Package: debian-lan-config
Version: 0.26
Severity: serious
File: /usr/share/debian-lan-config/fai/config/scripts/LAST/50-misc
User: debian-de...@lists.debian.org
Usertags: bullseye-security

The above script references $release/updates but when bullseye is released that should be replaced by $release-security.

It looks like when a bullseye system is being installed, the setrel function does not recognise the target release and so it won't set up the apt sources.list at all. Then even if the release were recognised properly, the script would generate an incorrect sources.list using /updates instead of -security which would cause the target system to not get security updates from bullseye in a timely manner.

In addition, the SERVER_A sources.list references buster for the main set of packages but uses stable/updates for security updates. This means that after the bullseye release servers installed using the debian-lan-config package will get packages from buster but their security updates from bullseye, which seems incorrect.

$ grep -A100 setrel ./usr/share/debian-lan-config/fai/config/scripts/LAST/50-misc
setrel() {

    # if release is not set, try to determine it
    if [ -n "$release" ]; then
        return
    fi
    if [ ! -f $target/etc/os-release ]; then
        return
    fi

    dists="jessie stretch buster bionic xenial trusty"
    for d in $dists; do
        if grep -iq $d $target/etc/os-release; then
            release=$d
            break
        fi
    done
}

# if installation was done from CD, replace useless sources.list
setrel
if [ -f $target/etc/apt/sources.list -a -n "$release" ]; then
    grep -q 'file generated by fai-cd' $target/etc/apt/sources.list &&
        cat <<EOF > $target/etc/apt/sources.list
deb $apt_cdn/debian $release main contrib non-free
deb $apt_cdn/debian-security $release/updates main contrib non-free
#deb [trusted=yes] http://fai-project.org/download $release koeln
EOF

    # if the package fai-server was installed, enable the project's repository
    if [ -f $target/var/lib/dpkg/info/fai-server.list ]; then
        sed -i -e '/fai-project.org/s/^#//' $target/etc/apt/sources.list
    fi
fi

# for ARM architecture, we may need the kernel and initrd to boot or flash the device
if ifclass ARM64; then
    cp -pv $target/boot/vmlinuz* $target/boot/initrd* $FAI_RUNDIR
fi

exit $error

$ cat /usr/share/debian-lan-config/fai/config/files/etc/fai/apt/sources.list/SERVER_A
deb http://deb.debian.org/debian/ buster main
deb http://security.debian.org/ stable/updates main
deb http://deb.debian.org/debian/ buster-updates main

## Backports repository:
#deb http://deb.debian.org/debian/ buster-backports main

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (800, 'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.7.0-3-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

debian-lan-config depends on no packages.

debian-lan-config recommends no packages.

Versions of packages debian-lan-config suggests:
pn  fai-server  <none>

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
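The following shell functions are an added example, not code from the report or from debian-lan-config: they derive the security suite from the codename (`/updates` for jessie, stretch and buster, `-security` otherwise, assuming a Debian target) and flag a sources.list whose security suite does not match its main suite. The function names and the sample file are constructed for illustration, and lines are assumed to carry no `[options]` field.

```shell
#!/bin/sh
# Map a Debian codename to its security suite name.
# Assumption: any codename not listed is bullseye or newer.
security_suite() {
    case "$1" in
        '') return 1 ;;                               # unknown release: refuse to guess
        jessie|stretch|buster) echo "$1/updates" ;;   # old naming scheme
        *) echo "$1-security" ;;                      # bullseye and later
    esac
}

# Emit the two archive lines the report's heredoc writes, with the
# security suite chosen per release. $1 = mirror base URL, $2 = codename.
gen_sources() {
    gs_suite=$(security_suite "$2") || return 1
    printf 'deb %s/debian %s main contrib non-free\n' "$1" "$2"
    printf 'deb %s/debian-security %s main contrib non-free\n' "$1" "$gs_suite"
}

# Audit a sources.list: take the codename from the first non-security
# "deb" line and report every security line whose suite differs from the
# one expected for that codename. Returns 0 if consistent, 1 on a
# mismatch, 2 if no main archive line was found.
check_sources() {
    cs_main=$(awk '$1 == "deb" && $2 !~ /security/ { print $3; exit }' "$1")
    cs_want=$(security_suite "$cs_main") || return 2
    awk -v want="$cs_want" '
        $1 == "deb" && $2 ~ /security/ && $3 != want {
            print "mismatch: " $3 " (expected " want ")"
            bad = 1
        }
        END { exit bad + 0 }' "$1"
}

# Constructed sample: the active SERVER_A entries quoted in the report.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb http://deb.debian.org/debian/ buster main
deb http://security.debian.org/ stable/updates main
deb http://deb.debian.org/debian/ buster-updates main
EOF
check_sources "$sample" || echo "SERVER_A: security suite does not track the main suite"
gen_sources http://deb.debian.org bullseye
rm -f "$sample"
```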