Package: xen-tools Version: 4.8-1 Severity: serious File: /usr/share/xen-tools/debian.d/20-setup-apt User: [email protected] Usertags: bullseye-security
With the release of Debian bullseye and later, security updates are
provided in the bullseye-security suite instead of bullseye/updates.
The above hook script references ${dist}/updates but when bullseye is
released that should be replaced by ${dist}-security so it looks
like the script would generate an incorrect sources.list using /updates
instead of -security which would cause the new Xen guest to not get
security updates from bullseye in a timely manner.
I suggest that this hook check the version of the Debian release in
question using distro-info and then if the release is 11 or higher,
then use ${dist}-security otherwise use ${dist}/updates as before.
It is much better to use distro-info than to hard-code the release
version numbers. It might even be a good idea to include the security
suite information in distro-info itself and look it up there.
$ grep -B12 -A3 /updates /usr/share/xen-tools/debian.d/20-setup-apt
#
# If the host system has security support then enable that here, too,
# except if we're installing Debian Unstable.
#
if ( test "${dist}" "!=" "sid" && test "${dist}" "!=" "unstable" && \
test -e /etc/apt/sources.list && \
grep ^deb.*security -r /etc/apt/sources.list /etc/apt/sources.list.d
>/dev/null 2>/dev/null ) ; then
cat <<E_O_APT >> ${prefix}/etc/apt/sources.list
#
# Security updates
#
deb http://security.debian.org/ ${dist}/updates main contrib non-free
deb-src http://security.debian.org/ ${dist}/updates main contrib non-free
E_O_APT
else
cat <<E_O_APT >> ${prefix}/etc/apt/sources.list
#
# Security updates - Uncomment to enable.
#
# deb http://security.debian.org/ ${dist}/updates main contrib non-free
# deb-src http://security.debian.org/ ${dist}/updates main contrib non-free
E_O_APT
fi
-- System Information:
Debian Release: bullseye/sid
APT prefers testing-debug
APT policy: (900, 'testing-debug'), (900, 'testing'), (800,
'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700,
'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.9.0-1-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages xen-tools depends on:
ii debootstrap 1.0.123
ii libconfig-inifiles-perl 3.000003-1
ii libdata-validate-domain-perl 0.10-1
pn libdata-validate-ip-perl <none>
pn libdata-validate-uri-perl <none>
ii libfile-slurp-perl 9999.32-1
ii libfile-which-perl 1.23-1
ii libsort-versions-perl 1.62-1
ii libtext-template-perl 1.59-1
ii openssh-client 1:8.3p1-1
ii perl 5.30.3-4
Versions of packages xen-tools recommends:
ii debian-archive-keyring 2019.1
ii e2fsprogs 1.45.6-1
pn libexpect-perl <none>
ii lvm2 2.03.09-3
pn rinse <none>
pn ubuntu-keyring | ubuntu-archive-keyring <none>
pn xen-hypervisor <none>
pn xen-utils <none>
Versions of packages xen-tools suggests:
ii btrfs-progs 5.7-1
pn cfengine2 <none>
pn grub-xen-host <none>
ii reiserfsprogs 1:3.6.27-4
pn xfsprogs <none>
--
bye,
pabs
https://wiki.debian.org/PaulWise
signature.asc
Description: This is a digitally signed message part
