Bug#949332: apparmor profile for fwknop
debian/patches/001_apparmor_profile.patch already adds

  + @{PROC}/@{pid}/net/ip_tables_names r,
  + /usr/sbin/xtables-nft-multi rix,

so 002_apparmor_profile.patch that adds the following

  + /etc/host.conf r,
  + /etc/resolv.conf r,
  + /etc/services r,
  + /run/resolvconf/resolv.conf r,
  + /sbin/ipset rix,
  + /usr/sbin/ipset rix,

should work for the ipset use case

-- Luca Filipozzi
Bug#949331: why nfq over pcap
> Is there any advantage to migrating users to NFQ?

With PCAP:
* fwknopd dies if interface is brought down / up

With NFQ:
* fwknopd does not die if the interface is brought down / up

-- Luca Filipozzi
Bug#959157: patch does not address issue
Thank you for moving the bug report to the correct source package. The changes made do not address the bug, I'm afraid. wireguard-dkms fails to install because kernel-image 4.19.0-9 includes a backported change that is not caught by the pragmas in compat.h. This backport might be a Debian-ism that perhaps should not need to be handled in upstream, I'll admit, but wireguard-dkms (and upstream wireguard-linux-compat, of course), fail to build with 4.19.0-9. Let me know if you need anything else from me. -- Luca Filipozzi
Bug#959157: fix for CVE-2020-1749 in linux-image-4.19.0-9 breaks wireguard
Package: wireguard
Version: 1.0.20200319-1~bpo10+1
Severity: grave

Hello wireguard package maintainer,

DSA 4667-1, a Linux security update released on 2020-04-28, includes a fix for CVE-2020-1749 that changes ipv6_stub to use ip6_dst_lookup_flow instead of ip6_dst_lookup. In wireguard-linux-compat/src/compat/compat.h, the following must be corrected such that ipv6_dst_lookup_flow is used for Debian linux kernel 4.19.0-9:

 99 #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 17, 0) && LINUX_VERSION_CODE >= KERNEL_VERSION(3, 16, 83)
100 #define ipv6_dst_lookup_flow(a, b, c, d) ipv6_dst_lookup_flow(b, c, d)
101 #elif (LINUX_VERSION_CODE < KERNEL_VERSION(5, 4, 5) && LINUX_VERSION_CODE >= KERNEL_VERSION(5, 4, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(5, 3, 18) && !defined(ISRHEL82))
102 #define ipv6_dst_lookup_flow(a, b, c, d) ipv6_dst_lookup(a, b, &dst, c) + (void *)0 ?: dst
103 #endif

Otherwise, line 102 is used and the code fails to build from source.

Thanks,
Luca

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (90, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-9-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages wireguard depends on:
ii  wireguard-dkms   0.0.20200318-1~bpo10+1
ii  wireguard-tools  1.0.20200319-1~bpo10+1

wireguard recommends no packages.
wireguard suggests no packages.

-- no debconf information
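An added example, not code from the bug report or from wireguard-linux-compat: the #if/#elif gate quoted above, transcribed into user-space C so the branch chosen for a given LINUX_VERSION_CODE can be checked directly. The has_backport input is an assumption standing in for the feature test that a version-only gate lacks (a distro kernel such as Debian's 4.19.0-9 carries ip6_dst_lookup_flow without a version bump), and the 4.19.118 patch level is a constructed sample.

```c
/* Added example, not from the bug report or wireguard-linux-compat:
 * the compat.h version gate re-created in user space. */
#include <stdbool.h>
#include <stdio.h>

/* Same encoding the kernel uses in <linux/version.h>. */
#define KERNEL_VERSION(a, b, c) (((a) << 16) + ((b) << 8) + (c))

enum lookup_branch {
    BRANCH_NATIVE_FLOW,      /* kernel provides ipv6_dst_lookup_flow itself */
    BRANCH_FLOW_3_16,        /* lines 99-100: 3.16.83+ backport, drop 1st arg */
    BRANCH_EMULATE_WITH_OLD  /* lines 101-102: wrap the old ipv6_dst_lookup */
};

/* isrhel82 mirrors the ISRHEL82 define from the quoted gate; has_backport is
 * the assumed feature test (hypothetical name) the real gate does not have. */
enum lookup_branch select_branch(unsigned code, bool isrhel82, bool has_backport)
{
    /* A distro backport is invisible to version checks, so a feature test
     * has to be consulted before them. */
    if (has_backport)
        return BRANCH_NATIVE_FLOW;
    if (code < KERNEL_VERSION(3, 17, 0) && code >= KERNEL_VERSION(3, 16, 83))
        return BRANCH_FLOW_3_16;
    if ((code < KERNEL_VERSION(5, 4, 5) && code >= KERNEL_VERSION(5, 4, 0)) ||
        (code < KERNEL_VERSION(5, 3, 18) && !isrhel82))
        return BRANCH_EMULATE_WITH_OLD;
    return BRANCH_NATIVE_FLOW;
}

static const char *branch_name(enum lookup_branch b)
{
    switch (b) {
    case BRANCH_NATIVE_FLOW: return "native ipv6_dst_lookup_flow";
    case BRANCH_FLOW_3_16:   return "line 100 (3.16.83+ wrapper)";
    default:                 return "line 102 (ipv6_dst_lookup wrapper)";
    }
}

int main(void)
{
    /* Debian's 4.19.0-9 ABI is a 4.19.y kernel; every 4.19.y code is below
     * 5.3.18, so version-only gating always lands on line 102. */
    unsigned deb_4_19 = KERNEL_VERSION(4, 19, 118); /* constructed sample */
    printf("4.19.y, version gate only:      %s\n",
           branch_name(select_branch(deb_4_19, false, false)));
    printf("4.19.y, with backport detected: %s\n",
           branch_name(select_branch(deb_4_19, false, true)));
    printf("5.4.5:                          %s\n",
           branch_name(select_branch(KERNEL_VERSION(5, 4, 5), false, false)));
    return 0;
}
```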
Bug#949332: additional rules needed
ipset attempts to open additional files so the fwknop apparmor profile needs the following to avoid audit entries:

  /etc/host.conf r,
  /etc/services r,
  /run/resolvconf/resolv.conf r,

The last one because resolvconf turns /etc/resolv.conf into a symlink to /run/resolvconf/resolv.conf

-- Luca Filipozzi
Bug#949332: fwknop-apparmor-profile: consider adding ipset to apparmor profile
Package: fwknop-apparmor-profile
Version: 2.6.10-2
Severity: wishlist

Dear Maintainer,

One of the interesting modes of operation of fwknop-server is the use of CMD_CYCLE_OPEN / CMD_CYCLE_CLOSE to call ipset to add entries to a set. Pedantic system administrators may find that automatic insertion of chains to be irksome and prefer to create/use an ipset in their firewall configurations.

Since the documented[1][2] mode of operation provides an example that uses ipset, please consider adding ipset to the apparmor profile.

Thanks,
Luca

[1]: https://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html#spa-with-ipset
[2]: https://www.cipherdyne.org/blog/2015/12/single-packet-authorization-and-third-party-devices.html

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (90, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-7-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fwknop-apparmor-profile depends on:
ii  fwknop-server  2.6.10-2

fwknop-apparmor-profile recommends no packages.
fwknop-apparmor-profile suggests no packages.

-- Configuration Files:
/etc/apparmor.d/usr.sbin.fwknopd changed:
/usr/sbin/fwknopd {
  #include
  capability ipc_lock,
  capability net_admin,
  capability net_raw,
  network inet raw,
  network inet dgram,
  network inet6 dgram,
  network packet raw,
  network packet dgram,
  /bin/dash rix,
  /bin/bash rix,
  /etc/fwknop/access.conf r,
  /etc/fwknop/fwknopd.conf r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/protocols r,
  @{PROC}/@{pid}/net/ip_tables_names r,
  /root/.gnupg/* rwkl,
  /run/fwknop/ rw,
  /run/fwknop/* rwk,
  /run/xtables.lock rwk,
  /sbin/ipset rix,
  /sbin/xtables-multi rix,
  /usr/bin/gpg rix,
  /usr/sbin/fwknopd mr,
  /usr/sbin/ipset rix,
  /usr/sbin/xtables-nft-multi rix,
  /var/cache/nscd/passwd r,
}

-- no debconf information
Bug#949331: fwknop-server: consider building with nfq support
Package: fwknop-server
Version: 2.6.10-2
Severity: wishlist

Dear Maintainer,

Please consider building fwknopd with both pcap and nfq support so that system administrators may elect to use nfq over pcap if their kernel supports it (which Debian stock kernels do).

Thanks,
Luca

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (90, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-7-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fwknop-server depends on:
ii  init-system-helpers  1.56+nmu1
ii  iptables             1.8.2-4
ii  libc6                2.28-10
ii  libfko3              2.6.10-2
ii  libpcap0.8           1.8.1-6
ii  lsb-base             10.2019051400

fwknop-server recommends no packages.

Versions of packages fwknop-server suggests:
ii  fwknop-apparmor-profile  2.6.10-2
Bug#949323: fwknop-server: does not wait for network-online so fails to start in pcap mode
Package: fwknop-server
Version: 2.6.10-2
Severity: important

Dear Maintainer,

Thank you for packaging fwknop for Debian.

The systemd service file for fwknop-server is missing a Wants directive:

Wants=network-online.target  <-- missing
After=network-online.target

Per the systemd documentation[1], both Wants and After are required when using the network-online.target. Without the Wants directive, fwknop-server, in PCAP mode, fails to start because the interface is not ready.

Thanks,
Luca

[1]: https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (90, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-7-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fwknop-server depends on:
ii  init-system-helpers  1.56+nmu1
ii  iptables             1.8.2-4
ii  libc6                2.28-10
ii  libfko3              2.6.10-2
ii  libpcap0.8           1.8.1-6
ii  lsb-base             10.2019051400

fwknop-server recommends no packages.

Versions of packages fwknop-server suggests:
ii  fwknop-apparmor-profile  2.6.10-2
Bug#870577: libapache2-mod-wsgi: after install of libapache2-mod-wsgi-py3, purge of this package disables wsgi module
Package: libapache2-mod-wsgi
Version: 4.5.11-1
Severity: normal

Dear Maintainer,

Installing libapache2-mod-wsgi-py3 leaves libapache2-mod-wsgi in 'rc' state. Subsequent purge of libapache2-mod-wsgi causes 'wsgi' Apache2 module to be disabled (symlinks removed). Resolved with 'a2enmod wsgi'.

postrm of libapache2-mod-wsgi might need tweaking.

Luca

-- System Information:
Debian Release: 9.1
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libapache2-mod-wsgi depends on:
ii  apache2-bin [apache2-api-20120211]  2.4.25-3+deb9u2
ii  libc6                               2.24-11+deb9u1
pn  libpython2.7
ii  python                              2.7.13-2

libapache2-mod-wsgi recommends no packages.
libapache2-mod-wsgi suggests no packages.
Bug#798033: www.debian.org: get.debian.org rejects HTTPS connections, but redirects to HTTPS site
On Wed, Feb 17, 2016 at 06:15:46PM -0800, Martin Michlmayr wrote:
> * The Wanderer <wande...@fastmail.fm> [2015-09-04 12:17]:
> > When I connect to http://get.debian.org/ in a Web browser, I am
> > redirected to https://www.debian.org/CD/, which is a HTTPS site.
> > However, the initial connection attempt is made over HTTP, and is
> > potentially subject to external observation.
> >
> > When I connect to https://get.debian.org/, I get a near-instant
> > "connection refused" or "failed to connect" error.
> >
> > Initial testing seems to indicate that the same basic behavior occurs
> > with cdimage.debian.org, which is the old name for the service now
> > provided by get.debian.org.
>
> debian-admin: can you help with this?

$ host get.debian.org
get.debian.org is an alias for ftp.acc.umu.se.

Carbon copying Niklas Edmundsson (maswan).

Niklas, I can provide an X.509 certificate.

Let me know,
Luca

-- Luca Filipozzi http://www.crowdrise.com/SupportDebian
Bug#751883: planet.debian.org: https://planet.debian.org broken (certificate and webpage)
We have not deployed an X.509 certificate for planet.debian.org. In other words, planet.debian.org was never available via HTTPS. Currently, it's hosted on machines that host many other websites on the same IP address and you're getting the default HTTPS certificate. Since it is a goal to deploy an X.509 certificate, I'll leave this bug open. -- Luca Filipozzi http://www.crowdrise.com/SupportDebian -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#721283: [www.debian.org] Please mention Bytemark's donation
On Sat, May 10, 2014 at 09:46:05AM +0200, Lucas Nussbaum wrote:
On 08/05/14 at 22:56 +0200, Bernd Zeimetz wrote:
[ CCing leader@ as I think its a rather important thing to discuss ]

Hi,

I object against adding new (and incomplete stuff) to a completely outdated page. We have a lot of people sponsoring hardware, parts, or money for hardware, including some who did never ever ask for a press release - or don't even want to have one and maybe don't want to be mentioned at all. Adding bytemark to https://www.debian.org/misc/equipment_donations looks weird to all those who sponsored stuff and who would like to be there, and maybe even weird to bytemark as they are listed with companies who donated a 20gb drive or similar things years ago (which was EXPENSIVE back at that time).

That page needs to go away, or it needs to be kept up to date by people who actually know who sponsored what and who wants/should be mentioned (and that's not the www team, sorry :)) - either the hardware donations people and/or the Auditors.

Actually I think we should not publish single donations on the web page at all, at least not in this form. If there was a press release its in the archive, but keeping track of all donations is a hard task and prone to problems and errors, and having a general thank you page is at least easier to maintain until we found a proper way to keep track of who-sponsored-what-and-wants-to-be-published-how.

Hi,

I agree with you that some improvement is needed about how we manage and advertise donations. There are plans to do that, but this will likely take time. I don't think that we should stop advertising donations in the meantime.

https://www.debian.org/misc/equipment_donations is useless, so I agreed (in my hw-don role) to its being removed.

bytemark is already listed at https://www.debian.org/partners/

We need to rethink our bronze/silver/gold partner statuses.

-- Luca Filipozzi http://www.crowdrise.com/SupportDebian
Bug#702087: 'guest' role has been created
previously, upstream and local firewalls had been opened
now, a 'guest' role in the pg cluster has been created by alioth admins
please test the pet importer and let us know the result

-- Luca Filipozzi http://www.crowdrise.com/SupportDebian
Bug#698101: duplicate of ca-certificates
Debian already has the ca-certificates package [1] that contains these certificates. Why package them again? We should only have one package for these certificates, not many, in my opinion.

IO::Socket::SSL's constructor accepts the SSL_ca_path named argument which you could set as /etc/ssl/certs rather than setting SSL_ca_file to Mozilla::CA::SSL_ca_file().

[1] http://packages.qa.debian.org/c/ca-certificates.html

-- Luca Filipozzi
Member, Debian System Administration Team
Bug#698101: duplicate of ca-certificates
Please consider one of the two approaches:

(1) modify the tests of libfinance-quote-perl to not require Mozilla::CA
(2) package libmozilla-ca-perl but have it depend on and use ca-certificates.

Please don't create a package with yet another set of root certificates.

On Mon, Jan 14, 2013 at 03:42:21PM +0900, TANIGUCHI Takaki wrote:
I tried to build libfinance-quote-perl package with importing from git HEAD repository locally. It did not required Mozilla::CA to build, but some tests were failed without Mozilla::CA.

-- Luca Filipozzi
Member, Debian System Administration Team
Bug#671626: m4/ntp_openssl.m4 fails to find SSL libraries
the buildd log shows that configure fails to find the SSL libraries:

checking for openssl library directory... no

this test is defined in m4/ntp_openssl.m4

the test looks for libcrypt.[so|a] and libssl.[so|a] in the following directories:
/usr/lib /usr/lib/openssl /usr/sfw/lib /usr/local/lib /usr/local/ssl/lib /lib

perhaps this test needs to be updated due to multiarch?

-- Luca Filipozzi
Bug#670597: libc6: /lib/ld-linux.so.3 symlink not set
Package: libc6
Version: 2.13-30
Severity: grave

Dear Maintainer,

In debugging why /usr/sbin/samhain returned 'No such file or directory', it became evident that the symlink in the subject line is not set:

lfilipoz@hasse:~$ ldd /usr/sbin/samhain
...
/lib/ld-linux.so.3 => /lib/ld-linux-armhf.so.3 (0xb6f51000)
...
lfilipoz@hasse:~$ ls -l /lib/ld-linux.so.3
ls: cannot access /lib/ld-linux.so.3: No such file or directory

Thanks,
Luca

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: armhf (armv7l)
Kernel: Linux 3.2.0-2-mx5
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages libc6 depends on:
ii  libc-bin  2.13-30
ii  libgcc1   1:4.7.0-3

libc6 recommends no packages.

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.42
ii  glibc-doc              none
ii  locales-all [locales]  2.13-30

-- debconf information excluded
Bug#598233: mirror submission for mirrors.ece.ubc.ca
On 11-01-16 10:55 AM, Simon Paillard wrote:
Hi Luca,

Last questions to complete information about the mirror at UBC:

On Mon, Sep 27, 2010 at 08:45:38PM +0200, Simon Paillard wrote:
On Mon, Sep 27, 2010 at 05:30:37PM +, Luca Filipozzi wrote:
Package: mirrors
Severity: wishlist
Submission-Type: new
Site: mirrors.ece.ubc.ca
Aliases: xyzzy

Could you please set the ftpsync MIRRORNAME to mirrors.ece.ubc.ca ?

done

Type: leaf
Archive-architecture: ALL alpha amd64 arm armel hppa hurd-i386 i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc s390 sparc
Archive-http: /debian/
Archive-upstream: ravel.debian.org
Backports-http: /debian-backports/
Backports-upstream: morricone.debian.org
Volatile-http: /debian-volatile/
Volatile-upstream: mirror.csclub.uwaterloo.ca
IPv6: no
Updates: push
Maintainer: Luca Filipozzi mirr...@ece.ubc.ca
Country: CA Canada
Location: Vancouver
Sponsor: UBC Electrical and Computer Engineering http://www.ece.ubc.ca/
Comment: backports not yet using push-based mirroring from morricone;

How much bandwidth is available for this mirror ?

only limited by UBC's link to the Internet... but we shouldn't advertise that

-- Luca Filipozzi
Bug#598233: mirror submission for mirrors.ece.ubc.ca
Package: mirrors
Severity: wishlist

Submission-Type: new
Site: mirrors.ece.ubc.ca
Aliases: xyzzy
Type: leaf
Archive-architecture: ALL alpha amd64 arm armel hppa hurd-i386 i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc s390 sparc
Archive-http: /debian/
Backports-http: /debian-backports/
Volatile-http: /debian-volatile/
IPv6: no
Archive-upstream: ravel.debian.org
Backports-upstream: morricone.debian.org
Volatile-upstream: mirror.csclub.uwaterloo.ca
Updates: push
Maintainer: Luca Filipozzi mirr...@ece.ubc.ca
Country: CA Canada
Location: Vancouver
Sponsor: UBC Electrical and Computer Engineering http://www.ece.ubc.ca/
Comment: backports not yet using push-based mirroring from morricone; not all archs yet, either
 volatile is from 3rd-level ... would like to switch to push based mirroring from debian host at UBC-ECE if available
Bug#598233: mirror submission for mirrors.ece.ubc.ca
On 10-09-27 11:45 AM, Simon Paillard wrote:
Do you plan to mirror all archs for backports ?

yes... don't think i'll have a space problem

Could you please use ftpsync for backports and volatile mirroring? (you just need a ftpsync-volatile.conf and ftpsync-backports.conf).

done!

-- Luca Filipozzi
Director of Operations, Electrical and Computer Engineering
Bug#433568: add vlan support
Package: debian-installer
Severity: wishlist

Please consider adding vlan support to debian-installer. There are cases (edge cases, admittedly) where machines and switches have been configured to use vlan tagging. A reinstall of these machines requires a network reconfiguration. vlan support in the installer would avoid this reconfiguration.

Thanks for reading this far.

-- Luca Filipozzi
Linux gives us the power we need to crush those that oppose us. - switchlinux
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E 09C1 3573 32C4 5A82 7A2D