Your message dated Wed, 25 Jan 2023 21:49:08 +0000
with message-id <e1pkndk-006f97...@fasolo.debian.org>
and subject line Bug#1028961: fixed in dpkg 1.21.19
has caused the Debian Bug report #1028961,
regarding dpkg: reverts to using insecure cryptographic algorithms by default
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1028961: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028961
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dpkg
Version: 1.21.13
Severity: serious
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Hi,
dpkg 1.21.13 introduced passing "--openpgp" to GnuPG by default due to
some conflict between the dpkg maintainer and gnupg upstream. This
causes GnuPG to use insecure cryptographic algorithms like the SHA-1
digest algorithm by default.
Please revert
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?h=1.21.13&id=b83114daa69c50d368199d00fbb67e190068b273
I do not think that cryptographic defaults from over 15 years ago are
a good default choice today; rather they are a security issue (just
like, for example, reverting to using SSL3 instead of TLS1.3).
Ansgar
-- Package-specific info:
This system uses merged-usr-via-aliased-dirs, going behind dpkg's
back, breaking its core assumptions. This can cause silent file
overwrites and disappearances, and its general tools misbehavior.
See <https://wiki.debian.org/Teams/Dpkg/FAQ#broken-usrmerge>.
I think this message should be removed as it confuses users.
--- End Message ---
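An added example, not part of the bug report and not code from dpkg or GnuPG: a check that reads the digest algorithm out of each OpenPGP signature packet (RFC 4880 layout) so that signatures made with SHA-1, as described in the report, can be flagged. It expects binary (dearmored) OpenPGP data; the function names, the WEAK policy set and the sample bytes are assumptions made for this example.

```python
# OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}   # assumption: this example's policy

def read_packet(data, pos):
    """Return (tag, body, next_pos) for the packet starting at pos."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                              # new-format header
        tag, l0 = first & 0x3F, data[pos + 1]
        if l0 < 192:
            start, length = pos + 2, l0
        elif l0 < 224:
            start, length = pos + 3, ((l0 - 192) << 8) + data[pos + 2] + 192
        elif l0 == 255:
            start, length = pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        else:
            raise ValueError("partial body lengths are not handled")
    else:                                         # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not handled")
        start = pos + 1 + (1 << ltype)            # 1, 2 or 4 length octets
        length = int.from_bytes(data[pos + 1:start], "big")
    return tag, data[start:start + length], start + length

def signature_digests(data):
    """Return the digest algorithm name of each signature packet (tag 2)."""
    names, pos = [], 0
    while pos < len(data):
        tag, body, pos = read_packet(data, pos)
        if tag == 2:
            if body[0] != 4:                      # v4: version, type, pubkey, hash
                raise ValueError("only v4 signatures are handled")
            names.append(HASH_NAMES.get(body[3], f"unknown({body[3]})"))
    return names

def weak_digests(data):
    return [n for n in signature_digests(data) if n in WEAK]

# Constructed sample: two minimal v4 RSA binary-document signature bodies
# (no subpackets, dummy one-octet MPI); these are not real signatures.
def _sample_sig(hash_id):
    return bytes([4, 0x00, 1, hash_id, 0, 0, 0, 0, 0xAB, 0xCD, 0, 8, 0xFF])

SAMPLE = (bytes([0x88, 13]) + _sample_sig(2)      # old-format header, SHA1
          + bytes([0xC2, 13]) + _sample_sig(10))  # new-format header, SHA512
```

Calling weak_digests() on the dearmored bytes of a detached signature returns an empty list when every signature packet uses a digest outside the WEAK set.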
--- Begin Message ---
Source: dpkg
Source-Version: 1.21.19
Done: Guillem Jover <guil...@debian.org>
We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1028...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guillem Jover <guil...@debian.org> (supplier of updated dpkg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 24 Jan 2023 23:39:50 +0100
Source: dpkg
Architecture: source
Version: 1.21.19
Distribution: unstable
Urgency: medium
Maintainer: Dpkg Developers <debian-d...@lists.debian.org>
Changed-By: Guillem Jover <guil...@debian.org>
Closes: 1028961 1028981
Changes:
 dpkg (1.21.19) unstable; urgency=medium
 .
   [ Guillem Jover ]
   * Architecture support:
     - Revert "arch: Add support for loong64 CPU". See #1028654.
   * Perl modules:
     - Dpkg::OpenPGP::Backend::GnuPG: Set secure signing preferred algorithms.
       Closes: #1028961
     - Dpkg::OpenPGP::Backend::GnuPG: Touch trustedkeys.gpg on temporary gpg
       home.
     - Dpkg::OpenPGP::Backend::GnuPG: Fallback to use «gpg dearmor» if
       present. Reported by Sven Joachim <svenj...@gmx.de> (on IRC).
     - Dpkg::Vendor::Ubuntu: Fix lto feature to honor DEB_BUILD_OPTIONS.
   * Test suite:
     - Set the permissions explicitly for the copied ChangeLog.old file.
     - Add unit tests for lto build flags handling in Ubuntu.
       Thanks to Shengjing Zhu <shengjing....@canonical.com>.
       See https://bugs.launchpad.net/bugs/2002582.
   * Localization:
     - Update Catalan translation.
     - Update Portuguese man pages translation.
       Thanks to Américo Monteiro <a_monte...@gmx.com>. Closes: #1028981
 .
   [ Sven Joachim ]
   * Localization:
     - Update German programs translation.
 .
   [ Helge Kreutzmann ]
   * Localization:
     - Update German man pages translation.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---