Re: Old kernel versions cleaned out of packages list

2023-08-30 Thread l0f4r0
Hi,

30 August 2023, 07:19 from car...@debian.org:

> They were cleaned up to make up space, as they are superseded by
> newer versions.
>
> In future this might even happen more automatically and the old
> package auto-decrufted from the archive once new versions are present
> in the archive.
>
I totally understand that storage is not infinite and that space must be made
sometimes.
However, wouldn't an automatic and systematic purge be contrary to the purpose of
snapshot.debian.org? Or maybe it would be an exception here because we have no
choice?

Thanks in advance.
l0f4r0



[SECURITY] [DSA 5486-1] json-c security update

2023-08-30 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

--------------------------------------------------------------------------
Debian Security Advisory DSA-5486-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 30, 2023                       https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: json-c
CVE ID : CVE-2021-32292

An invalid memory access was discovered in json-c, a JSON library, which
could result in denial of service.

For the oldstable distribution (bullseye), this problem has been fixed
in version 0.15-2+deb11u1.

We recommend that you upgrade your json-c packages.

For the detailed security status of json-c please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/json-c

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org



[SECURITY] [DSA 5485-1] firefox-esr security update

2023-08-30 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

--------------------------------------------------------------------------
Debian Security Advisory DSA-5485-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 30, 2023                       https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: firefox-esr
CVE ID : CVE-2023-4573 CVE-2023-4574 CVE-2023-4575 CVE-2023-4581 CVE-2023-4584

Multiple security issues have been found in the Mozilla Firefox
web browser, which could potentially result in the execution
of arbitrary code.

For the oldstable distribution (bullseye), these problems have been fixed
in version 102.15.0esr-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in
version 102.15.0esr-1~deb12u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org



Re: Old kernel versions cleaned out of packages list

2023-08-30 Thread Adi Kriegisch
Hi Salvatore, 

thank you very much for getting back to me.

On Wed, Aug 30, 2023 at 07:18:42AM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Tue, Aug 29, 2023 at 02:52:55PM +0200, Adi Kriegisch wrote:
> > Dear maintainers,
> > 
> > I hope this is the correct mailing list for my issue:
> > 
> > Apparently all older kernel versions have been removed from Debian
> > Security's Packages list some time on August 26th before 19:07[1].
> > 
> > As I completely understand that the debian-security service is no archive
> > for very old packages (like linux-image-5.10.0-9 for example),
> > I'd very much appreciate to at least keep one older version listed there
> > as Debian itself also prefers to keep at least two kernel versions 
> > installed.
> > 
> > The reason for this is that our monitoring system checks for packages not
> > installed from a Debian repository and we got alerted for kernels
> > linux-image-5.10.0-24 and linux-image-6.1.0-10.
> > 
> > Is there any chance to get at least one more kernel "back"? :)
> 
> They were cleaned up to make up space, as they are superseded by
> newer versions.
> 
> In future this might even happen more automatically and the old
> package auto-decrufted from the archive once new versions are present
> in the archive.
I am absolutely in favor of cleaning up and actually this is what we're
doing after upgrading kernels (apt --purge autoremove). No matter what,
Debian keeps the latest two ABI versions, currently 5.10.0-24 and
5.10.0-25 or 6.1.0-10 and 6.1.0-11.

We also try to do our best with testing upgrades from s-p-u where we once
stumbled across an issue with mpt3sas and xen[1] (thank you very much,
again, for your help with this!) which of course isn't easily possible
for security upgrades. So there is value in having at least one older
version available to reduce the risk of failure after an upgrade.

And this is what I am asking for: would it be possible to just keep the
kernels that Debian automatically keeps installed in the repository?

all the best,
Adi

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022126


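As an added example (not code from the thread, nor from Debian or its tooling): the condition Adi's monitoring trips on, written as a shell function that parses `apt-cache policy` output and reports installed packages whose installed version is no longer offered by any configured repository. The sample policy output and its version strings are constructed for the example.

```shell
#!/bin/sh
# Flag installed packages whose installed version is not carried by any
# configured repository any more (only /var/lib/dpkg/status knows it).
# This is what happens to an older kernel ABI once it is removed from
# the security archive while it is still installed on the host.

# Parse `apt-cache policy` output on stdin. The version entry marked
# '***' is the installed one; if its only listed source is the dpkg
# status file, no repository still ships that exact version.
orphaned_packages() {
  awk '
    function flush() {
      if (pkg != "" && installed != "" && installed != "(none)" && !has_repo)
        print pkg
    }
    /^[^ ].*:$/ { flush(); pkg = substr($0, 1, length($0) - 1)
                  installed = ""; has_repo = 0; in_inst = 0; next }
    /^  Installed:/ { installed = $2; next }
    /^ \*\*\*/      { in_inst = 1; next }   # installed version entry
    /^     [^ ]/    { in_inst = 0; next }   # some other version entry
    /^        [0-9]+ / { if (in_inst && $2 != "/var/lib/dpkg/status") has_repo = 1; next }
    END { flush() }
  '
}

# Constructed sample: one ABI still in the repo, one already removed,
# and one package that is not installed. Version strings are made up.
sample_policy() {
  cat <<'EOF'
linux-image-5.10.0-24-amd64:
  Installed: 5.10.0-24.constructed
  Candidate: 5.10.0-24.constructed
  Version table:
 *** 5.10.0-24.constructed 100
        100 /var/lib/dpkg/status
linux-image-5.10.0-25-amd64:
  Installed: 5.10.0-25.constructed
  Candidate: 5.10.0-25.constructed
  Version table:
 *** 5.10.0-25.constructed 500
        500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
        100 /var/lib/dpkg/status
linux-image-5.10.0-23-amd64:
  Installed: (none)
  Candidate: (none)
  Version table:
EOF
}

# On a real host, feed the function with:
#   apt-cache policy $(dpkg-query -W -f='${Package}\n' 'linux-image-*')
sample_policy | orphaned_packages
```

Only `linux-image-5.10.0-24-amd64` is reported: its installed version has no repository source left, exactly the case a "package not from a Debian repository" alert fires on after the archive cleanup.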


External check

2023-08-30 Thread Security Tracker
CVE-2020-23793: TODO: check, likely same fix as CVE-2016-9577
CVE-2023-38283: TODO: check
CVE-2023-40590: TODO: check
CVE-2023-4567: missing from list
CVE-2023-4586: missing from list
CVE-2023-4611: missing from list
--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.