RE: [SECURITY] [DSA 3031-1] apt security update
Hi Daniel

I get these messages - see below. Is this something I need to pass on, or can I be removed from the list? It means nothing to me I'm afraid.

Andrea

-----Original Message-----
From: Salvatore Bonaccorso [mailto:car...@debian.org]
Sent: 23 September 2014 17:18
To: debian-security-annou...@lists.debian.org
Subject: [SECURITY] [DSA 3031-1] apt security update

Debian Security Advisory DSA-3031-1                   secur...@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
September 23, 2014                                    http://www.debian.org/security/faq

Package        : apt
CVE ID         : CVE-2014-6273

The Google Security Team discovered a buffer overflow vulnerability in the HTTP transport code in apt-get. An attacker able to man-in-the-middle a HTTP request to an apt repository can trigger the buffer overflow, leading to a crash of the 'http' apt method binary, or potentially to arbitrary code execution.

Two regression fixes were included in this update:

* Fix regression from the previous update in DSA-3025-1 when the custom apt configuration option for Dir::state::lists is set to a relative path (#762160).

* Fix regression in the reverification handling of cdrom: sources that may lead to incorrect hashsum warnings. Affected users need to run apt-cdrom add again after the update was applied.

For the stable distribution (wheezy), this problem has been fixed in version 0.9.7.9+deb7u5.

We recommend that you upgrade your apt packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

--
To UNSUBSCRIBE, email to debian-security-announce-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/e1xwsn5-0007lx...@master.debian.org

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/28e9cc6e2dc01a9818e5f72832131...@mail.gmail.com
Re: [SECURITY] [DSA 3031-1] apt security update
On Wed, Sep 24, 2014 at 4:25 PM, Andrea Whitney wrote:
> I get these messages - see below, is this something I need to pass on or can I be removed from the list, means nothing to me I'm afraid.

I recommend you unsubscribe and have your sysadmin subscribe instead. Each of you needs to enter your email address into this form, press the appropriate button and reply to the confirmation email that you will receive.

https://lists.debian.org/debian-security-announce/

--
bye,
pabs

https://wiki.debian.org/PaulWise

Archive: https://lists.debian.org/caktje6h3+b6-zyakmvndeoowhsrn5mt4gfja6dqudsf0hjv...@mail.gmail.com
Upcoming stable point release (7.7)
Hi,

The next point release for wheezy (7.7) is scheduled for Saturday, October 18th. Stable NEW will be frozen during the preceding weekend.

Regards,

Adam

Archive: https://lists.debian.org/1411585956.15708.2.ca...@jacala.jungle.funky-badger.org
bash 4.2 for squeeze
Hi, is there a bash upgrade for squeeze to address the CVE below?

https://www.debian.org/security/2014/dsa-3032

Archive: https://lists.debian.org/cagysloexexm4bvw03vph+ch+ayckcq0xjkokxrlqcgr4tpq...@mail.gmail.com
Re: bash 4.2 for squeeze
Hi,

On Wed, September 24, 2014 21:43, Darko Gavrilovic wrote:
> Hi, is there a bash upgrade for squeeze to address the CVE below?
> https://www.debian.org/security/2014/dsa-3032

Updates to squeeze-lts are announced on the debian-lts-announce list. There you will find that this bug has indeed been addressed. Updates will be available within the hour from primary mirrors.

Cheers,
Thijs

Archive: https://lists.debian.org/b00ca421196510e13c19934c5c2e13e7.squir...@aphrodite.kinkhorst.nl
Re: bash 4.2 for squeeze
On Wed, Sep 24, 2014 at 03:43:42PM -0400, Darko Gavrilovic wrote:
> Hi, is there a bash upgrade for squeeze to address the CVE below?
> https://www.debian.org/security/2014/dsa-3032

There is already a squeeze lts security announcement but my mirrors do not yet have the update. So it should be available with the next mirror pulse.

Cheers,
Sven

Archive: https://lists.debian.org/20140924194633.gk3...@timegate.de
Re: bash 4.2 for squeeze
On 09/24/2014 09:43 PM, Darko Gavrilovic wrote:
> Hi, is there a bash upgrade for squeeze to address the CVE below?
> https://www.debian.org/security/2014/dsa-3032

Squeeze is not supported anymore, tho there are still updates available for squeeze-lts [1]. Probably bash is not on the mirrors yet, tho already at incoming [2].

hth,
.kloschi

[1] https://wiki.debian.org/LTS/Using#Add_squeeze-lts_to_your_sources.list
[2] http://incoming.debian.org/debian-buildd/pool/main/b/bash/

Archive: https://lists.debian.org/5423200f.7080...@subsignal.org
Re: [SECURITY] [DSA 3033-1] nss security update
Yes, this is the perfect thing for our website

Love you
Me

Sent from my iPhone

On Sep 24, 2014, at 8:30 PM, Yves-Alexis Perez cor...@debian.org wrote:

> Debian Security Advisory DSA-3033-1                   secur...@debian.org
> http://www.debian.org/security/                       Yves-Alexis Perez
> September 25, 2014                                    http://www.debian.org/security/faq
>
> Package        : nss
> CVE ID         : CVE-2014-1568
>
> Antoine Delignat-Lavaud from Inria discovered an issue in the way NSS (the Mozilla Network Security Service library) was parsing ASN.1 data used in signatures, making it vulnerable to a signature forgery attack. An attacker could craft ASN.1 data to forge RSA certificates with a valid certification chain to a trusted CA.
>
> For the stable distribution (wheezy), this problem has been fixed in version 2:3.14.5-1+deb7u2.
>
> For the testing distribution (jessie), this problem has been fixed in version 2:3.17.1.
>
> For the unstable distribution (sid), this problem has been fixed in version 2:3.17.1.
>
> We recommend that you upgrade your nss packages.
>
> Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org
>
> Archive: https://lists.debian.org/20140925002335.ga22...@scapa.corsac.net

Archive: https://lists.debian.org/blu404-eas102272cbd32c531cf3ad24484...@phx.gbl
Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
Daniel Kahn Gillmor wrote:

Thanks for the discussion, Hans.

On 09/19/2014 02:47 PM, Hans-Christoph Steiner wrote:

Packages should not be accepted into any official repo, sid included, without some verification builds. A .deb should remain unchanged once it is accepted into any official repo (maybe experimental could be an exception, but not sid). I think that is essential.

But some repositories could have different rules for package inclusion than others, right? for example, say debian wanted to offer an unstable-reproducible suite, which only permitted packages that had been independently rebuilt reproducibly by multiple DDs and at least two different buildds. Ideally, the packages that are shared between this repository and other repositories would be identical. Note that if .deb files are internally signed, two developers *cannot* create the same exact .deb if they do not share their secret keys.

You're missing one key detail here, let's see if I can suss it out:

* the builds are _exactly_ the same, except the signatures
* the embedded signature does not sign the signature files (see jar and apk formats, which are almost the same, for examples)
* anyone can just copy other dev's signature into the package and it will validate because the package contents are exactly the same
* the signature files sign the package contents, not the hash of whole .deb file (i.e. control.tar.gz and data.tar.gz).

Therefore two developers can easily create the same .deb if they have access to the signature file since they can just copy it. No need to run the signing process again.

If people create their own .deb files in a reproducible process, then copy in the same signature files, then the hash of the .deb will be the same. I see no reason for changing the .deb between sid and testing, except for perhaps how existing implementations are doing it. It is usually worth the work to do things the right way, rather than the easy way.

I agree with this sentiment, i think we're trying to sort out what is the right way.

The build verification process needs to happen between the package upload and publishing to sid or security updates. Two builds is easy: the .deb that the uploader generates and the one the Debian process makes. That is probably enough. In Debian's case, it probably is too complicated to include multiple signatures. In that case, there should be only one canonical signature by dak once the build verification signature threshold has been passed. Then all of the other signatures could be added to .buildinfo or .changes or whatever other file.

but the .buildinfo file is designed to say i generated the .deb that matches this digest exactly, which the corroborating builder cannot do, because they cannot produce the internal signature.

No need to produce the signature, just copy it!

Plus, we now have two different places to look for signatures. one canonical one and then some external ones, and the signatures themselves have different properties (one signs parts of the deb, the other signs the whole .deb; one signs the build environment, the other does not, etc)

Definitely look at jar signing, it handles multiple signatures fine. I see no reason why you can't include an unlimited number of signatures in a .deb. Changing the number of signatures will change the hash of the .deb, that is why there needs to be a canonical set of signatures for each .deb. As for signing the hash of the entire .deb, that is what apt already gives us, that does not need to be reproduced in the dpkg-sig embedded signature. For people who want to verify the contents of a .deb with any kind of signature, then a tool will have to compare the hashes of control.tar.gz and data.tar.gz.

Another option is to do it like f-droid.org does. F-droid.org generates an APK signing key for each app, then manages the signing on a specialized signing server.

Or another option is just requiring all the signers to be from the debian-keyring, rather than an exact match for previous signers.

Again, i think this is getting ahead of the discussion. i'm not proposing that we try to set debian (or other derived distro) archive policy here, i just think we want to think

In any case, the .deb needs to remain unchanged.

right. but it can't be unchanged if the archive distributor decides that a different signer is the canonical signer. So you're making the contents of the .deb dependent on archive policy, rather than the other way around. I *want* ubuntu and debian and mint to all ship the exact same .deb for any packages that are reproducible (and eventually, all packages!) that they share, and i also want those different distros to be able to produce the reproducible .deb independently of one another. If foo_1.2-3_mipsel.deb is built first on the ubuntu builders and ubuntu decides to include it in the archive, and then debian is able to reproduce that build
Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
On 2014-09-24 23:05, Hans-Christoph Steiner wrote:
> * the signature files sign the package contents, not the hash of whole .deb file (i.e. control.tar.gz and data.tar.gz).

So preinst and friends would not be signed? Sounds dangerous to me.

Archive: https://lists.debian.org/20140925035052.GA20936@fama
Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
W. Martin Borgert wrote:
> On 2014-09-24 23:05, Hans-Christoph Steiner wrote:
> > * the signature files sign the package contents, not the hash of whole .deb file (i.e. control.tar.gz and data.tar.gz).
>
> So preinst and friends would not be signed? Sounds dangerous to me.

All package contents would be signed, except the signature itself. The signature would be a separate file in the ar archive of the .deb that signs control.tar.gz and data.tar.gz. See jar or apk format for an example of how this works.

.hc

Archive: https://lists.debian.org/5423991b.5010...@at.or.at
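The exchange above (the "copy the signature into the rebuilt .deb" idea, and the question of whether preinst is covered) is easier to reason about with a small model in hand. The following Python is an added example written for this page; it is not code from the thread, from dpkg or from dpkg-sig. It builds a .deb as a classic ar archive with debian-binary, control.tar.gz and data.tar.gz, computes a digest over just the two tarballs (my own stand-in for "the signature signs control.tar.gz and data.tar.gz", not dpkg-sig's real format), appends a hypothetical `_signature` member holding placeholder bytes rather than a real OpenPGP signature, and shows that two reproducible builders get the same content digest, differ in whole-file hash once each adds its own signature, and agree byte for byte again after one copies the other's signature member. The package contents are constructed sample data.

```python
import gzip
import hashlib
import io
import struct
import tarfile

# Toy model of the layout discussed in the thread: a .deb is an "ar" archive with
# debian-binary, control.tar.gz and data.tar.gz; the signature is one more member
# covering control.tar.gz and data.tar.gz, not the whole file. Sample package
# contents are constructed; signature bytes are placeholders, not real OpenPGP.

AR_MAGIC = b"!<arch>\n"
SIGNED_MEMBERS = ("control.tar.gz", "data.tar.gz")
SIG_MEMBER = "_signature"   # hypothetical name; dpkg-deb skips '_'-prefixed members

def ar_pack(members):
    """Serialise an ordered list of (name, bytes) as a classic ar archive."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        # fixed 60-byte header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) "`\n"
        hdr = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
               + "100644".ljust(8) + str(len(data)).ljust(10) + "`\n")
        out += hdr.encode("ascii") + data
        if len(data) % 2:        # members are padded to an even offset
            out += b"\n"
    return bytes(out)

def ar_unpack(blob):
    """Parse an ar archive back into an ordered list of (name, bytes)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip(" /")
        size = int(hdr[48:58])
        body = blob[pos + 60:pos + 60 + size]
        if len(body) != size:
            raise ValueError("truncated member %r" % name)
        members.append((name, body))
        pos += 60 + size + (size % 2)
    return members

def make_tgz(files):
    """Deterministic tar.gz of {path: bytes}: fixed mtime/uid/gid/order and gzip
    mtime 0, so two independent builders produce byte-identical members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(files):
            info = tarfile.TarInfo("./" + path)
            info.size, info.mtime, info.mode = len(files[path]), 0, 0o755
            tar.addfile(info, io.BytesIO(files[path]))
    return gzip.compress(buf.getvalue(), mtime=0)

def build_deb(control_files, data_files):
    return ar_pack([("debian-binary", b"2.0\n"),
                    ("control.tar.gz", make_tgz(control_files)),
                    ("data.tar.gz", make_tgz(data_files))])

def content_digest(deb):
    """What the embedded signature covers: control.tar.gz and data.tar.gz, each
    bound to its member name and length. Maintainer scripts such as preinst live
    inside control.tar.gz, so they are covered too."""
    members = dict(ar_unpack(deb))
    h = hashlib.sha256()
    for name in SIGNED_MEMBERS:
        h.update(name.encode() + b"\0" + struct.pack(">Q", len(members[name])) + members[name])
    return h.hexdigest()

def whole_file_digest(deb):
    """What apt's Release/Packages chain hashes: every byte, signature member included."""
    return hashlib.sha256(deb).hexdigest()

def add_signature(deb, sig_bytes):
    members = [m for m in ar_unpack(deb) if m[0] != SIG_MEMBER]
    return ar_pack(members + [(SIG_MEMBER, sig_bytes)])

def copy_signature(signed_deb, rebuilt_deb):
    """Reuse an existing signature on an independently rebuilt .deb, refusing when
    the signed members differ (the signature could not verify over other content)."""
    if content_digest(signed_deb) != content_digest(rebuilt_deb):
        raise ValueError("control.tar.gz/data.tar.gz differ; signature does not apply")
    return add_signature(rebuilt_deb, dict(ar_unpack(signed_deb))[SIG_MEMBER])

# constructed sample package
CONTROL = {"control": b"Package: demo\nVersion: 1.0\nArchitecture: all\n",
           "preinst": b"#!/bin/sh\necho preinst\n"}
DATA = {"usr/bin/demo": b"#!/bin/sh\necho demo\n"}

def demo():
    a = add_signature(build_deb(CONTROL, DATA), b"PLACEHOLDER-SIG-FROM-BUILDER-A")
    b_rebuilt = build_deb(CONTROL, DATA)            # second builder, same sources
    b_own_sig = add_signature(b_rebuilt, b"PLACEHOLDER-SIG-FROM-BUILDER-B")
    b_copied = copy_signature(a, b_rebuilt)
    return {"same_content": content_digest(a) == content_digest(b_own_sig),
            "own_sig_changes_file_hash": whole_file_digest(a) != whole_file_digest(b_own_sig),
            "copied_sig_restores_file_hash": whole_file_digest(a) == whole_file_digest(b_copied)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `copy_signature` guard is the check a verifier would want before trusting a reused signature: it only applies when the rebuilt control.tar.gz and data.tar.gz are byte-identical, so a changed preinst (which lives in control.tar.gz) is rejected rather than silently carrying the old signature. The whole-file digest is still what apt's Packages index pins, which is why the thread needs a canonical set of signatures per .deb.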
External check
CVE-2014-0170: RESERVED

--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.

--
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/54226930.nimgthzhee+t7moq%atomo64+st...@gmail.com
Re: Guidance on no-dsa and adding entries to dsa/dla-needed.txt
Hi,

On Tuesday, 23 September 2014, Michael Gilbert wrote:
> There is a page that lists candidates for DTSA (Debian Testing Security Announcements), which aren't actually done anymore

I can remove it, if it's really not used at all anymore.

> , but something like that would be very useful for DSA and DLA candidates.

how were those candidates determined?

> Then the separate text files could go away, and we can just use no-dsa in the CVE list to keep those pages up to date.

you mean those dsa-needed.txt and dla-needed.txt files?

cheers,
Holger
Re: Guidance on no-dsa and adding entries to dsa/dla-needed.txt
Hi all,

On Wed, Sep 24, 2014 at 02:37:00PM +0200, Holger Levsen wrote:
[...]
> > Then the separate text files could go away, and we can just use no-dsa in the CVE list to keep those pages up to date.
>
> you mean those dsa-needed.txt and dla-needed.txt files?

We could. But right now we also use the (dla|dsa)-needed.txt lists to have an assignment of who is working on what DSA/DLA.

Regards,
Salvatore

Archive: https://lists.debian.org/20140924124251.ga31...@lorien.valinor.li
Processed: user www.debian....@packages.debian.org, forcibly merging 762254 751403, usertagging 751403
Processing commands for cont...@bugs.debian.org:

> user www.debian@packages.debian.org
Setting user to www.debian@packages.debian.org (was taf...@debian.org).
> forcemerge 762254 751403
Bug #762254 [www.debian.org] explain LTS on the www.d.o website
Bug #751403 [www.debian.org] www.debian.org: /News/2014/20140424 missing link how to use squeeze LTS
761945 was blocked by: 762254 762255
761945 was not blocking any bugs.
Added blocking bug(s) of 761945: 751403
Merged 751403 762254
> usertags 751403 content
Usertags were: content news.
Usertags are now: content news.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
751403: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751403
761945: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761945
762254: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762254
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Archive: https://lists.debian.org/handler.s.c.141158582314426.transcr...@bugs.debian.org