Re: [DNG] [j...@debian.org: [SECURITY] [DSA 4139-1] firefox-esr security update]
On Fri, 16 Mar 2018 19:09:27 + KatolaZ wrote:

> > [...]
> >
> > > pinpoint any DSA whose patch is *not*
> > > already available in Devuan
> >
> > [...]
> >
> > Ascii packages not yet replaced with patched versions
> >
>
> leloft, you must have "ascii-security" enabled in sources.list. Those
> packages are already in ascii:
>
> $ apt-cache policy samba
> samba:
>   Installed: (none)
>   Candidate: 2:4.5.12+dfsg-2+deb9u2
>   Version table:
>      2:4.5.12+dfsg-2+deb9u2 500
>         500 http://pkgmaster.devuan.org/merged ascii-security/main amd64 Packages
>      2:4.5.12+dfsg-2+deb9u1 500
>         500 http://pkgmaster.devuan.org/merged ascii/main amd64 Packages
> $
>
> Same for all the other packages you mentioned. Please double-check
> yourself.
>
> Updates enter pkgmaster.devuan.org about 5/6 minutes after the relevant
> Packages files are published by primary Debian mirrors. And they are
> available on deb.devuan.org (the new DNS Round-robin of Devuan package
> mirrors) about 30 minutes later, on average, and in any case no later
> than one hour later.
>
> HND
>
> KatolaZ

Thanks for your feedback, it is very welcome. I did not use my
sources.list to apt-cache policy these packages to check them. I checked
them against an apt-mirror configured with the mirror.list posted here a
few days ago. It would appear that although the patched packages are
immediately available on the official pkgmaster ascii-security repo as
you demonstrated, they are not similarly available on an apt-mirror if it
does not also mirror additional ascii-* repos.

I have added extra repos (taken from the localhost's sources.list and
amended to also mirror 'contrib' and 'non-free') thus

# config ##
#
# set base_path    /srv/apt-mirror
#
# set mirror_path  $base_path/mirror
# set skel_path    $base_path/skel
# set var_path     $base_path/var
# set cleanscript  $var_path/clean.sh
# set defaultarch
# set postmirror_script $var_path/postmirror.sh
# set run_postmirror 0
set nthreads     20
set _tilde 0
#
# end config ##

# mirroring package sources
deb-src http://pkgmaster.devuan.org/merged ascii main contrib non-free
deb-src http://pkgmaster.devuan.org/merged ascii-security main contrib non-free
deb-src http://pkgmaster.devuan.org/merged ascii-backports main contrib non-free
#deb-src http://pkgmaster.devuan.org/merged ascii-proposed main contrib non-free
deb-src http://pkgmaster.devuan.org/merged ascii-updates main contrib non-free
deb-src http://pkgmaster.devuan.org/merged ascii-proposed-updates main contrib non-free
#deb-src http://pkgmaster.devuan.org/devuan ascii-proposed-security main contrib non-free
deb-src http://pkgmaster.devuan.org/devuan experimental main contrib non-free

# mirroring binary architectures
deb-amd64 http://pkgmaster.devuan.org/merged ascii main contrib non-free
deb-i386 http://pkgmaster.devuan.org/merged ascii main contrib non-free
deb-amd64 http://pkgmaster.devuan.org/devuan ascii main contrib non-free
deb-i386 http://pkgmaster.devuan.org/devuan ascii main contrib non-free
deb-amd64 http://pkgmaster.devuan.org/merged ascii-security main contrib non-free
deb-i386 http://pkgmaster.devuan.org/merged ascii-security main contrib non-free
deb-amd64 http://pkgmaster.devuan.org/merged ascii-backports main contrib non-free
deb-i386 http://pkgmaster.devuan.org/merged ascii-backports main contrib non-free
deb-amd64 http://pkgmaster.devuan.org/devuan ascii-proposed main contrib non-free
deb-i386 http://pkgmaster.devuan.org/devuan ascii-proposed main contrib non-free
deb-amd64 http://pkgmaster.devuan.org/merged ascii-updates main contrib non-free
deb-i386 http://pkgmaster.devuan.org/merged ascii-updates main contrib non-free
deb-amd64 http://pkgmaster.devuan.org/merged ascii-proposed-updates main contrib non-free
deb-i386 http://pkgmaster.devuan.org/merged ascii-proposed-updates main contrib non-free
#deb-amd64 http://pkgmaster.devuan.org/devuan ascii-proposed-security main contrib non-free
#deb-i386 http://pkgmaster.devuan.org/devuan ascii-proposed-security main contrib non-free
deb-amd64 http://pkgmaster.devuan.org/devuan experimental main contrib non-free
deb-i386 http://pkgmaster.devuan.org/devuan experimental main contrib non-free

# cleanup obsolete stuff
clean http://pkgmaster.devuan.org/merged

However, if I do not comment out the four lines indicated above,
apt-mirror downloads 585 index files but generates the following errors

Processing indexes: [SSSapt-mirror: can't open index pkgmaster.devuan.org/merged//dists/ascii-proposed/main/source/Sources in process_index at /usr/bin/apt-mirror line 800.
apt-mirror: can't open index pkgmaster.devuan.org/merged//dists/ascii-proposed/contrib/source/Sources in process_index at /usr/bin/apt-mirror line 800.
apt-mirror: can't open index pkgmaster.devuan.org/merged//dists/ascii-proposed/non-free/source/Sources in process_index at /usr/bin/apt-mirror line 800.
Re: [DNG] [j...@debian.org: [SECURITY] [DSA 4139-1] firefox-esr security update]
On Fri, Mar 16, 2018 at 06:59:39PM +, leloft wrote:
> On Fri, 16 Mar 2018 12:17:58 +
> KatolaZ wrote:
>
> [...]
> > pinpoint any DSA whose patch is *not*
> > already available in Devuan
> [...]
>
> Ascii packages not yet replaced with patched versions
>

leloft, you must have "ascii-security" enabled in sources.list. Those
packages are already in ascii:

$ apt-cache policy samba
samba:
  Installed: (none)
  Candidate: 2:4.5.12+dfsg-2+deb9u2
  Version table:
     2:4.5.12+dfsg-2+deb9u2 500
        500 http://pkgmaster.devuan.org/merged ascii-security/main amd64 Packages
     2:4.5.12+dfsg-2+deb9u1 500
        500 http://pkgmaster.devuan.org/merged ascii/main amd64 Packages
$

Same for all the other packages you mentioned. Please double-check
yourself.

Updates enter pkgmaster.devuan.org about 5/6 minutes after the relevant
Packages files are published by primary Debian mirrors. And they are
available on deb.devuan.org (the new DNS Round-robin of Devuan package
mirrors) about 30 minutes later, on average, and in any case no later
than one hour later.

HND

KatolaZ

--
[ ~.,_  Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab  ]
[ "+.   katolaz [at] freaknet.org --- katolaz [at] yahoo.it     ]
[ @)    http://kalos.mine.nu --- Devuan GNU + Linux User        ]
[ @@)   http://maths.qmul.ac.uk/~vnicosia -- GPG: 0B5F062F      ]
[ (@@@) Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ   ]

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] [j...@debian.org: [SECURITY] [DSA 4139-1] firefox-esr security update]
On Fri, 16 Mar 2018 12:17:58 + KatolaZ wrote:

[...]
> pinpoint any DSA whose patch is *not*
> already available in Devuan
[...]

Ascii packages not yet replaced with patched versions

Tue, 13 Mar 2018 09:49:45 +  [SECURITY] [DSA 4135-1] samba security update
  Need: 2:4.5.12+dfsg-2+deb9u2.  Got: samba_4.5.12+dfsg-2+deb9u1.
  Repo: pkgmaster.devuan.org/merged/pool/DEBIAN/main/s/samba

Wed, 14 Mar 2018 21:36:51 +  [SECURITY] [DSA 4136-1] curl security update
  Need: 7.52.1-5+deb9u5.  Got: curl_7.52.1-5+deb9u4.
  Repo: pkgmaster.devuan.org/merged/pool/DEBIAN/main/c/curl

Wed, 14 Mar 2018 22:50:24 +0100  [SECURITY] [DSA 4137-1] libvirt security update
  Need: 3.0.0-4+deb9u3.  Got: libnss-libvirt_3.0.0-4+deb9u2_amd64.deb
  Repo: pkgmaster.devuan.org/merged/pool/DEBIAN/main/libv/libvirt

Thu, 15 Mar 2018 10:47:18 +  [SECURITY] [DSA 4138-1] mbedtls security update
  Need: 2.4.2-1+deb9u2.  Got: libmbedcrypto0_2.4.2-1+deb9u1_amd64.deb
  Repo: pkgmaster.devuan.org/merged/pool/DEBIAN/main/m/mbedtls

Thu, 15 Mar 2018 22:38:18 +0100  [SECURITY] [DSA 4139-1] firefox-esr security update
  Need: 52.7.1esr-1~deb9u1.  Got: firefox-esr_52.6.0esr-1~deb9u1_amd64.deb
  Repo: pkgmaster.devuan.org/merged/pool/DEBIAN/main/f/firefox-esr

Is this helpful? I have compared the patched versions in the DSA with
the versions in my local updated apt-mirrored ascii/main repository. At
first inspection, the patched packages for ascii 2-13 Mar appear to be
available, including the devuan util-linux package, so it would appear
that the lag time between the DSA and the patched version appearing in
pkgmaster would be between 3 and 5 days.

I'll have a go at Jessie over the weekend, but first I'll have to clear
some space to mirror it.

Thanks for everything

leloft
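The Need/Got comparison in the report above can be automated with dpkg's version-ordering rules; the following is an added example (not code from this thread, from Devuan or from apt-mirror), with the REPORT rows constructed from the figures leloft posted. It also handles the detail that pool filenames carry no epoch, which is why samba's "2:" must be dropped before comparing against a filename, and a second row set can be fed to the same function once the ascii-security suite is mirrored.

```python
"""Added example (not from the thread): compare the version a DSA declares fixed with
the version seen in a local mirror, using dpkg's ordering rules (epoch handled)."""
import re
from itertools import zip_longest

_TOK = re.compile(r"(\D*)(\d*)")  # split a version into non-digit / digit runs

def _order(c):  # dpkg character order: '~' < end of string (0) < letters < others
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_run(x, y):  # compare two non-digit runs character by character
    for cx, cy in zip_longest(map(_order, x), map(_order, y), fillvalue=0):
        if cx != cy:
            return cx - cy
    return 0

def _verrevcmp(a, b):  # compare an upstream-version or debian-revision string
    for (na, da), (nb, db) in zip_longest(
            _TOK.findall(a), _TOK.findall(b), fillvalue=("", "")):
        c = _cmp_run(na, nb) or int(da or 0) - int(db or 0)
        if c:
            return c
    return 0

def _split(v):  # "epoch:upstream-revision" -> (epoch, upstream, revision)
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(v1, v2):  # <0, 0, >0 like dpkg --compare-versions lt/eq/gt
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def version_from_deb_filename(fname):  # "name_version_arch.deb" -> version
    return (fname[:-4] if fname.endswith(".deb") else fname).split("_")[1]

def unpatched(report):
    """Rows are (source package, version fixed by the DSA, file seen in the mirror).
    Returns the packages whose mirrored version is still older than the fix."""
    stale = []
    for pkg, need, got in report:
        have = version_from_deb_filename(got)
        if compare_versions(have, need.split(":", 1)[-1]) < 0:  # drop the epoch
            stale.append(pkg)
    return stale

# Sample rows constructed from the Need/Got figures posted above (ascii mirror, 16 Mar 2018).
REPORT = [
    ("samba", "2:4.5.12+dfsg-2+deb9u2", "samba_4.5.12+dfsg-2+deb9u1"),
    ("curl", "7.52.1-5+deb9u5", "curl_7.52.1-5+deb9u4"),
    ("libvirt", "3.0.0-4+deb9u3", "libnss-libvirt_3.0.0-4+deb9u2_amd64.deb"),
    ("mbedtls", "2.4.2-1+deb9u2", "libmbedcrypto0_2.4.2-1+deb9u1_amd64.deb"),
    ("firefox-esr", "52.7.1esr-1~deb9u1", "firefox-esr_52.6.0esr-1~deb9u1_amd64.deb"),
]
```

On a host with dpkg installed, `dpkg --compare-versions A lt B` gives the same verdict as `compare_versions(A, B) < 0` and can be used to cross-check the results.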
Re: [DNG] [j...@debian.org: [SECURITY] [DSA 4139-1] firefox-esr security update]
On 2018-03-16 04:40, KatolaZ wrote:
> On Fri, Mar 16, 2018 at 06:01:20PM +0900, Olaf Meeuwissen wrote:
> > However, using a simple web search (using Duck Duck Go, if that matters)
> > I cannot seem to easily find anything on a Devuan website that clearly
> > spells this out. Perhaps that is something that can be improved? The
> > landing page lists
>
> Security updates are managed in the same way as the rest of the
> packages: they get merged by amprolla into the corresponding
> "-security" suite. There was online a video describing the whole
> Devuan package pipeline, but I understand we should probably provide a
> better layman description of what amprolla does and of what it does
> not. The latter point seems to have created a lot of confusion in the
> past. I might give a try at writing something short at some point.
>
> HND
>
> KatolaZ

This image describes the Devuan workflow. As you can see from the URL it
was on an early version of the website. I have asked KatolaZ to write a
brief clarification of the process. Then it can go on the forum, website
and wiki. It has been discussed before but somehow fell through the
cracks but not this time. :)

http://web.archive.org/web/20150720070928im_/http://devuan.org/pics/devuan-ci-graph.png

golinux
Re: [DNG] [j...@debian.org: [SECURITY] [DSA 4139-1] firefox-esr security update]
On Fri, Mar 16, 2018 at 12:07:46PM +, leloft wrote:
> On Thu, 15 Mar 2018 22:08:45 +
> KatolaZ wrote:
>
> > Or maybe somebody here would like to take care of
> > putting together a summary of DSAs once a fortnight or so? That might
> > be useful.
>
> At last! Something I can do!
>
> leloft

Great leloft! If you could also pinpoint any DSA whose patch is *not*
already available in Devuan, that would be great.

Thanks

KatolaZ
Re: [DNG] [j...@debian.org: [SECURITY] [DSA 4139-1] firefox-esr security update]
On Thu, 15 Mar 2018 22:08:45 + KatolaZ wrote:

> Or maybe somebody here would like to take care of
> putting together a summary of DSAs once a fortnight or so? That might
> be useful.

At last! Something I can do!

leloft
Re: [DNG] [j...@debian.org: [SECURITY] [DSA 4139-1] firefox-esr security update]
On 15.03.18 22:08, KatolaZ wrote:
> FYI
>
> As many of us, I keep receiving DSAs. And as usual, we should be
> covered on these ones. If you think it might be useful, I might
> forward DSAs here. Or maybe somebody here would like to take care of
> putting together a summary of DSAs once a fortnight or so? That might
> be useful.

It might prompt me to upgrade more than once every three to five years,
which has been my pattern for decades. A good scare is worth a truckload
of advice.

Erik
Re: [DNG] [j...@debian.org: [SECURITY] [DSA 4139-1] firefox-esr security update]
On Fri, Mar 16, 2018 at 06:01:20PM +0900, Olaf Meeuwissen wrote:
> Hi KatolaZ,
>
> KatolaZ writes:
>
> > As many of us, I keep receiving DSAs. And as usual, we should be
> > covered on these ones. If you think it might be useful, I might
> > forward DSAs here. Or maybe somebody here would like to take care of
> > putting together a summary of DSAs once a fortnight or so? That might
> > be useful.
>
> I'm one of those many and not just because I still have an odd Debian
> machine running. I also keep getting them because I know that Devuan
> will get most of its security upgrades straight from Debian anyway.

I keep receiving them because I have not unsubscribed the mailing list,
not because I have any Debian machine hanging around :)

>
> However, using a simple web search (using Duck Duck Go, if that matters)
> I cannot seem to easily find anything on a Devuan website that clearly
> spells this out. Perhaps that is something that can be improved? The
> landing page lists
>

Security updates are managed in the same way as the rest of the
packages: they get merged by amprolla into the corresponding
"-security" suite. There was online a video describing the whole Devuan
package pipeline, but I understand we should probably provide a better
layman description of what amprolla does and of what it does not. The
latter point seems to have created a lot of confusion in the past. I
might give a try at writing something short at some point.

HND

KatolaZ
Re: [DNG] [j...@debian.org: [SECURITY] [DSA 4139-1] firefox-esr security update]
Hi KatolaZ,

KatolaZ writes:

> As many of us, I keep receiving DSAs. And as usual, we should be
> covered on these ones. If you think it might be useful, I might
> forward DSAs here. Or maybe somebody here would like to take care of
> putting together a summary of DSAs once a fortnight or so? That might
> be useful.

I'm one of those many and not just because I still have an odd Debian
machine running. I also keep getting them because I know that Devuan
will get most of its security upgrades straight from Debian anyway.

However, using a simple web search (using Duck Duck Go, if that matters)
I cannot seem to easily find anything on a Devuan website that clearly
spells this out. Perhaps that is something that can be improved? The
landing page lists

  deb http://auto.mirror.devuan.org/merged jessie-security main

in the Packages section but there's no mention of how Devuan handles
security issues. A link to https://devuan.org/os/security/ on the
landing page as well as a blurb on that security page explaining how
things work would go a long way?

Personally, I have no problem with *not* getting duplicates of Debian's
DSAs. Then again, I also have no real problem with getting them ;-)
# Already get "duplicates" from Ubuntu as well :-/

What I'd definitely like to see is Devuan Security Announcements for the
*forked* packages.

Hope this helps,
--
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join
[DNG] [j...@debian.org: [SECURITY] [DSA 4139-1] firefox-esr security update]
FYI

As many of us, I keep receiving DSAs. And as usual, we should be
covered on these ones. If you think it might be useful, I might
forward DSAs here. Or maybe somebody here would like to take care of
putting together a summary of DSAs once a fortnight or so? That might
be useful.

HND

KatolaZ

----- Forwarded message from Moritz Muehlenhoff -----

Date: Thu, 15 Mar 2018 22:38:18 +0100
From: Moritz Muehlenhoff
To: debian-security-annou...@lists.debian.org
Subject: [SECURITY] [DSA 4139-1] firefox-esr security update
User-Agent: Mutt/1.9.4 (2018-02-28)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4139-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 15, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2018-5125 CVE-2018-5127 CVE-2018-5129 CVE-2018-5130
                 CVE-2018-5131 CVE-2018-5144 CVE-2018-5145

Several security issues have been found in the Mozilla Firefox web
browser: Multiple memory safety errors and other implementation errors
may lead to the execution of arbitrary code, denial of service or
information disclosure.

For the oldstable distribution (jessie), these problems have been fixed
in version 52.7.1esr-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 52.7.1esr-1~deb9u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

----- End forwarded message -----