Re: Bullseye security.debian.org codename misconfigured?
On 1/23/22, Stefan Fritsch wrote:
> On 22.01.22 at 21:07, Bjørn Mork wrote:
>> Stefan Fritsch writes:
>>
>>> # cat /etc/apt/apt.conf.d/11-default-release
>>> APT::Default-Release "bullseye";
>>
>> Just don't do that. It breaks all normal preferences and will end up
>> preferring "bullseye" over anything else. Including
>> "bullseye-security".
>
> This used to work until buster. But it turns out the release-notes
> mention this problem and the correct syntax is now:
>
> APT::Default-Release "/^bullseye(|-security|-updates)$/";
>
>
> The failure mode of silently not installing security updates is bad,
> though. But I don't see an easy way to fix that. Maybe apt should print
> a warning if one uses a simple codename as Default-Release?

Congratulations on finding the fix. That's cool. It falls in line with how the repositories are declared.

With respect to a proposed warning, I spent years naively assuming that security updates were part of the primary, single line repository declaration. A little 4-watt light bulb went off overhead during a Debian-User exchange a couple years ago. Prior to that thread, I'd been on outside security tech lists and had seen major update advisories but could never figure out why I was not seeing those same packages update on my Debian.

This type of ongoing warning might upset some longstanding Users... unless there was a way to have it only be once a month.. or.. maybe have a way to trigger it off permanently via the command line interface for e.g. apt and apt-get.

Another alternative could evolve into a teaching moment by having a warning state where to turn the warning OFF in e.g. an apt or apt-get config file. It could be something like the very fix found for this current thread. That might lead newer users to explore those types of files more and thus learn more about the inner workings of Debian. It was something along those lines that triggered my interest in regularly tearing into my own install's files a number of years ago now.

:) Cindy :)

--
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with birdseed *
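Added here as an illustration, not part of the thread and not code from apt itself: a small Python check for the misconfiguration the thread describes. With a bare codename as Default-Release, apt gives the target release priority 990 while bullseye-security and bullseye-updates stay at 500, so the security suite is silently outranked. The check reads an apt.conf fragment, extracts APT::Default-Release, and approximates apt's matching rule (a value wrapped in slashes is a regular expression, anything else is an exact string match) to report which dependent suites the setting leaves out. The two config fragments are constructed from the thread; Python's re module stands in for apt's POSIX regex engine, which is an approximation I am assuming is close enough for patterns like this one.

```python
import re

# Constructed sample fragments of /etc/apt/apt.conf.d/11-default-release:
# the misconfiguration quoted in the thread, and the fix from the bullseye
# release notes.
WEAK_CONF = 'APT::Default-Release "bullseye";\n'
FIXED_CONF = 'APT::Default-Release "/^bullseye(|-security|-updates)$/";\n'

# Suites that stay at pin priority 500 while the target release gets 990
# when Default-Release names only the bare codename.
DEPENDENT_SUITES = ("security", "updates")

# Matches a double-quoted APT::Default-Release directive in apt.conf syntax.
_DEFAULT_RELEASE = re.compile(r'^\s*APT::Default-Release\s+"([^"]*)"\s*;', re.M)


def default_release(conf_text):
    """Return the APT::Default-Release value from an apt.conf fragment, or None."""
    m = _DEFAULT_RELEASE.search(conf_text)
    return m.group(1) if m else None


def release_matches(value, suite):
    """Approximate apt's rule: a value wrapped in slashes is a regular
    expression searched against the suite/codename; anything else must
    compare equal to it. (Assumption: Python re is close enough to the
    POSIX regex apt uses for patterns like the one in the thread.)"""
    if len(value) >= 2 and value.startswith("/") and value.endswith("/"):
        return re.search(value[1:-1], suite) is not None
    return value == suite


def audit_default_release(conf_text, codename):
    """Return the '<codename>-security' / '<codename>-updates' suites that the
    Default-Release setting does NOT match while it does match the codename.
    An empty list means the setting does not outrank those suites."""
    value = default_release(conf_text)
    if value is None or not release_matches(value, codename):
        return []  # no target release for this codename: normal priorities apply
    return [f"{codename}-{s}" for s in DEPENDENT_SUITES
            if not release_matches(value, f"{codename}-{s}")]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        missing = audit_default_release(conf, "bullseye")
        verdict = "OK" if not missing else "outranked suites: " + ", ".join(missing)
        print(f"{label}: Default-Release={default_release(conf)!r} -> {verdict}")
```

On a real host you would feed it the concatenated contents of /etc/apt/apt.conf.d/*; the authoritative check remains `apt-cache policy`, which prints the priority apt actually assigns to each suite.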
Re: debcheckroot v2.0 released
On 11/27/19, Elmar Stellnberger wrote:
>
> On 25.11.19 at 12:35, Patrick Schleizer wrote:
>> Yes, forget about NSA and alike. Let's not assume quasi-omnipotent
>> attackers. That leads to defeatist mindset which isn't productive.
>
> I would not let myself be defeated easily. Who has thought about
> emails in your inbox which are deleted before you can see them? Easily
> doable. They would just need to know your password. Or about outgoing
> emails which do not reach their target. As far as I have learnt to know
> it you can see them in the sent folder but they never appear on the
> other side, not even in the spam-box. The worse thing is however if
> someone wants to contact you and you do not even know about it, the
> other one just thinking you did not reply.

There have been two situations that, no, I can't name just this second, so this is anecdotal material *until I stumble back upon* the very real cases, BUT...

Twice in the last maybe six months, there has been chatter about the receiving end's server(s) stopping the flow of incoming emails for unknown reasons. The occurrences were purely "glitches", NOT on purpose. It was either machine failure or accidentally Human-instigated mis-code or something that provoked the situations. End users found out when a sudden flood of sometimes OLD email suddenly hit their email inboxes. The last one was just in the last few weeks. If and when I re-encounter that information, I'll post for posterity. :)

As for the once formerly viewed and then now missing emails, been there, done there. Things being what they are in my own #Life, I've most definitely... "wondered" how the emails "disappeared" when they are NOT something I would have EVER deleted. It affects very few, less than a handful of correspondences. Sanity is found in realizing I have a VERY LARGE inbox.. and I'm surely just not using the right words for my queries.

I've convinced myself that I'm using words that convey the same thoughts as the original messages but are not a search string-friendly match for the specific words that were originally written.

:) Cindy :)

--
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with birdseed *
Re: Which one is better solution?
On 12/15/18, Ruslanas Gžibovskis wrote:
> On Sat, 15 Dec 2018, 12:29 Shea Alterio
>> As far as I know, pkexec doesn't validate arguments, so it might not be
>> ideal if you are worried about people trying to trick it.
>>
>> On Sat, Dec 15, 2018 at 6:15 AM JungHwan Kang
>> wrote:
>>
>>> Sometimes, I use a sudo command with -s options for keeping
>>> environment variables for users account(sudoer). I also know -s option
>>> runs the shell specified by the SHELL environment variable. But the
>>> SHELL environment variable can be manipulated by other users having
>>> the same privilege.
>>>
>>> So, I think an adversary is able to abuse the changing SHELL
>>> environment variable for privilege escalation like a video below. (I
>>> assume the adversary owned the permission for executing a shell on a
>>> remote)
>>>
>>> https://youtu.be/JSQjIm7377o (unlisted state)
>>>
>>> I know it is uncertain when the sudo is executed with -s option by
>>> sudoer.
>>>
>>> Anyway, I have thought of the solutions to the issue below.
>>> - using a pkexec of a Policy kit,
>>> - disable a ptrace function via kernel.yama.ptrace_scope,
>>> CAP_SYS_PTRACE.
>>>
>>> Could you give some advice and comments?
>>>
> I prefer su or u+S on a script

I've read the above responses and am not quite sure how this fits in but decided to post anyway. :)

I started using "su" myself in the last year or so. A blip that quickly left my memory was that I'd seen a hyphen ("-") used at some point but didn't understand the importance of adding the hyphen as needed BECAUSE "su" appeared to work just fine WITHOUT the hyphen. :)

A few weeks ago, that very helpful topic came up on Debian-User, but now I can't find that reference.

Via Super User/StackExchange [0], I *did* find:

"Of noteworthiness: This is particularly useful when su-ing to root as without using the hyphen to start a new login shell, your $PATH won't get updated and thus you won't be able to directly call root-only binaries in /sbin and /usr/sbin"

That important detail about fits what was shared on Debian-User recently. Am additionally posting because it's not something newcomers (and even old timers) to that concept encounter very readily out there in the wild.

:) Cindy :)

[0] https://superuser.com/questions/453988/whats-the-difference-between-su-with-and-without-hyphen

--
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with birdseed *
Helping Debian Lists Address S*P*A*M (Was: Activate your GlobalTestMarket membership)
On 10/2/16, Paul Wise wrote:
>
> Please don't reply to spam nor quote it.

Please *do* consider helping Debian out by reporting these things as fast as they occur. There are actually two potentials, one at the top and one at the bottom this very second, on Debian-Security's current "most recent page in the archives":

https://lists.debian.org/debian-security/2016/10/

As an afterthought as I type the above, one of those emails, the original that triggered this line of thoughts, may have been bumped to the second page now because of this very email.

Each singular email on Debian's email archive pages has a clickable "Report as" button on the top right hand corner of its page. It's long been my understanding that each "report" we submit is manually verified for its truthiness. It's further long been my understanding that Debian email server filters are then regularly updated per those reports and accordingly.

But admittedly those last two observations could both be mistaken understandings on my part. My apologies in advance if so. :)

Happy Debian'ing!

Cindy :)

--
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with duct tape *
Re: the frustrated administrivia and misdirection hose lacks any abatement visible to mortals
On 5/24/16, Paul Wise wrote:
> On Tue, May 24, 2016 at 4:28 AM, Drake Wilson wrote:
>
>> Lacking any obvious way to talk to the security team without potentially
>> making my
>> message look more urgent than it was, I leave it to whoever else can
>> navigate the
>> Debian social structure to take it up in the most appropriate manner.
>> I've absolutely run
>> out of nerves for having to clear this garbage out of my mailpile, so I'm
>> done here.
>
> Two of the security team members responded to the bug report:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821113#25
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821113#20
>
> So the only thing that needs doing now is for the listmasters to
> implement the suggestions.

A very... unscientific.. and unhumble.. observation from years of web surfing since 1994 is that I've only seen something of this type and magnitude one other time. It occurred over at W3C (World Wide Web Consortium). I mostly remember that because I remember making some kind of observation about that instance a few years ago now..

This feels rather... "organized". In the other instance, the organized effort was about getting web domains listed in permanent W3C archives that are searched by crawlers (spiders). Here, though, I don't know. It's not about domains this time. It's interesting it's going after Debian's security list(s). Like it's somehow trying to send a message that Debian's being bailed on related to that topic...

Wandering off now wondering out loud... the percentage of people who have contacted the list in the manner that prompted this particular thread. Is that a normal unsubscribe ratio compared to all other Debian lists?

Yes, I "get it", I understand that this scenario is that it's about a list redirect that some are not catching. But a notable some of those some... are tech savvy enough to know how to read email headers to snag the unsubscribe email address regardless of any given listserv's setup.

That's the first place they go before then exhausting other options (e.g. a list's homepage) bearing that info. Most unhumbly, the number posting publicly here indicating they do not know that technique... sure seems mathematically unordinary for lists of this caliber.

Really wandering off now...

Cindy :)

--
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with duct tape *
Re: Which Debian packages leak information to the network?
On 5/18/16, Holger Levsen wrote:
> On Wed, May 18, 2016 at 06:33:52PM +0200, Jakub Wilk wrote:
>> Could you explain how any of these tools leak any information "without a
>> user's consent/expectation"?
>
> gnome-calculator contacts a web page/service with currency exchange
> information *on every start*, I think that's a good example of the kind
> of programs Patrick is looking for.

Ah, good one for developing a train of thought.. Instantly made me think of my weather app which reaches out to the Netherlands very regularly to garner its information. It would seemingly be disclosing a user chosen location to gather what it needs, but perhaps not. I (shamefully) don't know, *grin*.

And there used to be a package install/uninstall documenting "popularity" program somewhere along the lines that I THINK was reporting back very quietly in the background. I can't remember what distro had that but it caused an understandable stink (an extended disgruntled discussion). Mentioning this one in case it likewise stirs up thoughts of anything operating similarly these days..

Just thinking out loud... :)

Cindy :)

--
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with duct tape *
Re: [SECURITY] [DSA 3438-1] xscreensaver security update
On 1/11/16, Noah Meyerhans wrote:
> On Mon, Jan 11, 2016 at 11:14:52AM -0500, Cindy-Sue Causey wrote:
>>
>> ** Not sure proper protocol but reinserted my original thought process
>> And now me.. I didn't notice that (about the Announce list)
>> originally. I've seen it happen a few times across the Net. It doesn't
>> seem like that should be able to occur. It seems like Announce lists
>> are regularly intended as a one-way admin only message source..
>>
>> Just thinking out loud... that maybe the Announce list settings might
>> need a quick once-over review depending on admin's intentions for it.
>
> The ability to send mail to the debian-security-announce list is
> restricted, and the settings work as intended. Note that Debian security
> announcements include a Reply-To header redirecting replies to the
> debian-security@lists.debian.org discussion list, so it's possible to
> send a reply and think that it did go through, when in fact it went to a
> different mailing list. In fact, that's exactly what's happening here.
> This thread is taking place on debian-security@lists.debian.org, even
> though it was triggered by a reply to a security announcement on
> debian-security-announce.

Good deal. Crossed my mind that I didn't receive 2 copies but didn't think about checking online archives before posting my response. It's a great tip suggestion to now have in mind for those other unrelated listservs where it *does* happen, most often on federal dotGov government listservs of all things. *grin*

Cindy :)

--
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* #RIP, Ian. Thank you and to all who contribute to Debian. It's a Life-affecting, Life-enhancing resource and tool in my usage case. *
Re: [SECURITY] [DSA 3438-1] xscreensaver security update
On 1/11/16, Povl Ole Haarlev Olsen wrote:
>
> Allow me to add some more noise.
>
> The original mail was sent to the debian-security-announce mailinglist,
> not this list. The unsubscribe address for that list is:
>
> List-Unsubscribe:
> <mailto:debian-security-announce-requ...@lists.debian.org?subject=unsubscribe>

And now me.. I didn't notice that (about the Announce list) originally. I've seen it happen a few times across the Net. It doesn't seem like that should be able to occur. It seems like Announce lists are regularly intended as a one-way admin only message source.. Or not?

Just thinking out loud... that maybe the Announce list settings might need a quick once-over review depending on admin's intentions for it. :) Or not. :)

Cindy :)

--
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* #RIP, Ian. Thank you and to all who contribute to Debian. It's a Life-affecting, Life-enhancing resource and tool in my usage case. *
Re: NSA software in Debian
On 1/18/14, Marco Saller wrote:
> Hey there,
>
> I am not sure if this question has been asked or answered yet, please do not
> mind if I would ask it again.
> Is it possible that the NSA or other services included investigative
> software in some Debian packages?

Hi, Marco..

This topic was discussed in *great* detail in August, 2013.. I'm sure I deleted some but there are still 47 related responses sitting in my inbox this second..

You can find the thread archived as "Compromising Debian Repositories":

https://lists.debian.org/debian-security/2013/08/msg0.html

Hope that helps..

Cindy Sue :)

- :: -
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with duct tape *