On Tue, Mar 24, 2026 at 01:14:17PM +0000, Dominic Hargreaves wrote:
> I'm a DD but not the maintainer of this package, and this bug affects me
> (I discovered earlier in the week). I will try and help fix the issue
> in Debian.
>
> It looks like a minimal fix might be
>
> https://github.com/duosecurity/duo_unix/pull/324
>
> but I have not yet verified this.
>
> I will try and prepare updated packages for Debian unstable, stable and
> oldstable, but I won't have time to work on this until Thursday.
>
> I'm actually not sure what happens on the 31st March as it's already
> 100% failing for me, I think. However if it will help someone I will try
> and see if we can get things fixed in all releases by 31st March, using
> the stable-updates suite.

In actual fact, the minimal fix doesn't work, because the servers block old clients by version number (hence the 403 errors I was seeing in the logs, which I had assumed were a confusing translation of cert errors into HTTP errors).

I think the only resolution to this is going to be to upgrade to the new upstream release, which is doable for Debian unstable, although I haven't been able to get that far today. Assuming I do get to it in a few days, this still won't be of immediate help for stable users, since it's a large change that I don't think would be approved for stable. But at least it could be backported.

Dominic

