Re: [DNG] DSA openssl openssl1.0

2018-04-02 Thread Florian Zieboll
On Mon, 2 Apr 2018 23:08:49 +0200
Florian Zieboll  wrote:


> Hi leloft,
> 
> the logs of my nearest Ascii computer report that the upgrades
> already happened last Friday:
> 
>   - Fri Mar 30 10:58:23 CEST 2018 -
>   The following packages will be upgraded:
> libssl1.0.2 libssl1.1 openssl
> 
> and from a Jessie system nearby:
> 
>   - Fri Mar 30 00:45:06 CEST 2018 -
>   The following packages will be upgraded:
> libssl1.0.0 openssl



more precisely for Ascii (note the differing patch numbers of libssl1.0
and libssl1.1):

(1.0.2l-2+deb9u3) over (1.0.2l-2+deb9u2)
(1.1.0f-3+deb9u2) over (1.1.0f-3+deb9u1)
(1.1.0f-3+deb9u2) over (1.1.0f-3+deb9u1)

Kind regards,

f.



-- 
  \
   \\
\ \
|  |
  /  \
 |   ILS SONT FOUX|
 |CES ROMAINS!|
  \__/



___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


Re: [DNG] DSA openssl openssl1.0

2018-04-02 Thread Florian Zieboll
On Mon, 2 Apr 2018 13:17:31 +0100
leloft  wrote:

> Hi devs, 
> 
> I am having difficulties finding the security update for the
> openssl1.0 package (Debian Security Advisory DSA-4158-1 addressing
> CVE-2018-0739)
> 
> There is no problem with openssl:
> Debian package openssl: stretch (libs): 1.1.0f-3+deb9u2
> 
> Issuing 
> # apt-cache policy openssl | grep -B 1 ascii 
> returns
>   
>      1.1.0f-3+deb9u2 500
>         500 http://pkgmaster.devuan.org/merged ascii-security/main amd64 Packages
>         100 http://pkgmaster.devuan.org/merged ascii-proposed-updates/main amd64 Packages
>      1.1.0f-3+deb9u1 500
>         500 http://pkgmaster.devuan.org/merged ascii/main amd64 Packages
> 
> 
> But when I do the same for openssl1.0, I am getting confusing results
> Debian package openssl1.0:  stretch (misc): 1.0.2l-2+deb9u3
> 
> Issuing
> # apt-cache policy openssl1.0 | grep -B 1 ascii
> returns nothing
> 
> Issuing 
> # apt-cache policy openssl1* | grep deb
> returns
>  1.1.0f-3+deb9u2 500
>  1.1.0f-3+deb9u1 500
>  1.0.1t-1+deb8u8 500
>  1.0.1t-1+deb8u7 500
>  3.5.8-5+deb9u3 500
>  3.5.8-5+deb9u1 500
>  3.3.8-6+deb8u7 500
>  3.3.8-6+deb8u6 500
>  7.52.1-5+deb9u5 500
>  7.52.1-5+deb9u4 500
>  7.38.0-4+deb8u10 500
>  7.38.0-4+deb8u8 500
>  2.0.21-stable-2+deb8u1 500
> 
> The first four of these are openssl packages.  
> 
> Despite much searching, I cannot find the openssl1.0 package
> 1.0.2l-2+deb9u3.
>  
> The searches were carried out from a bootstrapped ceres installation
> using a sources list that contained the (main contrib
> non-free) repositories:
> 
> /merged
>    *:  jessie, ascii, beowulf, ceres
>    *-security:  jessie, ascii, beowulf
>    *-updates:  jessie, ascii, beowulf
>    *-proposed-updates:  jessie, ascii, beowulf
>    *-backports: jessie, ascii
> /devuan
>    *:  jessie, ascii, beowulf, ceres, experimental
>    *-proposed:  jessie, ascii
>    *-proposed-security: jessie, ascii
> 
> The brief was to pinpoint any DSA whose patch is *not*
> already available in Devuan.  My question is therefore this:
> 
> Is the openssl1.0 package not available in ascii, although it is
> available in stretch or is there a devuan repository that I have not
> identified? 
> 
> I can post the full sources.list if that would help to resolve this
> query.
> 
> Many Thanks
> 
> leloft 


Hi leloft,

the logs of my nearest Ascii computer report that the upgrades
already happened last Friday:

  - Fri Mar 30 10:58:23 CEST 2018 -
  The following packages will be upgraded:
libssl1.0.2 libssl1.1 openssl

and from a Jessie system nearby:

  - Fri Mar 30 00:45:06 CEST 2018 -
  The following packages will be upgraded:
libssl1.0.0 openssl


Libre greetings,

Florian



-- 
  \
   \\
\ \
|  |
  /  \
 |   ILS SONT FOUX|
 |CES ROMAINS!|
  \__/





[DNG] DSA Ascii to Apr2

2018-04-02 Thread leloft
Sun, 01 Apr 2018 13:16:40 +
[SECURITY] [DSA 4161-1] python-django security update
1:1.10.7-2+deb9u1 Confirmed

Sun, 1 Apr 2018 22:30:47 +0200
[SECURITY] [DSA 4162-1] irssi security update
1.0.7-1~deb9u1 Confirmed
Note: unpatched version 1.0.7-1 in beowulf and ceres

Sun, 1 Apr 2018 14:52:37 +0200
[SECURITY] [DSA 4160-1] libevt security update
20170120-1+deb9u1 Confirmed

Sun, 1 Apr 2018 14:11:22 +0200
[SECURITY] [DSA 4159-1] remctl security update
3.13-1+deb9u1 Confirmed

Thu, 29 Mar 2018 21:40:38 +
[SECURITY] [DSA 4158-1] openssl1.0 security update
Patched Version: 1.0.2l-2+deb9u3
***openssl1.0 Package does not appear to be available in ascii***
See separate email

Thu, 29 Mar 2018 20:57:40 +
[SECURITY] [DSA 4157-1] openssl security update
1.1.0f-3+deb9u2 Confirmed

Wed, 28 Mar 2018 22:31:37 +
[SECURITY] [DSA 4156-1] drupal7 security update
7.52-2+deb9u3 Confirmed

Wed, 28 Mar 2018 22:37:50 +0200
[SECURITY] [DSA 4155-1] thunderbird security update
1:52.7.0-1~deb9u1 Confirmed
Note: unpatched version 1:52.7.0-1 in beowulf and ceres

Tue, 27 Mar 2018 22:10:10 +0200
[SECURITY] [DSA 4153-1] firefox-esr security update
52.7.3esr-1~deb9u1 Confirmed
Note: unpatched version 52.7.3esr-1 in beowulf and ceres

Tue, 27 Mar 2018 17:49:56 +
[SECURITY] [DSA 4152-1] mupdf security update
1.9a+ds1-4+deb9u3 Confirmed

Mon, 26 Mar 2018 20:30:29 +
[SECURITY] [DSA 4151-1] librelp security update
1.2.12-1+deb9u1 Confirmed
Note: jessie-backports contains 1.2.12-1~bpo8+1


[DNG] DSA openssl openssl1.0

2018-04-02 Thread leloft
Hi devs, 

I am having difficulties finding the security update for the openssl1.0
package (Debian Security Advisory DSA-4158-1 addressing CVE-2018-0739)

There is no problem with openssl:
Debian package openssl: stretch (libs): 1.1.0f-3+deb9u2

Issuing 
# apt-cache policy openssl | grep -B 1 ascii 
returns
  
     1.1.0f-3+deb9u2 500
        500 http://pkgmaster.devuan.org/merged ascii-security/main amd64 Packages
        100 http://pkgmaster.devuan.org/merged ascii-proposed-updates/main amd64 Packages
     1.1.0f-3+deb9u1 500
        500 http://pkgmaster.devuan.org/merged ascii/main amd64 Packages


But when I do the same for openssl1.0, I am getting confusing results
Debian package openssl1.0:  stretch (misc): 1.0.2l-2+deb9u3

Issuing
# apt-cache policy openssl1.0 | grep -B 1 ascii
returns nothing

Issuing 
# apt-cache policy openssl1* | grep deb
returns
 1.1.0f-3+deb9u2 500
 1.1.0f-3+deb9u1 500
 1.0.1t-1+deb8u8 500
 1.0.1t-1+deb8u7 500
 3.5.8-5+deb9u3 500
 3.5.8-5+deb9u1 500
 3.3.8-6+deb8u7 500
 3.3.8-6+deb8u6 500
 7.52.1-5+deb9u5 500
 7.52.1-5+deb9u4 500
 7.38.0-4+deb8u10 500
 7.38.0-4+deb8u8 500
 2.0.21-stable-2+deb8u1 500

The first four of these are openssl packages.  

Despite much searching, I cannot find the openssl1.0 package
1.0.2l-2+deb9u3.
 
The searches were carried out from a bootstrapped ceres installation
using a sources list that contained the (main contrib
non-free) repositories:

/merged
   *:  jessie, ascii, beowulf, ceres
   *-security:  jessie, ascii, beowulf
   *-updates:  jessie, ascii, beowulf
   *-proposed-updates:  jessie, ascii, beowulf
   *-backports: jessie, ascii   
/devuan
   *:  jessie, ascii, beowulf, ceres, experimental
   *-proposed:  jessie, ascii
   *-proposed-security: jessie, ascii

The brief was to pinpoint any DSA whose patch is *not*
already available in Devuan.  My question is therefore this:

Is the openssl1.0 package not available in ascii, although it is
available in stretch or is there a devuan repository that I have not
identified? 

I can post the full sources.list if that would help to resolve this
query.

Many Thanks

leloft 


  







[DNG] DSA Jessie to Apr2

2018-04-02 Thread leloft
Sun, 01 Apr 2018 13:16:40 +
[SECURITY] [DSA 4161-1] python-django security update
1.7.11-1+deb8u3 Confirmed

Thu, 29 Mar 2018 20:57:40 +
[SECURITY] [DSA 4157-1] openssl security update
1.0.1t-1+deb8u8 Confirmed

Thu, 29 Mar 2018 21:40:38 +
[SECURITY] [DSA 4158-1] openssl1.0 security update
Patched Version: 1.0.2l-2+deb9u3
Note: jessie-backports contains 1.0.2l-1~bpo8+1

Wed, 28 Mar 2018 22:31:37 +
[SECURITY] [DSA 4156-1] drupal7 security update
7.32-1+deb8u11 Confirmed

Wed, 28 Mar 2018 22:37:50 +0200
[SECURITY] [DSA 4155-1] thunderbird security update
1:52.7.0-1~deb8u1 Confirmed

Wed, 28 Mar 2018 09:21:30 +
[SECURITY] [DSA 4154-1] net-snmp security update
5.7.2.1+dfsg-1+deb8u1

Tue, 27 Mar 2018 22:10:10 +0200
[SECURITY] [DSA 4153-1] firefox-esr security update
52.7.3esr-1~deb8u1 Confirmed

Tue, 27 Mar 2018 17:49:56 +
[SECURITY] [DSA 4152-1] mupdf security update
1.5-1+deb8u4 Confirmed

Mon, 26 Mar 2018 20:30:29 +
[SECURITY] [DSA 4151-1] librelp security update
1.2.7-2+deb8u1 Confirmed


Re: [DNG] Unbootable system due to cryptsetup depending to two libs in /usr

2018-04-02 Thread Olaf Meeuwissen
Hi,

fsmithred writes:

> On 04/01/2018 10:29 AM, Klaus Ethgen wrote:
>> Hi,
>>
>> On Sun, 1 Apr 2018 at 15:14, fsmithred wrote:
>>>> In fact, debian did intentionally break libpopt as the version in ascii
>>>> installs to /lib but the version in ceres installs to /usr.
>> [...]
>>> Nothing installs to /lib anymore, because it's just a symlink to /usr/lib.
>>> You can get this on ascii with a debootstrap install.
>>
>> Well, that is only true if you have the pöttering usrmerge package
>> installed. If you do a minimal ascii bootstrap, you don't get infected
>> by that package.
>>
>> The pöttering followers invented that to break all installations with
>> separate /usr. In fact, that package damages your whole system
>> sustainably.
>>
>> Regards
>> Klaus
>> --
>
> The usrmerge package is not installed here. I can't find it mentioned in
> apt history or bootstrap.log.  It's only in buster/beowulf and sid/ceres.
> Guess I'll have to do another debootstrap of ascii and see if it's still
> happening.

FTR, debootstrap has --merged-usr and --no-merged-usr options, with the
latter documented[1] as the default, since jessie-backports (which has
debootstrap-1.0.89).

 [1]: https://manpages.debian.org/debootstrap

Not one to overly rely on default for "stuff that matters", my Devuan
Docker image build scripts explicitly specify it in their debootstrap
invocation[2].  Please note that these run in a Debian jessie container
that has been migrated to Devuan and uses debootstrap-1.0.87 which also
has these options.

 [2]: https://gitlab.com/paddy-hack/devuan/blob/master/bootstrap.sh#L18

Hope this helps,
--
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join