Re: Archive of squeeze-lts ?

2016-03-28 Thread Antoine Beaupré
On 2016-03-27 15:01:01, Matus UHLAR - fantomas wrote:
>>On Thu, 24 Mar 2016, Luke Hall wrote:
>>> I'm seeing this when trying to fetch lts packages from
>>> archive.debian.org at the moment. Anyone know a good contact for them?
>>>
>>> E: Release file expired, ignoring
>>> http://archive.debian.org/debian/dists/squeeze-lts/Release (invalid
>>> since 9d 1h 10min 4s)
>
> On 24.03.16 17:43, Alexander Wirt wrote:
>>Thats expected and won't change. Time to upgrade.
>
> some time ago I have upgraded a few lenny hosts (on private networks) from
> archive to the latest lenny available, without error messages of this kind.
> Happily works until I'm able to transfer services to the new installation.
>
> I would like to do the same with squeeze without the need to manually avoid the
> apt warnings...

Unfortunately, this won't be possible. The key expired and, since
squeeze was archived, it is not possible (or at least, really
inconvenient and unusual) to renew that key.

A.

-- 
Every one of us is, in the cosmic perspective, precious. If a human
disagrees with you, let him live. In a hundred billion galaxies, you
will not find another.  - Carl Sagan
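An added example, not from this thread: it reproduces the Valid-Until check that produces the "Release file expired ... invalid since" message quoted above, so an administrator can tell before pointing apt at an archived suite whether it will be rejected and for how long it has been expired. The Release excerpt and its dates are constructed (not fetched from archive.debian.org), and the function names are my own.

```python
import datetime
import email.utils

# Constructed Release excerpt (not fetched from archive.debian.org); the dates
# are made up so that the suite is already past its Valid-Until.
SAMPLE_RELEASE = """\
Suite: oldstable
Codename: squeeze-lts
Date: Sat, 27 Feb 2016 13:30:00 UTC
Valid-Until: Sat, 19 Mar 2016 13:30:00 UTC
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages
"""

def parse_release_headers(text):
    """Return the 'Key: value' fields; indented lines are hash-list entries."""
    headers = {}
    for line in text.splitlines():
        if not line or line.startswith(" "):
            continue
        key, _, value = line.partition(":")
        headers[key.strip()] = value.strip()
    return headers

def format_age(delta):
    """Render a timedelta the way apt reports it: '9d 1h 10min 4s'."""
    days, rem = divmod(int(delta.total_seconds()), 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    return "%dd %dh %dmin %ds" % (days, hours, minutes, seconds)

def release_expiry(text, now):
    """Return (expired, age) for a Release file at the instant `now`.
    A Release without Valid-Until never expires, so apt accepts it."""
    valid_until = parse_release_headers(text).get("Valid-Until")
    if valid_until is None:
        return False, ""
    until = email.utils.parsedate_to_datetime(valid_until)  # RFC 2822 date, tz-aware
    if now <= until:
        return False, ""
    return True, format_age(now - until)

def utc(year, month, day, hour=0, minute=0, second=0):
    """Timezone-aware UTC datetime, comparable with the parsed header."""
    return datetime.datetime(year, month, day, hour, minute, second, tzinfo=datetime.timezone.utc)

if __name__ == "__main__":
    expired, age = release_expiry(SAMPLE_RELEASE, datetime.datetime.now(datetime.timezone.utc))
    print("Release file expired (invalid since %s)" % age if expired else "Release file valid")
```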



Status report: Making OpenJDK 7 the default in Wheezy LTS

2016-03-28 Thread Markus Koschany
Hi all,

here is a summary about the current status of making OpenJDK 7 the
default Java JRE / JDK in Wheezy-LTS.

Intended changes
===

1. Making OpenJDK 7 the default by updating src:java-common, so that
   default-jre and default-jdk will install OpenJDK 7 instead of
   OpenJDK 6.
   When: Two months after Wheezy-LTS started, on 2016-06-26
   Status: Ready

2. Changing the runtime dependencies of eighteen packages that strictly
   depend on either openjdk-6-jre, openjdk-6-jdk, openjdk-6-jre |
   sun-java6-jre or similar combinations to default-jre | java6-runtime
   or default-jdk | java6-sdk.
   When: Upload with last point update for Wheezy or via Wheezy-LTS
   update at the end of April 2016.
   Status: Ready

3. Announcing the switch via NEWS file in java-common and Debian NEWS,
   debian-security-announce, debian-lts-announce and other appropriate
   channels two months in advance to give users enough time to ensure
   that their web and desktop applications are compatible with
   OpenJDK 7.
   When: Start of Wheezy-LTS on 2016-04-26


1.

After discussing the switch to OpenJDK 7 on debian-java [1] and IRC, I
came to the conclusion that we should give LTS users more time to
evaluate the switch to OpenJDK 7. Desktop users should hardly notice any
changes at all but server admins might want to assess this more
carefully if they run web servers like Tomcat or Jetty. Web applications
may behave differently due to binary or behavioral changes. These
possible issues are documented at [2].

Therefore I suggest that we change the default two months after the
start of Wheezy-LTS. I have already made the necessary changes in
src:java-common which can be uploaded any time. The change still
requires manual intervention by the user by using the
update-alternatives --config java command, if OpenJDK 6 was previously
installed.

2.

I have now identified eighteen packages that require a source upload. I
had to change their runtime dependencies to openjdk-6-jre |
java6-runtime or openjdk-6-jdk | java6-sdk, so that OpenJDK 6 won't be
installed. In a few cases I also adjusted a start script. These packages
are ready to upload, now I'm waiting for the go from the release team. [3]

3.

We should communicate this change via the debian-security-announce and
debian-lts-announce mailing lists, Debian NEWS and with a NEWS file in
java-common. I have updated Santiago's initial work on
https://wiki.debian.org/LTS/Wheezy and added a paragraph about
OpenJDK 7. We should link to this page in all announcements.

Regards,

Markus


[1] https://lists.debian.org/debian-java/2016/03/msg00044.html
[2] http://www.oracle.com/technetwork/java/javase/compatibility-417013.html#incompatibilities
[3] https://bugs.debian.org/819247





Re: [PATCH] Given a package allow to check in which releases security support has ended

2016-03-28 Thread Guido Günther
Hi,
On Thu, Feb 18, 2016 at 06:02:12PM +0100, Holger Levsen wrote:
> Hi Guido,
> 
> On Mittwoch, 17. Februar 2016, Guido Günther wrote:
> > When triaging LTS issues I always have to look up what we still support
> > and what not. Attached script simplifies this a bit:
> > 
> > $ bin/support-ended.py --lists /path/to/debian-security-support/ iceape
> > Package unsupported in wheezy
> > Package unsupported in squeeze
> 
> very nice!
>  
> > I didn't find a place in Debian where we canonically map release names
> > to release numbers (i.e. squeeze -> 6.x, jessie -> 7.x). I'm sure there
> > is such a thing so I'm happy about any pointers.
> 
> apt-cache show distro-info

Ahhh...great and there's python-distro-info as well.

I'm not using it yet since there's no support for LTS EOL dates yet (bug
to be filed in a second). It's needed for the new (attached) version
that also validates the package's individual EOL date.

Cheers,
 -- Guido
From 2318cfc52ecbeaed5fee47c8c6d665377e4d4646 Mon Sep 17 00:00:00 2001
Message-Id: <2318cfc52ecbeaed5fee47c8c6d665377e4d4646.1459185378.git@sigxcpu.org>
From: Guido Günther
Date: Wed, 17 Feb 2016 18:04:39 +0100
Subject: [PATCH] Given a package allow to check in which releases security
 support has ended
To: debian-lts@lists.debian.org

By default we check if the package will be supported until the release
goes EOL:

  $ bin/support-ended.py --lists debian-security-support/ tomcat6
  Package unsupported in stretch
  Package unsupported in wheezy
  Package unsupported in jessie

but we can also check if its support ends within the next N days:

  # tomcat6 is marked as EOL for 2016-12-31
  $ bin/support-ended.py --lists debian-security-support/ tomcat6 --days 100
  
  $ bin/support-ended.py --lists debian-security-support/ tomcat6 --days 300
  Package unsupported in stretch
  Package unsupported in wheezy
  Package unsupported in jessie
---
 bin/support-ended.py | 99 
 1 file changed, 99 insertions(+)
 create mode 100755 bin/support-ended.py

diff --git a/bin/support-ended.py b/bin/support-ended.py
new file mode 100755
index 000..9a248a8
--- /dev/null
+++ b/bin/support-ended.py
@@ -0,0 +1,99 @@
+#!/usr/bin/python
+# vim: set fileencoding=utf-8 :
+#
+# Copyright 2016 Guido Günther 
+#
+# This file is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# This file is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file.  If not, see .
+
+"""Check if and when support ended for a given package"""
+
+import argparse
+import datetime
+import glob
+import os
+import re
+import sys
+
+
+release_mapping = {
+'deb6': ('squeeze', '2016-02-29'),
+'deb7': ('wheezy',  '2018-05-31'),
+# End date not yet fixed
+'deb8': ('jessie',  '2020-04-30'),
+# Not even released yet
+'deb9': ('stretch', None),
+}
+
+
+SUPPORT_ENDED = 0  # security support ended in at least one suite
+SUPPORT_FULL  = 2  # fully supported in all known suites
+
+
+def relnum_to_relname(relnum):
+return release_mapping[relnum][0]
+
+
+def release_eol(relnum):
+eolstr = release_mapping[relnum][1]
+return iso8601date_to_datetime(eolstr) if eolstr else None
+
+
+def iso8601date_to_datetime(datestr):
+return datetime.datetime.strptime(datestr, "%Y-%m-%d")
+
+
+def find_releases(pkg, dir, days):
+rels = []
+pkg_re = re.compile(r"(?P%s)\s+[^\s]+\s+(?P[0-9]{4}-[0-9]{2}-[0-9]{2})" % pkg)
+pattern = "security-support-ended.deb*"
+lists = glob.glob(os.path.join(dir, pattern))
+if not lists:
+raise Exception("No lists matching %s found in %s", (pattern, dir))
+
+end = datetime.datetime.today() + datetime.timedelta(days=days) if days else None
+
+for fn in lists:
+_, ext = os.path.splitext(fn)
+rel = ext[1:]
+sup_needed_til = end or release_eol(rel)
+with open(fn) as f:
+for line in f:
+m = pkg_re.match(line)
+if m:
+pkgeol = iso8601date_to_datetime(m.group("EOL"))
+if not sup_needed_til or pkgeol < sup_needed_til:
+rels.append(relnum_to_relname(rel))
+break
+return rels
+
+
+def main():
+parser = argparse.ArgumentParser(
+description='Check if and when security support ended for a given package')
+parser.add_argument('--lists',  help='Directory that contains the lists of unsupported 
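Review bot: `find_releases` builds its regex with `% pkg` but never escapes the name, so a package containing regex metacharacters (`g++`, `libstdc++6`) either silently fails to match or raises `re.error`; wrap it as `re.escape(pkg)`. The named groups also look damaged: `(?P%s)` and `(?P[0-9]{4}-...)` are not valid Python named groups, yet `m.group("EOL")` expects one called `EOL`, so please confirm the `<pkg>`/`<EOL>` names survive in the actual file. Further down, `raise Exception("No lists matching %s found in %s", (pattern, dir))` passes the tuple as a second argument instead of formatting with `%`, so the message is never filled in. Finally, `release_eol(rel)` and `relnum_to_relname(rel)` index `release_mapping` directly, so any `security-support-ended.*` file with a suffix not in the map aborts with a bare `KeyError`; skipping it with a warning (or an explicit error naming the file) would be friendlier, and while there the `dir` parameter could be renamed since it shadows the builtin.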

Re: DSA for lxc CVE-2015-1335 [was Re: working for wheezy-security until wheezy-lts starts]

2016-03-28 Thread Salvatore Bonaccorso
Hi Guido,

On Mon, Mar 28, 2016 at 11:49:55AM +0200, Guido Günther wrote:
> Hi Salvatore,
> On Mon, Mar 28, 2016 at 07:32:38AM +0200, Salvatore Bonaccorso wrote:
> > Hi Guido,
> > 
> > On Sun, Mar 27, 2016 at 04:15:10PM +0200, Guido Günther wrote:
> [..snip..]
> > > O.k. to grab lxc fixing CVE-2015-1335 to dsa-needed ?
> > 
> > Honestly I tend to actually mark this as no-dsa. My argument is the
> > following: LXC in wheezy was in a really early stage, and a local
> > container admin/root inside the container can do basically anything on
> > the host.  Furthermore proper confinement methods were afaik neither
> > implemented and only came with later versions (even in Jessie I think
> > that's not yet working all correctly).
> > 
> > https://blog.bofh.it/debian/id_413
> > 
> > Does that make sense? We thus initially only addressed that specific
> > CVE in Jessie.
> 
> After looking into this in more detail yesterday and today I tend to
> agree. Although there is some confinement dropping privileges, only a
> small set is used by default and we don't have an apparmor policy in
> place for wheezy either.
> 
> I've marked this as no-dsa in wheezy (hope that's o.k.) but am happy to
> revisit this if others disagree.
> 
> (cc'ing the lts list since we provided a patch for Squeeze)

Yes that's fine. Thanks for double-checking and confirming.

Regards,
Salvatore




Re: tracking security issues without CVEs

2016-03-28 Thread Andrew Deck
On a related note, does anyone know what happened to OSF and the OSVDB?
There still seem to be blog updates, but I remember OSVDB having a web
UI, and the OSF website seems to be down.

https://en.wikipedia.org/wiki/Open_Source_Vulnerability_Database#Contributors


-- 

"Institutions will try to preserve the problem to which they are the solution."
- Kevin Kelly



Re: DSA for lxc CVE-2015-1335 [was Re: working for wheezy-security until wheezy-lts starts]

2016-03-28 Thread Guido Günther
Hi Salvatore,
On Mon, Mar 28, 2016 at 07:32:38AM +0200, Salvatore Bonaccorso wrote:
> Hi Guido,
> 
> On Sun, Mar 27, 2016 at 04:15:10PM +0200, Guido Günther wrote:
[..snip..]
> > O.k. to grab lxc fixing CVE-2015-1335 to dsa-needed ?
> 
> Honestly I tend to actually mark this as no-dsa. My argument is the
> following: LXC in wheezy was in a really early stage, and a local
> container admin/root inside the container can do basically anything on
> the host.  Furthermore proper confinement methods were afaik neither
> implemented and only came with later versions (even in Jessie I think
> that's not yet working all correctly).
> 
> https://blog.bofh.it/debian/id_413
> 
> Does that make sense? We thus initially only addressed that specific
> CVE in Jessie.

After looking into this in more detail yesterday and today I tend to
agree. Although there is some confinement dropping privileges, only a
small set is used by default and we don't have an apparmor policy in
place for wheezy either.

I've marked this as no-dsa in wheezy (hope that's o.k.) but am happy to
revisit this if others disagree.

(cc'ing the lts list since we provided a patch for Squeeze)

Cheers,
 -- Guido