Re: [SECURITY] [DSA 3027-1] libav security update
On Thu, 18 Sep 2014, Paul Wise wrote:
> On Thu, Sep 18, 2014 at 7:30 AM, Bruce Eason wrote:
> > YIKES!! can i help?
>
> The Debian security team can always use some help finding, fixing and tracking security issues. Please read the following pages and join our IRC channel if you would like to help out.

There is one thing that would be of great value: We need someone to go over the debian-backports packages for pending security updates, and notify the maintainers of the backports or the backports ML.

Currently, at least file and libav are vulnerable in debian-backports. It is likely that other packages in debian-backports also require updates.

-- 
One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot

Henrique Holschuh

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140918120732.ga19...@khazad-dum.debian.net
security issues in backports (Re: [SECURITY] [DSA 3027-1] libav security update
Hi,

On Thursday, 18 September 2014, Henrique de Moraes Holschuh wrote:
> There is one thing that would be of great value: We need someone to go over the debian-backports packages for pending security updates, and notify the maintainers of the backports or the backports ML.

I'm working on getting https://security-tracker.debian.org/tracker/status/release/stable-backports meaningful for this task. Give me some more days... ;-)

> Currently, at least file and libav are vulnerable in debian-backports. It is likely that other packages in debian-backports also require updates.

oh, yes! :/

cheers,
	Holger
Re: security issues in backports (Re: [SECURITY] [DSA 3027-1] libav security update
Hi,

On Thursday, 18 September 2014, Holger Levsen wrote:
> I'm working on getting https://security-tracker.debian.org/tracker/status/release/stable-backports meaningful for this task. Give me some more days... ;-)

for those not familiar with the current security-tracker development: for the regular suites (oldstable, stable, testing and unstable) the above url works nicely, just for (oldstable|stable)-backports it's currently not correctly implemented and thus broken.

cheers,
	Holger
Re: concrete steps for improving apt downloading security and privacy
Holger Levsen wrote:
> Hi Hans,
>
> On Wednesday, 16 July 2014, Hans-Christoph Steiner wrote:
> > What I'm talking about already exists in Debian, but is rarely used. dpkg-sig creates a signature that is embedded in the .deb file. So that means no matter how the .deb file got onto a system, that signature can be verified. I'm proposing to start making dpkg-sig a standard part of official .deb files. This can be done in stages to make it manageable. Here's a rough idea of that:
>
> how about you file a bug against dpkg-sig and put your plan and justification in there. Here on the mailinglist it will just be lost...

Finally did this: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762153

And someone else filed a bug to get apt-transport-https included in apt: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756535

.hc
RE: [SECURITY] [DSA 3025-2] apt regression update
UNSUBSCRIBE!

From: car...@debian.org
To: debian-security-annou...@lists.debian.org
Date: Thu, 18 Sep 2014 20:30:42 +
Subject: [SECURITY] [DSA 3025-2] apt regression update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3025-2                   secur...@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
September 18, 2014                     http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : apt
Debian Bug     : 762079

The previous update for apt, DSA-3025-1, introduced a regression when file:/// sources are used and those are on a different partition than the apt state directory. This update fixes the regression.

For reference, the original advisory follows.

It was discovered that APT, the high level package manager, does not properly invalidate unauthenticated data (CVE-2014-0488), performs incorrect verification of 304 replies (CVE-2014-0487), does not perform the checksum check when the Acquire::GzipIndexes option is used (CVE-2014-0489) and does not properly perform validation for binary packages downloaded by the apt-get download command (CVE-2014-0490).

For the stable distribution (wheezy), this problem has been fixed in version 0.9.7.9+deb7u4.

For the unstable distribution (sid), this problem has been fixed in version 1.0.9.1.

We recommend that you upgrade your apt packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

Archive: https://lists.debian.org/e1xuili-00039r...@master.debian.org
Re: concrete steps for improving apt downloading security and privacy
On Fri, Sep 19, 2014 at 9:30 AM, Hans-Christoph Steiner wrote:
> Finally did this: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762153

Please note that your proposal to add signatures to .deb files will break reproducible builds because the hash of the .deb will differ depending on who signed it:

https://wiki.debian.org/ReproducibleBuilds

I think it would be far better to ship detached signatures in the archive since that allows for reproducible builds and also means there could be more than one signer (say one buildd, one Debian sponsor and one package maintainer).

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Archive: https://lists.debian.org/CAKTje6EGFXcOpT3K7C2imneW4FPxnypwQfNUMjuLZ3=k1pf...@mail.gmail.com
Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
On 09/19/2014 12:34 AM, Paul Wise wrote:
> On Fri, Sep 19, 2014 at 9:30 AM, Hans-Christoph Steiner wrote:
> > Finally did this: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762153
>
> Please note that your proposal to add signatures to .deb files will break reproducible builds because the hash of the .deb will differ depending on who signed it:
>
> https://wiki.debian.org/ReproducibleBuilds
>
> I think it would be far better to ship detached signatures in the archive since that allows for reproducible builds and also means there could be more than one signer (say one buildd, one Debian sponsor and one package maintainer).

I agree with pabs on this.

fwiw, i'm also hoping that we can ship at least one other signature for the upstream tarball (where such a thing exists):

https://bugs.debian.org/759478

We also had a discussion in the reproducible-builds BoF at DC14 about how to deal with signatures on .buildinfo files, and came to the same conclusion: that a .buildinfo file should have detached signatures, to allow for multiple (corroborative) signers:

https://wiki.debian.org/ReproducibleBuilds#A.buildinfo_signatures

Note that a signature over a .buildinfo file should effectively cover the digest of the built .deb files, which should create a strong cryptographic chain if you trust the hash function.

Given that we would ultimately like one or more signed .buildinfo files shipped in the archive, and that they represent a way to have a builder's signature over a .deb, i think these make the idea of an internally-signed .deb redundant.

Thanks to everyone who is thinking about and working on improving the cryptographic integrity of the archive!

--dkg
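The two designs argued over in this thread (the dpkg-sig style signature embedded in the .deb from Hans-Christoph's proposal, versus pabs's and dkg's detached signatures over a .buildinfo that carries the .deb's digest) can be contrasted in a few lines. The following is an added example written for this page; it is not code from the thread, from dpkg-sig, or from any Debian tool. The sample .deb bytes and the signer keys are constructed, and the "signature" is a keyed SHA-256 standing in for an OpenPGP signature, since only the hash chain matters here, not the signature algorithm.

```python
import hashlib
import hmac
import re

# Constructed sample: bytes standing in for a reproducibly built .deb.
SAMPLE_DEB = b"!<arch>\ndebian-binary 2.0\ncontrol.tar.xz ...\ndata.tar.xz ...\n"

# Constructed keys; stand-ins for the buildd's, sponsor's and maintainer's
# OpenPGP keys (the three signers pabs mentions).
SIGNER_KEYS = {
    "buildd": b"constructed-key-buildd",
    "sponsor": b"constructed-key-sponsor",
    "maintainer": b"constructed-key-maintainer",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, data: bytes) -> bytes:
    """Stand-in for an OpenPGP signature: keyed SHA-256 over the exact bytes signed."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


def embed_signature(deb: bytes, signer: str, key: bytes) -> bytes:
    """Model of an in-archive (dpkg-sig style) signature: the signature is
    appended as a new ar member, so the bytes of the .deb itself change and
    each signer ends up with a differently hashed .deb."""
    sig = sign(key, deb)
    member = b"_gpg" + signer.encode() + b"\n" + sig.hex().encode() + b"\n"
    return deb + member


def make_buildinfo(source: str, version: str, deb_name: str, deb: bytes) -> bytes:
    """Minimal .buildinfo-like record (hypothetical layout) listing the
    digest and size of the built .deb; the .deb itself is left untouched."""
    return (
        f"Format: 1.0\nSource: {source}\nVersion: {version}\n"
        f"Checksums-Sha256:\n {sha256_hex(deb)} {len(deb)} {deb_name}\n"
    ).encode()


CHECKSUM_LINE = re.compile(r"^ ([0-9a-f]{64}) (\d+) (\S+)$", re.M)


def parse_checksums(buildinfo: bytes) -> dict:
    """Map file name -> (sha256 hex digest, size) from the Checksums-Sha256 block."""
    return {name: (digest, int(size))
            for digest, size, name in CHECKSUM_LINE.findall(buildinfo.decode())}


def verify_chain(deb_name: str, deb: bytes, buildinfo: bytes,
                 detached_sigs: dict, keys: dict) -> list:
    """Return the signers whose detached signature over the .buildinfo verifies,
    but only if the .buildinfo's digest matches the .deb we actually have.
    A .deb that does not match the digest is vouched for by nobody."""
    digest, size = parse_checksums(buildinfo).get(deb_name, (None, None))
    if digest != sha256_hex(deb) or size != len(deb):
        return []
    return sorted(s for s, sig in detached_sigs.items()
                  if s in keys and verify(keys[s], buildinfo, sig))


def demo() -> dict:
    deb_name = "example_1.0-1_amd64.deb"
    # Embedded signatures: three signers, three different .deb files.
    embedded_hashes = {s: sha256_hex(embed_signature(SAMPLE_DEB, s, k))
                       for s, k in SIGNER_KEYS.items()}
    # Detached signatures: everyone signs the same .buildinfo, one .deb.
    buildinfo = make_buildinfo("example", "1.0-1", deb_name, SAMPLE_DEB)
    detached = {s: sign(k, buildinfo) for s, k in SIGNER_KEYS.items()}
    return {
        "original_hash": sha256_hex(SAMPLE_DEB),
        "embedded_hashes": embedded_hashes,
        "valid_signers": verify_chain(deb_name, SAMPLE_DEB, buildinfo, detached, SIGNER_KEYS),
        # A .deb whose bytes differ from what the .buildinfo records fails the chain.
        "tampered_signers": verify_chain(deb_name, SAMPLE_DEB + b"x", buildinfo, detached, SIGNER_KEYS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows three distinct digests for the embedded-signature variants against one unchanged digest for the detached variant, with all three signers verifying over the same .buildinfo and none of them verifying a .deb whose bytes no longer match the recorded digest; that is the chain dkg describes, and it holds only as long as the hash function does.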
Bug#479727: marked as done (security-tracker: Show unimportant issues in some way on package overview)
Your message dated Thu, 18 Sep 2014 07:53:49 +0200
with message-id 20140918055349.ga7...@lorien.valinor.li
and subject line Re: Bug#479727: security-tracker: Show unimportant issues in some way on package overview
has caused the Debian Bug report #479727,
regarding security-tracker: Show unimportant issues in some way on package overview
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
479727: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=479727
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: security-tracker
Severity: wishlist

Hi,

Currently, issues marked as unimportant disappear entirely off the radar, which is not a big problem. I think for clarity however it would be better if they were displayed somewhere so users can see we know that such a CVE applies to the package, but we just disregard it.

Maybe one of the following options:
- Add them between the other CVEs under Open or Resolved, but mark them specifically (e.g.: strike, or gray, ...)
- Add a third section after Open and Resolved, being Non-issues.

cheers,
Thijs

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.18-6-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
---End Message---

---BeginMessage---
Hi Thijs,

I just stumbled over #479727 in the BTS. I think this is already resolved since a while, the per package page shows the open unimportant. Closing the bug with this message.

Regards,
Salvatore
---End Message---