-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Fri, 13 Aug 2021 13:06:27 +1000
Source: cpio
Architecture: source
Version: 2.13+dfsg-6
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar
Changed-By: Anibal Monsalve Salazar
Closes: 992098
Changes:
cpio
Implementations with real /bin /sbin /lib* directories and symlink farms
are not useful because they would negate the major benefits of
merged-/usr, i.e. the ability of sharing and independently updating
/usr.
--
ciao,
Marco
On Thu, Aug 12, 2021 at 01:12:37AM -0500, Brian Thompson wrote:
> Would you agree that there is an issue with sudo access that is enabled
> by default on most Debian and Debian-based distributions? The bug may
> not be in apt, but it definitely lives somewhere.
if those users are not trustworthy
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Thu, 12 Aug 2021 16:02:12 +0200
Source: imx-code-signing-tool
Architecture: source
Version: 3.3.1+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Andrej Shadura
Changed-By: Andrej Shadura
Changes:
imx-code-signing-tool
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Thu, 12 Aug 2021 15:37:08 +0200
Source: libpdl-graphics-gnuplot-perl
Architecture: source
Version: 2.018-1~exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian Perl Group
Changed-By: Bas Couwenberg
Changes:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Thu, 12 Aug 2021 16:28:15 +0200
Source: pywps
Architecture: source
Version: 4.5.0-1~exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian GIS Project
Changed-By: Bas Couwenberg
Changes:
pywps (4.5.0-1~exp1)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Mon, 09 Aug 2021 20:06:56 +0200
Source: ngspice
Architecture: source
Version: 35+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Electronics Team
Changed-By: Carsten Schoenert
Closes: 984677
Changes:
ngspice
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Fri, 13 Aug 2021 00:16:16 +0900
Source: whizzytex
Architecture: source
Version: 1.4.0-1
Distribution: experimental
Urgency: medium
Maintainer: Hideki Yamane
Changed-By: Hideki Yamane
Changes:
whizzytex (1.4.0-1) experimental;
> The focus of the article is "sudo access *only* to apt". When we talk
> about unrestricted sudo access it doesn't even make sense to talk about
> privilege escalation because unrestricted sudo is by design a privilege
> escalation.
Similarly, sudo access *only* to bash enables execution of
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Tue, 18 May 2021 13:56:18 +0200
Source: postgresql-13
Architecture: source
Version: 13.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers
Changed-By: Christoph Berg
Changes:
postgresql-13
Hi,
11/08/2021 16:08, Vincent Bernat :
> I think we have more systemic issues. I am quite impressed how Nix/NixOS
> is able to pull so many packages and modules with so few people. But
> they use only one workflow, one way to package, one init system, etc.
> Looking at Arch, one workflow, one way
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Thu, 12 Aug 2021 23:02:54 +0900
Source: ruby-loofah
Architecture: source
Version: 2.12.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team
Changed-By: Hideki Yamane
Changes:
ruby-loofah (2.12.0-1) unstable;
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Fri, 13 Aug 2021 00:04:11 +0900
Source: ruby-async
Architecture: source
Version: 1.30.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team
Changed-By: Hideki Yamane
Changes:
ruby-async (1.30.1-1) unstable;
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Thu, 12 Aug 2021 15:10:25 +0200
Source: imx-code-signing-tool
Architecture: source
Version: 3.3.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Andrej Shadura
Changed-By: Andrej Shadura
Changes:
imx-code-signing-tool
On August 12, 2021 8:51:55 AM IST, Timothy M Butterworth wrote:
>I am fine with Debian's release cycle but it would be nice to see more
>packages. For example Debian is missing KDE's Amarok music manager. I
>am happy to see Debian 11 gained KDE Elisa music manager. I am sad to
>see that
On 2021-08-12 12:23, Polyna-Maude Racicot-Summerside wrote:
Now if people start doing stuff they don't master then it's not
privilege escalation but much more something like another manifestation
of human stupidity. And this, there won't be a number of articles
sufficient to make people change.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Thu, 12 Aug 2021 11:37:43 +0200
Source: apache2
Architecture: source
Version: 2.4.48-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers
Changed-By: Yadd
Changes:
apache2 (2.4.48-4) unstable;
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Thu, 12 Aug 2021 15:46:58 +0200
Source: libpdl-linearalgebra-perl
Architecture: source
Version: 0.21-1~exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian Perl Group
Changed-By: Bas Couwenberg
Changes:
On Thu, 12 Aug 2021 13:44:24 +0200, Philipp Kern
wrote:
>On 2021-08-12 12:23, Polyna-Maude Racicot-Summerside wrote:
>> Now if people start doing stuff they don't master then it's not
>> privilege escalation but much more something like another manifestation
>> of human stupidity. And this, there
Package: wnpp
Severity: wishlist
Owner: Thomas Goirand
X-Debbugs-Cc: debian-devel@lists.debian.org
* Package name: puppet-module-mistral
Version : 18.4.0
Upstream Author : OpenStack Discuss
* URL : https://opendev.org/openstack/puppet-mistral
* License :
On 2021-08-12 08:32, Vincent Bernat wrote:
❦ 12 August 2021 10:39 +05, Andrey Rahmatullin:
I just ran across this article
https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I
tested
the attacks on Debian 11 and they work successfully giving me a root
shell prompt.
I don't think
❦ 12 August 2021 10:31 +02, Ansgar:
>> I give myself password less sudo to "apt update" (without additional
>> options), "apt upgrade" (same), "apt full-upgrade" (same). I was
>> thinking this should be safe, but now I need to check if the pager is
>> properly restricted when displaying NEWS
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Thu, 12 Aug 2021 11:19:24 +0200
Source: dnsperf
Architecture: source
Version: 2.7.0-1
Distribution: sid
Urgency: medium
Maintainer: Daniel Baumann
Changed-By: Daniel Baumann
Changes:
dnsperf (2.7.0-1) sid; urgency=medium
.
*
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Thu, 12 Aug 2021 13:58:10 +0200
Source: identify
Architecture: source
Version: 2.2.13-1
Distribution: experimental
Urgency: medium
Maintainer: Daniel Baumann
Changed-By: Daniel Baumann
Changes:
identify (2.2.13-1) experimental;
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Thu, 12 Aug 2021 14:03:34 +0200
Source: pre-commit
Architecture: source
Version: 2.14.0-1
Distribution: experimental
Urgency: medium
Maintainer: Daniel Baumann
Changed-By: Daniel Baumann
Changes:
pre-commit (2.14.0-1)
On Thursday 12 August 2021, 10:16:45 UTC, Bastien Roucariès wrote:
> On Thursday 12 August 2021, 09:52:53 UTC, Bastien Roucariès wrote:
> > On Wednesday 11 August 2021, 14:00:37 UTC, Steve McIntyre wrote:
> > > On Tue, Aug 10, 2021 at 03:19:10PM -0700, Josh Triplett wrote:
> > > >Bastien Roucariès wrote:
On 8/12/21 2:32 AM, Vincent Bernat wrote:
❦ 12 August 2021 10:39 +05, Andrey Rahmatullin:
I just ran across this article
https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
the attacks on Debian 11 and they work successfully giving me a root
shell prompt.
I don't think
On Wednesday 11 August 2021, 14:00:37 UTC, Steve McIntyre wrote:
> On Tue, Aug 10, 2021 at 03:19:10PM -0700, Josh Triplett wrote:
> >Bastien Roucariès wrote:
> >> I am going to compile shell.efi from source.
> >>
> >> I wish to install to something stable, but I need an arch triplet in
> >> order
On Thu, Aug 12, 2021 at 08:32:14AM +0200, Vincent Bernat wrote:
> ❦ 12 August 2021 10:39 +05, Andrey Rahmatullin:
> >> I just ran across this article
> >> https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
> >> the attacks on Debian 11 and they work successfully giving me a
On Thu, Aug 12, 2021 at 08:35:42AM -0400, Kyle Edwards wrote:
> > > > I just ran across this article
> > > > https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
> > > > the attacks on Debian 11 and they work successfully giving me a root
> > > > shell prompt.
> > > I don't think
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Tue, 10 Aug 2021 13:11:12 +0200
Source: postgresql-14
Architecture: source
Version: 14~beta3-1
Distribution: experimental
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers
Changed-By: Christoph Berg
Changes:
On Thu, 2021-08-12 at 08:32 +0200, Vincent Bernat wrote:
> I give myself password less sudo to "apt update" (without additional
> options), "apt upgrade" (same), "apt full-upgrade" (same). I was
> thinking this should be safe, but now I need to check if the pager is
> properly restricted when
On Thursday 12 August 2021, 09:52:53 UTC, Bastien Roucariès wrote:
> On Wednesday 11 August 2021, 14:00:37 UTC, Steve McIntyre wrote:
> > On Tue, Aug 10, 2021 at 03:19:10PM -0700, Josh Triplett wrote:
> > >Bastien Roucariès wrote:
> > >> I am going to compile shell.efi from source.
> > >>
> > >> I
Hi,
On 2021-08-12 2:25 a.m., Brian Thompson wrote:
> On Thu, 2021-08-12 at 11:19 +0500, Andrey Rahmatullin wrote:
>> On Thu, Aug 12, 2021 at 01:12:37AM -0500, Brian Thompson wrote:
>>> Would you agree that there is an issue with sudo access that is
>>> enabled
>>> by default on most Debian and
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Thu, 12 Aug 2021 10:24:33 +0100
Source: pmix
Binary: libpmix-bin libpmix-bin-dbgsym libpmix-dev libpmix2 libpmix2-dbgsym
python3-pmix python3-pmix-dbgsym
Architecture: source amd64
Version: 4.1.0-1
Distribution: experimental
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Sun, 18 Jul 2021 09:06:18 +0200
Source: dnsjit
Architecture: source
Version: 1.2.1-2
Distribution: sid
Urgency: medium
Maintainer: Daniel Baumann
Changed-By: Daniel Baumann
Changes:
dnsjit (1.2.1-2) sid; urgency=medium
.
*
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Thu, 12 Aug 2021 16:13:25 +0200
Source: thunderbird
Architecture: source
Version: 1:78.13.0-1
Distribution: unstable
Urgency: medium
Maintainer: Carsten Schoenert
Changed-By: Carsten Schoenert
Changes:
thunderbird (1:78.13.0-1)
On Thu, Aug 12, 2021 at 01:19:23PM +, Holger Levsen wrote:
> if those users are not trustworthy then the bug is giving them sudo,
> nothing else. (Debian does not give sudo to users by default. The default
> is to set a root password.)
>
> if you give someone a gun for hunting (animals) and
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Thu, 12 Aug 2021 09:16:27 -0700
Source: cloud-init
Architecture: source
Version: 21.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Cloud Team
Changed-By: Noah Meyerhans
Closes: 991629
Changes:
cloud-init (21.2-1)
On 2021-08-12 17:56, Marc Haber wrote:
On Thu, 12 Aug 2021 13:44:24 +0200, Philipp Kern
wrote:
On 2021-08-12 12:23, Polyna-Maude Racicot-Summerside wrote:
Now if people start doing stuff they don't master then it's not
privilege escalation but much more something like another
manifestation
Philipp Kern writes:
> You know that this is a bad idea (granting sudo to apt without a
> wrapper). I know that this is a bad idea. That was my point. Plus that
> this is a very common trope in multi-user settings that you want to hand
> out some privilege to install packages.
Right, but this
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Thu, 12 Aug 2021 20:55:31 +0200
Source: orthanc-python
Architecture: source
Version: 3.3+ds-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Med Packaging Team
Changed-By: Sebastien Jodogne
Changes:
Hello Helmut,
On Sun 06 Jun 2021 at 09:58PM +02, Helmut Grohne wrote:
> There is another issue affecting me, that may derail from the original
> topic. When I work with packages I tend to fix bugs that are reported by
> some CI system on unstable. When I dgit clone, I may get the unstable
>
Package: wnpp
Severity: wishlist
Owner: Damyan Ivanov
X-Debbugs-Cc: debian-devel@lists.debian.org
* Package name: firebird4.0
Version : 4.0.0.2496
Upstream Author : Firebird developers (firebird-de...@lists.sourceforge.net)
* URL : https://www.firebirdsql.org/
*
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Fri, 13 Aug 2021 01:27:39 +0530
Source: node-shelljs
Architecture: source
Version: 0.8.4+~cs0.8.9-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers
Changed-By: Pirate Praveen
Changes:
Hi,
On Thu, Aug 12, 2021 at 02:06:37PM +0200, Romain Porte wrote:
> > Looking at Arch, one workflow, one way to package, one init system, etc.
> > Looking at Fedora, one workflow, one way to package, one init system.
>
> I think this is a major point. I am a new Debian contributor after a
> good
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Thu, 12 Aug 2021 22:45:02 +0200
Source: systemd
Architecture: source
Version: 249.3-3
Distribution: experimental
Urgency: medium
Maintainer: Debian systemd Maintainers
Changed-By: Michael Biebl
Changes:
systemd (249.3-3)
Hello,
On Fri 04 Jun 2021 at 06:39PM +02, Helmut Grohne wrote:
> Hi Sean,
>
> On Thu, Jun 03, 2021 at 04:47:44PM -0700, Sean Whitton wrote:
>> dgit wraps some of the existing tools. While dgit is mainly for humans,
>> one role it can have in automated toolchains is producing an ephemeral
>>
Hello Romain, others,
On Thu 12 Aug 2021 at 02:06PM +02, Romain Porte wrote:
> I think this is a major point. I am a new Debian contributor after a
> good time of ArchLinux PKGBUILD writing. I find Debian technically
> superior on the packaging side, and would not trade it for PKGBUILD. But
>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Fri, 13 Aug 2021 01:06:19 +0200
Source: gnome-tweaks
Built-For-Profiles: noudeb
Architecture: source
Version: 40.0-1
Distribution: experimental
Urgency: medium
Maintainer: Debian GNOME Maintainers
Changed-By: Gunnar Hjalmarsson
Quoting Andreas Tille (2021-08-12 23:06:47)
> On Thu, Aug 12, 2021 at 02:06:37PM +0200, Romain Porte wrote:
> > Maintainers like their freedoms, but enforcing some tools at some
> > point could make it easier for everyone to contribute and not
> > relearn the packaging process for every package,
On Tue, 2021-07-27 at 13:23:46 -0400, Calum McConnell wrote:
> > Of course, having to unnecessarily add more maintainer scripts to
> > handle something that dpkg can do perfectly fine on its own
>
> TL;DR: merged-usr-via-symlink-farms cannot be done without changing dpkg,
In my mind that's
On Tue, 2021-08-10 at 12:34:18 +, Bastien Roucariès wrote:
> I am going to compile shell.efi from source.
>
> I wish to install to something stable, but I need an arch triplet
> in order to put in a multiarch (like) location.
Multiarch-based pathnames should only be used by
The following is a listing of packages for which help has been requested
through the WNPP (Work-Needing and Prospective Packages) system in the
last week.
Total number of orphaned packages: 1225 (new: 0)
Total number of packages offered up for adoption: 204 (new: 0)
Total number of packages
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On Thu, 2021-08-12 at 07:38 +0200, Niels Thykier wrote:
> Timothy M Butterworth:
> > All,
> >
> > I just ran across this article
> > https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I
> > tested
> > the attacks on Debian 11 and they
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On Thu, 2021-08-12 at 10:44 +0500, Andrey Rahmatullin wrote:
> On Wed, Aug 11, 2021 at 10:55:44PM -0500, Brian Thompson wrote:
> > Thank you for bringing this to everyone's attention. These are very
> > real
> > vulnerabilities.
> How are they
On Thu, Aug 12, 2021 at 01:12:37AM -0500, Brian Thompson wrote:
> Would you agree that there is an issue with sudo access that is enabled
> by default on most Debian and Debian-based distributions? The bug may
> not be in apt, but it definitely lives somewhere.
Do you think "sudo access" itself is
On Thu, Aug 12, 2021 at 01:17:03AM -0500, Brian Thompson wrote:
> > > Thank you for bringing this to everyone's attention. These are very
> > > real
> > > vulnerabilities.
> > How are they vulnerabilities?
> They are vulnerabilities because the user is susceptible to this kind of
> attack by
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On Thu, 2021-08-12 at 11:19 +0500, Andrey Rahmatullin wrote:
> On Thu, Aug 12, 2021 at 01:12:37AM -0500, Brian Thompson wrote:
> > Would you agree that there is an issue with sudo access that is
> > enabled
> > by default on most Debian and
❦ 12 August 2021 10:39 +05, Andrey Rahmatullin:
>> I just ran across this article
>> https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
>> the attacks on Debian 11 and they work successfully giving me a root
>> shell prompt.
> I don't think calling this "privilege escalation"
On Thu, Aug 12, 2021 at 08:32:14AM +0200, Vincent Bernat wrote:
> >> I just ran across this article
> >> https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
> >> the attacks on Debian 11 and they work successfully giving me a root
> >> shell prompt.
> > I don't think calling
On Thu, Aug 12, 2021 at 01:25:06AM -0500, Brian Thompson wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On Thu, 2021-08-12 at 11:19 +0500, Andrey Rahmatullin wrote:
> > On Thu, Aug 12, 2021 at 01:12:37AM -0500, Brian Thompson wrote:
> > > Would you agree that there is an issue
❦ 12 August 2021 11:38 +05, Andrey Rahmatullin:
>> >> I just ran across this article
>> >> https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
>> >> the attacks on Debian 11 and they work successfully giving me a root
>> >> shell prompt.
>> > I don't think calling this
63 matches