Re: [DNG] [j...@debian.org: [SECURITY] [DSA 4139-1] firefox-esr security update]

2018-03-17 Thread leloft
On Fri, 16 Mar 2018 19:09:27 +
KatolaZ  wrote:
> > [...]
> > > pinpoint any DSA whose patch is *not*
> > > already available in Devuan
> > [...]
> > 
> > Ascii packages not yet replaced with patched versions
> > 
> 
> leloft, you must have "ascii-security" enabled in sources.list. Those
> packages are already in ascii:
> 
> $  apt-cache policy samba
> samba:
>   Installed: (none)
>   Candidate: 2:4.5.12+dfsg-2+deb9u2
> Version table:
>    2:4.5.12+dfsg-2+deb9u2 500
>      500 http://pkgmaster.devuan.org/merged ascii-security/main amd64 Packages
>    2:4.5.12+dfsg-2+deb9u1 500
>      500 http://pkgmaster.devuan.org/merged ascii/main amd64 Packages
> $
> 
> Same for all the other packages you mentioned. Please double-check
> yourself.
> 
> Updates enter pkgmaster.devuan.org about 5/6 minutes after the relevant
> Packages files are published by primary Debian mirrors. And they are
> available on deb.devuan.org (the new DNS Round-robin of Devuan package
> mirrors) about 30 minutes later, on average, and in any case no later
> than one hour later.
> 
> HND
> 
> KatolaZ

Thanks for your feedback, it is very welcome.  I did not use my
sources.list to apt-cache policy these packages to check them.
I checked them against an apt-mirror configured with the
mirror.list posted here a few days ago.  It would appear that although
the patched packages are immediately available on the official pkgmaster
ascii-security repo as you demonstrated, they are not similarly
available on an apt-mirror if it does not also mirror additional
ascii-* repos. I have added extra repos (taken from the localhost's
sources.list and amended to also mirror 'contrib' and 'non-free'), thus:

# config ##
#
set base_path    /srv/apt-mirror
#
# set mirror_path  $base_path/mirror
# set skel_path    $base_path/skel
# set var_path     $base_path/var
# set cleanscript  $var_path/clean.sh
# set defaultarch  
# set postmirror_script $var_path/postmirror.sh
# set run_postmirror 0
set nthreads     20
set _tilde 0
#
# end config ##
# mirroring package sources
deb-src http://pkgmaster.devuan.org/merged ascii main contrib non-free
deb-src http://pkgmaster.devuan.org/merged ascii-security main contrib non-free
deb-src http://pkgmaster.devuan.org/merged ascii-backports main contrib non-free
#deb-src http://pkgmaster.devuan.org/merged ascii-proposed main contrib non-free
deb-src http://pkgmaster.devuan.org/merged ascii-updates main contrib non-free
deb-src http://pkgmaster.devuan.org/merged ascii-proposed-updates main contrib non-free
#deb-src http://pkgmaster.devuan.org/devuan ascii-proposed-security main contrib non-free
deb-src http://pkgmaster.devuan.org/devuan experimental main contrib non-free
# mirroring binary architectures
deb-amd64 http://pkgmaster.devuan.org/merged ascii main contrib non-free
deb-i386  http://pkgmaster.devuan.org/merged ascii main contrib non-free
deb-amd64 http://pkgmaster.devuan.org/devuan ascii main contrib non-free
deb-i386  http://pkgmaster.devuan.org/devuan ascii main contrib non-free
deb-amd64 http://pkgmaster.devuan.org/merged ascii-security main contrib non-free
deb-i386  http://pkgmaster.devuan.org/merged ascii-security main contrib non-free
deb-amd64 http://pkgmaster.devuan.org/merged ascii-backports main contrib non-free
deb-i386  http://pkgmaster.devuan.org/merged ascii-backports main contrib non-free
deb-amd64 http://pkgmaster.devuan.org/devuan ascii-proposed main contrib non-free
deb-i386  http://pkgmaster.devuan.org/devuan ascii-proposed main contrib non-free
deb-amd64 http://pkgmaster.devuan.org/merged ascii-updates main contrib non-free
deb-i386  http://pkgmaster.devuan.org/merged ascii-updates main contrib non-free
deb-amd64 http://pkgmaster.devuan.org/merged ascii-proposed-updates main contrib non-free
deb-i386  http://pkgmaster.devuan.org/merged ascii-proposed-updates main contrib non-free
#deb-amd64 http://pkgmaster.devuan.org/devuan ascii-proposed-security main contrib non-free
#deb-i386  http://pkgmaster.devuan.org/devuan ascii-proposed-security main contrib non-free
deb-amd64 http://pkgmaster.devuan.org/devuan experimental main contrib non-free
deb-i386  http://pkgmaster.devuan.org/devuan experimental main contrib non-free
# cleanup obsolete stuff
clean http://pkgmaster.devuan.org/merged

However, if I do not comment out the four lines indicated above,
apt-mirror downloads 585 index files but generates the following errors:

Processing indexes: [SSSapt-mirror: can't open index pkgmaster.devuan.org/merged//dists/ascii-proposed/main/source/Sources in process_index at /usr/bin/apt-mirror line 800.

apt-mirror: can't open index pkgmaster.devuan.org/merged//dists/ascii-proposed/contrib/source/Sources in process_index at /usr/bin/apt-mirror line 800.

apt-mirror: can't open index pkgmaster.devuan.org/merged//dists/ascii-proposed/non-free/source/Sources in process_index at /usr/bin/apt-mirror line 800.
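An added example, not code from the thread or from apt-mirror itself: it expands each mirror.list line into the Sources/Packages index URLs apt-mirror will try to open and reports the ones the server does not serve, which is how the ascii-proposed source entries above would be caught before a mirror run. The dists/<suite>/<component>/... layout follows the paths in the error messages; the compressed-index suffixes tried and the amd64 default for a bare "deb" line are assumptions.

```python
"""Find mirror.list entries whose index files the server does not provide.
Added example, not apt-mirror's own code; the index path layout follows the
paths in apt-mirror's "can't open index" errors (dists/<suite>/<comp>/...)."""
import urllib.error
import urllib.request
from typing import Callable, List

# Constructed sample mirror.list; the last line is the kind that fails in the thread.
MIRROR_LIST = """\
set base_path /srv/apt-mirror
deb-amd64 http://pkgmaster.devuan.org/merged ascii-security main contrib non-free
deb-src http://pkgmaster.devuan.org/merged ascii-security main non-free
deb-src http://pkgmaster.devuan.org/merged ascii-proposed main contrib non-free
"""


def index_urls(mirror_list: str) -> List[str]:
    """Expand deb-src / deb-<arch> lines into the Sources / Packages URLs they imply."""
    urls: List[str] = []
    for line in mirror_list.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("deb"):
            continue  # 'set', 'clean', '#' comments and blank lines carry no indexes
        kind, base, suite, components = parts[0], parts[1].rstrip("/"), parts[2], parts[3:]
        if kind == "deb-src":
            sub = "source/Sources"
        else:
            # "deb-amd64" -> amd64; a bare "deb" line is assumed to mean amd64 here
            arch = kind.split("-", 1)[1] if "-" in kind else "amd64"
            sub = f"binary-{arch}/Packages"
        urls += [f"{base}/dists/{suite}/{comp}/{sub}" for comp in components]
    return urls


def http_exists(url: str) -> bool:
    """HEAD the index; also try compressed variants (assumed suffix list)."""
    for candidate in (url + ".xz", url + ".gz", url):
        req = urllib.request.Request(candidate, method="HEAD")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                if resp.status == 200:
                    return True
        except urllib.error.URLError:
            pass  # 404 or unreachable: try the next variant
    return False


def unservable_indexes(mirror_list: str,
                       exists: Callable[[str], bool] = http_exists) -> List[str]:
    """Index URLs apt-mirror would open but the server does not provide."""
    return [u for u in index_urls(mirror_list) if not exists(u)]
```

Run `unservable_indexes(open("/etc/apt/mirror.list").read())` against a real mirror.list to get the list of entries to comment out before running apt-mirror.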


Re: [DNG] [j...@debian.org: [SECURITY] [DSA 4139-1] firefox-esr security update]

2018-03-16 Thread KatolaZ
On Fri, Mar 16, 2018 at 06:59:39PM +, leloft wrote:
> On Fri, 16 Mar 2018 12:17:58 +
> KatolaZ  wrote:
> 
> [...]
> > pinpoint any DSA whose patch is *not*
> > already available in Devuan
> [...]
> 
> Ascii packages not yet replaced with patched versions
> 

leloft, you must have "ascii-security" enabled in sources.list. Those
packages are already in ascii:

$  apt-cache policy samba
samba:
  Installed: (none)
  Candidate: 2:4.5.12+dfsg-2+deb9u2
Version table:
   2:4.5.12+dfsg-2+deb9u2 500
     500 http://pkgmaster.devuan.org/merged ascii-security/main amd64 Packages
   2:4.5.12+dfsg-2+deb9u1 500
     500 http://pkgmaster.devuan.org/merged ascii/main amd64 Packages
$

Same for all the other packages you mentioned. Please double-check
yourself.

Updates enter pkgmaster.devuan.org about 5/6 minutes after the relevant
Packages files are published by primary Debian mirrors. And they are
available on deb.devuan.org (the new DNS Round-robin of Devuan package
mirrors) about 30 minutes later, on average, and in any case no later
than one hour later.

HND

KatolaZ

-- 
[ ~.,_  Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab  ]  
[ "+.  katolaz [at] freaknet.org --- katolaz [at] yahoo.it  ]
[   @)   http://kalos.mine.nu ---  Devuan GNU + Linux User  ]
[ @@)  http://maths.qmul.ac.uk/~vnicosia --  GPG: 0B5F062F  ] 
[ (@@@)  Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ  ]


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


Re: [DNG] [j...@debian.org: [SECURITY] [DSA 4139-1] firefox-esr security update]

2018-03-16 Thread leloft
On Fri, 16 Mar 2018 12:17:58 +
KatolaZ  wrote:

[...]
> pinpoint any DSA whose patch is *not*
> already available in Devuan
[...]

Ascii packages not yet replaced with patched versions

Tue, 13 Mar 2018 09:49:45 +
[SECURITY] [DSA 4135-1] samba security update
Need:   2:4.5.12+dfsg-2+deb9u2.
Got:    samba_4.5.12+dfsg-2+deb9u1.
Repo:   pkgmaster.devuan.org/merged/pool/DEBIAN/main/s/samba

Wed, 14 Mar 2018 21:36:51 +
[SECURITY] [DSA 4136-1] curl security update
Need:   7.52.1-5+deb9u5.
Got:    curl_7.52.1-5+deb9u4.
Repo:   pkgmaster.devuan.org/merged/pool/DEBIAN/main/c/curl

Wed, 14 Mar 2018 22:50:24 +0100
[SECURITY] [DSA 4137-1] libvirt security update
Need:   3.0.0-4+deb9u3.
Got:    libnss-libvirt_3.0.0-4+deb9u2_amd64.deb
Repo:   pkgmaster.devuan.org/merged/pool/DEBIAN/main/libv/libvirt

Thu, 15 Mar 2018 10:47:18 +
[SECURITY] [DSA 4138-1] mbedtls security update
Need:   2.4.2-1+deb9u2.
Got:    libmbedcrypto0_2.4.2-1+deb9u1_amd64.deb
Repo:   pkgmaster.devuan.org/merged/pool/DEBIAN/main/m/mbedtls

Thu, 15 Mar 2018 22:38:18 +0100
[SECURITY] [DSA 4139-1] firefox-esr security update
Need:   52.7.1esr-1~deb9u1.
Got:    firefox-esr_52.6.0esr-1~deb9u1_amd64.deb
Repo:   pkgmaster.devuan.org/merged/pool/DEBIAN/main/f/firefox-esr

Is this helpful? I have compared the patched versions in the DSA with
the versions in my local updated apt-mirrored ascii/main repository.
At first inspection, the patched packages for ascii 2-13 Mar appear
to be available, including the devuan util-linux package, so it would
appear that the lag time between the DSA and the patched
version appearing in pkgmaster would be between 3 and 5 days.
I'll have a go at Jessie over the weekend, but first I'll have to clear
some space to mirror it.

Thanks for everything

leloft

 




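An added example, not from the thread: a check that compares the "Need" version from each DSA with the "Got" version in a mirror using dpkg's version ordering (epoch, then upstream, then revision, with "~" sorting before anything), so that versions like 52.7.1esr-1~deb9u1 compare correctly where plain string comparison would not. The two dicts are constructed from the list above, with samba set to the patched version as shown for the ascii-security suite.

```python
"""Compare DSA 'fixed in' versions against what a mirror holds, using dpkg's
version ordering (epoch:upstream-revision, '~' sorts first). Added example,
not code from the thread; the sample dicts are constructed from its DSA list."""

# Constructed samples: "Need" (from the DSAs) and "Got" (from the mirror).
DSA_FIXED = {"samba": "2:4.5.12+dfsg-2+deb9u2", "curl": "7.52.1-5+deb9u5",
             "libvirt": "3.0.0-4+deb9u3", "firefox-esr": "52.7.1esr-1~deb9u1"}
MIRROR_HAS = {"samba": "2:4.5.12+dfsg-2+deb9u2", "curl": "7.52.1-5+deb9u4",
              "libvirt": "3.0.0-4+deb9u2", "firefox-esr": "52.6.0esr-1~deb9u1"}

def _order(c):
    """dpkg weight of a non-digit char: '~' < end-of-string/digit < letters < others."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """dpkg's verrevcmp: alternate non-digit runs and numeric runs; <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            d = _order(a[i:i + 1]) - _order(b[j:j + 1])
            if d:
                return d
            i, j = i + 1, j + 1
        na = nb = ""  # numeric runs compare by value (leading zeros ignored)
        while i < len(a) and a[i].isdigit():
            na, i = na + a[i], i + 1
        while j < len(b) and b[j].isdigit():
            nb, j = nb + b[j], j + 1
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def _split(v):
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''."""
    epoch, has_epoch, rest = v.partition(":")
    if not has_epoch:
        epoch, rest = "0", v
    upstream, has_rev, revision = rest.rpartition("-")
    return int(epoch), (upstream if has_rev else rest), (revision if has_rev else "")

def compare_versions(a, b):
    """-1, 0 or 1, following the same rules as `dpkg --compare-versions`."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    c = (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)
    return (c > 0) - (c < 0)

def missing_patches(dsa, mirror):
    """DSAs whose fixed version is not yet in the mirror: source -> (need, got)."""
    return {s: (need, mirror.get(s)) for s, need in dsa.items()
            if s not in mirror or compare_versions(mirror[s], need) < 0}
```

With the sample data, `missing_patches(DSA_FIXED, MIRROR_HAS)` reports curl, libvirt and firefox-esr as still lagging and leaves samba out.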


Re: [DNG] [j...@debian.org: [SECURITY] [DSA 4139-1] firefox-esr security update]

2018-03-16 Thread golinux

On 2018-03-16 04:40, KatolaZ wrote:

> On Fri, Mar 16, 2018 at 06:01:20PM +0900, Olaf Meeuwissen wrote:
> 
> > However, using a simple web search (using Duck Duck Go, if that matters)
> > I cannot seem to easily find anything on a Devuan website that clearly
> > spells this out.  Perhaps that is something that can be improved?  The
> > landing page lists
> 
> Security updates are managed in the same way as the rest of the
> packages: they get merged by amprolla into the corresponding
> "-security" suite.
> 
> There was online a video describing the whole Devuan package pipeline,
> but I understand we should probably provide a better layman
> description of what amprolla does and of what it does not. The latter
> point seems to have created a lot of confusion in the past. I might
> give a try at writing something short at some point.
> 
> HND
> 
> KatolaZ


This image describes the Devuan workflow. As you can see from the URL it 
was on an early version of the website. I have asked KatolaZ to write a 
brief clarification of the process. Then it can go on the forum, website 
and wiki. It has been discussed before but somehow fell through the 
cracks but not this time.  :)


http://web.archive.org/web/20150720070928im_/http://devuan.org/pics/devuan-ci-graph.png

golinux





Re: [DNG] [j...@debian.org: [SECURITY] [DSA 4139-1] firefox-esr security update]

2018-03-16 Thread KatolaZ
On Fri, Mar 16, 2018 at 12:07:46PM +, leloft wrote:
> On Thu, 15 Mar 2018 22:08:45 +
> KatolaZ  wrote:
> > Or maybe somebody here would like to take care of
> > putting together a summary of DSAs once a fortnight or so? That might
> > be useful. 
> 
> At last! Something I can do!
> 
> leloft

Great leloft! If you could also pinpoint any DSA whose patch is *not*
already available in Devuan, that would be great.

Thanks

KatolaZ



Re: [DNG] [j...@debian.org: [SECURITY] [DSA 4139-1] firefox-esr security update]

2018-03-16 Thread leloft
On Thu, 15 Mar 2018 22:08:45 +
KatolaZ  wrote:
> Or maybe somebody here would like to take care of
> putting together a summary of DSAs once a fortnight or so? That might
> be useful. 

At last! Something I can do!

leloft


Re: [DNG] [j...@debian.org: [SECURITY] [DSA 4139-1] firefox-esr security update]

2018-03-16 Thread Erik Christiansen
On 15.03.18 22:08, KatolaZ wrote:
> FYI
> 
> As many of us, I keep receiving DSAs. And as usual, we should be
> covered on these ones. If you think it might be useful, I might
> forward DSAs here. Or maybe somebody here would like to take care of
> putting together a summary of DSAs once a fortnight or so? That might
> be useful. 

It might prompt me to upgrade more than once every three to five years,
which has been my pattern for decades. A good scare is worth a truckload
of advice.

Erik


Re: [DNG] [j...@debian.org: [SECURITY] [DSA 4139-1] firefox-esr security update]

2018-03-16 Thread KatolaZ
On Fri, Mar 16, 2018 at 06:01:20PM +0900, Olaf Meeuwissen wrote:
> Hi KatolaZ,
> 
> KatolaZ writes:
> 
> > As many of us, I keep receiving DSAs. And as usual, we should be
> > covered on these ones. If you think it might be useful, I might
> > forward DSAs here. Or maybe somebody here would like to take care of
> > putting together a summary of DSAs once a fortnight or so? That might
> > be useful.
> 
> I'm one of those many and not just because I still have an odd Debian
> machine running.  I also keep getting them because I know that Devuan
> will get most of its security upgrades straight from Debian anyway.

I keep receiving them because I have not unsubscribed the mailing
list, not because I have any Debian machine hanging around :)

> 
> However, using a simple web search (using Duck Duck Go, if that matters)
> I cannot seem to easily find anything on a Devuan website that clearly
> spells this out.  Perhaps that is something that can be improved?  The
> landing page lists
> 

Security updates are managed in the same way as the rest of the
packages: they get merged by amprolla into the corresponding
"-security" suite. 

There was online a video describing the whole Devuan package pipeline,
but I understand we should probably provide a better layman
description of what amprolla does and of what it does not. The latter
point seems to have created a lot of confusion in the past. I might
give a try at writing something short at some point.

HND

KatolaZ



Re: [DNG] [j...@debian.org: [SECURITY] [DSA 4139-1] firefox-esr security update]

2018-03-16 Thread Olaf Meeuwissen
Hi KatolaZ,

KatolaZ writes:

> As many of us, I keep receiving DSAs. And as usual, we should be
> covered on these ones. If you think it might be useful, I might
> forward DSAs here. Or maybe somebody here would like to take care of
> putting together a summary of DSAs once a fortnight or so? That might
> be useful.

I'm one of those many and not just because I still have an odd Debian
machine running.  I also keep getting them because I know that Devuan
will get most of its security upgrades straight from Debian anyway.

However, using a simple web search (using Duck Duck Go, if that matters)
I cannot seem to easily find anything on a Devuan website that clearly
spells this out.  Perhaps that is something that can be improved?  The
landing page lists

  deb http://auto.mirror.devuan.org/merged jessie-security main

in the Packages section but there's no mention of how Devuan handles
security issues.  A link to

  https://devuan.org/os/security/

on the landing page as well as a blurb on that security page explaining
how things work would go a long way?

Personally, I have no problem with *not* getting duplicates of Debian's
DSAs.  Then again, I also have no real problem with getting them ;-)
# Already get "duplicates" from Ubuntu as well :-/

What I'd definitely do like to see is Devuan Security Announcements for
the *forked* packages.

Hope this helps,
--
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation  https://my.fsf.org/join


[DNG] [j...@debian.org: [SECURITY] [DSA 4139-1] firefox-esr security update]

2018-03-15 Thread KatolaZ
FYI

As many of us, I keep receiving DSAs. And as usual, we should be
covered on these ones. If you think it might be useful, I might
forward DSAs here. Or maybe somebody here would like to take care of
putting together a summary of DSAs once a fortnight or so? That might
be useful. 

HND

KatolaZ

- Forwarded message from Moritz Muehlenhoff  -

Date: Thu, 15 Mar 2018 22:38:18 +0100
From: Moritz Muehlenhoff 
To: debian-security-annou...@lists.debian.org
Subject: [SECURITY] [DSA 4139-1] firefox-esr security update
User-Agent: Mutt/1.9.4 (2018-02-28)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4139-1   secur...@debian.org
https://www.debian.org/security/   Moritz Muehlenhoff
March 15, 2018https://www.debian.org/security/faq
- -

Package: firefox-esr
CVE ID : CVE-2018-5125 CVE-2018-5127 CVE-2018-5129 CVE-2018-5130 
 CVE-2018-5131 CVE-2018-5144 CVE-2018-5145

Several security issues have been found in the Mozilla Firefox web
browser: Multiple memory safety errors and other implementation errors
may lead to the execution of arbitrary code, denial of service or
information disclosure.
   
For the oldstable distribution (jessie), these problems have been fixed
in version 52.7.1esr-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 52.7.1esr-1~deb9u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


- End forwarded message -
