Re: should the Release Notes be updated concerning trixie security

2025-07-13 Thread Holger Levsen
On Sun, Jul 13, 2025 at 01:17:36AM +0200, Santiago Ruano Rincón wrote: > (CCing the actual security team address - team@s.d.o) being lazy I'm replying to this mail though this is actually a reply to > On 12/07/25 at 22:04, Paul Gevers wrote: > > The text about golang and rustc and chromium

Re: should the Release Notes be updated concerning trixie security

2025-07-12 Thread Santiago Ruano Rincón
Hello! (CCing the actual security team address - team@s.d.o) On 12/07/25 at 22:04, Paul Gevers wrote: > Dear security team, > > I sent you a similar request at the end of the bookworm release. Are you > aware of issues that are worth mentioning in the release notes from your > point of vie

Re: Security tracker suggestions

2025-06-27 Thread Roberto C . Sánchez
Hi Adrian, On Thu, Jun 26, 2025 at 02:59:06AM +0300, Adrian Bunk wrote: > Hi, > > below are some items I have for security tracker development. > > No commitment from me to work on any of these, but if this > is considered useful I can turn them into salsa issues. > These all seem like ideas t

Re: Resurrecting the Securing Debian Manual

2025-06-11 Thread Holger Levsen
hi, I also should have thrown in some more URLs, namely: https://jenkins.debian.net/userContent/debian-edu-doc/debian-edu-doc-en/debian-edu-bookworm-manual.html https://jenkins.debian.net/userContent/debian-edu-doc/debian-edu-doc-en/debian-edu-bookworm-manual.pdf https://jenkins.debian.net/userCon

Re: Resurrecting the Securing Debian Manual

2025-06-11 Thread Dave P.
commit/edit more. 😀 Ultimately, Javier is the writer and maintainer of this manual. It is GPL, which of course means that anyone could copy/modify/re-create/etc... *However, a word of caution: updating/recreating a manual of this proportion is a big proposition. Trust me on this - I know! * For

Re: Resurrecting the Securing Debian Manual

2025-06-11 Thread Holger Levsen
On Mon, Jun 09, 2025 at 04:43:47PM +, Holger Levsen wrote: > https://wiki.debian.org/DebianEdu/Documentation/Trixie (or Bookworm or many > earlier releases) is an example where this is being done, using translations > via > .po files (nowadays mostly translated via weblate) and with a > src:de

Re: Resurrecting the Securing Debian Manual

2025-06-10 Thread debianmailinglists . hz5zm
I'm not an expert or developer, but I'll take a look at this when I've got a few minutes and see if there's anywhere I feel I can make a meaningful contribution, thanks for the link. I brought this up I believe on the forums quite a while back because when reading it the issue I ran into wasn't

Re: Resurrecting the Securing Debian Manual

2025-06-10 Thread Javier Fernandez-Sanguino
On Tue, 10 Jun 2025 at 22:57, Noah Meyerhans wrote: > On Tue, Jun 10, 2025 at 09:57:43PM +0200, Javier Fernandez-Sanguino wrote: > >Moving the manual to a Wiki could be an option but I would rather > first > >have an updated version/content using the current package/toolset and > then > >

Re: Resurrecting the Securing Debian Manual

2025-06-10 Thread Noah Meyerhans
On Tue, Jun 10, 2025 at 09:57:43PM +0200, Javier Fernandez-Sanguino wrote: >Moving the manual to a Wiki could be an option but I would rather first >have an updated version/content using the current package/toolset and then >consider moving it to a wiki. The current format is arcane an

Re: Resurrecting the Securing Debian Manual

2025-06-10 Thread Javier Fernandez-Sanguino
[ Apologies in advance for top posting but I'm writing this on my phone in an airplane ] Dear Noah, As the main developer of the manual I find your comments very interesting. I agree that the manual needs an overhaul and I'm sure more hands in it would help improve it tremendously. Moving the ma

Re: Resurrecting the Securing Debian Manual

2025-06-10 Thread Dave P.
Excellent idea Noah, especially Debian *server* security. I'm willing to help. The Wiki option sounds like the best way to me. Some points: - SSH server security - Firewalls: I think someone mentioned nftables, and that is optimal. But for people choosing between UFW and firewalld front-end tools,

Re: Resurrecting the Securing Debian Manual

2025-06-10 Thread debianmailinglists . hz5zm
I certainly think having an up to date "Securing Debian" document is a worthy endeavor, especially for server management. I've been using Debian to host my family home server for years now and have learned a lot in that time, so I actually started my own take on a re-write a wh

Re: Resurrecting the Securing Debian Manual

2025-06-09 Thread Vladislav Kurz
Hello Noah, very good idea. Things have changed a lot in the past years, and many guides are obsolete. Tips what to include / check / rewrite: iptables -> nftables sysV-init -> systemd completely new: apparmor, SELinux Also I have recently hit this thing, which might be for general consideratio

Re: Resurrecting the Securing Debian Manual

2025-06-09 Thread Rob Ward
Hi Noah, > Most basically, I wonder if folks think this is a worthy idea. Another long-term Debian user here who normally doesn't post to this list. I am very much in favour of this idea. There is a lot of information out there on this topic, but a lot of nonsense and flame wars which discourag

Re: Resurrecting the Securing Debian Manual

2025-06-09 Thread Jeffrey Chimene
I'd like to see updates on Active Response. I've adopted Wazuh for such a task. On 6/9/25 09:20, Noah Meyerhans wrote: Hi all. The Securing Debian Manual (the harden-doc package) is woefully out of date and doesn't provide accurate guidance for operating modern software in the current threat la

Re: Resurrecting the Securing Debian Manual

2025-06-09 Thread Holger Levsen
Hi Noah, On Mon, Jun 09, 2025 at 12:20:36PM -0400, Noah Meyerhans wrote: > Most basically, I wonder if folks think this is a worthy idea. I do think so! Thanks for your initiative, I do hope it will fly! > My inclination is to primarily focus on general principles rather than > try to document

Re: Resurrecting the Securing Debian Manual

2025-06-09 Thread Michael Lazin
I am usually radio silent on this list but this project is interesting to me because I have 11 years of experience doing forensics in a purely Debian environment. I am not a full stack developer, I can script in bash and python but this is not enough to contribute to code. Contributing to this ma

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2025-06-03 Thread Roberto C . Sánchez
On Sun, May 18, 2025 at 06:43:37PM +0200, Salvatore Bonaccorso wrote: > Hi Santiago, > > On Fri, May 16, 2025 at 03:20:36PM -0300, Santiago Ruano Rincón wrote: > > > > Would you be OK if we track the above proposal on a salsa issue in, > > https://salsa.debian.org/security-tracker-team/security-t

RE: Clarification Request: Acceptable Scenarios for Submitting CVE Fixes to Debian

2025-05-19 Thread Fu, Rong (CN)
f Of Salvatore Bonaccorso Sent: Sunday, May 18, 2025 4:12 AM To: Fu, Rong (CN) Cc: t...@security.debian.org; debian-security@lists.debian.org Subject: Re: Clarification Request: Acceptable Scenarios for Submitting CVE Fixes to Debian CAUTION: This email comes from a non Wind River email acco

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2025-05-18 Thread Salvatore Bonaccorso
Hi Santiago, On Fri, May 16, 2025 at 03:20:36PM -0300, Santiago Ruano Rincón wrote: > Dear security team, > > On 10/05/25 at 16:14, Samuel Henrique wrote: > > Hello Salvatore, sorry about the late reply, I was in MiniDebConf Maceió. > > > > On Thu, 1 May 2025 at 06:24, Salvatore Bonaccorso

Re: Clarification Request: Acceptable Scenarios for Submitting CVE Fixes to Debian

2025-05-17 Thread Salvatore Bonaccorso
Hi Let's comment on some of your specific CVEs, thanks for reaching out. On Mon, May 12, 2025 at 06:09:37AM +, Fu, Rong (CN) wrote: > Dear maintainer, > > > > I would like to clarify the appropriate circumstances under which a > Debian bug report should be submitted for CVE-related fixes.

Re: Upcoming stable point release: 12.11

2025-05-17 Thread Jonathan Wiltshire
On Sat, May 03, 2025 at 02:42:14PM +0100, Jonathan Wiltshire wrote: > The next point release for "bookworm" (12.11) is scheduled for Saturday, > May 17th 2025. Processing of new uploads into bookworm-proposed-updates > will be frozen during the preceding weekend. The archive side of the point rele

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2025-05-16 Thread Santiago Ruano Rincón
Dear security team, On 10/05/25 at 16:14, Samuel Henrique wrote: > Hello Salvatore, sorry about the late reply, I was in MiniDebConf Maceió. > > On Thu, 1 May 2025 at 06:24, Salvatore Bonaccorso wrote: > > Yes the A2 would go in the direction we are thinking, internally we > > have said t

Re: SHH Cipher recommendations and "prohibitions" from Debian?

2025-05-13 Thread c . buhtz
Hello Chris, Thank you for your reply. Am 13.05.2025 12:39 schrieb Chris Boot: I don't think that your software _should_ offer cipher selection options [..] If your users know enough about ciphers to make their own judgements about them and make their own selections, they should also know about

Re: SHH Cipher recommendations and "prohibitions" from Debian?

2025-05-13 Thread Chris Boot
On 13/05/2025 10:35, c.bu...@posteo.jp wrote: [...] I know nearly nothing about Ciphers and stuff like this. I would like to give my users some hands-on about the available and used ciphers. I would like to warn if they use an out-dated one and I want to recommend some. [...] I also know lit

Re: SHH Cipher recommendations and "prohibitions" from Debian?

2025-05-13 Thread Bartosz Fenski
I'd start with something like https://github.com/jtesta/ssh-audit Bartek On 13/05/2025 11:35 AM, c.bu...@posteo.jp wrote: Hello, I am upstream maintainer of "Back In Time" [1][2]. It is GUI backup software using rsync, where rsync is able to connect via SSH to a remote host. Users are able t

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2025-05-10 Thread Samuel Henrique
Hello Salvatore, sorry about the late reply, I was in MiniDebConf Maceió. On Thu, 1 May 2025 at 06:24, Salvatore Bonaccorso wrote: > Yes the A2 would go in the direction we are thinking, internally we > have said to it a new "nonissue" state, which can apply as well at > suite entry levels (this

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2025-05-01 Thread Salvatore Bonaccorso
Hi Samuel, On Sun, Apr 13, 2025 at 04:47:38PM +0100, Samuel Henrique wrote: > Hello Salvatore, > > On Sun, 13 Apr 2025 at 16:32, Salvatore Bonaccorso wrote: > > I have not gone to all details of your proposal, but the high level > > view is IMHO as described in short above. For instance for the

Re: Open security issues affecting trixie which are not RC (2025-04-29)

2025-04-29 Thread NoisyCoil
Hi Jeff, On 29/04/25 22:12, Jeffrey Walton wrote: For Crypto++, Debian should grab . Should the preceding and following commit also be picked? Cheers!

Re: Open security issues affecting trixie which are not RC (2025-04-29)

2025-04-29 Thread Jeffrey Walton
On Tue, Apr 29, 2025 at 2:21 PM Moritz Mühlenhoff wrote: > > Hi, > giving this a try for the trixie release: > > If anyone wants to help getting trixie in good shape: Here's > a list of open security issues below the RC threshold which > would still be useful to fix before the release. Many of > t

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2025-04-13 Thread Samuel Henrique
Hello Salvatore, On Sun, 13 Apr 2025 at 16:32, Salvatore Bonaccorso wrote: > I have not gone to all details of your proposal, but the high level > view is IMHO as described in short above. For instance for the zlib > issues that would then move the entries from the ignored (which is a > substate o

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2025-04-13 Thread Salvatore Bonaccorso
Hi, On Sun, Apr 13, 2025 at 04:06:38PM +0100, Samuel Henrique wrote: > Hello everyone, > > On Sun, 2 Mar 2025 at 20:26, Samuel Henrique wrote: > > Just checking if you would have time to look into this. > > Sending another ping, this proposal is now 1 year old. > > For clarity, I'm not request

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2025-04-13 Thread Samuel Henrique
Hello everyone, On Sun, 2 Mar 2025 at 20:26, Samuel Henrique wrote: > Just checking if you would have time to look into this. Sending another ping, this proposal is now 1 year old. For clarity, I'm not requesting the team to do any work here. I can work on the changes, I just need a decision on

Re: FWD: FWD: FWD: Re: Strange welcome after a testmail

2025-03-29 Thread Lupe Christoph
On Monday, 2025-03-24 at 17:02:44 +0100, h...@tutamail.com wrote: > Strange welcome after a testmail > -that's obviously bullying after agreement, an ugly intrigue after > two month silence before getting subscribed. > And before I got the opportunity to say something about the  > attacks on me by t

FWD: Re: Strange welcome after a testmail

2025-03-24 Thread hste
Of course Jeffrey. Which shit ? -- Secured with Tuta Mail: https://tuta.com/free-email Date: Mar 24, 2025, 18:30 From: noloa...@gmail.com To: h...@tutamail.com Subject: Re: Strange welcome after a testmail > Please take this shit off-list. > > On Mon, Mar 24, 2025 at 8:07 

FWD: FWD: FWD: Re: Strange welcome after a testmail

2025-03-24 Thread hste
minal conspiration especially now for Linux, Debian, Thorvalds and co. Date: Mar 24, 2025, 15:38 From: h...@tutamail.com To: l...@lupe-christoph.de Subject: FWD: FWD: Re: Strange welcome after a testmail > > -Just for a check. Anyone who can reply by "ok"? > -Thanks to all > >

Re: Strange welcome after a testmail

2025-03-24 Thread Pierre-Elliott Bécue
Please, stop this, and go read the Mailing List Code of Conduct. https://www.debian.org/MailingLists/#codeofconduct h...@tutamail.com wrote on 24/03/2025 at 10:24:29+0100: > Date: Mar 24, 2025, 08:34 > From: h...@tutamail.com > To: stapp...@stappers.nl > Subject: FWD: Re: FWD:

FWD: Re: Testmail

2025-03-23 Thread hste
Thanks to all -- Secured with Tuta Mail: https://tuta.com/free-email Date: Mar 22, 2025, 21:25 From: aandrew...@yahoo.com To: h...@tutamail.com Subject: Re: Testmail > > ok > > On Saturday, March 22, 2025 at 04:07:37 AM CDT, wrote: > > > Just for a check. Anyone who can reply by "ok"? > >

Re: Testmail

2025-03-22 Thread Álesson Nunes
Ok On Sat., 22 Mar. 2025 08:21, Arne Pisch wrote: > ok >

Re: Testmail

2025-03-22 Thread Jeffrey Walton
On Sat, Mar 22, 2025 at 8:42 AM wrote: > > Just for a check. Anyone who can reply by "ok"? Please don't pollute this list. You should run your checks on .

Re: Testmail

2025-03-22 Thread Meso Security
Ok On Sat, Mar 22, 2025 at 12:39 PM, Jeffrey Walton wrote: On Sat, Mar 22, 2025 at 8:42 AM wrote: > > Just for a check. Anyone who can reply by "ok"? Please don't pollute this list. You should run your checks on

Re: Testmail

2025-03-22 Thread j V
Ok On Sat, 22 Mar 2025, 08:21, Arne Pisch wrote: > ok >

Re: Testmail

2025-03-22 Thread sylvain
Ok On 22 March 2025 10:07:15 GMT+01:00, h...@tutamail.com wrote: >Just for a check. Anyone who can reply by "ok"?

Re: sbuscribe

2025-03-19 Thread Povl Ole Haarlev Olsen
On Wed, 19 Mar 2025, Francesco Buscaino wrote: [- Cut -] To subscribe to the debian-security mailing list, you need to send an email to: List-Subscribe: Note the "-request" part of the email address. -- Povl Ole

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2025-03-02 Thread Samuel Henrique
Hello Salvatore, On Sun, 1 Dec 2024 at 14:08, Salvatore Bonaccorso wrote: > On Wed, Nov 27, 2024 at 11:28:50PM +, Samuel Henrique wrote: > > On Sat, 2 Nov 2024 at 20:02, Samuel Henrique wrote: > > > On Tue, 29 Oct 2024 at 19:43, Salvatore Bonaccorso > > > wrote: > > > > As mentioned in an

Re: Bug#1093650: Prebuilt binaries in QEMU source

2025-01-20 Thread Michael Tokarev
20.01.2025 23:53, Michael Tokarev wrote: 20.01.2025 23:49, Heinrich Schuchardt wrote: Hello Michael, I can understand that a maintainer cares about keeping his package buildable but system security is of even higher importance. The xz package has demonstrated the security impact of including

Re: Bug#1093650: Prebuilt binaries in QEMU source

2025-01-20 Thread Heinrich Schuchardt
On 1/20/25 21:29, Michael Tokarev wrote: 20.01.2025 23:22, Heinrich Schuchardt wrote: Package: qemu-system-riscv Version: 1:9.2.0+ds-5 Severity: normal The https://salsa.debian.org/qemu-team/qemu contains pre-built binaries. Binaries should always be built from source. What's the point in f

Re: Bug#1093650: Prebuilt binaries in QEMU source

2025-01-20 Thread Michael Tokarev
20.01.2025 23:49, Heinrich Schuchardt wrote: Hello Michael, I can understand that a maintainer cares about keeping his package buildable but system security is of even higher importance. The xz package has demonstrated the security impact of including binaries of unchecked origin. Why do we

Re: Intel Microcode updates

2024-12-07 Thread Henrique de Moraes Holschuh
Hello Elmar, I feel it is best to be very clear on this: I will *not* add automatic downloading of Intel microcode updates from unofficial place. The reasons are: 1. License issues. Non-negotiable. And this has been covered in this half-a-decade-old thread that raised from the grave, so I

Re: [DSA 5824-1] chromium security update

2024-12-07 Thread Santiago Vila
On 7/12/24 at 12:31, Bjørn Mork wrote: But shouldn't those clang packages also be available from bookworm-security then? Yes, they should. Don't worry, this is known and I'm sure that Andres and the security team are already working on it: https://bugs.debian.org/cgi-bin/bugreport.cgi?b

Re: [DSA 5824-1] chromium security update

2024-12-07 Thread Bjørn Mork
Andres Salomon writes: > For the stable distribution (bookworm), this problem has been fixed in > version 131.0.6778.108-1~deb12u1. What am I missing here? root@miraculix:/tmp# apt install chromium Reading package lists... Done Building dependency tree... Done Reading state information... Done

RE: Should Debian ask for a CPE when a CVE in Debian is found?

2024-12-02 Thread Brewer, Tanya L. (Fed)
; debian-security@lists.debian.org; Brewer, Tanya L. (Fed) Cc: Wheeler, David A ; cpe_dictionary ; Kate Stewart ; Samir Khakimov ; Holger Levsen ; Turner, Christopher A. (Fed) Subject: RE: Should Debian ask for a CPE when a CVE in Debian is found? Hi David, Noting that the statement below

RE: Should Debian ask for a CPE when a CVE in Debian is found?

2024-12-02 Thread Booth, Harold (Fed)
arold -Original Message- From: David A. Wheeler Sent: Sunday, December 1, 2024 3:30 PM To: Booth, Harold (Fed) ; debian-security@lists.debian.org Cc: Wheeler, David A ; cpe_dictionary ; Kate Stewart ; Samir Khakimov ; Holger Levsen Subject: Re: Should Debian ask for a CPE when a CVE in Debian is

Re: Should Debian ask for a CPE when a CVE in Debian is found?

2024-12-01 Thread David A. Wheeler
> On Feb 12, 2016, at 12:50 PM, Booth, Harold wrote: > > We welcome and encourage participation from any vendor to provide us with > this information. We will be happy to work with Debian to accept their CPE > submissions for products that they release. What would help you to get > started?

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-12-01 Thread Salvatore Bonaccorso
Hi Samuel, On Wed, Nov 27, 2024 at 11:28:50PM +, Samuel Henrique wrote: > Hello Salvatore, > > On Sat, 2 Nov 2024 at 20:02, Samuel Henrique wrote: > > On Tue, 29 Oct 2024 at 19:43, Salvatore Bonaccorso > > wrote: > > > As mentioned in an earlier message: What I would love to see is to > >

Re: I forgot my password and Debian need password when booting

2024-11-28 Thread CMH
: 11/27/24 17:17 (GMT-05:00) To: debian-security@lists.debian.org, cho...@binghamton.edu Subject: Re: I forgot my password and Debian need password when booting Can you get grub to appear? If you can an easy way to get in Go to the end of the line with options and add to the end I think

Re: (No Subject)

2024-11-28 Thread Povl Ole Haarlev Olsen
On Thu, 28 Nov 2024, Sergey S. wrote: unsubscribe From the mail headers: List-Unsubscribe: You might want to send an email to that address instead of the mailing list. -- Povl Ole

Re: (No Subject)

2024-11-28 Thread Sergey S.
Sure, I didn't think it through, that I shouldn't do it this way and that I would send a message to the entire mailing list. I used https://www.debian.org/MailingLists/unsubscribe after. Sorry to bother you. -- BR, Sergey On Thursday, November 28th, 2024 at 10:47 AM, Povl Ole Haarlev Olsen

Re: bind9 update 9.16.50 -- too many record

2024-11-28 Thread Guillaume Bienkowski
Hi Lee, Ondrej, Salvatore I didn't follow up on this because your backport of the configuration settings was done after my original message in August: the 9.16.50-1~deb11u2 version, which landed during my holiday break. Since then, we are able to set the appropriate configuration settings to ena

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-11-27 Thread Samuel Henrique
Hello Salvatore, On Sat, 2 Nov 2024 at 20:02, Samuel Henrique wrote: > On Tue, 29 Oct 2024 at 19:43, Salvatore Bonaccorso wrote: > > As mentioned in an earlier message: What I would love to see is to > > actually have a substate which makes the situation clear, and still > > being technically c

Re: Latent bugs in armel, armhf packages built before t64 transition

2024-11-27 Thread Leandro Cunha
Hi, On Thu, Aug 15, 2024 at 7:21 PM Chris Hofstaedtler wrote: > > Hi, > > while investigating a test failure in ksh93u+m, it became clear that > packages last built before the time_t-64bit transition can have > latent bugs. > They might very well now FTBFS or fail at runtime (autopkgtest time > o

Re: Latent bugs in armel, armhf packages built before t64 transition

2024-11-27 Thread Martin
On 2024-08-16 10:25, Emanuele Rocca wrote: > Martin, I think you and your employer were looking for ways to help the > armhf/armel ports. This looks like a great one! :) Noted ;-)

Re: Bug#539352: /etc/init.d/mountkernfs.sh: Please mount debugfs when available in the kernel

2024-11-11 Thread Mark Hindley
Hi Debian Security Team, Could I have your input on this please? An old bug has been reopened asking for initscripts to mount debugfs by default. It was closed for several years, but the workaround has now disappeared. In the original thread, concerns were raised about mounting debugfs in all cas

Re: Upcoming stable point releases: 12.8 and 12.9

2024-11-09 Thread Adam D. Barratt
On Sun, 2024-10-13 at 11:47 +0100, Jonathan Wiltshire wrote: > The next point release for "bookworm" (12.8) is scheduled for > Saturday, November 9th. The archive side of the point release has now finished, and packages should start appearing on mirrors shortly. Regards, Adam

Re: dpkg MD5

2024-11-08 Thread Jeffrey Walton
On Thu, Nov 7, 2024 at 10:12 PM Jeremy Stanley wrote: > [...] > > Probably the most convincing reason to replace such uses of MD5 is > that we collectively get to stop wasting time answering this same > question over and over and over... One more datapoint that might be useful AMD/Intel, ARMv

Re: dpkg MD5

2024-11-08 Thread Jeremy Stanley
On 2024-11-08 15:41:25 + (+), Jeremy Stanley wrote: [...] > Now grab a package file like > https://deb.debian.org/debian/pool/main/o/openssh/ssh_9.9p1-3_all.deb > and unpack it (dpkg-deb ssh_9.9p1-3_all.deb foo) [...] Hopefully obvious, but that should have been `dpkg-deb -R ...` instead,

Re: dpkg MD5

2024-11-08 Thread SZÉPE Viktor
Quoting Jeremy Stanley: Mostly. I don't know that the per-file checksums inside the DEB are all that useful to "make sure the packages arrived in one piece and weren't corrupted" since we already have stronger solutions for that: I am a frequent debsums runner. debsums alerts you when

Re: dpkg MD5

2024-11-08 Thread Jeremy Stanley
On 2024-11-08 04:04:19 + (+), debianmailinglists.hz...@simplelogin.com wrote: > I'm not a Debian developer, just a curious onlooker who hasn't > seen all of these messages, so I could be completely off base with my > understanding of how things work. But, it was my understanding > that the bu

Re: dpkg MD5

2024-11-08 Thread Simon Josefsson
David Campbell writes: > To whom it may concern, > > dpkg currently uses MD5 to verify packages, but MD5 is considered > insecure, why not switch to SHA256 (and also update lintian)? > > Also, to make verifying packages more useful, why not get a checksum > from a more trusted source, like a main

Re: dpkg MD5

2024-11-07 Thread Jeffrey Walton
From: debianmailinglists.hz...@simplelogin.com: > > I'm not a Debian developer, just a curious onlooker who hasn't seen all > of these messages, so I could completely off base with my understanding > of how things work. But, it was my understanding that the bundled MD5 > inside a .deb file isn't t

Re: dpkg MD5

2024-11-07 Thread Jeffrey Walton
On Thu, Nov 7, 2024 at 10:12 PM Jeremy Stanley wrote: > [...] > Probably the most convincing reason to replace such uses of MD5 is > that we collectively get to stop wasting time answering this same > question over and over and over... Hear, hear! Jeff

Re: I Joined This List

2024-11-07 Thread Jeffrey Walton
On Fri, Nov 8, 2024 at 12:02 AM David Campbell wrote: > > Okay, I subscribed to the list and will review the emails once they are > posted publicly. You can also find the discussions in the archive at . Jeff

Re: dpkg MD5

2024-11-07 Thread debianmailinglists . hz5zm
I'm not a Debian developer, just a curious onlooker who hasn't seen all of these messages, so I could be completely off base with my understanding of how things work. But, it was my understanding that the bundled MD5 inside a .deb file isn't there for security, it's just there to make sure the pack

Re: dpkg MD5

2024-11-07 Thread Jeremy Stanley
On 2024-11-07 21:30:26 -0500 (-0500), Jeffrey Walton wrote: > On Thu, Nov 7, 2024 at 7:22 PM Jeremy Stanley wrote: > > > > On 2024-11-07 16:45:54 -0500 (-0500), David Campbell wrote: > > [...] > > > dpkg currently uses MD5 to verify packages, but MD5 is considered > > > insecure, why not switch to

Re: dpkg MD5

2024-11-07 Thread Jeffrey Walton
On Thu, Nov 7, 2024 at 7:22 PM Jeremy Stanley wrote: > > On 2024-11-07 16:45:54 -0500 (-0500), David Campbell wrote: > [...] > > dpkg currently uses MD5 to verify packages, but MD5 is considered > > insecure, why not switch to SHA256 (and also update lintian)? > [...] > > MD5 is considered insecur

Re: dpkg MD5

2024-11-07 Thread Jeremy Stanley
On 2024-11-07 16:45:54 -0500 (-0500), David Campbell wrote: [...] > dpkg currently uses MD5 to verify packages, but MD5 is considered > insecure, why not switch to SHA256 (and also update lintian)? [...] MD5 is considered insecure to collision attacks, but mounting one would require that the creat
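
The distinction this thread keeps returning to (the md5sums control file inside a .deb is a corruption check for installed files, while authenticity of what apt downloads rests on the SHA256 hashes in the signed Release file) can be made concrete. The following is an added example, not code from the thread, from dpkg or from apt; the package name "example", its file contents and the Packages/Release fragments are all constructed inline so it runs offline, and the OpenPGP signature check on Release itself (apt's gpgv step) is assumed to have already happened.

```python
"""
Added example (not dpkg/apt code): the two integrity layers the dpkg MD5
discussion distinguishes.

 * md5sums control file shipped inside a .deb (what debsums reads from
   /var/lib/dpkg/info/<pkg>.md5sums): detects local corruption of installed
   files, carries no authenticity on its own.
 * Signed Release file: its SHA256 section lists hash and size of each index
   file, and those indexes in turn list the SHA256 of every .deb.

All file bodies and index lines below are constructed for the example.
"""
import hashlib

# Constructed sample: files as a hypothetical package "example" installs them.
INSTALLED_FILES = {
    "usr/bin/example-tool": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/example/copyright": b"License: MIT\n",
}

# Constructed md5sums control file in dpkg's format: "<md5hex>  <path>".
MD5SUMS = "".join(
    f"{hashlib.md5(data).hexdigest()}  {path}\n"
    for path, data in INSTALLED_FILES.items()
)

# Constructed Packages index and the Release stanza that covers it.
PACKAGES_INDEX = b"Package: example\nVersion: 1.0-1\nSHA256: " + b"0" * 64 + b"\n"
RELEASE = (
    "Origin: Debian\nSuite: stable\nSHA256:\n"
    f" {hashlib.sha256(PACKAGES_INDEX).hexdigest()} {len(PACKAGES_INDEX):>8} "
    "main/binary-amd64/Packages\n"
)


def parse_md5sums(text):
    """Parse a dpkg md5sums file into {path: md5hex}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, path = line.partition("  ")
        if not sep or len(digest) != 32:
            raise ValueError(f"malformed md5sums line: {line!r}")
        entries[path] = digest
    return entries


def debsums_check(md5sums_text, files):
    """Return paths whose current content does not match the recorded MD5.

    This is the corruption check debsums performs; a missing file counts as
    a mismatch. It says nothing about who produced the package.
    """
    expected = parse_md5sums(md5sums_text)
    bad = []
    for path, digest in expected.items():
        data = files.get(path)
        if data is None or hashlib.md5(data).hexdigest() != digest:
            bad.append(path)
    return sorted(bad)


def parse_release_sha256(text):
    """Parse the SHA256 section of a Release file into {path: (hex, size)}."""
    entries = {}
    in_section = False
    for line in text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        elif in_section:
            in_section = False  # next top-level field ends the section
    return entries


def verify_against_release(release_text, path, data):
    """Check an index file against the hash and size listed in Release.

    Assumes release_text was already authenticated by its signature; only
    then does the SHA256 here bind the index to the archive.
    """
    expected = parse_release_sha256(release_text)
    if path not in expected:
        return False
    digest, size = expected[path]
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


if __name__ == "__main__":
    print("debsums mismatches:", debsums_check(MD5SUMS, INSTALLED_FILES))
    print("Packages index authentic:",
          verify_against_release(RELEASE, "main/binary-amd64/Packages",
                                 PACKAGES_INDEX))
```

An attacker who can alter a file on disk can also rewrite the md5sums entry next to it, which is why debsums is a drift and corruption detector rather than a security boundary; swapping MD5 for SHA256 in that file would change nothing about that. The chain that actually matters for trust runs from the Release signature through the SHA256 entries to the .deb, which is what the verify_against_release step models.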

Re: dpkg MD5

2024-11-07 Thread David Campbell
Nope, but I thought that may be a way to make checksumming more useful. On 11/7/24 17:08, Jonathan Hutchins wrote: Do you have any evidence that there has been an attempt to post bogus packages to the official mirrors? -- David Campbell

Re: dpkg MD5

2024-11-07 Thread Jonathan Hutchins
On 2024-11-07 15:45, David Campbell wrote: To whom it may concern, dpkg currently uses MD5 to verify packages, but MD5 is considered insecure, why not switch to SHA256 (and also update lintian)? Do you have any evidence that there has been an attempt to post bogus packages to the official mir

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-11-02 Thread Samuel Henrique
Hello everyone, I'll merge my replies to Moritz and Salvatore into a single email. Moritz, On Tue, 29 Oct 2024 at 19:15, Moritz Mühlenhoff wrote: > I'm also in favour of changing the tracking. The current procedure addresses a > fringe use case (supporting rebuilds of source packages) in an inc

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-10-29 Thread Salvatore Bonaccorso
Hi Samuel, On Tue, Oct 29, 2024 at 07:06:23PM +, Samuel Henrique wrote: > Hello everyone, > > On Wed, 4 Sept 2024 at 12:47, Emilio Pozuelo Monfort wrote: > > One issue I see with using not-affected for this is that not-affected > > effectively marks all older versions as that. However, in th

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-10-29 Thread Samuel Henrique
Hello everyone, On Wed, 4 Sept 2024 at 12:47, Emilio Pozuelo Monfort wrote: > One issue I see with using not-affected for this is that not-affected > effectively marks all older versions as that. However, in this case, a source > could be affected (e.g. in bookworm) and then in sid we've stopped

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-09-04 Thread Emilio Pozuelo Monfort
On 31/08/2024 20:07, Samuel Henrique wrote: Hello everyone, I've written another revision of my proposal, this is version 3 of it, the previous ones are on this email thread on debian-security@lists.debian.org. I did get some feedback from the Security Team privately, it wasn't anything confide

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2024-08-31 Thread Samuel Henrique
Hello everyone, I've written another revision of my proposal, this is version 3 of it, the previous ones are on this email thread on debian-security@lists.debian.org. I did get some feedback from the Security Team privately, it wasn't anything confidential, it's just that some members of the team

Re: Upcoming stable point release (12.7)

2024-08-31 Thread Adam D. Barratt
On Tue, 2024-07-16 at 21:22 +0100, Jonathan Wiltshire wrote: > The next point release for "bookworm" (12.7) is scheduled for > Saturday, > August 31st. Processing of new uploads into bookworm-proposed-updates > will > be frozen during the preceding weekend. The archive side of the point release h

Re: Upcoming oldstable point release (11.11)

2024-08-31 Thread Adam D. Barratt
On Tue, 2024-07-16 at 21:25 +0100, Jonathan Wiltshire wrote: > The next and final point release for "bullseye" (11.11) is scheduled > for > Saturday, August 31st. Processing of new uploads into > bullseye-proposed-updates will be frozen during the preceding > weekend. The archive side of the poin

Re: Recording for my DebConf talk about CVEs

2024-08-30 Thread Darren S.
And for this we thank you. :) Darren On Fri, Aug 30, 2024 at 7:06 AM Sylvain Beucler wrote: > Hello Samuel, > > On 27/08/2024 23:17, Samuel Henrique wrote: > > As I've mentioned before, here's the recording of the CVE talk from this > year's > > DebConf, the talk is titled: "Fixing CVEs on Debi

Re: Recording for my DebConf talk about CVEs

2024-08-30 Thread Sylvain Beucler
Hello Samuel, On 27/08/2024 23:17, Samuel Henrique wrote: As I've mentioned before, here's the recording of the CVE talk from this year's DebConf, the talk is titled: "Fixing CVEs on Debian: Everything you probably know already" I've provided subtitles (en, pt-br) and chapter markers for the vi

Re: Latent bugs in armel, armhf packages built before t64 transition

2024-08-16 Thread Emanuele Rocca
[ Martin added to CC ] On 2024-08-16 12:02, Chris Hofstaedtler wrote: > while investigating a test failure in ksh93u+m, it became clear that > packages last built before the time_t-64bit transition can have > latent bugs. > They might very well now FTBFS or fail at runtime (autopkgtest time > or l

Re: bind9 update 9.16.50 -- too many record

2024-07-29 Thread Salvatore Bonaccorso
Hi Ondrej, On Mon, Jul 29, 2024 at 12:14:01PM +0200, Ondřej Surý wrote: > I've now also ported all the changes to the system tests, so I can > confirm the changes are correct and I've now uploaded the version > with configuration options to security-master. > > This means that information in: >

Re: bind9 update 9.16.50 -- too many record

2024-07-29 Thread Ondřej Surý
I've now also ported all the changes to the system tests, so I can confirm the changes are correct and I've now uploaded the version with configuration options to security-master. This means that information in: https://kb.isc.org/docs/rrset-limits-in-zones also applies to bind9_9.16.50-1~deb11u

Re: bind9 update 9.16.50 -- too many record

2024-07-28 Thread Guillaume Bienkowski
Hello and thank you all for your answers. Indeed we might push the update to Bookworm for our DNS servers, or wait for the backports version to reach 9.18.28 (where the configuration option exists, which is not yet the case for the 9.16.24 that's available right now). > The source package can be

Re: bind9 update 9.16.50 -- too many record

2024-07-28 Thread Ondřej Surý
Hey, I've successfully backported the configuration options from 9.18 to 9.16, so if you need to bump the limits, it will be possible in the next upload. That said, I don't currently have a repository where I can upload the updated packages, so I'll do the upload to security master, but before Sa

Re: bind9 update 9.16.50 -- too many record

2024-07-27 Thread Salvatore Bonaccorso
Hi, [looping in explicitly Ondrej, maintainer of bind9] On Fri, Jul 26, 2024 at 03:40:30PM -0400, Lee wrote: > On Fri, Jul 26, 2024 at 11:24 AM Guillaume Bienkowski wrote: > > > > Hello, > > Hi > > > We are using bind9 with many SRV entries to allow for dynamic discovery of > > hosts to monito

Re: bind9 update 9.16.50 -- too many record

2024-07-26 Thread Lee
On Fri, Jul 26, 2024 at 11:24 AM Guillaume Bienkowski wrote: > > Hello, Hi > We are using bind9 with many SRV entries to allow for dynamic discovery of > hosts to monitor in our infrastructure. We have 300+ SRV records for the same > domain name. > > After the security update of tonight (9.16.4
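The failure this thread is about is an RRset (same owner name, same type) with more records than the limit the 9.16.50 security update enforces; the ISC KB page linked above documents that limit and the configuration options that raise it. The script below is an added example, not code from the thread or from BIND: it scans a zone file for RRsets above a given count so the condition can be caught before upgrading, and prints a named.conf fragment raising the limits. The default of 100 and the option names max-records-per-type / max-types-per-name are taken from that KB article and are assumptions about the version you run; the zone data is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: flag RRsets in a zone file that
# exceed a per-type record count. The default of 100 is taken from the ISC
# KB article linked in the thread (an assumption about your BIND version).

# rrsets_over_limit LIMIT < zonefile
# Prints "owner type count" for every (owner, type) pair with more than
# LIMIT records. Assumes the flat "owner TTL class type rdata" record form;
# comment lines and $ORIGIN/$TTL directives are skipped.
rrsets_over_limit() {
    limit="${1:-100}"
    awk -v limit="$limit" '
        /^[[:space:]]*(;|\$)/ { next }  # skip comments and directives
        NF < 5 { next }                 # not a full record line
        { count[$1 " " $4]++ }          # key on owner name and RR type
        END {
            for (k in count)
                if (count[k] > limit) print k, count[k]
        }
    ' | sort
}

# limit_config RECORDS_PER_TYPE TYPES_PER_NAME
# Emits a named.conf options fragment raising the limits. Option names are
# those documented in the ISC KB article (assumption: your build has them,
# i.e. 9.18.28+ or the 9.16.50 Debian upload with the backported options).
limit_config() {
    cat <<EOF
options {
    max-records-per-type ${1:-100};
    max-types-per-name ${2:-100};
};
EOF
}

# Constructed sample zone: four SRV records at one owner name, one A record.
SAMPLE_ZONE='$ORIGIN example.com.
$TTL 300
; constructed sample data
_svc._tcp 300 IN SRV 10 10 8080 host1.example.com.
_svc._tcp 300 IN SRV 10 10 8080 host2.example.com.
_svc._tcp 300 IN SRV 10 10 8080 host3.example.com.
_svc._tcp 300 IN SRV 10 10 8080 host4.example.com.
host1     300 IN A   192.0.2.1'

# Usage: with a limit of 3 the SRV set is reported, the A record is not.
printf '%s\n' "$SAMPLE_ZONE" | rrsets_over_limit 3
```

Run it against a real zone file with `rrsets_over_limit 100 < db.example.com`; any line it prints names an RRset that the default limit would reject, and `limit_config 500 100` gives the options fragment to raise it once the package carrying the options is installed.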

Re: Upcoming stable point release (12.6)

2024-06-29 Thread Adam D. Barratt
On Wed, 2024-06-12 at 21:07 +0100, Jonathan Wiltshire wrote: > The next point release for "bookworm" (the delayed 12.6 release) is > scheduled for Saturday, 29th June 2024. Processing of new uploads > into bookworm-proposed-updates will be frozen during the preceding > weekend. The archive side of

Re: Upcoming oldstable point release (11.10)

2024-06-29 Thread Adam D. Barratt
On Wed, 2024-06-12 at 21:13 +0100, Jonathan Wiltshire wrote: > On Wed, Jun 12, 2024 at 09:11:32PM +0100, Jonathan Wiltshire wrote: > > The next point release for "bullseye" (11.10) is scheduled for > > Saturday, > > February 10th. Processing of new uploads into bullseye-proposed- > > updates > > wi

RE: Mini-DebConf in Cambridge, UK - October 10-13 2024

2024-06-24 Thread Luna Jernberg
will not be attending Debcamp/Debconf at all this year last week of July/first week of August as I am tired of drama in the Debian community right now and sledge was being an asshole and banned me from OFTC for a month like the transphobic pig he is, however will be attending as an online visito

Re: CVE applicability

2024-06-19 Thread Thomas Hochstein
Arul Anand MM wrote: > Advisory page on September 14 > https://web.archive.org/web/20230924174231/https://security-tracker.debian.org/tracker/CVE-2023-3390 > states the issue is fixed in 5.10.191-1 No, it doesn't. It states the issue was fixed - for bullseye, i.e. oldstable - in 5.10.179-3 (lowe

Re: CVE applicability

2024-06-18 Thread Salvatore Bonaccorso
Hi, On Wed, Jun 19, 2024 at 12:04:45AM +0530, Arul Anand MM wrote: > Hello Debian Security Team, > > This is regarding Debian advisory > https://security-tracker.debian.org/tracker/CVE-2023-3390. > > I would like to confirm whether version 5.10.191-1 is impacted by the UAF > and LPE. > > Adviso

Re: Upcoming oldstable point release (11.10)

2024-06-12 Thread Jonathan Wiltshire
On Wed, Jun 12, 2024 at 09:11:32PM +0100, Jonathan Wiltshire wrote: > The next point release for "bullseye" (11.10) is scheduled for Saturday, > February 10th. Processing of new uploads into bullseye-proposed-updates > will be frozen during the preceding weekend. The correct date for 11.10 is Satu
