Re: [SECURITY] [DSA 3661-1] charybdis security update

2016-09-06 Thread Michael P. Hofmann
unsubscribe



MPHOFMANN 
MS MIT Business School 
dipl.Ing.ETH  lic.oec.HSG 
+41 78 796 4010 <+41787964010>

On Tue, Sep 6, 2016 at 10:14 PM, Moritz Muehlenhoff  wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
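> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-3661-1                   secur...@debian.org
> https://www.debian.org/security/                       Moritz Muehlenhoff
> September 06, 2016                   https://www.debian.org/security/faq
> - -------------------------------------------------------------------------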
>
> Package: charybdis
> CVE ID : CVE-2016-7143
>
> It was discovered that incorrect SASL authentication in the Charybdis
> IRC server may lead to users impersonating other users.
>
> For the stable distribution (jessie), this problem has been fixed in
> version 3.4.2-5+deb8u2.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 3.5.3-1.
>
> We recommend that you upgrade your charybdis packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org


Verification of downloads/mirrors from $MIRROR//debian/dists/jessie/main/installer-amd64/

2016-09-06 Thread Mirko Vogt
Hello,

I'm using libvirt/virt-install and Debian (stable) as guest system for a
few VMs and I'd like to use a trusted/verifiable source for the Debian
system which ends up running inside those VMs.

Using `virt-install` provides several ways of how to install/bootstrap
such a system, however as I need to inject a preseed script (d-i), it
apparently only leaves me with the option of pointing to the location of
an installer via `--location`.

Background is that injecting preseed scripts only works when
`virt-install` is invoked with `--location` (not `--cdrom`). Although
according to the man page it should work, ISO images - which could be
easily verified - can't be used in conjunction with `--location`.

That leaves me with invoking `virt-install` with e.g.
  `--location /var/lib/libvirt/roots/debian/dists/jessie/main/installer-amd64/`,
  `--location http://ftp.debian.org/debian/dists/jessie/main/installer-amd64/`
or similar.

However for those bootstrapping methods I fail to find any way of
verification (signatures, checksumming, etc.) at all.
Even simple HTTPS wasn't available on *any* of the mirrors I tried.

So, my question basically is: Is there any way for me to verify the
downloaded installer which I seem to need when using `virt-install` in
conjunction with a preseed-script?
Alternative: Can I inject a preseed script when using `virt-install` in
conjunction with a verifiable ISO installation media?

Thanks a lot in advance

  - mirko
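
For the verification question in the message above, an added example (not part of the original post and not a Debian tool): a hash-chain check from a suite's Release file down to the installer's boot files. It assumes the Release file has already passed signature verification (for instance with `gpgv` against the Debian archive keyring), that it lists `main/installer-amd64/current/images/SHA256SUMS`, and that this file lists the netboot kernel and initrd; all sample data and function names are constructed for illustration.

```python
import hashlib

SUMS_PATH = "main/installer-amd64/current/images/SHA256SUMS"  # assumed Release entry

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def release_sha256_entries(release_text):
    """Map path -> (digest, size) from the 'SHA256:' field of a Release file."""
    entries, in_field = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        elif in_field:
            break  # the next top-level field ends the list
    return entries

def verify_installer(release_text, sums_bytes, files):
    """Check SHA256SUMS against Release, then each file against SHA256SUMS.

    release_text must already have passed signature verification.
    files maps paths as written in SHA256SUMS to the downloaded bytes.
    Returns the sorted verified paths; raises ValueError on any mismatch.
    """
    entries = release_sha256_entries(release_text)
    if SUMS_PATH not in entries:
        raise ValueError("Release does not list " + SUMS_PATH)
    digest, size = entries[SUMS_PATH]
    if len(sums_bytes) != size or sha256(sums_bytes) != digest:
        raise ValueError("SHA256SUMS does not match Release")
    listed = {}
    for line in sums_bytes.decode().splitlines():
        file_digest, path = line.split(None, 1)
        listed[path] = file_digest
    for path, data in files.items():
        if listed.get(path) != sha256(data):
            raise ValueError("hash mismatch or unlisted file: " + path)
    return sorted(files)

def constructed_sample():
    """Constructed stand-ins for a Release file, SHA256SUMS and two boot files."""
    files = {"./netboot/debian-installer/amd64/linux": b"constructed kernel",
             "./netboot/debian-installer/amd64/initrd.gz": b"constructed initrd"}
    sums = "".join(f"{sha256(d)}  {p}\n" for p, d in files.items()).encode()
    release = ("Suite: stable\nSHA256:\n"
               f" {sha256(sums)} {len(sums):>8} {SUMS_PATH}\n")
    return release, sums, files
```

Once the files verify, they can be placed in a local tree and passed to `virt-install --location` as a directory path, so nothing unverified is fetched at install time.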



Re: [SECURITY] [DSA 3660-1] chromium-browser security update

2016-09-06 Thread Paul Wise
On Tue, Sep 6, 2016 at 7:32 AM, Raúl Cuza wrote:

> Is there a web link with this info?

https://www.debian.org/security/2016/dsa-3660 (not yet online)
https://security-tracker.debian.org/tracker/DSA-3660-1

-- 
bye,
pabs

https://wiki.debian.org/PaulWise