Your message dated Thu, 05 Sep 2019 14:46:03 +0000
with message-id <e1i5t1p-0006hd...@fasolo.debian.org>
and subject line Bug#935092: fixed in inetsim 1.3.1+dfsg.1-1
has caused the Debian Bug report #935092,
regarding Serious issues with inetsim in Debian 10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
935092: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935092
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: inetsim
Version: 1.2.7+dfsg.1-1
Severity: serious

Debian source and binary packages for INetSim have been provided
with the official inetsim.org APT repository for 10+ years, see
<https://www.inetsim.org/packages.html>.

Earlier versions of our .deb packages did not comply with the
Debian policy as they included precompiled Windows executables.
More than a year ago, we decided to change this by re-building
the binaries at package build time using gcc-mingw-w64-i686 and
prepared the necessary code changes in the development branch.
However, users of INetSim asked us not to change the sample
binaries included with INetSim since the first release, so we
postponed this change for the release branch.

Background:
INetSim is used with lots of automated malware analysis systems
at AV companies and other security orgs around the world. Many of
those systems use the well-known hashsums of the sample binaries
to evaluate if malware tries to download an executable file.

With the release of INetSim version 1.3.0, we finally decided to
merge this change into the release branch and make the postinst
script show a warning on the change of the binaries to the user
on installation/upgrade along with instructions on how to
download the old binaries from the project website and install
them manually if needed.

We have now been made aware that an older version of INetSim has
already been included in the official Debian repository
(unfortunately, we did not know about this) and the package now
also available in Debian 10 replaces the original sample binaries
with recompiled versions without showing any warning to the user,
which is a VERY BAD idea as explained before.

Many users use our apt repository for installing INetSim while
others download the .deb and install it manually using dpkg.
If a system was running Debian 9 with INetSim (< 1.2.7) installed
manually (or via apt with a lower priority configured for our
repository) and the system is now upgraded to Debian 10, INetSim
will be upgraded to the version included with the official Debian
repository and the user will not be notified of the change of the
sample binaries.

To prevent more automated malware analysis systems using INetSim
from creating false reports due to this (unintended) upgrade,
we would like to ask you to release updated packages for INetSim
showing a warning on the change of the sample binaries along with
instructions on how to install the old binaries for Debian 10
through debian-updates or even debian-security as soon as possible.


Another issue:
The postinst script of the Debian 10 package copies all files from
/usr/share to /var/lib, including the files in data/certs.
So it will a) overwrite existing certificate files and b) never
generate a custom certificate.
The correct workflow should be:
a) Keep existing certificate files on upgrades
b) If one of the files does not exist, try using OpenSSL to generate
   a custom certificate
c) If that fails, copy the files from /usr/share/inetsim/data/certs


Also, the inetsim 1.2.8 package available in testing/unstable has
the following dependencies:

Recommends: libio-socket-ssl-perl, openssl
Suggests: libiptables-ipv4-ipqueue-perl, iptables

This is not correct, as INetSim has been using libnfqueue-perl
instead of libiptables-ipv4-ipqueue-perl since version 1.2.8.
This package should be recommended instead of suggested.
So the correct dependencies should look like:

Recommends: libio-socket-ssl-perl, openssl, libnfqueue-perl, iptables


Please consider using the Debian sources provided with our apt source
repository (see <https://www.inetsim.org/packages.html>).


Kind regards
Thomas Hungenberg & Matthias Eckert
INetSim Development Team

--- End Message ---
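The certificate workflow the report asks for (keep existing files on upgrade, otherwise generate a pair with OpenSSL, otherwise fall back to the shipped sample), as an added POSIX shell example that is not the Debian package's postinst script; the file names default_cert.pem/default_key.pem, the OPENSSL variable and the two directory arguments are assumptions.

```shell
#!/bin/sh
# Added example, not the inetsim package's postinst. File names and the
# directory layout are assumptions; OPENSSL lets a caller point at a
# different binary (or a missing one, to exercise the fallback).
set -u
OPENSSL="${OPENSSL:-openssl}"

# ensure_certs SHARE_DIR VAR_DIR
# Prints the action taken: kept, generated, or copied.
ensure_certs() {
    share_dir="$1"
    var_dir="$2"
    cert="$var_dir/default_cert.pem"
    key="$var_dir/default_key.pem"
    mkdir -p "$var_dir"

    # a) An upgrade must never clobber a certificate already in place.
    if [ -s "$cert" ] && [ -s "$key" ]; then
        echo kept
        return 0
    fi

    # b) Generate a host-specific self-signed pair. Write to temp names
    #    first so a failed run leaves no half-written key or cert behind.
    if command -v "$OPENSSL" >/dev/null 2>&1 &&
       "$OPENSSL" req -x509 -newkey rsa:2048 -nodes -days 3650 \
           -subj "/CN=inetsim" \
           -keyout "$key.tmp" -out "$cert.tmp" >/dev/null 2>&1; then
        mv "$key.tmp" "$key" && mv "$cert.tmp" "$cert"
        chmod 600 "$key"
        echo generated
        return 0
    fi
    rm -f "$key.tmp" "$cert.tmp"

    # c) Last resort: the sample pair shipped under /usr/share. This is
    #    the only case where every host ends up with the same key.
    cp "$share_dir/default_cert.pem" "$cert" &&
    cp "$share_dir/default_key.pem" "$key" &&
    echo copied
}
```

Running it twice against the same VAR_DIR prints "kept" the second time, which is the property the report says the Debian 10 postinst lacked.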
--- Begin Message ---
Source: inetsim
Source-Version: 1.3.1+dfsg.1-1

We believe that the bug you reported is fixed in the latest version of
inetsim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 935...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <raph...@offensive-security.com> (supplier of updated inetsim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 05 Sep 2019 15:29:11 +0200
Source: inetsim
Architecture: source
Version: 1.3.1+dfsg.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Security Tools <team+pkg-secur...@tracker.debian.org>
Changed-By: Raphaël Hertzog <raph...@offensive-security.com>
Closes: 935092 935278
Changes:
 inetsim (1.3.1+dfsg.1-1) unstable; urgency=medium
 .
   [ Sophie Brun ]
   * Team upload.
   * New upstream version 1.3.1+dfsg.1
   * Update upstream page to use https
   * Use debhelper-compat 12
   * Update debian/copyright
   * d/control:
     - all Suggests are now in Recommends
     - recommends libnfqueue-perl instead of
       libiptables-ipv4-ipqueue-perl
     - d/control: add missing Pre-Depends
   * d/rules:
     - use i686-w64-mingw32-strip on .exe and change permissions
     - change dh_installinit to --no-restart-after-upgrade
   * Remove d/inetsim.prerm: no need to stop inetsim manually
   * d/inetsim.postinst:
       - update examples copy to not copy certs directory
       - add important warning message (Closes: #935092)
       - add upstream welcome message
       - change ownership of /var/lib/inetsim if upgrade
       - use openssl to generate certs and add openssl in Depends
   * d/inetsim.default d/inetsim.init: remove AUTO_CONF parameter like upstream
   * Remove user and group in purge (Closes: #935278)
   * Refresh patches
   * Add an upstream patch: sample.readme.patch
   * Add lintian-overrides for recursive chown in postinst
   * Bump Standards-Version to 4.4.0 (no changes required)
 .
   [ Raphaël Hertzog ]
   * Rebuild the manual pages as we are patching the source files
   * Show the upstream warning on upgrade only
   * Rework the Debian patch set into 3 logical changes


--- End Message ---