Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
On 22.09.14 at 01:52, Paul Wise wrote:
> On Mon, Sep 22, 2014 at 2:04 AM, Elmar Stellnberger wrote:
>> A package with some new signatures added is no more the old package. That is exactly what we do *not* want for reproducible builds. It should have a different checksum and be made available again for update.
>
> The Debian archive does not allow files to change their checksum, so every signature addition requires a new version number. That sounds like a bad idea to me.

Yes, that is something we definitely do not want. Nonetheless it would still be an issue to have the package and the signatures in one file because we usually need them together.

My only idea to realize this in spite of the said objection would be another proposal: put the .deb and the signatures into one .ar called .sdeb and make tools like dpkg work on .sdebs or on .deb + signatures respectively. Whenever someone offers some packages for download, that will be in the form of .sdebs, while official Debian repositories may separate both kinds of files. User interfaces like http://debtags.debian.net/search/ could then generate .sdebs on the fly to satisfy petted users.

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/541fd8a3.3030...@gmail.com
Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
On 09/22/2014 04:07 AM, Elmar Stellnberger wrote:
> On 22.09.14 at 01:52, Paul Wise wrote:
>> The Debian archive does not allow files to change their checksum, so every signature addition requires a new version number. That sounds like a bad idea to me.
>
> Yes, that is something we definitely do not want. Nonetheless it would still be an issue to have the package and the signatures in one file because we usually need them together.
>
> My only idea to realize this in spite of the said objection would be another proposal: put the .deb and the signatures into one .ar called .sdeb and make tools like dpkg work on .sdebs or on .deb + signatures respectively. Whenever someone offers some packages for download, that will be in the form of .sdebs, while official Debian repositories may separate both kinds of files. User interfaces like http://debtags.debian.net/search/ could then generate .sdebs on the fly to satisfy petted users.

This is almost exactly what I proposed a couple days ago on the reproducible-builds mailing list [0], except that I used the extension .debs instead of .sdeb :)

--dkg

[0] http://lists.alioth.debian.org/pipermail/reproducible-builds/Week-of-Mon-20140915/000432.html
Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
On 09/21/2014 02:04 PM, Elmar Stellnberger wrote:
> a well programmed dpkg-cmp.
> ... and as long as the tool should not be available simply un-ar and compare the data.tar.gz-s.

fwiw, this suggestion fails to compare the contents of control.tar.gz, which includes the maintainer scripts (preinst, postinst, etc). If someone wanted to damage your system with a modified package, modified preinst and postinst scripts would be much more effective (they run as root, automatically upon package installation!) than just tweaking a given binary.

I just wanted to point out that this theoretical dpkg-cmp is at least slightly more complex than the above suggestion makes it out to be. And of course there are many other tools already that use plain old cmp or digest comparisons against .deb packages, and thinking about how to interoperate with existing infrastructure is important.

--dkg
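A worked illustration of the point dkg makes above, added here as an example and not taken from the thread or from any Debian tool: a small comparer that unpacks the ar container of two .deb files and compares the entries of control.tar.* (control file and maintainer scripts) as well as data.tar.*, and also reports ar members present in only one of the two (for instance an added signature member). The sample packages are constructed inline with a minimal ar writer and deterministic tarballs; the member name `_gpgbuilder` and the package contents are assumptions chosen for the demonstration, not real packages. `data_only_identical` is the shortcut from the thread (compare only the data tarballs); `compare_debs` is the fuller comparison.

```python
"""Compare two .deb packages member by member, including control.tar.*.

A .deb is an ar archive holding debian-binary, control.tar.* (control file
plus maintainer scripts) and data.tar.* (installed files). Comparing only the
data tarball misses changes to preinst/postinst; this compares both, plus
any extra ar members a tool may have added (e.g. a detached signature).
"""
import gzip
import hashlib
import io
import tarfile

AR_MAGIC = b"!<arch>\n"


def ar_members(blob: bytes) -> dict:
    """Parse a common-format ar archive into {member name: raw bytes}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos < len(blob):
        hdr = blob[pos:pos + 60]  # fixed 60-byte member header
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("truncated or malformed ar header")
        name = hdr[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # member data is padded to 2 bytes
    return members


def tar_entries(blob: bytes) -> dict:
    """Map each tar path to (type, mode, sha256) so content, not compression, is compared."""
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        for m in tf:
            digest = hashlib.sha256(tf.extractfile(m).read()).hexdigest() if m.isfile() else ""
            entries[m.name] = (m.type, m.mode, digest)
    return entries


def compare_debs(deb_a: bytes, deb_b: bytes) -> list:
    """Return sorted (ar member, path, status) triples; an empty list means identical."""
    ma, mb = ar_members(deb_a), ar_members(deb_b)
    diffs = []
    for name in sorted(set(ma) | set(mb)):
        if name not in ma or name not in mb:
            diffs.append((name, "", "only-in-a" if name in ma else "only-in-b"))
        elif name.startswith(("control.tar", "data.tar")):
            ea, eb = tar_entries(ma[name]), tar_entries(mb[name])
            for path in sorted(set(ea) | set(eb)):
                if path not in ea or path not in eb:
                    diffs.append((name, path, "only-in-a" if path in ea else "only-in-b"))
                elif ea[path] != eb[path]:
                    diffs.append((name, path, "changed"))
        elif ma[name] != mb[name]:
            diffs.append((name, "", "changed"))
    return diffs


def data_only_identical(deb_a: bytes, deb_b: bytes) -> bool:
    """The shortcut from the thread: un-ar and compare only the data.tar.* members."""
    da = [v for k, v in ar_members(deb_a).items() if k.startswith("data.tar")]
    db = [v for k, v in ar_members(deb_b).items() if k.startswith("data.tar")]
    return da == db


# --- constructed sample packages (not real Debian packages) -----------------

def build_tar_gz(files: dict) -> bytes:
    """Deterministic .tar.gz from {path: (mode, content)}; mtimes pinned to 0."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, (mode, content) in sorted(files.items()):
            ti = tarfile.TarInfo(path)
            ti.size, ti.mode, ti.mtime = len(content), mode, 0
            tf.addfile(ti, io.BytesIO(content))
    return gzip.compress(buf.getvalue(), mtime=0)


def build_ar(members: list) -> bytes:
    """Minimal ar writer: [(name, bytes), ...] -> archive bytes."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        hdr = f"{name:<16}{'0':<12}{'0':<6}{'0':<6}{'100644':<8}{len(data):<10}".encode("ascii")
        out += hdr + b"`\n" + data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)


DATA = build_tar_gz({"usr/bin/hello": (0o755, b"#!/bin/sh\necho hello\n")})
CONTROL_A = build_tar_gz({"control": (0o644, b"Package: hello\nVersion: 1.0\n"),
                          "postinst": (0o755, b"#!/bin/sh\nset -e\n")})
# Same control file and same data.tar, but the postinst differs by one line.
CONTROL_B = build_tar_gz({"control": (0o644, b"Package: hello\nVersion: 1.0\n"),
                          "postinst": (0o755, b"#!/bin/sh\nset -e\necho configured\n")})
DEB_A = build_ar([("debian-binary", b"2.0\n"), ("control.tar.gz", CONTROL_A), ("data.tar.gz", DATA)])
DEB_B = build_ar([("debian-binary", b"2.0\n"), ("control.tar.gz", CONTROL_B), ("data.tar.gz", DATA),
                  ("_gpgbuilder", b"PLACEHOLDER-SIGNATURE\n")])  # assumed extra member name

if __name__ == "__main__":
    print("data.tar only:", "identical" if data_only_identical(DEB_A, DEB_B) else "differs")
    for member, path, status in compare_debs(DEB_A, DEB_B):
        print(f"{member}:{path or '-'} {status}")
```

Run stand-alone, the data-only check reports the two packages as identical while the full comparison flags `control.tar.gz:postinst changed` and the extra `_gpgbuilder` member; entries are compared by type, mode and content hash so that a repacked tarball with different compression but the same files does not register as a change.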
External check
CVE-2014-3640: RESERVED
CVE-2014-3655: RESERVED

--
The output might be a bit terse, but the above ids are known elsewhere; check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.

-- 
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/541fc594.ntlxna38rcvtdumw%atomo64+st...@gmail.com
Guidance on no-dsa and adding entries to dsa/dla-needed.txt
Hello,

I'm in the process of reviewing open CVEs in oldstable and deciding whether each must be added to dla-needed.txt or not. I have multiple questions:

1/ Is there a page on the security tracker that lists packages with open vulnerabilities in stable/oldstable which are neither unimportant, nor marked no-dsa, and not present in dsa/dla-needed? (I could not find one.) Shall I file a wishlist request for this?

2/ Since we decided early on to mark squeeze as no-dsa when wheezy was also marked as such, I wonder what I should do when no such decision has been made yet (i.e. the package is not in dsa-needed.txt but the CVE entry also doesn't have any no-dsa or unimportant tag). I would like to have some guidelines on when it's appropriate to mark something as no-dsa or when it's better to add it to dsa/dla-needed (apparently I made a bad decision once already, since Moritz reverted http://anonscm.debian.org/viewvc/secure-testing?view=revision&revision=28950). This information is not available in http://security-team.debian.org/security_tracker.html

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/

Archive: https://lists.debian.org/20140922123017.gb20...@x230-buxy.home.ouaza.com
Re: Guidance on no-dsa and adding entries to dsa/dla-needed.txt
Hi Raphael,

thanks for your work on triaging oldstable related CVEs!

On Monday, 22 September 2014, Raphael Hertzog wrote:
> 1/ is there a page on the security tracker that lists packages with open vulnerabilities in stable/oldstable which are neither unimportant, nor marked no-dsa and not present in dsa/dla-needed ? (I could not find one)

I have patches very much pending (= I will probably bring them live today or, if not today, then tomorrow) which allow you to set proper filters for https://security-tracker.debian.org/tracker/status/release/oldstable so you can there see what you wanna see.

cheers,
Holger
Bug#762069: marked as done (security-tracker does not update NVD information anymore)
Your message dated Mon, 22 Sep 2014 19:14:23 +0200
with message-id 20140922171423.GA26721@eldamar.local
and subject line Re: Bug#762069: security-tracker does not update NVD information anymore
has caused the Debian Bug report #762069,
regarding security-tracker does not update NVD information anymore
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
762069: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762069
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: security-tracker
Severity: normal
Tags: confirmed

Hi,

I'm looking into this problem, but would like to have the problem documented in the BTS.

Currently, since we switched to fetching information through https, updates of NVD information for the security-tracker do not work anymore. Makefile contains an update-nvd target, which fetches the nvde-$year information via https:

wget -q -Odata/nvd/$$name https://nvd.nist.gov/download/$$name

ERROR: The certificate of `nvd.nist.gov' is not trusted.
ERROR: The certificate of `nvd.nist.gov' hasn't got a known issuer.

Solution: We need (as for example also needed for qa's vcs-watch) our own CA store for the security-tracker which is used on soler.

Regards,
Salvatore
---End Message---

---BeginMessage---
Hi

This is now done by keeping a certificate store for the sectracker user which is then used when fetching the data.

Regards,
Salvatore
---End Message---
Bug#742382: Display oldstable/stable security and oldstable-lts repositories in tabular view. (Closes: #742382)
Hi,

On Monday, 22 September 2014, Christoph Biedl wrote:
> While the new appearance of the security tracker is a *huge* improvement, both in information details and design, thanks for that,

thanks!

> As a suggestion for the above issue:
>
> + squeeze, squeeze (security)   5.04-5+squeeze5   [gray] No longer supported¹
> | squeeze (lts)                 5.04-5+squeeze7   [green] fixed
> + wheezy                        5.11-2+deb7u3     [light red] fix pending²
> | wheezy (security)             5.11-2+deb7u5     [green] fixed
> | jessie, sid                   1:5.19-2          [green] fixed

I like the idea of using more colors...

> + ¹ The squeeze suite has been discontinued. Use the squeeze-lts version

That's (slightly) misleading and wrong, though.

> + ² Will be handled in due course. Use the wheezy (security) version
>
> The footnotes are part of the text. And yes, they'd have to appear on every page. Your opinion on that?

yes, true, the security tracker still has some bugs which need to be fixed. Specific suggestions (like colors or footnotes) are best suggested in separate short bugs, yet best with patches :-)

That said, I don't agree with the described urgency / panic. Debian might look bad because of bad things we do or good things we don't do, but seldom because our security tracker is too accurate (or even inaccurate/wrong at times) :-)

cheers,
Holger
Bug#642987: EOL-support patch updated, to apply against new checkboxes code
Hi,

see mail subject and attached file.

[00:53] h01ger | buxy: I have a patch to display end-of-life too, #642987 - I just don't like abusing urgency for it as I do. I'd rather have Florian's db remodelling.. but I might still commit this one to svn, as perfect is the enemy of good also here, and the EOL code can also be refactored, once the model is redone :)

cheers,
Holger

From a96948b3ef4e4a40107cc8f00b9af584b6d26fb6 Mon Sep 17 00:00:00 2001 From: Holger Levsen hol...@layer-acht.org Date: Sat, 13 Sep 2014 02:02:42 +0200 Subject: [PATCH] Display end-of-life information in the web view. (Closes: #642987) --- bin/tracker_service.py| 7 ++- lib/python/bugs.py| 4 ++-- lib/python/security_db.py | 8 +--- 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/bin/tracker_service.py b/bin/tracker_service.py index d3c8b10..83a53bd 100644 --- a/bin/tracker_service.py +++ b/bin/tracker_service.py @@ -29,6 +29,7 @@ class BugFilter: ('low_urgency', 'low', 'urgency'), ('unimportant_urgency', 'unimportant', 'urgency'), ('unassigned_urgency', 'not_yet_assigned', 'urgency'), + ('endoflife_urgency', 'end-of-life', 'urgency'), ('remote', 'hide remote scope', 'scope'), ('local', 'hide local scope', 'scope'), @@ -76,7 +77,9 @@ class BugFilter: and urg == 'unimportant' filteruna = not self.params['unassigned_urgency'] \ and urg == 'not yet assigned' -return filterlow or filtermed or filterhigh or filterund or filteruni or filteruna +filterend = not self.params['endoflife_urgency'] \ +and urg == 'end-of-life' +return filterlow or filtermed or filterhigh or filterund or filteruni or filteruna or filterend def remoteFiltered(self, remote): filterr = self.params['remote'] and remote and remote is not None @@ -420,6 +423,8 @@ data source.)], else: rel = '(unstable)' urgency = str(n.urgency) + if urgency == 'end-of-life': + urgency = self.make_red('end-of-life') if n.fixed_version: ver = str(n.fixed_version) if ver == '0':
diff --git a/lib/python/bugs.py b/lib/python/bugs.py index a147e74..9247085 100644 --- a/lib/python/bugs.py +++ b/lib/python/bugs.py @@ -24,7 +24,7 @@ class Urgency(debian_support.PseudoEnum): pass def listUrgencies(): urgencies = {} -urgs = ('high', 'medium', 'low', 'unimportant', 'not yet assigned') +urgs = ('high', 'medium', 'low', 'unimportant', 'end-of-life', 'not yet assigned') for u in range(len(urgs)): urgencies[urgs[u]] = Urgency(urgs[u], -u) Urgency.urgencies = urgencies @@ -579,7 +579,7 @@ class FileBase(debian_support.PackageFile): comments.append(('NOTE', r)) elif v == 'end-of-life': pkg_notes.append(PackageNoteParsed - (p, '0', 'unimportant', + (p, None, 'end-of-life', release=release)) if d: # Not exactly ideal, but we have to diff --git a/lib/python/security_db.py b/lib/python/security_db.py index 088d4b5..52abb93 100644 --- a/lib/python/security_db.py +++ b/lib/python/security_db.py @@ -274,7 +274,7 @@ class DB: subrelease TEXT NOT NULL, status TEXT NOT NULL CHECK (status IN ('vulnerable', 'fixed', 'unknown', 'undetermined', - 'partially-fixed', 'todo')), + 'partially-fixed', 'todo', 'end-of-life')), reason TEXT NOT NULL, PRIMARY KEY (bug_name, release, subrelease))) @@ -1305,7 +1305,8 @@ class DB: AND n.id = vulnlist.note ORDER BY vulnlist.package)): if fixed_version == '0' or urgency == 'unimportant' \ - or kind not in ('source', 'binary', 'unknown'): +or urgency == 'end-of-life' \ +or kind not in ('source', 'binary', 'unknown'): continue # Normalize FAKE-* names a bit. The line number (which @@ -1500,7 +1501,8 @@ class DB: # packages as vulnerable. (If unstable_fixed == '0', # release-specific annotations cannot create # vulnerabilities, either.) -if total_urgency == 'unimportant' or unstable_fixed == '0': +if total_urgency == 'unimportant' or unstable_fixed == '0' \ +or total_urgency == 'end-of-life': continue if
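Review bot: the lib/python/bugs.py hunk in FileBase changes more than the display. Replacing `PackageNoteParsed(p, '0', 'unimportant', ...)` with `PackageNoteParsed(p, None, 'end-of-life', ...)` moves the fixed version from '0' (package not affected) to None (no fix known), so every consumer that used to suppress these notes through `fixed_version == '0'` now has to test the urgency as well; that is why both security_db.py hunks have to add `or urgency == 'end-of-life'` and `or total_urgency == 'end-of-life'`. Any remaining `fixed_version == '0'` check not touched by this patch will start listing end-of-life packages as vulnerable. Either keep '0' as the fixed version and add only the urgency (then the display change in tracker_service.py suffices), or audit the other callers before committing; the IRC note above already concedes that the urgency field is being abused for this.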
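Review bot: the first lib/python/security_db.py hunk adds 'end-of-life' to the CHECK constraint on the status column, but no hunk in this patch ever writes that status value (the end-of-life handling elsewhere in the patch goes through the urgency, not the status). If nothing sets it, the schema change is dead; if something outside this patch does, that code should be included. Also, a CHECK constraint is part of the table definition, so if the tracker's database is SQLite an existing database file keeps the old constraint until the table is recreated, and the patch should say how deployed instances get the new schema.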
Processed: merge
Processing commands for cont...@bugs.debian.org:

severity 762288 wishlist
Bug #762288 [security-tracker] security-tracker: available versions table is unnecessary
Severity set to 'wishlist' from 'normal'

merge 761963 762288
Bug #761963 [security-tracker] security-tracker: consolidate vulnerable/fixed per release in overviews
Bug #762288 [security-tracker] security-tracker: available versions table is unnecessary
Merged 761963 762288

thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
761963: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761963
762288: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762288
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Archive: https://lists.debian.org/handler.s.c.141142706226717.transcr...@bugs.debian.org