Re: Re: [SECURITY] [DSA 4371-1] apt security update
On Thu, 2019-01-24 at 23:37 +0100, Edgar Remmel wrote:
> Thanks a lot Yves-Alexis for reply and advice!
>
> > Also it's likely that
> > you need to ask this to Raspbian, not Debian.
>
> Please give me a 2nd try in this list. If it will become obviously to be
> a problem of Raspbian I will change to them.

It's not a Raspbian “problem”, but yes, you're using Raspbian packages and mirrors, not Debian's.

> But by sudo "apt -o Acquire::http::AllowRedirect=false upgrade"
> I always got the following error messages after my confirm to install:
>
> Err:1 http://raspbian.raspberrypi.org/raspbian stretch/main armhf
> libapt-pkg5.0 armhf 1.4.9
> 302 Found [IP: 93.93.128.193 80]

Yes, 302 is HTTP redirect code, and you asked to refuse redirects (in order to prevent exploitation by an attacker). That's why it fails.

> Besides according to your recommendation I tried this too:
>
> deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main
> in /etc/apt/sources.list.

That's actually a bad idea I think. Raspbian rebuilds packages for a different architecture: Raspbian armhf is not Debian armhf, so it's not guaranteed to work on any Raspberry Pi. Also don't try to upgrade using packages downloaded from Debian, you really need to go to Raspbian for that.

> But running an update command an error showed up that the key doesn't
> match, so this failed too.
>
> So please let me know - what is your conclusion?
>
> It's a question for Raspbian - and I should ask there now?

Yes, please contact them. I'm unsure if they published an advisory or something though.

Regards,
--
Yves-Alexis

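
Added example, not part of the thread and not code from apt: a small triage of captured apt output that separates fetches refused because the mirror answered with an HTTP 3xx redirect (the failure explained in the reply above) from other fetch errors. The line shape is assumed from the messages quoted in this thread; the function names, the `mirror.example.invalid` host and the 404 line are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: two lines shaped like the apt errors quoted in this thread,
# plus one constructed non-redirect failure (placeholder host) for contrast.
SAMPLE = """\
E: Failed to fetch http://raspbian.raspberrypi.org/raspbian/pool/main/a/apt/libapt-pkg5.0_1.4.9_armhf.deb 302 Found [IP: 93.93.128.193 80]
E: Failed to fetch http://raspbian.raspberrypi.org/raspbian/pool/main/a/apt/apt_1.4.9_armhf.deb 302 Found [IP: 93.93.128.193 80]
E: Failed to fetch http://mirror.example.invalid/debian/pool/main/a/apt/apt-utils_1.4.9_armhf.deb 404 Not Found [IP: 192.0.2.10 80]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
"""

# Assumed line shape: "E: Failed to fetch <url> <3-digit status> <reason> [IP: ...]"
FAILED = re.compile(r"^E: Failed to fetch (?P<url>\S+)\s+(?P<status>\d{3})\s")


def triage(apt_output):
    """Return ({host: [(package, version, arch), ...]}, [other failure lines]).

    The first element holds fetches that ended on an HTTP 3xx answer, which is
    what a redirecting mirror produces when Acquire::http::AllowRedirect=false.
    """
    refused = defaultdict(list)
    other = []
    for line in apt_output.splitlines():
        if not line.startswith("E: Failed to fetch "):
            continue  # summary lines and normal progress output
        m = FAILED.match(line)
        if m and m["status"].startswith("3"):
            parts = urlsplit(m["url"])
            deb = parts.path.rsplit("/", 1)[-1]
            # Debian archive file names are <package>_<version>_<arch>.deb
            refused[parts.netloc].append(tuple(deb.removesuffix(".deb").split("_", 2)))
        else:
            other.append(line)  # 404, hash mismatch, timeouts: a different problem
    return dict(refused), other


def report(apt_output):
    """One summary line per redirecting host, then the unrelated failures."""
    refused, other = triage(apt_output)
    lines = []
    for host, pkgs in sorted(refused.items()):
        names = ", ".join(" ".join(p[:2]) for p in pkgs)
        lines.append(f"{host}: redirect refused for {names}")
    lines += [f"not redirect-related: {entry}" for entry in other]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```
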
Re: Re: [SECURITY] [DSA 4371-1] apt security update
Thanks a lot Yves-Alexis for reply and advice!

> Also it's likely that
> you need to ask this to Raspbian, not Debian.

Please give me a 2nd try in this list. If it will become obviously to be a problem of Raspbian I will change to them.

> It would help to paste the exact error messages.

The command "sudo apt -o Acquire::http::AllowRedirect=false update" ran fine.

By apt "list --upgradable" these 5 packages are displayed:

apt/stable 1.4.9 armhf [upgradable from: 1.4.8]
apt-transport-https/stable 1.4.9 armhf [upgradable from: 1.4.8]
apt-utils/stable 1.4.9 armhf [upgradable from: 1.4.8]
libapt-inst2.0/stable 1.4.9 armhf [upgradable from: 1.4.8]
libapt-pkg5.0/stable 1.4.9 armhf [upgradable from: 1.4.8]

But by sudo "apt -o Acquire::http::AllowRedirect=false upgrade" I always got the following error messages after my confirm to install:

Err:1 http://raspbian.raspberrypi.org/raspbian stretch/main armhf libapt-pkg5.0 armhf 1.4.9
  302 Found [IP: 93.93.128.193 80]
Err:2 http://raspbian.raspberrypi.org/raspbian stretch/main armhf libapt-inst2.0 armhf 1.4.9
  302 Found [IP: 93.93.128.193 80]
Err:3 http://raspbian.raspberrypi.org/raspbian stretch/main armhf apt armhf 1.4.9
  302 Found [IP: 93.93.128.193 80]
Err:4 http://raspbian.raspberrypi.org/raspbian stretch/main armhf apt-utils armhf 1.4.9
  302 Found [IP: 93.93.128.193 80]
Err:5 http://raspbian.raspberrypi.org/raspbian stretch/main armhf apt-transport-https armhf 1.4.9
  302 Found [IP: 93.93.128.193 80]
E: Failed to fetch http://raspbian.raspberrypi.org/raspbian/pool/main/a/apt/libapt-pkg5.0_1.4.9_armhf.deb 302 Found [IP: 93.93.128.193 80]
E: Failed to fetch http://raspbian.raspberrypi.org/raspbian/pool/main/a/apt/libapt-inst2.0_1.4.9_armhf.deb 302 Found [IP: 93.93.128.193 80]
E: Failed to fetch http://raspbian.raspberrypi.org/raspbian/pool/main/a/apt/apt_1.4.9_armhf.deb 302 Found [IP: 93.93.128.193 80]
E: Failed to fetch http://raspbian.raspberrypi.org/raspbian/pool/main/a/apt/apt-utils_1.4.9_armhf.deb 302 Found [IP: 93.93.128.193 80]
E: Failed to fetch http://raspbian.raspberrypi.org/raspbian/pool/main/a/apt/apt-transport-https_1.4.9_armhf.deb 302 Found [IP: 93.93.128.193 80]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

I tried to use a command with --fix-missing but this didn't work. Maybe I used the wrong syntax.

> Can you provide the links you used and the hash it gives you locally?

This was a second problem when I tried to solve it by manual installation. For the downloads I used the links you have posted and found some mismatched hashes in these files:

apt-dbgsym_1.4.9_armhf.deb Local Hash = 734604633a87aac1b6bdf1ded6ed9a398122be8654690e6acc9a195c3d6dab14
apt-utils-dbgsym_1.4.9_armhf.deb - Local Hash = 42b07cdf359a7dcca06533bb3672039b62cd850a3f65d63f9a92ed6ed20537f1
libapt-inst2.0-dbgsym_1.4.9_armhf.deb Local Hash = 35044d57c7832041eb212fdab5893dc168b25ab4f7f6f50e00a471ac9f7213dc
libapt-pkg5.0-dbgsym_1.4.9_armhf.deb Local Hash = d4e59e53e471b11c2bcd1ecf39f71bb50214b97ba492ba7b767301816266ce37

But meanwhile I see that I don't need those files because they are obviously not displayed by apt --upgradable list. And the hashes for the 5 needed packages seem to match.

> Try dpkg - -l |grep apt

dpkg --list |grep apt worked for me.

That's the result:

ii  apt                   1.4.8              armhf  commandline package manager
ii  apt-listchanges       3.10               all    package change history notification tool
ii  apt-transport-https   1.4.8              armhf  https download transport for APT
ii  apt-utils             1.4.8              armhf  package management related utility programs
ii  aptitude              0.8.7-1            armhf  terminal-based package manager
ii  aptitude-common       0.8.7-1            all    architecture independent files for the aptitude package manager
ii  firmware-realtek      1:20161130-3+rpt4  all    Binary firmware for Realtek wired/wifi/BT adapters
ii  libapt-inst2.0:armhf  1.4.8              armhf  deb package format runtime library
ii  libapt-pkg5.0:armhf   1.4.8              armhf  package management runtime library
ii  python-apt-common     1.1.0~beta5        all    Python interface to libapt-pkg (locales)
ii  python3-apt           1.1.0~beta5        armhf

Besides according to your recommendation I tried this too:

deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main

in /etc/apt/sources.list.

But running an update command an error showed up that the key doesn't match, so this failed too.

So please let me know - what is your conclusion?

It's a question for Raspbian - and I should ask there now?

Or can I install the 5 upgrade files quoted above manually without greater dan

Re: [SECURITY] [DSA 4371-1] apt security update
On Thu, 2019-01-24 at 15:08 +0100, Edgar Remmel wrote:
> Hello,

Hi Edgar,

adding debian-security mailing list since it's the proper place to ask about this.

> the above security update was linked by a security forum.
>
> As the commands worked fine for my Linux system the upgrade command
> failed on my Raspberry Pi 3 (OS Raspbian lite based on Stretch stable)
> because unable to find the packages.

It would help to paste the exact error messages. But it's likely that your sources use redirect and are thus broken by the option. Also it's likely that you need to ask this to Raspbian, not Debian.

> I downloaded the 11 files for armhf architecture to install them
> manually. But surprisingly for 4 files the hashes don't match:
>
> apt-dbgsym_1.4.9_armhf.deb
>
> apt-utils-dbgsym_1.4.9_armhf.deb
>
> libapt-inst2.0-dbgsym_1.4.9_armhf.deb
>
> libapt-pkg5.0-dbgsym_1.4.9_armhf.deb

Can you provide the links you used and the hash it gives you locally? My feeling is that you try to download Raspbian packages which have been rebuilt and thus you need to look at a Raspbian advisory.

> Can I install the Architecture independent files instead and do I need
> the Source archives for installing working correctly?
> possbl

You only need the updated version of the packages you already have. Try dpkg -l |grep apt to get that list.

Regards,
--
Yves-Alexis