Re: Bug#921663: Please add python-certbot update to jessie-backports

Hi

Here are the reverse dependencies for that.

(jessie_chroot)root@tigereye:~/build/certbot/python-certbot-0.28.0# apt-rdepends -r python3-cryptography
Reading package lists... Done
Building dependency tree
Reading state information... Done
python3-cryptography
  Reverse Depends: python3-openssl (0.14-1)
python3-openssl
  Reverse Depends: python3-service-identity (1.0.0-3)
python3-service-identity

Does not look like much.

// Ola

On Sat, 9 Feb 2019 at 23:20, Brad Warren wrote:
> Thanks for looking into that Ola.
>
> I think we could work around the python3-sphinx problem. It’s just used
> for building the docs and python3-sphinx (>= 1.6) is not in Stretch despite
> the Certbot package being updated there. It seems to me like something
> similar could be done here.
>
> python3-cryptography certainly might be a problem though.

--
 --- Inguza Technology AB --- MSc in Information Technology ---
/  o...@inguza.com       Folkebogatan 26                         \
|  o...@debian.org       654 68 KARLSTAD                         |
|  http://inguza.com/    Mobile: +46 (0)70-332 1551              |
 \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
 ---
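The "how large exactly?" question behind that apt-rdepends listing can be answered mechanically. The following is an added example, not code from the thread: it parses `apt-rdepends` output into a graph and walks the transitive closure, using the listing quoted above as constructed sample input. It also accepts the forward `Depends:`/`PreDepends:` lines, so the same parser works for the forward question of what certbot itself would pull in.

```python
import re
from collections import defaultdict

# Constructed sample input: the apt-rdepends -r output shown in the message
# above, pasted as a string so the script runs without apt.
SAMPLE_RDEPENDS = """\
Reading package lists... Done
Building dependency tree
Reading state information... Done
python3-cryptography
  Reverse Depends: python3-openssl (0.14-1)
python3-openssl
  Reverse Depends: python3-service-identity (1.0.0-3)
python3-service-identity
"""

# apt-rdepends prints a bare package name at column 0, then one indented edge
# line per relation: "Depends:" / "PreDepends:" (forward) or "Reverse Depends:"
# (with -r), followed by the related package and an optional "(version)".
_PKG_LINE = re.compile(r"^([a-z0-9][a-z0-9+.-]+)$")
_EDGE_LINE = re.compile(
    r"^\s+(?:Reverse |Pre)?Depends:\s+([a-z0-9][a-z0-9+.-]+)(?:\s+\((.*)\))?\s*$"
)


def parse_rdepends(text):
    """Return {package: set(related packages)} from apt-rdepends output.

    Status chatter ("Reading package lists... Done") matches neither pattern
    and is ignored; a package with no edges still gets an empty entry.
    """
    graph = defaultdict(set)
    current = None
    for line in text.splitlines():
        pkg = _PKG_LINE.match(line)
        if pkg:
            current = pkg.group(1)
            graph.setdefault(current, set())  # entry even if no edges follow
            continue
        edge = _EDGE_LINE.match(line)
        if edge and current is not None:
            graph[current].add(edge.group(1))
    return dict(graph)


def affected_by(graph, root):
    """Transitive closure of packages reachable from root (root itself excluded).

    With -r output this is the set of packages an update to root can break;
    cycles are tolerated because each package is visited once.
    """
    seen = set()
    stack = [root]
    while stack:
        for dep in graph.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    seen.discard(root)
    return seen


if __name__ == "__main__":
    graph = parse_rdepends(SAMPLE_RDEPENDS)
    closure = affected_by(graph, "python3-cryptography")
    print("%d reverse dependencies: %s" % (len(closure), ", ".join(sorted(closure))))
```

Feed it the real output with `apt-rdepends -r <package> | python3 thisscript.py` after replacing the sample string with `sys.stdin.read()`.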
Re: Bug#921663: Please add python-certbot update to jessie-backports

Thanks for looking into that Ola.

I think we could work around the python3-sphinx problem. It’s just used
for building the docs and python3-sphinx (>= 1.6) is not in Stretch despite
the Certbot package being updated there. It seems to me like something
similar could be done here.

python3-cryptography certainly might be a problem though.

> On Feb 9, 2019, at 12:27 PM, Ola Lundqvist wrote:
>
> Hi Holger and Brad
>
> Here is a little more extensive list of dependencies:
>
> python-certbot (of course as it is the one providing certbot)
> python3-acme (>= 0.26.0~) - not in jessie, available in backports
> python3-configargparse - not in jessie, available in backports
> python3-cryptography (>= 1.2) - update needed (affecting something else?),
> available in backports
> python3-josepy - not in jessie
> python3-rfc3339 - not in jessie, available in backports
> python3-sphinx (>= 1.6) - update needed (affecting something else?)
> python-certbot-nginx
> python-certbot-apache
>
> python-certbot-nginx and python-certbot-apache do not seem to add any
> additional dependencies that are not already in jessie.
>
> I have not checked if any of the above packages require further dependencies
> so the list may grow larger.
>
> Best regards
>
> // Ola
Re: PHP 5.6 EOD of Life Support and Debian 8 LTS.

Hi Thomas

I do not see that anyone else has answered this, so I'll try to do that.

If nothing else is stated, the LTS team plans to support all packages
regardless of whether upstream has declared them end of life or not.

Regarding php5 I think it is a must to do so, since the transition to php7
is non-trivial. I guess most sponsors stick to oldstable for this particular
reason. If we force the users to upgrade to php7 then they can just as well
upgrade to stable anyway.

// Ola

On Mon, 28 Jan 2019 at 18:42, Thomas Martin wrote:
> Hello,
>
> With the end of life support of PHP 5.6 from upstream, do you know if
> the Debian LTS team will still support php5.6 in the future?
>
> I'm talking about the packaging of PHP 5.6.40 but also about the next
> potential vulnerabilities which may happen.
>
> By the way, will PHP 7.0 be supported by the Debian LTS team when
> Stretch becomes LTS?
>
> Thanks!
>
> Regards,
> Thomas
Re: Bug#921663: Please add python-certbot update to jessie-backports

> On Feb 9, 2019, at 6:19 AM, Holger Levsen wrote:
>
> On Sat, Feb 09, 2019 at 02:54:43PM +0100, Ola Lundqvist wrote:
>> I can also add that I have looked into this for myself and the number of
>> needed dependencies is rather large. So it is not just certbot that needs an
>> update, we also need to include quite a few other packages too.
>
> how large exactly?

All of:

- python-acme
- python-certbot
- python-certbot-apache
- python-certbot-nginx
- python-josepy

would need to be added/updated like they were in Stretch. (The new
python-josepy package comes from it being split out of python-acme.)

We have spent a lot of time upstream keeping compatibility with older
versions of our dependencies and not adding new dependencies with the goal
of making situations like this easier.

With that said, these Debian packages have switched from Python 2 to Python 3
since the last time they were updated in jessie-backports. The switch to
Python 3 would either need to be undone (as we have kept compatibility with
Python 2 upstream) or Python 3 versions of some of our dependencies would
need to be added. I am not sure how many packages would be affected if the
latter approach was taken.
Re: Bug#921663: Please add python-certbot update to jessie-backports

Hi Holger and Brad

Here is a little more extensive list of dependencies:

python-certbot (of course as it is the one providing certbot)
python3-acme (>= 0.26.0~) - not in jessie, available in backports
python3-configargparse - not in jessie, available in backports
python3-cryptography (>= 1.2) - update needed (affecting something else?),
available in backports
python3-josepy - not in jessie
python3-rfc3339 - not in jessie, available in backports
python3-sphinx (>= 1.6) - update needed (affecting something else?)
python-certbot-nginx
python-certbot-apache

python-certbot-nginx and python-certbot-apache do not seem to add any
additional dependencies that are not already in jessie.

I have not checked if any of the above packages require further dependencies
so the list may grow larger.

Best regards

// Ola

On Sat, 9 Feb 2019 at 20:58, Brad Warren wrote:
>> how large exactly?
>
> All of:
>
> - python-acme
> - python-certbot
> - python-certbot-apache
> - python-certbot-nginx
> - python-josepy
>
> would need to be added/updated like they were in Stretch. (The new
> python-josepy package comes from it being split out of python-acme.)
>
> We have spent a lot of time upstream keeping compatibility with older
> versions of our dependencies and not adding new dependencies with the goal
> of making situations like this easier.
>
> With that said, these Debian packages have switched from Python 2 to
> Python 3 since the last time they were updated in jessie-backports. The
> switch to Python 3 would either need to be undone (as we have kept
> compatibility with Python 2 upstream) or Python 3 versions of some of our
> dependencies would need to be added. I am not sure how many packages would
> be affected if the latter approach was taken.
Re: Bug#859122: about 500 DLAs missing from the website

Hi Laura,

many many thanks for your work on this, including and especially this
writeup! some comments below, where I don't say anything I mean 'yay'! :)

On Sat, Feb 09, 2019 at 03:55:44AM +0100, Laura Arjona Reina wrote:
> * The /lts/security//index.*.html files show the last advisory for
> the cases where there are several files with the same beginning (e.g.
> for DSA- and DSA--2, both html files are generated, but the
> index only points to the -2 file). If this is not the intended
> behaviour, changes in index.wml and Makefiles are needed.

I think we want the other DLAs linked from the indexes as well. shall we
file a bug to not forget this?

> * Please review the content (text, links) of these files:
> /lts/index.wml
> /lts/security/index.wml

the former seems a bit bare to me. Also, isn't the 2nd enough, so that we
can just drop/not have the former?

> * This new /lts section of the website is not referenced yet in other
> places of the Debian website. I'm not sure if it should be referenced in
> /security, in /releases/, or in both.

I think there is no hurry for this, rather I would suggest to not reference
for now and then look again in 2-4 weeks, so that we get a better idea where
we want it.

> * We still need the Apache redirects, so the people that try the old
> URLs (whether directly because they knew, or via the security tracker),
> find the files they need. What we need to do is send a patch to
>
> https://salsa.debian.org/dsa-team/mirror/dsa-puppet/blob/master/modules/roles/templates/apache-www.debian.org.erb
>
> that sets the redirect from
> https://www.debian.org/security/any_year/dla-whatever to
> https://www.debian.org/security/lts/any_year/dla-whatever

right. shall we file a bug to not forget this?

> * Adaptation in the security tracker so the new URL paths are used from
> now on is also needed.

right. shall we file a bug to not forget this?

> Thanks for reading so long!

Thank you for getting us here!

--
tschau,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: Bug#921663: Please add python-certbot update to jessie-backports

On Sat, Feb 09, 2019 at 02:54:43PM +0100, Ola Lundqvist wrote:
> I can also add that I have looked into this for myself and the number of
> needed dependencies is rather large. So it is not just certbot that needs an
> update, we also need to include quite a few other packages too.

how large exactly?
[SECURITY] [DLA 1666-1] freerdp security update

Package        : freerdp
Version        : 1.1.0~git20140921.1.440916e+dfsg1-13~deb8u3
CVE ID         : CVE-2018-8786 CVE-2018-8787 CVE-2018-8788 CVE-2018-8789
Debian Bug     :

For the FreeRDP version in Debian jessie LTS a security and functionality
update has recently been provided.

FreeRDP is a free re-implementation of the Microsoft RDP protocol (server
and client side) with freerdp-x11 being the most common RDP client these
days.

Functional improvements:

With help from FreeRDP upstream (kudos to Bernhard Miklautz and Martin
Fleisz) we are happy to announce that RDP proto v6 and CredSSP v3 support
have been backported to the old FreeRDP 1.1 branch.

Since Q2/2018, Microsoft Windows servers and clients received an update that
defaulted their RDP server to proto version 6. Since this change, people
have not been able to connect to recently updated MS Windows machines using
the old FreeRDP 1.1 branch as found in Debian jessie LTS and Debian stretch.
With the recent FreeRDP upload to Debian jessie LTS, connecting to
up-to-date MS Windows machines is now possible again.

Security issues:

CVE-2018-8786

    FreeRDP contained an integer truncation that led to a heap-based buffer
    overflow in function update_read_bitmap_update() and resulted in a
    memory corruption and probably even a remote code execution.

CVE-2018-8787

    FreeRDP contained an integer overflow that led to a heap-based buffer
    overflow in function gdi_Bitmap_Decompress() and resulted in a memory
    corruption and probably even a remote code execution.

CVE-2018-8788

    FreeRDP contained an out-of-bounds write of up to 4 bytes in function
    nsc_rle_decode() that resulted in a memory corruption and possibly even
    a remote code execution.

CVE-2018-8789

    FreeRDP contained several out-of-bounds reads in the NTLM authentication
    module that resulted in a denial of service (segfault).

For Debian 8 "Jessie", these security problems have been fixed in version
1.1.0~git20140921.1.440916e+dfsg1-13~deb8u3.

We recommend that you upgrade your freerdp packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS
Re: Bug#921663: Please add python-certbot update to jessie-backports

Hi

I can also add that I have looked into this for myself and the number of
needed dependencies is rather large. So it is not just certbot that needs an
update, we also need to include quite a few other packages too.

// Ola

On Sat, 9 Feb 2019 at 09:37, Ian Campbell wrote:
> [[ Resending to correct debian-lts, I forgot the "lists." bit... ]]
>
> There is no need for an exception, jessie-backports is not the right
> place to be fixing this issue even if it were still open. It should be
> fixed by an update to either Jessie itself or the security suite.
>
> Jessie(-security) is currently maintained (until June 2020) by the LTS
> team[0], who I've cc-d here.
>
> There was a similar thread on the backports list which ended with [1]
> but I don't know if this ever formally came to the LTS team.
>
> Ian (not involved with LTS nor backports nor letsencrypt team).
>
> [0] https://wiki.debian.org/LTS/
> [1] https://lists.debian.org/debian-backports/2019/01/msg00052.html
Re: concerns about the security reliability of python-gnupg

On 2019-02-07 at 11:44:45 -0500, Antoine Beaupré wrote:
> Hi,
>
> Recently, python-gnupg was triaged for maintenance in Debian LTS, which
> brought my attention to this little wrapper around GnuPG that I'm
> somewhat familiar with.
>
> Debian is marked as "vulnerable" for CVE-2019-6690 in Jessie and Stretch
> right now, with buster and sid marked as fixed, as you can see here:
>
> https://security-tracker.debian.org/tracker/source-package/python-gnupg

sorry, my fault for missing the CVE when uploading the new upstream
version; I will prepare the fix for stable(-security) ASAP.

I don't care enough about LTS to learn its upload procedures, but if
somebody is interested in doing it I can backport the patch and push it to
git, for them to upload.

> I'm concerned about the security of this project in general. Even though
> that specific instance might be fixed, there are many more bad security
> practices used in this project. A fork was created by Isis Agora
> Lovecruft to fix those issues:
>
> https://github.com/isislovecruft/python-gnupg/

AFAIK that fork is dead upstream, and it's not compatible with Vinay
Sajip's version, so it can't be used to satisfy the dependency in other
packages.

> [...]
> I suspect many such issues could be identified formally in the
> python-gnupg package.

My experience with upstream is that they are quite good at reacting to
issues that are raised on their bugtracker (and I'm happy to forward them
there from the debian BTS).

On the other hand, they don't maintain a LTS version, so the fix will
happen in the latest release, and while I'm confident that many patches
will be backportable there is no guarantee that *all* of them would be,
especially to the version in oldstable.

> But maybe, instead, we should just mark it as unsupported in
> debian-security-support and move on. There are few packages depending on
> it, in jessie:
> [...]
> in buster:
> [...]

I think this list is missing something, maybe the reverse dependencies of
python3-gnupg: I know that gajim-pgp depends on it (and is in turn
recommended by gajim) at least in buster; earlier versions used an old
embedded copy of the same library, so this isn't really a "new" dependency.

--
Elena ``of Valhalla''
Re: Bug#921663: Please add python-certbot update to jessie-backports

[[ Resending to correct debian-lts, I forgot the "lists." bit... ]]

On Fri, 2019-02-08 at 11:18 -0800, Brad Warren wrote:
> To provide a little more information as an upstream maintainer of
> Certbot, the lack of an upgrade here will affect a lot of Debian
> Jessie users.
>
> Let’s Encrypt started sending out multiple emails telling affected
> users they needed to upgrade their client or they will become unable
> to renew their certificates 3 weeks ago. Looking at server side data
> from the past week on how many Jessie users continue to rely on these
> soon to be broken packages, I estimate it is 20,000 users maintaining
> 37,000 certificates for 64,000 domains.
>
> Is there really nothing that can be done here? Is it possible to make
> an exception to Debian’s normal policy to prevent TLS configurations
> from breaking on tens of thousands of websites?

There is no need for an exception, jessie-backports is not the right
place to be fixing this issue even if it were still open. It should be
fixed by an update to either Jessie itself or the security suite.

Jessie(-security) is currently maintained (until June 2020) by the LTS
team[0], who I've cc-d here.

There was a similar thread on the backports list which ended with [1]
but I don't know if this ever formally came to the LTS team.

Ian (not involved with LTS nor backports nor letsencrypt team).

[0] https://wiki.debian.org/LTS/
[1] https://lists.debian.org/debian-backports/2019/01/msg00052.html