Bug#955038: Staat_der_Nederlanden_Root_CA_-_G2.crt still in package
The ca-certificates version 20200601 removes various old/obsolete certificates, but still contains one expired certificate: Staat_der_Nederlanden_Root_CA_-_G2.crt. This expired on March 25, 2020 and should probably also be removed. -- Hanno Böck https://hboeck.de/
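A check for the condition reported above, as an added example that is not from the bug report or the ca-certificates package: it walks each PEM certificate in a bundle with a minimal DER reader (standard library only) and lists those past notAfter. The sample bundle is constructed; its two "certificates" contain only the fields the walker reads, not real CA material.

```python
import base64, datetime, re

def _read(buf, pos):
    """Read one DER TLV at pos: returns (tag, body, position after it), handling long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _time(tag, body):
    s = body.decode("ascii")
    if tag == 0x17:                    # UTCTime: RFC 5280 reads YY >= 50 as 19YY, else 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=datetime.timezone.utc)

def validity(der):
    """(notBefore, notAfter) of a DER X.509 certificate, walking only as far as the Validity field."""
    _, cert, _ = _read(der, 0)         # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    _, tbs, _ = _read(cert, 0)
    tag, _, pos = _read(tbs, 0)        # version [0] EXPLICIT is optional (absent in v1 certificates)
    pos = pos if tag == 0xA0 else 0
    for _ in range(3):                 # serialNumber, signature AlgorithmIdentifier, issuer Name
        _, _, pos = _read(tbs, pos)
    _, val, _ = _read(tbs, pos)        # validity ::= SEQUENCE { notBefore, notAfter }
    t1, b1, p = _read(val, 0)
    t2, b2, _ = _read(val, p)
    return _time(t1, b1), _time(t2, b2)

def expired_in_bundle(pem_text, now=None):
    """[(index, notAfter ISO string)] for every certificate in the bundle that is past notAfter at `now` (UTC)."""
    if isinstance(now, str):
        now = datetime.datetime.fromisoformat(now).replace(tzinfo=datetime.timezone.utc)
    now = now or datetime.datetime.now(datetime.timezone.utc)
    blobs = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    pairs = [(i, validity(base64.b64decode("".join(b.split())))[1]) for i, b in enumerate(blobs)]
    return [(i, na.isoformat()) for i, na in pairs if na < now]

def _tlv(tag, body):                   # DER encoder for the sample; short-form lengths suffice here
    return bytes([tag, len(body)]) + body

def _fake_cert(not_after):             # constructed input: only the fields validity() walks are meaningful
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))      # sha256WithRSAEncryption OID
    val = _tlv(0x30, _tlv(0x17, b"150101000000Z") + _tlv(0x17, not_after))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + _tlv(0x30, b"") + val)
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# One certificate expired on the date named in the report, one valid until 2030.
SAMPLE_BUNDLE = _fake_cert(b"200325110310Z") + _fake_cert(b"300101000000Z")
```

On a Debian system the same function can be pointed at the text of /etc/ssl/certs/ca-certificates.crt to list which shipped roots have lapsed.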
Bug#893033: util-linux instead of bsdmainutils
Just wanted to add: The util-linux package (upstream) also contains a "look" tool and it doesn't have this file size limitation. But it seems Debian's util-linux package is not shipping that tool. Maybe you should switch to provide look via util-linux instead of the limited version from bsdmainutils. -- Hanno Böck https://hboeck.de/
Bug#921663: Please add python-certbot update to jessie-backports
Package: python-certbot Regarding the Let's Encrypt / TLS-SNI-01 situation I think the python-certbot 0.28.0 update should be added to jessie-backports (for context see bugs #887399 and #888703). It seems to be common that people on Jessie installed python-certbot from the jessie-backports repository. Given that the version 0.10.2 will stop working in a few days I hope this can be sorted out quickly. (Background: Let's Encrypt will finally disable the TLS-SNI-01 domain validation method due to security issues, which in older certbot versions was the standard for apache+nginx setups.)
Bug#887399: Question about stable-updates
From what I understand the "stable-updates suite" is not part of the normal Debian stable distribution. I also don't see the update with an "apt update; apt upgrade". Is the plan to keep it that way? In effect this means all "normal" stable users who don't do anything extra will still have a broken setup in 2 weeks, because they relied on an automation technology that they hoped would solve their cert problems. I don't think this is an acceptable solution TBH.
Bug#911289: ca-certificates should remove Symantec certs
Package: ca-certificates Version: 20180409 I think most people are aware that browser vendors agreed to distrust certificates by Symantec and they no longer issue certificates (their business got sold to Digicert). This should also be reflected in the ca-certificates package and the Symantec roots should be removed (particularly as this package is acting as a de-facto upstream for several other distros). This needs some checking which certificates exactly shall be removed. Symantec operated under various different brand names (Thawte, Geotrust, and they also owned the old Verisign roots), and some of their roots have changed the owner and are excluded from the distrust.
Bug#891907: memcached should disable UDP by default
On Tue, 6 Mar 2018 18:58:22 +0100 Guillaume Delacour wrote:
> The version 1.5.6 will be uploaded in the archive in a few days.
> I'll try to propose a backport patch at least for versions in stretch
> and jessie (with upstream review, if possible).
Ubuntu has published fixes for several versions, maybe their patches can be used: https://bugs.launchpad.net/ubuntu/+source/memcached/+bug/1752831
-- Hanno Böck https://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Bug#891907: CVE-2018-1000115
This got CVE-2018-1000115 assigned.
Bug#891907: memcached should disable UDP by default
Package: memcached Version: 1.4.33-1 Memcached is currently involved in some massive DDoS attacks, see e.g.: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ The UDP protocol of memcached can be abused for very effective DDoS amplification attacks and should therefore be considered dangerous. Upstream memcached has reacted to this by disabling UDP by default: https://github.com/memcached/memcached/wiki/ReleaseNotes156 In Debian memcached by default only listens on 127.0.0.1, but enables UDP. While listening on localhost only protects default settings, it's still only a minor change away from creating an effective DDoS tool for a protocol that is hardly in use today. I recommend that you backport the upstream change and disable UDP by default.
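A configuration check for the two settings the report turns on, added here as an example (not from the bug report or the memcached project): it reads a Debian-style memcached.conf, flags UDP left enabled (`-U` absent or non-zero) and any non-loopback bind address, and produces the hardened copy with `-U 0`. The sample config is constructed in the layout of Debian's stock file.

```python
import ipaddress, re

UDP_DEFAULT_PORT = 11211   # UDP port memcached < 1.5.6 enabled when no -U line is given

def parse_memcached_conf(text):
    """Map single-letter option -> value ('' for bare flags such as -d); comments are skipped."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^-(\w)\s*(\S*)$", line.split("#", 1)[0].strip())
        if m:
            opts[m.group(1)] = m.group(2)
    return opts

def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:         # hostname or interface name: assume it is reachable
        return False

def assess(text):
    """Return (udp_port, local_only, findings) for a memcached.conf."""
    opts = parse_memcached_conf(text)
    udp_port = int(opts["U"]) if opts.get("U", "").isdigit() else UDP_DEFAULT_PORT
    addrs = [a for a in opts.get("l", "").split(",") if a]
    local_only = bool(addrs) and all(_is_loopback(a) for a in addrs)   # no -l means all interfaces
    findings = []
    if udp_port:
        findings.append(f"UDP enabled on port {udp_port}; add '-U 0'")
    if not local_only:
        findings.append("bound to a non-loopback address; keep '-l 127.0.0.1' unless clients need more")
    if udp_port and not local_only:
        findings.append("UDP reachable from the network: usable for DDoS amplification")
    return udp_port, local_only, findings

def disable_udp(text):
    """Hardened copy of the config: any -U line becomes -U 0, or one is appended."""
    lines, seen = [], False
    for line in text.splitlines():
        if re.match(r"^\s*-U\b", line):
            line, seen = "-U 0", True
        lines.append(line)
    if not seen:
        lines.append("-U 0")
    return "\n".join(lines) + "\n"

# Constructed sample in the layout of Debian's stock memcached.conf before the change.
SAMPLE_CONF = """# memcached default config file
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 127.0.0.1
"""
```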
Bug#874034: Debian should disable legacy vsyscall
Package: kernel The current Debian kernels support the legacy vsyscall method. This can be a security risk and is not needed within a modern system. Background: vsyscall was a method to map commonly used kernel functions into application space to a fixed address. It has been replaced by the more secure and flexible vdso mechanism. vsyscall is problematic, because it maps code to a fixed address, thus making ASLR (Address Space Layout Randomization) less effective. Due to this vsyscall has been redesigned into an "emulated" mode (which is what Debian's current kernels support) that reduces the amount of code and thus the attack surface. But still it's some code mapped to a fixed address and a legacy feature that shouldn't be needed any more. Currently Debian kernels have the option CONFIG_LEGACY_VSYSCALL_EMULATE=y. This should be disabled and instead CONFIG_LEGACY_VSYSCALL_NONE=y should be set. Please note that this would still not remove the functionality, it would just disable it by default. By passing vsyscall=emulate to the boot command line users could still reactivate it. (By setting CONFIG_X86_VSYSCALL_EMULATION=n alternatively it could also be disabled entirely.) Compatibility risks: Modern glibc versions don't use vsyscall, so dynamic binaries won't be affected by this change (unless you happen to try to run a very old glibc version within a modern Debian). Users trying to run very old static binaries may be negatively affected, as these may no longer run if they try to use vsyscall. Given that the release of Debian Buster is still some time away I think now would be a good time to implement such a change in unstable/testing, making it likely that potential problems would be discovered long before Buster gets released.
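A check for the state described above, added as an example that is not part of the bug report: it reads the three places the vsyscall mode shows up (the `[vsyscall]` entry at its fixed address in a process map, the `CONFIG_LEGACY_VSYSCALL_*` option in the kernel config, and a `vsyscall=` boot parameter) and reports whether the legacy page is still mapped. The map and config samples are constructed; `assess_live()` runs the same logic on the current machine.

```python
import os, re

VSYSCALL_START = 0xffffffffff600000   # fixed address of the legacy vsyscall page on x86-64

def vsyscall_mapped(maps_text):
    """True if a /proc/<pid>/maps dump shows the [vsyscall] page at its fixed address."""
    for line in maps_text.splitlines():
        if line.rstrip().endswith("[vsyscall]"):
            return int(line.split("-", 1)[0], 16) == VSYSCALL_START
    return False

def configured_mode(config_text, cmdline=""):
    """Effective mode: compiled-out beats everything, then a vsyscall= boot parameter, then the config default."""
    if re.search(r"^# CONFIG_X86_VSYSCALL_EMULATION is not set", config_text, re.M):
        return "none"                 # emulation not built at all, so vsyscall=emulate cannot re-enable it
    m = re.search(r"\bvsyscall=([a-z]+)", cmdline)
    if m:
        return m.group(1)
    m = re.search(r"^CONFIG_LEGACY_VSYSCALL_([A-Z]+)=y", config_text, re.M)
    return m.group(1).lower() if m else "unknown"

def assess(maps_text, config_text, cmdline=""):
    """Combine the sources into one finding a hardening check can act on."""
    mode, mapped = configured_mode(config_text, cmdline), vsyscall_mapped(maps_text)
    if mapped:
        finding = f"vsyscall page mapped at {VSYSCALL_START:#x} (mode {mode}): fixed address weakens ASLR"
    elif mode == "none":
        finding = "vsyscall disabled; only vsyscall=emulate on the boot command line brings it back"
    else:
        finding = f"mode {mode} configured but no vsyscall page seen; verify against a live process"
    return {"mode": mode, "mapped": mapped, "ok": not mapped and mode == "none", "finding": finding}

def assess_live():
    """Run the check on this Linux machine; the config file under /boot may be absent on some systems."""
    with open("/proc/self/maps") as f: maps = f.read()
    with open("/proc/cmdline") as f: cmdline = f.read()
    cfg = "/boot/config-" + os.uname().release
    config = open(cfg).read() if os.path.exists(cfg) else ""
    return assess(maps, config, cmdline)

# Constructed samples: a Debian kernel of the time (emulate) and the proposed default (none).
MAPS_WITH_VSYSCALL = ("7ffd1c3f0000-7ffd1c3f2000 r-xp 00000000 00:00 0    [vdso]\n"
                      "ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0    [vsyscall]\n")
MAPS_WITHOUT = MAPS_WITH_VSYSCALL.splitlines(True)[0]
CONFIG_EMULATE = "CONFIG_X86_VSYSCALL_EMULATION=y\nCONFIG_LEGACY_VSYSCALL_EMULATE=y\n"
CONFIG_NONE = "CONFIG_X86_VSYSCALL_EMULATION=y\nCONFIG_LEGACY_VSYSCALL_NONE=y\n"
```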
Bug#873122: HTTP Link to Keyring
Package: www.debian.org When downloading a Debian CD there's a webpage explaining how to verify signatures: https://www.debian.org/CD/verify This recommends checking the signatures with the keys from the Debian GPG keyring. However, that link is HTTP, pointing to: http://keyring.debian.org/ It will immediately redirect to HTTPS, but an attacker could intercept that redirection and present a user with a malicious keyring instead. This makes the verification kinda pointless, as the keyring is delivered over a potentially insecure channel. The lack of HSTS on debian.org makes this particularly worrisome. Please change that link to HTTPS.
Bug#860256: chromium .desktop file Icon definition is not valid
Package: chromium Version: 56.0.2924.76-5 The .desktop file in the chromium deb is not valid according to the desktop-file-validate tool. The error is pretty self-explanatory, it's referencing "chromium.png" for the Icon, it shouldn't do that (but only "chromium"):
/usr/share/applications/chromium.desktop: error: (will be fatal in the future): value "chromium.png" for key "Icon" in group "Desktop Entry" is an icon name with an extension, but there should be no extension as described in the Icon Theme Specification if the value is not an absolute path
Bug#832920: HSTS
Please also add an HSTS header to enforce future connections to be HTTPS and avoid SSL Stripping attacks.
Bug#772765: fix
Just FYI: I also discovered this bug and tracked it down. It has nothing to do with Debian and is a dovecot upstream bug. See here: http://dovecot.org/pipermail/dovecot/2015-April/100618.html Patch: http://dovecot.org/pipermail/dovecot/attachments/20150424/bade681d/attachment.bin
Bug#783174: Randomized timestamps
What's happening here is that some TLS implementations and servers started randomizing their timestamps. Seems this happened on www.ptb.de. Other distributions sometimes have www.google.com set as their timesource. This is more reliable because google itself is using tlsdate for chromeos. In the long term the TLS timestamp will probably go away anyway. An alternative is to use the HTTP header time. (or fix ntp, which is currently being done, but that's another story) I'd suggest Debian patches tlsdate to use www.google.com. Reported upstream as well: https://github.com/ioerror/tlsdate/issues/172
Bug#766314: unp uses deprecated "have" keyword in bash completion
Package: unp Version: 2.0~pre7+nmu1 The bash completion file in the package unp uses the deprecated "have" keyword. According to bash completion this should no longer be used: http://anonscm.debian.org/cgit/bash-completion/bash-completion.git/tree/bash_completion#n125 Bash completion rules should just apply unconditionally. See attached patch for latest unp 2.0~pre7+nmu1.
diff -Naur unp-2.0~pre7+nmu1/bash_completion.d/unp unp-2.0~pre7+nmu1-1/bash_completion.d/unp --- unp-2.0~pre7+nmu1/bash_completion.d/unp 2012-05-16 22:05:13.0 +0200 +++ unp-2.0~pre7+nmu1-1/bash_completion.d/unp 2014-10-22 10:34:20.343233166 +0200 @@ -1,6 +1,5 @@ # bash completion for unp -have unp && _unp() { local cur
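Review bot: dropping the `have unp &&` guard is what the linked bash-completion source asks for, and `_unp()` is now defined unconditionally; the hunk header counts 6 lines going to 5 but the excerpt ends at `local cur`, so check that the rest of the file no longer relies on the `&&` chain that began on the deleted line (for example a trailing `complete -F _unp unp` registration that was chained to it) before applying.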
Bug#688383: Add audio/opus mimetype for .opus extension to mime.types
Package: mime-support Version: 3.53 Severity: wishlist Please add a line to mime.types for the new IETF opus audio codec. According to xiph, this should be audio/ogg with the extension .opus: https://wiki.xiph.org/OggOpus#Content_Type Or if one wants to be more precise, 'audio/ogg; codecs=opus'. This is also what the draft rfc here indicates: https://www.ietf.org/id/draft-terriberry-oggopus-01.txt There also exists the audio/opus mimetype, but it's considered to be only used for RTP streams: https://tools.ietf.org/html/draft-spittka-payload-rtp-opus-01 As far as I can see, there's no audio/opus file extension, it's only used for streams.
Bug#492369: xz support
I modified your last patch so it also includes .tar.xz-support. What's probably missing is xz/lzma-support without .tar; I was too lazy to figure out the gz/bzip2-logic.
diff -Naur unp-1.0.15/unp unp-1.0.15-1/unp --- unp-1.0.15/unp 2008-05-18 02:55:54.0 +0200 +++ unp-1.0.15-1/unp 2009-12-22 14:01:13.0 +0100 @@ -38,20 +38,23 @@ } %pkgmap = ( - cpio, "afio $or cpio", - afio, "afio $or cpio", - rpm2cpio, "rpm, afio $or cpio", - unshar, sharutils, - uudecode, sharutils, - PPMd, ppmd, - rar, "rar $or unrar $or unrar-free", - ar, binutils, - unarj, "unarj $or arj", - hexbin, macutils, + "xz", "xz-utils", + "lzma", "lzma", + "7z", "p7zip $or p7zip-full", + "cpio", "afio $or cpio", + "afio", "afio $or cpio", + "rpm2cpio", "rpm, afio $or cpio", + "unshar", "sharutils", + "uudecode", "sharutils", + "PPMd", "ppmd", + "rar", "rar $or unrar $or unrar-free", + "ar", "binutils", + "unarj", "unarj $or arj", + "hexbin", "macutils", #macunpack, macunpack, - gunzip, gzip, - bunzip2, bzip2, - formail, "formail, mpack" + "gunzip", "gzip", + "bunzip2", "bzip2", + "formail", "formail, mpack" ); &print_usage if ($#ARGV<0 || $ARGV[0] eq "-h"); @@ -153,6 +156,7 @@ if ($UNP_FILEstr =~ /CAB file/i) { set_command 'cabextract $UNP_FILE'; } if ($UNP_FILEstr =~ /cpio/i) { set_command('afio -Z -v -i $UNP_FILE','cpio -i -d --verbose $UNP_ARGS < $UNP_FILE'); } if ($UNP_FILEstr =~ /Zip.*archive/i) { set_command 'unzip $UNP_ARGS $UNP_FILE'; } + if ($UNP_FILEstr =~ /7-zip.*archive/i) { set_command '7z x $UNP_ARGS $UNP_FILE'; } if ($UNP_FILEstr =~ /Zoo.*archive/i) { set_command 'unzoo -x $UNP_ARGS $UNP_FILE'; } if ($UNP_FILEstr =~ /shell.*archive/i) { set_command 'unshar $UNP_ARGS $UNP_FILE'; } if ($UNP_FILEstr =~ /Transport Neutral Encapsulation Format/i) { set_command 'tnef -v $UNP_ARGS $UNP_FILE'; } 
@@ -214,12 +218,13 @@ # check also for _tar, because of broken filenames if ($UNP_FILE =~ /(\.|_)tar$/i) { set_command 'tar -xvf $UNP_FILE $UNP_ARGS'; } - if ($UNP_FILE =~ /(\.|_)rpm$/i) { set_command 'rpm2cpio < $UNP_FILE | cpio -i -d --verbose $UNP_ARGS';} - if ($UNP_FILE =~ /(\.|_)tar\.gz$/i) { set_command 'tar -xvzf $UNP_FILE $UNP_ARGS'; } + if ($UNP_FILE =~ /(\.|_)rpm$/i) { set_command 'rpm2cpio < $UNP_FILE | cpio -i -d --verbose $UNP_ARGS';} + if ($UNP_FILE =~ /(\.|_)tar\.gz$/i) { set_command 'tar -xvzf $UNP_FILE $UNP_ARGS'; } if ($UNP_FILE =~ /(\.|_)tar\.bz2$/i) { set_command 'bunzip2 -c $UNP_FILE | tar -xvf - $UNP_ARGS'; } - - if ($UNP_FILE =~ /\.tgz$/i) { set_command 'tar -xvzf $UNP_FILE $UNP_ARGS'; } - if ($UNP_FILE =~ /\.(tzo|tar\.lzop)$/i) { set_command 'lzop -v -d $UNP_FILE | tar -xv $UNP_ARGS'; } + if ($UNP_FILE =~ /\.tgz$/i) { set_command 'tar -xvzf $UNP_FILE $UNP_ARGS'; } + if ($UNP_FILE =~ /\.(tzo|tar\.lzop)$/i) { set_command 'lzop -v -d $UNP_FILE | tar -xv $UNP_ARGS'; } + if ($UNP_FILE =~ /(\.|_)tar\.xz$/i) { set_command 'tar -xvJf $UNP_FILE $UNP_ARGS'; } + if ($UNP_FILE =~ /(\.|_)tar\.lzma$/i) { set_command 'lzma -cd $UNP_FILE | tar -xvf - $UNP_ARGS'; } if ($UNP_FILE =~ /\.rar$/i) { set_command('rar x $UNP_ARGS $UNP_FILE || rar x -av- $UNP_ARGS $UNP_FILE','unrar x $UNP_ARGS $UNP_FILE || unrar x -av- $UNP_ARGS $UNP_FILE'); } if ($UNP_FILE =~ /\.(ar|deb)$/i) { set_command 'ar -x -v $UNP_FILE $UNP_ARGS'; } if ($UNP_FILE =~ /\.l(ha|zh)$/i) { set_command 'lha x $UNP_ARGS $UNP_FILE'; }
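Review bot: in the `%pkgmap` hunk (`@@ -38,20 +38,23 @@`), quoting every key is what makes `"7z"` legal, since a bareword starting with a digit does not compile, but the pairs still use plain commas; the fat comma (`"xz" => "xz-utils",`) would auto-quote simple keys and make the key/value pairing explicit, and the commented-out `#macunpack, macunpack,` line should be quoted the same way so it does not break if someone re-enables it.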
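Review bot: in the detection hunk (`@@ -153,6 +156,7 @@`), the new line runs `7z`, while the `%pkgmap` entry it pairs with lists `p7zip $or p7zip-full`; the p7zip package only ships `7zr`, and `7z` comes from p7zip-full, so either use the two-command form the cpio line already uses, `set_command('7z x $UNP_ARGS $UNP_FILE','7zr x $UNP_ARGS $UNP_FILE')`, or narrow the pkgmap entry to p7zip-full so the dependency hint matches the binary that is actually called.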
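Review bot: in the extension hunk (`@@ -214,12 +218,13 @@`), the rpm, tar.gz, tgz and tzo lines are deleted and re-added with identical content, so the diff carries whitespace-only churn that hides the two real additions; drop those pairs so only the `tar\.xz` and `tar\.lzma` lines change. For the xz line, `tar -xvJf` depends on a tar that understands `-J`; piping the way the neighbouring bz2 line does, `xz -cd $UNP_FILE | tar -xvf - $UNP_ARGS`, avoids that, and a `\.txz$` pattern would cover the short suffix the way `\.tgz$` does for gzip.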
Bug#440318: Hybrid auth available in svn snapshot
Hybrid auth based on gnutls is available in the svn version of vpnc. So bumping to an svn snapshot fixes this issue without license implications. You can find an svn snapshot here: http://distfiles.gentoo.org/distfiles/vpnc-0.5.3_p449.tar.bz2 -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail:ha...@hboeck.de http://schokokeks.org - professional webhosting
Bug#492369: Patch does not work
I get this when using your patch:
[EMAIL PROTECTED] /tmp $ unp /usr/portage/distfiles/eix-0.14.2.tar.lzma
Bareword found where operator expected at /usr/bin/unp line 42, near "7z" (Missing operator before z?)
syntax error at /usr/bin/unp line 42, near "7z"
Execution of /usr/bin/unp aborted due to compilation errors.