cdrom-checker_1.30_i386.changes ACCEPTED into unstable

2015-06-17 Thread Debian FTP Masters


Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Wed, 17 Jun 2015 07:25:20 +0200
Source: cdrom-checker
Binary: cdrom-checker
Architecture: source i386
Version: 1.30
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team 
Changed-By: Christian Perrier 
Description:
 cdrom-checker - Verify the cd contents (udeb)
Changes:
 cdrom-checker (1.30) unstable; urgency=medium
 .
   [ Updated translations ]
   * Turkish (tr.po) by Mert Dirik

-BEGIN PGP SIGNATURE-
Version: GnuPG v1
-END PGP SIGNATURE-


Thank you for your contribution to Debian.


-- 
To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/e1z572r-0005ks...@franck.debian.org



Bug#789035: debian-installer: fails to install pppoe with preseed file

2015-06-17 Thread Thomas van Oudenhove
Package: debian-installer
Version: 20150422+deb8u1
Severity: normal
Tags: d-i

Dear maintainer team,

I'm trying to install a fresh new jessie using a preseed file to automate most
of the task. This worked with the wheezy installer.

I downloaded the debian-8.1.0-i386-CD-1.iso, extracted it onto a USB key with
unetbootin, and added some files:

- syslinux.cfg to configure boot
- preseed.cfg to make some parts of install automated
- pool/main/r/rp-pppoe/pppoe_3.8-3_amd64.deb and
  pool/main/r/rp-pppoe/pppoe_3.8-3_i386.deb as they are not part of the CD1

My exact line in preseed.cfg is:

d-i pkgsel/include string openssh-server libpcap0.8 ppp pppoe openssh-client python

and it ends with the error:

in-target: package 'pppoe' has no installation candidate

and pkgsel fails with error code 100.

I had the exact same setup with wheezy, and it worked. I tried copying the
pppoe files in pool/main/p/pppoe (as a desperate try) but it doesn't work
either.

I absolutely don't know where the problem may be, and I can make further tests
if needed.

Thanks for the job,


-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386

Kernel: Linux 3.16.0-4-i386
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)


-- 
Archive: https://lists.debian.org/20150617095200.17381.5591.reportbug@manaslu.grenoble.local



Processing of cdrom-detect_1.52_i386.changes

2015-06-17 Thread Debian FTP Masters
cdrom-detect_1.52_i386.changes uploaded successfully to localhost
along with the files:
  cdrom-detect_1.52.dsc
  cdrom-detect_1.52.tar.xz
  cdrom-detect_1.52_all.udeb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)


-- 
Archive: https://lists.debian.org/e1z5bgt-00027z...@franck.debian.org



Processing of cdrom-detect_1.52_i386.changes

2015-06-17 Thread Debian FTP Masters
cdrom-detect_1.52_i386.changes uploaded successfully to ftp-master.debian.org
along with the files:
  cdrom-detect_1.52.dsc
  cdrom-detect_1.52.tar.xz
  cdrom-detect_1.52_all.udeb

Greetings,

Your Debian queue daemon (running on host coccia.debian.org)


-- 
Archive: https://lists.debian.org/e1z5bgo-00053p...@coccia.debian.org



cdrom-detect_1.52_i386.changes ACCEPTED into unstable

2015-06-17 Thread Debian FTP Masters


Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Wed, 17 Jun 2015 08:25:11 +0200
Source: cdrom-detect
Binary: cdrom-detect
Architecture: source all
Version: 1.52
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team 
Changed-By: Christian Perrier 
Description:
 cdrom-detect - Detect CDROM devices and mount the CD (udeb)
Changes:
 cdrom-detect (1.52) unstable; urgency=medium
 .
   [ Updated translations ]
   * German (de.po) by Holger Wansing
   * Japanese (ja.po) by Kenshi Muto
   * Turkish (tr.po) by Mert Dirik

-BEGIN PGP SIGNATURE-
Version: GnuPG v1
-END PGP SIGNATURE-


Thank you for your contribution to Debian.


-- 
Archive: https://lists.debian.org/e1z5bmk-0004r0...@franck.debian.org



Bug#788634: debian-installer: Accepting a preseed URL from DHCP allows attacker to hijack installation

2015-06-17 Thread Aliz 'Randomdude'
On 16 June 2015 at 10:37, Wouter Verhelst wrote:
>
> But if you boot off CD-ROM or USB or some such? Then the situation is
> much different. While I agree that having preseeding in that case can be
> useful, I can also understand the POV that the system *defaulting* to
> using such a preseed file is a bad idea.
>

This is the crux of my issue. I agree that an amount of preseeding is
insecure by nature - it's pointless to secure a PXE-booted system -
but I also think that it is reasonable for an end user, who does not
know or care about preseeding, to believe that installation is safe on
a hostile network, particularly because apt is so careful about
verifying signatures (albeit of data that crossed the entire
internet).

If, as Geert Stappers says, more users use this (reasonably obscure?)
feature than are concerned with the security implications of it, then
as an absolute minimum, adding a commandline arg to disable it would
allow security-minded users to install in hostile networks without
possibility of compromise.

I still feel that this is insufficient, though, because the average
end-user will end up having their system compromised (possibly by one
of the notoriously-insecure home internet gateways that seem to be
popular these days). It's my opinion that the feature in question should
be disabled by default, and opt-in with a commandline argument. I've
written a simple patch to implement this (see below). It adds a dialog
that is shown only when a preseed URL is provided via DHCP, and can
be suppressed (i.e., restores the current behaviour of silently
accepting) with the kernel commandline
"preseed/accept_preseed_from_DHCP=true".

For anyone who feels similarly to me, I have built an install CD with
a patched d-i, which I intend to maintain as a fork of the original
d-i project. I have limited resources, however, so I've only built for
jessie on amd64 right now - I hope to add support for more versions
and architectures at some point in the future, but would appreciate
the help of someone more experienced with d-i (or even debian
development!) if possible. My blog post about it is at
https://strange.systems/debian-installer-insecurity .

My patch against 20150422+deb8u1 (please note: I've never submitted to
the Debian project before, so please let me know if I've done anything
wrong here):

diff -ur old/DEBIAN/postinst new/DEBIAN/postinst
--- old/DEBIAN/postinst 2014-09-24 06:16:34.0 +0100
+++ new/DEBIAN/postinst 2015-06-15 01:31:43.88400 +0100
@@ -11,7 +11,13 @@

 dhcp_url=$(dhcp_preseed_url)
 if [ -n "$dhcp_url" ]; then
- preseed_location "$dhcp_url"
+ db_input critical preseed/accept_preseed_from_DHCP || true
+ db_go
+ db_get preseed/accept_preseed_from_DHCP
+ use_dhcp_url=$RET
+ if [ "$use_dhcp_url" == "true" ]; then
+ preseed_location "$dhcp_url"
+ fi
 fi
 preseed preseed/url
 preseed_command preseed/early_command
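
Review bot: The comparison `[ "$use_dhcp_url" == "true" ]` in the added block uses `==`, which is not POSIX inside `[ ]`; shells such as dash reject it with an error, in which case the branch is never taken and an explicit "yes" from the user is silently ignored. Use `=` instead. Also note that `db_input` is guarded with `|| true` while `db_go` is not, so its return code (for example when the user backs out of the dialog) is neither checked nor explicitly ignored; decide which is intended. The `use_dhcp_url` temporary can be dropped by testing `$RET` directly after `db_get`.
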
diff -ur old/DEBIAN/templates new/DEBIAN/templates
--- old/DEBIAN/templates 2014-09-24 06:16:33.0 +0100
+++ new/DEBIAN/templates 2015-06-15 01:24:27.39600 +0100
@@ -1048,3 +1048,13 @@
 Default: d-i/jessie/./preseed.cfg
 Description: for internal use; can be preseeded
  Path added to local server to give the preseed root
+
+Template: preseed/accept_preseed_from_DHCP
+Type: boolean
+Default: false
+Description: Should we accept a preseed URL from a DHCP server?
+ Your DHCP server has provided extra commands or customisations to
+ debian-installer. It is possible that these commands were sent by
+ your network administrator; however, it is impossible to verify
+ this, or to ensure they have not been altered by an attacker who
+ already has access to your local network.
 Template: debian-installer/network-preseed/title
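
Review bot: The added stanza ends at `already has access to your local network.` and is followed directly by the context line `Template: debian-installer/network-preseed/title` with no blank separator, so the two template stanzas would run together; the addition opens with a blank `+` line but needs one at its end as well. That trailing `Template:` line is also a fourth context line, while the header `@@ -1048,3 +1048,13 @@` accounts for only three, so the hunk as posted may not apply and should be regenerated. Both files are under `DEBIAN/`, the control directory of an unpacked package; a diff against the source tree would be easier for the maintainers to apply.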

I've sent this mail to the bugtracker (in addition to the l.d.o. list)
since it contains a patch. I hope this is the correct behaviour.


-- 
Archive: https://lists.debian.org/CAEMXWCBvfEqin0FE2j=z2ccbt611cccog0xaacwjyy0behj...@mail.gmail.com