Re: [DSA 5824-1] chromium security update

2024-12-07 Thread Santiago Vila
On 7/12/24 at 12:31, Bjørn Mork wrote: > But shouldn't those clang packages also be available from bookworm-security then? Yes, they should. Don't worry, this is known and I'm sure that Andres and the security team are already working on it: https://bugs.debian.org/cgi-bin/bugreport.cgi?b

Re: [DSA 5824-1] chromium security update

2024-12-07 Thread Bjørn Mork
Andres Salomon writes: > For the stable distribution (bookworm), this problem has been fixed in > version 131.0.6778.108-1~deb12u1. What am I missing here? root@miraculix:/tmp# apt install chromium Reading package lists... Done Building dependency tree... Done Reading state information... Done

Re: bind9 update 9.16.50 -- too many record

2024-11-28 Thread Guillaume Bienkowski
gs to enable more than 100 SRV records and our Bind9 instance is running fine. So on my side this is fixed, and I thank the maintainers for having backported the config options. My original complaint was that we had a functional regression in a security update, and no way of recovering a working

Re: bind9 update 9.16.50 -- too many record

2024-07-29 Thread Salvatore Bonaccorso
Hi Ondrej, On Mon, Jul 29, 2024 at 12:14:01PM +0200, Ondřej Surý wrote: > I've now also ported all the changes to the system tests, so I can > confirm the changes are correct and I've now uploaded the version > with configuration options to security-master. > > This means that information in: >

Re: bind9 update 9.16.50 -- too many record

2024-07-29 Thread Ondřej Surý
ri, Jul 26, 2024 at 03:40:30PM -0400, Lee wrote: >>> On Fri, Jul 26, 2024 at 11:24 AM Guillaume Bienkowski wrote: >>>> >>>> Hello, >>> >>> Hi >>> >>>> We are using bind9 with many SRV entries to allow for dynamic discovery

Re: bind9 update 9.16.50 -- too many record

2024-07-28 Thread Guillaume Bienkowski
Hello and thank you all for your answers. Indeed we might push the update to Bookworm for our DNS servers, or wait for the backports version to reach 9.18.28 (where the configuration option exists, which is not yet the case for the 9.16.24 that's available right now). > The source pac

Re: bind9 update 9.16.50 -- too many record

2024-07-28 Thread Ondřej Surý
ienkowski wrote: >>> >>> Hello, >> >> Hi >> >>> We are using bind9 with many SRV entries to allow for dynamic discovery of >>> hosts to monitor in our infrastructure. We have 300+ SRV records for the >>> same domain name. >&g

Re: bind9 update 9.16.50 -- too many record

2024-07-27 Thread Salvatore Bonaccorso
mic discovery of > > hosts to monitor in our infrastructure. We have 300+ SRV records for the > > same domain name. > > > > After the security update of tonight (9.16.48 -> 9.16.50), our DNS server > > never rebooted. A named-zonecheck would issue error messages abou

Re: bind9 update 9.16.50 -- too many record

2024-07-26 Thread Lee
On Fri, Jul 26, 2024 at 11:24 AM Guillaume Bienkowski wrote: > > Hello, Hi > We are using bind9 with many SRV entries to allow for dynamic discovery of > hosts to monitor in our infrastructure. We have 300+ SRV records for the same > domain name. > > After the secur

bind9 update 9.16.50 -- too many record

2024-07-26 Thread Guillaume Bienkowski
Hello, We are using bind9 with many SRV entries to allow for dynamic discovery of hosts to monitor in our infrastructure. We have 300+ SRV records for the same domain name. After the security update of tonight (9.16.48 -> 9.16.50), our DNS server never rebooted. A named-zonecheck would is
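
The check a practitioner would want before applying an update like 9.16.48 -> 9.16.50 is to know which RRsets in their zones already exceed the new ceiling. The script below is an added example, not code from this thread or from BIND: it counts records per owner name and type in a master-format zone file and reports every RRset above the limit of 100 records that the thread reports being hit. It assumes one record per line (no parenthesised multi-line records); the sample zone with 300 SRV records under one name is constructed to mirror the report.

```python
"""Count resource records per RRset in a BIND zone file.

Added example for the bind9 9.16.50 thread; not code from the thread or
from BIND. Assumes a master-format zone with one record per line and the
ceiling of 100 records per name/type the thread reports. Sample zone is
constructed.
"""
from collections import Counter

# Ceiling the thread reports being hit after the 9.16.48 -> 9.16.50 update.
DEFAULT_MAX_RECORDS_PER_TYPE = 100

# Record types recognised when locating the type field on a line.
RR_TYPES = {"A", "AAAA", "CAA", "CNAME", "MX", "NS", "PTR", "SOA", "SRV", "TXT"}
CLASSES = {"IN", "CH", "HS"}


def parse_zone(text, origin):
    """Yield (owner FQDN, record type) for each record in master-format text."""
    origin = origin.rstrip(".") + "."
    last_owner = "@"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".") + "."
            continue
        if line.startswith("$"):
            continue  # $TTL, $INCLUDE and other directives carry no RR
        fields = line.split()
        # A leading blank means "same owner as the previous record".
        owner = last_owner if line[0].isspace() else fields.pop(0)
        # Optional TTL and class precede the type, in either order.
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)
        if not fields or fields[0].upper() not in RR_TYPES:
            continue
        rtype = fields[0].upper()
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = owner + "." + origin
        last_owner = owner
        yield fqdn.lower(), rtype


def rrset_sizes(text, origin):
    """Map (owner, type) -> number of records, i.e. the RRset size."""
    return Counter(parse_zone(text, origin))


def oversized_rrsets(text, origin, limit=DEFAULT_MAX_RECORDS_PER_TYPE):
    """RRsets above the limit; these are what the thread saw named-checkzone reject."""
    return {k: n for k, n in rrset_sizes(text, origin).items() if n > limit}


# Constructed zone: 300 SRV records under one owner name, as in the report.
SAMPLE_ZONE = (
    "$ORIGIN example.test.\n"
    "$TTL 3600\n"
    "@   IN SOA ns1 hostmaster 2024072601 7200 3600 1209600 3600\n"
    "    IN NS  ns1\n"
    "ns1 IN A   192.0.2.1\n"
    + "".join(f"_monitor._tcp IN SRV 0 0 9100 host{i}\n" for i in range(300))
)

if __name__ == "__main__":
    for (name, rtype), n in sorted(oversized_rrsets(SAMPLE_ZONE, "example.test").items()):
        print(f"{name} {rtype}: {n} records (limit {DEFAULT_MAX_RECORDS_PER_TYPE})")
```

Run it against each zone file named in named.conf before upgrading; any RRset it lists needs either fewer records or the per-type limit raised once the configuration option the thread mentions is available in the packaged version. The thread does not name that option; in ISC's own documentation for the releases that carry it the knob is max-records-per-type.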

Bug#1040914: dev-ref: update best practices around security (Re: Securing Debian Manual too old?)

2023-07-12 Thread Holger Levsen
package: developers-reference x-debbugs-cc: debian-security@lists.debian.org hi, On Tue, Jul 11, 2023 at 10:46:20PM +0200, Moritz Mühlenhoff wrote: > > I found the Securing Debian Manual > > (https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html). > > This version is from 2017.

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-11-18 Thread Elmar Stellnberger
On 09.04.22 at 23:31, Moritz Mühlenhoff wrote: Friedhelm Waitzmann wrote: For the oldstable distribution (buster), these problems have been fixed in version 91.8.0esr-1~deb10u1. Where can I get this from for buster and architecture i386?

Re: [SECURITY] [DSA 5173-1] linux security update

2022-07-06 Thread Salvatore Bonaccorso
On Tue, Jul 05, 2022 at 12:01:31AM +0200, Ben Hutchings wrote: > On Mon, 2022-07-04 at 22:17 +0200, Kurt Roeckx wrote: > > On Sun, Jul 03, 2022 at 03:49:12PM +, Ben Hutchings wrote: > > > > > > For the oldstable distribution (buster), these problems have been > > > fixed in version 4.19.249-2.

Re: [SECURITY] [DSA 5173-1] linux security update

2022-07-04 Thread Ben Hutchings
On Mon, 2022-07-04 at 22:17 +0200, Kurt Roeckx wrote: > On Sun, Jul 03, 2022 at 03:49:12PM +, Ben Hutchings wrote: > > > > For the oldstable distribution (buster), these problems have been > > fixed in version 4.19.249-2. > > It seems that linux-image-amd64 does not depend on > linux-image-4.

Re: [SECURITY] [DSA 5173-1] linux security update

2022-07-04 Thread Kurt Roeckx
On Sun, Jul 03, 2022 at 03:49:12PM +, Ben Hutchings wrote: > > For the oldstable distribution (buster), these problems have been > fixed in version 4.19.249-2. It seems that linux-image-amd64 does not depend on linux-image-4.19.0-21-amd64 but still on linux-image-4.19.0-20-amd64, so the fixed

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-05-07 Thread Elmar Stellnberger
On 19.04.22 at 12:15, Elmar Stellnberger wrote: Today I have received a response on my g++ bug report at gcc.gnu.org. Gcc 8.3.0 as used in Debian 10 is no longer supported as the 8 branch has a newer version which is gcc 8.5. Why do Debian maintainers not update gcc, if there is a known bug

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-19 Thread Elmar Stellnberger
Today I have received a response on my g++ bug report at gcc.gnu.org. Gcc 8.3.0 as used in Debian 10 is no longer supported as the 8 branch has a newer version which is gcc 8.5. Why do Debian maintainers not update gcc, if there is a known bug that prevents updated sources like firefox-esr

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-18 Thread Elmar Stellnberger
to compile that with a Debian10/i386 chroot: as root:  > debootstrap --arch i386 buster /dst/dbuster-i386  > xchroot /dst/dbuster-i386  > ... install build-essential apt-src locales-all etc.  > cd /usr/src  > apt-src update  > apt-src install gcc-8 Compiling may need more

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-17 Thread Lennart Sorensen
On Fri, Apr 15, 2022 at 09:07:10AM +0200, Elmar Stellnberger wrote: > That is not correct. You can make use of SSE instructions also in > x86_32/i386 mode. > > I found f.i.: > https://gcc.gcc.gnu.narkive.com/k0KqaZF2/i386-sse-test-question Well x86_64 uses it all the time, not just optionally,

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-17 Thread Elmar Stellnberger
; ... install build-essential apt-src locales-all etc.   > cd /usr/src   > apt-src update   > apt-src install gcc-8 Compiling may need more than a day; however you may hibernate in between. Make sure you have copied the patch into gcc-8-8.3.0/debian/patches/ and check that file has been patc

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-17 Thread Elmar Stellnberger
h i386 buster /dst/dbuster-i386  > xchroot /dst/dbuster-i386  > ... install build-essential apt-src locales-all etc.  > cd /usr/src  > apt-src update  > apt-src install gcc-8 Compiling may need more than a day; however you may hibernate in between. Make sure you have copied

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-17 Thread Elmar Stellnberger
e issue. I would appreciate it very much if someone was ready to compile that with a Debian10/i386 chroot: as root: > debootstrap --arch i386 buster /dst/dbuster-i386 > xchroot /dst/dbuster-i386 > ... install build-essential apt-src locales-all etc. > cd /usr/src > apt-src

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-16 Thread Odo Poppinger
Why not? On 16.04.22 16:05, Elmar Stellnberger wrote: >Given that this should not be possible for some reason, please > share your knowledge about these bugs, so that people like me > can try to find a fix. > > Elmar On 11.04.22 23:57, Moritz Muehlenhoff wrote: It is possible; if someone t

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-16 Thread Elmar Stellnberger
Maybe the Qt/moc and the gcc/Firefox bugs are unrelated. I have not heard anything about it here yet. I have found a page that tells the moc error can be resolved by upgrading from Qt 5.4.1 -> 5.4.2. https://topic.alibabacloud.com/a/usrincludec641bitsstl_relops67parse-error-at-std_1_31_30235235.

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-15 Thread Elmar Stellnberger
On Fri, Apr 15, 2022 at 04:52:55PM +0200, Elmar Stellnberger wrote: > ... > exist. It truly is this g++ bug that prevents Firefox and any > Qt programs from building under Buster/i586. I have noted that > there are also some amd64 targets on the OBS that expose the > exact same g++ bug. My questio

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-15 Thread Elmar Stellnberger
On 14.04.22 15:45, Levis Yarema wrote: Is there indeed any reason to prefer amd64 over i586 if you have the choice and a machine with 2GB RAM or less, apart from perhaps long term support? Depends on the application. Encryption and decryption requiring the simulation of very large integers

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-15 Thread Elmar Stellnberger
On 15.04.22 04:50, Lennart Sorensen wrote: On Thu, Apr 14, 2022 at 03:45:37PM +0200, Levis Yarema wrote: Is there indeed any reason to prefer amd64 over i586 if you have the choice and a machine with 2GB RAM or less, apart from perhaps long term support? Twice the registers and sse instructio

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-14 Thread Lennart Sorensen
On Thu, Apr 14, 2022 at 03:45:37PM +0200, Levis Yarema wrote: > Is there indeed any reason to prefer amd64 over i586 if you have the > choice and a machine with 2GB RAM or less, apart from perhaps long term > support? Twice the registers and sse instructions for fpu rather than x87? -- Len Sore

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-14 Thread Friedhelm Waitzmann
Elmar Stellnberger on Thursday, 2022-04-14T18:51:01+0200: Where can I get this from for buster and architecture i386? does not have it. Friedhelm

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-14 Thread Elmar Stellnberger
On 14.04.22 14:52, Elmar Stellnberger wrote: I am also running Debian 10 on my Asus eeePC (Pentium M). I am mainly using it as a dictionary. Although I am performing security updates quite regularly I have not run into this issue. Having updated just now I am with Firefox 78.15.0-esr-1~deb10

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-14 Thread Levis Yarema
Is there indeed any reason to prefer amd64 over i586 if you have the choice and a machine with 2GB RAM or less, apart from perhaps long term support? On Thu, 14 Apr 2022 at 10:38, Paul Wise wrote: > On Tue, 2022-04-12 at 05:59 +0200, Friedhelm Waitzmann wrote: > > > And if it is indeed p

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-14 Thread Michael Stone
On Thu, Apr 14, 2022 at 02:34:22PM +0200, Elmar Stellnberger wrote: On Wed, Apr 13, 2022 at 03:11:04PM -0400, Michael Stone wrote: On Wed, Apr 13, 2022 at 08:18:30PM +0200, Levis Yarema wrote: > What about Spectre /Meltdown? P3/P4/Pentium M systems don't have that? Core 2 > systems to my knowled

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-14 Thread Elmar Stellnberger
On Thu, Apr 14, 2022 at 02:50:32PM +0200, Elmar Stellnberger wrote: > On Sat, Apr 09, 2022 at 11:31:01PM +0200, Moritz Mühlenhoff wrote: > > Friedhelm Waitzmann wrote: > > >> For the oldstable distribution (buster), these problems have > > >> been fixed in version 91.8.0esr-1~deb10u1. > > > > > >

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-14 Thread Elmar Stellnberger
On Sat, Apr 09, 2022 at 11:31:01PM +0200, Moritz Mühlenhoff wrote: > Friedhelm Waitzmann wrote: > >> For the oldstable distribution (buster), these problems have > >> been fixed in version 91.8.0esr-1~deb10u1. > > > > Where can I get this from for buster and architecture i386? > >

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-14 Thread Elmar Stellnberger
On Wed, Apr 13, 2022 at 03:11:04PM -0400, Michael Stone wrote: > On Wed, Apr 13, 2022 at 08:18:30PM +0200, Levis Yarema wrote: > > What about Spectre /Meltdown? P3/P4/Pentium M systems don't have that? Core > > 2 > > systems to my knowledge can. > > There's no reason to believe netburst systems a

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-14 Thread Elmar Stellnberger
On Thu, Apr 14, 2022 at 11:01:06AM +0200, Maurice Dirr wrote: > Are you running KDE programs on a Pentium 4? > How can that work without hardware acceleration? > Well QCoan is a plain Qt program, not a KDE app, but Yes I am running KDE apps on that PIV. You have to use > export LIBGL_ALWAYS_SO

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-14 Thread Maurice Dirr
Are you running KDE programs on a Pentium 4? How can that work without hardware acceleration? On 14.04.22 10:52, Elmar Stellnberger wrote: >Could it be that also other programs are affected by this issue? > > I have been building Coan (one of my programs) recently on the OBS and it > > did n

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-14 Thread Elmar Stellnberger
On 14.04.22 10:37, Paul Wise wrote: On Tue, 2022-04-12 at 05:59 +0200, Friedhelm Waitzmann wrote: And if it is indeed possible, how can I switch from i386 to amd64?  Can this be done with the apt tools?  Then during the migrating some packages will be from amd64 already while others will be sti

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-14 Thread Paul Wise
On Tue, 2022-04-12 at 05:59 +0200, Friedhelm Waitzmann wrote: > And if it is indeed possible, how can I switch from i386 to > amd64?  Can this be done with the apt tools?  Then during the > migrating some packages will be from amd64 already while others > will be still i386.  How does that go r

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-13 Thread Elmar Stellnberger
On Wed, Apr 13, 2022 at 09:52:13PM +0200, Elmar Stellnberger wrote: > On 09.04.22 23:31, Moritz Mühlenhoff wrote: > > Friedhelm Waitzmann wrote: > >>> For the oldstable distribution (buster), these problems have > >>> been fixed in version 91.8.0esr-1~deb10u1. > >> > >> Where can I get this from f

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-13 Thread Elmar Stellnberger
On 09.04.22 23:31, Moritz Mühlenhoff wrote: > Friedhelm Waitzmann wrote: >>> For the oldstable distribution (buster), these problems have >>> been fixed in version 91.8.0esr-1~deb10u1. >> >> Where can I get this from for buster and architecture i386? >>

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-13 Thread Levis Yarema
What security features do P3/P4/PM systems lack? I only know that the Intel ME was introduced with early Core 2 systems and that is well known to have security issues. Today people spend extra money for a system where you can disable the ME in the UEFI though it is only disabled by a setting then a

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-13 Thread Michael Stone
On Wed, Apr 13, 2022 at 08:18:30PM +0200, Levis Yarema wrote: What about Spectre /Meltdown? P3/P4/Pentium M systems don't have that? Core 2 systems to my knowledge can. There's no reason to believe netburst systems are not affected by any of the cpu issues identified in the past few years, but

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-13 Thread Michael Stone
On Wed, Apr 13, 2022 at 07:18:53PM +0200, Levis Yarema wrote: If I would get an x64 CPU from a Linux pro, sure I would take it. Otherwise I would not recommend to just take any old hardware for exchange with my working one since not all of it was easily well supported by Linux these days, as far

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-13 Thread Levis Yarema
On 13.04.22 16:44, piorunz wrote: On 12/04/2022 04:59, Friedhelm Waitzmann wrote: And if it is indeed possible, how can I switch from i386 to amd64? Can this be done with the apt tools? Then during the migrating some packages will be from amd64 already while others will be still i386. How does

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-13 Thread Odo Poppinger
On 13.04.22 19:18, Levis Yarema wrote: If I would get an x64 CPU from a Linux pro, sure I would take it. Otherwise I would not recommend to just take any old hardware for exchange with my working one since not all of it was easily well supported by Linux these days, as far as I can remember.

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-13 Thread Levis Yarema
On 13.04.22 17:11, piorunz wrote: > On 13/04/2022 15:57, Michael Stone wrote: > >> family 15 model 2 is northwood based. no amd64. the best option for that >> one is to find a cheap second hand box with a CPU that's only 10 years >> old instead of (literally) 20 years old and retire it; those old p

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-13 Thread Michael Stone
On Wed, Apr 13, 2022 at 05:32:10PM +0200, Odo Poppinger wrote: I have a beloved P4 Gericom Frontman and I do not want to give it away. and that's fine, but it's increasingly unreasonable to try to run a modern general purpose OS on hardware that's 20 years old. if the driver is nostalgia, som

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-13 Thread Odo Poppinger
I have a beloved P4 Gericom Frontman and I do not want to give it away. It had a new game changing design as can today be found with many Apple computers. I also have a P4 notebook and some i386 desktops, some of which I am dual booting with some Windows and OS/2. New computers with a setup fro

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-13 Thread piorunz
On 13/04/2022 15:57, Michael Stone wrote: family 15 model 2 is northwood based. no amd64. the best option for that one is to find a cheap second hand box with a CPU that's only 10 years old instead of (literally) 20 years old and retire it; those old p4's were really power hungry, and it shouldn

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-13 Thread Michael Stone
On Wed, Apr 13, 2022 at 03:44:00PM +0100, piorunz wrote: On 12/04/2022 04:59, Friedhelm Waitzmann wrote: You mean, that it is possible to run amd64 on my old hardware 1# vendor_id   : GenuineIntel cpu family  : 6 model   : 22 model name  : Intel(R) Celeron(R) CPU  4

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-13 Thread piorunz
On 12/04/2022 04:59, Friedhelm Waitzmann wrote: You mean, that it is possible to run amd64 on my old hardware 1# vendor_id   : GenuineIntel cpu family  : 6 model   : 22 model name  : Intel(R) Celeron(R) CPU  440  @ 2.00GHz stepping    : 1 microcode   : 0x43 c

amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-11 Thread Friedhelm Waitzmann
Dear Moritz! Moritz Mühlenhoff: Friedhelm Waitzmann wrote: For the oldstable distribution (buster), these problems have been fixed in version 91.8.0esr-1~deb10u1. Where can I get this from for buster and architecture i386?

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-11 Thread Moritz Muehlenhoff
n't it possible to build with > another gcc or to update gcc? It is possible; if someone tracks down the respective GCC change and backports it to GCC 8 in Buster or alternatively lands a patch in the ESR91 branch which changes the code to no longer trigger the ICE, that would fix it. But realis

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-11 Thread Odo Poppinger
I am still using i386 on some machines. Isn't it possible to build with another gcc or to update gcc? On 09.04.22 23:31, Moritz Mühlenhoff wrote: Friedhelm Waitzmann wrote: For the oldstable distribution (buster), these problems have been fixed in version 91.8.0esr-1~deb10u1. Where can I

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-09 Thread Moritz Mühlenhoff
Friedhelm Waitzmann wrote: >> For the oldstable distribution (buster), these problems have >> been fixed in version 91.8.0esr-1~deb10u1. > > Where can I get this from for buster and architecture i386? >

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-08 Thread Friedhelm Waitzmann
On Wed, 2022-04-06 at 17:11:21 + Moritz Muehlenhoff wrote in the mailing list debian-security-announce: For the oldstable distribution (buster), these problems have been fixed in version 91.8.0esr-1~deb10u1. Where can I get this from for buster and architecture i386?

Re: thank *you*, team@security.d.o! (was Re: [SECURITY] [DSA 5000-1] openjdk-11 security update)

2021-11-02 Thread Marco Möller
On 02.11.21 01:07, Holger Levsen wrote: hey hey, hear hear! On Mon, Nov 01, 2021 at 07:44:34PM +, Moritz Muehlenhoff wrote: - Debian Security Advisory DSA-5000-1 secur...@debian.org WHHO! th

Re: thank *you*, team@security.d.o! (was Re: [SECURITY] [DSA 5000-1] openjdk-11 security update)

2021-11-01 Thread Sean Whitton
Hello, On Tue 02 Nov 2021 at 12:07AM GMT, Holger Levsen wrote: > hey hey, hear hear! > > On Mon, Nov 01, 2021 at 07:44:34PM +, Moritz Muehlenhoff wrote: >> - >> Debian Security Advisory DSA-5000-1 secur.

Re: thank *you*, team@security.d.o! (was Re: [SECURITY] [DSA 5000-1] openjdk-11 security update)

2021-11-01 Thread piorunz
On 02/11/2021 00:07, Holger Levsen wrote: hey hey, hear hear! On Mon, Nov 01, 2021 at 07:44:34PM +, Moritz Muehlenhoff wrote: - Debian Security Advisory DSA-5000-1 secur...@debian.org WHHO!

thank *you*, team@security.d.o! (was Re: [SECURITY] [DSA 5000-1] openjdk-11 security update)

2021-11-01 Thread Holger Levsen
hey hey, hear hear! On Mon, Nov 01, 2021 at 07:44:34PM +, Moritz Muehlenhoff wrote: > - > Debian Security Advisory DSA-5000-1 secur...@debian.org WHHO! that's *something* to *celebrate*!!1 Very

Re: [SECURITY] [DSA 4774-1] linux security update

2020-10-20 Thread Georgi Naplatanov
x packages. > > For the detailed security status of linux please refer to its security > tracker page at: > https://security-tracker.debian.org/tracker/linux > > Further information about Debian Security Advisories, how to apply > these updates to your system and frequently as

stretch update of linux but not linux-latest?

2020-02-12 Thread Lucas Nussbaum
[ Please Cc me: I'm not subscribed ] Hi, I might have missed something obvious, but I don't think I understand how security updates of linux are managed in terms of suites. On 2019-11-24, due to https://lists.debian.org/debian-security-announce/2019/msg00215.html, linux was updated to 4.9.189-

#767272 and #866670 - update-ca-certificates and jks-keystore script integration

2019-11-13 Thread Laurent Bigonville
Hello, Is there any progress on these two bugs? This looks like a potential security issue as the certificates that are not trusted anymore are still trusted by java programs as they are not removed from the java trust store. Could someone have a look at this? Kind regards, Laurent Bigonvi
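
The gap described in this report is measurable: every certificate whose fingerprint is in the Java keystore but no longer in the system bundle is a CA that Java programs still trust after the system stopped trusting it. The script below is an added example, not code from update-ca-certificates or ca-certificates-java: it fingerprints each certificate in a PEM bundle and diffs that against fingerprints taken from the keystore. The "certificates" in the sample are constructed byte strings standing in for DER, which is enough to exercise the comparison; on a real system the inputs are the PEM bundle update-ca-certificates writes and the SHA256 lines of keytool -list -v.

```python
"""Spot certificates the Java trust store keeps after the system bundle
dropped them.

Added example for the update-ca-certificates / jks-keystore report; not
code from either package. Assumes the PEM bundle update-ca-certificates
writes and SHA-256 fingerprints in the format `keytool -list -v` prints.
The "certificates" below are constructed stand-ins for DER, not real CAs.
"""
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def fingerprint(der):
    """SHA-256 of the DER encoding, as lower-case hex without separators."""
    return hashlib.sha256(der).hexdigest()


def normalize(fp):
    """Accept keytool's 'AB:CD:..' form or bare hex; return bare lower-case hex."""
    return fp.replace(":", "").strip().lower()


def bundle_fingerprints(pem_text):
    """Fingerprints of every certificate in a PEM bundle."""
    fps = set()
    for match in PEM_CERT.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        fps.add(fingerprint(der))
    return fps


def stale_keystore_entries(pem_text, keystore_fps):
    """Fingerprints trusted by the keystore but absent from the bundle.

    Anything returned is a CA the system no longer trusts while Java
    programs using the keystore still do: the gap the bug report describes.
    """
    return sorted({normalize(fp) for fp in keystore_fps} - bundle_fingerprints(pem_text))


# --- constructed sample data -------------------------------------------------

def _pem(der):
    """Wrap bytes in PEM armour the way a bundle file does (64-char lines)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def keytool_style(hexfp):
    """Render a bare hex digest the way keytool prints SHA256 fingerprints."""
    return ":".join(hexfp[i:i + 2] for i in range(0, len(hexfp), 2)).upper()


KEPT_DER = b"constructed DER stand-in: root still in ca-certificates"
REMOVED_DER = b"constructed DER stand-in: root removed by update-ca-certificates"
SAMPLE_BUNDLE = _pem(KEPT_DER)  # the removed root is gone from the bundle ...
SAMPLE_KEYSTORE_FPS = [keytool_style(fingerprint(KEPT_DER)),
                       keytool_style(fingerprint(REMOVED_DER))]  # ... but not from the keystore

if __name__ == "__main__":
    for fp in stale_keystore_entries(SAMPLE_BUNDLE, SAMPLE_KEYSTORE_FPS):
        print("still in Java keystore, no longer in bundle:", keytool_style(fp))
```

On a Debian host the bundle is /etc/ssl/certs/ca-certificates.crt and the keystore ca-certificates-java maintains is /etc/ssl/certs/java/cacerts (default store password changeit); the SHA256 fingerprint lines from keytool -list -v on that file are what goes into the second argument. A non-empty result is the condition the report calls a potential security issue.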

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-20 Thread Roman Medina-Heigl Hernandez
On 19/02/2019 at 17:44, Russ Allbery wrote: > Roman Medina-Heigl Hernandez writes: > > So you cannot overwrite /home/synology/rsyncd.conf. > Can the client just do: > > rsync rsyncd.conf :./ > You're right, I was wrong. It's game over :) > I think to make this safe the home directory h

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-19 Thread Russ Allbery
Roman Medina-Heigl Hernandez writes: > Well, in my case I had the following setting in rsyncd.conf: > path = /backup/synology > where path points to a different directory which is NOT $home and > does not permit reaching $home. > So you cannot overwrite /home/synology/rsyncd.conf. Can the clie

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-19 Thread Roman Medina-Heigl Hernandez
hat if the client can write to this configuration file, it can just > include a pre-xfer exec setting in that rsyncd.conf file and run commands > on the server side. Not in my setup. > So, unfortunately we won't be able to fix Synology in a stable update, > since it was relying on

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-19 Thread Chris Lamb
ff: - * The fix for the scp security vulneraability in 2.3.4-5+deb9u1 + * The fix for the scp security vulnerability in 2.3.4-4+deb8u2 .. and released this as a DLA-1660-2 "regression" update. I will leave the stable update to the security team. Best wishes, -- ,

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-18 Thread Russ Allbery
Russ Allbery writes: > I'll follow up with the proposed diffs for stable and oldstable. Here are the proposed diffs for stable and oldstable. The stable diff just fixes the libssh2 interoperability regression. The oldstable diff fixes both that and the regression with downloading multiple file

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-18 Thread Russ Allbery
a pre-xfer exec setting in that rsyncd.conf file and run commands on the server side. So, unfortunately we won't be able to fix Synology in a stable update, since it was relying on insecure behavior. I'll continue with an update to fix the libssh2 regression. -- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
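
The point Russ makes in this message and the follow-up (a client that can upload rsyncd.conf can put a pre-xfer exec line in it, so letting the restricted shell run rsync --daemon is remote command execution) is worth seeing as a concrete filter. The script below is an added example, not rssh's code or the rssh update: it contrasts a filter that only allow-lists the program name, the behaviour the thread says the Synology tool relied on, with one that refuses daemon mode and shows why by listing the exec hooks in a constructed rsyncd.conf such a client could have uploaded. The log line is the one Roman posted; the rsyncd.conf and the hook command in it are constructed.

```python
"""Check an rsync command line the way a restricted shell must.

Added example for the rssh thread; not rssh's code. Models two filters:
one that only allow-lists the program name (the insecure behaviour the
thread describes) and one that refuses daemon mode, reporting any exec
hooks in a client-writable rsyncd.conf. The rsyncd.conf and its hook
command are constructed; the log line is the one from the report.
"""
import shlex

# Options that make rsync read a config file and honour its exec hooks.
DAEMON_OPTS = {"--daemon", "--config"}
EXEC_KEYS = ("pre-xfer exec", "post-xfer exec")


def parse_rssh_log(line):
    """Extract the command string from an rssh 'command:' log line."""
    marker = "command: "
    idx = line.find(marker)
    if idx < 0:
        return None
    return line[idx + len(marker):].strip()


def weak_filter(cmd):
    """Allow anything whose program is rsync: the behaviour that let --daemon through."""
    argv = shlex.split(cmd)
    return bool(argv) and argv[0] == "rsync"


def config_exec_hooks(rsyncd_conf):
    """Return the exec hook lines an rsync daemon would run from this config."""
    hooks = []
    for raw in rsyncd_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        key = line.split("=", 1)[0].strip().lower()
        if key in EXEC_KEYS:
            hooks.append(line)
    return hooks


def hardened_filter(cmd, home_rsyncd_conf=None):
    """Allow rsync only in plain --server mode.

    Returns (allowed, reason). Daemon mode is refused outright: started over
    a remote shell, rsync --daemon reads rsyncd.conf from the user's home
    directory, and the same client can upload that file with a plain rsync
    transfer, as the thread shows.
    """
    argv = shlex.split(cmd)
    if not argv or argv[0] != "rsync":
        return False, "program is not rsync"
    if "--server" not in argv:
        return False, "rsync without --server is not a transfer"
    for opt in argv[1:]:
        if opt in DAEMON_OPTS or opt.startswith("--config="):
            hooks = config_exec_hooks(home_rsyncd_conf or "")
            if hooks:
                return False, "daemon mode with exec hooks: " + "; ".join(hooks)
            return False, "daemon mode refused: rsyncd.conf is client-writable"
    return True, "plain server mode"


# Log line from the report, and a constructed rsyncd.conf a client could upload.
SAMPLE_LOG = "Feb 10 03:28:21 roman rssh[19985]: command: rsync --server --daemon ."
SAMPLE_RSYNCD_CONF = """\
# constructed rsyncd.conf; the hook command is illustrative
[backup]
    path = /backup/synology
    pre-xfer exec = /bin/sh -c 'id > /tmp/pwned'
"""

if __name__ == "__main__":
    cmd = parse_rssh_log(SAMPLE_LOG)
    print("weak filter allows:", weak_filter(cmd))
    print("hardened filter:", hardened_filter(cmd, SAMPLE_RSYNCD_CONF))
    print("hardened filter, plain transfer:",
          hardened_filter("rsync --server -logDtpre.iLsfxC . /backup/synology"))
```

The weak filter passes the logged command because the program is rsync; the hardened one refuses it and names the pre-xfer exec hook that would have run on the server. The thread's own restriction of the module path to /backup/synology does not help here, since the upload that plants rsyncd.conf happens in a separate plain-server transfer before the daemon invocation.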

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-18 Thread Chris Lamb
Antoine Beaupré wrote: > > Does this plan sound good to everyone? I'll follow up with the proposed > > diffs for stable and oldstable. > > Works for me (LTS), although I won't be the one performing the upgrade > (I've unclaimed the package for other reasons). Works for me too and happy to take

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-18 Thread Antoine Beaupré
On 2019-02-18 09:27:37, Russ Allbery wrote: > Does this plan sound good to everyone? I'll follow up with the proposed > diffs for stable and oldstable. Works for me (LTS), although I won't be the one performing the upgrade (I've unclaimed the package for other reasons). Thanks for your work! A.

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-18 Thread Roman Medina-Heigl Hernandez
On 18/02/2019 at 18:27, Russ Allbery wrote: > While I agree that using undocumented features of rsync is a little > dubious, I'm also willing to include a fix to allow the specific command > line "rsync --server --daemon " since (a) it seems to be safe, (b) > looks easy enough to do, and (c)

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-18 Thread Russ Allbery
Antoine Beaupré writes: > That said, if we do fix this in jessie, we should do it at the same time > as the regression identified in stretch (DSA-4377-2). > Russ, do you want to handle the Jessie update or should the LTS team do > it? > Should we wait for resolution on th

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-15 Thread Emilio Pozuelo Monfort
roman rssh[19985]: command: rsync --server --daemon . > > Is it really unsafe to issue a "rsync --server --daemon ." command so it > deserves to be blocked? There was a regression in the rssh security update. It has already been fixed in stretch, expect an update for jessie soon. Cheers, Emilio

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-14 Thread Antoine Beaupré
ailed analysis Russ! It does seem to be a bit of a whack-a-mole game that would be better solved by proper use of `command`... That said, if we do fix this in jessie, we should do it at the same time as the regression identified in stretch (DSA-4377-2). Russ, do you want to handle the Jessie up

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-14 Thread Russ Allbery
Roman Medina-Heigl Hernandez writes: > Added Russ (rssh maintainer). > I cannot probe it but I guess chances are high that the issue is present > both in stable and oldstable (I cannot find a good reason to filter > different commands: solution should be the same or very similar) so I'm > still

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-14 Thread Roman Medina-Heigl Hernandez
Added Russ (rssh maintainer). I cannot probe it but I guess chances are high that the issue is present both in stable and oldstable (I cannot find a good reason to filter different commands: solution should be the same or very similar) so I'm still keeping debian-security in the loop. PS: Thx Ho

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-14 Thread Chris Lamb
[debian-security@lists.debian.org → Bcc] Holger Levsen wrote: > > I applied recent rssh security updates to Debian 8 (jessie) and I > > noticed that it breaks Synology's "Hyper backup" tool (with rsync method). > > > > Feb 10 03:28:21 roman rssh[19985]: cmd 'rsync' approved > > Feb 10 03:28:21 r

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-14 Thread Holger Levsen
Hi Roman, the security team is not responsible for Debian LTS, I've thus added debian-lts@lists.d.o to the mail recipients, so that they become aware of your issue. On Thu, Feb 14, 2019 at 06:06:34PM +0100, Roman Medina-Heigl Hernandez wrote: > Hi security-fellows, > > I applied recent rssh sec

rssh security update breaks rsync via Synology's "hyper backup"

2019-02-14 Thread Roman Medina-Heigl Hernandez
Hi security-fellows, I applied recent rssh security updates to Debian 8 (jessie) and I noticed that it breaks Synology's "Hyper backup" tool (with rsync method). The relevant log lines at my Debian server: Feb 10 03:28:21 roman rssh[19985]: cmd 'rsync' approved Feb 10 03:28:21 roman rssh[19985]:

Re: Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-25 Thread Yves-Alexis Perez
uilds packages for a different architecture: raspbian armhf is not Debian armhf, so it's not guaranteed to work on any raspberry pi. Also don't try to upgrade using packages downloaded from Debian, you really need to go to Raspbian for that. > > But running an update command an

Re: Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-24 Thread Edgar Remmel
messages. The command "sudo apt -o Acquire::http::AllowRedirect=false update" ran fine. By apt "list --upgradable" these 5 packages are displayed: apt/stable 1.4.9 armhf [upgradable from: 1.4.8] apt-transport-https/stable 1.4.9 armhf [upgradable from: 1.4.8] apt-utils/stable 1

Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-24 Thread Yves-Alexis Perez
On Thu, 2019-01-24 at 15:08 +0100, Edgar Remmel wrote: > Hello, Hi Edgar, adding debian-security mailing list since it's the proper place to ask about this. > > the above security update was linked by a security forum. > > As

Possible imagmagick package update

2018-12-16 Thread Paul Holden
In September CVE-2018-16323 (https://security-tracker.debian.org/tracker/CVE-2018-16323) was published, indicating a vulnerability in ImageMagick. The Debian security tracker shows that the Debian package update for stretch has been postponed (https://security-tracker.debian.org/tracker/CVE-2018

squid3 security update in oldstable

2018-11-26 Thread Chris Boot
Hi LTS, security folks, I notice that squid3 was updated[1] in oldstable a few days ago (on the 23rd) but no DLA was issued and the security tracker[2] has not been updated: 1. https://tracker.debian.org/news/1005422/accepted-squid3-348-6deb8u6-source-all-amd64-into-oldstable/ 2. https://securit

Re: Call for testing: Testers needed for ghostscript update

2018-11-07 Thread Tom Wijnroks
Hi, On Tue, Nov 6, 2018, at 4:16 PM, Salvatore Bonaccorso wrote: > Tests so far were limited, and thus we need a certain amount of further > external testing before we can release an update. I just tested to convert a 9 page PDF to PNG, the result was positive. root@box:~# lsb_release -a

Re: Call for testing: Testers needed for ghostscript update

2018-11-06 Thread Davide Prina
On 06/11/2018 16:16, Salvatore Bonaccorso wrote: We plan to rebase ghostscript via stretch-security to 9.25 plus cherry picked security fixes which happened after that release. Packages are at https://people.debian.org/~carnil/tmp/ghostscript/ I'm using Buster, but I have downloaded ghosts

Call for testing: Testers needed for ghostscript update

2018-11-06 Thread Salvatore Bonaccorso
Hi We plan to rebase ghostscript via stretch-security to 9.25 plus cherry picked security fixes which happened after that release. Tests so far were limited, and thus we need a certain amount of further external testing before we can release an update. Packages are at https

Re: Testers needed for ghostscript update

2018-09-06 Thread Moritz Mühlenhoff
s >> > > Ormandy. His research is still ongoing with new issues being >> > > found, >> > > but I've created an interim update which addresses most of the >> > > recent >> > > issues he found. It works fine in my tests, but my use case

Re: Testers needed for ghostscript update

2018-09-05 Thread Jason Fergus
is still ongoing with new issues being > > > found, > > > but I've created an interim update which addresses most of the > > > recent > > > issues he found. It works fine in my tests, but my use case is > > > fairly limited (printing via a local inkjet prin

Re: Testers needed for ghostscript update

2018-09-05 Thread Celejar
On Wed, 5 Sep 2018 11:44:23 +0200 Moritz Mühlenhoff wrote: > Moritz Mühlenhoff schrieb: > > There's a number of vulnerabilities found in Ghostscript by Tavis > > Ormandy. His research is still ongoing with new issues being found, > > but I've created an interim

Re: Testers needed for ghostscript update

2018-09-05 Thread Moritz Mühlenhoff
Moritz Mühlenhoff schrieb: > There's a number of vulnerabilities found in Ghostscript by Tavis > Ormandy. His research is still ongoing with new issues being found, > but I've created an interim update which addresses most of the recent > issues he found. It works fine i

Testers needed for ghostscript update

2018-09-03 Thread Moritz Mühlenhoff
There's a number of vulnerabilities found in Ghostscript by Tavis Ormandy. His research is still ongoing with new issues being found, but I've created an interim update which addresses most of the recent issues he found. It works fine in my tests, but my use case is fairly limited (prin

Re: [SECURITY] [DSA 4272-1] linux security update

2018-08-15 Thread Salvatore Bonaccorso
Hi, On Wed, Aug 15, 2018 at 04:02:59PM +0200, Matus UHLAR - fantomas wrote: > Hello, > > On 14.08.18 21:52, Salvatore Bonaccorso wrote: > > CVE-2018-5391 (FragmentSmack) > > > >Juha-Matti Tilli discovered a flaw in the way the Linux kernel > >handled reassembly of fragmented IPv4 and IPv

Re: [SECURITY] [DSA 4272-1] linux security update

2018-08-15 Thread Matus UHLAR - fantomas
Hello, On 14.08.18 21:52, Salvatore Bonaccorso wrote: CVE-2018-5391 (FragmentSmack) Juha-Matti Tilli discovered a flaw in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker can take advantage of this flaw to trigger time and calculatio

Re: libprocps3 procps update this morning causing shorewall/iptables routing problems.

2018-05-25 Thread Abhijith PA
nel stopped routing traffic through to hosts behind them and we found >>>> it necessary to restart shorewall for this to resume. I will do some >>>> further debugging this morning but I'm wondering if this affected anyone >>>> else. > > Do you have a

Re: libprocps3 procps update this morning causing shorewall/iptables routing problems.

2018-05-24 Thread Jonathan Wiltshire
his to resume. I will do some >>> further debugging this morning but I'm wondering if this affected anyone >>> else. Do you have a stray 'net.ipv4.ip_forward=0' or similar in /etc/sysctl{.conf,.d}? We also saw one instance of this problem, because the sysctls were relo

Re: libprocps3 procps update this morning causing shorewall/iptables routing problems.

2018-05-23 Thread Emilio Pozuelo Monfort
On 23/05/18 11:36, Luke Hall wrote: > I have just realised that jessie updates are still pre-lts so this may > not be suitable for the list. Apologies if so. Yes, debian-security@lists.debian.org would be more appropriate in this case. Adding that to Cc. Full quote below. Emilio >> This morning
