Bug#743892: please include security.debian.org in sources.list

2014-04-07 Thread Daniel Roesler
The AWS ELB servers are apparently vulnerable, too, so don't update
your SSL certs on ELB until they are confirmed fixed.

https://forums.aws.amazon.com/thread.jspa?threadID=149690&tstart=0

On Mon, Apr 7, 2014 at 5:48 PM, Jonathan Landis wrote:
> Package: cloud.debian.org
>
> The heartbleed bug has created a situation in which servers must be upgraded
> immediately. At the moment the default mirrors listed in the Debian Wheezy
> AMI image don't have the patches yet, but security.debian.org does. So users
> of the existing image have to update sources.list on each of their servers
> if they want to get patched ASAP.
>
> Is there any reason not to include security.debian.org in sources.list by
> default?
>
>
> --
> To UNSUBSCRIBE, email to debian-cloud-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmas...@lists.debian.org
> Archive: https://lists.debian.org/53434779.2010...@calibersecurity.com
>


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#743892: please include security.debian.org in sources.list

2014-04-08 Thread Daniel Roesler
Thanks for patching quickly, all!

When can we expect the cloudfront.debian.net repos to be updated with the fix?

On Tue, Apr 8, 2014 at 8:03 AM, Anders Ingemann  wrote:
> Already merged about an hour ago ;-)
>
>
> Anders
>
>
> On 8 April 2014 16:57, Bromberger, James  wrote:
>>
>> I've pushed a patch to bootstrap-vz that should fix this; pending review
>> and merge req pull by Anders.
>>
>>
>>
>>   James
>>
>>
>>
>>
>>
>> James Bromberger | Solution Architect | Amazon Web Services
>>
>> E: jame...@amazon.com   P: +61 422 166 708   T:@JamesBromberger
>>
>>
>>
>> From: Jimmy Kaplowitz [mailto:jkaplow...@google.com]
>> Sent: Tuesday, 8 April 2014 5:22 PM
>> To: Anders Ingemann; 743...@bugs.debian.org
>> Cc: Jonathan Landis
>> Subject: Bug#743892: please include security.debian.org in sources.list
>>
>>
>>
>> The http.debian.net source is presumably the wheezy version of this:
>>
>>
>>
>> http://www.debian.org/News/2011/20110215
>>
>>
>>
>> - Jimmy
>>
>>
>>
>> On Tue, Apr 8, 2014 at 12:02 AM, Anders Ingemann wrote:
>>
>> On 8 April 2014 02:48, Jonathan Landis  wrote:
>> >
>> > Package: cloud.debian.org
>> >
>> > The heartbleed bug has created a situation in which servers must be
>> > upgraded immediately. At the moment the default mirrors listed in the
>> > Debian Wheezy AMI image don't have the patches yet, but
>> > security.debian.org does. So users of the existing image have to update
>> > sources.list on each of their servers if they want to get patched ASAP.
>> >
>> > Is there any reason not to include security.debian.org in sources.list
>> > by default?
>> >
>>
>> > Is there any reason not to include security.debian.org in sources.list
>> > by default?
>>
>> Not really. There is a hanging PR at
>> https://github.com/andsens/bootstrap-vz/pull/33
>> It's hanging because I never got an answer to my question: What's the
>> difference between:
>>
>> http://security.debian.org/  wheezy/updates ...
>> and
>> http://http.debian.net/  wheezy-updates ...
>> ?
>>
>> I am pretty sure only the first one should be there, but I can't for the
>> life of me figure out why wheezy-updates was added. Is it a bogus source?
>>
>> The source is here.
>>
>>
>>
>>
>
>
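
The two entries asked about in the thread above name different suites: `wheezy/updates` is the security archive, while `wheezy-updates` is the stable-updates suite, so having the second does not deliver security fixes. The following check is an added example, not code from this thread or from bootstrap-vz; the function names and the sample sources.list contents (including the mirror paths) are constructed for illustration.

```python
import re

# One-line APT entry: type, optional [options], URI, suite, components.
ENTRY = re.compile(
    r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)((?:\s+\S+)*)$")

def parse_sources(text):
    """Return (type, uri, suite, components) for each active entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2).rstrip("/"),
                            m.group(3), m.group(4).split()))
    return entries

def audit(text, release="wheezy"):
    """Group the binary ('deb') archive URIs by update channel."""
    found = {"base": [], "security": [], "stable-updates": []}
    for kind, uri, suite, _components in parse_sources(text):
        if kind != "deb":
            continue  # deb-src lines do not install anything
        if suite == release:
            found["base"].append(uri)
        elif suite == release + "/updates":   # security archive suite
            found["security"].append(uri)
        elif suite == release + "-updates":   # stable-updates, not security
            found["stable-updates"].append(uri)
    return found

def missing_security(text, release="wheezy"):
    """True when no active entry pulls the security suite."""
    return not audit(text, release)["security"]

# Constructed sample resembling the situation reported in the bug
# (not the actual contents of the AMI's sources.list).
CONSTRUCTED_IMAGE_DEFAULT = """\
deb http://http.debian.net/debian wheezy main
deb-src http://http.debian.net/debian wheezy main
deb http://http.debian.net/debian wheezy-updates main
# deb http://security.debian.org/ wheezy/updates main
"""
CONSTRUCTED_FIXED = (CONSTRUCTED_IMAGE_DEFAULT +
                     "deb [arch=amd64] http://security.debian.org/ wheezy/updates main\n")

if __name__ == "__main__":
    for name, text in (("default", CONSTRUCTED_IMAGE_DEFAULT), ("fixed", CONSTRUCTED_FIXED)):
        print(name, "missing security suite:", missing_security(text))
```

Run against `/etc/apt/sources.list` and any files under `/etc/apt/sources.list.d/` concatenated; a commented-out security line, as in the constructed default, still counts as missing.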

