Package: ca-certificates
Version: 20210119
Severity: normal
X-Debbugs-Cc: s.egb...@sbcglobal.net
Dear Maintainer,
A group of auditors were reviewing the CA inclusion process
and have examined `update-ca-certificates` and its code.
This issue is not about the PKI nor its certificate
Actual workaround is to remove ‘noexec’ from both /tmp and /var. Tested it
working without “noexec” mount options on ‘apt upgrade exim4-base’ to version
‘4.94.2-7’
This makes it like a major work-stoppage of dealing with 1,000s of those
hardened Debian systems.
> On Oct 5, 2021, at 4:00 PM,
workaround of removing ‘noexec’ from /tmp partition in /etc/fstab still doesn’t
work.
00 [TERM="linux" TTY="/dev/tty1" COLUMNS="80" LINES="25"]
root@circa:~# apt upgrade exim4-base
Reading package lists... 0%
Reading package lists... 100%
Reading package lists... Done
WORKAROUND
Remove the “no exec” from /tmp mount point options in /etc/fstab, reboot, then
attempt ‘apt upgrade exim4-base’ so that Perl script for ‘exam-config’ can
continue.
OUTPUT of failed upgrade:
~# apt upgrade exim4-base
Reading package lists... 0%
Reading package lists...
There is still a Mismatched SOCK filespec implemented by chronyd and chronyc.
The saving grace was that loopback network interface hid this bug very well and
saved the day for nearly everyone (who is not an expert Chronyd configurer)...
That is, until the directive 'cmddeny 127.0.0.1' is
.
>
> After having stopped chronyd, please run the command below when using the
> 'bindacqdevice' directive and attach the chronyd_debug.txt file.
>
> # strace -o chronyd_debug.txt chronyd -d -F -1
OK, I did some more testing on my so-called fix: SO_BINDTOADDRESS define
statement made no
t 9:10 AM, Vincent Blut wrote:
>
> Le 2021-09-28 12:54, S Egbert a écrit :
>> Trying attachment again.
>
> Thanks. To see what happens when blocking only a small number of specific
> syscalls, could you please run the following command and attach the
> chronyd-debug.
Summary:
The syscall filter daemon option flag -F is the cure.
Using '-F 0' to disable the syscall filter works. No other settings are
workable.
A summary table:
Chrony     -- daemon flags used --
Version    -F0    -F1     -F-1
-------    ---    ------  ------
4.0-9      ok     SIGSYS  SIGSYS
>> Trying attachment again.
>
> Thanks. To see what happens when blocking only a small number of specific
> syscalls, could you please run the following command and attach the
> chronyd-debug.txt file?
>
> # timeout 10 strace -o chronyd-debug.txt -e trace=setsockopt chronyd -d -F 2
So why did it not use the Unix socket but fell back to 127.0.0.1 approach?
I wonder what happens if I do ‘cmddeny all’?
Trying attachment again.
It failed under iPhone 14.5.
Should succeed with Thunderbird/macOS
# ps auxwww | grep chronyd
_chrony 3597 0.0 0.0 18972 3696 ? S 11:00 0:00 /usr/sbin/chronyd -F 1 -L 0
_chrony 3598 0.0 0.0 10780 2984 ? S 11:00 0:00
On Tue, 06 Sep 2016 20:32:46 -0400 Steve Egbert
wrote:
Workaround to this is to downgrade the main libpam0g package to meet the
dev-package's version:
sudo apt-get install libpam0g=1.1.8-3.1+deb8u1+b1
>
> The following packages have unmet dependencies:
>
I too have the same problem on Debian as 3 others do.
As a former Ethernet driver developer, I noticed that the queue is empty
when the interrupt was fired. And that it appeared hung in the Linux
qdisc portion at Interrupt context, to a point of having watchdog timer
expiring.
My relevant