Your message dated Sat, 10 Aug 2019 10:08:09 +0000
with message-id <e1hwoid-000dxe...@fasolo.debian.org>
and subject line Bug#932828: fixed in debian-edu-config 2.10.66
has caused the Debian Bug report #932828,
regarding The initial LTSP chroot image should include the LDAP server 
certificate to improve security
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
932828: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932828
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: debian-edu-config
Version: 2.10.65
Severity: important

After setting up a system including the 'LTSP-Server' profile, the LTSP 
chroot's SquashFS image (generated at installation time and used by NBD 
to provide an LTSP client's root filesystem) doesn't include the LDAP 
server certificate (pub key). The certificate will only be included in 
the image if it is rebuilt. As long as this isn't done, a MITM attack is 
possible. See the discussion in #931413.

Wolfgang



--- End Message ---
--- Begin Message ---
Source: debian-edu-config
Source-Version: 2.10.66

We believe that the bug you reported is fixed in the latest version of
debian-edu-config, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 932...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <hol...@debian.org> (supplier of updated debian-edu-config 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 10 Aug 2019 11:41:47 +0200
Source: debian-edu-config
Architecture: source
Version: 2.10.66
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Holger Levsen <hol...@debian.org>
Closes: 926933 928756 929964 930122 931366 931413 931680 932828 933183 933580
Changes:
 debian-edu-config (2.10.66) unstable; urgency=medium
 .
   [ Wolfgang Schweer ]
   * Adjust ltsp-build-client/Debian-custom/001-ltsp-setting. (Closes: #928756)
     - Use PXE option 'ipappend 2' for LTSP client boot. This option makes sure
       that all DHCP server information is getting through to LTSP clients.
       (LTSP used this option before, but switched to 'ipappend 3' during the
       Buster development cycle to ease setups with ProxyDHCP.)
   * Adjust share/debian-edu-config/sudo-ldap.conf. (Closes: #929964)
     - Fix sudo-ldap configuration. (The LDAP URI is needed on LDAP clients.)
   * Set environment variable to deal with Firefox profile. (Closes: #930122)
     This is a workaround for bug #930125, preventing firefox-esr startup issues
     if the mozilla profile is on an NFS share.
     - Ship share/debian-edu-config/edu-firefox-nfs with NSS_SDB_USE_CACHE="yes"
       as content. Thanks to Mike Gabriel for spotting the issue and providing
       this information.
     - Add instructions to cf3/cf.workarounds to link the 'edu-firefox-nfs' file
       to appropriate files below '/etc/X11/Xsession.d' and '/etc/profile.d'.
   * Adjust cf3/cf.homes: Set correct LTSP chroot path. (Closes: #931680)
     - While the reported arch is i686, LTSP uses i386. Set arch accordingly.
   * Adjust share/debian-edu-config/tools/kerberos-kdc-init. (Closes: #931366)
     - Remove outdated (and now wrong) logging section.
   * Add LDAP server certificate to the initial LTSP NBD image.
     (Closes: #932828)
     - etc/ltsp/ltsp-build-client.conf: Don't create the image by default.
     - cf3/edu.cf: Define new class 'ltspimages'.
     - cf3/cf.finalize: Add code to include the LDAP server certificate for all
       possible use cases, to generate the image and to adjust various rights.
   * Provide Debian Edu RootCA certificate for download. (Closes: #933183)
     - Adjust share/debian-edu-config/tools/create-debian-edu-certs to copy the
       rootCA file to the web server directory at certificate generation time.
     - Adjust cf3/cf.finalize to care for the rootCA file as well.
     - Adjust cf3/cf.workarounds to copy the rootCA file to the web server
       directory upon main server upgrade.
   * Fix loss of dynamically allocated v4 IP address. (Closes: #933580)
     - Drop etc/network/if-up.d/hostname. This script doesn't work anymore due
       to changed behaviour of the ifupdown/dhclient/systemd combination and now
       also causes the loss of a dynamically allocated ipv4 IP address after 20
       to 30 minutes after booting.
     - Add code to d/debian-edu-config.postinstall to implement the intended
       hostname update just after rebooting the system after a change.
     - Adjust Makefile.
 .
   [ Mike Gabriel ]
   * debian/debian-edu-config.fetch-ldap-cert: Make the script (and with it
     Debian Edu buster workstations) work in a Debian Edu environment where
     the main server (TJENER) is still on Debian Edu 8 or 9. (Closes: #926933)
   * debian/debian-edu-config.fetch-ldap-cert: Retrieve TJENER's PKI server
     certificate only once per host to improve security. This re-introduces
     the behaviour of fetch-ldap-cert in stretch and earlier. (Closes: #931413).
 .
   [ Holger Levsen ]
   * Drop obsolete code in d-i/finish-install now that d-i uses haveged (via a
     newly introduced udeb) or a hardware RNG. (See #923675).
   * Bump standards version to 4.4.0, no changes needed.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
