Hi,
what is your opinion on the deterministic linux kernel SameKernel with
grsecurity by mempo?
https://wiki.debian.org/SameKernel
https://github.com/mempo/mempo-kernel
Cheers,
Patrick
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Troub
Hi,
I was running:
sudo apt-build install ccache
And the output contained a message:
WARNING: The following packages cannot be authenticated!
ccache
Authentication warning overridden.
Is this just how apt-build works, or could this be a security issue due
to installing unauthenticated packages?
Dear security team!
Paul Wise thinks this is a security issue
Paul Wise:
> This is a security issue, [...]
I was running:
sudo apt-build install ccache
And the output contained a message:
WARNING: The following packages cannot be authenticated!
ccache
Authentication warning overridden.
Holger Levsen:
> I think you probably just need to run "apt-get update" before "apt-get
> install"...
I did that, I am sure of it. Reproduced this on two different systems.
Cheers,
Patrick
Holger Levsen:
> Hi,
>
> On Thursday, 19 March 2015, Patrick Schleizer wrote:
>>> I think you probably just need to run "apt-get update" before "apt-get
>>> install"...
>> I did that, I am sure of it. Reproduced this on two different systems
Cyril Brulebois:
> Patrick Schleizer (2015-03-18):
>> Hi,
>>
>> I was running:
>> sudo apt-build install ccache
>>
>> And the output contained a message:
>>
>> WARNING: The following packages cannot be authenticated!
>> ccache
>>
Brett Parker:
> On 18 Mar 16:27, Patrick Schleizer wrote:
>> Hi,
>>
>> I was running:
>> sudo apt-build install ccache
>>
>> And the output contained a message:
>>
>> WARNING: The following packages cannot be authenticated!
>> ccache
Hi!
Are you aware of this already?
[SECURITY NOTICE] libidn with bad UTF8 input
http://curl.haxx.se/mail/lib-2015-06/0143.html
Haven’t found anything related on debian.org mailing lists and/or curl's
changelog.
Cheers,
Patrick
ted mode interface to
> be secure in theory - Nonetheless just believe me that things are not as
> theoretical in practice as this description may make you believe.).
>
> Regards,
> Elmar
>
> On 29.11.2015 22:05, Patrick Schleizer wrote:
>> Elmar Stellnberger:
>>
Elmar Stellnberger:
> Dear Debian-Security
>
> Having just released debcheckroot, I want to briefly present my new tool to you:
> It was originally designed as a replacement for debsums and has the following
> qualities:
> * full support of Debian repos reading /etc/[apt/]sources.list to fetch
> che
Hello, we are a privacy-centric distro based on Debian and want to know
which Debian packages leak information about the system to the network
without a user's consent/expectation.
As documented on the page below, a system's security also depends on
avoiding leaking any identifiable information to
Holger Levsen:
> On Wed, May 18, 2016 at 06:33:52PM +0200, Jakub Wilk wrote:
>> Could you explain how any of these tools leak any information "without a
>> user's consent/expectation"?
>
> gnome-calculator contacts a web page/service with currency exchange
> information *on every start*, I think t
TLDR:
Is it possible to disable InRelease processing by apt-get?
Long:
Very short summary of the bug:
(my own words) During an apt-get upgrade, signature verification can be
tricked, resulting in arbitrary package installation and system compromise.
sources:
- https://security-tracker.debian.org/tra
Geert Stappers:
> On Thu, Dec 15, 2016 at 09:43:59PM +0100, SZÉPE Viktor wrote:
>> Quoting Patrick Schleizer :
>>
>>> Very short summary of the bug:
>>> (my own words) During apt-get upgrading signature verification can be
>>> tricked resulting in arbitra
Julian Andres Klode:
> (2) look at the InRelease file and see if it contains crap
> after you updated (if it looks OK, it's secure - you need
> fairly long lines to be able to break this)
Thank you for that hint, Julian!
Can you please elaborate on this? (I am asking for Qubes and Whonix
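Julian's hint above ("look at the InRelease file and see if it contains crap", "you need fairly long lines to be able to break this"), as an added example that is neither part of the thread nor apt's own verifier: a small Python check over an InRelease file (apt's clearsigned Release) that flags data outside the single signed block, lines longer than a threshold, and body lines that match no Release field shape. The 1024-character threshold, the field regexes, the `/var/lib/apt/lists` path and the two embedded sample files are constructed assumptions. A clean result only says the file has the expected shape; the signature itself is still gpgv's job.

```python
"""Shape check for a downloaded InRelease file (apt's clearsigned Release).

Added example, not apt's own verifier: it does not check the signature, it
only flags structure a well-formed clearsigned InRelease never has.
"""
import glob
import os
import re
from typing import Dict, List

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Assumed shapes of Release body lines: "Field: value", a bare "SHA256:"
# header, or a hash-list continuation " <hex> <size> <path>".
FIELD_RE = re.compile(r"^[A-Za-z0-9-]+:(\s.*)?$")
HASH_RE = re.compile(r"^ [0-9a-f]{32,128}\s+\d+\s+\S+$")


def check_inrelease(text: str, max_line: int = 1024) -> List[str]:
    """Return a list of findings; an empty list means the file looks sane."""
    findings: List[str] = []
    lines = text.split("\n")
    marks = [[i for i, l in enumerate(lines) if l == m]
             for m in (BEGIN_MSG, BEGIN_SIG, END_SIG)]
    if any(len(m) != 1 for m in marks):
        findings.append("expected exactly one signed block, found marker counts "
                        f"{[len(m) for m in marks]}")
        return findings
    bm, bs, es = (m[0] for m in marks)
    if not bm < bs < es:
        findings.append("armour markers out of order")
        return findings
    # Only whitespace may surround the single signed block.
    if any(l.strip() for l in lines[:bm]):
        findings.append("data before BEGIN PGP SIGNED MESSAGE")
    if any(l.strip() for l in lines[es + 1:]):
        findings.append("data after END PGP SIGNATURE")
    # Long lines are what the hint warns about; the threshold is an assumption.
    for i, l in enumerate(lines, 1):
        if len(l) > max_line:
            findings.append(f"line {i} is {len(l)} characters long")
    # Armour headers ("Hash: SHA256") end at the first blank line; everything
    # from there to the signature marker is the signed Release text.
    try:
        body = lines.index("", bm + 1)
    except ValueError:
        findings.append("no blank line after the armour headers")
        return findings
    for i in range(body + 1, bs):
        l = lines[i][2:] if lines[i].startswith("- ") else lines[i]  # dash-escaping
        if not (l == "" or FIELD_RE.match(l) or HASH_RE.match(l)):
            findings.append(f"line {i + 1} matches no Release field shape: {l[:40]!r}")
    return findings


def check_lists(directory: str = "/var/lib/apt/lists") -> Dict[str, List[str]]:
    """Run the check over every InRelease apt has fetched; the path is an assumption."""
    result = {}
    for path in sorted(glob.glob(os.path.join(directory, "*InRelease"))):
        with open(path, encoding="utf-8", errors="replace") as fh:
            result[path] = check_inrelease(fh.read())
    return result


# Constructed samples: a minimal well-formed file, and the same file with
# extra data (including one very long line) appended after the signature.
GOOD = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: Debian
Label: Debian
Suite: stable
Codename: jessie
Architectures: amd64 i386
Components: main
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEnotarealsignature
=AbCd
-----END PGP SIGNATURE-----
"""
BAD = GOOD + "Suite: stable\nSHA256:\n " + "a" * 64 + " 1 " + "x" * 2000 + "\n"

if __name__ == "__main__":
    for path, findings in check_lists().items():
        print(path, "OK" if not findings else "; ".join(findings))
```

Run it after `apt-get update` on the machine in question; anything it reports is worth looking at by hand before `apt-get upgrade`, and nothing it reports is proof of tampering by itself.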
What about Debian graphical installer security?
Isn't that meanwhile the ideal target for exploitation for targeted
attacks? Because it will take a while until the Debian point release
with fixed apt.
And during the gui installer, the output of apt-get is not visible. And
stuff during installe
I am very interested in Verified Boot. Was wondering how it could be
implemented on a Linux desktop distribution such as Debian. I would like
to implement in Debian derivatives, that I maintain (Whonix, Kicksecure).
Came up with some ideas which I will share here.
https://www.whonix.org/wiki/Veri
Anyone using this yet?
I would speculate, not many are using it. It needs step by step
instructions. Otherwise, most users are lost at hello.
> Things debcheckroot does not check at the moment are the initrd and
the MBR (master boot record). You may unpack the initrd by hand and
check the files c
Elmar Stellnberger:
>>> Things debcheckroot does not check at the moment are the initrd and
>> the MBR (master boot record). You may unpack the initrd by hand and
>> check the files contained there against a sha256sum list generated by
>> debcheckroot. The MBR can first be backed up by confinedrv/di
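Elmar's suggestion above (unpack the initrd by hand and check its files against a sha256sum list), as an added example that is neither debcheckroot's code nor part of the thread: a Python reader for the newc cpio layout initramfs images use, including a plain microcode archive concatenated in front of a gzip-compressed main archive, which hashes every regular file and compares it with a sha256sum-style list. The sample image, its file contents and the hash list are constructed inside the block; xz/zstd-compressed images and the MBR are not handled.

```python
"""Check the regular files inside an initrd against a sha256sum list.

Added example, not debcheckroot's code.  Reads the newc cpio format of
initramfs images, including a plain microcode archive concatenated in
front of a gzip-compressed main archive; xz/zstd images are not handled.
"""
import gzip
import hashlib
from typing import Dict, Iterator, List, Tuple

NEWC_MAGIC = b"070701"
GZIP_MAGIC = b"\x1f\x8b"


def _align4(n: int) -> int:
    return (n + 3) & ~3


def _norm(path: str) -> str:
    """cpio stores "./bin/sh"; a sha256sum list may say "./bin/sh" or "bin/sh"."""
    while path.startswith("./"):
        path = path[2:]
    return path.lstrip("/")


def iter_cpio(data: bytes) -> Iterator[Tuple[str, int, bytes]]:
    """Yield (name, mode, content) for every entry of the (concatenated) image."""
    pos = 0
    while pos < len(data):
        while pos < len(data) and data[pos] == 0:   # padding between archives
            pos += 1
        if pos >= len(data):
            return
        if data[pos:pos + 2] == GZIP_MAGIC:          # compressed part runs to the end
            yield from iter_cpio(gzip.decompress(data[pos:]))
            return
        if data[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError(f"unknown data at offset {pos}")
        # 13 eight-digit hex fields follow the magic: ino, mode, uid, gid, nlink,
        # mtime, filesize, devmajor, devminor, rdevmajor, rdevminor, namesize, check.
        f = [int(data[pos + 6 + i:pos + 14 + i], 16) for i in range(0, 104, 8)]
        mode, size, namesize = f[1], f[6], f[11]
        name = data[pos + 110:pos + 110 + namesize - 1].decode()
        off = _align4(110 + namesize)                # NUL-terminated name, 4-aligned
        content = data[pos + off:pos + off + size]
        pos += _align4(off + size)
        if name != "TRAILER!!!":
            yield name, mode, content


def build_cpio(files: Dict[str, bytes]) -> bytes:
    """Minimal newc writer (regular files only), used to construct the sample."""
    out = bytearray()
    def entry(name: str, mode: int, content: bytes) -> None:
        nm = name.encode() + b"\0"
        fields = [0, mode, 0, 0, 1, 0, len(content), 0, 0, 0, 0, len(nm), 0]
        out.extend(NEWC_MAGIC + "".join(f"{v:08x}" for v in fields).encode() + nm)
        out.extend(b"\0" * (_align4(110 + len(nm)) - 110 - len(nm)))
        out.extend(content + b"\0" * (_align4(len(content)) - len(content)))
    for name, content in sorted(files.items()):
        entry(name, 0o100644, content)
    entry("TRAILER!!!", 0, b"")
    return bytes(out)


def parse_sum_list(text: str) -> Dict[str, str]:
    """Parse "<sha256>  <path>" lines as written by sha256sum."""
    sums = {}
    for line in text.splitlines():
        if line.strip():
            digest, _, path = line.partition("  ")
            sums[_norm(path)] = digest
    return sums


def verify_initrd(image: bytes, sum_list: str) -> Dict[str, List[str]]:
    """Compare every regular file in the image with the list."""
    expected = parse_sum_list(sum_list)
    report: Dict[str, List[str]] = {"ok": [], "mismatch": [], "unlisted": []}
    seen = set()
    for name, mode, content in iter_cpio(image):
        if (mode & 0o170000) != 0o100000:            # skip dirs, symlinks, devices
            continue
        name = _norm(name)
        seen.add(name)
        digest = hashlib.sha256(content).hexdigest()
        if name not in expected:
            report["unlisted"].append(name)
        elif expected[name] == digest:
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    report["missing"] = sorted(set(expected) - seen)
    return report


# Constructed sample: microcode archive (uncompressed) + gzip'd main archive,
# the layout initramfs-tools produces, plus a hash list for the clean image.
_UCODE = {"kernel/x86/microcode/GenuineIntel.bin": b"\x01\x00\x00\x00fake microcode\n"}
_MAIN = {"./init": b"#!/bin/sh\nexec /sbin/init\n", "./bin/busybox": b"\x7fELF fake busybox\n"}
SAMPLE_IMAGE = build_cpio(_UCODE) + gzip.compress(build_cpio(_MAIN))
SAMPLE_SUMS = "".join(f"{hashlib.sha256(c).hexdigest()}  {n}\n"
                      for n, c in {**_UCODE, **_MAIN}.items())
TAMPERED_IMAGE = build_cpio(_UCODE) + gzip.compress(
    build_cpio({**_MAIN, "./init": b"#!/bin/sh\nexec /tmp/backdoor\n"}))
```

On a real system, read `/boot/initrd.img-<version>` into `verify_initrd` together with a list produced from a trusted unpacked copy; a non-empty `mismatch` or `unlisted` entry is the signal, and `missing` catches files removed from the image.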
Russell Coker:
> I think it would be good to have a package for improving system security.
https://github.com/Whonix/security-misc
> It
> could depend on packages like spectre-meltdown-checker and also contain
> scripts that look for ways of improving system security. For example
> recommend
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi!
Stable, http://cdimage.debian.org/debian-cd/7.3.0/i386/iso-dvd/ contains
gpg signatures.
Wheezy, http://cdimage.debian.org/cdimage/weekly-builds/i386/iso-dvd/
does not contain gpg signatures.
Can you offer gpg signatures for Jessie as well ple
Hi Elmar!
This is a most interesting tool!
The opensuse logo on http://www.elstel.org/debcheckroot/ is confusing,
since this is a Debian tool. This might scare off interested people.
> As Debian package headers do not use to be signed
I think you are mistaken here or maybe I misunderstand. When
Elmar Stellnberger:
>>> As Debian package headers do not use to be signed
>> I think you are mistaken here or maybe I misunderstand. When you have a
>> Debian medium you trust (such as a Live DVD from a trusted source), we
>> can regard keys in /etc/apt/trusted.gpg.d/ and /etc/apt/trusted.gpg as
>>
Marko Randjelovic:
> I was thinking about some kind
> of wizard:
>
> - create a chroot if doesn't already exist
> - create a launcher for your DE
> - create a shell script to run a program from terminal or a simple WM
>
> hint: chroot $CHROOT_PATH su - $USER -c "$command_with_args"
chroot is not
Marko Randjelovic:
> On Tue, 29 Apr 2014 11:52:14 +
> Patrick Schleizer wrote:
>
>> Marko Randjelovic:
>>> I was thinking about some kind
>>> of wizard:
>>>
>>> - create a chroot if doesn't already exist
>>> - create a launc
Joel Rees:
>> He told me to use Ubuntu instead. He explained that with the fact,
>> that Ubuntu has more security features enabled than Debian (also
>> more compiler flags for security) in a fresh install. He gave me a
>> link to the following site:
>> https://wiki.ubuntu.com/Security/Features
>>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
herzogbrigit...@t-online.de:
> Thank you for all your replies. I understand that the user is
> important for security, but it's a difference whether you start
> from scratch or you can work with something prebuilt. So, could you
> tell me, which of t
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
herzogbrigit...@t-online.de:
>> Yes it would be great if you can start with such a page. Use the
>> Ubuntu table as a template to start. I'll try to help as much as
>> I can in the wiki. Many Linux-Distros have a security features
>> page in their
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Paul Wise:
> On Sun, 2014-05-18 at 21:53 +0200, herzogbrigit...@t-online.de
> wrote:
>
>> So: Please help us to complete the table.
>
> Why didn't you just use the Ubuntu script to automatically fill it
> out?
>
> https://bazaar.launchpad.net/~ubu
Paul Wise:
> On Sun, 2014-05-18 at 01:41 +0000, Patrick Schleizer wrote:
>
>> Got started:
>> https://wiki.debian.org/Security/Features
>>
>> Anyone knows how to view (as a non-admin) the wiki markup of
>> https://wiki.ubuntu.com/Security/Features ? (I would
Peter Palfrader:
> On Fri, 30 May 2014, Joey Hess wrote:
>
>> Alfie John wrote:
>>> Taking a look at the Debian mirror list, I see none serving over HTTPS:
>>>
>>> https://www.debian.org/mirror/list
>>
>> https://mirrors.kernel.org/debian is the only one I know of.
>>
>> It would be good to have
Joey Hess:
> [...] there are situations where
> debootstrap is used without debian-archive-keyring being available, [...]
Please elaborate, which situations are these?
David Hubner:
> Hi,
>
> I am just wondering about a hypothetical situation where the master GPG key
> used for signing the debian archive was stolen. After creating a new master
> key and getting a new public key into the debian-keyring package, how would
> you get that to users?
>
> I mean if yo
Yves-Alexis Perez:
> On Fri, 2014-10-17 at 17:14 +0000, Patrick Schleizer wrote:
>> Debian has no good mechanism to revoke apt keys in case of compromise,
>> neither a way to inform users in emergency situations:
>> https://lists.debian.org/debian-security/2013/10/msg000
Yves-Alexis Perez:
> On Sat, 2014-10-18 at 13:55 +0000, Patrick Schleizer wrote:
>> Otherwise, what are the relevant people, how to contact them?
>
> You can find some hints in
> https://lists.debian.org/debian-security/2013/10/msg00066.html
>
> If it's really that