Re: [SECURITY] [DSA 4371-1] apt security update

2019-02-14 Thread Ben Hutchings
On Thu, 2019-02-14 at 01:09 +, Steve McIntyre wrote:
> On Mon, Feb 11, 2019 at 01:38:05AM +, Steve McIntyre wrote:
> > On Fri, Feb 08, 2019 at 11:23:54AM +0100, Emilio Pozuelo Monfort wrote:
> > > I have done an automated install (ncurses frontend, installing GNOME) using the
> > > netinst/amd64 image, with an LVM encrypted volume. I have also tested the CD1
> > > media, using the graphical installer, doing an SSH server install using the
> > > guided partitioning (full disk). Both installations went well and the systems
> > > seem alright.
> > > 
> > > Are there any more tests that you would suggest? If you don't have anything
> > > particular in mind, I'd be happy to respin this as 8.11.1 and publish it.
> > 
> > OK, that sounds fine. I've just started a build now as 8.11.1 for the
> > 4 LTS arches. I'll do a little bit of smoke testing, then publish in
> > the normal place (https://cdimage.debian.org/cdimage/archive) and
> > report back.
> 
> Now done.

Thank you very much, Steve.

Ben.

-- 
Ben Hutchings
When in doubt, use brute force. - Ken Thompson






Re: [SECURITY] [DSA 4371-1] apt security update

2019-02-13 Thread Steve McIntyre
On Mon, Feb 11, 2019 at 01:58:24PM +0100, Emilio Pozuelo Monfort wrote:
>On 11/02/2019 02:38, Steve McIntyre wrote:
>> 
>> Next: live images? cloud images?
>
>I found cloud images for openstack in
>
>https://cloud.debian.org/images/cloud/OpenStack/archive/

ACK.

>But can't find any jessie live images in
>
>https://cdimage.debian.org/debian-cd/
>
>Are those archived somewhere else?

Under http://cdimage.debian.org/cdimage/archive/ alongside the
installer images.

>For any of those, I suppose users could update apt following the
>upgrade instructions. However, it wouldn't hurt to have updated
>images with the new apt. I'd be happy to test any new images if you
>can fire a build.

May be a few days, we have the stretch point release this weekend and
that's my priority.

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
  Mature Sporty Personal
  More Innovation More Adult
  A Man in Dandism
  Powered Midship Specialty




Re: [SECURITY] [DSA 4371-1] apt security update

2019-02-13 Thread Steve McIntyre
On Mon, Feb 11, 2019 at 01:38:05AM +, Steve McIntyre wrote:
>On Fri, Feb 08, 2019 at 11:23:54AM +0100, Emilio Pozuelo Monfort wrote:
>>
>>I have done an automated install (ncurses frontend, installing GNOME) using the
>>netinst/amd64 image, with an LVM encrypted volume. I have also tested the CD1
>>media, using the graphical installer, doing an SSH server install using the
>>guided partitioning (full disk). Both installations went well and the systems
>>seem alright.
>>
>>Are there any more tests that you would suggest? If you don't have anything
>>particular in mind, I'd be happy to respin this as 8.11.1 and publish it.
>
>OK, that sounds fine. I've just started a build now as 8.11.1 for the
>4 LTS arches. I'll do a little bit of smoke testing, then publish in
>the normal place (https://cdimage.debian.org/cdimage/archive) and
>report back.

Now done.

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
"I suspect most samba developers are already technically insane... Of
 course, since many of them are Australians, you can't tell." -- Linus Torvalds




Re: [SECURITY] [DSA 4371-1] apt security update

2019-02-11 Thread Emilio Pozuelo Monfort
On 11/02/2019 02:38, Steve McIntyre wrote:
> On Fri, Feb 08, 2019 at 11:23:54AM +0100, Emilio Pozuelo Monfort wrote:
>>
>> I have done an automated install (ncurses frontend, installing GNOME) using the
>> netinst/amd64 image, with an LVM encrypted volume. I have also tested the CD1
>> media, using the graphical installer, doing an SSH server install using the
>> guided partitioning (full disk). Both installations went well and the systems
>> seem alright.
>>
>> Are there any more tests that you would suggest? If you don't have anything
>> particular in mind, I'd be happy to respin this as 8.11.1 and publish it.
> 
> OK, that sounds fine. I've just started a build now as 8.11.1 for the
> 4 LTS arches. I'll do a little bit of smoke testing, then publish in
> the normal place (https://cdimage.debian.org/cdimage/archive) and
> report back.

Sounds good!

> 
> Next: live images? cloud images?

I found cloud images for openstack in

https://cloud.debian.org/images/cloud/OpenStack/archive/

But can't find any jessie live images in

https://cdimage.debian.org/debian-cd/

Are those archived somewhere else?

For any of those, I suppose users could update apt following the upgrade
instructions. However, it wouldn't hurt to have updated images with the new apt.
I'd be happy to test any new images if you can fire a build.

Thanks,
Emilio



Re: [SECURITY] [DSA 4371-1] apt security update

2019-02-10 Thread Steve McIntyre
On Fri, Feb 08, 2019 at 11:23:54AM +0100, Emilio Pozuelo Monfort wrote:
>
>I have done an automated install (ncurses frontend, installing GNOME) using the
>netinst/amd64 image, with an LVM encrypted volume. I have also tested the CD1
>media, using the graphical installer, doing an SSH server install using the
>guided partitioning (full disk). Both installations went well and the systems
>seem alright.
>
>Are there any more tests that you would suggest? If you don't have anything
>particular in mind, I'd be happy to respin this as 8.11.1 and publish it.

OK, that sounds fine. I've just started a build now as 8.11.1 for the
4 LTS arches. I'll do a little bit of smoke testing, then publish in
the normal place (https://cdimage.debian.org/cdimage/archive) and
report back.

Next: live images? cloud images?

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
You lock the door
And throw away the key
There's someone in my head but it's not me 



Re: [SECURITY] [DSA 4371-1] apt security update

2019-02-08 Thread Emilio Pozuelo Monfort
On 07/02/2019 12:23, Emilio Pozuelo Monfort wrote:
> Hi Steve,
> 
> On 07/02/2019 12:12, Steve McIntyre wrote:
>> On Mon, Jan 28, 2019 at 12:26:54AM +, Steve McIntyre wrote:
>>> On Sun, Jan 27, 2019 at 06:33:29PM +, Steve McIntyre wrote:

 I'll give it a try now...
>>>
>>> And that worked on the first attempt. Using this approach, I've done
>>> jessie builds of the various LTS arches using casulana, the normal CD
>>> build machine. Resulting test output at
>>>
>>>  http://cdimage.debian.org/cdimage/.jessie_release/debian-cd/
>>>
>>> if you'd like to have a look. I've tested the amd64 netinst with no
>>> network connection (to ensure no updates from elsewhere), and it
>>> happily installed the right version of apt (1.0.9.8.5) seamlessly.
>>>
>>> If you're happy with this, let me know and I'll spin a new version
>>> ready for release (version 8.11.1, I guess?).
>>
>> Ping?
> 
> Sorry for the delay, and thanks for preparing these updated images! I'll give
> them some testing today and report back.

I have done an automated install (ncurses frontend, installing GNOME) using the
netinst/amd64 image, with an LVM encrypted volume. I have also tested the CD1
media, using the graphical installer, doing an SSH server install using the
guided partitioning (full disk). Both installations went well and the systems
seem alright.

Are there any more tests that you would suggest? If you don't have anything
particular in mind, I'd be happy to respin this as 8.11.1 and publish it.

Thanks!
Emilio



Re: [SECURITY] [DSA 4371-1] apt security update

2019-02-07 Thread Emilio Pozuelo Monfort
Hi Steve,

On 07/02/2019 12:12, Steve McIntyre wrote:
> On Mon, Jan 28, 2019 at 12:26:54AM +, Steve McIntyre wrote:
>> On Sun, Jan 27, 2019 at 06:33:29PM +, Steve McIntyre wrote:
>>>
>>> I'll give it a try now...
>>
>> And that worked on the first attempt. Using this approach, I've done
>> jessie builds of the various LTS arches using casulana, the normal CD
>> build machine. Resulting test output at
>>
>>  http://cdimage.debian.org/cdimage/.jessie_release/debian-cd/
>>
>> if you'd like to have a look. I've tested the amd64 netinst with no
>> network connection (to ensure no updates from elsewhere), and it
>> happily installed the right version of apt (1.0.9.8.5) seamlessly.
>>
>> If you're happy with this, let me know and I'll spin a new version
>> ready for release (version 8.11.1, I guess?).
> 
> Ping?

Sorry for the delay, and thanks for preparing these updated images! I'll give
them some testing today and report back.

And yes, 8.11.1 sounds right.

Cheers,
Emilio



Re: [SECURITY] [DSA 4371-1] apt security update

2019-02-07 Thread Steve McIntyre
On Mon, Jan 28, 2019 at 12:26:54AM +, Steve McIntyre wrote:
>On Sun, Jan 27, 2019 at 06:33:29PM +, Steve McIntyre wrote:
>>
>>I'll give it a try now...
>
>And that worked on the first attempt. Using this approach, I've done
>jessie builds of the various LTS arches using casulana, the normal CD
>build machine. Resulting test output at
>
>  http://cdimage.debian.org/cdimage/.jessie_release/debian-cd/
>
>if you'd like to have a look. I've tested the amd64 netinst with no
>network connection (to ensure no updates from elsewhere), and it
>happily installed the right version of apt (1.0.9.8.5) seamlessly.
>
>If you're happy with this, let me know and I'll spin a new version
>ready for release (version 8.11.1, I guess?).

Ping?

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
Google-bait:   http://www.debian.org/CD/free-linux-cd
  Debian does NOT ship free CDs. Please do NOT contact the mailing
  lists asking us to send them to you.



Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-27 Thread Steve McIntyre
On Sun, Jan 27, 2019 at 06:33:29PM +, Steve McIntyre wrote:
>On Thu, Jan 24, 2019 at 12:39:29PM +0100, Emilio Pozuelo Monfort wrote:
>>
>>Just to clarify: there is no separate -lts suite anymore, so it'd
>>just need to pull from security (which still needs changes as you
>>mentioned).
>>
>>Can you give a pointer to the code where this is done? Perhaps we
>>can help with the necessary code changes if you would welcome that.
>
>There are a few places where debian-cd references the mirror, suite,
>etc. which is a bit awkward here. Thinking about this, the *easiest*
>way to do this would be to use the existing "local" support which can
>pull in a local repo of changed .debs and .udebs on top of the base
>Debian repo access. Simply setting up a local repo with the apt
>packages in wouldn't be too hard here, and would solve the initial
>installation problem. However, it might confuse people a little, and
>I'll admit it might look ugly too.
>
>I'll give it a try now...

And that worked on the first attempt. Using this approach, I've done
jessie builds of the various LTS arches using casulana, the normal CD
build machine. Resulting test output at

  http://cdimage.debian.org/cdimage/.jessie_release/debian-cd/

if you'd like to have a look. I've tested the amd64 netinst with no
network connection (to ensure no updates from elsewhere), and it
happily installed the right version of apt (1.0.9.8.5) seamlessly.

If you're happy with this, let me know and I'll spin a new version
ready for release (version 8.11.1, I guess?).

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
There's no sensation to compare with this
Suspended animation, A state of bliss



Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-27 Thread Steve McIntyre
On Thu, Jan 24, 2019 at 12:39:29PM +0100, Emilio Pozuelo Monfort wrote:
>Hi Steve,
>
>On 22/01/2019 14:50, Steve McIntyre wrote:
>> On Tue, Jan 22, 2019 at 01:44:12PM +, Ben Hutchings wrote:
>>> However, APT is used during initial installation and we don't have any
>>> provision for updating installer images during LTS.  So we're either
>>> going to have to revisit that or come up with some kind of workaround
>>> for installation time.
>> 
>> I can help with new jessie installation images,
>
>That would be great!
>
>> but it'll need a bit
>> of prep work. debian-cd doesn't pull from security or lts by default.
>
>Just to clarify: there is no separate -lts suite anymore, so it'd just need to
>pull from security (which still needs changes as you mentioned).
>
>Can you give a pointer to the code where this is done? Perhaps we can help with
>the necessary code changes if you would welcome that.

There are a few places where debian-cd references the mirror, suite,
etc. which is a bit awkward here. Thinking about this, the *easiest*
way to do this would be to use the existing "local" support which can
pull in a local repo of changed .debs and .udebs on top of the base
Debian repo access. Simply setting up a local repo with the apt
packages in wouldn't be too hard here, and would solve the initial
installation problem. However, it might confuse people a little, and
I'll admit it might look ugly too.

I'll give it a try now...

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
Is there anybody out there?



Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-24 Thread Emilio Pozuelo Monfort
Hi Steve,

On 22/01/2019 14:50, Steve McIntyre wrote:
> On Tue, Jan 22, 2019 at 01:44:12PM +, Ben Hutchings wrote:
>> However, APT is used during initial installation and we don't have any
>> provision for updating installer images during LTS.  So we're either
>> going to have to revisit that or come up with some kind of workaround
>> for installation time.
> 
> I can help with new jessie installation images,

That would be great!

> but it'll need a bit
> of prep work. debian-cd doesn't pull from security or lts by default.

Just to clarify: there is no separate -lts suite anymore, so it'd just need to
pull from security (which still needs changes as you mentioned).

Can you give a pointer to the code where this is done? Perhaps we can help with
the necessary code changes if you would welcome that.

Thanks,
Emilio



Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-23 Thread Steve McIntyre
On Wed, Jan 23, 2019 at 12:19:28AM +, Ben Hutchings wrote:
>On Tue, 2019-01-22 at 13:50 +, Steve McIntyre wrote:
>> 
>> I can help with new jessie installation images, but it'll need a bit
>> of prep work. debian-cd doesn't pull from security or lts by default.
>
>Would it be any easier to stick with oldstable as a base and explicitly
>replace specific packages?

*possibly* yes. That's still code that needs writing, either way.

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
Can't keep my eyes from the circling sky,
Tongue-tied & twisted, Just an earth-bound misfit, I...



Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-22 Thread Chris Lamb
Ben Hutchings wrote:

> This presumably needs to be fixed for jessie LTS as well, and I see
> Chris Lamb has claimed it.

I took the "claim" here so that there was definitely someone in the
LTS team who would ensure everything was followed-through, which
seems like it has happened. I've since unclaimed it in:

  https://salsa.debian.org/security-tracker-team/security-tracker/commit/e0204483362e5fe697ec79cc2a519498dd067778


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-22 Thread Moritz Muehlenhoff
On Tue, Jan 22, 2019 at 01:44:12PM +, Ben Hutchings wrote:
> On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote:
> > -
> > Debian Security Advisory DSA-4371-1                   secur...@debian.org
> > https://www.debian.org/security/                       Yves-Alexis Perez
> > January 22, 2019                      https://www.debian.org/security/faq
> > -
> > 
> > Package: apt
> > CVE ID : CVE-2019-3462
> > 
> > Max Justicz discovered a vulnerability in APT, the high level package manager.
> > The code handling HTTP redirects in the HTTP transport method doesn't properly
> > sanitize fields transmitted over the wire. This vulnerability could be used by
> > an attacker located as a man-in-the-middle between APT and a mirror to inject
> > malicious content in the HTTP connection. This content could then be recognized
> > as a valid package by APT and used later for code execution with root
> > privileges on the target machine.
> [...]
> 
> This presumably needs to be fixed for jessie LTS as well, and I see
> Chris Lamb has claimed it.

Julian has already uploaded a fixed package, this only needs the DLA mail at
this point.

Cheers,
Moritz



Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-22 Thread Steve McIntyre
On Tue, Jan 22, 2019 at 01:44:12PM +, Ben Hutchings wrote:
>On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote:
>> -
>> Debian Security Advisory DSA-4371-1                   secur...@debian.org
>> https://www.debian.org/security/                       Yves-Alexis Perez
>> January 22, 2019                      https://www.debian.org/security/faq
>> -
>> 
>> Package: apt
>> CVE ID : CVE-2019-3462
>> 
>> Max Justicz discovered a vulnerability in APT, the high level package manager.
>> The code handling HTTP redirects in the HTTP transport method doesn't properly
>> sanitize fields transmitted over the wire. This vulnerability could be used by
>> an attacker located as a man-in-the-middle between APT and a mirror to inject
>> malicious content in the HTTP connection. This content could then be recognized
>> as a valid package by APT and used later for code execution with root
>> privileges on the target machine.
>[...]
>
>This presumably needs to be fixed for jessie LTS as well, and I see
>Chris Lamb has claimed it.
>
>However, APT is used during initial installation and we don't have any
>provision for updating installer images during LTS.  So we're either
>going to have to revisit that or come up with some kind of workaround
>for installation time.

I can help with new jessie installation images, but it'll need a bit
of prep work. debian-cd doesn't pull from security or lts by default.

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
"Managing a volunteer open source project is a lot like herding
 kittens, except the kittens randomly appear and disappear because they
 have day jobs." -- Matt Mackall



Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-22 Thread Ben Hutchings
On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote:
> -
> Debian Security Advisory DSA-4371-1                   secur...@debian.org
> https://www.debian.org/security/                       Yves-Alexis Perez
> January 22, 2019                      https://www.debian.org/security/faq
> -
> 
> Package: apt
> CVE ID : CVE-2019-3462
> 
> Max Justicz discovered a vulnerability in APT, the high level package manager.
> The code handling HTTP redirects in the HTTP transport method doesn't properly
> sanitize fields transmitted over the wire. This vulnerability could be used by
> an attacker located as a man-in-the-middle between APT and a mirror to inject
> malicious content in the HTTP connection. This content could then be recognized
> as a valid package by APT and used later for code execution with root
> privileges on the target machine.
[...]

This presumably needs to be fixed for jessie LTS as well, and I see
Chris Lamb has claimed it.

However, APT is used during initial installation and we don't have any
provision for updating installer images during LTS.  So we're either
going to have to revisit that or come up with some kind of workaround
for installation time.

Ben.

-- 
Ben Hutchings
Power corrupts.  Absolute power is kind of neat. - John Lehman



