Re: Security hole in kernel fixed?

2024-05-15 Thread The Wanderer
On 2024-05-15 at 03:05, Hans wrote: > Dear developers, As usual, most of us here are not Debian developers, even if some of us may be software developers. > in April 2024 the security hole CVE-2023-6546 was discovered in linux-image, > and I believe, it > is fixed in kernel 6.1.0

Security hole in kernel fixed?

2024-05-15 Thread Hans
Dear developers, in April 2024 the security hole CVE-2023-6546 was discovered in linux-image, and I believe, it is fixed in kernel 6.1.0 (from debian/stable) as soon after this a new kernel was released. However, there is no new kernel 6.5.0-*-bpo released at that time, so my question

Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise

2024-03-30 Thread Andy Smith
led by Debian? You can find a reference for advisories here: https://www.debian.org/security/ And you can be fed info by email by subscribing to: https://lists.debian.org/debian-security-announce/ Between those last two links your specific question here is answered but in case you obj

Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise

2024-03-30 Thread Michel Verdier
On 2024-03-30, fxkl4...@protonmail.com wrote: > so is this a threat to us normal debian users > if so how do we fix it Debian stable is not affected, Debian testing, unstable and experimental must be updated. https://lists.debian.org/debian-security-announce/2024/msg00057.html

Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise

2024-03-30 Thread fxkl47BF
ic key) passed to RSA_public_decrypt, checked > against a simple fingerprint, and decrypted with a fixed ChaCha20 key > before the Ed448 signature verification..." Also see > <https://www.openwall.com/lists/oss-security/2024/03/30/36>. > > On Fri, Mar 29, 2024 at 1:52 PM Jeffrey W

Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise

2024-03-30 Thread Jeffrey Walton
ature verification..." Also see <https://www.openwall.com/lists/oss-security/2024/03/30/36>. On Fri, Mar 29, 2024 at 1:52 PM Jeffrey Walton wrote: > > Seems relevant since Debian adopted xz about 10 years ago. > > -- Forwarded message - > From: Andres Fr

Re: Fwd: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise

2024-03-29 Thread Andy Smith
Hello, On Fri, Mar 29, 2024 at 01:52:18PM -0400, Jeffrey Walton wrote: > Seems relevant since Debian adopted xz about 10 years ago. Though we do not know how or why this developer has come to recently put apparent exploits in it, so we can't yet draw much of a conclusion beyond "sometimes people

Re: Fwd: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise

2024-03-29 Thread Roberto C . Sánchez
On Fri, Mar 29, 2024 at 01:52:18PM -0400, Jeffrey Walton wrote: > Seems relevant since Debian adopted xz about 10 years ago. > Also note that this has been addressed in Debian: https://lists.debian.org/debian-security-announce/2024/msg00057.html Provided here for the benefit tho

Re: seeding /dev/random from a security key

2024-03-26 Thread Jeffrey Walton
On Tue, Mar 26, 2024 at 7:12 PM Björn Persson wrote: > > Jeffrey Walton wrote: > > For what you want to do, and if I am parsing it correctly... I would > > write a daemon in C [...] > > Only in the unlikely case that both RNGD and SCDrand turn out unsuitable > somehow. Writing and compiling a

Re: seeding /dev/random from a security key

2024-03-26 Thread Björn Persson
Jeffrey Walton wrote: > For what you want to do, and if I am parsing it correctly... I would > write a daemon in C [...] Only in the unlikely case that both RNGD and SCDrand turn out unsuitable somehow. Writing and compiling a daemon is no less work than compiling an already written daemon. >

Re: seeding /dev/random from a security key

2024-03-26 Thread Jeffrey Walton
> > Be careful of rng-tools. It does not do a good job for non-mainstream > > generators, like VIA's Padlock Security Engine. And rng-tools did not > > support generators for architectures, like you would find on ARM, > > aarch64 and PowerPC. > > I figure it can be used

Re: seeding /dev/random from a security key

2024-03-26 Thread Björn Persson
computer instead of buying a tiny dongle? > Be careful of rng-tools. It does not do a good job for non-mainstream > generators, like VIA's Padlock Security Engine. And rng-tools did not > support generators for architectures, like you would find on ARM, > aarch64 and PowerPC. I

Re: seeding /dev/random from a security key

2024-03-25 Thread Jeffrey Walton
On Mon, Mar 25, 2024 at 4:33 PM Björn Persson wrote: > > In a quest to acquire hardware random number generators for seeding > /dev/random on servers that lack a built-in entropy source, I'm > investigating how random data can be obtained from a security key such > as a Ni

Re: seeding /dev/random from a security key

2024-03-25 Thread Björn Persson
her security keys can be used instead. Security keys are available from multiple vendors, but it's hard to find any information about the random number generators inside them. > OneRNG is still in production. I tried to buy one of those a while ago, but I couldn't because the shop didn't like m

Re: seeding /dev/random from a security key

2024-03-25 Thread Greg Wooledge
On Mon, Mar 25, 2024 at 06:09:02PM -0400, e...@gmx.us wrote: > On 3/25/24 17:27, Andy Smith wrote: > > The thread covers how to make rngd feed /dev/random from a OneRNG in > > Debian 12, but it is no longer possible to tell if that does > > anything useful. > > If not from devices like this, from

Re: seeding /dev/random from a security key

2024-03-25 Thread eben
On 3/25/24 17:27, Andy Smith wrote: The thread covers how to make rngd feed /dev/random from a OneRNG in Debian 12, but it is no longer possible to tell if that does anything useful. If not from devices like this, from where does Debian get its randomness? -- For is it not written,

Re: seeding /dev/random from a security key

2024-03-25 Thread Andy Smith
Hi, On Mon, Mar 25, 2024 at 09:24:23PM +0100, Björn Persson wrote: > Does anyone know of another way to obtain random data from devices of > this kind? I have some EntropyKeys and some OneRNGs. I have the rngd packaged in Debian feeding /dev/random from them. This had an actual noticeable

seeding /dev/random from a security key

2024-03-25 Thread Björn Persson
Hello! In a quest to acquire hardware random number generators for seeding /dev/random on servers that lack a built-in entropy source, I'm investigating how random data can be obtained from a security key such as a Nitrokey, Yubikey or a similar device. RNGD version 6 from https://github.com

Re: No Release file for Security Update

2024-01-19 Thread debian-user
Tixy wrote: > On Thu, 2024-01-18 at 12:06 -0600, John Hasler wrote: > > Tixy writes: > > > Where could your machine be getting this IP address from?  It's > > > the same IP address shown in your output when you used the > > > incorrect address 'ftp.security.debian.org' and for me that > > >

SOLVED Re: No Release file for Security Update SOLVED

2024-01-18 Thread Thomas George
://deb.debian.org/debian/ bookworm-updates main non-free-firmware contrib non-free deb-src http://deb.debian.org/debian/ bookworm-updates main non-free-firmware contrib non-free deb http://security.debian.org/debian-security bookworm-security main non-free-firmware contrib non-free deb-src http

Re: No Release file for Security Update

2024-01-18 Thread Greg Wooledge
On Thu, Jan 18, 2024 at 10:59:48AM -0600, John Hasler wrote: > Host gives me the same result. However, apt says: > > 0% [Connecting to security-debian.org (57.128.81.193)] security-debian.org and security.debian.org are different names.

Re: No Release file for Security Update

2024-01-18 Thread Tixy
gt; > > I was using the address that George _said_ he used in his email, > > > > obviously he was wrong and just mis-typing emails rather than copy and > > > > pasting in what he was actually using :-( > > > > Of course you're also guilty John ;-) saying 'ftp.security.debian.org' > > resolved, but at least you pasted a command showing what you really > > used :-) And now you can all point out that it was me that was misquoting the address and using a dot where in fact everyone else was using a hyphen in 'debian-security'. I'll now slink away red faced and try and find a hole big enough to crawl into... -- Tixy

Re: No Release file for Security Update

2024-01-18 Thread Tixy
On Thu, 2024-01-18 at 18:16 +, Tixy wrote: > On Thu, 2024-01-18 at 12:06 -0600, John Hasler wrote: > > Tixy writes: > > > Where could your machine be getting this IP address from?  It's the > > > same IP address shown in your output when you used the incorrect > > > address

Re: No Release file for Security Update

2024-01-18 Thread Tixy
On Thu, 2024-01-18 at 12:06 -0600, John Hasler wrote: > Tixy writes: > > Where could your machine be getting this IP address from?  It's the > > same IP address shown in your output when you used the incorrect > > address 'ftp.security.debian.org' and for me that doesn't resolve to > > any IP

Re: No Release file for Security Update

2024-01-18 Thread John Hasler
status: NOERROR, id: 2686 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;ftp.security-debian.org. IN A ;; ANSWER SECTION: ftp.security-debian.org. 3296 IN CNAME

Re: No Release file for Security Update

2024-01-18 Thread Tixy
On Thu, 2024-01-18 at 10:48 -0500, Thomas George wrote: > On 1/17/24 20:52, Greg Wooledge wrote: > > On Wed, Jan 17, 2024 at 08:40:58PM -0500, Thomas George wrote: > > > deb http://ftp.security-debian.org/debian-security/ bookworm-security main > > > non-free non-free

Re: No Release file for Security Update

2024-01-18 Thread John Hasler
Host gives me the same result. However, apt says: 0% [Connecting to security-debian.org (57.128.81.193)] and times out. Using "nameserver 8.8.8.8" changes nothing. -- John Hasler j...@sugarbit.com Elmwood, WI USA

Re: No Release file for Security Update

2024-01-18 Thread John Hasler
Thomas George wrote: > I typed the above line exactly. apt-get update searches for > security.debian.org:80 [57.128.81.193] and times out, no connection Gene writes: > And that is not the address I get from here It's the one I get from here, and it times out. My DNS is working. -- John Hasler

Re: No Release file for Security Update SOLVED

2024-01-18 Thread Thomas George
non-free deb-src http://deb.debian.org/debian/ bookworm-updates main non-free-firmware contrib non-free deb http://security.debian.org/debian-security bookworm-security main non-free-firmware contrib non-free deb-src http://security.debian.org/debian-security bookworm-security main non-free

Re: No Release file for Security Update

2024-01-18 Thread Thomas George
On 1/17/24 22:54, Todd Zullinger wrote: Greg Wooledge wrote: On Wed, Jan 17, 2024 at 08:40:58PM -0500, Thomas George wrote: deb http://ftp.security-debian.org/debian-security/ bookworm-security main non-free non-free-firmware Stop guessing, and *read* what you were told to use. https

Re: No Release file for Security Update

2024-01-18 Thread Greg Wooledge
On Thu, Jan 18, 2024 at 10:59:34AM -0500, gene heskett wrote: > And that is not the address I get from here > ping -c1 security.debian.org > PING security.debian.org (151.101.2.132) 56(84) bytes of data. > 64 bytes from 151.101.2.132 (151.101.2.132): icmp_seq=1 ttl=59 time=15.8 ms > > Your dns

Re: No Release file for Security Update

2024-01-18 Thread gene heskett
On 1/18/24 10:49, Thomas George wrote: On 1/17/24 20:52, Greg Wooledge wrote: On Wed, Jan 17, 2024 at 08:40:58PM -0500, Thomas George wrote: deb http://ftp.security-debian.org/debian-security/ bookworm-security main non-free non-free-firmware Stop guessing, and *read* what you were told

Re: No Release file for Security Update

2024-01-18 Thread gene heskett
On 1/18/24 10:49, Thomas George wrote: On 1/17/24 20:52, Greg Wooledge wrote: On Wed, Jan 17, 2024 at 08:40:58PM -0500, Thomas George wrote: deb http://ftp.security-debian.org/debian-security/ bookworm-security main non-free non-free-firmware Stop guessing, and *read* what you were told

Re: No Release file for Security Update

2024-01-18 Thread Thomas George
On 1/17/24 20:52, Greg Wooledge wrote: On Wed, Jan 17, 2024 at 08:40:58PM -0500, Thomas George wrote: deb http://ftp.security-debian.org/debian-security/ bookworm-security main non-free non-free-firmware Stop guessing, and *read* what you were told to use. https://lists.debian.org/debian

update of bookworm-security failed Formerly Re: No Release file for Security Update

2024-01-18 Thread Thomas George
* non-free-firmware, though. Also, if you don't want to use plain http, you can change this to https. deb http://ftp.debian.org/debian/ bookworm-security  main non-free non-free-firmware This one is incorrect, but someone else already addressed that one. Be sure you actually follow

Re: No Release file for Security Update

2024-01-17 Thread Charles Curley
-firmware > > deb http://ftp.debian.org/debian/ bookworm-updates main non-free > non-free-firmware > > # deb http://ftp.debian.org/debian/ bookworm-backports main non-free > non-free-firmware > > deb http://ftp.debian.org/debian/ bookworm-security  main non-free > non-

Re: No Release file for Security Update

2024-01-17 Thread Todd Zullinger
Greg Wooledge wrote: > On Wed, Jan 17, 2024 at 08:40:58PM -0500, Thomas George wrote: >> deb http://ftp.security-debian.org/debian-security/ bookworm-security main >> non-free non-free-firmware > > Stop guessing, and *read* what you were told to use. > > https://lists.

Re: No Release file for Security Update

2024-01-17 Thread Greg Wooledge
On Wed, Jan 17, 2024 at 08:40:58PM -0500, Thomas George wrote: > deb http://ftp.security-debian.org/debian-security/ bookworm-security main > non-free non-free-firmware Stop guessing, and *read* what you were told to use. https://lists.debian.org/debian-user/2024/01/msg00778.html

Re: No Release file for Security Update

2024-01-17 Thread Thomas George
don't want to use plain http, you can change this to https. deb http://ftp.debian.org/debian/ bookworm-security  main non-free non-free-firmware This one is incorrect, but someone else already addressed that one. Be sure you actually follow their instructions correctly. The hostnames

Re: No Release file for Security Update

2024-01-17 Thread Greg Wooledge
, you can change this to https. > deb http://ftp.debian.org/debian/ bookworm-security  main non-free > non-free-firmware This one is incorrect, but someone else already addressed that one. Be sure you actually follow their instructions correctly. The hostnames security.debian.org and ftp.secu

Re: No Release file for Security Update

2024-01-17 Thread Thomas George
On 1/17/24 16:13, Tom Furie wrote: Thomas George writes: deb http://ftp.debian.org/debian/ bookworm-security  main non-free non-free-firmware Err:5 http://ftp.debian.org/debian bookworm-security Release   404  Not Found [IP: 151.101. I entered your suggested line as http

Re: No Release file for Security Update

2024-01-17 Thread Tom Furie
Thomas George writes: > deb http://ftp.debian.org/debian/ bookworm-security  main non-free > non-free-firmware > Err:5 http://ftp.debian.org/debian bookworm-security Release >   404  Not Found [IP: 151.101. Your source is incorrect. The security repo is at "http://security.

Re: No Release file for Security Update

2024-01-17 Thread Thomas George
-firmware # deb http://ftp.debian.org/debian/ bookworm-backports main non-free non-free-firmware deb http://ftp.debian.org/debian/ bookworm-security  main non-free non-free-firmware sources.list (END) root@Phoenix:/etc/apt# apt-get update Hit:1 http://ftp.debian.org/debian bookworm InRelease

Re: No Release file for Security Update

2024-01-16 Thread Greg Wooledge
On Tue, Jan 16, 2024 at 05:48:27PM +0100, Marco Moock wrote: > On 16.01.2024 at 11:30:09, Thomas George wrote: > > > The result was  bookworm InRelease, bookworm-updates InRelease, > > bookworm-secutity Relesse 404 Not Found [IP: 146.75.30.132 80] > ^ > > There seems to be a

Re: No Release file for Security Update

2024-01-16 Thread Marco Moock
On 16.01.2024 at 11:30:09, Thomas George wrote: > The result was  bookworm InRelease, bookworm-updates InRelease, > bookworm-secutity Relesse 404 Not Found [IP: 146.75.30.132 80] ^ There seems to be a typo!

Re: No Release file for Security Update

2024-01-16 Thread Greg Wooledge
On Tue, Jan 16, 2024 at 11:30:09AM -0500, Thomas George wrote: > I commented out the dvd and added to sources.list lines for bookworm, > bookworm-updates and bookworm-security. What lines did you add? > Ran apt-get update > > The result was  bookworm InRelease, bookworm-up

No Release file for Security Update

2024-01-16 Thread Thomas George
My system is Bookworm installed from the first DVD which was downloaded with the checksums and successfully checked. I commented out the dvd and added to sources.list lines for bookworm, bookworm-updates and bookworm-security. Ran apt-get update The result was  bookworm InRelease, bookworm

Re: Where to report CVEs missing from the security tracker ?

2024-01-09 Thread Sven Joachim
On 2024-01-09 16:57 +0100, Jorropo wrote: > Hello, there are 6 CVEs on the golang-go package which are not on > https://security-tracker.debian.org/tracker/status/release/stable They are there, just not shown by default. Toggle the "include issues tagged no-dsa" checkbox t

Where to report CVEs missing from the security tracker ?

2024-01-09 Thread Jorropo
Hello, there are 6 CVEs on the golang-go package which are not on https://security-tracker.debian.org/tracker/status/release/stable I couldn't find them either there https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;package=golang-go The list is: - CVE-2023-29409 https://pkg.go.dev

Re: APT preferring `stable` over `stable-security`

2023-12-26 Thread Max Nikulin
On 26/12/2023 23:23, Dan Ritter wrote: https://wiki.debian.org/AptConfiguration#Be_careful_with_APT::Default-Release (quoted entirely) But omitting a couple of links to comments from developers that APT::Default-Release is deprecated. A tool to debug issues with upgrades is apt

Re: APT preferring `stable` over `stable-security`

2023-12-26 Thread Stefan Monnier
>> What am I missing? > https://wiki.debian.org/AptConfiguration#Be_careful_with_APT::Default-Release Indeed! Thank you! Apparently the release notes didn't warn me loudly enough about it :-( Stefan

Re: APT preferring `stable` over `stable-security`

2023-12-26 Thread Stefan Monnier
>> I take it this is bookworm. In that case, you also need: >> >> # bookworm-updates, to get updates before a point release is made; >> # see >> https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports >> deb http://deb.debian.org/debian bookworm-updates main

Re: APT preferring `stable` over `stable-security`

2023-12-26 Thread Dan Ritter
after > > apt install openssh-server/stable-security > > did the machine get the new version :-( > > The `sources.list` files says: > > deb http://security.debian.org/ stable-security main > deb http://deb.debian.org/debian stable main > > and the `ap

Re: APT preferring `stable` over `stable-security`

2023-12-26 Thread Stefan Monnier
>> The `sources.list` files says: >> >> deb http://security.debian.org/ stable-security main >> deb http://deb.debian.org/debian stable main > > I take it this is bookworm. In that case, you also need: > > # bookworm-updates, to get updates before a poi

Re: APT preferring `stable` over `stable-security`

2023-12-26 Thread Charles Curley
On Tue, 26 Dec 2023 11:12:01 -0500 Stefan Monnier wrote: > The `sources.list` files says: > > deb http://security.debian.org/ stable-security main > deb http://deb.debian.org/debian stable main I take it this is bookworm. In that case, you also need: # bookworm-updates, to

APT preferring `stable` over `stable-security`

2023-12-26 Thread Stefan Monnier
I noticed today that one of my machines was still running openssh 1:9.2p1-2+deb12u1 rather than 1:9.2p1-2+deb12u2 even though it is supposed to do its unattended-upgrades, so I tried a manual upgrade and the result was still the same. Only after apt install openssh-server/stable-security

Re: Security vulnerability at curl package: CVE-2023-44487: HTTP/2 Rapid Reset

2023-11-28 Thread Phil Wyett
es Aufsichtsrats: Dr. Markus Forschner > > Hi, For Ubuntu reference of which versions are or are not affected, see: https://ubuntu.com/security/CVE-2023-44487 Regards Phil -- Playing the game for the games sake. * Debian Maintainer Web: * Debian Wiki: https://wiki.debian.org/Phil

Re: Security vulnerability at curl package: CVE-2023-44487: HTTP/2 Rapid Reset

2023-11-28 Thread Brad Rogers
On Tue, 28 Nov 2023 08:56:28 + "Marold Marcus (DC-AE/ESW1)" wrote: Hello Marold, Firstly, we're (for the most part) users, not developers. >I would like to request an upgrade of the curl package (Linux Ubuntu >Core 22 / Secondly, we're _Debian_ users not Ubuntu. You'll have to take it up

Re: Security vulnerability at curl package: CVE-2023-44487: HTTP/2 Rapid Reset

2023-11-28 Thread Andy Smith
to by users. It's not the place to officially report bugs, at least not if you want them to be read by the package maintainers and to have some sort of audit trail. Looking at: https://security-tracker.debian.org/tracker/CVE-2023-44487 https://security-tracker.debian.org/tracker/source-

Re: Security vulnerability at curl package: CVE-2023-44487: HTTP/2 Rapid Reset

2023-11-28 Thread Marco Moock
On 28.11.2023 at 08:56:28, Marold Marcus (DC-AE/ESW1) wrote: > I would like to request an upgrade of the curl package (Linux Ubuntu > Core 22 / Jammy) to Nghttp2 v1.57.0 because of > CVE-2023-44487: > HTTP/2 Rapid Reset. That is the debian

Security vulnerability at curl package: CVE-2023-44487: HTTP/2 Rapid Reset

2023-11-28 Thread Marold Marcus (DC-AE/ESW1)
Hello, I would like to request an upgrade of the curl package (Linux Ubuntu Core 22 / Jammy) to Nghttp2 v1.57.0 because of CVE-2023-44487: HTTP/2 Rapid Reset. https://nghttp2.org/blog/2023/10/10/nghttp2-v1-57-0/ Thank you in advance. Mit

Re: Security question about daemon-init

2023-08-29 Thread Darac Marjal
On 29/08/2023 18:35, Bhasker C V wrote: Apologies in advance for cross-group posting. I have enabled selinux  and after carefully allowing certain permissions, I have put my system in enforcing mode I do see a suspicious line like this [  115.089395] audit: type=1400

Security question about daemon-init

2023-08-29 Thread Bhasker C V
Apologies in advance for cross-group posting. I have enabled selinux and after carefully allowing certain permissions, I have put my system in enforcing mode I do see a suspicious line like this [ 115.089395] audit: type=1400 audit(1693329979.841:11): avc: denied { getattr } for pid=3104

PS/PDF etc in import-im6.q16 not allowed by security policy

2023-06-09 Thread David Wright
[3rd attempt; first two flagged as spam] On Thu 08 Jun 2023 at 17:11:01 (+0200), Roger Price wrote: > On Thu, 8 Jun 2023, Greg Wooledge wrote: > > > Roger, what is the full command that you used? When I tested with > > "import foo.png" it worked as expected. One might assume that that's

Re: Link to import-im6.q16 not allowed by security policy ?

2023-06-08 Thread Greg Wooledge
On Thu, Jun 08, 2023 at 04:51:44PM +0200, Roger Price wrote: > I used to type "import foo.jpg" but got into the habit of typing "import > /tmp/foo" which produces the error message. > > So this afternoon I went back to typing "import foo.jpg" and this works > correctly, exactly as expected.

Re: Link to import-im6.q16 not allowed by security policy ?

2023-06-08 Thread Roger Price
On Thu, 8 Jun 2023, Greg Wooledge wrote: Roger, what is the full command that you used? When I tested with "import foo.png" it worked as expected. Previously I used to type "import foo.jpg" but got into the habit of typing "import /tmp/foo" which I now understand produces the error message.

Re: Link to import-im6.q16 not allowed by security policy ?

2023-06-08 Thread Roger Price
On Thu, 8 Jun 2023, Greg Wooledge wrote: Roger, what is the full command that you used? When I tested with "import foo.png" it worked as expected. I used to type "import foo.jpg" but got into the habit of typing "import /tmp/foo" which produces the error message. So this afternoon I went

Re: Link to import-im6.q16 not allowed by security policy ?

2023-06-08 Thread Thomas Schmitt
Hi, Greg Wooledge wrote: > You must have got a completely different set of Google results than I did. That's a known effect from Google watching people digging in the web. But maybe this time it's only the search string. I entered attempt to perform an operation not allowed by the secur

Re: Link to import-im6.q16 not allowed by security policy ?

2023-06-08 Thread Greg Wooledge
On Thu, Jun 08, 2023 at 02:39:11PM +0200, Thomas Schmitt wrote: > Hi, > > Roger Price wrote: > > > import-im6.q16: attempt to perform an operation not allowed by the > > > security > > > policy `PS' @ error/constitute.c/IsCoderAuthorized/421. > >

Re: Link to import-im6.q16 not allowed by security policy ?

2023-06-08 Thread Thomas Schmitt
Hi, Roger Price wrote: > > import-im6.q16: attempt to perform an operation not allowed by the security > > policy `PS' @ error/constitute.c/IsCoderAuthorized/421. Greg Wooledge wrote: > I tried googling the error message, and I get extremely confusing results, > but as

Re: Link to import-im6.q16 not allowed by security policy ?

2023-06-08 Thread Greg Wooledge
he soft link > > ln -s /usr/bin/import /usr/bin/screen-grab > > Now, whenever I try to run screen-grab or import or import-im6.q16 I get the > error message: > > import-im6.q16: attempt to perform an operation not allowed by the security > policy `PS' @ error/constitut

Link to import-im6.q16 not allowed by security policy ?

2023-06-08 Thread Roger Price
I try to run screen-grab or import or import-im6.q16 I get the error message: import-im6.q16: attempt to perform an operation not allowed by the security policy `PS' @ error/constitute.c/IsCoderAuthorized/421. So I removed the link, but calls to import still produce the error message.

Re: Bullseye debian security support?

2023-05-31 Thread Marc SCHAEFER
Hello, On Wed, May 31, 2023 at 11:37:34AM -0700, John Conover wrote: > How long will Debian Bullseye have debian security team support after > Bookworm is announced? LTS planning is here: https://wiki.debian.org/LTS bullseye will be LTS-supported til june 2026 (not yet clearly d

Bullseye debian security support?

2023-05-31 Thread John Conover
How long will Debian Bullseye have debian security team support after Bookworm is announced? Thanks, John -- John Conover, cono...@panix.com, http://www.johncon.com/

Re: apache2: fix the regressions introduced by security upgrade in Bullseye?

2023-04-03 Thread Gareth Evans
very much >> >> Harri > > > "In Mitre's CVE dictionary: [..] CVE-2023-25690, CVE-2023-27522 [...] > > For the stable distribution (bullseye), these problems have been fixed > in version 2.4.56-1~deb11u1. > > We recommend that you upgrade your apache2 pa

Re: apache2: fix the regressions introduced by security upgrade in Bullseye?

2023-04-03 Thread Gareth Evans
llseye), these problems have been fixed in version 2.4.56-1~deb11u1. We recommend that you upgrade your apache2 packages." https://www.debian.org/security/2023/dsa-5376 $ apt policy apache2 apache2: Installed: 2.4.56-1~deb11u1 Candidate: 2.4.56-1~deb11u1 Version table: *** 2.4.56-1~de

Re: apache2: fix the regressions introduced by security upgrade in Bullseye?

2023-04-03 Thread Vincent Lefevre
isn't in Bullseye either. It is 2.4.56-1~deb11u1 that got to stable-security. So I think that you need to wait for another update for Bullseye, but since the regressions were fixed only yesterday, this may take several days. See when something new appears on https://tracker.debian.org/pkg/apache2 Y

Re: apache2: fix the regressions introduced by security upgrade in Bullseye?

2023-04-03 Thread Harald Dunkel
On 2023-04-03 14:49:16, Vincent Lefevre wrote: What about apache2 2.4.56-2? This version is not in Bullseye. Only 2.4.56-1, introducing the regressions.

Re: apache2: fix the regressions introduced by security upgrade in Bullseye?

2023-04-03 Thread Vincent Lefevre
Hi, On 2023-04-03 14:27:48 +0200, Harald Dunkel wrote: > AFAIU apache2 2.4.56-1 has been included in Bullseye to mitigate > CVE-2023-27522 and CVE-2023-25690 (both some mod_proxy issue > with high severity). Good thing. > > Unfortunately this introduced 2 regressions for mod_rewrite and > http2,

apache2: fix the regressions introduced by security upgrade in Bullseye?

2023-04-03 Thread Harald Dunkel
Hi folks, AFAIU apache2 2.4.56-1 has been included in Bullseye to mitigate CVE-2023-27522 and CVE-2023-25690 (both some mod_proxy issue with high severity). Good thing. Unfortunately this introduced 2 regressions for mod_rewrite and http2, see

Re: Debian security team support for Bullseye?

2023-01-07 Thread Sven Joachim
On 2023-01-07 11:22 -0800, John Conover wrote: > How much longer will Debian security team support Bullseye? For one year after the release of Bookworm, whenever that may be. > The LTS Wiki page is kind of confusing as to when I have to upgrade to > Bookworm. It seems to project tha

Debian security team support for Bullseye?

2023-01-07 Thread John Conover
How much longer will Debian security team support Bullseye? The LTS Wiki page is kind of confusing as to when I have to upgrade to Bookworm. Thanks, John -- John Conover, cono...@panix.com, http://www.johncon.com/

Re: apt update fails due to Label and Version changes for buster security

2022-12-16 Thread John Boxall
On 2022-12-16 13:00, Tim Woodall wrote: Thanks Tim, I will root around in the docs a little more. Strange because I've done multiple updates since your last backup date of Dec 2nd and not had this issue. H. -- Regards, John Boxall

Re: apt update fails due to Label and Version changes for buster security

2022-12-16 Thread Tim Woodall
InRelease Get:2 http://security.debian.org/debian-security buster/updates InRelease [34.8 kB] Hit:3 http://dl.google.com/linux/chrome/deb stable InRelease Hit:4 http://deb.debian.org/debian buster-updates InRelease E: Repository 'http://security.debian.org/debian-security buster/updates InRelease

Re: apt update fails due to Label and Version changes for buster security

2022-12-16 Thread Tim Woodall
/debian-security buster/updates InRelease [34.8 kB] Hit:3 http://dl.google.com/linux/chrome/deb stable InRelease Hit:4 http://deb.debian.org/debian buster-updates InRelease E: Repository 'http://security.debian.org/debian-security buster/updates InRelease' changed its 'Label' value from 'Debian

Re: apt update fails due to Label and Version changes for buster security

2022-12-16 Thread Tim Woodall
On Thu, 15 Dec 2022, John Boxall wrote: The following happened just now when updating my Buster system: + apt update Hit:1 http://deb.debian.org/debian buster InRelease Get:2 http://security.debian.org/debian-security buster/updates InRelease

apt update fails due to Label and Version changes for buster security

2022-12-15 Thread John Boxall
The following happened just now when updating my Buster system: + apt update Hit:1 http://deb.debian.org/debian buster InRelease Get:2 http://security.debian.org/debian-security buster/updates InRelease [34.8 kB] Hit:3 http://dl.google.com

Re: does apt upgrade & full-upgrade packages from Security Updates (Debian Security Advisories (DSA))

2022-11-13 Thread jindam, vani
On Sun, Nov 13, 2022 at 09:56:21AM +, jindam, vani wrote: > i have only deb http://deb.debian.org/debian bullseye main contrib non-free > in my sources.list. > > does apt upgrade & full-upgrade packages from Security Updates (Debian > Security Advisories (DSA))? >

Re: does apt upgrade & full-upgrade packages from Security Updates (Debian Security Advisories (DSA))

2022-11-13 Thread tomas
On Sun, Nov 13, 2022 at 09:56:21AM +, jindam, vani wrote: > i have only deb http://deb.debian.org/debian bullseye main contrib non-free > in my sources.list. > > does apt upgrade & full-upgrade packages from Security Updates (Debian > Security Advisories (DSA))?

does apt upgrade & full-upgrade packages from Security Updates (Debian Security Advisories (DSA))

2022-11-13 Thread jindam, vani
i have only deb http://deb.debian.org/debian bullseye main contrib non-free in my sources.list. does apt upgrade & full-upgrade packages from Security Updates (Debian Security Advisories (DSA))? which is correct? deb http://security.debian.org/debian-security bullseye-security main con

Re: Fwd: [SECURITY] [DLA 3173-1] linux-5.10 security update

2022-11-03 Thread David Wright
> > >> August and as you noted, it's getting security updates too. > > > I'm just curious if this is the first time that a kernel _version_ bump > > took place within the trajectory of a single Debian version? Or have kernel > > _version_ changes always taken plac

Re: Fwd: [SECURITY] [DLA 3173-1] linux-5.10 security update

2022-11-02 Thread Greg Wooledge
On Wed, Nov 02, 2022 at 12:45:57PM -0500, Nicholas Geovanis wrote: > > > On 2022-11-02 03:40, Anssi Saari wrote: > > >> Looks like a linux-5.10 source package was indeed added to Buster in > > >> August and as you noted, it's getting security updates too. > I

Re: Fwd: [SECURITY] [DLA 3173-1] linux-5.10 security update

2022-11-02 Thread Nicholas Geovanis
On Wed, Nov 2, 2022, 9:35 AM Anssi Saari wrote: > John Boxall writes: > > > On 2022-11-02 03:40, Anssi Saari wrote: > >> Looks like a linux-5.10 source package was indeed added to Buster in > >> August and as you noted, it's getting security updates too. Ther

Re: Fwd: [SECURITY] [DLA 3173-1] linux-5.10 security update

2022-11-02 Thread Anssi Saari
John Boxall writes: > On 2022-11-02 03:40, Anssi Saari wrote: >> Looks like a linux-5.10 source package was indeed added to Buster in >> August and as you noted, it's getting security updates too. There's some >> info on the what and when at https://tracker.debian.org/pk

Re: Fwd: [SECURITY] [DLA 3173-1] linux-5.10 security update

2022-11-02 Thread John Boxall
On 2022-11-02 03:40, Anssi Saari wrote: Looks like a linux-5.10 source package was indeed added to Buster in August and as you noted, it's getting security updates too. There's some info on the what and when at https://tracker.debian.org/pkg/linux-5.10 but I don't know the why. Here

Re: [SECURITY] [DLA 3173-1] linux-5.10 security update

2022-11-02 Thread Felix Miata
> August and as you noted, it's getting security updates too. There's some > info on the what and when at https://tracker.debian.org/pkg/linux-5.10 > but I don't know the why. > Maybe this is for Buster's LTS lifecycle and 4.19 is expected to go EOL > before Buster does?

Re: Fwd: [SECURITY] [DLA 3173-1] linux-5.10 security update

2022-11-02 Thread Anssi Saari
John Boxall writes: > Did I miss something in the last three years? When did buster go to a > 5.10 kernel? My buster system is still on kernel 4.19. Looks like a linux-5.10 source package was indeed added to Buster in August and as you noted, it's getting security updates too. There's som

Fwd: [SECURITY] [DLA 3173-1] linux-5.10 security update

2022-11-01 Thread John Boxall
Did I miss something in the last three years? When did buster go to a 5.10 kernel? My buster system is still on kernel 4.19. Forwarded Message Subject: [SECURITY] [DLA 3173-1] linux-5.10 security update Resent-Date: Tue, 1 Nov 2022 20:58:06 + (UTC) Resent-From: debian

Subject: OT: for posterity: iproute -- dos program by David F. Mischler: (was: CVE security vulnerabilities, versions and ... )

2022-08-30 Thread rhkramer
On Wednesday, August 10, 2022 08:55:20 AM Dan Ritter wrote: > rhkra...@gmail.com wrote: > > I.e., if a computer on the LAN contacted a computer outside the LAN, NAT > > would allow incoming data from that external computer, but not allow > > incoming data from other external computers. > > That's

Re: NFC security key on a desktop

2022-07-10 Thread Kleene, Steven (kleenesj)
On Saturday, July 9, 2022 9:23 PM, I wrote: >> Has anyone managed to get an NFC reader working with a security key on a >> Debian desktop? If so, I'd like to know how to set that up. On Sunday, July 10, 2022 2:34 PM, Celejar replied: > No actual experience with NFC (I
