External check

2020-11-13 Thread Security Tracker
CVE-2020-25657: RESERVED
CVE-2020-25688: RESERVED
CVE-2020-25711: RESERVED
CVE-2020-28362: RESERVED
CVE-2020-28366: RESERVED
CVE-2020-28367: RESERVED
CVE-2020-7768: TODO: check
CVE-2020-8569: RESERVED
--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.



Re: Is chromium updated?

2020-11-13 Thread l0f4r0
Hi,

13 Nov. 2020 at 11:06, from ggunin...@gmail.com:

> Definitely won't say "thank you" to some entity which gives
> me long unpatched important component like a web browser.
>
I confess that having an unpatched browser is really not recommended because of 
all exploits that could happen on the fly (the browser is a really exposed 
component by nature).

However, everyone is free to contribute, provide help or simply choose another 
package, maybe more maintained...

9 Nov. 2020 at 17:30, from go...@oles.biz:

> what is your opinion, what should Linux users use for their daily work?
> Firefox becomes more and more buggier, Chromium project doesn't provide
> binaries for any OS.
>
Why not use the Vivaldi browser then?
It comes with its own repo and updates are released regularly.
This is not 100% open source, true, but it's really functional & customisable.
I've been using it for 1 year on Linux/macOS/Windows and have heard/read almost only 
good feedback.

Best regards,
l0f4r0



Re: fun with mailinglists (was Re: Is chromium updated?)

2020-11-13 Thread Georgi Guninski
On Fri, Nov 13, 2020 at 12:27 PM John Runyon  wrote:
>
> Imagine calling yourself a “Debian contributor” because you... reported a few 
> bugs? Guess I’m a Debian contributor too.
>
I was wrong about being _contributor_, sorry (misunderstood
the definition).



Security updates for software written in Go

2020-11-13 Thread Laurențiu Păncescu

Hello,

the Debian Buster release notes state that no security updates are 
possible for software written in Go due to its static linking - Debian 
lacks the infrastructure to mass-rebuild all affected Go packages. Did 
this change in the meantime? If not, is there ongoing work to change this?


The same release notes state that just Firefox and Chromium can be 
supported with security updates, but Chromium is several major versions 
behind in Buster, it appears as vulnerable to lots of CVEs and the last 
DSA for chromium was at the beginning of July.


Best regards,
Laurentiu

[1] 
https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#limited-security-support

[2] https://security-tracker.debian.org/tracker/source-package/chromium



Re: fun with mailinglists (was Re: Is chromium updated?)

2020-11-13 Thread Gian Piero Carrubba

* [Fri, Nov 13, 2020 at 05:26:56AM -0500] John Runyon:
> Why do we have such messages on the security mailing list? Is there a 
> way to get actual security team announcements without all this spam?


That's a job for debian-security-announce@l.d.o (please note the 
'-announce' suffix)


Ciao,
Gian Piero.



Re: fun with mailinglists (was Re: Is chromium updated?)

2020-11-13 Thread Emmanuel Halbwachs
John Runyon (Fri 2020-11-13 05:26:56 -0500) :
> Why do we have such messages on the security mailing list? Is there a way to
> get actual security team announcements without all this spam?

Yes, there is such a list [1]. This list [2] is for (quote):

Discussion about security issues, including cryptographic issues,
that are of interest to all parts of the Debian community.

Please note that this is NOT an announcement mailing list. If
you're looking for security advisories from Debian, subscribe to
debian-security-announce instead.

This list is not moderated; posting is allowed by anyone.

[1] https://lists.debian.org/debian-security-announce/
[2] https://lists.debian.org/debian-security/

-- 
Emmanuel



Re: fun with mailinglists (was Re: Is chromium updated?)

2020-11-13 Thread Zhengbo Xiang
Come on man, if someone contributes, they contribute. Big or small.

And sure, let's quiet down a bit~

Best,
Alana X

On Fri, Nov 13, 2020 at 7:27 PM John Runyon  wrote:

> Imagine calling yourself a “Debian contributor” because you... reported a
> few bugs? Guess I’m a Debian contributor too.
>
> Why do we have such messages on the security mailing list? Is there a way
> to get actual security team announcements without all this spam? There is,
> after all, no shortage of Debian or Linux users mailing lists on which such
> messages could be posted.
>
> On Fri, Nov 13, 2020 at 5:19 AM Holger Levsen 
> wrote:
>
>> On Fri, Nov 13, 2020 at 12:06:50PM +0200, Georgi Guninski wrote:
>> > On Fri, Nov 13, 2020 at 10:21 AM Pavlos Ponos 
>> wrote:
>> > > BUT we should not forget to say a THANK YOU to these guys which give
>> their best in order all of us to use this OS for free ;-)
>> > I believe I am debian contributor too, search in google for:
>> > "georgi guninski" site:debian.org
>>
>> you seem to be a very funny person, less than 3h ago you said in
>> Message-ID: > u6uwf+qe8tumw4tk...@mail.gmail.com>
>> Debian was not responding to this thread and now you are saying you
>> are Debian too! :)))
>>
>>
>> --
>> cheers,
>> Holger
>>
> --
> Thanks,
> John Runyon
>


Re: fun with mailinglists (was Re: Is chromium updated?)

2020-11-13 Thread John Runyon
Imagine calling yourself a “Debian contributor” because you... reported a
few bugs? Guess I’m a Debian contributor too.

Why do we have such messages on the security mailing list? Is there a way
to get actual security team announcements without all this spam? There is,
after all, no shortage of Debian or Linux users mailing lists on which such
messages could be posted.

On Fri, Nov 13, 2020 at 5:19 AM Holger Levsen  wrote:

> On Fri, Nov 13, 2020 at 12:06:50PM +0200, Georgi Guninski wrote:
> > On Fri, Nov 13, 2020 at 10:21 AM Pavlos Ponos 
> wrote:
> > > BUT we should not forget to say a THANK YOU to these guys which give
> their best in order all of us to use this OS for free ;-)
> > I believe I am debian contributor too, search in google for:
> > "georgi guninski" site:debian.org
>
> you seem to be a very funny person, less than 3h ago you said in
> Message-ID:  u6uwf+qe8tumw4tk...@mail.gmail.com>
> Debian was not responding to this thread and now you are saying you
> are Debian too! :)))
>
>
> --
> cheers,
> Holger
>
-- 
Thanks,
John Runyon


fun with mailinglists (was Re: Is chromium updated?)

2020-11-13 Thread Holger Levsen
On Fri, Nov 13, 2020 at 12:06:50PM +0200, Georgi Guninski wrote:
> On Fri, Nov 13, 2020 at 10:21 AM Pavlos Ponos  wrote:
> > BUT we should not forget to say a THANK YOU to these guys which give their 
> > best in order all of us to use this OS for free ;-)
> I believe I am debian contributor too, search in google for:
> "georgi guninski" site:debian.org
 
you seem to be a very funny person, less than 3h ago you said in 
Message-ID: 
Debian was not responding to this thread and now you are saying you
are Debian too! :)))


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁   holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
 ⠈⠳⣄

Moral, truth, long term- and holistic thinking seem to mean nothing to us. The
emperors are naked. Every single one. It turns out our whole society is just
one big nudist party. (Greta Thunberg about the world reacting to the corona
crisis but not reacting appropriatly to the climate crisis.)




Re: Is chromium updated?

2020-11-13 Thread Georgi Guninski
On Fri, Nov 13, 2020 at 10:21 AM Pavlos Ponos  wrote:
> BUT we should not forget to say a THANK YOU to these guys which give their 
> best in order all of us to use this OS for free ;-)

I believe I am debian contributor too, search in google for:
"georgi guninski" site:debian.org

Definitely won't say "thank you" to some entity which gives
me long unpatched important component like a web browser.

It is like saying "thank you" to someone who gives
you free licensed Windows XP, lol.



[SECURITY] [DSA 4791-1] pacemaker security update

2020-11-13 Thread Moritz Muehlenhoff

-------------------------------------------------------------------------
Debian Security Advisory DSA-4791-1   secur...@debian.org
https://www.debian.org/security/   Moritz Muehlenhoff
November 13, 2020 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: pacemaker
CVE ID : CVE-2020-25654
Debian Bug : 973254

Ken Gaillot discovered a vulnerability in the Pacemaker cluster
resource manager: If ACLs were configured for users in the "haclient"
group, the ACL restrictions could be bypassed via unrestricted IPC
communication, resulting in cluster-wide arbitrary code execution with
root privileges.

If the "enable-acl" cluster option isn't enabled, members of the
"haclient" group can modify Pacemaker's Cluster Information Base without
restriction, which already gives them these capabilities, so there is
no additional exposure in such a setup.

For the stable distribution (buster), this problem has been fixed in
version 2.0.1-5+deb10u1.

We recommend that you upgrade your pacemaker packages.

For the detailed security status of pacemaker please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pacemaker

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org



Re: Is chromium updated?

2020-11-13 Thread Jörg Morbitzer


Hi,

some brainstorming: what about working together with the LinuxMint
people? They just got a dedicated compiling machine, just for getting
updated Chromium for LMDE in time:

http://packages.linuxmint.com/list.php?release=Debbie

Consolidating resources might do the trick here.

Kind regards, Joerg.

On 11/13/20 9:31 AM, Emmanuel Halbwachs wrote:
> Hello,
> 
> Pavlos Ponos (Fri 2020-11-13 10:20:36 +0200) :
>> BUT we should not forget to say a THANK YOU to these guys
> 
> and gals
> 
>> which give their best in order all of us to use this OS for free ;-)
> 
> I was about to write the same thing: a big thank you to all
> volunteers.
> 



Re: Is chromium updated?

2020-11-13 Thread Emmanuel Halbwachs
Hello,

Pavlos Ponos (Fri 2020-11-13 10:20:36 +0200) :
> BUT we should not forget to say a THANK YOU to these guys

and gals

> which give their best in order all of us to use this OS for free ;-)

I was about to write the same thing: a big thank you to all
volunteers.

-- 
Emmanuel



Re: /home/loser is with permissions 755, default umask 0022

2020-11-13 Thread Bjørn Mork
Your question(?) is answered by the FAQ in
https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html


Bjørn



Re: /home/loser is with permissions 755, default umask 0022

2020-11-13 Thread Richard van den Berg

On 13-11-2020 08:18, Georgi Guninski wrote:
> Some more exploit vectors from the FD list:
> https://seclists.org/fulldisclosure/2020/Nov/13
>
> Partial results:
>
> 1. mutt (text email client) exposes ~/.mutt/muttrc,
> which might contain the imap password in plaintext.

Interesting find. Please report this to the mutt package maintainer 
using reportbug[1].

> 2. Some time ago on a multiuser debian mirror we found a lot of data,
> including the wordpress password of the admin.

As Giacomo already explained, there is nothing an OS can do to stop the 
insecure behavior of its users.

> 3. Anything created by EDITOR NEWFILE is readable, unless the directory
> prevents. This includes root doing EDITOR /etc/NEWFILE

Yes, that is indeed the default. If you don't like it, you can change 
the system umask in /etc/login.defs or /etc/profile

Somehow I get the feeling you are using debian-security@lists.debian.org 
to report security issues with Debian. This is however just a 
discussion mailing list about Debian security. If you wish to report a 
serious security issue (which I did not find in your E-mails) you need 
to contact the Debian Security Team[2].


Kind regards,

Richard

[1]: https://wiki.debian.org/reportbug
[2]: https://www.debian.org/security/faq#contact
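Richard's reply above points at the system umask as the knob. The following POSIX shell snippet is an added illustration, not code from the thread: it shows the mode a new file gets under the default umask 0022 versus a tightened 0077, and runs a small audit for world-readable files under a constructed temporary home directory that contains a constructed ~/.mutt/muttrc (the helper names and the sample content are assumptions).

```shell
#!/bin/sh
# Added example (not from the thread): what the default umask 0022 does to a
# newly written file, what tightening it to 0077 changes, and a small audit
# for world-readable files under a home directory, the thread's ~/.mutt/muttrc
# case included. Everything lives in a constructed temporary directory.

# Permission bits (ls style, e.g. rw-r--r--) of a file created under umask $1.
mode_under_umask() {
    probe="$demo_home/umask-probe"
    rm -f "$probe"
    # Subshell keeps the umask change local; ': > file' creates an empty file
    # with mode 0666 & ~umask, exactly like an editor saving a new file.
    ( umask "$1" && : > "$probe" )
    mode=$(ls -ld "$probe" | cut -c2-10)
    rm -f "$probe"
    printf '%s\n' "$mode"
}

# True when the "other" read bit is set (column 8 of ls -l is 'r').
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Audit: print every regular file under $1 whose mode grants read to others
# (-perm -004), relative to $1. It checks file bits only; a directory without
# o+x would still block access ("unless the directory prevents" in the thread).
audit_world_readable() {
    find "$1" -type f -perm -004 -print | sed "s|^$1/||" | sort
}

# Number of findings from the audit (0 when nothing is world-readable).
count_world_readable() {
    audit_world_readable "$1" | awk 'END { print NR }'
}

# --- constructed home directory ---------------------------------------------
demo_home=$(mktemp -d "${TMPDIR:-/tmp}/homeaudit.XXXXXX")
mkdir -p "$demo_home/.mutt"
# The thread's case: a muttrc saved under the default umask 0022.
( umask 0022 && printf 'set imap_pass="constructed-example"\n' \
      > "$demo_home/.mutt/muttrc" )
# The same kind of file saved after tightening the umask to 0077.
( umask 0077 && printf 'constructed-secret\n' > "$demo_home/.private" )

echo "umask 0022 -> $(mode_under_umask 0022)"
echo "umask 0077 -> $(mode_under_umask 0077)"
echo "world-readable files under $demo_home:"
audit_world_readable "$demo_home"
```

Run against a real home directory, the audit lists the files that every local account can read; the umask setting in /etc/login.defs or /etc/profile only affects files created after the change.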




Re: Is chromium updated?

2020-11-13 Thread Sven Hartge

On 17.10.20 14:28, Georgi Guninski wrote:
> Is Debian's chromium vulnerable now?


Yes. The Team maintaining Chromium in Debian is clearly overloaded and 
understaffed and I am sure the Corona Crisis isn't helping here.