Re: Unable to announce the updates

2020-01-14 Thread Mike Gabriel

Hi,

On Tue 14 Jan 2020 04:10:46 CET, Utkarsh Gupta wrote:

> Hi Chris,
>
> On Tue, 14 Jan, 2020, 5:27 AM Chris Lamb,  wrote:
>
>>> Running `gpg --clearsign DLA-2063-1` which generates DLA-2063-1.asc and
>>> pasting its content and sending it via GMail.
>>>
>>> Whilst I BCCed myself, I do get a "Good signature from Utkarsh Gupta
>>> " on Thunderbird.
>>
>> Whilst not conclusive, this would suggest to me that the mailing list
>> software is not treating this key as authorised; did you perhaps do
>> some Debian keyring changes recently? It may take some time to
>> propagate, perhaps after a keyring update (usually once a month IIRC).
>
> Ah, though my keys were in the keyring (as a DM) since March, only 15 days
> before did I get a mail from the DSA Team telling that the process from DM
> -> DD has been completed.
> So I'm guessing it'll sync by next month at least.
>
> That said, I shall send the DLAs here in some time. Requesting for someone
> to announce the update on my behalf :)
>
>
> Best,
> Utkarsh

please send over the announcement text, I'll handle the signed mail to
d-lts-announce later today.


Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
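
The diagnosis quoted in the message above, as an added example that is not part of the original thread: a clearsigned file can show a good signature against the sender's own keyring and still be uncheckable against a keyring that does not yet hold the key. The script assumes GnuPG 2.1 or later; the key, the `DLA-0000-1` file and the two home directories are constructed, and the second home directory only stands in for whatever keyring the list software consults.

```shell
#!/bin/sh
# Constructed demo: throwaway key and homedirs under /tmp, ~/.gnupg is untouched.

# Print GOOD, NO_PUBKEY or BAD for clearsigned file $2 checked against homedir $1.
verify_with() {
    status=$(gpg --homedir "$1" --batch --status-fd 1 --verify "$2" 2>/dev/null) || true
    case "$status" in
        *'[GNUPG:] GOODSIG'*)   echo GOOD ;;
        *'[GNUPG:] NO_PUBKEY'*) echo NO_PUBKEY ;;   # signature present, key unknown here
        *)                      echo BAD ;;
    esac
}

# Print three results: sender's keyring, receiver before key sync, receiver after.
run_demo() {
    work=$(mktemp -d /tmp/dla.XXXXXX) || return 1   # short path for the agent socket
    sender="$work/sender"; list="$work/list"        # "list" models the receiving side
    mkdir -m 700 "$sender" "$list"
    gpg --homedir "$sender" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Uploader <uploader@example.org>' \
        default default never 2>/dev/null
    printf 'Package: example\nVersion: 0.0-constructed\n' > "$work/DLA-0000-1"
    gpg --homedir "$sender" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --clearsign "$work/DLA-0000-1"              # writes DLA-0000-1.asc
    own=$(verify_with "$sender" "$work/DLA-0000-1.asc")
    before=$(verify_with "$list" "$work/DLA-0000-1.asc")
    # Model the keyring update: the receiver learns the sender's public key.
    gpg --homedir "$sender" --batch --armor --export |
        gpg --homedir "$list" --batch --quiet --import 2>/dev/null
    after=$(verify_with "$list" "$work/DLA-0000-1.asc")
    gpgconf --homedir "$sender" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "$own $before $after"
}

command -v gpg >/dev/null 2>&1 && run_demo
```

The BCC check described in the thread corresponds to the first result only; it says nothing about the second.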





Re: Unable to announce the updates

2020-01-14 Thread Mike Gabriel

Hi Utkarsh,

On Mon 13 Jan 2020 20:39:12 CET, Utkarsh Gupta wrote:

> Hi Chris, Emilio,
>
> On 13/01/20 2:41 pm, Emilio Pozuelo Monfort wrote:
>> On 10/01/2020 19:12, Utkarsh Gupta wrote:
>>> Hi Chris,
>>>
>>> On 10/01/20 11:34 pm, Chris Lamb wrote:
>>>>> I've been trying to send DLA-2063 (and now DLA-2060) announcement to
>>>>> -lts-announce but for some reasons I can't seem to post there.
>>>>
>>>> This is invariably due to issues regarding the GPG signature.
>>>
>>> Ah, I am guessing that Thunderbird doesn't really work when a GPG
>>> signature is sent as an attachment?
>>>
>>>> If it helps, I tend to BCC myself when making those announcements so
>>>> that I can confirm that I used the correct key and (inline) signature
>>>> scheme.
>>>
>>> Aha! Nice idea, I shall BCC myself, too.
>>> Perhaps I shall look up the inline signature scheme, thanks! :)
>>
>> Using enigmail with PGP/mime has problems with debian lists for some
>> reason. So that's most likely the cause. Just use inline PGP signatures
>> when sending mails to -announce lists and you should be good.
>
> Perhaps this doesn't seem to be working for me :/
> Here's what I'm doing:
> Running `gpg --clearsign DLA-2063-1` which generates DLA-2063-1.asc and
> pasting its content and sending it via GMail.
>
> Whilst I BCCed myself, I do get a "Good signature from Utkarsh Gupta
> " on Thunderbird.
>
> Am I missing something?

Maybe use a mail client like Mutt or Thunderbird providing native GPG
support on top of your gmail account?


Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de





Re: Unable to announce the updates

2020-01-14 Thread Utkarsh Gupta
On 15/01/20 3:20 am, Utkarsh Gupta wrote:
> Hi Mike,
> 
> On 14/01/20 2:00 pm, Mike Gabriel wrote:
>> please send over the announcement text, I'll handle the signed mail to
>> d-lts-announce later today.
> 
> Many thanks for doing so.
> Attached is the DLA-2060 for phpmyadmin and DLA-2063 for debian-lan-config.

Just a small thingy,
I had stripped the "From", "To", and the "Subject" field from DLA-2063
previously (when I was trying to send it on my own).

Re-added in the attached DLA-2063 file if it helps.


Best,
Utkarsh

From: Utkarsh Gupta 
To: debian-lts-annou...@lists.debian.org
Subject: [SECURITY] [DLA 2063-1] debian-lan-config security update

Package: debian-lan-config
Version: 0.19+deb8u2
CVE ID : CVE-2019-3467
Debian Bug : 947459


In debian-lan-config < 0.26, configured too permissive ACLs for the Kerberos
admin server allowed password changes for other Kerberos user principals.

For Debian 8 "Jessie", this problem has been fixed in version
0.19+deb8u2.

We recommend that you upgrade your debian-lan-config packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




Re: Unable to announce the updates

2020-01-14 Thread Utkarsh Gupta
Hi Mike,

On 14/01/20 2:00 pm, Mike Gabriel wrote:
> please send over the announcement text, I'll handle the signed mail to
> d-lts-announce later today.

Many thanks for doing so.
Attached is the DLA-2060 for phpmyadmin and DLA-2063 for debian-lan-config.


Best,
Utkarsh

From: Utkarsh Gupta
To: debian-lts-annou...@lists.debian.org
Subject: [SECURITY] [DLA 2060-1] phpmyadmin security update

Package: phpmyadmin
Version: 4:4.2.12-2+deb8u8
CVE ID : CVE-2020-5504
Debian Bug : 948718


In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the
user accounts page. A malicious user could inject custom SQL in place of their
own username when creating queries to this page. An attacker must have a valid
MySQL account to access the server.

For Debian 8 "Jessie", this problem has been fixed in version
4:4.2.12-2+deb8u8.

We recommend that you upgrade your phpmyadmin packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Package: debian-lan-config
Version: 0.19+deb8u2
CVE ID : CVE-2019-3467
Debian Bug : 947459


In debian-lan-config < 0.26, configured too permissive ACLs for the Kerberos
admin server allowed password changes for other Kerberos user principals.

For Debian 8 "Jessie", this problem has been fixed in version
0.19+deb8u2.

We recommend that you upgrade your debian-lan-config packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Best,
Utkarsh


