Your message dated Thu, 6 Aug 2020 18:43:15 +0100
with message-id <20200806174315.gq16...@tack.einval.com>
and subject line Re: Debian Strech 9.13 ISO Download - Firefox says its 
containing a virus
has caused the Debian Bug report #966538,
regarding firefox-esr: Firefox accuses debian-9.13.0-amd64-netinst.iso of 
containing malware
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
966538: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966538
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: firefox-esr
Version: 68.10.0esr-1~deb10u1
Severity: normal

Dear Maintainer,

examining
  https://lists.debian.org/debian-cd/2020/07/msg00056.html
I downloaded
  https://cdimage.debian.org/mirror/cdimage/archive/9.13.0/amd64/iso-cd/debian-9.13.0-amd64-netinst.iso
by the Firefox of a 6 day old Debian 10 installation.
Like the OP of the debian-cd mail, I experience on the first download of
that file a warning, that it contains a virus.

The downloaded ISO passes the usual verification by gpg and sha512sum.
See
  https://lists.debian.org/debian-cd/2020/07/msg00057.html
for the details of my verification.

I could not get more info from the warning dialog window. Clicking on
the "open" button brought me to a dialog which offers me to put the
ISO image somewhere else.
I also failed to find any info about the virus scanner in firefox.

-- Package-specific info:

$ dpkg -s firefox-esr
Package: firefox-esr
Status: install ok installed
...
Architecture: amd64
Version: 68.10.0esr-1~deb10u1
...
Conffiles:
 /etc/firefox-esr/firefox-esr.js cebd145f0dd82696213e50218ff1a1bf

-- Addons package information

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firefox-esr depends on:
ii  debianutils               4.8.6.1
ii  fontconfig                2.13.1-2
ii  libasound2                1.1.8-1
ii  libatk1.0-0               2.30.0-2
ii  libc6                     2.28-10
ii  libcairo-gobject2         1.16.0-4
ii  libcairo2                 1.16.0-4
ii  libdbus-1-3               1.12.16-1
ii  libdbus-glib-1-2          0.110-4
ii  libevent-2.1-6            2.1.8-stable-4
ii  libffi6                   3.2.1-9
ii  libfontconfig1            2.13.1-2
ii  libfreetype6              2.9.1-3+deb10u1
ii  libgcc1                   1:8.3.0-6
ii  libgdk-pixbuf2.0-0        2.38.1+dfsg-1
ii  libglib2.0-0              2.58.3-2+deb10u2
ii  libgtk-3-0                3.24.5-1
ii  libjsoncpp1               1.7.4-3
ii  libpango-1.0-0            1.42.4-8~deb10u1
ii  libstartup-notification0  0.12-6
ii  libstdc++6                8.3.0-6
ii  libvpx5                   1.7.0-3+deb10u1
ii  libx11-6                  2:1.6.7-1
ii  libx11-xcb1               2:1.6.7-1
ii  libxcb-shm0               1.13.1-2
ii  libxcb1                   1.13.1-2
ii  libxcomposite1            1:0.4.4-2
ii  libxdamage1               1:1.1.4-3+b3
ii  libxext6                  2:1.3.3-1+b2
ii  libxfixes3                1:5.0.3-1
ii  libxrender1               1:0.9.10-1
ii  libxt6                    1:1.1.5-1+b3
ii  procps                    2:3.3.15-2
ii  zlib1g                    1:1.2.11.dfsg-1

Versions of packages firefox-esr recommends:
ii  libavcodec58  7:4.1.6-1~deb10u1

Versions of packages firefox-esr suggests:
ii  fonts-lmodern          2.004.5-6
pn  fonts-stix | otf-stix  <none>
ii  libcanberra0           0.30-7
ii  libgssapi-krb5-2       1.17-3
ii  libgtk2.0-0            2.24.32-3
ii  pulseaudio             12.2-4+deb10u1

-- no debconf information

--- End Message ---
--- Begin Message ---
Hey Thomas,

I hope you're keeping ok!

On Thu, Jul 30, 2020 at 04:05:54PM +0200, Thomas Schmitt wrote:
>
>Well, as upstream programmer i could - intentionally or as victim of
>malware myself - be the culprit who sneaks malware into a Debian ISO.
>I try hard to keep my machines clean and my moral reputable, but in the end
>i do not dare to be more affirmative than "Quite surely".
>
>> I've raised a few tickets with Google
>
>Please notify bug 966538 about any progress.

Nothing visibly came from any of those tickets.

It seems Google have a habit of ignoring you, unless you submit to
their rules and set up a webmaster account on their system. Ugh. :-(

Maswan (admin at acc.umu.se, the hoster for cdimage.d.o) has dug into
this, and it *seems* that our problem was totally unrelated to the
Debian ISO images themselves. Instead, a different Windows program
hosted elsewhere on the acc.umu.se download service has been flagged
as malware and that tainted everything hosted at their site. He's
cleaned up that file and as *far* as I can see the Debian ISO
downloads are working OK here, with no warnings from FF or Chromium.

I'm tagging this bug as done as it seems to be clear now. To the
submitters and anybody else listening: please re-open if you still see
a problem.

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
< sladen> I actually stayed in a hotel and arrived to find a post-it
          note stuck to the mini-bar saying "Paul: This fridge and
          fittings are the correct way around and do not need altering"

--- End Message ---
