Re: Reaction to potential PGP schism

2023-12-21 Thread Cyril Brulebois
Hi Daniel,

Quick backstory: I stayed away from hardware crypto for a long while
since there were so many incompatibilities, partial support, or side
patches to get basic things to work. Over time, it seems it got to a
point where it's mainstream enough that you can buy a Yubikey without
much of a second thought, and get GPG to work out of the box on it…

Daniel Kahn Gillmor  (2023-12-20):
> OpenPGP implementations have generally learned from those failures, and
> many of them are now much more resilient and can support the kinds of
> upgrade path that we need to consider.  For most of our
> signing/verifying-focused work, that means:
> 
>  - verifying tools should ignore signatures and certificates that they
>    don't understand, while still validating signatures from certificates
>    that they do understand
> 
>  - signing tools can make pairs of signatures, one "compatibility"
>    signature and one "modern" signature
> 
> This means that for a debian signing/verification context, like package
> distribution, which has a global workflow, starting from an existing
> OpenPGP implementation, signing key and corresponding verification
> certificate, it looks like:
> 
>  0) upgrade the signing tool, and start upgrading some of the
>  verification tooling.
> 
>  1) create a new signing certificate with the new version, algorithm, or 
> feature.
> 
>  2) distribute the old+new certificates for the verifiers.
> 
>  3) make signatures with old+new in parallel
> 
>  4) complete upgrade of all verification tooling
> 
>  5) stop making signatures with old signing certificates

… what does this mean for anything that involves hardware-backed crypto?
I'm thinking Yubikeys and the like, but also HSMs that might be on the
critical path to sign things like GRUB, linux (at least for now), etc.

Even if we end up with a brand new gnupg release on the relevant signing
host(s), I fear hardware devices might not feature all the bits that are
needed for those new features?


Cheers,
-- 
Cyril Brulebois (k...@debian.org)<https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
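The quoted upgrade path rests on one verifier rule: skip what you do not understand, check what you do. The following is an added example, not code from the thread or from any OpenPGP implementation; it replaces real signatures with keyed MACs (HMAC-SHA256 as the "compatibility" format, HMAC-BLAKE2b as the "modern" one; both names are hypothetical labels) so that it runs offline, and the choice to reject a bundle when an understood signature fails is this example's policy, not something the thread specifies.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for OpenPGP: a "certificate" is a shared secret and a
# "signature" is a MAC over the data. Only the verifier policy matters here; the
# algorithm names are hypothetical labels for the old and the new signature format.
CERTS = {
    "old-cert": b"constructed secret standing in for the existing signing key",
    "new-cert": b"constructed secret standing in for the new signing key",
}
ALGO_COMPAT = "compat-hmac-sha256"   # understood by every verifier deployed today
ALGO_MODERN = "modern-hmac-blake2b"  # the new version/algorithm/feature being rolled out


@dataclass(frozen=True)
class Signature:
    algo: str
    cert_id: str
    value: bytes


def _mac(algo, key, data):
    """Compute the stand-in signature for one algorithm."""
    if algo == ALGO_COMPAT:
        return hmac.new(key, data, hashlib.sha256).digest()
    if algo == ALGO_MODERN:
        return hmac.new(key, data, hashlib.blake2b).digest()
    raise ValueError(f"cannot produce signatures of type {algo!r}")


def sign(data, specs):
    """Step 3 of the plan: one signature per (algorithm, certificate) pair, so a
    release can carry a compatibility signature and a modern one side by side."""
    return [Signature(algo, cert, _mac(algo, CERTS[cert], data)) for algo, cert in specs]


def verify(data, sigs, supported_algos, known_certs):
    """Return (accepted, per-signature verdict).

    Signatures whose algorithm or certificate this verifier does not understand
    are ignored. Every understood signature is checked: at least one must be
    good, and any bad one rejects the bundle (this example's policy choice).
    """
    verdict = {}
    good = bad = 0
    for s in sigs:
        if s.algo not in supported_algos or s.cert_id not in known_certs:
            verdict[(s.algo, s.cert_id)] = "ignored"
            continue
        expected = _mac(s.algo, known_certs[s.cert_id], data)
        if hmac.compare_digest(expected, s.value):
            verdict[(s.algo, s.cert_id)] = "good"
            good += 1
        else:
            verdict[(s.algo, s.cert_id)] = "bad"
            bad += 1
    return good >= 1 and bad == 0, verdict


# Verifier populations mid-migration: step 2 has distributed both certificates,
# but only upgraded verifiers understand the modern algorithm.
OLD_VERIFIER = ({ALGO_COMPAT}, {"old-cert": CERTS["old-cert"]})
NEW_VERIFIER = ({ALGO_COMPAT, ALGO_MODERN}, CERTS)


def walk_through(data=b"Release file contents (constructed)"):
    """Show why steps 3 and 4 must finish before step 5 drops the old signature."""
    both = sign(data, [(ALGO_COMPAT, "old-cert"), (ALGO_MODERN, "new-cert")])
    modern_only = sign(data, [(ALGO_MODERN, "new-cert")])
    return {
        "old verifier, both sigs": verify(data, both, *OLD_VERIFIER)[0],
        "new verifier, both sigs": verify(data, both, *NEW_VERIFIER)[0],
        "old verifier, modern only": verify(data, modern_only, *OLD_VERIFIER)[0],
        "new verifier, modern only": verify(data, modern_only, *NEW_VERIFIER)[0],
        "new verifier, tampered data": verify(data + b"x", both, *NEW_VERIFIER)[0],
    }


if __name__ == "__main__":
    for case, accepted in walk_through().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```

The "old verifier, modern only" case is the one that bites if step 5 happens before step 4 is complete: a not-yet-upgraded verifier sees only signatures it must ignore, is left with nothing it can validate, and has to reject.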


signature.asc
Description: PGP signature


Re: amd64 running on Intel Celeron and Pentium?

2022-04-17 Thread Cyril Brulebois
Elmar Stellnberger  (2022-04-17):
> I haven´t heard yet of a Pentium IV supporting amd64.
> Likely it does not exist.

https://en.wikipedia.org/wiki/List_of_Intel_Pentium_4_processors seems
to disagree in general. Willamette seems to be old enough to be 32-bit
only though.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)<https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant




Re: Problems with shim and shim-signed in unstable, and proposed solutions to unblock us

2019-03-04 Thread Cyril Brulebois
Steve McIntyre  (2019-03-04):
> And Mark says:
> 
> "we don't want to go rewinding version numbers in unstable; that could
> lead to all sorts of unforeseeable breakage.
> 
> much as we'd expected. Any more feedback please? Cyril prefers
> approach #2 below, I prefer #3.

To clarify: #2 was my preferred approach when we first tried to get #3 to
work, seeing how many things could need tweaking; #2 is mostly about
re-uploading packages that we know were working (albeit with different
version numbers), which looked more reassuring.

Given the amount of research we've done since then, it seems that we've
ironed out what could be an issue (mostly the fact we moved files from one
binary package to another one), and we didn't spot other packages having
relationships to either binary packages, that could have an issue with the
new layout. Building a binary package for real, even if in a chroot with
some specific versions also looks cleaner to me than repacking and
re-uploading old binaries.

Long story short: #3 looks good to me.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)<https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant




Re: [SECURITY] [DSA 3355-2] libvdpau regression update

2015-11-02 Thread Cyril Brulebois
Hi,

Daniel Reichelt  (2015-11-03):
> Hi *
> 
> the amd64 build for 0.8-3+deb8u2 seems to be missing from [1].
> 
> Is this an error or am I missing something?
> 
> 
> Thanks
> Daniel
> 
> 
> [1] http://security.debian.org/pool/updates/main/libv/libvdpau/

If I'm reading wanna-build right, it's Uploaded (as opposed to
Installed), since 2015-11-02 17:25:03.079505

So far as I can check, queued and dak on ftp-master seem rather happy:
| Nov  2 19:31:19 processing /libvdpau_0.8-3+deb8u2_amd64.changes
| Nov  2 19:31:19 libvdpau_0.8-3+deb8u2_amd64.changes processed successfully (uploader pkg-nvidia-de...@lists.alioth.debian.org)
and:
| 20151102193529|process-upload|dak|Processing changes file|libvdpau_0.8-3+deb8u2_amd64.changes
| 20151102193532|process-upload|dak|ACCEPT|libvdpau_0.8-3+deb8u2_amd64.changes

so it doesn't seem obvious to me what's happening here. Adding team@ to
the loop since I don't think I can check anything on the security.d.o
side.

Mraw,
KiBi.




Re: apt-build - Authentication warning overridden. - security issue?

2015-03-19 Thread Cyril Brulebois
Patrick Schleizer adrela...@riseup.net (2015-03-18):
> Hi,
> 
> I was running:
> sudo apt-build install ccache
> 
> And the output contained a message:
> 
> WARNING: The following packages cannot be authenticated!
>   ccache
> Authentication warning overridden.
> 
> Is this just how apt-build works or could this be a security issue due
> to installing unauthenticated packages?

It probably wouldn't happen if the source snippet added at
installation time would be using “deb [trusted=yes]” instead of just
“deb”. Manually editing /etc/apt/sources.list.d/apt-build.list seems
to confirm that.

See /var/lib/dpkg/info/apt-build.postinst:
   debline=deb file:$repository_dir apt-build main

Mraw,
KiBi.
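To make the point above checkable, here is an added example (not apt-build's code and not from the thread) that parses one-line apt source entries, extracts the bracketed options, and flags a local file: repository that carries no `trusted=yes`, which is the case apt reports as "cannot be authenticated" for an unsigned repository. The repository path `/var/cache/apt-build/repository` stands in for the `$repository_dir` of the postinst and is hypothetical. Note the trade-off the fix implies: `[trusted=yes]` turns off signature checking for that one source, so it is only appropriate for a repository you build yourself on the same host.

```python
import re
from dataclasses import dataclass, field

# One-line sources.list format: deb|deb-src [opt=val ...] uri suite component...
_ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class SourceEntry:
    kind: str
    uri: str
    suite: str
    components: list
    options: dict = field(default_factory=dict)


def parse_sources(text):
    """Parse one-line-style apt source entries; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"unparseable source line: {raw!r}")
        kind, opts, uri, suite, comps = m.groups()
        options = {}
        for token in (opts or "").split():
            key, _, value = token.partition("=")
            options[key] = value
        entries.append(SourceEntry(kind, uri, suite, comps.split(), options))
    return entries


def needs_trust_decision(entry):
    """True for a binary entry pointing at a local file: repository that does not
    say trusted=yes. Such a repository is assumed unsigned here (as apt-build's
    is), so apt would print the 'cannot be authenticated' warning for it."""
    return (
        entry.kind == "deb"
        and entry.uri.startswith("file:")
        and entry.options.get("trusted") != "yes"
    )


def audit(text):
    """List (uri, suite, verdict) for every binary entry."""
    return [
        (e.uri, e.suite, "warns" if needs_trust_decision(e) else "ok")
        for e in parse_sources(text)
        if e.kind == "deb"
    ]


# Constructed sample: a signed mirror, the line apt-build's postinst writes
# (hypothetical repository directory), the corrected line, and an explicit opt-out.
SAMPLE = """\
deb http://deb.debian.org/debian bookworm main
# what apt-build's postinst writes:
deb file:/var/cache/apt-build/repository apt-build main
# the corrected form:
deb [trusted=yes] file:/var/cache/apt-build/repository apt-build main
deb [arch=amd64 trusted=no] file:/srv/local-repo ./
"""

if __name__ == "__main__":
    for uri, suite, verdict in audit(SAMPLE):
        print(f"{verdict:5s} {uri} {suite}")
```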




Re: [SECURITY] [DSA 3053-1] openssl security update

2014-10-18 Thread Cyril Brulebois
Jonathan Wiltshire j...@debian.org (2014-10-18):
> Technically nothing is blocked yet (except udebs)

They were only blocked for a tiny number of days.

Mraw,
KiBi.




Re: Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian

2014-09-27 Thread Cyril Brulebois
Conrad Nelson y...@marupa.net (2014-09-27):
> On Sun, 2014-09-28 at 06:33 +1000, Andrew McGlashan wrote:
> > On 28/09/2014 4:29 AM, Martin Holub wrote:
> > > Please according to the Security Tracker [1,2] both are fixed in stable
> > > and oldstable.
> > 
> > NOT QUITE . fixed in stable [wheezy]
> > and oldstable-LTS [squeeze-lts]
> > 
> > 
> > BUT NOT  oldstable  [squeeze] it is NOT fixed,
> > nor is it still supported.  :(
> > 
> > Cheers
> > A.
> > 
> 
> What about Jessie?

kibi@arya:~$ rmadison -a source bash -s testing,unstable
  bash |   4.3-9.2 |testing | source
  bash |   4.3-9.2 |   unstable | source

Mraw,
KiBi.




Re: Checking for services to be restarted on a default Debian installation

2014-09-01 Thread Cyril Brulebois
Thijs Kinkhorst th...@debian.org (2014-09-01):
> My questions to this list:
> - Do people agree that this would be something that's good to have in
>   a default installation? Are there drawbacks?

Having to know about debian-goodies always looked awkward to me. A
dedicated, easy to identify package looks like a nice idea to me.

> - If agreed, how would we approach this? I have to admit that I do not
>   know who decides what is part of a default install or where this is
>   implemented.

(Hopefully the following isn't too far from reality, just had a very
quick look.)

That would be the standard task, defined in tasksel (tasks/standard)
with “Packages: standard”, which pulls packages with that priority;
FWIW that task is a bit special since it's not defined as a task-$foo
package.

Mraw,
KiBi.




Re: Missing ISO hash

2014-07-14 Thread Cyril Brulebois
Djones Boni 07ea86b...@gmail.com (2014-07-14):
> The Debian 7.6 update ISO hashes are missing on bt-dvd directory.
> http://cdimage.debian.org/debian-cd/7.6.0/amd64/bt-dvd/MD5SUMS
> http://cdimage.debian.org/debian-cd/7.6.0/*/bt-dvd/MD5SUMS
> 
> They can be found in iso-dvd and jigdo-dvd.
> http://cdimage.debian.org/debian-cd/7.6.0/amd64/iso-dvd/MD5SUMS
> http://cdimage.debian.org/debian-cd/7.6.0/amd64/jigdo-dvd/MD5SUMS

This looks OK now.

Mraw,
KiBi.




Re: USN-2192-1: OpenSSL vulnerabilities

2014-05-06 Thread Cyril Brulebois
Testosticore testostic...@openmailbox.org (2014-05-07):
> Aren't we affected by this, too?
> 
> http://www.ubuntu.com/usn/usn-2192-1/

Checking the security tracker would seem like an idea?
  https://security-tracker.debian.org/tracker/CVE-2010-5298
  https://security-tracker.debian.org/tracker/CVE-2014-0198

Mraw,
KiBi.




Re: SHA256SUM/MD5SUM check sums do not match for installer-i386

2014-03-07 Thread Cyril Brulebois
Hi,

m...@xlist.pw m...@xlist.pw (2014-03-07):
> Hi,
> 
> I downloaded wheezy from
> 
> ftp://ftp2.de.debian.org/debian/dists/wheezy/main/installer-i386/current/images/*
> 
> ftp://ftp.debian.org/debian/dists/wheezy/main/installer-i386/current/images/*
> 
> and
> 
> ftp://ftp.nl.debian.org/debian/dists/wheezy/main/installer-i386/current/images/*
> 
> Checking with SHA256SUM and MD5SUM files I got the same checksum errors for
> the same files I downloaded from different locations:
> 
> user@host:~/download/debian-wheezy/images$ sha256sum --check SHA256SUMS|grep FAILED
> 3:./hd-media/gtk/vmlinuz: FAILED
> 4:./hd-media/vmlinuz: FAILED
> 10:./netboot/xen/vmlinuz: FAILED
> sha256sum: ./netboot/gtk/pxelinux.cfg/default: No such file or directory
> 15:./netboot/gtk/pxelinux.cfg/default: FAILED open or read
> 61:./netboot/gtk/debian-installer/i386/linux: FAILED
> sha256sum: ./netboot/pxelinux.cfg/default: No such file or directory
> 64:./netboot/pxelinux.cfg/default: FAILED open or read
> 110:./netboot/debian-installer/i386/linux: FAILED
> 115:./cdrom/xen/vmlinuz: FAILED
> 120:./cdrom/gtk/vmlinuz: FAILED
> 121:./cdrom/vmlinuz: FAILED
> sha256sum: WARNING: 2 listed files could not be read
> sha256sum: WARNING: 8 computed checksums did NOT match
> 
> user@host:~/download/debian-wheezy/images$ md5sum --check MD5SUMS|grep FAILED
> 3:./hd-media/gtk/vmlinuz: FAILED
> 4:./hd-media/vmlinuz: FAILED
> 10:./netboot/xen/vmlinuz: FAILED
> md5sum: ./netboot/gtk/pxelinux.cfg/default: No such file or directory
> 15:./netboot/gtk/pxelinux.cfg/default: FAILED open or read
> 61:./netboot/gtk/debian-installer/i386/linux: FAILED
> md5sum: ./netboot/pxelinux.cfg/default: No such file or directory
> 64:./netboot/pxelinux.cfg/default: FAILED open or read
> 110:./netboot/debian-installer/i386/linux: FAILED
> 115:./cdrom/xen/vmlinuz: FAILED
> 120:./cdrom/gtk/vmlinuz: FAILED
> 121:./cdrom/vmlinuz: FAILED
> md5sum: WARNING: 2 listed files could not be read
> md5sum: WARNING: 8 computed checksums did NOT match
> 
> BTW, the same happens for installer-amd64.
> 
> Who can be contacted to get the hash files fixed?

well, that worked for me, for 'ftp', 'ftp.fr', 'ftp.nl':
  lftp -c mirror ftp://XX.debian.org/debian/dists/wheezy/main/installer-i386/current/images
  cd images
  md5sum --check MD5SUMS
  sha256sum --check SHA256SUMS

So it looks to me checksums are OK. (#704162 is not relevant.)

Make sure your downloads weren't truncated?

Mraw,
KiBi.
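The failure pattern above (kernel images FAILED, pxelinux.cfg/default missing) is what a truncated or incomplete download looks like, and the checksum file itself is not at fault. As an added example, not from the thread, the following reimplements enough of `sha256sum --check` to reproduce the three verdicts (`OK`, `FAILED`, `FAILED open or read`) and the two WARNING counters, and pairs each failing file with its on-disk size so that a truncation is visible next to the mismatch; the image tree it checks is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def parse_sums(text):
    """Parse GNU coreutils *SUMS lines: '<hex>  <path>' or '<hex> *<path>'."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, rest = line.split(None, 1)
        path = rest[1:] if rest.startswith("*") else rest
        entries.append((digest.lower(), path))
    return entries


def check_sums(sums_file, algo="sha256"):
    """Mirror 'sha256sum --check': {path: 'OK' | 'FAILED' | 'FAILED open or read'},
    with paths resolved relative to the directory holding the SUMS file."""
    sums_file = Path(sums_file)
    base = sums_file.parent
    results = {}
    for digest, relpath in parse_sums(sums_file.read_text()):
        h = hashlib.new(algo)
        try:
            with open(base / relpath, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
        except OSError:
            results[relpath] = "FAILED open or read"
            continue
        results[relpath] = "OK" if h.hexdigest() == digest else "FAILED"
    return results


def summarize(results):
    """The two WARNING counters sha256sum prints: (unreadable, mismatched)."""
    unreadable = sum(1 for v in results.values() if v == "FAILED open or read")
    mismatched = sum(1 for v in results.values() if v == "FAILED")
    return unreadable, mismatched


def demo():
    """Constructed image tree: one intact file, one truncated transfer, one file
    the mirror never delivered. Returns (verdicts, sizes, warning counters)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        files = {
            "hd-media/vmlinuz": os.urandom(4096),
            "netboot/vmlinuz": os.urandom(4096),
            "netboot/pxelinux.cfg/default": b"DEFAULT install\n",
        }
        lines = []
        for rel, content in files.items():
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_bytes(content)
            lines.append(f"{hashlib.sha256(content).hexdigest()}  ./{rel}")
        (base / "SHA256SUMS").write_text("\n".join(lines) + "\n")
        # Simulate a download that stopped early and one that never happened.
        (base / "netboot/vmlinuz").write_bytes(files["netboot/vmlinuz"][:3000])
        (base / "netboot/pxelinux.cfg/default").unlink()
        results = check_sums(base / "SHA256SUMS")
        sizes = {rel: (base / rel).stat().st_size
                 for rel in results if (base / rel).exists()}
        return results, sizes, summarize(results)


if __name__ == "__main__":
    results, sizes, (unreadable, mismatched) = demo()
    for rel, verdict in results.items():
        print(f"{rel}: {verdict}" + (f" ({sizes[rel]} bytes)" if rel in sizes else ""))
    print(f"WARNING: {unreadable} listed files could not be read")
    print(f"WARNING: {mismatched} computed checksums did NOT match")
```

Comparing the reported size of a FAILED file against the mirror's directory listing settles the truncation question quickly; a file that is the right size but still mismatches is the case that warrants a closer look at the mirror.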




Re: possible /dev/random compromise (misplaced trust in RDRAND / Padlock entropy sources)

2013-12-14 Thread Cyril Brulebois
Steven Chamberlain ste...@pyro.eu.org (2013-12-14):
> On 14/12/13 01:08, Henrique de Moraes Holschuh wrote:
> > Yeah, I think Linux went through similar blindness braindamage sometime ago,
> > but blind trust on rdrand has been fixed for a long time now, and it never
> > trusted any of the other HRNGs (or used them for anything at all without a
> > trip through rng-tools userspace until v3.12).
> 
> I seem to remember that Ted Ts'o committed the fix for this only after
> the release of Linux 3.2, so I assumed wheezy's kernels might be still
> affected?

If you're talking about this:
| commit c2557a303ab6712bb6e09447df828c557c710ac9
| Author: Theodore Ts'o ty...@mit.edu
| Date:   Thu Jul 5 10:35:23 2012 -0400
| 
| random: add new get_random_bytes_arch() function
| […]

it was backported into 3.2.y, that would be 7f5d5266f8a1f7f54707c15e028f220d329726f4,
also known as v3.2.27~51.

Mraw,
KiBi.




Re: MIT discovered issue with gcc

2013-11-23 Thread Cyril Brulebois
Stefan Roas sr...@roath.org (2013-11-23):
> On Sat Nov 23, 2013 at 10:18:43, Robert Baron wrote:
> > Second question:
> > 
> > Doesn't memcpy allow for overlapping memory, but strcpy does not?  Isn't
> > this why memcpy is preferred over strcpy?
> 
> Nope. There's memmove for overlapping areas.

Indeed, easy enough to check anyway, opengroup memcpy gives you:
  http://pubs.opengroup.org/onlinepubs/007904975/functions/memcpy.html

Quoting it:
  The memcpy() function shall copy n bytes from the object pointed to by
  s2 into the object pointed to by s1. If copying takes place between
  objects that overlap, the behavior is undefined.

Mraw,
KiBi.




Re: There is Pidgin in security updates with same version but different checksum

2013-10-03 Thread Cyril Brulebois
Marko Randjelovic marko...@eunet.rs (2013-10-04):
> The package from security looks like error because it does not appear
> in apt-cache show, but exists in lists file and in
> http://security.debian.org/pool/updates/main/p/pidgin/.

Can you please elaborate? The above has got: 2.7.3-1+squeeze3

Current status across distributions is:
kibi@arya:~$ rmadison pidgin -a source
pidgin | 2.7.3-1+squeeze3 | oldstable | source
pidgin | 2.10.6-3~bpo60+1 | squeeze-backports | source
pidgin | 2.10.6-3 |stable | source
pidgin | 2.10.7-2 |   testing | source
pidgin | 2.10.7-2 |  unstable | source

so the 2.7.3-1+squeeze3 upload available through security for oldstable
got merged into oldstable proper during a point release.

What version are you chasing, for which distribution?

Mraw,
KiBi.




Re: Upcoming oldstable point release (6.0.8)

2013-09-22 Thread Cyril Brulebois
Adam D. Barratt a...@adam-barratt.org.uk (2013-09-22):
> The next point release for squeeze (6.0.8) is scheduled for Saturday
> October 19th.  Oldstable NEW will be frozen during the preceding
> weekend.
> 
> As usual, base-files can be uploaded at any point before the freeze.

I don't think I have anything d-i-ish for that one.

-boot@, anything I forgot?

Mraw,
KiBi.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130922191746.ge30...@mraw.org



Re: Upcoming stable point release (7.2)

2013-09-22 Thread Cyril Brulebois
Adam D. Barratt a...@adam-barratt.org.uk (2013-09-22):
> The next point release for wheezy (7.2) is scheduled for Saturday
> October 12th.  Stable NEW will be frozen during the preceding weekend.

So there's a new linux kernel for that one:
  http://womble.decadent.org.uk/blog/linux-kernel-update-for-wheezy-3251-1.html

which I haven't tested at all; there's kfreebsd-9 as well, along with
flash-kernel, multipath-tools, gnupg, grub2, and libgcrypt11 (looking
at the udeb-producing packages on the current p-u summary[1]).

 1. http://release.debian.org/proposed-updates/stable.html

I wonder whether we need/want to fix iso-scan's #722711 in stable as
well. I haven't yet investigated if stable is affected and what the
fix looks like, though; just mentioning it in case somebody wants to
look into it.

-boot@, if anyone sees something that needs fixing in stable and
wasn't spotted/marked as such until now, please speak up.

Mraw,
KiBi.





Re: gpg signatures for Wheezy images

2013-02-22 Thread Cyril Brulebois
adrelanos adrela...@riseup.net (22/02/2013):
> Stable, http://cdimage.debian.org/debian-cd/6.0.6/i386/iso-dvd/ contains
> gpg signatures.
> 
> Wheezy,
> http://cdimage.debian.org/cdimage/weekly-builds/i386/iso-dvd/ does
> not contain gpg signatures.
> 
> Can you offer gpg signatures for Wheezy as well please?

http://cdimage.debian.org/cdimage/wheezy_di_rc1/ has signatures, as
well as previous releases.

See http://www.debian.org/News/2013/20130219 for the announcement.

Mraw,
KiBi.




Re: Linux 3.2: backports some features from mainline kernel (3.7)?

2012-12-15 Thread Cyril Brulebois
Hi,

daniel curtis sidetripp...@gmail.com (15/12/2012):
> Kernel 3.7 is officially out. This Linux release includes many
> improvements practically in every aspect. Many changes also concern
> security. Very interesting are: Cryptographically-signed kernel
> modules and - long awaited - symlink and hardlink restrictions (already
> in Linux 3.6), but it broke some programs, so it has been disabled by
> default, right?

from 
http://packages.debian.org/changelogs/pool/main/l/linux/linux_3.2.35-1/changelog.html
| linux (3.2.29-1) unstable; urgency=low
| …
|* fs: Update link security restrictions to match Linux 3.6:
|  - Drop kconfig options; restrictions can only be disabled by sysctl
|  - Change the audit message type from AUDIT_AVC (1400) to
|AUDIT_ANON_LINK (1702)
| …
| linux-2.6 (3.2.9-1) unstable; urgency=high
| …
|* fs: Introduce and enable security restrictions on links:
|  - Do not follow symlinks in /tmp that are owned by other users
|(sysctl: fs.protected_symlinks)
|  - Do not allow unprivileged users to create hard links to sensitive files
|(sysctl: fs.protected_hardlinks) (Closes: #609455)
|+ This breaks the 'at' package in stable, which will be fixed shortly
|  (see #597130)
|  The precise restrictions are specified in Documentation/sysctl/fs.txt in
|  the linux-doc-3.2 and linux-source-3.2 packages.

Anyway, I suspect you want to ask Linux kernel questions to Linux
kernel maintainers (meaning debian-kernel@).

Mraw,
KiBi.




Re: [SECURITY] [DSA 2566-1] exim4 security update

2012-10-26 Thread Cyril Brulebois
Tomas Pospisek tpo_...@sourcepole.ch (26/10/2012):
> They don't seem to be available anywhere I look, particularly not
> in the http://security.debian.org/ package repository or in the
> standard debian package repository neither for unstable nor for
> wheezy.
> 
> http://incoming.debian.org/ has the versions indicated above,
> however the packages are not signed.
> 
> What's the way forward from here? Will you rerun the incoming queue
> and build packages for security.debian.org or should users
> (blindly?) install the packages from incoming?

http://packages.qa.debian.org/e/exim4/news/20121026T084842Z.html says
the package was accepted a few hours ago.

https://buildd.debian.org/status/package.php?p=exim4suite=sid says
packages were built a few hours ago.

Please allow some time for packages to move from incoming to the
mirrors, and upgrade at this point.

Mraw,
KiBi.




Re: [SECURITY] [DSA 2550-1] asterisk security update

2012-09-19 Thread Cyril Brulebois
Hi.

Herman van Rink r...@initfour.nl (19/09/2012):
> On 09/18/2012 11:40 PM, Michael Kozma wrote:
> > Hello,
> > 
> > I have an error with my sip config since i have updated the asterisk
> > package :
> > 
> > monitoring*CLI> module load sip
> > Unable to load module sip
> > Command 'module load sip' failed.
> > [Sep 18 23:31:39] WARNING[7931]: loader.c:393 load_dynamic_module:
> > Error loading module 'sip': /usr/lib/asterisk/modules/sip.so: cannot
> > open shared object file: No such file or directory
> > [Sep 18 23:31:39] WARNING[7931]: loader.c:801 load_resource: Module
> > 'sip' could not be loaded.

Michael, that should be “chan_sip” apparently?

> I had a similar issue after this update, but not exactly.
> 
> [Sep 19 08:41:32] WARNING[8405] loader.c: Error loading module
> 'chan_sip.so': /usr/lib/asterisk/modules/chan_sip.so: undefined symbol:
> sip_pvt_lock_full
> [Sep 19 08:41:32] WARNING[8405] loader.c: Module 'chan_sip.so' could not
> be loaded.

Herman, probably a consequence of debian/patches/AST-2012-010:
 
+static int reinvite_timeout(const void *data)
+{
…
+   struct ast_channel *owner = sip_pvt_lock_full(dialog);
…
+}
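Review bot: reinvite_timeout() calls sip_pvt_lock_full(dialog), but nothing in this hunk adds a definition or a prototype for sip_pvt_lock_full, which is exactly the `undefined symbol: sip_pvt_lock_full` Herman sees when chan_sip.so is loaded; the backport needs to carry the helper's definition (and its declaration) together with this caller, wherever the complete change defines it, and loading the rebuilt chan_sip.so once before upload would catch a missing symbol like this before it reaches a DSA.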

Looks like the patch is missing the addition of that needed function.

Added team@ in the loop, to make sure they see this.

Mraw,
KiBi.




Re: python 2.6.6 - python 2.6.8

2012-06-25 Thread Cyril Brulebois
Marc Haber mh+debian-secur...@zugschlus.de (25/06/2012):
> phyton is not listed in

(ahah)

> http://security-tracker.debian.org/tracker/CVE-2011-3389, does that
> mean that nobody yet identified python as being affected? How can
> python be added here?

Surely the links in “Please help us keep this information up-to-date by
reporting any discrepancies or change of states that you are aware of
and/or help us improve the quality of this information by
participating.” on the tracker home page is what you're looking for.

Mraw,
KiBi.




Re: [SECURITY] [DSA 2670-1] wordpress security update

2012-05-12 Thread Cyril Brulebois
Marc Gorzala m...@gorzala.de (11/05/2012):
> on c we don't use debian-wordpress anyway

Please set proper To/Cc fields and leave this list alone, thanks already.

Mraw,
KiBi.




Re: Antw: Re: [SECURITY] [DSA 2378-1] ffmpeg security update

2012-01-04 Thread Cyril Brulebois
Robyn Hurst rhu...@thomasu.edu (04.01.2012):
> Please remove me from this mailing list.

Stefan Grzenkowski sgrzenkow...@gebics.de (04/01/2012):
> please remove me,too

What about this? Both of you go read the mail you're replying to, and
then do what's mentioned there to get unsubscribed? kthxbye.

Mraw,
KiBi.




Re: [SECURITY] [DSA 2122-2] New glibc packages fix privilege escalation

2011-01-11 Thread Cyril Brulebois
Florian Weimer f...@deneb.enyo.de (11/01/2011):
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> - -
> Debian Security Advisory DSA-2122-2   secur...@debian.org
> http://www.debian.org/security/Florian Weimer
> January 11, 2011   http://www.debian.org/security/faq
> - -
> 
> Package: glibc
> Vulnerability  : missing input sanitization
> Problem type   : local
> Debian-specific: no
> CVE ID : CVE-2010-3847 CVE-2010-3856
> 
> Colin Watson discovered that the update for stable released in
> DSA-2122-1 did not complete address the underlying security issue in
↑ +ly

I obeyed the Reply-To, but maybe one should mail another address to
get typos fixed in the web version?

KiBi.




Re: Nessus to be removed from Debian, please switch to OpenVAS

2009-08-02 Thread Cyril Brulebois
Javier Fernández-Sanguino Peña j...@computer.org (02/08/2009):
> I encourage people that are looking for an alternative to Nessus to switch to
> OpenVAS (Open Vulnerability Assessment Scanner) which is a Nessus fork (based
> on the 2.2.x branch) that is actively being maintained and is now available
> in Debian.

I'm not quite used to that, but that might be worth adding to the
release notes?

Mraw,
KiBi.




Re: [SECURITY] [DSA 1786-1] New acpid packages fix denial of service

2009-05-03 Thread Cyril Brulebois
Nico Golde debian-security...@ngolde.de (04/05/2009):
> * Steffen Joeris wh...@debian.org [2009-05-04 05:25]:
> > 
> > Debian Security Advisory DSA-1786-1  secur...@debian.org
> > http://www.debian.org/security/  Steffen Joeris
> > May 02, 2009  http://www.debian.org/security/faq
> > 
> > 
> > Package: acpid
> > Vulnerability  : denial of service
> > Problem type   : remote
> 
> That should be local.

People might have got it, but anyway: “should have been local” (or
“should be local”, I guess both senses are possible here).

Mraw,
KiBi.




Re: mt-daapd #404640 introduces remote security hole

2009-04-01 Thread Cyril Brulebois
Alexander Kurtz kurtz.a...@googlemail.com (01/04/2009):
> since it took more than half a year until someone responded to the
> initial mail of #404640 and there are still SERIOUS REMOTE SECURITY
> ISSUES UNFIXED, I thought I'd just drop a link:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=404640

YOU MUST BE KIDDING.

Mraw,
KiBi.




Re: [LI#NCE-fWtY2-534] [SECURITY] [DSA 1737-1] New wesnoth packages fix several vulnerabilities

2009-03-11 Thread Cyril Brulebois
Dan Bassett t...@csl-tech.illinois.edu (11/03/2009):
> First of...
> HAHAHAHAHAHHAHAHAHAAHAHA

Ah?

> Secondly, not on any of our servers...

Hm, we don't care?

Mraw,
KiBi.




Re: [Koumbit #27201] [SECURITY] [DSA 1731-1] New ndiswrapper packages fix arbitrary code execution vulnerability

2009-03-02 Thread Cyril Brulebois
Antoine Beaupré via RT secur...@rt.koumbit.net (02/03/2009):
> Status: resolved

Status: we-don’t-care

Fix your mail setup.

Mraw,
KiBi.




Re: New Etch Point Release

2009-02-09 Thread Cyril Brulebois
Sythos syt...@sythos.net (10/02/2009):
> no lenny release as stable? :)

Good things come to those…

Mraw,
KiBi.




Re: [SECURITY] [DSA 1704-1] New xulrunner packages fix several vulnerabilities

2009-01-15 Thread Cyril Brulebois
Celejar cele...@gmail.com (15/01/2009):
> Is there any automatic way to check whether a given system has any of
> the binary packages built from a given source package installed?

(without any deb-src) It looks like the following does what you want:
| grep-status -sPackage -F Package $source_package

Works for me with blender, xulrunner, graphviz as source package names.

Mraw,
KiBi.




Re: [SECURITY] [DSA 1704-1] New xulrunner packages fix several vulnerabilities

2009-01-15 Thread Cyril Brulebois
Celejar cele...@gmail.com (15/01/2009):
> > (without any deb-src) It looks like the following does what you want:
> > | grep-status -sPackage -F Package $source_package
> > 
> > Works for me with blender, xulrunner, graphviz as source package names.

Bleh. Needed sleep :)

Make “-F Package” become “-F Source”. Unfortunately, if a binary package
is built from a source package with the same name, it isn't printed.
E.g.  “grep-status -sPackage -F Source graphviz” won't return graphviz,
even if it's installed, so you'll have to add a special-case.

Using --exact-match should help. What about the following?
| grep-status -X -sPackage -F Source $p; grep-status -X -sPackage -F Package $p

Might be suboptimal but oh well, it does (this time I hope…) answer your
question.

> According to the man page, your command merely prints the package
> fields of those packages whose package fields contains the string
> $source_package, as above.  Have I missed something?

Sorry about that.

Mraw,
KiBi.
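The two grep-status invocations above (the first answer and its correction) reduce to one rule over /var/lib/dpkg/status: a binary belongs to source package S if its Source field names S, or if it has no Source field and its own name is S. As an added example, not from the thread and not dctrl-tools code, the following implements that rule directly and goes one step further than the grep-status pipeline: it strips the "(version)" suffix that the Source field carries when the binary version differs from the source version (e.g. `Source: xulrunner (1.9.0.5-1)`), which an exact match on the whole field would miss, and it skips packages whose Status says they are removed with only config files left. The status stanzas and version numbers are constructed.

```python
# Constructed dpkg status excerpt: versions are sample values, not real uploads.
SAMPLE_STATUS = """\
Package: xulrunner-1.9
Status: install ok installed
Source: xulrunner (1.9.0.5-1)
Version: 1.9.0.5-1+b1
Description: XUL + XPCOM application runner
 constructed sample stanza

Package: libmozjs1d
Status: install ok installed
Source: xulrunner
Version: 1.9.0.5-1
Description: The Mozilla SpiderMonkey JavaScript library

Package: xulrunner-dev
Status: deinstall ok config-files
Source: xulrunner
Version: 1.9.0.5-1
Description: Development files (removed, only config files left)

Package: graphviz
Status: install ok installed
Version: 2.20.2-3
Description: rich set of graph drawing tools

Package: libgraphviz4
Status: install ok installed
Source: graphviz
Version: 2.20.2-3
Description: rich set of graph drawing tools - libs
"""


def parse_status(text):
    """Split a dpkg status file into stanzas of {field: value}; continuation
    lines (leading whitespace) are appended to the previous field."""
    stanzas, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current, last = {}, None
            continue
        if line[0] in " \t" and last is not None:
            current[last] += "\n" + line.strip()
            continue
        key, _, value = line.partition(":")
        current[key] = value.strip()
        last = key
    if current:
        stanzas.append(current)
    return stanzas


def source_of(stanza):
    """Source package of a binary: the Source field minus any '(version)'
    suffix, or the Package name when the field is absent because they coincide."""
    return stanza.get("Source", stanza["Package"]).split()[0]


def is_installed(stanza):
    """True when the dpkg state (last word of Status) is 'installed'."""
    return stanza.get("Status", "").split()[-1:] == ["installed"]


def installed_from_source(text, source):
    """Names of installed binary packages built from the given source package."""
    return sorted(
        s["Package"]
        for s in parse_status(text)
        if is_installed(s) and source_of(s) == source
    )


if __name__ == "__main__":
    import sys
    # Run against the real status file with e.g.: python3 this.py xulrunner
    status_text = open("/var/lib/dpkg/status").read() if len(sys.argv) > 1 else SAMPLE_STATUS
    source = sys.argv[1] if len(sys.argv) > 1 else "xulrunner"
    print("\n".join(installed_from_source(status_text, source)))
```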




Re: [SECURITY] [DSA 1704-1] New xulrunner packages fix several vulnerabilities

2009-01-14 Thread Cyril Brulebois
Celejar cele...@gmail.com (14/01/2009):
> > We recommend that you upgrade your xulrunner packages.
> 
> On my Sid box, I only have 'xulrunner-1.9' from the official repo, and
> xulrunner only from 'debian-multimedia.org'.

That's the source package name. Binaries built from this source:
| $ LANG=C apt-cache showsrc xulrunner|grep ^Binary:|tr -d ,|sed -e 's/ /\n/g'|sort
| Binary:
| libmozillainterfaces-java
| libmozjs1d
| libmozjs1d-dbg
| libmozjs-dev
| python-xpcom
| spidermonkey-bin
| xulrunner-1.9
| xulrunner-1.9-dbg
| xulrunner-1.9-gnome-support
| xulrunner-dev

Mraw,
KiBi.




Re: Freeze exceptions for iceape/iceweasel/xulrunner?

2009-01-09 Thread Cyril Brulebois
Francesco Poli f...@firenze.linux.it (10/01/2009):
> On the other hand iceape [2], iceweasel [3], and xulrunner [4] seem to
> be in freeze, even though their unstable versions fix many
> vulnerabilities.
> 
> Have freeze exceptions been already requested for them?

http://lists.debian.org/debian-release/

(no)

> Otherwise, are there plans to do so?

RC bugfixes are usually unblocked without the need for asking. Also,
security bugfixes for ice* packages are allowed by habit.

> P.S.: Please Cc: me on replies, as I am not a list subscriber.

Done.

Mraw,
KiBi.




Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution

2008-12-10 Thread Cyril Brulebois
Dominic Hargreaves [EMAIL PROTECTED] (10/12/2008):
> Looks like it is in the etch-proposed-updates/etch dist, though, if
> you wanted it. Volatile admins, is there something wrong with this
> package or has it just been forgotten about?

Correct according to:
http://release.debian.org/proposed-updates/stable.html

Mraw,
KiBi.




Re: md5 hashes used in security announcements

2008-10-24 Thread Cyril Brulebois
Florian Weimer [EMAIL PROTECTED] (24/10/2008):
> I don't know to which address you sent the address, so I don't know if
> it's been overlooked.

[EMAIL PROTECTED] aka.
http://lists.debian.org/debian-security/2008/10/msg00030.html

Mraw,
KiBi.




Re: 17 updates for Etch?!?! ¡!¡¡111oneonelevenoneone

2008-07-26 Thread Cyril Brulebois
Jim Popovitch [EMAIL PROTECTED] (26/07/2008):
> WTF?!?!?  Were all those apps + kernel updated today?

Point release, see [1]. I guess the announcement is on its way. Might be
sent once most architectures have all packages built.

 1. http://www.philkern.de/weblog/en/debian/etch_4.0r4.html

Mraw,
KiBi.




Re: Broken link on Debian CVE Web page (Was: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-13 Thread Cyril Brulebois
On 13/05/2008, Stephane Bortzmeyer wrote:
> By the way, the page
> http://www.debian.org/security/cve-compatibility has a link
> http://security-tracker.debian.org/, labeled The Debian Security
> Tracker has the canonical list of CVE names, corresponding Debian
> packages, and this link is broken: there is no
> security-tracker.debian.org.

Just in case you don't know about it yet, try .net.

Mraw,
KiBi.




Re: [SECURITY] [DSA 1466-1] New xorg-server packages fix several vulnerabilities

2008-01-18 Thread Cyril Brulebois
On 18/01/2008, Adrian Minta wrote:
> After this update vlc and possible other programs will not work
> anymore.

#461410.

Cheers,

-- 
Cyril Brulebois

