Re: Why no security support for binutils? What to do about it?
> Some of its checks look inherently dangerous, e.g. the bash -n check for
> shell syntax.

Why would bash -n be dangerous?
Re: [SECURITY] [DSA 3909-1] samba security update
On 14.07.2017 16:19, Sven Hartge wrote:
> For me the binary packages have dependencies unfulfillable in Jessie:
>
> The following packages have unmet dependencies:
>  samba-common-bin : Depends: libncurses5 (>= 6) but 5.9+20140913-1+b1 is to be installed
>                     Depends: libreadline7 (>= 6.0) but it is not installable
>                     Depends: libtinfo5 (>= 6) but 5.9+20140913-1+b1 is to be installed
>                     Depends: samba-libs (= 2:4.2.14+dfsg-0+deb8u7) but 2:4.2.14+dfsg-0+deb8u6 is to be installed

Same here. Thanks for jumping in and reporting this, I wasn't sure if I hadn't just messed up my apt-pinning...

> The 32bit i386 packages on the other hand are fine, probably because they
> were built by a buildd.

On an i386 VM the upgrade ran fine here as well.

Cheers
Daniel
Re: Some Debian package upgrades are corrupting rsync "quick check" backups
On 01/28/2017 03:51 PM, Holger Levsen wrote:
> On Sat, Jan 28, 2017 at 03:04:56PM +0100, Daniel Reichelt wrote:
>> I highly suspect this stems from packages' rules files supporting
>> reproducible builds.
>
> I rather think this is due to binNMUs not modifying debian/changelog…
> (in the source package while it's modified in the binary packages…)

Makes sense. Thanks for the clarification, Holger.
Re: Some Debian package upgrades are corrupting rsync "quick check" backups
Hi,

I highly suspect this stems from packages' rules files supporting reproducible builds. The only way I see to solve this would be for the "reproducible builds" infrastructure to hard-wire new timestamps at release-time of a new package version.

Also: this is not limited to rsync. Basically any tool relying on (mtime/file size) as a changed indicator is affected by this. Even if the tool in question relied on (mtime/file size/inode number), "changed checks" could be subverted in situations where changes are made to the file directly instead of writing a new file and moving it into place (thus retaining the inode number).

Cheers
Daniel
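The failure mode described in the post, as an added example that is not part of the thread: a file is upgraded to a same-sized build carrying the same hard-wired timestamp, once by overwriting it in place and once by writing a new file and renaming it over the old one. The (mtime, size) quick check sees no change either way, the inode only changes in the rename case, and only a content hash catches both; the fixed timestamp and the file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

FIXED_MTIME_NS = 1_485_600_000 * 10**9   # constructed: a hard-wired, reproducible timestamp


def quick_check_key(path):
    """rsync-style quick check (mtime + size), with the inode returned as the stricter variant."""
    st = os.stat(path)
    return (st.st_mtime_ns, st.st_size), st.st_ino


def content_key(path):
    """Content-based change indicator: SHA-256 over the file's bytes."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def install_in_place(path, data):
    """Overwrite the existing file and stamp the fixed mtime; the inode is kept."""
    with open(path, "r+b") as fh:        # r+b keeps the inode; truncate to the new length
        fh.write(data)
        fh.truncate()
    os.utime(path, ns=(FIXED_MTIME_NS, FIXED_MTIME_NS))


def install_via_rename(path, data):
    """Write a temp file next to the target and rename it over the old one: new inode."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(data)
    os.utime(tmp, ns=(FIXED_MTIME_NS, FIXED_MTIME_NS))
    os.replace(tmp, path)


def demo(install):
    """Return (mtime_size_changed, inode_changed, content_changed) after upgrading a
    constructed file from build deb8u6 to a same-sized build deb8u7 via `install`."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "libsample.so.1")   # constructed, not a real package file
        with open(path, "wb") as fh:
            fh.write(b"build=deb8u6\n")
        os.utime(path, ns=(FIXED_MTIME_NS, FIXED_MTIME_NS))
        (qs0, ino0), h0 = quick_check_key(path), content_key(path)
        install(path, b"build=deb8u7\n")
        (qs1, ino1), h1 = quick_check_key(path), content_key(path)
        return (qs0 != qs1, ino0 != ino1, h0 != h1)
```

For backups this is the case for rsync's `--checksum` (`-c`) option, or any tool that compares content hashes rather than stat data, at the cost of reading every file.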
Re: [SECURITY] [DSA 3355-2] libvdpau regression update
On 11/03/2015 08:30 AM, Ansgar Burchardt wrote:
> dak needs to forget that it has seen the file. Which means either
> resigning it or ftp-master telling dak to do so. I just did the latter
> and moved the upload back to the processing queue.

Just tried the update and it worked fine. Thanks for the quick fix!

Daniel
Re: [SECURITY] [DSA 3355-2] libvdpau regression update
Hi *

the amd64 build for 0.8-3+deb8u2 seems to be missing from [1]. Is this an error or am I missing something?

Thanks
Daniel

[1] http://security.debian.org/pool/updates/main/libv/libvdpau/

On 11/02/2015 08:27 PM, Alessandro Ghedini wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-3355-2                   secur...@debian.org
> https://www.debian.org/security/                       Alessandro Ghedini
> November 02, 2015                     https://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : libvdpau
> Debian Bug     : 802625
>
> The previous update for libvdpau, DSA-3355-1, introduced a regression in
> the stable distribution (jessie) causing a segmentation fault when the
> DRI_PRIME environment variable is set. For reference, the original
> advisory text follows.
>
> Florian Weimer of Red Hat Product Security discovered that libvdpau, the
> VDPAU wrapper library, did not properly validate environment variables,
> allowing local attackers to gain additional privileges.
>
> For the stable distribution (jessie), this problem has been fixed in
> version 0.8-3+deb8u2.
>
> We recommend that you upgrade your libvdpau packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org
Re: Verification of netboot installer and firmware files
On 09/06/2015 07:14 PM, Paul Wise wrote:
> On Sun, Sep 6, 2015 at 10:20 AM, Daniel Reichelt wrote:
>
>> [1] http://ftp.nl.debian.org/debian/dists/stretch/main/installer-amd64/current/images/
>
> ftp://ftp.debian.org/debian/dists/stretch/Release
> ftp://ftp.debian.org/debian/dists/stretch/Release.gpg
>
>> [3] http://cdimage.debian.org/cdimage/unofficial/non-free/firmware/
>
> Probably better to use the ISO images that include firmware, these are signed:
>
> http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/current/amd64/iso-cd/

Paul, thanks a lot for the hints. That'll do...

Daniel
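The verification chain Paul's reply points at (Release.gpg signs Release, Release lists the hash of the installer images' SHA256SUMS, SHA256SUMS lists the hashes of the image files), as an added example that is not part of the thread. It assumes, as is the case for Debian's Release files, that Release carries an entry named main/installer-amd64/current/images/SHA256SUMS; the gpg step is named but not run, and the demo builds a miniature archive from constructed data.

```python
import hashlib
import os
import tempfile

# Step 1, not run here: gpg --verify Release.gpg Release (Debian archive key in the keyring).
SUMS_ENTRY = "main/installer-amd64/current/images/SHA256SUMS"  # entry name in Release


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def release_sha256_entries(release_text):
    """Step 2: parse the 'SHA256:' section of Release into {relpath: hexdigest}."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):        # an unindented line is a field header
            in_section = line.strip() == "SHA256:"
        elif in_section:
            digest, _size, relpath = line.split()
            entries[relpath] = digest
    return entries


def verify_chain(release_text, sums_path, images_dir):
    """Step 3: Release -> SHA256SUMS -> image files; returns the names that fail."""
    if release_sha256_entries(release_text).get(SUMS_ENTRY) != sha256_file(sums_path):
        return ["SHA256SUMS"]   # the hash list is not the one the signed Release covers
    bad = []
    with open(sums_path) as fh:
        for line in fh:
            digest, name = line.split()
            name = name[2:] if name.startswith("./") else name  # sha256sum writes "./mini.iso"
            if sha256_file(os.path.join(images_dir, name)) != digest:
                bad.append(name)
    return bad


def write(path, data, mode="wb"):
    with open(path, mode) as fh:
        fh.write(data)


def demo():
    """Constructed mini-archive: one intact image, one tampered after the hash list was made."""
    with tempfile.TemporaryDirectory() as images:
        iso, pxe, sums = (os.path.join(images, n) for n in ("mini.iso", "pxelinux.0", "SHA256SUMS"))
        write(iso, b"constructed iso bytes")
        write(pxe, b"constructed pxe bytes")
        write(sums, f"{sha256_file(iso)}  ./mini.iso\n{sha256_file(pxe)}  ./pxelinux.0\n", "w")
        release = f"SHA256:\n {sha256_file(sums)} 0 {SUMS_ENTRY}\n"   # the relevant lines of Release
        write(pxe, b"!", "ab")   # altered after the (signed) hash list was published
        return verify_chain(release, sums, images)
```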
Verification of netboot installer and firmware files
Hey there

I'm wondering if there's a practical way to verify the netboot installer files and firmware archives provided via [1]-[3]. I couldn't find anything similar to the signed (md5|shaX)sum files provided for the ISOs, nor any lines in the official installation guide about verification. Am I missing something?

Looking forward to suggestions! If I'm really the first one to bring this up: IMHO the simplest solution would be to gpg-sign the hash lists under [1]/[2] and provide signed hash lists for [3] as well.

Thanks
Daniel

[1] http://ftp.nl.debian.org/debian/dists/stretch/main/installer-amd64/current/images/
[2] http://d-i.debian.org/daily-images/amd64/daily/
[3] http://cdimage.debian.org/cdimage/unofficial/non-free/firmware/
Re: [SECURITY] [DSA 3074-1] php5 security update
Just filed a bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770105

cheers
daniel

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/546bc6d3.9040...@nachtgeist.net
Re: [SECURITY] [DSA 2550-1] asterisk security update
Hi Moritz

> > Please test/report, whether the packages located at
> > http://people.debian.org/~jmm/ fix the problem for you.

Could you please publish the source package as well? And is this going to go into squeeze-updates eventually?

Cheers
Daniel

(@moritz: sry for double-posting...)

Archive: http://lists.debian.org/5062e501.7040...@nachtgeist.net