Re: Reaction to potential PGP schism

2023-12-21 Thread Cyril Brulebois
Hi Daniel,

Quick backstory: I stayed away from hardware crypto for a long while
since there were so many incompatibilities, partial support, or side
patches to get basic things to work. Over time, it seems it got to a
point where it's mainstream enough that you can buy a Yubikey without
much of a second thought, and get GPG to work out of the box on it…

Daniel Kahn Gillmor  (2023-12-20):
> OpenPGP implementations have generally learned from those failures, and
> many of them are now much more resilient and can support the kinds of
> upgrade path that we need to consider.  For most of our
> signing/verifying-focused work, that means:
> 
>  - verifying tools should ignore signatures and certificates that they
>    don't understand, while still validating signatures from certificates
>    that they do understand
> 
>  - signing tools can make pairs of signatures, one "compatibility"
>    signature and one "modern" signature
> 
> This means that for a debian signing/verification context, like package
> distribution, which has a global workflow, starting from an existing
> OpenPGP implementation, signing key and corresponding verification
> certificate, it looks like:
> 
>  0) upgrade the signing tool, and start upgrading some of the
>  verification tooling.
> 
>  1) create a new signing certificate with the new version, algorithm, or 
> feature.
> 
>  2) distribute the old+new certificates for the verifiers.
> 
>  3) make signatures with old+new in parallel
> 
>  4) complete upgrade of all verification tooling
> 
>  5) stop making signatures with old signing certificates

… what does this mean for anything that involves hardware-backed crypto?
I'm thinking Yubikeys and the like, but also HSMs that might be on the
critical path to sign things like GRUB, linux (at least for now), etc.

Even if we end up with a brand new gnupg release on the relevant signing
host(s), I fear hardware devices might not feature all the bits that are
needed for those new features?


Cheers,
-- 
Cyril Brulebois (k...@debian.org)<https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant


signature.asc
Description: PGP signature


Re: amd64 running on Intel Celeron and Pentium?

2022-04-17 Thread Cyril Brulebois
Elmar Stellnberger  (2022-04-17):
> I haven´t heard yet of a Pentium IV supporting amd64.
> Likely it does not exist.

https://en.wikipedia.org/wiki/List_of_Intel_Pentium_4_processors seems
to disagree in general. Willamette seems to be old enough to be 32-bit
only though.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)<https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant


Re: Problems with shim and shim-signed in unstable, and proposed solutions to unblock us

2019-03-04 Thread Cyril Brulebois
Steve McIntyre  (2019-03-04):
> And Mark says:
> 
> "we don't want to go rewinding version numbers in unstable; that could
> lead to all sorts of unforeseeable breakage.
> 
> much as we'd expected. Any more feedback please? Cyril prefers
> approach #2 below, I prefer #3.

To clarify: #2 was my preferred approach when we first tried to get #3 to
work, seeing how many things could need tweaking; #2 is mostly about
re-uploading packages that we know were working (albeit with different
version numbers), which looked more reassuring.

Given the amount of research we've done since then, it seems that we've
ironed out what could be an issue (mostly the fact we moved files from one
binary package to another one), and we didn't spot other packages having
relationships to either binary packages, that could have an issue with the
new layout. Building a binary package for real, even if in a chroot with
some specific versions also looks cleaner to me than repacking and
re-uploading old binaries.

Long story short: #3 looks good to me.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)<https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant


Re: [SECURITY] [DSA 3355-2] libvdpau regression update

2015-11-02 Thread Cyril Brulebois
Hi,

Daniel Reichelt  (2015-11-03):
> Hi *
> 
> the amd64 build for 0.8-3+deb8u2 seems to be missing from [1].
> 
> Is this an error or am I missing something?
> 
> 
> Thanks
> Daniel
> 
> 
> [1] http://security.debian.org/pool/updates/main/libv/libvdpau/

If I'm reading wanna-build right, it's Uploaded (as opposed to
Installed), since 2015-11-02 17:25:03.079505

So far as I can check, queued and dak on ftp-master seem rather happy:
| Nov  2 19:31:19 processing /libvdpau_0.8-3+deb8u2_amd64.changes
| Nov  2 19:31:19 libvdpau_0.8-3+deb8u2_amd64.changes processed successfully (uploader pkg-nvidia-de...@lists.alioth.debian.org)
and:
| 20151102193529|process-upload|dak|Processing changes file|libvdpau_0.8-3+deb8u2_amd64.changes
| 20151102193532|process-upload|dak|ACCEPT|libvdpau_0.8-3+deb8u2_amd64.changes

so it doesn't seem obvious to me what's happening here. Adding team@ to
the loop since I don't think I can check anything on the security.d.o
side.

Mraw,
KiBi.


Re: apt-build - Authentication warning overridden. - security issue?

2015-03-19 Thread Cyril Brulebois
Patrick Schleizer  (2015-03-18):
> Hi,
> 
> I was running:
> sudo apt-build install ccache
> 
> And the output contained a message:
> 
> WARNING: The following packages cannot be authenticated!
>   ccache
> Authentication warning overridden.
> 
> Is this just how apt-build works or could this be a security issue due
> to installing unauthenticated packages?

It probably wouldn't happen if the source snippet added at
installation time would be using “deb [trusted=yes]” instead of just
“deb”. Manually editing /etc/apt/sources.list.d/apt-build.list seems
to confirm that.

See /var/lib/dpkg/info/apt-build.postinst:
   debline="deb file:$repository_dir apt-build main"

Mraw,
KiBi.


Re: [SECURITY] [DSA 3053-1] openssl security update

2014-10-18 Thread Cyril Brulebois
Jonathan Wiltshire  (2014-10-18):
> Technically nothing is blocked yet (except udebs)

They were only blocked for a tiny number of days.

Mraw,
KiBi.


Re: Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian

2014-09-27 Thread Cyril Brulebois
Conrad Nelson  (2014-09-27):
> On Sun, 2014-09-28 at 06:33 +1000, Andrew McGlashan wrote:
> > On 28/09/2014 4:29 AM, Martin Holub wrote:
> > > Please according to the Security Tracker [1,2] both are fixed in stable
> > > and oldstable.
> > 
> > NOT QUITE . fixed in stable [wheezy]
> >   and "oldstable-LTS" [squeeze-lts] 
> > 
> > 
> >   BUT NOT  oldstable  [squeeze] it is NOT fixed,
> >   nor is it still supported.  :(
> > 
> > Cheers
> > A.
> > 
> 
> What about Jessie?

kibi@arya:~$ rmadison -a source bash -s testing,unstable
  bash |   4.3-9.2 |testing | source
  bash |   4.3-9.2 |   unstable | source

Mraw,
KiBi.


Re: Checking for services to be restarted on a default Debian installation

2014-09-01 Thread Cyril Brulebois
Thijs Kinkhorst  (2014-09-01):
> My questions to this list:
> - Do people agree that this would be something that's good to have in
>   a default installation? Are there drawbacks?

Having to know about debian-goodies always looked awkward to me. A
dedicated, easy to identify package looks like a nice idea to me.

> - If agreed, how would we approach this? I have to admit that I do not
>   know who decides what is part of a default install or where this is
>   implemented.

(Hopefully the following isn't too far from reality, just had a very
quick look.)

That would be the standard task, defined in tasksel (tasks/standard)
with “Packages: standard”, which pulls packages with that priority;
FWIW that task is a bit special since it's not defined as a task-$foo
package.

Mraw,
KiBi.


Re: CVE-2012-5560 (mate-settings-daemon): not an issue with any package version in Debian

2014-08-04 Thread Cyril Brulebois
Hi,

Mike Gabriel  (2014-08-04):
> Dear security team,
> 
> Please note that no package version of mate-settings-daemon in
> Debian is affected by CVE-2012-5560. See [1] for the fix applied
> upstream over a year ago.
> 
> Can you please update information provided at [2]?
> 
> Thanks!
> Mike
> 
> 
> [1] https://github.com/mate-desktop/mate-settings-daemon/pull/22
> [2] 
> https://security-tracker.debian.org/tracker/source-package/mate-settings-daemon

putting the security team (team@) in the loop to make sure your message
isn't lost.

Mraw,
KiBi.


Re: Missing ISO hash

2014-07-14 Thread Cyril Brulebois
Djones Boni <07ea86b...@gmail.com> (2014-07-14):
> The Debian 7.6 update ISO hashes are missing on bt-dvd directory.
> http://cdimage.debian.org/debian-cd/7.6.0/amd64/bt-dvd/MD5SUMS
> http://cdimage.debian.org/debian-cd/7.6.0/*/bt-dvd/MD5SUMS
> 
> They can be found in iso-dvd and jigdo-dvd.
> http://cdimage.debian.org/debian-cd/7.6.0/amd64/iso-dvd/MD5SUMS
> http://cdimage.debian.org/debian-cd/7.6.0/amd64/jigdo-dvd/MD5SUMS

This looks OK now.

Mraw,
KiBi.


Re: USN-2192-1: OpenSSL vulnerabilities

2014-05-06 Thread Cyril Brulebois
Testosticore  (2014-05-07):
> Aren't we affected by this, too?
> 
> http://www.ubuntu.com/usn/usn-2192-1/

Checking the security tracker would seem like an idea?
  https://security-tracker.debian.org/tracker/CVE-2010-5298
  https://security-tracker.debian.org/tracker/CVE-2014-0198

Mraw,
KiBi.


Re: SHA256SUM/MD5SUM check sums do not match for installer-i386

2014-03-07 Thread Cyril Brulebois
Hi,

m...@xlist.pw  (2014-03-07):
> Hi,
> 
> I downloaded wheezy from
> 
> ftp://ftp2.de.debian.org/debian/dists/wheezy/main/installer-
> i386/current/images/*
> 
> ftp://ftp.debian.org/debian/dists/wheezy/main/installer-i386/current/images/*
> 
> and
> 
> ftp://ftp.nl.debian.org/debian/dists/wheezy/main/installer-
> i386/current/images/*
> 
> Checking with SHA256SUM und MD5SUM files I got the same checksum errors for 
> the same files I downloaded from different locations:
> 
> user@host:~/download/debian-wheezy/images$ sha256sum --check SHA256SUMS|grep 
> FAILED
> 3:./hd-media/gtk/vmlinuz: FAILED
> 4:./hd-media/vmlinuz: FAILED
> 10:./netboot/xen/vmlinuz: FAILED
> sha256sum: ./netboot/gtk/pxelinux.cfg/default: No such file or directory
> 15:./netboot/gtk/pxelinux.cfg/default: FAILED open or read
> 61:./netboot/gtk/debian-installer/i386/linux: FAILED
> sha256sum: ./netboot/pxelinux.cfg/default: No such file or directory
> 64:./netboot/pxelinux.cfg/default: FAILED open or read
> 110:./netboot/debian-installer/i386/linux: FAILED
> 115:./cdrom/xen/vmlinuz: FAILED
> 120:./cdrom/gtk/vmlinuz: FAILED
> 121:./cdrom/vmlinuz: FAILED
> sha256sum: WARNING: 2 listed files could not be read
> sha256sum: WARNING: 8 computed checksums did NOT match
> 
> user@host:~/download/debian-wheezy/images$ md5sum --check MD5SUMS|grep FAILED
> 3:./hd-media/gtk/vmlinuz: FAILED
> 4:./hd-media/vmlinuz: FAILED
> 10:./netboot/xen/vmlinuz: FAILED
> md5sum: ./netboot/gtk/pxelinux.cfg/default: No such file or directory
> 15:./netboot/gtk/pxelinux.cfg/default: FAILED open or read
> 61:./netboot/gtk/debian-installer/i386/linux: FAILED
> md5sum: ./netboot/pxelinux.cfg/default: No such file or directory
> 64:./netboot/pxelinux.cfg/default: FAILED open or read
> 110:./netboot/debian-installer/i386/linux: FAILED
> 115:./cdrom/xen/vmlinuz: FAILED
> 120:./cdrom/gtk/vmlinuz: FAILED
> 121:./cdrom/vmlinuz: FAILED
> md5sum: WARNING: 2 listed files could not be read
> md5sum: WARNING: 8 computed checksums did NOT match
> 
> BTW, the same happens for installer-amd64.
> 
> Who can be contacted to get the hash files fixed?

well, that worked for me, for 'ftp', 'ftp.fr', 'ftp.nl':
  lftp -c mirror ftp://XX.debian.org/debian/dists/wheezy/main/installer-i386/current/images
  cd images
  md5sum --check MD5SUMS
  sha256sum --check SHA256SUMS

So it looks to me checksums are OK. (#704162 is not relevant.)

Make sure your downloads weren't truncated?

Mraw,
KiBi.


Re: possible /dev/random compromise (misplaced trust in RDRAND / Padlock entropy sources)

2013-12-14 Thread Cyril Brulebois
Steven Chamberlain  (2013-12-14):
> On 14/12/13 01:08, Henrique de Moraes Holschuh wrote:
> > Yeah, I think Linux went through similar blindness braindamage sometime ago,
> > but blind trust on rdrand has been fixed for a long time now, and it never
> > trusted any of the other HRNGs (or used them for anything at all without a
> > trip through "rng-tools" userspace until v3.12).
> 
> I seem to remember that Ted T'so's committed the fix for this only after
> the release of Linux 3.2, so I assumed wheezy's kernels might be still
> affected?

If you're talking about this:
| commit c2557a303ab6712bb6e09447df828c557c710ac9
| Author: Theodore Ts'o 
| Date:   Thu Jul 5 10:35:23 2012 -0400
| 
| random: add new get_random_bytes_arch() function
| […]

it was backported into 3.2.y, that would be 
7f5d5266f8a1f7f54707c15e028f220d329726f4
also known as v3.2.27~51.

Mraw,
KiBi.


Re: MIT discovered issue with gcc

2013-11-23 Thread Cyril Brulebois
Stefan Roas  (2013-11-23):
> On Sat Nov 23, 2013 at 10:18:43, Robert Baron wrote:
> > Second question:
> > 
> > Doesn't memcpy allow for overlapping memory, but strcpy does not?  Isn't
> > this why memcpy is preferred over strcpy?
> 
> Nope. There's memmove for overlapping areas.

Indeed, easy enough to check anyway, "opengroup memcpy" gives you:
  http://pubs.opengroup.org/onlinepubs/007904975/functions/memcpy.html

Quoting it:
  The memcpy() function shall copy n bytes from the object pointed to by
  s2 into the object pointed to by s1. If copying takes place between
  objects that overlap, the behavior is undefined.

Mraw,
KiBi.


Re: There is Pidgin in security updates with same version but different checksum

2013-10-03 Thread Cyril Brulebois
Marko Randjelovic  (2013-10-04):
> The package from security looks like error because it does not appear
> in apt-cache show, but exists in lists file and in
> http://security.debian.org/pool/updates/main/p/pidgin/.

Can you please elaborate? The above has got: 2.7.3-1+squeeze3

Current status across distributions is:
kibi@arya:~$ rmadison pidgin -a source
pidgin | 2.7.3-1+squeeze3 | oldstable         | source
pidgin | 2.10.6-3~bpo60+1 | squeeze-backports | source
pidgin | 2.10.6-3         | stable            | source
pidgin | 2.10.7-2         | testing           | source
pidgin | 2.10.7-2         | unstable          | source

so the 2.7.3-1+squeeze3 upload available through security for oldstable
got merged into oldstable proper during a point release.

What version are you chasing, for which distribution?

Mraw,
KiBi.


Re: Upcoming stable point release (7.2)

2013-09-22 Thread Cyril Brulebois
Adam D. Barratt  (2013-09-22):
> The next point release for "wheezy" (7.2) is scheduled for Saturday 
> October 12th.  Stable NEW will be frozen during the preceding weekend.

So there's a new linux kernel for that one:
  http://womble.decadent.org.uk/blog/linux-kernel-update-for-wheezy-3251-1.html

which I haven't tested at all; there's kfreebsd-9 as well, along with
flash-kernel, multipath-tools, gnupg, grub2, and libgcrypt11 (looking
at the udeb-producing packages on the current p-u summary[1]).

 1. http://release.debian.org/proposed-updates/stable.html

I wonder whether we need/want to fix iso-scan's #722711 in stable as
well. I haven't yet investigated if stable is affected and what the
fix looks like, though; just mentioning it in case somebody wants to
look into it.

-boot@, if anyone sees something that needs fixing in stable and
wasn't spotted/marked as such until now, please speak up.

Mraw,
KiBi.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130922192947.gf30...@mraw.org



Re: Upcoming oldstable point release (6.0.8)

2013-09-22 Thread Cyril Brulebois
Adam D. Barratt  (2013-09-22):
> The next point release for "squeeze" (6.0.8) is scheduled for Saturday 
> October 19th.  Oldstable NEW will be frozen during the preceding
> weekend.
> 
> As usual, base-files can be uploaded at any point before the freeze.

I don't think I have anything d-i-ish for that one.

-boot@, anything I forgot?

Mraw,
KiBi.


Archive: http://lists.debian.org/20130922191746.ge30...@mraw.org



Re: gpg signatures for Wheezy images

2013-02-22 Thread Cyril Brulebois
adrelanos  (22/02/2013):
> Stable, http://cdimage.debian.org/debian-cd/6.0.6/i386/iso-dvd/ contains
> gpg signatures.
> 
> Wheezy,
> http://cdimage.debian.org/cdimage/weekly-builds/i386/iso-dvd/ does
> not contain gpg signatures.
> 
> Can you offer gpg signatures for Wheezy as well please?

http://cdimage.debian.org/cdimage/wheezy_di_rc1/ has signatures, as
well as previous releases.

See http://www.debian.org/News/2013/20130219 for the announcement.

Mraw,
KiBi.


Re: Linux 3.2: backports some features from mainline kernel (3.7)?

2012-12-15 Thread Cyril Brulebois
Hi,

daniel curtis  (15/12/2012):
> Kernel 3.7 is officially out. This Linux release includes many
> improvements practically in every aspect. Many changes also concerns
> security. Very interesting are: Cryptographically-signed kernel
> modules and - long awaited
> -
> symlink and hardlink restrictions (already in Linux 3.6), but it
> broke some programs, so it has been disabled by default, right?

from 
http://packages.debian.org/changelogs/pool/main/l/linux/linux_3.2.35-1/changelog.html
| linux (3.2.29-1) unstable; urgency=low
| …
|   * fs: Update link security restrictions to match Linux 3.6:
|     - Drop kconfig options; restrictions can only be disabled by sysctl
|     - Change the audit message type from AUDIT_AVC (1400) to
|       AUDIT_ANON_LINK (1702)
| …
| linux-2.6 (3.2.9-1) unstable; urgency=high
| …
|   * fs: Introduce and enable security restrictions on links:
|     - Do not follow symlinks in /tmp that are owned by other users
|       (sysctl: fs.protected_symlinks)
|     - Do not allow unprivileged users to create hard links to sensitive files
|       (sysctl: fs.protected_hardlinks) (Closes: #609455)
|       + This breaks the 'at' package in stable, which will be fixed shortly
|         (see #597130)
|     The precise restrictions are specified in Documentation/sysctl/fs.txt in
|     the linux-doc-3.2 and linux-source-3.2 packages.

Anyway, I suspect you want to ask Linux kernel questions to Linux
kernel maintainers (meaning debian-kernel@).

Mraw,
KiBi.


Re: [SECURITY] [DSA 2566-1] exim4 security update

2012-10-26 Thread Cyril Brulebois
Tomas Pospisek  (26/10/2012):
> They don't seem to be available anywhere I look, particularly not
> in the http://security.debian.org/ package repository or in the
> standard debian package repository neither for unstable nor for
> wheezy.
> 
> http://incoming.debian.org/ has the versions indicated above,
> however the packages are not signed.
> 
> What's the way forward from here? Will you rerun the incoming queue
> and build packages for security.debian.org or should users
> (blindly?) install the packages from incoming?

http://packages.qa.debian.org/e/exim4/news/20121026T084842Z.html says
the package was accepted a few hours ago.

https://buildd.debian.org/status/package.php?p=exim4&suite=sid says
packages were built a few hours ago.

Please allow some time for packages to move from incoming to the
mirrors, and upgrade at this point.

Mraw,
KiBi.


Re: [SECURITY] [DSA 2550-1] asterisk security update

2012-09-19 Thread Cyril Brulebois
Hi.

Herman van Rink  (19/09/2012):
> On 09/18/2012 11:40 PM, Michael Kozma wrote:
> > Hello,
> >
> > I have an error with my sip config since i have updated the asterisk
> > package :
> >
> > monitoring*CLI> module load sip
> > Unable to load module sip
> > Command 'module load sip' failed.
> > [Sep 18 23:31:39] WARNING[7931]: loader.c:393 load_dynamic_module: Error loading module 'sip': /usr/lib/asterisk/modules/sip.so: cannot open shared object file: No such file or directory
> > [Sep 18 23:31:39] WARNING[7931]: loader.c:801 load_resource: Module 'sip' could not be loaded.

Michael, that should be “chan_sip” apparently?

> I had a similar issue after this update, but not exactly.
> 
> [Sep 19 08:41:32] WARNING[8405] loader.c: Error loading module
> 'chan_sip.so': /usr/lib/asterisk/modules/chan_sip.so: undefined symbol:
> sip_pvt_lock_full
> [Sep 19 08:41:32] WARNING[8405] loader.c: Module 'chan_sip.so' could not
> be loaded.

Herman, probably a consequence of debian/patches/AST-2012-010:
 
+static int reinvite_timeout(const void *data)
+{
…
+   struct ast_channel *owner = sip_pvt_lock_full(dialog);
…
+}
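Review bot: the added reinvite_timeout() calls sip_pvt_lock_full(dialog), but nothing in the visible hunk adds a definition or prototype for that function, which is exactly what the quoted loader warning ("undefined symbol: sip_pvt_lock_full" in chan_sip.so) reports at load time. The backported patch should carry the hunk that introduces sip_pvt_lock_full() alongside this caller, and checking the built chan_sip.so for undefined symbols beyond those expected from the asterisk core would have caught this before upload.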

Looks like the patch is missing the addition of that needed function.

Added team@ in the loop, to make sure they see this.

Mraw,
KiBi.


Re: python 2.6.6 -> python 2.6.8

2012-06-25 Thread Cyril Brulebois
Marc Haber  (25/06/2012):
> phyton is not listed in

(ahah)

> http://security-tracker.debian.org/tracker/CVE-2011-3389, does that
> mean that nobody yet identified python as being affected? How can
> python be added here?

Surely the links in “Please help us keep this information up-to-date by
reporting any discrepancies or change of states that you are aware of
and/or help us improve the quality of this information by
participating.” on the tracker home page are what you're looking for.

Mraw,
KiBi.


Re: Upcoming stable point release (6.0.5)

2012-05-14 Thread Cyril Brulebois
Shaun  (14/05/2012):
> How are they different to the usual drip-feed of security updates that
> you get from day-to-day via 'apt-get update; apt-get upgrade' ?  Are
> point updates likely to contain non-security related fixes? i.e.
> important but not CRITICAL updates?
> 
> I'm just wondering why they're needed at all? Unless it's just so that
> it's helpful for people downloading the current stable to not have to
> install a vast quantity of updates post-install on a fresh system?

Surely the announce covers your questions?
  http://lists.debian.org/debian-announce/2012/msg9.html

Mraw,
KiBi.


Re: [SECURITY] [DSA 2670-1] wordpress security update

2012-05-12 Thread Cyril Brulebois
Marc Gorzala  (11/05/2012):
> on c we aren't using debian-wordpress anyway

Please set proper To/Cc fields and leave this list alone, thanks already.

Mraw,
KiBi.


Re: Antw: Re: [SECURITY] [DSA 2378-1] ffmpeg security update

2012-01-04 Thread Cyril Brulebois
Robyn Hurst  (04.01.2012):
> Please remove me from this mailing list.

Stefan Grzenkowski  (04/01/2012):
> please remove me,too

What about this? Both of you go read the mail you're replying to, and
then do what's mentioned there to get unsubscribed? kthxbye.

Mraw,
KiBi.


Re: [SECURITY] [DSA 2122-2] New glibc packages fix privilege escalation

2011-01-11 Thread Cyril Brulebois
Florian Weimer  (11/01/2011):
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> - -
> Debian Security Advisory DSA-2122-2   secur...@debian.org
> http://www.debian.org/security/Florian Weimer
> January 11, 2011   http://www.debian.org/security/faq
> - -
> 
> Package: glibc
> Vulnerability  : missing input sanitization
> Problem type   : local
> Debian-specific: no
> CVE ID : CVE-2010-3847 CVE-2010-3856
> 
> Colin Watson discovered that the update for stable relased in
> DSA-2122-1 did not complete address the underlying security issue in
↑ +ly

I obeyed the Reply-To, but maybe one should mail another address to
get typos fixed in the web version?

KiBi.


Re: Nessus to be removed from Debian, please switch to OpenVAS

2009-08-02 Thread Cyril Brulebois
Javier Fernández-Sanguino Peña  (02/08/2009):
> I encourage people that are looking for an alternative to Nessus to switch to
> OpenVAS (Open Vulnerability Assessment Scanner) which is a Nessus fork (based
> on the 2.2.x branch) that is actively being maintained and is now available
> in Debian.

I'm not quite used to that, but that might be worth adding to the
release notes?

Mraw,
KiBi.


Re: [SECURITY] [DSA 1786-1] New acpid packages fix denial of service

2009-05-03 Thread Cyril Brulebois
Nico Golde  (04/05/2009):
> * Steffen Joeris  [2009-05-04 05:25]:
> > 
> > Debian Security Advisory DSA-1786-1  secur...@debian.org
> > http://www.debian.org/security/  Steffen Joeris
> > May 02, 2009  http://www.debian.org/security/faq
> > 
> > 
> > Package: acpid
> > Vulnerability  : denial of service
> > Problem type   : remote
> 
> That should be local.

People might have got it, but anyway: “should have been local” (or
“should be local”, I guess both senses are possible here).

Mraw,
KiBi.


Re: mt-daapd #404640 introduces remote security hole

2009-04-01 Thread Cyril Brulebois
Alexander Kurtz  (01/04/2009):
> since it took more than half a year until someone responded to the
> initial mail of #404640 and there are still SERIOUS REMOTE SECURITY
> ISSUES UNFIXED, I thought I'd just drop a link:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=404640

YOU MUST BE KIDDING.

Mraw,
KiBi.


Re: [LI#NCE-fWtY2-534] [SECURITY] [DSA 1737-1] New wesnoth packages fix several vulnerabilities

2009-03-11 Thread Cyril Brulebois
Dan Bassett  (11/03/2009):
> First of...
> HAHAHAHAHAHHAHAHAHAAHAHA

Ah?

> Secondly, not on any of our servers...

Hm, we don't care?

Mraw,
KiBi.


Re: [Koumbit #27201] [SECURITY] [DSA 1731-1] New ndiswrapper packages fix arbitrary code execution vulnerability

2009-03-02 Thread Cyril Brulebois
Antoine Beaupré via RT  (02/03/2009):
> Status: resolved

Status: we-don’t-care

Fix your mail setup.

Mraw,
KiBi.


Re: New Etch Point Release

2009-02-09 Thread Cyril Brulebois
Sythos  (10/02/2009):
> no lenny release as stable? :)

Good things come to those…

Mraw,
KiBi.


Re: [SECURITY] [DSA 1704-1] New xulrunner packages fix several vulnerabilities

2009-01-15 Thread Cyril Brulebois
Celejar  (15/01/2009):
> > (without any deb-src) It looks like the following does what you want:
> > | grep-status -sPackage -F Package $source_package
> > 
> > Works for me with blender, xulrunner, graphviz as source package names.

Bleh. Needed sleep :)

Make “-F Package” become “-F Source”. Unfortunately, if a binary package
is built from a source package with the same name, it isn't printed.
E.g.  “grep-status -sPackage -F Source graphviz” won't return graphviz,
even if it's installed, so you'll have to add a special-case.

Using --exact-match should help. What about the following?
| grep-status -X -sPackage -F Source $p; grep-status -X -sPackage -F Package $p

Might be suboptimal but oh well, it does (this time I hope…) answer your
question.

> According to the man page, your command merely prints the package
> fields of those packages whose package fields contains the string
> $source_package, as above.  Have I missed something?

Sorry about that.

Mraw,
KiBi.


Re: [SECURITY] [DSA 1704-1] New xulrunner packages fix several vulnerabilities

2009-01-15 Thread Cyril Brulebois
Celejar  (15/01/2009):
> Is there any automatic way to check whether a given system has any of
> the binary packages built from a given source package installed?

(without any deb-src) It looks like the following does what you want:
| grep-status -sPackage -F Package $source_package

Works for me with blender, xulrunner, graphviz as source package names.

Mraw,
KiBi.
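
A self-contained way to do the same check without dctrl-tools, as an added example that is not code from this thread: a POSIX sh/awk script that parses a dpkg status file directly and handles the two edge cases raised in this message and in the corrected command in the follow-up above (a binary whose source has the same name and so carries no Source: field, and a Source: field with a version in parentheses). The embedded status file is a constructed sample; set STATUS_FILE=/var/lib/dpkg/status to query a real system.

```shell
#!/bin/sh
# Added example (not from the thread): list the installed binary packages built
# from a given source package by parsing a dpkg status file directly, instead of
# chaining two grep-status calls. Edge cases handled:
#  - a stanza with no "Source:" field (the source package has the same name)
#  - a "Source:" field carrying a version, e.g. "Source: xulrunner (1.9.0.5-1)"
# Only stanzas whose Status ends in " installed" count, so packages that were
# removed but left config files behind are not reported.

binaries_from_source() {
    # $1 = source package name, $2 = path to a dpkg status file
    awk -v src="$1" '
        BEGIN { RS = ""; FS = "\n" }              # one stanza per record
        {
            pkg = ""; source = ""; installed = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Package: /) {
                    pkg = substr($i, 10)
                } else if ($i ~ /^Source: /) {
                    source = substr($i, 9)
                    sub(/ \(.*\)$/, "", source)   # drop the "(version)" part
                } else if ($i ~ /^Status: .* installed$/) {
                    installed = 1
                }
            }
            if (source == "") source = pkg        # no Source: field => same name
            if (installed && source == src) print pkg
        }' "$2" | sort
}

# Constructed sample status file, standing in for /var/lib/dpkg/status.
write_sample_status() {
    cat > "$1" <<'EOF'
Package: xulrunner-1.9
Status: install ok installed
Source: xulrunner
Version: 1.9.0.5-1

Package: libmozjs1d
Status: install ok installed
Source: xulrunner (1.9.0.5-1)
Version: 1.9.0.5-1

Package: graphviz
Status: install ok installed
Version: 2.20.2-3

Package: libgraphviz4
Status: deinstall ok config-files
Source: graphviz
Version: 2.20.2-3

Package: vlc
Status: install ok installed
Source: vlc
Version: 0.8.6.h-5
EOF
}

# Stand-alone run: report which installed binaries come from each source package.
demo_status="${STATUS_FILE:-}"
if [ -z "$demo_status" ]; then
    demo_status="${TMPDIR:-/tmp}/dpkg-status.sample.$$"
    write_sample_status "$demo_status"
fi
for src in xulrunner graphviz vlc; do
    printf '%s: %s\n' "$src" "$(binaries_from_source "$src" "$demo_status" | tr '\n' ' ')"
done
[ -n "${STATUS_FILE:-}" ] || rm -f "$demo_status"
```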


Re: [SECURITY] [DSA 1704-1] New xulrunner packages fix several vulnerabilities

2009-01-14 Thread Cyril Brulebois
Celejar  (14/01/2009):
> > We recommend that you upgrade your xulrunner packages.
> 
> On my Sid box, I only have 'xulrunner-1.9' from the official repo, and
> xulrunner only from 'debian-multimedia.org'.

That's the source package name. Binaries built from this source:
| $ LANG=C apt-cache showsrc xulrunner|grep ^Binary:|tr -d ,|sed -e 's/ /\n/g'|sort
| Binary:
| libmozillainterfaces-java
| libmozjs1d
| libmozjs1d-dbg
| libmozjs-dev
| python-xpcom
| spidermonkey-bin
| xulrunner-1.9
| xulrunner-1.9-dbg
| xulrunner-1.9-gnome-support
| xulrunner-dev

Mraw,
KiBi.


Re: Freeze exceptions for iceape/iceweasel/xulrunner?

2009-01-09 Thread Cyril Brulebois
Francesco Poli  (10/01/2009):
> On the other hand iceape [2], iceweasel [3], and xulrunner [4] seem to
> be in freeze, even though their unstable versions fix many
> vulnerabilities.
> 
> Have freeze exceptions been already requested for them?

http://lists.debian.org/debian-release/

(no)

> Otherwise, are there plans to do so?

RC bugfixes are usually unblocked without the need for asking. Also,
security bugfixes for ice* packages are allowed by habit.

> P.S.: Please Cc: me on replies, as I am not a list subscriber.

Done.

Mraw,
KiBi.


Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution

2008-12-10 Thread Cyril Brulebois
Dominic Hargreaves <[EMAIL PROTECTED]> (10/12/2008):
> Looks like it is in the etch-proposed-updates/etch dist, though, if
> you wanted it. Volatile admins, is there something wrong with this
> package or has it just been forgotten about?

Correct according to:
http://release.debian.org/proposed-updates/stable.html

Mraw,
KiBi.


Re: md5 hashes used in security announcements

2008-10-24 Thread Cyril Brulebois
Florian Weimer <[EMAIL PROTECTED]> (24/10/2008):
> I don't know to which address you sent the address, so I don't know if
> it's been overlooked.

[EMAIL PROTECTED] aka.
http://lists.debian.org/debian-security/2008/10/msg00030.html

Mraw,
KiBi.


Re: [DSA 1629-1] Etch postfix packages older than base

2008-08-19 Thread Cyril Brulebois
Ewen McNeill <[EMAIL PROTECTED]> (19/08/2008):
> Would it be possible to rerelease this fix for Debian Etch with a
> higher package version number? Either 2.3.8-3etch1 or 2.3.8-2+b1etch1
> or similar would seem to do.

#495604 is pending.

Mraw,
KiBi.


Re: 17 updates for Etch?!?! ¡!¡¡111oneonelevenoneone

2008-07-26 Thread Cyril Brulebois
Jim Popovitch <[EMAIL PROTECTED]> (26/07/2008):
> WTF?!?!?  Were all those apps + kernel updated today?

Point release, see [1]. I guess the announcement is on its way. Might be
sent once most architectures have all packages built.

 1. http://www.philkern.de/weblog/en/debian/etch_4.0r4.html

Mraw,
KiBi.


Re: Broken link on Debian CVE Web page (Was: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-13 Thread Cyril Brulebois
On 13/05/2008, Stephane Bortzmeyer wrote:
> By the way, the page
>  has a link
> http://security-tracker.debian.org/, labeled "The Debian Security
> Tracker has the canonical list of CVE names, corresponding Debian
> packages," and this link is broken: there is no
> security-tracker.debian.org.

Just in case you don't know about it yet, try .net.

Mraw,
KiBi.


Re: [SECURITY] [DSA 1466-1] New xorg-server packages fix several vulnerabilities

2008-01-18 Thread Cyril Brulebois
On 18/01/2008, Adrian Minta wrote:
> After this update vlc and possible other programs will not work
> anymore.

#461410.

Cheers,

-- 
Cyril Brulebois


Re: [SECURITY] [DSA 1375-1] New OpenOffice.org packages fix arbitrary code execution

2007-09-20 Thread Cyril Brulebois
Alexander Klauer <[EMAIL PROTECTED]> (20/09/2007):
> My gpg says BAD signature from "Martin Schulze <[EMAIL PROTECTED]>".
> Is it just me or is there something wrong with Martin's message?

Mine is OK (just after having downloaded #801EA932). Maybe you should
update your local copy of his key?

Cheers,

-- 
Cyril Brulebois

