Bug#955038: Staat_der_Nederlanden_Root_CA_-_G2.crt still in package

2020-06-02 Thread Hanno Böck
The ca-certificates version 20200601 removes various old/obsolete certificates, but still contains one expired certificate: Staat_der_Nederlanden_Root_CA_-_G2.crt This expired on March 25 2020 and should probably also be removed. -- Hanno Böck https://hboeck.de/

Bug#893033: util-linux instead of bsdmainutils

2020-04-25 Thread Hanno Böck
rsion from bsdmainutils. -- Hanno Böck https://hboeck.de/

Bug#921663: Please add python-certbot update to jessie-backports

2019-02-07 Thread Hanno Böck
Package: python-certbot Regarding the Let's Encrypt / TLS-SNI-01 situation I think the python-certbot 0.28.0 update should be added to jessie-backports (for context see bugs #887399 and #888703). It seems to be common that people on Jessie installed python-certbot from the jessie-backports

Bug#887399: Question about stable-updates

2019-01-28 Thread Hanno Böck
From what I understand the "stable-updates suite" is not part of the normal Debian stable distribution. I also don't see the update with an "apt update; apt upgrade". Is the plan to keep it that way? In effect this means all "normal" stable users who don't do anything extra will still have a

Bug#911289: ca-certificates should remove Symantec certs

2018-10-18 Thread Hanno Böck
Package: ca-certificates Version: 20180409 I think most people are aware that browser vendors agreed to distrust certificates by Symantec and they no longer issue certificates (their business got sold to Digicert). This should also be reflected in the ca-certificates package and the Symantec

Bug#891907: memcached should disable UDP by default

2018-03-07 Thread Hanno Böck
published fixes for several versions, maybe their patches can be used: https://bugs.launchpad.net/ubuntu/+source/memcached/+bug/1752831 -- Hanno Böck https://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Bug#891907: CVE-2018-1000115

2018-03-03 Thread Hanno Böck
This got CVE-2018-1000115 assigned.

Bug#891907: memcached should disable UDP by default

2018-03-02 Thread Hanno Böck
Package: memcached Version: 1.4.33-1 Memcached is currently involved in some massive DDoS attacks, see e.g.: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ The UDP protocol of memcached can be abused for very effective DDoS amplification attacks and should

Bug#874034: Debian should disable legacy vsyscall

2017-09-02 Thread Hanno Böck
Package: kernel The current Debian kernels support the legacy vsyscall method. This can be a security risk and is not needed within a modern system. Background: vsyscall was a method to map commonly used kernel functions into application space to a fixed address. It has been replaced by the more

Bug#873122: HTTP Link to Keyring

2017-08-24 Thread Hanno Böck
Package: www.debian.org When downloading a Debian CD there's a webpage explaining how to verify signatures: https://www.debian.org/CD/verify This recommends to check the signatures with the keys from the Debian GPG keyring. However that link is HTTP, pointing to: http://keyring.debian.org/ It

Bug#860256: chromium .desktop file Icon definition is not valid

2017-04-13 Thread Hanno Böck
Package: chromium Version: 56.0.2924.76-5 The .desktop file in the chromium deb is not valid according to the desktop-file-validate tool. The error is pretty self-explaining, it's referencing "chromium.png" for the Icon, it shouldn't do that (but only "chromium"):

Bug#832920: HSTS

2016-07-29 Thread Hanno Böck
Please also add an HSTS header to enforce future connections to be HTTPS and avoid SSL Stripping attacks.

Bug#772765: fix

2015-04-24 Thread Hanno Böck
Just FYI: I also discovered this bug and tracked it down. It has nothing to do with Debian and is a dovecot upstream bug. See here: http://dovecot.org/pipermail/dovecot/2015-April/100618.html Patch: http://dovecot.org/pipermail/dovecot/attachments/20150424/bade681d/attachment.bin

Bug#783174: Randomized timestamps

2015-04-23 Thread Hanno Böck
What's happening here is that some TLS implementations and servers started randomizing their timestamps. Seems this happened on www.ptb.de. Other distributions sometimes have www.google.com set as their timesource. This is more reliable because google itself is using tlsdate for chromeos. On the

Bug#766314: unp uses deprecated have keyword in bash completion

2014-10-22 Thread Hanno Böck
Package: unp Version: 2.0~pre7+nmu1 The bash completion file in the package unp uses the deprecated have keyword. According to bash completion this should no longer be used: http://anonscm.debian.org/cgit/bash-completion/bash-completion.git/tree/bash_completion#n125 Bash completion rules should

Bug#688383: Add audio/opus mimetype for .opus extension to mime.types

2012-09-22 Thread Hanno Böck
Package: mime-support Version: 3.53 Severity: wishlist Please add a line to mime.types for the new IETF opus audio codec. According to xiph, this should be audio/ogg with the extension .opus: https://wiki.xiph.org/OggOpus#Content_Type Or if one wants to be more precise, 'audio/ogg; codecs=opus'.

Bug#492369: xz support

2009-12-22 Thread Hanno Böck
I modified your last patch so it also includes .tar.xz-support. What's probably missing is xz/lzma-support without .tar, I was too lazy to figure out the gz/bzip2-logic. diff -Naur unp-1.0.15/unp unp-1.0.15-1/unp --- unp-1.0.15/unp 2008-05-18 02:55:54.0 +0200 +++ unp-1.0.15-1/unp

Bug#440318: Hybrid auth available in svn snapshot

2009-11-17 Thread Hanno Böck
Hybrid auth based on gnutls is available in the svn version of vpnc. So bumping to an svn snapshot fixes this issue without license implications. You can find an svn snapshot here: http://distfiles.gentoo.org/distfiles/vpnc-0.5.3_p449.tar.bz2 -- Hanno Böck Blog: http

Bug#492369: Patch does not work

2008-11-05 Thread Hanno Böck
I get this when using your patch: [EMAIL PROTECTED] /tmp $ unp /usr/portage/distfiles/eix-0.14.2.tar.lzma Bareword found where operator expected at /usr/bin/unp line 42, near 7z (Missing operator before z?) syntax error at /usr/bin/unp line 42, near 7z Execution of /usr/bin/unp aborted