards,

Alberto

On Mon, Jan 16, 2017 at 05:59:41PM +0100, Andreas Beckmann wrote:
> Package: libapache2-modsecurity
> Version: 2.9.1-2
> Severity: serious
> User: debian...@lists.debian.org
> Usertags: piuparts
>
> Hi,
>
> during a test with piuparts I noticed your package failed the piuparts
> upgrade test because dpkg detected a conffile as being modified and then
> prompted the user for an action. As there is no user input, this fails.
> But this is not the real problem, the real problem is that this prompt
> shows up in the first place, as there was nobody modifying this conffile
> at all, the package has just been installed and upgraded...
>
> This is a violation of policy 10.7.3, see
> https://www.debian.org/doc/debian-policy/ch-files.html#s10.7.3,
> which says "[These scripts handling conffiles] must not ask unnecessary
> questions (particularly during upgrades), and must otherwise be good
> citizens."
>
> https://wiki.debian.org/DpkgConffileHandling should help with figuring
> out how to do this properly.
>
> In https://lists.debian.org/debian-devel/2009/08/msg00675.html and
> followups it has been agreed that these bugs are to be filed with
> severity serious.
>
> From the attached log (scroll to the bottom...):
>
> Setting up libapache2-mod-security2 (2.9.1-2) ...
>
> Configuration file '/etc/apache2/mods-available/security2.conf'
>  ==> Modified (by you or by a script) since installation.
>  ==> Package distributor has shipped an updated version.
>  What would you like to do about it ? Your options are:
>   Y or I : install the package maintainer's version
>   N or O : keep your currently-installed version
>   D : show the differences between the versions
>   Z : start a shell to examine the situation
>  The default action is to keep your current version.
> *** security2.conf (Y/I/N/O/D/Z) [default=N] ? dpkg: error processing
> package libapache2-mod-security2 (--configure):
>  end of file on stdin at conffile prompt
> dpkg: dependency problems prevent configuration of libapache2-modsecurity:
>  libapache2-modsecurity depends on libapache2-mod-security2; however:
>  Package libapache2-mod-security2 is not configured yet.
>
> dpkg: error processing package libapache2-modsecurity (--configure):
>  dependency problems - leaving unconfigured
> Setting up libcap2-bin (1:2.25-1) ...
> Processing triggers for libc-bin (2.24-8) ...
> Processing triggers for systemd (232-8) ...
> Errors were encountered while processing:
>  libapache2-mod-security2
>  libapache2-modsecurity
>
>
> This was observed during a wheezy->jessie->stretch upgrade test.
>
>
> cheers,
>
> Andreas
Bug#849563: Please enable lz4 support
Hi!

Thanks for noticing (again). I installed the dependency on my build environment but forgot to add it to Build-Depends (duh!). Fixed now.

Cheers,

Alberto

On Wed, Dec 28, 2016 at 11:54:38PM +0100, Laurent Bigonville wrote:
> Package: src:openvpn
> Version: 2.4.0-2
> Followup-For: Bug #849563
>
> Hi,
>
> Are you sure you enabled it?
>
> I can only see the changelog entry as difference with the previous
> version.
>
> -- System Information:
> Debian Release: stretch/sid
>   APT prefers unstable-debug
>   APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.8.0-2-amd64 (SMP w/8 CPU cores)
> Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
Bug#848024: [Pkg-utopia-maintainers] Bug#848024: Bug#848024: Fails to connect after upgrade to openvpn 2.4
On Sat, Dec 17, 2016 at 10:46:46AM +0100, Julien Cristau wrote:
> On Tue, Dec 13, 2016 at 19:19:53 +0100, Michael Biebl wrote:
> >
> > On 13.12.2016 at 18:22, Michael Biebl wrote:
> > > Control: forwarded -1 https://bugzilla.gnome.org/show_bug.cgi?id=776045
> > >
> > > On 13.12.2016 at 18:02, Michael Biebl wrote:
> > >> On 13.12.2016 at 16:53, Alberto Gonzalez Iniesta wrote:
> > >>> Hi there,
> > >>>
> > >>> The --tls-remote was removed in OpenVPN 2.4, and was already marked as
> > >>> DEPRECATED in OpenVPN 2.3. From OpenVPN 2.3's manpage:
> > >>>
> > >>> Please also note: This option is now deprecated. It will be removed
> > >>> either in OpenVPN v2.4 or v2.5. So please make sure you support the new
> > >>> X.509 name formatting described with the --compat-names option as
> > >>> soon as possible by updating your configurations to use
> > >>> --verify-x509-name instead.
> > >>>
> > >>> IMHO this should have been fixed in network-manager-openvpn before 2.4
> > >>> arrived.
> > >>
> > >> Ok, thanks for the info.
> > >> I've cloned this bug report for openvpn. It needs a versioned Breaks
> > >> against network-manager-openvpn once a fixed version has been uploaded,
> > >> to avoid breakage on partial uploads.
> > >>
> > >> I'll ping you once such a version is available.
> > >
> > > I've blocked the two bugs accordingly and forwarded the issue to upstream.
> >
> > Looking at https://codesearch.debian.net/search?q=tls-remote
> > there are possibly more packages which are affected.
> > Have you notified them about this and/or checked that they are not affected?
> >
> > I'm not sure if it's a bit late at this point of the release cycle to
> > introduce such a change in openvpn. I've CCed the release-team on their
> > input on this, i.e. whether we want openvpn in stretch 2.4 and how the
> > removal of tls-remote should be handled.
> >
> Now is not the time to make incompatible changes affecting other
> packages? How hard would it be to provide backwards compatibility here?

Hi Julien,

the change does not affect other packages, but setups using a deprecated option. A note will be added to NEWS.Debian.

Regards,

Alberto
Bug#848062: No such bug
Control: retitle -1 Warn users of removed tls-remote option
Control: severity -1 normal
Control: tags -1 + pending

As Michael explains in #848024 this is not a bug and this does not break NetworkManager(-openvpn), but a deprecated (long time ago) option that is now gone. I'll add a NEWS.Debian entry to warn users.

Regards,

Alberto
Bug#848024: [Pkg-utopia-maintainers] Bug#848024: Fails to connect after upgrade to openvpn 2.4
Control: reassign -1 network-manager-openvpn

On Tue, Dec 13, 2016 at 04:31:35PM +0100, Michael Biebl wrote:
> Control: reassign -1 openvpn
> Control: severity -1 serious
> Control: affects -1 network-manager-openvpn
>
> On 13.12.2016 at 11:33, dann frazier wrote:
> > Package: network-manager-openvpn
> > Version: 1.2.6-2
> > Severity: normal
> >
> > After upgrading to openvpn 2.4~rc1-2, my VPN connection began to fail:
> >
> > Dec 13 09:49:37 xps13 NetworkManager[738]: Options error: Unrecognized
> > option or missing or extra parameter(s) in [CMD-LINE]:1: tls-remote
> > (2.4_rc1)
> > (Options error: Unrecognized option or missing or extra parameter(s) in
> > [CMD-LINE]:1: tls-remote (2.4_rc1)
> >
> > I'm working around this by reverting to openvpn 2.3.11-2.
>
> Dear openvpn maintainers,
>
> could you have a look at this bug report please.
> It seems the new openvpn rc release breaks the NetworkManager openvpn
> plugin.
> I've bumped it to RC, so the package doesn't migrate to testing for now.
>
> If there is something which needs to be fixed on the
> network-manager-openvpn, please clone this bug report or reassign back.
>

Hi there,

The --tls-remote was removed in OpenVPN 2.4, and was already marked as DEPRECATED in OpenVPN 2.3. From OpenVPN 2.3's manpage:

  Please also note: This option is now deprecated. It will be removed
  either in OpenVPN v2.4 or v2.5. So please make sure you support the new
  X.509 name formatting described with the --compat-names option as
  soon as possible by updating your configurations to use
  --verify-x509-name instead.

IMHO this should have been fixed in network-manager-openvpn before 2.4 arrived.

Regards,

Alberto
Bug#828477: Building against openssl1.0 for the time being
Control: unblock 827061 by -1

Uploaded 2.4~rc1-1 built against openssl1.0 until upstream moves to 1.1
Bug#842929: jessie-pu: package modsecurity-crs/2.2.9-1
On Thu, Nov 24, 2016 at 07:39:01PM +0100, Julien Cristau wrote: > On Thu, Nov 10, 2016 at 16:54:41 +0100, Alberto Gonzalez Iniesta wrote: > > > On Thu, Nov 10, 2016 at 03:38:12PM +, Adam D. Barratt wrote: > > > > > > On Wed, 2016-11-02 at 12:51 +0100, Alberto Gonzalez Iniesta wrote: > > > > I was asked to update modsecurity-crs in Jessie in order to fix #838009. > > > > The fix is trivial [1] and was uploaded to unstable a while ago [2], > > > > > > The BTS's metadata disagrees on that. > > > > Sorry, the fix was for another bug number (same bug): > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826710 > > > The metadata on #838009 still needs fixing, either by merging it with > #826710 or by separately marking it as fixed in some version in > unstable/testing. Hi, Thanks for the corrections. Please find attached the debdiff file in the right direction. #838009 as marked as fixed in unstable/testing and #826710 will be marked accordingly if this upload happens. Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 diff -Nru modsecurity-crs-2.2.9/debian/changelog modsecurity-crs-2.2.9/debian/changelog --- modsecurity-crs-2.2.9/debian/changelog 2014-09-23 13:22:21.0 +0200 +++ modsecurity-crs-2.2.9/debian/changelog 2016-11-17 11:19:17.0 +0100 
@@ -1,3 +1,10 @@ +modsecurity-crs (2.2.9-1+deb8u1) stable; urgency=medium + + * Fix typo in modsecurity_crs_16_session_hijacking.conf. +(Closes: #838009) + + -- Alberto Gonzalez Iniesta <a...@inittab.org> Thu, 17 Nov 2016 11:18:03 +0100 + modsecurity-crs (2.2.9-1) unstable; urgency=medium * New upstream version diff -Nru modsecurity-crs-2.2.9/debian/patches/fix_838009.patch modsecurity-crs-2.2.9/debian/patches/fix_838009.patch --- modsecurity-crs-2.2.9/debian/patches/fix_838009.patch 1970-01-01 01:00:00.0 +0100 +++ modsecurity-crs-2.2.9/debian/patches/fix_838009.patch 2016-11-17 11:13:04.0 +0100 @@ -0,0 +1,13 @@ +Index: modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf +=== +--- modsecurity-crs.orig/optional_rules/modsecurity_crs_16_session_hijacking.conf modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf +@@ -46,7 +46,7 @@ SecRule RESPONSE_HEADERS:/Set-Cookie2?/ + + SecRule :SESSIONID "@eq 1" "chain,phase:5,id:'981063',nolog,pass,t:none" + SecRule REMOTE_ADDR "^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)" "chain,nolog,capture,t:none" +-SecRule TX:1 ".*" "chain,t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}" ++SecRule TX:1 ".*" "t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}" + + SecRule :SESSIONID "@eq 1" "chain,phase:5,id:'981064',nolog,pass,t:none" + SecRule REQUEST_HEADERS:User-Agent ".*" "t:none,t:sha1,t:hexEncode,nolog,setvar:session.ua_hash=%{matched_var}" diff -Nru modsecurity-crs-2.2.9/debian/patches/series modsecurity-crs-2.2.9/debian/patches/series --- modsecurity-crs-2.2.9/debian/patches/series 2013-07-12 11:24:40.0 +0200 +++ modsecurity-crs-2.2.9/debian/patches/series 2016-11-17 11:14:55.0 +0100 @@ -3,3 +3,4 @@ GeoLiteCity_path.patch lua_path.patch perl_path.patch +fix_838009.patch
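Review bot: `debian/patches/fix_838009.patch` starts straight at `Index:` with no DEP-3 header (Description, Origin, Bug-Debian pointing at #838009), which Debian patches are expected to carry and which would make the stable-update review easier. The changelog entry `Fix typo in modsecurity_crs_16_session_hijacking.conf.` also undersells the change: the hunk drops a trailing `chain` from the last rule of the 981063 chain, so the following rule 981064, which carries its own id and phase, is no longer parsed as a continuation of that chain; a changelog line that says so documents why enabling the shipped configuration broke Apache.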
Bug#842929: jessie-pu: package modsecurity-crs/2.2.9-1
On Thu, Nov 10, 2016 at 03:38:12PM +, Adam D. Barratt wrote: > Control: tags -1 + moreinfo > > On Wed, 2016-11-02 at 12:51 +0100, Alberto Gonzalez Iniesta wrote: > > I was asked to update modsecurity-crs in Jessie in order to fix #838009. > > The fix is trivial [1] and was uploaded to unstable a while ago [2], > > The BTS's metadata disagrees on that. > > > but > > I'm not sure if it deserves an upload to stable. What's your opinion on > > it? > > If the description in the bug log is accurate, and enabling the > configuration as shipped breaks Apache, then I think it's worth fixing. > We'd need to see a debdiff of a proposed package built and tested on > jessie before confirming however. > Please find attached the debdiff for the fixed package. Thanks, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 diff -Nru modsecurity-crs-2.2.9/debian/changelog modsecurity-crs-2.2.9/debian/changelog --- modsecurity-crs-2.2.9/debian/changelog 2016-11-17 11:19:17.0 +0100 +++ modsecurity-crs-2.2.9/debian/changelog 2014-09-23 13:22:21.0 +0200 @@ -1,10 +1,3 @@ -modsecurity-crs (2.2.9-1+deb8u1) stable; urgency=medium - - * Fix typo in modsecurity_crs_16_session_hijacking.conf. -(Closes: #838009) - - -- Alberto Gonzalez Iniesta <a...@inittab.org> Thu, 17 Nov 2016 11:18:03 +0100 - modsecurity-crs (2.2.9-1) unstable; urgency=medium * New upstream version diff -Nru modsecurity-crs-2.2.9/debian/patches/fix_838009.patch modsecurity-crs-2.2.9/debian/patches/fix_838009.patch --- modsecurity-crs-2.2.9/debian/patches/fix_838009.patch 2016-11-17 11:13:04.0 +0100 +++ modsecurity-crs-2.2.9/debian/patches/fix_838009.patch 1970-01-01 01:00:00.0 +0100 
@@ -1,13 +0,0 @@ -Index: modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf -=== modsecurity-crs.orig/optional_rules/modsecurity_crs_16_session_hijacking.conf -+++ modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf -@@ -46,7 +46,7 @@ SecRule RESPONSE_HEADERS:/Set-Cookie2?/ - - SecRule :SESSIONID "@eq 1" "chain,phase:5,id:'981063',nolog,pass,t:none" - SecRule REMOTE_ADDR "^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)" "chain,nolog,capture,t:none" --SecRule TX:1 ".*" "chain,t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}" -+SecRule TX:1 ".*" "t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}" - - SecRule :SESSIONID "@eq 1" "chain,phase:5,id:'981064',nolog,pass,t:none" - SecRule REQUEST_HEADERS:User-Agent ".*" "t:none,t:sha1,t:hexEncode,nolog,setvar:session.ua_hash=%{matched_var}" diff -Nru modsecurity-crs-2.2.9/debian/patches/series modsecurity-crs-2.2.9/debian/patches/series --- modsecurity-crs-2.2.9/debian/patches/series 2016-11-17 11:14:55.0 +0100 +++ modsecurity-crs-2.2.9/debian/patches/series 2013-07-12 11:24:40.0 +0200 @@ -3,4 +3,3 @@ GeoLiteCity_path.patch lua_path.patch perl_path.patch -fix_838009.patch
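Review bot: this debdiff is reversed. In every file header the `---` side carries the 2016-11-17 timestamps and the `+++` side the 2014/2013 ones, so the hunks show the `2.2.9-1+deb8u1` changelog entry, `fix_838009.patch` and its `series` line being removed rather than added. It needs regenerating with the old .dsc as the first argument and the new one as the second before the release team can apply it.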
Bug#843906: Please remove tftpd in favour of tftpd-hpa
On Thu, Nov 10, 2016 at 03:38:37PM +, Ian Jackson wrote:
> Package: tftpd
> Version: 0.17-18
>
> AFAICT netkit's tftpd is inferior to tftpd-hpa in every respect:
> https://wiki.debian.org/Tftp
>
> netkit-tftpd is not capable of booting some modern computers. For
> example, I have a Softiron ARM64 server with UEFI firmware which
> requires support for the file size option.
>
> aftpd and dnsmasq seem like they still have good reasons to exist.
> Unlike netkit-tftp they are at least not a problem if people happen to
> get them through not knowing better.
>
> I suggest that we should:
>
> * Remove the netkit-tftp package.
> * Have tftpd-hpa Provide tftpd.
>
> If this is not a good idea then we should probably rename the
> netkit-tftp binary package `tftpd' and replace it with a suitable
> transitional package.
>
> What do you think ?

Hi Ian,

I'm quite busy right now for this. If you want to see the change for Stretch feel free to do the appropriate changes.

Regards,

Alberto
Bug#842929: jessie-pu: package modsecurity-crs/2.2.9-1
On Thu, Nov 10, 2016 at 03:38:12PM +, Adam D. Barratt wrote:
>
> On Wed, 2016-11-02 at 12:51 +0100, Alberto Gonzalez Iniesta wrote:
> > I was asked to update modsecurity-crs in Jessie in order to fix #838009.
> > The fix is trivial [1] and was uploaded to unstable a while ago [2],
>
> The BTS's metadata disagrees on that.

Sorry, the fix was for another bug number (same bug):
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826710

I'll prepare a debdiff.

Thanks,

Alberto
Bug#842929: jessie-pu: package modsecurity-crs/2.2.9-1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi there,

I was asked to update modsecurity-crs in Jessie in order to fix #838009. The fix is trivial [1] and was uploaded to unstable a while ago [2], but I'm not sure if it deserves an upload to stable. What's your opinion on it?

Thanks,

Alberto

[1]
-SecRule TX:1 ".*" "chain,t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
+SecRule TX:1 ".*" "t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}

[2] Uploaded modsecurity-crs_2.2.9-2 on September 19

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
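The fix quoted in [1] removes a trailing `chain` action from the last rule of a ModSecurity rule chain, which otherwise swallows the next rule (one that carries its own id and phase). The linter below is an added example, not code from this bug report or from modsecurity-crs: it parses SecRule directives and reports a chain that is still open when a rule with its own id/phase follows, or when the file ends; the rule text it runs on is constructed after the 981063/981064 rules shown in the debdiff, not copied from the project.

```python
"""Lint ModSecurity 2.x rule files for a dangling trailing 'chain' action."""
import shlex
from dataclasses import dataclass, field


@dataclass
class SecRule:
    lineno: int
    variables: str
    operator: str
    actions: list = field(default_factory=list)


def _split_actions(actions):
    """Split an action string on commas, leaving 'single-quoted' values intact."""
    out, cur, quoted = [], [], False
    for ch in actions:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur).strip())
    return [a for a in out if a]


def parse_rules(text):
    """Return the SecRule directives of a rules file, joining backslash continuations.

    Blank and comment lines are skipped; other directives are ignored because
    only SecRule takes part in a chain."""
    rules, buf, start = [], [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        tokens = shlex.split(" ".join(buf))
        buf = []
        if len(tokens) >= 3 and tokens[0] == "SecRule":
            actions = _split_actions(tokens[3]) if len(tokens) > 3 else []
            rules.append(SecRule(start, tokens[1], tokens[2], actions))
    return rules


def _rule_id(rule):
    for act in rule.actions:
        name, _, value = act.partition(":")
        if name.strip().lower() == "id":
            return value.strip().strip("'\"")
    return None


def lint_chains(text):
    """Return human-readable findings; an empty list means every chain terminates.

    A chain is opened by a rule carrying 'chain' and closed by the first later
    rule without it. Only the opening rule may carry id/phase, so a rule with
    its own id or phase while a chain is still open means the rule before it
    kept a 'chain' it should not have."""
    findings, open_chain = [], None  # open_chain = (lineno, id) of the opener
    for rule in parse_rules(text):
        names = {a.partition(":")[0].strip().lower() for a in rule.actions}
        rid = _rule_id(rule)
        if open_chain and (rid is not None or "phase" in names):
            findings.append(
                f"line {rule.lineno}: rule id {rid} starts a new rule while the chain "
                f"opened at line {open_chain[0]} (id {open_chain[1]}) is still open; "
                f"remove the trailing 'chain' from the rule before it")
            open_chain = None
        if "chain" in names:
            open_chain = open_chain or (rule.lineno, rid)
        else:
            open_chain = None
    if open_chain:
        findings.append(f"chain opened at line {open_chain[0]} (id {open_chain[1]}) "
                        f"is still open at end of file")
    return findings


# Constructed after the 981063/981064 rules in the debdiff (not the CRS file itself):
# the third rule still carries 'chain', so 981064 is pulled into the first chain.
BUGGY_RULES = r'''
SecRule &TX:SESSIONID "@eq 1" "chain,phase:5,id:'981063',nolog,pass,t:none"
SecRule REMOTE_ADDR "^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)" "chain,nolog,capture,t:none"
SecRule TX:1 ".*" "chain,t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"

SecRule &TX:SESSIONID "@eq 1" "chain,phase:5,id:'981064',nolog,pass,t:none"
SecRule REQUEST_HEADERS:User-Agent ".*" "t:none,t:sha1,t:hexEncode,nolog,setvar:session.ua_hash=%{matched_var}"
'''

# The same rules with the change from fix_838009.patch applied.
FIXED_RULES = BUGGY_RULES.replace('"chain,t:sha1', '"t:sha1')

if __name__ == "__main__":
    for label, rules in (("as shipped", BUGGY_RULES), ("with fix", FIXED_RULES)):
        print(f"{label}: {lint_chains(rules) or ['no open chains']}")
```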
Bug#813920: Second (additional) patch
Hullo, Please find attached a patch to fix the following error on gnupod_addsong: $ gnupod_addsong Can't use a hash as a reference at /usr/share/perl5/GNUpod/FileMagic.pm line 365 Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 --- FileMagic.pm.orig 2016-07-22 18:26:01.287639095 +0200 +++ FileMagic.pm 2016-07-22 18:18:42.091089864 +0200 @@ -362,7 +362,7 @@ foreach (keys(%{$in})) { my $kvp = __flatten($_, $exclude); # key next if !defined($kvp); - my $v = __flatten(%{$in}->{$_}, $exclude); # value + my $v = __flatten($in->{$_}, $exclude); # value $kvp .= " : ".$v if (defined($v) && ("$v" ne "")); push @out, $kvp; } @@ -418,9 +418,9 @@ my $case = "check"; if (ref($options) eq "HASH") { - $joinby = %{$options}->{joinby}if defined(%{$options}->{joinby}); - $wspace = lc(%{$options}->{wspace})if defined(%{$options}->{wspace}); - $case = lc(%{$options}->{case}) if defined(%{$options}->{case}); + $joinby = $options->{joinby}if defined($options->{joinby}); + $wspace = lc($options->{wspace})if defined($options->{wspace}); + $case = lc($options->{case}) if defined($options->{case}); } my $merged = "";
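Review bot: both hunks replace the `%{$in}->{$_}` and `%{$options}->{joinby}` forms with plain hash-reference dereferences (`$in->{$_}`, `$options->{joinby}`), which is the right fix: using a hash as a reference was deprecated for years and became a fatal error in Perl 5.22, matching the `Can't use a hash as a reference at ... FileMagic.pm line 365` message quoted above. Before upload, grep the rest of GNUpod for the same `%{...}->` idiom; any remaining occurrence will die the same way at its first call site.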
Bug#813920: Patch removing "defined(....)"
tags + patch thanks Hiya, As suggested in the error message (Maybe you should just omit the defined()?), removing it seems to fix this. Removing brackets would end in a different error. Please find patch attached. Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 --- XMLhelper.pm.orig 2016-07-22 17:38:11.631804901 +0200 +++ XMLhelper.pm 2016-07-22 17:37:12.131626030 +0200 @@ -359,7 +359,7 @@ print OUT " \n"; } elsif(my $phr = get_plpref($current_plname)) { #plprefs found.. - if (defined(@{$XDAT->{playlists}->{data}->{$current_plname}})) { #the playlist is not empty + if (@{$XDAT->{playlists}->{data}->{$current_plname}}) { #the playlist is not empty print OUT "\n ".mkfile({playlist=>$phr}, {return=>1,noend=>1})."\n"; foreach(@{$XDAT->{playlists}->{data}->{$current_plname}}) { print OUT " $_\n";
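Review bot: `defined(@array)` is a fatal error since Perl 5.22, so dropping `defined()` and testing `@{$XDAT->{playlists}->{data}->{$current_plname}}` directly is the correct replacement: in boolean context the array yields its element count, which is exactly the "the playlist is not empty" test the trailing comment describes. Worth checking XMLhelper.pm and the other modules for further `defined(@` or `defined(%` uses so the package does not fail at the next such line.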
Bug#804968: Ready for next upload
On Mon, Jul 04, 2016 at 07:38:29PM +0200, Michael Biebl wrote:
> Hi Alberto
>
> On Mon, 23 May 2016 09:59:34 +0200 Alberto Gonzalez Iniesta
> <a...@inittab.org> wrote:
> > tags 804968 + pending
> > thanks
>
> You marked this bug as pending a while ago but since then no upload has
> happened, nor do I find a corresponding commit in the git repository
> of the package.
> Could you give us an update on the issue and maybe prepare an upload
> with the initscripts dependency dropped completely?

Hi Michael,

I was waiting to do some more changes to the source package. Since that hasn't happened yet, I'll upload the package now.

Thanks,

Alberto
Bug#825997: openvpn 2.3.11 breaks connections to Mikrotik routers, 2.3.10 works fine
On Mon, Jun 13, 2016 at 10:09:56AM +0200, Kamil Kachyňa wrote:
> It is fixed in RouterOS version 6.36rc28 (Release candidate)
>
> *) ovpn - fixed compatibility with OpenVPN 2.3.11;
>

Hi Kamil,

Thanks for the info! Closing now.

Regards,

Alberto
Bug#797877: openvpn: '/bin/systemctl stop openvpn.service' causes openvpn to ask the VPN passwords!
On Thu, Sep 03, 2015 at 11:14:44AM +0200, Francois Gouget wrote:
> Dear Maintainer,
>
> Tearing down the VPNs should not require asking the passwords needed to
> connect to the VPN server! Yet in my case running either '/etc/init.d/openvpn stop' or simply
> '/bin/systemctl stop openvpn.service' brings up the KWallet dialog.

Are you running that command as your (unprivileged, but logged in locally) user? Or as root? If the right answer is the former, the one asking for your password is systemd. With something like this:

$ systemctl restart openvpn
AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to restart 'openvpn.service'.

If that's the case, OpenVPN has nothing to do with it. You may want to run that with sudo (in order to avoid password prompts).

Regards,

Alberto
Bug#792653: Probably related to CapabilityBoundingSet
On Tue, May 10, 2016 at 12:53:17PM -0400, Simon Deziel wrote:
> Hi Alberto and Jim,
>
> On 2016-05-10 12:45 PM, Alberto Gonzalez Iniesta wrote:
> > So sorry it took me this long to answer. I'm pretty sure this is related to
> > capabilities. Could you try copying /lib/systemd/system/openvpn@.service to
> > /etc/systemd/system/openvpn@.service and removing the
> > CapabilityBoundingSet line from it?
>
> Systemd provides a nice command for just this:
>
> systemctl edit openvpn@.service
>
> This will run $EDITOR and you'll be able to override just the part that
> you need. In Jim's case, setting CapabilityBoundingSet to be empty
> should do it:
>
> [Service]
> CapabilityBoundingSet=
>

Nice! Thanks Simon!
Bug#792653: Probably related to CapabilityBoundingSet
On Fri, Feb 19, 2016 at 11:56:10PM +, Jim Barber wrote:
> > So perhaps another capability is stopping this file from being run?
>
> I saw no other log messages relating to failure to access or run the
> /usr/local/sbin/openvpn-ip script anywhere.

Hi Jim,

So sorry it took me this long to answer. I'm pretty sure this is related to
capabilities. Could you try copying /lib/systemd/system/openvpn@.service to
/etc/systemd/system/openvpn@.service and removing the CapabilityBoundingSet
line from it?

Thanks,

Alberto
Bug#819919: openvpn: fails to start
On Sun, Apr 03, 2016 at 09:55:43PM +, Tomas Volf wrote:
> Package: openvpn
> Version: 2.3.10-1
> Severity: important
> Tags: patch
>
> Dear Maintainer,
>
> when I tried to start openvpn after updating to testing I got the following
> error lines in the log:
>
> Apr 03 21:46:06 wolfsden ovpn-server[6837]: OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 21 2016
> Apr 03 21:46:06 wolfsden ovpn-server[6837]: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
> Apr 03 21:46:06 wolfsden ovpn-server[6837]: daemon() failed or unsupported: Resource temporarily unavailable (errno=11)
> Apr 03 21:46:06 wolfsden ovpn-server[6837]: Exiting due to fatal error
>
> It's caused by this line in /lib/systemd/system/openvpn@.service:
>
> LimitNPROC=10
>
> when the line is commented out, it starts fine.
>
> (Possibly) relevant info: This is a Debian system running under OpenVZ.

Hello Tomas,

No one else complained about this option (and it's been there for a while). As you point out, the issue may occur due to your "special" environment. Since the value is recommended upstream I'd rather not change it. I'll add a note in README.Debian, closing this bug report.

Regards,

Alberto
Bug#792653: Probably related to CapabilityBoundingSet
Hi,

Did you run "systemctl daemon-reload" after changing the .service file?

I'll upload 2.3.10 soon, can you check if it works with it?

Thanks,

Alberto
Bug#792880: openvpn does not start
Hi,

In both cases, did you run "systemctl daemon-reload" after adding the configuration files? The systemd unit files for each configuration are generated only after a daemon-reload or on system boot.

Regards,

Alberto

On Mon, Dec 14, 2015 at 08:58:03PM +0100, Diego Fernández Durán wrote:
> Hi,
>
> I'm having this same problem in Debian 8.2 with openvpn 2.3.4-5.
>
> As the original reporter, starting openvpn with
> # _SYSTEMCTL_SKIP_REDIRECT=1 /etc/init.d/openvpn start
> works.
Bug#772812: Still reproducible?
Hi all,

Is this still an issue with newer versions of OpenVPN?

Thanks,

Alberto
Bug#808117: openvpn: post-install error: grep: /etc/openvpn/…: No such file or directory
On Wed, Dec 16, 2015 at 09:31:06AM +0100, Thorsten Glaser wrote:
> Package: openvpn
> Version: 2.3.8-1
> Severity: normal
>
> […]
> Preparing to unpack .../openvpn_2.3.8-1_x32.deb ...
> Unpacking openvpn (2.3.8-1) over (2.3.7-2+b1) ...
> […]
> Setting up openvpn (2.3.8-1) ...
> Restarting virtual private network daemon.:grep: /etc/openvpn/vpnig42org.conf: No such file or directory
> grep: /etc/openvpn/vpnig42org.conf: No such file or directory
> grep: /etc/openvpn/vpnig42org.conf: No such file or directory
> vpnig42org.
> […]
>
> I don’t know how it would come to that name in the first place:
>
> tglase@tglase:~ $ ll /etc/openvpn/
>
> total 16
> -rw-r--r-- 1 root root 9397 Okt 19 09:25 tgwrk.conf
> -rwxr-xr-x 1 root root 1301 Sep  9  2013 update-resolv-conf*
> tglase@tglase:~ $ fgrep -c ig42 /etc/default/openvpn
>

Running systemd? Maybe you deleted that file without running "systemctl daemon-reload"?
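The replies in Bug#792880 and Bug#808117 point at the same mechanism: the per-configuration openvpn@NAME.service units are generated at daemon-reload or boot, so a config added or deleted afterwards is out of step with the units systemd still knows about. As an added example (not code from the thread or from the Debian package), this POSIX sh check lists that drift; the /etc/openvpn and /run/systemd/generator/openvpn.service.wants defaults are assumptions, and both paths can be passed explicitly.

```shell
#!/bin/sh
# Added example, not code from the bug thread or the Debian openvpn package:
# report drift between OpenVPN configs and the per-instance units that were
# generated at the last daemon-reload (or boot).  Default paths are assumptions.
CONF_DIR_DEFAULT=/etc/openvpn
WANTS_DIR_DEFAULT=/run/systemd/generator/openvpn.service.wants

# openvpn_instance_drift CONF_DIR WANTS_DIR
# Prints "stale NAME" for an openvpn@NAME.service link whose NAME.conf is gone
# (the grep errors in Bug#808117) and "missing NAME" for a NAME.conf with no
# unit yet (the "does not start" symptom in Bug#792880). Returns 1 on drift.
openvpn_instance_drift() {
    conf_dir=$1 wants_dir=$2 rc=0
    for link in "$wants_dir"/openvpn@*.service; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # unmatched glob / dangling link
        name=${link##*/openvpn@}; name=${name%.service}
        [ -f "$conf_dir/$name.conf" ] || { echo "stale $name"; rc=1; }
    done
    for conf in "$conf_dir"/*.conf; do
        [ -f "$conf" ] || continue
        name=${conf##*/}; name=${name%.conf}
        unit=$wants_dir/openvpn@$name.service
        [ -e "$unit" ] || [ -L "$unit" ] || { echo "missing $name"; rc=1; }
    done
    return $rc
}

# Constructed demo tree: tgwrk.conf has its unit, the vpnig42org unit is left
# over from a deleted config, office.conf was added after the last
# daemon-reload and has no unit yet. Output is sorted for a stable comparison.
demo_drift() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/wants"
    : > "$tmp/etc/tgwrk.conf"
    : > "$tmp/etc/office.conf"
    ln -s /dev/null "$tmp/wants/openvpn@tgwrk.service"
    ln -s /dev/null "$tmp/wants/openvpn@vpnig42org.service"
    openvpn_instance_drift "$tmp/etc" "$tmp/wants" | sort
    rm -rf "$tmp"
}

if [ -d "$WANTS_DIR_DEFAULT" ]; then
    openvpn_instance_drift "$CONF_DIR_DEFAULT" "$WANTS_DIR_DEFAULT" \
        || echo "units and configs differ: run 'systemctl daemon-reload'"
else
    demo_drift   # prints: missing office / stale vpnig42org
fi
```

A "stale" entry is exactly the state behind the grep errors above: the unit still exists, its config does not, and only a daemon-reload regenerates the unit list.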
Bug#792309: closed by Alberto Gonzalez Iniesta <a...@inittab.org> (Bug#791829: fixed in openvpn 2.3.7-2)
On Mon, Dec 14, 2015 at 07:56:45PM +0100, Michal Hocko wrote:
> On Mon, Dec 14, 2015 at 07:52:16PM +0100, Alberto Gonzalez Iniesta wrote:
> > On Mon, Dec 14, 2015 at 07:43:28PM +0100, Michal Hocko wrote:
> > > On Sat, Sep 19, 2015 at 10:25:15PM +0200, Michal Hocko wrote:
> > > > On Tue, Sep 08, 2015 at 09:39:05AM +, Debian Bug Tracking System wrote:
> > > > > This is an automatic notification regarding your Bug report
> > > > > which was filed against the openvpn package:
> > > > >
> > > > > #792309: init script no longer asks for user/passwd and fails connection
> > > > >
> > > > > It has been closed by Alberto Gonzalez Iniesta <a...@inittab.org>.
> > > > >
> > > > > Their explanation is attached below along with your original report.
> > > > > If this explanation is unsatisfactory and you have not received a
> > > > > better one in a separate message then please contact Alberto Gonzalez
> > > > > Iniesta <a...@inittab.org> by replying to this email.
> > > >
> > > > The problem still seems to be present with 2.3.7-2:
> > >
> > > And the same is true for 2.3.7-2+b1. Should I open a new bug report
> > > or we should continue with the current one?
> >
> > The same one should be ok. I'm very sorry with the time this is taking.
> > But I can't figure out what's wrong with 2.3.8 and systemd
>
> FWIW I am not using the systemd.

I know. The problem is: uploading 2.3.8 fixing this bug will break the same feature for systemd users. Funny, eh? :-)
Bug#792309: closed by Alberto Gonzalez Iniesta <a...@inittab.org> (Bug#791829: fixed in openvpn 2.3.7-2)
On Mon, Dec 14, 2015 at 07:43:28PM +0100, Michal Hocko wrote:
> On Sat, Sep 19, 2015 at 10:25:15PM +0200, Michal Hocko wrote:
> > On Tue, Sep 08, 2015 at 09:39:05AM +, Debian Bug Tracking System wrote:
> > > This is an automatic notification regarding your Bug report
> > > which was filed against the openvpn package:
> > >
> > > #792309: init script no longer asks for user/passwd and fails connection
> > >
> > > It has been closed by Alberto Gonzalez Iniesta <a...@inittab.org>.
> > >
> > > Their explanation is attached below along with your original report.
> > > If this explanation is unsatisfactory and you have not received a
> > > better one in a separate message then please contact Alberto Gonzalez
> > > Iniesta <a...@inittab.org> by replying to this email.
> >
> > The problem still seems to be present with 2.3.7-2:
>
> And the same is true for 2.3.7-2+b1. Should I open a new bug report
> or we should continue with the current one?

The same one should be ok. I'm very sorry with the time this is taking. But I can't figure out what's wrong with 2.3.8 and systemd; uploading that version would break the password prompt for many users. I'll try to sort this out ASAP.

Thanks,

Alberto
Bug#804885: jessie-pu: package openvpn/2.3.4-5
On Thu, Nov 12, 2015 at 06:15:42PM +, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On 2015-11-12 16:48, Alberto Gonzalez Iniesta wrote:
> > I'd like to upload openvpn for the next point release. The reason is a
> > serious bug (#785200 and #787090) hitting multiple users. Diff is pretty
> > small:
> >
> > diff -Nru openvpn-2.3.4/debian/changelog openvpn-2.3.4/debian/changelog
> > --- openvpn-2.3.4/debian/changelog 2014-12-01 18:11:08.0 +0100
> > +++ openvpn-2.3.4/debian/changelog 2015-11-12 17:19:14.0 +0100
> > @@ -1,3 +1,10 @@
> > +openvpn (2.3.4-5+deb8u1) stable; urgency=medium
> > +
> > + * Add --no-block to if-up.d script to avoid hanging boot on
> > +interfaces with openvpn instances. (Closes: #787090, #785200)
>
> The BTS metadata for those bugs indicates that they also affect unstable and
> aren't currently fixed there. I think that's just a side-effect of one of
> the submitters having incorrectly re-opened the bug after it was marked as
> done in an unstable upload. If that's correct, please re-close it with the
> appropriate version; otherwise, please explain what's happening with fixing
> the issue in unstable.
>
> Regards,
>
> Adam

Hi Adam,

The bug was fixed in Sid in 2.3.7-1 and then reopened by mistake when asking for the Jessie fix. It should be properly tagged now.

Thanks,

Alberto
Bug#804885: jessie-pu: package openvpn/2.3.4-5
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hiya Release Team,

I'd like to upload openvpn for the next point release. The reason is a serious bug (#785200 and #787090) hitting multiple users. Diff is pretty small:

diff -Nru openvpn-2.3.4/debian/changelog openvpn-2.3.4/debian/changelog
--- openvpn-2.3.4/debian/changelog 2014-12-01 18:11:08.0 +0100
+++ openvpn-2.3.4/debian/changelog 2015-11-12 17:19:14.0 +0100
@@ -1,3 +1,10 @@
+openvpn (2.3.4-5+deb8u1) stable; urgency=medium
+
+ * Add --no-block to if-up.d script to avoid hanging boot on
+interfaces with openvpn instances. (Closes: #787090, #785200)
+
+ -- Alberto Gonzalez Iniesta <a...@inittab.org> Thu, 12 Nov 2015 17:16:28 +0100
+
 openvpn (2.3.4-5) unstable; urgency=high
 
 * Apply upstream patch that fixes possible DoS by authenticated
diff -Nru openvpn-2.3.4/debian/openvpn.if-up.d openvpn-2.3.4/debian/openvpn.if-up.d
--- openvpn-2.3.4/debian/openvpn.if-up.d2014-03-17 17:48:14.0 +0100
+++ openvpn-2.3.4/debian/openvpn.if-up.d2015-11-12 17:20:19.0 +0100
@@ -13,7 +13,7 @@
 for vpn in $IF_OPENVPN; do
 ## check systemd present
 if [ -d $SYSTEMD ]; then
- $SYSTEMCTL start openvpn@$vpn
+ $SYSTEMCTL --no-block start openvpn@$vpn
 else
 $OPENVPN_INIT start $vpn
 fi

Thanks,

Alberto

-- System Information:
Debian Release: stretch/sid
 APT prefers unstable
 APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-rc7-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
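Review bot: in the changelog hunk the continuation line `+interfaces with openvpn instances. (Closes: #787090, #785200)` sits flush against the `+`, with no indentation under the bullet; the Debian changelog format requires change-detail lines to be indented, so confirm the real file carries the usual four spaces there or dpkg-parsechangelog will reject the entry. The entry would also be clearer if it said this is a backport of the fix already in unstable since 2.3.7-1 (as stated in the reply to Adam in this thread), which is exactly the information the release team asked for.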
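Review bot: `$SYSTEMCTL --no-block start openvpn@$vpn` returns as soon as the start job is queued, so a unit that fails to start no longer surfaces through this hook's exit status; that is the intended trade-off for not blocking boot, but the changelog entry should say so, since a failed instance now only shows up in the journal or in `systemctl status openvpn@<name>`. While touching this line, quote the expansion (`"openvpn@$vpn"`) and the test above it (`[ -d "$SYSTEMD" ]`), as both are subject to word splitting as written.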