Re: process to include upstream jar sig in Debian-generated jar
* Hans-Christoph Steiner:

> That should then result in a debian-generated jar that has the martus
> signature on it. If Debian Security needed to update the package to fix
> an urgent issue, then they could still do so. The package build process
> would only include the upstream signature from martus.jar if it was an
> exact match. The security-fixed version would then result in an unsigned
> jar, which is standard for jars in Debian.

How would you tell a legitimate security update from a version that lacks a signature for other reasons?

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/871u5daqtb@mid.deneb.enyo.de
Re: process to include upstream jar sig in Debian-generated jar
On 29 Aug 2013, at 09:39, Florian Weimer <f...@deneb.enyo.de> wrote:

> How would you tell a legitimate security update from a version that
> lacks a signature for other reasons?

If you are worried about a non-official/malicious update for the package, the .deb will still need to have a proper signature. The discussion here is about the signature on the jar file that is read/verified by the JRE.

-- 
Richard

Archive: http://lists.debian.org/4dedc154-c4cc-4ded-86ec-373b760de...@vdberg.org
Re: process to include upstream jar sig in Debian-generated jar
On 29/08/2013 11:21, Richard van den Berg wrote:

> On 29 Aug 2013, at 09:39, Florian Weimer <f...@deneb.enyo.de> wrote:
>
>> How would you tell a legitimate security update from a version that
>> lacks a signature for other reasons?
>
> If you are worried about a non-official/malicious update for the
> package, the .deb will still need to have a proper signature. The
> discussion here is about the signature on the jar file that is
> read/verified by the JRE.

Yes, but the whole thing looks weird: on one hand the OP wants to include a signed jar in the package, on the other hand he says the signature could be omitted if a quick update is needed. What's the point of having a signed JAR if an unsigned JAR is legitimate too? Either you ban unsigned JARs or you don't use signed JARs at all.

Regards,
-- 
Sebastien
Re: process to include upstream jar sig in Debian-generated jar
On Thu, Aug 29, 2013 at 11:35:47AM +0200, Sébastien Le Ray wrote:

> Yes, but the whole thing looks weird: on one hand the OP wants to
> include a signed jar in the package, on the other hand he says the
> signature could be omitted if a quick update is needed. What's the
> point of having a signed JAR if an unsigned JAR is legitimate too?
> Either you ban unsigned JARs or you don't use signed JARs at all.

It leaves the decision of whether to run with the unsigned jar up to the user. I think this is a reasonable solution if it works in practice, and it is similar in concept to what the openssl folks have done for FIPS validation.

Mike Stone
Re: process to include upstream jar sig in Debian-generated jar
On 08/29/2013 10:56 AM, Michael Stone wrote:

> On Thu, Aug 29, 2013 at 11:35:47AM +0200, Sébastien Le Ray wrote:
>
>> Yes, but the whole thing looks weird: on one hand the OP wants to
>> include a signed jar in the package, on the other hand he says the
>> signature could be omitted if a quick update is needed. What's the
>> point of having a signed JAR if an unsigned JAR is legitimate too?
>> Either you ban unsigned JARs or you don't use signed JARs at all.
>
> It leaves the decision of whether to run with the unsigned jar up to
> the user. I think this is a reasonable solution if it works in
> practice, and it is similar in concept to what the openssl folks have
> done for FIPS validation.
>
> Mike Stone

Another idea is that it provides a public record of whether the upstream jar matches the Debian jar, which is guaranteed to be built from source. This could then serve as a verification that the upstream jar did not have code injected into it that is not in the source tarball. One example of a worry of how this might happen is if a governmental agency issues a secret order to implant a back door in said app.

.hc

Archive: http://lists.debian.org/521f7a4b.3070...@at.or.at
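The build-time rule in the first message (carry the upstream signature over only on an exact match, otherwise ship the jar unsigned) and the "public record of whether the upstream jar matches the Debian jar" suggested in the message above come down to the same operation: a JAR signature is an .RSA/.DSA block over a .SF file, which in turn digests the MANIFEST.MF, which carries a per-entry digest of every content file. So the Debian-built entries can be checked one by one against the upstream manifest, and if all of them match, the upstream MANIFEST.MF plus META-INF/*.SF and *.RSA can be dropped in front of them and the result will verify. The Python below is an added example, not code from Debian, Martus or any poster on the thread. The class names under org/martus/, the signer alias MARTUS and the .SF/.RSA byte strings are constructed placeholders (so jarsigner would reject them); the block exercises only the exact-match decision and the transplant, and returns the reason for a refusal so the build log records why a jar shipped unsigned.

```python
# Added example: include the upstream JAR signature in a rebuilt JAR only
# when every entry is byte-identical to what upstream signed.  File names,
# class bytes and the .SF/.RSA blobs below are constructed placeholders.
import base64, hashlib, io, zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SIG_EXTS = (".SF", ".RSA", ".DSA", ".EC")

def b64(raw):
    return base64.b64encode(raw).decode("ascii")

def is_signature_related(name):
    # The manifest plus META-INF/*.SF and the *.RSA/*.DSA/*.EC block are the
    # signature; every other entry is content covered by the manifest digests.
    return name == MANIFEST or (name.startswith("META-INF/")
                                and name.upper().endswith(SIG_EXTS))

def parse_manifest_digests(manifest_text):
    """{entry name: {algorithm: base64 digest}} from the per-entry sections.
    Lines over 72 bytes are folded as newline + one space; unfold them first."""
    unfolded = manifest_text.replace("\r\n", "\n").replace("\n ", "")
    digests = {}
    for section in unfolded.split("\n\n")[1:]:   # [0] is the main section
        name, algs = None, {}
        for line in section.splitlines():
            key, _, value = line.partition(": ")
            if key == "Name":
                name = value
            elif key.endswith("-Digest"):
                algs[key[:-len("-Digest")]] = value
        if name:
            digests[name] = algs
    return digests

def first_mismatch(jar_bytes, digests):
    """None if every content entry matches the upstream digests exactly,
    otherwise a one-line reason naming the offending entry."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [n for n in zf.namelist()
                 if not n.endswith("/") and not is_signature_related(n)]
        for name in names:
            if name not in digests:
                return "not covered by upstream signature: " + name
            data = zf.read(name)
            for alg, expected in digests[name].items():
                h = hashlib.new(alg.replace("-", "").lower(), data)  # SHA-256 -> sha256
                if b64(h.digest()) != expected:
                    return "digest mismatch: " + name
    missing = sorted(set(digests) - set(names))
    return "signed upstream but missing here: " + missing[0] if missing else None

def build_output_jar(debian_jar, upstream_jar):
    """Return (jar bytes, signed, reason).  On an exact match the upstream
    manifest and signature files are written first (where the JAR spec wants
    them) and replace Debian's own unsigned manifest; on any mismatch the
    Debian jar is returned unchanged, i.e. unsigned, with the reason."""
    with zipfile.ZipFile(io.BytesIO(upstream_jar)) as up:
        sig = {n: up.read(n) for n in up.namelist() if is_signature_related(n)}
    reason = first_mismatch(debian_jar, parse_manifest_digests(sig[MANIFEST].decode()))
    if reason:
        return debian_jar, False, reason
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(debian_jar)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        dst.writestr(MANIFEST, sig[MANIFEST])
        for name in (n for n in sig if n != MANIFEST):
            dst.writestr(name, sig[name])
        for info in src.infolist():
            if not is_signature_related(info.filename):
                dst.writestr(info.filename, src.read(info.filename))
    return out.getvalue(), True, None

def signature_entries(jar_bytes):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [n for n in zf.namelist() if is_signature_related(n)]

# ---- constructed sample input (not the real martus.jar) -----------------
UPSTREAM_FILES = {
    "org/martus/Main.class": b"\xca\xfe\xba\xbe placeholder Main v1",
    "org/martus/Util.class": b"\xca\xfe\xba\xbe placeholder Util v1",
}
# A security fix touches one class; everything else stays byte-identical.
SECURITY_FIXED_FILES = {**UPSTREAM_FILES, "org/martus/Util.class": b"\xca\xfe\xba\xbe patched Util"}
SIG_BLOBS = {  # placeholders; jarsigner produces the real ones
    "META-INF/MARTUS.SF": b"Signature-Version: 1.0\n(placeholder)\n",
    "META-INF/MARTUS.RSA": b"\x30\x82 placeholder PKCS#7",
}

def make_jar(files, signed=False):
    """Zip `files`; with signed=True also write real SHA-256 per-entry digests
    into the manifest and the placeholder .SF/.RSA, front-loaded like jarsigner."""
    lines = ["Manifest-Version: 1.0", "Created-By: constructed example", ""]
    if signed:
        for name, data in files.items():
            lines += ["Name: " + name,
                      "SHA-256-Digest: " + b64(hashlib.sha256(data).digest()), ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, "\n".join(lines) + "\n")
        for name, data in (SIG_BLOBS.items() if signed else ()):
            zf.writestr(name, data)
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    """(signed, reason) for an exact rebuild and for a security-fixed rebuild."""
    upstream = make_jar(UPSTREAM_FILES, signed=True)
    _, ok1, why1 = build_output_jar(make_jar(UPSTREAM_FILES), upstream)
    _, ok2, why2 = build_output_jar(make_jar(SECURITY_FIXED_FILES), upstream)
    return (ok1, why1), (ok2, why2)
```

Two points a packager would want to keep in mind. The digests are over the uncompressed entry bytes, so compression level and entry order in the rebuilt zip do not matter to the check, but the class files themselves must be reproducible, which in practice means pinning the javac version and target and stripping timestamps. And the transplanted MANIFEST.MF replaces Debian's own, so any main attributes (Main-Class, Class-Path) come from upstream; in a real build the resulting jar should still be put through `jarsigner -verify -verbose -certs` before it is shipped.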
Re: [SECURITY] [DSA 2746-1] icedove security update
Might be of interest for Stockerau.

Ralf Lehner IT Consulting e.U.
Judengasse 1 Top 4
A-1010 Wien
tel +43 (720) 699799
mob +43 (699) 18885799
mailto:r...@rdl.at
web http://www.rdl.at

On 29.08.2013 at 19:38, Moritz Muehlenhoff <j...@debian.org> wrote:

> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-2746-1                   secur...@debian.org
> http://www.debian.org/security/                        Moritz Muehlenhoff
> August 29, 2013                        http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package        : icedove
> Vulnerability  : several
> Problem type   : remote
> Debian-specific: no
> CVE ID         : CVE-2013-1701 CVE-2013-1709 CVE-2013-1710 CVE-2013-1713
>                  CVE-2013-1714 CVE-2013-1717
>
> Multiple security issues have been found in Icedove, Debian's version of
> the Mozilla Thunderbird mail and news client. Multiple memory safety
> errors, missing permission checks and other implementation errors may
> lead to the execution of arbitrary code or cross-site scripting.
>
> The Icedove version in the oldstable distribution (squeeze) is no longer
> supported with full security updates. However, it should be noted that
> almost all security issues in Icedove stem from the included browser
> engine. These security problems only affect Icedove if scripting and
> HTML mails are enabled. If there are security issues specific to Icedove
> (e.g. a hypothetical buffer overflow in the IMAP implementation) we'll
> make an effort to backport such fixes to oldstable.
>
> For the stable distribution (wheezy), these problems have been fixed in
> version 17.0.8-1~deb7u1.
>
> For the unstable distribution (sid), these problems have been fixed in
> version 17.0.8-1.
>
> We recommend that you upgrade your icedove packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org
>
> Archive: http://lists.debian.org/20130829173606.GA6561@pisco.westfalen.local

Archive: http://lists.debian.org/5d5a6211-40a6-4848-8e0f-39d9a380a...@rdl.at
External check
CVE-2013-4283: RESERVED

-- 
The output might be a bit terse, but the above IDs are known elsewhere; check the references in the tracker. The second part indicates the status of that ID in the tracker at the moment the script was run.

Archive: http://lists.debian.org/521eed9a.m/e/pmxlssopzaqq%atomo64+st...@gmail.com