Bug#888169: seccomp support for bind9

2018-01-23 Thread Simon Deziel
Package: bind9 Version: 1:9.11.2.P1-1 Severity: wishlist Dear maintainers, It would be nice to enable seccomp support for bind9. Upstream added this feature some time ago [1]. Thanks in advance, Simon [1] https://deepthought.isc.org/article/AA-01177/0/BIND-9.10.1b1-Release-Notes.html signat

Bug#886915: thunderbird: Thunderbird blocked by AppArmor without intervention.

2018-01-11 Thread Simon Deziel
On 2018-01-11 03:19 PM, Carsten Schoenert wrote: > You can try to add a line for the Acrobat Reader into the profile. But > this is blind shot from me, acroread will requesting probably further > files. I think you shot the target ;) > diff --git a/debian/apparmor/usr.bin.thunderbird > b/debian/

Bug#884191: Please do not disable AppArmor silently and prevent its re-activation

2017-12-18 Thread Simon Deziel
On 2017-12-16 08:37 AM, Cédric Dufour - Idiap Research Institute wrote: > On 16/12/17 10:02, Carsten Schoenert wrote: >> There is the AppArmor profile not re-enable? What let you came to that >> conclusion? As written before two commands are needed. >> >>    $ sudo rm /etc/apparmor.d/disable/profil

Bug#863841: Enable systemd hardening options for named

2017-12-13 Thread Simon Deziel
Hi, It would be really nice to have those hardening options used. I use them locally on Ubuntu. Please note that the Private*/Protect* options (using the mount namespace) require this change to the Apparmor profile: -/usr/sbin/named { +/usr/sbin/named flags=(attach_disconnected) { Thanks, Simon
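Review bot: the profile header change (-/usr/sbin/named { to +/usr/sbin/named flags=(attach_disconnected) {) carries no comment saying why the flag is there; since it exists only so the profile keeps working under the unit's Private*/Protect* mount-namespace options, put a one-line comment above the header stating that, otherwise the next profile refresh is likely to drop it and silently break the hardened unit again.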

Bug#848890: [Pkg-swan-devel] Bug#848890: polished remaining delta for re-review

2017-12-05 Thread Simon Deziel
On 2017-12-05 04:12 AM, Yves-Alexis Perez wrote: > On Tue, 2017-12-05 at 08:31 +0100, Christian Ehrhardt wrote: >> On Mon, Dec 4, 2017 at 9:56 PM, Yves-Alexis Perez wrote: >>> On Thu, 2017-11-30 at 16:31 +0100, Christian Ehrhardt wrote: Pushed it to the same debian-submission-nov2017 branch a

Bug#848890: [Pkg-swan-devel] Bug#848890: polished remaining delta for re-review

2017-12-04 Thread Simon Deziel
Hello Yves-Alexis, On 2017-12-04 03:56 PM, Yves-Alexis Perez wrote: > On Thu, 2017-11-30 at 16:31 +0100, Christian Ehrhardt wrote: >> Pushed it to the same debian-submission-nov2017 branch as before. > 85150f06 (kernel-libipsec enable): for reference, this is #739641 and I'm > still not sure I lik

Bug#883354: Acknowledgement (Apparmor profile for msmtp)

2017-12-02 Thread Simon Deziel
And I forgot to add dh-apparmor to build-depends, sorry about that. commit e497b63b0c414312f5ed716542ea7ffee108e0b0 Author: Simon Deziel Date: Sat Dec 2 17:15:05 2017 -0500 Add dh-apparmor to build-depends diff --git a/debian/control b/debian/control index 9792653..1f022e1 100644 --- a

Bug#883354: Acknowledgement (Apparmor profile for msmtp)

2017-12-02 Thread Simon Deziel
On 2017-12-02 05:22 PM, Simon Deziel wrote: > And I forgot to add dh-apparmor to build-depends, sorry about that. Oh boy, I attached the commit from the wrong branch, this one should be right. commit 6da01b0231cff6d84c7286ed01ae73c87e6c364d (msmtp-apparmor) Author: Simon Deziel Date: Sat De

Bug#883354: Apparmor profile for msmtp

2017-12-02 Thread Simon Deziel
1: https://wiki.debian.org/AppArmor 2: https://lists.debian.org/debian-devel/2017/08/msg00090.html commit f9da17b83befa81877010427ee9fe4866bd56731 (HEAD -> msmtp-apparmor) Author: Simon Deziel Date: Sat Dec 2 15:54:33 2017 -0500 Ship an Apparmor profile Signed-off-by: Simon Deziel diff -

Bug#883349: Acknowledgement (/etc/msmtprc should not be world readable)

2017-12-02 Thread Simon Deziel
p-setgit) Author: Simon Deziel Date: Sat Dec 2 14:25:44 2017 -0500 Remove world read access to /etc/msmtprc and chgrp to "mail". Install the msmtp binary as setgid and owned by "root:mail". Closes: #883349 Signed-off-by: Simon Deziel diff --git a/

Bug#883349: /etc/msmtprc should not be world readable

2017-12-02 Thread Simon Deziel
Package: msmtp Version: 1.6.6-1 Hello, /etc/msmtprc can contain SMTP credentials that are best kept from regular users on the machine. It would be nice if the file permissions could be adjusted to prevent that without breaking msmtp's functionality for regular users. Regards, Simon signature.

Bug#867186: apparmor update for systemd Type=notify

2017-11-27 Thread Simon Deziel
Hi, This problem was also reported to Ubuntu where it affects more users as Apparmor is enabled by default there. https://bugs.launchpad.net/debian/+source/unbound/+bug/1723900 Regards, Simon

Bug#882731: apparmor policy only accepts root.key in /var/lib/unbound

2017-11-27 Thread Simon Deziel
On 2017-11-27 09:22 AM, Peter Palfrader wrote: > On Mon, 27 Nov 2017, Simon Deziel wrote: > >> On 2017-11-26 03:31 AM, Peter Palfrader wrote: >>> The apparmor policy for unbound allows access to >>> /var/lib/unbound/root.key*, but it does not allow access to any >

Bug#882731: apparmor policy only accepts root.key in /var/lib/unbound

2017-11-27 Thread Simon Deziel
> Please allow access to all key files. Please see the attached patch. Regards, Simon commit 533ad2381f6f22ae829ec171a1ed7632e2c644b8 (HEAD -> bug882731) Author: Simon Deziel Date: Mon Nov 27 09:03:04 2017 -0500 Allow having auto-trust-anchor-file in /var/lib/unbound Closes

Bug#882218: thunderbird: Apparmor doesn't allow personal profiles outside of ~/.{thunderbird,icedove}

2017-11-24 Thread Simon Deziel
On 2017-11-24 02:58 AM, intrigeri wrote: > Simon Deziel: >> On Tue, 21 Nov 2017 14:58:38 + George Dunlap wrote: >>> Not sure how the AppArmor stuff works -- would it be possible to >>> restrict the profile directory *after* reading profile.ini, so you >>>

Bug#882218: thunderbird: Apparmor doesn't allow personal profiles outside of ~/.{thunderbird,icedove}

2017-11-24 Thread Simon Deziel
On 2017-11-24 02:58 AM, intrigeri wrote: >> I'm afraid that for such cases, the easiest solution would be to disable >> the Apparmor profile: > > … or use bind-mounts instead of symlinks, so that your profiles > are exposed in ~/.thunderbird to AppArmor. That's clever! > And then we need to deci

Bug#882556: Remnant ntp's Apparmor profile prevents openntpd from working

2017-11-23 Thread Simon Deziel
Package: openntpd Version: 1:6.2p3-1 Severity: low Hi, When someone purges the ntp package to then install openntpd, it is possible for ntp's Apparmor profile to remain loaded in the kernel after the corresponding /etc/apparmor.d/ file was removed. This prevents openntpd's from working or even de

Bug#882218: thunderbird: Apparmor doesn't allow personal profiles outside of ~/.{thunderbird,icedove}

2017-11-23 Thread Simon Deziel
On Tue, 21 Nov 2017 14:58:38 + George Dunlap wrote: > I'm also affected by this bug. At the moment my home directory is on > an NFS share, and my quota isn't big enough to fit my mailboxes (in > addition to making the NFS server a bottleneck for mailbox > operations). Unfortunately, the curr

Bug#882122: thunderbird: Thunderbird can't connect to X server, fails to start

2017-11-23 Thread Simon Deziel
On 2017-11-23 03:12 PM, Jack Henschel wrote: > $ sudo dmesg -T | grep apparmor > ... > [Thu Nov 23 21:01:24 2017] audit: type=1400 audit(1511467287.665:8): > apparmor="STATUS" operation="profile_load" profile="unconfined" > name="thunderbird" pid=498 comm="apparmor_parser" > [Thu Nov 23 21:01:24

Bug#882048: apparmor should let thunderbird use signatures from files

2017-11-23 Thread Simon Deziel
On 2017-11-23 02:14 PM, intrigeri wrote: > Hi, > > Vincas Dargis: >> Looks like the culprit is this line in usr.bin.thunderbird [0]: > >> ``` >> deny @{HOME}/.* r, >> ``` > > […] > > Thanks for your detailed analysis! > >> 4. Opening a File dialog to select file to be attached, produces bunch

Bug#882122: thunderbird: Thunderbird can't connect to X server, fails to start

2017-11-23 Thread Simon Deziel
On 2017-11-23 12:18 AM, Carsten Schoenert wrote: >> Also, directly running /usr/lib/thunderbird/thunderbird-bin works, too! >> Which is really weird because /usr/lib/thunderbird/thunderbird and >> /usr/lib/thunderbird/thunderbird-bin are the same, but only the latter one >> can connect to the X s

Bug#880953: thunderbird: upon startup apparmor denies mmap of python3.6

2017-11-14 Thread Simon Deziel
On 2017-11-12 07:46 AM, intrigeri wrote: > can you please review my MR upstream? I'm not familiar with GitLab (yet) so I don't know how to re-assign to you but it LGTM. Regards, Simon

Bug#880715: thunderbird: fails to lock gpg keyring for key import under apparmor

2017-11-04 Thread Simon Deziel
Hi Philipp, Your bug reporting work is really appreciated, keep em coming! On 2017-11-04 06:41 AM, Philipp Kern wrote: > Package: thunderbird > Version: 1:52.4.0-1 > X-Debbugs-Cc: intrig...@debian.org, si...@sdeziel.info > > When trying to import a GPG key from the Enigmail per-message "Import >

Bug#880532: thunderbird: tries to exec nvidia-modprobe which is denied by apparmor

2017-11-01 Thread Simon Deziel
Hi Philipp, On 2017-11-01 05:38 PM, Philipp Kern wrote: > Package: thunderbird > Version: 1:52.4.0-1 > X-Debbugs-Cc: intrig...@debian.org, si...@sdeziel.info > > I'm using thunderbird with apparmor enabled and I get the following deny > with the proprietary nvidia driver installed and active once

Bug#880425: thunderbird: logs spurious apparmor denial messages

2017-11-01 Thread Simon Deziel
On 2017-11-01 03:52 AM, intrigeri wrote: > Hi, > > Simon Deziel: >> On 2017-10-31 08:32 AM, Philipp Kern wrote: >>> When I use Thunderbird I see a lot of these in the kernel log (probably >>> whenever I look at a signed and/or encrypted email): >>>

Bug#880425: thunderbird: logs spurious apparmor denial messages

2017-10-31 Thread Simon Deziel
On 2017-10-31 08:32 AM, Philipp Kern wrote: > When I use Thunderbird I see a lot of these in the kernel log (probably > whenever I look at a signed and/or encrypted email): > > [94784.485686] audit: type=1400 audit(1509453045.981:153): > apparmor="DENIED" operation="file_inherit" profile="thunderb

Bug#880365: postfix check warns about symlink being group writable

2017-10-30 Thread Simon Deziel
Hi Scott, On 2017-10-30 06:00 PM, Scott Kitterman wrote: > Did you reproduce this one Debian unstable or are you just assuming > it applies? If you did make that assumption, please don't. I > believe that this is already fixed. Before reporting to Debian, I looked at the files as shipped in: h

Bug#880365: postfix check warns about symlink being group writable

2017-10-30 Thread Simon Deziel
Package: postfix Version: 3.2.3-1 Dear maintainer, "postfix check" complains like that: postfix/postfix-script: warning: group or other writable: /usr/lib/postfix/./libpostfix-tls.so.1 postfix/postfix-script: warning: group or other writable: /usr/lib/postfix/./libpostfix-util.so.1 postfix/postf

Bug#855346: thunderbird: Can't open attachments with AppArmor profile enforced

2017-10-25 Thread Simon Deziel
On 2017-10-25 03:08 PM, Vincas Dargis wrote: > On 2017.10.25 10:26, intrigeri wrote: >>> Also, if sanitized_helper contains: >> >>> `/{usr/,}bin/* Pixr,` >> >>> Doesn't this automatically mean that this line in usr.bin.thunderbird >>> profile >> >>> `/{usr/,}bin/* Cx -> sanitized_helper,` >> >>> wi

Bug#878253: aria2 autopkgtest failures on armhf

2017-10-11 Thread Simon Deziel
Package: aria2 Version: 1.32.0-1 Hello, I've been investigating an issue with the autopkgtest failing on armhf [1] and I suspect it is due to the python3 http server being too slow to start on that arch. The attached patch changes the behavior to wait for the HTTP socket to be listening or up to

Bug#861923: openvpn: arbitrary process limit

2017-10-10 Thread Simon Deziel
On 2017-10-10 09:31 AM, David Sommerseth wrote: > On Mon, 9 Oct 2017 23:31:40 +0200 Bernhard Schmidt wrote: > [...snip...] >> >> for i in `seq 1 20`; do echo -e "dev tun\nifconfig 10.0.$i.1 >> 10.0.$i.2\nsecret static.key\nport 200$i\nscript-security 2\nup >> '/usr/local/bin/sleep-5.sh'\n

Bug#877696: Subject: /etc/openvpn/update-resolv-conf: /etc/openvpn/update-resolv-conf does not parse DNS option correctly

2017-10-05 Thread Simon Deziel
On 2017-10-05 04:42 AM, Iliana Panagopoulou wrote: > ls -l /etc/resolvconf/run/resolv.conf > -rw-r--r-- 1 root root 211 Oct 5 11:38 /etc/resolvconf/run/resolv.conf I'm surprised this points to /etc and not /run (or /var/run). > pre tun0.openvpn: > dhcp-option DNS 4.2.2.1 This is a bogus entry an

Bug#877696: Subject: /etc/openvpn/update-resolv-conf: /etc/openvpn/update-resolv-conf does not parse DNS option correctly

2017-10-04 Thread Simon Deziel
On 2017-10-04 10:20 AM, Iliana Panagopoulou wrote: > > > On 10/04/2017 04:45 PM, Simon Deziel wrote: >> Hi Iliana, >> >> On 2017-10-04 09:10 AM, Iliana Panagopoulou wrote: >>>     * What led up to the situation? >>> Added 'dhcp-option DNS x.x.

Bug#877696: Subject: /etc/openvpn/update-resolv-conf: /etc/openvpn/update-resolv-conf does not parse DNS option correctly

2017-10-04 Thread Simon Deziel
Hi Iliana, On 2017-10-04 09:10 AM, Iliana Panagopoulou wrote: >     * What led up to the situation? > Added 'dhcp-option DNS x.x.x.x' to my openvpn's server.conf but my > Debian client could not get the DNS. When added server side, "push" is required for this option to be sent to the client. > O

Bug#873618: Solved: Bug#873618: openvpn: after security-upgrade openvpn can't access cert-files when started via systemd

2017-10-03 Thread Simon Deziel
On 2017-10-03 08:21 AM, Jörg Frings-Fürst wrote: > setting ProtectSystem=full is not in all cases a good idea. So openvpn > must be able to make changes to the /etc/resolv.conf. On Ubuntu at least, /etc/resolv.conf is a symlink to /run/resolvconf/resolv.conf so ProtectSystem=full doesn't get in th

Bug#876333: thunderbird: AppArmor profile allows mmap executables from user writable directories

2017-09-21 Thread Simon Deziel
On 2017-09-21 02:46 AM, Vincas Dargis wrote: > /etc/apparmor.d/usr.bin.thunderbird has these lines: > > owner /tmp/** m, > owner /var/tmp/** m, > > Is this really necesarry? If Thunderbir actually tries to mmap files with > executable flags, I believe it should be reported as a bug upstream. > >

Bug#874100: thunderbird: Let's clarify what's the upstream for our AppArmor profile

2017-09-20 Thread Simon Deziel
Hi intrigeri, On 2017-09-20 11:26 AM, intrigeri wrote: >> My only concern is what to do when those new rules are stalled >> waiting on review? Could they be integrated to the Debian version while >> waiting for the official merge? If yes, I think that's the best of both >> worlds. > > For the rec

Bug#874100: thunderbird: Let's clarify what's the upstream for our AppArmor profile

2017-09-04 Thread Simon Deziel
On 2017-09-03 10:34 AM, Simon Deziel wrote: > Hi, > > Thanks for bringing this problem to my attention. > > On 2017-09-03 03:01 AM, intrig...@debian.org wrote: >> Hi! >> >> (Context: tackling my AppArmor-in-Debian backlog in order to move the >> "let

Bug#874100: thunderbird: Let's clarify what's the upstream for our AppArmor profile

2017-09-03 Thread Simon Deziel
Hi, Thanks for bringing this problem to my attention. On 2017-09-03 03:01 AM, intrig...@debian.org wrote: > Hi! > > (Context: tackling my AppArmor-in-Debian backlog in order to move the > "let's enable AppArmor by default" topic forward.) > > Today I had a look at https://bugs.debian.org/855346

Bug#873618: Solved: Bug#873618: openvpn: after security-upgrade openvpn can't access cert-files when started via systemd

2017-08-29 Thread Simon Deziel
For the sake of completeness, when using the INLINE alternative, the config file then needs to be properly protected (chown root:root, chmod 0600). @Georg, indeed, ProtectHome=true ensures /root, /home and /run/user are empty for the processes spawned by the unit. I welcome this addition! @Bernha

Bug#873618: openvpn: after security-upgrade openvpn can't access cert-files when started via systemd

2017-08-29 Thread Simon Deziel
Hi Georg, According to the syslog_errors messages it seems that your config is trying to use SSL/TLS certificate files hosted in root's home. This is not permitted now that the systemd unit uses "ProtectHome=true". A good way to avoid that problem and follow best practices would be to create a di
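
An audit of the two points made in this thread (certificate or key files under /root, /home or /run/user become unreachable once the unit sets ProtectHome=true, and an inline config or a key file must not be readable by other users), added here as an example and not part of the openvpn package: it lists the file-taking directives of a config, flags the paths ProtectHome would hide, and flags key material with group/other read bits. Relative paths are assumed to resolve against the config's own directory (Debian's unit starts openvpn with --cd /etc/openvpn); the directive list covers the common ones only.

```sh
#!/bin/sh
# Audit an OpenVPN config for two problems that appear once the systemd unit
# hardens the service:
#   - file paths under /root, /home or /run/user, which ProtectHome=true hides
#   - key material (or a config with inline <key> blocks) readable by others
# Example code, not part of the openvpn package.

# Print "<directive> <path>" for each file-taking directive in config $1.
openvpn_file_refs() {
    sed -e 's/[#;].*//' "$1" | awk '
        $1 ~ /^(ca|cert|key|dh|tls-auth|tls-crypt|crl-verify|secret|auth-user-pass|askpass|config)$/ && NF >= 2 {
            print $1, $2
        }'
}

# True if ProtectHome=true would hide $1 from the service.
hidden_by_protecthome() {
    case "$1" in
        /root|/root/*|/home|/home/*|/run/user|/run/user/*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if file $1 has no group/other permission bits (e.g. 0600 or 0400).
private_perms() {
    mode=$(stat -c %a "$1")
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# True if the config carries inline key material.
has_inline_secret() {
    grep -qE '^<(key|secret|tls-auth|tls-crypt)>' "$1"
}

# Print one finding per line, nothing when the config is clean:
#   HIDDEN <directive> <path>            unreachable under ProtectHome=true
#   EXPOSED <directive> <path> mode=NNN  key material readable by others
audit_openvpn_config() {
    cfg=$1
    base=$(dirname "$cfg")   # assumption: relative paths resolve against the config dir
    if has_inline_secret "$cfg" && ! private_perms "$cfg"; then
        printf 'EXPOSED config %s mode=%s\n' "$cfg" "$(stat -c %a "$cfg")"
    fi
    openvpn_file_refs "$cfg" | while read -r directive path; do
        case "$path" in
            /*) abs=$path ;;
            *)  abs=$base/$path ;;
        esac
        if hidden_by_protecthome "$abs"; then
            printf 'HIDDEN %s %s\n' "$directive" "$abs"
        fi
        case "$directive" in
            key|secret|tls-auth|tls-crypt|auth-user-pass|askpass)
                if [ -e "$abs" ] && ! private_perms "$abs"; then
                    printf 'EXPOSED %s %s mode=%s\n' "$directive" "$abs" "$(stat -c %a "$abs")"
                fi ;;
        esac
    done
}

# Usage: sh openvpn-audit.sh /etc/openvpn/server.conf
if [ $# -eq 1 ]; then
    audit_openvpn_config "$1"
fi
```

A HIDDEN line means the unit will fail at start with the "cannot read" errors seen in this thread; move the file under a root-owned directory in /etc/openvpn or inline it, and in the latter case the config itself must pass the EXPOSED check (root:root, 0600).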

Bug#869903: regression: putting an hostname in authorized_keys from="" field does not work anymore in stretch

2017-07-27 Thread Simon Deziel
On 2017-07-27 10:13 AM, Alexander Dahl wrote: > Package: openssh-server > Version: 1:7.4p1-10+deb9u1 > Severity: normal > > Dear Maintainer, > > I used the 'from' field in authorized_keys with an hostname (fqdn) on > Debian 8 (jessie), which worked fine (openssh-server > 1:6.7p1-5+deb8u3). After

Bug#867192: [Pkg-dns-devel] Bug#867192: let systemd know about the pid file

2017-07-21 Thread Simon Deziel
On 2017-07-14 06:15 PM, Robert Edmonds wrote: > Simon Deziel wrote: >> When unbound is stopped, its PID file is left behind causing subsequent >> service starts to complain like that: >> >> unbound[178]: [178:0] warning: did not exit gracefully last time (124) >>

Bug#867192: [Pkg-dns-devel] Bug#867192: let systemd know about the pid file

2017-07-11 Thread Simon Deziel
On 2017-07-11 09:27 PM, Daniel Kahn Gillmor wrote: > On Thu 2017-07-06 12:11:04 -0400, Simon Deziel wrote: >> On 2017-07-05 09:28 PM, Daniel Kahn Gillmor wrote: >>> On Tue 2017-07-04 11:52:17 -0400, Simon Deziel wrote: >>> >>>> When unbound is stopp

Bug#867192: [Pkg-dns-devel] Bug#867192: let systemd know about the pid file

2017-07-06 Thread Simon Deziel
On 2017-07-05 09:28 PM, Daniel Kahn Gillmor wrote: > On Tue 2017-07-04 11:52:17 -0400, Simon Deziel wrote: > >> When unbound is stopped, its PID file is left behind causing subsequent >> service starts to complain like that: >> >> unbound[178]: [178:0] warning: did

Bug#867192: let systemd know about the pid file

2017-07-04 Thread Simon Deziel
it once unbound is stopped. Regards, Simon commit ebd7d61e0c79dbd85c99c878d06aff7fc09b919c Author: Simon Deziel Date: Tue Jul 4 15:47:00 2017 + systemd: let systemd know about the pid file This let systemd delete it when the service is stopped and avoids getting "wa

Bug#867187: update chroot script to mount bind systemd notify socket

2017-07-04 Thread Simon Deziel
: Simon Deziel Date: Tue Jul 4 04:39:23 2017 + systemd: add/remove notify socket inside chroot diff --git a/debian/package-helper b/debian/package-helper index 5b4264f..0b3ba37 100755 --- a/debian/package-helper +++ b/debian/package-helper @@ -60,6 +60,17 @@ do_chroot_setup

Bug#867186: apparmor update for systemd Type=notify

2017-07-04 Thread Simon Deziel
Package: unbound Version: 1.6.4-1 With the new systemd service using Type=notify, the Apparmor profile needs to be adjusted to make sd_notify work as intended. Please find a patch that does that. Regards, Simon commit 5e259e3a20f1efb886c6f69aca7723275e46a60b Author: Simon Deziel Date: Tue Jul

Bug#861018: Permissions on folders and access problems

2017-05-18 Thread Simon Deziel
On Thu, 27 Apr 2017 12:01:47 +0100 Jim Cobley wrote: > audit: type=1400 audit(1493287998.510:88): apparmor="DENIED" > operation="open" profile="thunderbird" > name="/mnt/Z/temp/Bluebell/TyreSize.jpg" pid=4537 comm="thunderbird" > requested_mask="r" denied_mask="r" fsuid=1900 ouid=1900 Right, /

Bug#661954: make /etc/ssmtp/* not world readable

2017-05-18 Thread Simon Deziel
On Thu, 24 Sep 2015 20:53:18 + Jason Pepas wrote: > Did this patch never get accepted? It looks like a great, simple solution to > the problem. Still not accepted in Debian. It was integrated in Ubuntu Xenial (16.04) and works well there so it would be nice to have it in Debian as well. Si

Bug#853929: Please upstream modifications to Thunderbird/Icedove AppArmor profile

2017-03-18 Thread Simon Deziel
On 03/17/2017 10:56 AM, Ulrike Uhlig wrote: > it's great that you provided modifications to the AppArmor profile in > Debian [1]! May I kindly ask you to send these upstream too? That way, > they will get reviewed first and then all other distributions using > AppArmor can profit from your improvem

Bug#837656: icedove: apparmor still blocking local movemail

2016-09-13 Thread Simon Deziel
Hi Ximin and Carsten, On 2016-09-13 08:47 AM, Carsten Schoenert wrote: > Hello Ximin, > > at least me has no knowledge about apparmor, so I including the upstream > author Simon Deziel to the recipients. > > On Tue, Sep 13, 2016 at 01:27:31PM +0200, Ximin Luo wrote: &

Bug#835000: icedove: Running external application: Failed to execute child process "firefox-esr" (Permission denied)

2016-08-22 Thread Simon Deziel
Hi Emmanuel, On Sun, 21 Aug 2016 14:45:56 +0200 Emmanuel Fleury wrote: > Package: icedove > Version: 1:45.2.0-4 > Severity: normal > > Dear Maintainer, > > When trying to access to a web link from an e-mail, I get the following > error message: > > Could not launch default application fo

Bug#833742: icedove: apparmor breaks -ProfileManager

2016-08-08 Thread Simon Deziel
Thanks u for CC'ing me. On 2016-08-08 08:25 AM, u wrote: > Hi! > > Ximin Luo: >> Package: icedove >> Version: 1:45.2.0-2 >> Severity: important > >> The apparmor profile breaks -ProfileManager. Here is the audit log: >> >> [ +28.591676] audit: type=1400 audit(1470655963.593:12587): >> apparmor=

Bug#518002: [Pkg-dns-devel] Bug#518002: Add apparmor profile for unbound

2016-08-05 Thread Simon Deziel
Hi Nicolas, Thanks for integrating the profile. The addition of a local include makes sense but there is a little typo: - #include + #include Regards, Simon

Bug#833184: icedove: apparmor profile for icedove denied on local mail

2016-08-02 Thread Simon Deziel
On Tue, 2 Aug 2016 04:33:18 -0400 Simon Deziel wrote: > So it seems the proper fix is to allow this: > > owner /var/mail/* rwlk, It was integrated upstream: https://code.launchpad.net/~apparmor-dev/apparmor-profiles/+git/apparmor-profiles/+ref/master Regards, Simon sign

Bug#833184: (no subject)

2016-08-02 Thread Simon Deziel
Here are the denial logs that the OP was getting: Aug 1 09:25:33 debian kernel: [ 539.165205] audit: type=1400 audit(1470036333.163:66): apparmor="DENIED" operation="open" profile="icedove" name="/var/mail/guy" pid=6134 comm="icedove" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001 Afte

Bug#751636: ssh sessions are not cleanly terminated on shutdown/restart with systemd

2016-06-23 Thread Simon Deziel
On Sun, 7 Feb 2016 14:36:24 +0100 "Alexander Afonyashin" wrote: > 1. Remove symlink /etc/systemd/system/sshd.service -> > /lib/systemd/system/ssh.service - who knows what does symlink do here? > 2. Copy /lib/systemd/system/ssh.service to /etc/systemd/system/ssh.service. Forking the whole file ca

Bug#792653: Probably related to CapabilityBoundingSet

2016-05-13 Thread Simon Deziel
Hi Jim, On 2016-05-13 08:19 AM, BARBER, Jim wrote: > I tried Simon Deziel's technique first. > I ran: systemctl edit openvpn@.service > It opened a blank editor and I added the following lines: > > [Service] > CapabilityBoundingSet= I'm sorry to have induced you in error. Apparent

Bug#792653: Probably related to CapabilityBoundingSet

2016-05-10 Thread Simon Deziel
Hi Alberto and Jim, On 2016-05-10 12:45 PM, Alberto Gonzalez Iniesta wrote: > So sorry took me this long to answer. I'm pretty sure this is related to > capabilities. Could try copying /lib/systemd/system/openvpn@.service to > /etc/systemd/system/openvpn@.service and removin the > CapabilityBoundi

Bug#823435: code duplication

2016-05-04 Thread Simon Deziel
on commit f55e5f5b1a6594f31c291097d0fa4ce715322ba3 Author: Simon Deziel Date: Wed May 4 13:07:30 2016 -0400 nginx-*.postinst: reuse "upgrade" action from init script diff --git a/debian/nginx-extras.postinst b/debian/nginx-extras.postinst index bd9c818..4ea6d9d 100644 --- a/debian/nginx-extras.postins

Bug#820843: tail'ing a file in a script session hangs

2016-04-13 Thread Simon Deziel
Hi Andreas, On 2016-04-13 06:49 AM, Andreas Henriksson wrote: >> This regression was introduced upstream by this commit: >> https://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit/?id=54c6611d6f7b73609a5331f4d0bcf63c4af6429e > > Thanks for your exemplary bug report. I mentioned it to u

Bug#820843: tail'ing a file in a script session hangs

2016-04-12 Thread Simon Deziel
Package: util-linux Version: 2.27.1-6 Hello, I noticed a regression after upgrading from 2.26.2 to 2.27.1. Here are the steps to reproduce: 1) Start script session (same issue when script is saving to /dev/null) script # or: script /dev/null 2) Tail a file tailf /var/log/syslog 3) Press "Enter"

Bug#820482: acpid shouldn't run in a container

2016-04-08 Thread Simon Deziel
Package: acpid Version: 2.0.26-1 acpid is AFAIK not needed in containers. Regards, Simon diff --git a/debian/acpid.service b/debian/acpid.service index acff887..4b46914 100644 --- a/debian/acpid.service +++ b/debian/acpid.service @@ -1,6 +1,7 @@ [Unit] Description=ACPI event daemon Requires=ac

Bug#820458: Unbound is unable to start with minimal PATH set

2016-04-08 Thread Simon Deziel
With 1.5.8, only the call to unbound-checkconf needed to be fixed to use a full path. --- /usr/lib/unbound/package-helper.orig 2016-04-08 12:32:46.710107662 -0400 +++ /usr/lib/unbound/package-helper 2016-04-08 12:33:15.050107392 -0400 @@ -2,7 +2,7 @@ UNBOUND_CONF="/etc/unbound/unbound.conf" UNBOU
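Review bot: hard-coding the full path for the one unbound-checkconf call fixes the reported failure, but any other command the helper runs under the same minimal PATH stays fragile; setting PATH=/usr/sbin:/usr/bin:/sbin:/bin once near the top of /usr/lib/unbound/package-helper, next to UNBOUND_CONF, covers every command in the script and does not need revisiting when a new call is added.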

Bug#818291: L-Root IPv6 address renumbering

2016-03-15 Thread Simon Deziel
Package: dns-root-data Version: 2015052300+h+1 Hi, On March 23rd, L-Root will stop responding on the old IPv6. Only the new IPv6 address will remain functional, see [1] for details. Regards, Simon 1: http://seclists.org/nanog/2016/Mar/255

Bug#818292: L-Root IPv6 address renumbering

2016-03-15 Thread Simon Deziel
Package: unbound Version: 1.5.8-1 Dear maintainers, On March 23rd, L-Root will stop responding on the old IPv6. Only the new IPv6 address will remain functional, see [1],[2] for details. Unbound upstream updated the builtin root.hints and I attached that patch for your convenience. Since those r

Bug#518002: (no subject)

2016-02-22 Thread Simon Deziel
Hello, On Sat, 29 Aug 2015 19:19:08 +0200 intrigeri wrote: > u wrote (02 Feb 2015 15:58:41 GMT) : > > apparently I overlooked that Simon's profile seems to actually exist > > upstream already [0]. Yay. > > Note that Simon and Nicolas have refreshed this profile recently: > https://code.launchpad

Bug#790392: [Pkg-dns-devel] Bug#790392: Bug#790392: unbound chroot accumulates old files

2016-02-22 Thread Simon Deziel
On 2016-02-21 05:55 PM, Robert Edmonds wrote: > Simon Deziel wrote: >> Turns out that unbound-checkconf has been fixed somewhere between 1.4.22 >> and 1.5.7. "unbound-checkconf -o chroot" just works now. Please see the >> updated patch attached. > > Grea

Bug#790392: [Pkg-dns-devel] Bug#790392: unbound chroot accumulates old files

2016-02-15 Thread Simon Deziel
Hello Robert, On 2016-01-30 10:26 PM, Robert Edmonds wrote: > Simon Deziel wrote: >> What do you think of the 2nd version of the proposed fixed >> (unbound-fresh-chroot-2.patch)? > > This version of the patch will read from any *.conf file in > /etc/unbound, which cou

Bug#782004: openvpn: Openvpn server fail to find pam plugin

2016-02-01 Thread Simon Deziel
Hi, On Mon, 06 Apr 2015 14:08:29 +0300 Corcodel Marian wrote: > Added on configuration line: > echo "plugin openvpn-plugin-auth-pam.so "login login USERNAME password > PASSWORD"" >> /etc/openvpn/server.conf > bu on start openvpn fail to start due errors: > cat/etc/openvpn/openvpn.log > Mon Apr

Bug#790392: unbound chroot accumulates old files

2016-01-07 Thread Simon Deziel
Hi Robert, What do you think of the 2nd version of the proposed fix (unbound-fresh-chroot-2.patch)? If we could resolve this chroot'ing problem, Ubuntu, that turns off chroot by default, would be more comfortable to drop part of their delta with Debian. Best regards, Simon

Bug#790392: unbound chroot accumulates old files

2015-12-14 Thread Simon Deziel
Hi Robert, On 12/12/2015 05:08 PM, Robert Edmonds wrote: > Hi, Simon: > > The chroot directory might be configured by a file in > /etc/unbound/unbound.conf.d/*.conf, rather than in the main unbound.conf > file. Good point, this needs to be supported. > What do you think of setting UNBOUND_CONF

Bug#799896: amavisd-new should prioritize 'gzip -d' for uncompress support

2015-09-23 Thread Simon Deziel
Package: amavisd-new Version: 1:2.10.1-1 On Debian, the uncompress command is a wrapper script (in bash) around 'gzip -d'. As such, it would make sense to change the default search order for the uncompress command. The attached patch does the above. Regards, Simon --- etc/conf.d/01-debian.orig 2

Bug#600661: ntp: Uses /var/lib/ntp/ntp.conf.dhcp regardless!?

2015-07-06 Thread Simon Deziel
I ran into this too but on Ubuntu and filed [1] before noticing this Debian bug. I believe that [2, also attached here] might be a simple yet working solution. It changes the initscript to use /var/lib/ntp/ntp.conf.dhcp only if it is newer than /etc/ntp.conf. This should keep the dhclient hook sc

Bug#740307: openssh-client: Fails to connect to cisco router

2015-07-04 Thread Simon Deziel
This might be fixed upstream according to the changelog. http://www.openssh.com/txt/release-6.9: * ssh(1), sshd(8): cap DH-GEX group size at 4Kbits for Cisco implementations as some would fail when attempting to use group sizes >4K; bz#2209 HTH, Simon

Bug#790392: unbound chroot accumulates old files

2015-06-28 Thread Simon Deziel
Package: unbound Version: 1.4.22-3 The chroot directory can accumulate old files that were deleted from /etc/unbound. With the automatic inclusion of /etc/unbound/unbound.conf.d, accumulating remnant files in there can cause bugs that are hard to track. Steps to reproduce: 0) edit unbound.conf t
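
A way to keep the chroot copy of /etc/unbound from accumulating remnants, added here as an example rather than the patch attached to this report (it is not the package-helper shipped by Debian): resolve the chroot directory the way the later message in this thread does, with unbound-checkconf -o chroot, then replace the chroot's copy of the config directory wholesale instead of copying files over it. The function takes the chroot and the source directory as parameters so it can be exercised on scratch directories; the unbound-checkconf call only appears in the usage at the bottom.

```sh
#!/bin/sh
# Refresh the chroot copy of unbound's configuration directory so that files
# deleted from /etc/unbound (or /etc/unbound/unbound.conf.d) do not linger
# inside the chroot. Example code, not the package-helper shipped by Debian.

# Replace "$chroot/$srcdir" with an exact copy of "$srcdir".
# $1: chroot directory (must be a real directory, never "" or "/")
# $2: absolute source directory, e.g. /etc/unbound
sync_chroot_dir() {
    chroot=$1
    srcdir=$2
    case "$chroot" in
        ""|/) echo "refusing to sync into chroot '$chroot'" >&2; return 1 ;;
    esac
    case "$srcdir" in
        /*) ;;
        *) echo "source directory must be absolute: $srcdir" >&2; return 1 ;;
    esac
    [ -d "$srcdir" ] || { echo "not a directory: $srcdir" >&2; return 1; }
    dest="${chroot%/}$srcdir"
    # Unbound's own default chroot is the config directory itself; in that
    # layout the chroot already holds the files and copying would nest them.
    case "$dest" in
        "$srcdir"|"$srcdir"/*) echo "chroot already contains $srcdir; nothing to do"; return 0 ;;
    esac
    # Removing the old copy completely is what prevents remnants.
    rm -rf "$dest"
    mkdir -p "$(dirname "$dest")"
    # -a keeps modes, ownership and symlinks identical to the originals.
    cp -a "$srcdir" "$dest"
}

# Print the chroot directory configured in config file $1 (empty: no chroot).
unbound_chroot_dir() {
    unbound-checkconf -o chroot "$1"
}

# Usage (as root, before starting unbound):
#   chroot=$(unbound_chroot_dir /etc/unbound/unbound.conf)
#   [ -z "$chroot" ] || sync_chroot_dir "$chroot" /etc/unbound
```

The guards matter more than the copy: with an empty or "/" chroot the rm -rf would hit /etc/unbound itself, and with the unbound default (chroot equal to the config directory) copying the directory into its own subtree is simply wrong, so both cases are refused or skipped before anything is deleted.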

Bug#788573: initscript doesn't preserve return code

2015-06-12 Thread Simon Deziel
Package: nginx Version: 1.9.1-1 Many actions offered by the initscript do not preserve or give the proper return code. One notable example is the "configtest" that always returns 0 even when problems are detected: echo "invalid" >> /etc/nginx/nginx.conf service nginx configtest echo $? Should

Bug#775775: ca-certificates-java: please add support for more JDK

2015-04-28 Thread Simon Deziel
I have come up with a very similar patch [1] that adds support for a couple more JDK versions (OpenJDK and Oracle present and future versions). The patch only touches the jks-keystore hook but the same logic would apply to the postinst. 1: https://bugs.launchpad.net/debian/+source/ca-certificates

Bug#762709: Re: Bug#762709: ca-certificates: Import http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt Root CA certificate which is missing

2015-04-12 Thread Simon Deziel
> Once this CA bundle version is released in NSS, this will be uploaded to > Debian. Just so that you know, the NSS version that includes this CA was released in December 2014. Thanks and regards, Simon Deziel

Bug#781711: switch worker_processes to auto

2015-04-01 Thread Simon Deziel
Package: nginx Version: 1.6.2-5 The default value for worker_processes should probably be set to "auto". According to the git log, this change was supposed to make it in [1] but was apparently not committed by accident I guess. [2] shows it's still hard-coded to "4". Thanks for considering to ch

Bug#747025: Fail To Build! -fPIE -pie is NOT a configure flag, it's a cflag!

2015-04-01 Thread Simon Deziel
Let's not mix multiple requests as hinted by Thomas. The BIND_NOW request is now made in bug #781703. Simon

Bug#781703: nginx not using BIND_NOW security feature

2015-04-01 Thread Simon Deziel
Source: nginx Version: 1.6.2-5 Nginx isn't built with BIND_NOW like Apache2 is: $ hardening-check /usr/sbin/nginx /usr/sbin/nginx: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations:

Bug#747025: Fail To Build! -fPIE -pie is NOT a configure flag, it's a cflag!

2015-04-01 Thread Simon Deziel
On Wed, 01 Apr 2015 15:14:22 -0400 Thomas Ward wrote: > Included this in a build downstream, in Ubuntu, and the change here in > git ***will cause a fail to build error in all architectures***. > > -fPIE -pie is a CFLAGS item, not a configure argument. In theory you > would define this via dpkg-

Bug#780074: [wishlist]: Add support for pre/post start/stop scripts

2015-03-09 Thread Simon Deziel
Unfortunately, the previous patch contained an error. Here is a corrected version. commit 69ab1dcd862ad8ca4df784ef75ee2b5c8545dba2 Author: Simon Deziel Date: Sun Mar 8 21:27:42 2015 -0400 Add support for pre/post start/stop scripts (v2) diff --git a/debian/openvpn.init.d b/debian

Bug#780074: [wishlist]: Add support for pre/post start/stop scripts

2015-03-08 Thread Simon Deziel
new feature can be useful for many scenarios like: * dynamically create any missing user/group (or chroot) (pre-start) * test connectivity to an IP behind the remote VPN endpoint (start) * add/remove iptables rules (all) * add/remove routes (all) * etc Best regards, Simon Deziel

Bug#770095: handle multiarch apt files

2014-11-18 Thread Simon Deziel
Source: aide Version: 0.16~a2.git20130520-2ubuntu0.1 Severity: wishlist Tags: patch Hi, Please find attached a patch that allows aide to handle multiarch apt files. Regards, Simon Deziel

Bug#741628: Re: Bug#741628: rsync dies with "inflate returned -3"

2014-05-21 Thread Simon Deziel
On 14-03-14 02:59 PM, Paul Slootman wrote: > On Fri 14 Mar 2014, Nigel Horne wrote: >> >> When using the -z flag of rsync, it dies with >> >> inflate returned -3 (0 bytes) >> rsync error: error in rsync protocol data stream (code 12) at token.c(548) >> [receiver=3.0.9] >> rsync: writefd_unbuffered

Bug#670491: Re: Bug#670491: ssh: Virtual servers

2014-03-27 Thread Simon Deziel
On 12-04-26 04:27 AM, Colin Watson wrote: > On Thu, Apr 26, 2012 at 08:46:35AM +0200, Ph. Marek wrote: >> I asked on openssh-unix-dev, and they said that there's a patch already >> available: >> http://lists.mindrot.org/pipermail/openssh-unix-dev/2012-April/030399.html >> >> >> Please integrate tha

Bug#742155: Don't depend on mod_version for apache 2.2/2.4

2014-03-19 Thread Simon Deziel
Apache versions. Best regards, Simon commit bc29299b4e0eb73c8681011eb1489171d53bf148 Author: Simon Deziel Date: Wed Mar 19 17:34:40 2014 -0400 Improve handling of Apache 2.2 and 2.4 * Use IfModule instead of IfVersion * Properly translate "allow from all" -> "Require all granted

Bug#661954: make /etc/ssmtp/* not world readable

2014-01-28 Thread Simon Deziel
Please find a patch that implements the suggested change of making /etc/ssmtp/* readable by "root:mail" only and setting the ssmtp binary as setgid and "root:mail". commit 6a56c090225dace7706b561d6419f58d38214d7f Author: Simon Deziel Date: Tue Jan 28 20:49:19 2014 -0500

Bug#406895: mlock makes openvpn die on TLS renegotiation

2013-11-26 Thread Simon Deziel
Hi Lee, On 12-10-10 01:29 PM, Lee Garrett wrote: > I just spent quite some time debugging a problem with openvpn > disconnecting on the first TLS renegotiation. Are you using the --user directive? If yes, did you tune the memlock limit for both root and the user in question? > It all boils down

Bug#614036: Bug#729030: move /var/run/ files to /var/run/openvpn/ (supports chroot)

2013-11-26 Thread Simon Deziel
On 13-11-26 10:00 AM, Simon Deziel wrote: > Hi Stephen and Alberto, > > On 13-11-26 07:47 AM, Alberto Gonzalez Iniesta wrote: >> On Thu, Nov 07, 2013 at 09:46:24PM -0800, Stephen Gildea wrote: >>> Package: openvpn >>> Version: 2.3.2-5 >>> Tags: patch >

Bug#614036: Bug#729030: move /var/run/ files to /var/run/openvpn/ (supports chroot)

2013-11-26 Thread Simon Deziel
Hi Stephen and Alberto, On 13-11-26 07:47 AM, Alberto Gonzalez Iniesta wrote: > On Thu, Nov 07, 2013 at 09:46:24PM -0800, Stephen Gildea wrote: >> Package: openvpn >> Version: 2.3.2-5 >> Tags: patch >> >> This patch moves all openvpn /var/run files down into a subdirectory. >> This change is in su

Bug#716794: OpenVPN stop race causing restart issues

2013-07-12 Thread Simon Deziel
rovide you more patches. Thanks for the excellent maintainer job you are doing! Best regards, Simon Deziel

Bug#573129: Too much log noise: "NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables"

2013-06-03 Thread Simon Deziel
OpenVPN upstream included a fix [1] to only emit the script-security warning when needed. This fix is included in OpenVPN 2.3.2 [2] that was released today. 1: https://github.com/OpenVPN/openvpn/commit/8476edbb1748e11de0e4fda8989c9e470285926b 2: https://community.openvpn.net/openvpn/wiki/ChangesIn

Bug#709837: unbound: Hardening options not fully enabled

2013-05-25 Thread Simon Deziel
Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no, not found! The attached patch enables PIE and BINDNOW and the resulting binary/lib tested OK. Regards, Simon Deziel

Bug#579622: patch for init script to automatically setup the chroot directory

2013-04-14 Thread Simon Deziel
Hi Robert, On 13-04-13 03:27 PM, Robert Edmonds wrote: > hi, simon: > > i've split your patch into a chroot part and an auto-trust-anchor-file > part (see attached). i'm going to apply the first patch but not the > second, because the auto-trust-a

Bug#655385: regression introduced in linux-2.6 2.6.32-46

2012-10-03 Thread Simon Deziel
On 12-10-03 11:09 AM, Ben Hutchings wrote: > On Wed, 2012-10-03 at 16:24 +0200, Christoph Lechleitner wrote: > [...] >>> # vzctl enter build-lucid >>> enter into CT 1000 failed >>> Unable to open pty: No such file or directory >> >> This is a common problem with Ubuntu guests, several solutions can

Bug#655385: regression introduced in linux-2.6 2.6.32-46

2012-10-03 Thread Simon Deziel
Hi Christoph, On 12-10-03 10:24 AM, Christoph Lechleitner wrote: > Am 2012-10-03 16:07, schrieb Simon Deziel: >> Hi, >> >> Since the kernel upgrade, all my Ubuntu Lucid VZ are broken. The >> breakage manifests in various way but the more evident is the init >>
