Re: retry at email Security problem with deian12.10.0

2025-05-30 Thread Richard Owlett
On 5/30/25 6:26 AM, Donald MacKinnon wrote: mail.txt Dear Debian, I am having difficulty in attempting to access your facilities. [SNIP] In *NONE* of your posts to debian-user do you state the _address_ you are attempting to contact.

Re: retry at email Security problem with deian12.10.0

2025-05-30 Thread Alexander V. Makartsev
On 30.05.2025 16:26, Donald MacKinnon wrote: Dear Debian,  I am having difficulty in attempting to access your facilities. From Debian's response it would   appear a security issue. This is partially confirmed by "Open Printing's" response of "Not   Allowed"

retry at email Security problem with deian12.10.0

2025-05-30 Thread Donald MacKinnon
Dear Debian, I am having difficulty in attempting to access your facilities. From Debian's response it would appear a security issue. This is partially confirmed by "Open Printing's" response of "Not Allowed" by a request for the software required for my H

Re: Debian 12 security issue - please help to understand

2025-01-29 Thread Steve McIntyre
ra...@siliconet.pl wrote: > >On 29.01.2025 4:16 PM, Roberto C. Sánchez wrote: >> Yes, it still means that. The minizip binary package you are seeing >> comes from a different source package, also called minizip: >> >> https://packages.debian.org/source/bookworm/minizip > >Aha! Got it :-) > >And th

Re: Debian 12 security issue - please help to understand

2025-01-29 Thread Rafał Lichwała
On 29.01.2025 4:16 PM, Roberto C. Sánchez wrote: Yes, it still means that. The minizip binary package you are seeing comes from a different source package, also called minizip: https://packages.debian.org/source/bookworm/minizip Aha! Got it :-) And there are no binary components in Debian b

Re: Debian 12 security issue - please help to understand

2025-01-29 Thread Roberto C . Sánchez
On Wed, Jan 29, 2025 at 04:15:16PM +0100, Rafał Lichwała wrote: > >But still don't understand "Debian itself does *not* build the affected >component" as I can find "minizip" (and maybe other) package based on that >vulnerable library - see my previous post above as Re- to Hanno. > Yo

Re: Debian 12 security issue - please help to understand

2025-01-29 Thread Roberto C . Sánchez
e you are seeing comes from a different source package, also called minizip: https://packages.debian.org/source/bookworm/minizip > > that is what your job is: finding out whether the bug is really > > affecting you and if so, how to mitigate it. > > So, if I use "minizip"

Re: Debian 12 security issue - please help to understand

2025-01-29 Thread Rafał Lichwała
On 29.01.2025 3:30 PM, Roberto C. Sánchez wrote: On Wed, Jan 29, 2025 at 03:22:02PM +0100, Rafał Lichwała wrote: On 29.01.2025 2:43 PM, Dan Ritter wrote: CVSS are often bogus. Hmmm... I'm not sure what you mean. All security announcements in DSAs are referring to CVSS, so... w

Re: Debian 12 security issue - please help to understand

2025-01-29 Thread Rafał Lichwała
hanks for trying and patience :-) that is what your job is: finding out whether the bug is really affecting you and if so, how to mitigate it. So, if I use "minizip" or any other package based on vulnerable "zlib1g" in bookworm, that may be a security risk, right?

Re: Debian 12 security issue - please help to understand

2025-01-29 Thread Roberto C . Sánchez
On Wed, Jan 29, 2025 at 03:22:02PM +0100, Rafał Lichwała wrote: >On 29.01.2025 2:43 PM, Dan Ritter wrote: > > CVSS are often bogus. > > Hmmm... I'm not sure what you mean. All security announcements in DSAs are > referring to CVSS, so... what's the source of

Re: Debian 12 security issue - please help to understand

2025-01-29 Thread Roberto C . Sánchez
On Wed, Jan 29, 2025 at 08:43:12AM -0500, Dan Ritter wrote: > > Most recently: https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/ I was going to post a link to this very article when I saw that you already had :-) Regards, -Roberto -- Roberto C. Sánchez

Re: Debian 12 security issue - please help to understand

2025-01-29 Thread Rafał Lichwała
On 29.01.2025 2:43 PM, Dan Ritter wrote: CVSS are often bogus. Hmmm... I'm not sure what you mean. All security announcements in DSAs are referring to CVSS, so... what's the source of such opinion? Most recently: https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/ Yeah, an

Re: Debian 12 security issue - please help to understand

2025-01-29 Thread Rafał Lichwała
e just false-alarms because they are already fixed in Debian (as usually, in normal security fixes, backports or whatever) - even if that's not reflected in the package main version number - so I can easily find an information about that on Debian pages. But I can't find it - worse - I

Re: Debian 12 security issue - please help to understand

2025-01-29 Thread Dan Ritter
- > vulnerable", so why it has low priority? > > Maybe I just don't understand the process of this "Debian doesn't build the > vulnerable binary component", so please clarify in more details. > > > CVSS are often bogus. > > Hmmm... I'm not sure what

Re: Debian 12 security issue - please help to understand

2025-01-29 Thread Rafał Lichwała
On 29.01.2025 1:57 PM, David wrote: How does your "automatically scanned for possible vulnerabilities" actually work? I don't know, but it does not matter in that context. The fact is, that the result of this "magic scan" properly found and points out th

Re: Debian 12 security issue - please help to understand

2025-01-29 Thread Rafał Lichwała
se clarify in more details. CVSS are often bogus. Hmmm... I'm not sure what you mean. All security announcements in DSAs are referring to CVSS, so... what's the source of such opinion? Similar problem in second critical on the list: package "libaom3" which is a binary

Re: Debian 12 security issue - please help to understand

2025-01-29 Thread Dan Ritter
ng to this scan > there are 139 security vulnerabilities and 2 of them are CRITICAL (!). > I've started to dig further to find out what's going on there. > > First critical on the list is "zlib1g" binary Debian package which is a part > of (a result) of wider pac

Re: Debian 12 security issue - please help to understand

2025-01-29 Thread David
n discovered that according to this scan > there are 139 security vulnerabilities and 2 of them are CRITICAL (!). How does your "automatically scanned for possible vulnerabilities" actually work? Because Debian does backport security fixes, so simply checking the version number of the sof

Debian 12 security issue - please help to understand

2025-01-29 Thread Rafał Lichwała
Hi, I've prepared some docker image based on Debian 12 (bookworm, fully updated) and after uploading it to a local registry it has been automatically scanned for possible vulnerabilities. Then I was really surprised when I discovered that according to this scan there are 139 security vulnerabil

Re: Wazuh Security Alert

2024-07-22 Thread George at Clug
I guess this is the link as you comment in your post: https://security-tracker.debian.org/tracker/CVE-2023-37920 Name: CVE-2023-37920 Description: Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS

Re: Wazuh Security Alert

2024-07-22 Thread Todd Zullinger
Simon Bates wrote: > I recently started using Wazuh to manage the security of my servers and > Linux desktops. > > I have a Debian server that is raising the following alert: > > package.name: python3-certifi > > package.version: 2022.9.24-1 > > vulnerability

Wazuh Security Alert

2024-07-22 Thread Simon Bates
I recently started using Wazuh to manage the security of my servers and Linux desktops. I have a Debian server that is raising the following alert: package.name: python3-certifi package.version: 2022.9.24-1 vulnerability.id: CVE-2023-37920 https://nvd.nist.gov/vuln/detail/CVE-2023-37920

Re: Security Flaw:

2024-07-10 Thread David Christensen
On 7/9/24 23:34, Richard Bostrom wrote: I cannot update my passphrase in crypttab although the passphrase is updated in the OS I cannot enter my OS without using the latest passphrase. Yours sincerely Richardh Bostrom Passphrases in crypttab(5) are for disks, disk partitions, virtual device

Re: Changing the passphrase in crypttab [Was: Security Flaw:]

2024-07-10 Thread Ceppo
On Wed, Jul 10, 2024 at 09:09:06AM GMT, Ceppo wrote: > If this isn't your case, we probably need some more details to be able to > help you. And I forgot the most important question: how did you encrypt your disk? -- Ceppo signature.asc Description: PGP signature

Re: Changing the passphrase in crypttab [Was: Security Flaw:]

2024-07-10 Thread Ceppo
rase. What happens when you enter the old passphrase? And what when you enter the new one? P.S.: you should always choose a meaningful subject for your emails. "Security Flaw" really looks like spam and is easily discarded by spam filters, and even if the message were delivered most p

Security Flaw:

2024-07-09 Thread Richard Bostrom
I cannot update my passphrase in crypttab although the passphrase is updated in the OS I cannot enter my OS without using the latest passphrase. Yours sincerely Richardh Bostrom

Re: Security hole in kernel fixed?

2024-05-15 Thread Stanislav Vlasov
Wed, 15 May 2024 at 16:55, Hans : > Dear developers, Users. > in April 2024 the security hole CVE-2023-6546 was discovered in linux-image, > and I believe, it is fixed in kernel 6.1.0 (from debian/stable) as soon after > this a new kernel was released. https://security-tracke

Re: Security hole in kernel fixed?

2024-05-15 Thread The Wanderer
On 2024-05-15 at 03:05, Hans wrote: > Dear developers, As usual, most of us here are not Debian developers, even if some of us may be software developers. > in April 2024 the security hole CVE-2023-6546 was discovered in linux-image, > and I believe, it > is fixed in kernel 6.1.0

Security hole in kernel fixed?

2024-05-15 Thread Hans
Dear developers, in April 2024 the security hole CVE-2023-6546 was discovered in linux-image, and I believe, it is fixed in kernel 6.1.0 (from debian/stable) as soon after this a new kernel was released. However, there is no new kernel 6.5.0-*-bpo released at that time, so my question

Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise

2024-03-30 Thread Andy Smith
e been yet tackled by Debian? You can find a reference for advisories here: https://www.debian.org/security/ And you can be fed info by email by subscribing to: https://lists.debian.org/debian-security-announce/ Between those last two links your specific question here is answered but

Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise

2024-03-30 Thread Michel Verdier
On 2024-03-30, fxkl4...@protonmail.com wrote: > so is this a threat to us normal debian users > if so how do we fix it Debian stable is not affected, Debian testing, unstable and experimental must be updated. https://lists.debian.org/debian-security-announce/2024/msg00057.html

Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise

2024-03-30 Thread fxkl47BF
key) passed to RSA_public_decrypt, checked > against a simple fingerprint, and decrypted with a fixed ChaCha20 key > before the Ed448 signature verification..." Also see > <https://www.openwall.com/lists/oss-security/2024/03/30/36>. > > On Fri, Mar 29, 2024 at 1:52 PM Jeffrey W

Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise

2024-03-30 Thread Jeffrey Walton
ature verification..." Also see <https://www.openwall.com/lists/oss-security/2024/03/30/36>. On Fri, Mar 29, 2024 at 1:52 PM Jeffrey Walton wrote: > > Seems relevant since Debian adopted xz about 10 years ago. > > -- Forwarded message - > From: Andres Fr

Re: Fwd: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise

2024-03-29 Thread Andy Smith
Hello, On Fri, Mar 29, 2024 at 01:52:18PM -0400, Jeffrey Walton wrote: > Seems relevant since Debian adopted xz about 10 years ago. Though we do not know how or why this developer has come to recently put apparent exploits in it, so we can't yet draw much of a conclusion beyond "sometimes people

Re: Fwd: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise

2024-03-29 Thread Roberto C . Sánchez
On Fri, Mar 29, 2024 at 01:52:18PM -0400, Jeffrey Walton wrote: > Seems relevant since Debian adopted xz about 10 years ago. > Also note that this has been addressed in Debian: https://lists.debian.org/debian-security-announce/2024/msg00057.html Provided here for the benefit of those who a

Re: seeding /dev/random from a security key

2024-03-26 Thread Jeffrey Walton
On Tue, Mar 26, 2024 at 7:12 PM Björn Persson wrote: > > Jeffrey Walton wrote: > > For what you want to do, and if I am parsing it correctly... I would > > write a daemon in C [...] > > Only in the unlikely case that both RNGD and SCDrand turn out unsuitable > somehow. Writing and compiling a daem

Re: seeding /dev/random from a security key

2024-03-26 Thread Björn Persson
Jeffrey Walton wrote: > For what you want to do, and if I am parsing it correctly... I would > write a daemon in C [...] Only in the unlikely case that both RNGD and SCDrand turn out unsuitable somehow. Writing and compiling a daemon is no less work than compiling an already written daemon. > The

Re: seeding /dev/random from a security key

2024-03-26 Thread Jeffrey Walton
t; > Be careful of rng-tools. It does not do a good job for non-mainstream > > generators, like VIA's Padlock Security Engine. And rng-tools did not > > support generators for architectures, like you would find on ARM, > > aarch64 and PowerPC. > > I figure it can b

Re: seeding /dev/random from a security key

2024-03-26 Thread Björn Persson
computer instead of buying a tiny dongle? > Be careful of rng-tools. It does not do a good job for non-mainstream > generators, like VIA's Padlock Security Engine. And rng-tools did not > support generators for architectures, like you would find on ARM, > aarch64 and PowerPC. I

Re: seeding /dev/random from a security key

2024-03-25 Thread Jeffrey Walton
On Mon, Mar 25, 2024 at 4:33 PM Björn Persson wrote: > > In a quest to acquire hardware random number generators for seeding > /dev/random on servers that lack a built-in entropy source, I'm > investigating how random data can be obtained from a security key such > as a Ni

Re: seeding /dev/random from a security key

2024-03-25 Thread Björn Persson
m investigating whether security keys can be used instead. Security keys are available from multiple vendors, but it's hard to find any information about the random number generators inside them. > OneRNG is still in production. I tried to buy one of those a while ago, but I couldn't

Re: seeding /dev/random from a security key

2024-03-25 Thread Greg Wooledge
On Mon, Mar 25, 2024 at 06:09:02PM -0400, e...@gmx.us wrote: > On 3/25/24 17:27, Andy Smith wrote: > > The thread covers how to make rngd feed /dev/random from a OneRNG in > > Debian 12, but it is no longer possible to tell if that does > > anything useful. > > If not from devices like this, from

Re: seeding /dev/random from a security key

2024-03-25 Thread eben
On 3/25/24 17:27, Andy Smith wrote: The thread covers how to make rngd feed /dev/random from a OneRNG in Debian 12, but it is no longer possible to tell if that does anything useful. If not from devices like this, from where does Debian get its randomness? -- For is it not written, wheresoever

Re: seeding /dev/random from a security key

2024-03-25 Thread Andy Smith
Hi, On Mon, Mar 25, 2024 at 09:24:23PM +0100, Björn Persson wrote: > Does anyone know of another way to obtain random data from devices of > this kind? I have some EntropyKeys and some OneRNGs. I have the rngd packaged in Debian feeding /dev/random from them. This had an actual noticeable effect

seeding /dev/random from a security key

2024-03-25 Thread Björn Persson
Hello! In a quest to acquire hardware random number generators for seeding /dev/random on servers that lack a built-in entropy source, I'm investigating how random data can be obtained from a security key such as a Nitrokey, Yubikey or a similar device. RNGD version 6 from https://githu

Re: No Release file for Security Update

2024-01-19 Thread debian-user
Tixy wrote: > On Thu, 2024-01-18 at 12:06 -0600, John Hasler wrote: > > Tixy writes: > > > Where could your machine be getting this IP address from?  It's > > > the same IP address shown in your output when you used the > > > incorrect address 'ftp.security.debian.org' and for me that > > > does

SOLVED Re: No Release file for Security Update SOLVED

2024-01-18 Thread Thomas George
://deb.debian.org/debian/ bookworm-updates main non-free-firmware contrib non-free deb-src http://deb.debian.org/debian/ bookworm-updates main non-free-firmware contrib non-free deb http://security.debian.org/debian-security bookworm-security main non-free-firmware contrib non-free deb-src http

Re: No Release file for Security Update

2024-01-18 Thread Greg Wooledge
On Thu, Jan 18, 2024 at 10:59:48AM -0600, John Hasler wrote: > Host gives me the same result. However, apt says: > > 0% [Connecting to security-debian.org (57.128.81.193)] security-debian.org and security.debian.org are different names.

Re: No Release file for Security Update

2024-01-18 Thread Tixy
for me too. > > > > > > > > I was using the address that George _said_ he used in his email, > > > > obviously he was wrong and just mis-typing emails rather than copy and > > > > pasting in what he was actually using :-( > > > > Of course you're also guilty John ;-) saying 'ftp.security.debian.org' > > resolved, but at least you pasted a command showing what you really > > used :-) And now you can all point out that it was me that was misquoting the address and using a dot where in fact everyone else was using a hyphen in 'debian-security'. I'll now slink away red faced and try and find a hole big enough to crawl into... -- Tixy

Re: No Release file for Security Update

2024-01-18 Thread Tixy
On Thu, 2024-01-18 at 18:16 +, Tixy wrote: > On Thu, 2024-01-18 at 12:06 -0600, John Hasler wrote: > > Tixy writes: > > > Where could your machine be getting this IP address from?  It's the > > > same IP address shown in your output when you used the incorrect > > > address 'ftp.security.debian

Re: No Release file for Security Update

2024-01-18 Thread Tixy
On Thu, 2024-01-18 at 12:06 -0600, John Hasler wrote: > Tixy writes: > > Where could your machine be getting this IP address from?  It's the > > same IP address shown in your output when you used the incorrect > > address 'ftp.security.debian.org' and for me that doesn't resolve to > > any IP addre

Re: No Release file for Security Update

2024-01-18 Thread John Hasler
<- opcode: QUERY, status: NOERROR, id: 2686 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;ftp.security-debian.org. IN A ;; ANSWER SECTION: ftp.security-debian.org. 3296 IN

Re: No Release file for Security Update

2024-01-18 Thread Tixy
On Thu, 2024-01-18 at 10:48 -0500, Thomas George wrote: > On 1/17/24 20:52, Greg Wooledge wrote: > > On Wed, Jan 17, 2024 at 08:40:58PM -0500, Thomas George wrote: > > > deb http://ftp.security-debian.org/debian-security/ bookworm-security main > > > non-free non-free

Re: No Release file for Security Update

2024-01-18 Thread John Hasler
Host gives me the same result. However, apt says: 0% [Connecting to security-debian.org (57.128.81.193)] and times out. Using "nameserver 8.8.8.8" changes nothing. -- John Hasler j...@sugarbit.com Elmwood, WI USA

Re: No Release file for Security Update

2024-01-18 Thread John Hasler
Thomas George wrote: > I typed the above line exactly. apt-get update searches for > security.debian.org:80 [57.128.81.193] and times out, no connection Gene writes: > And that is not the address I get from here It's the one I get from here, and it times out. My DNS is working. -- John Hasler

Re: No Release file for Security Update SOLVED

2024-01-18 Thread Thomas George
non-free deb-src http://deb.debian.org/debian/ bookworm-updates main non-free-firmware contrib non-free deb http://security.debian.org/debian-security bookworm-security main non-free-firmware contrib non-free deb-src http://security.debian.org/debian-security bookworm-security main non-free

Re: No Release file for Security Update

2024-01-18 Thread Thomas George
On 1/17/24 22:54, Todd Zullinger wrote: Greg Wooledge wrote: On Wed, Jan 17, 2024 at 08:40:58PM -0500, Thomas George wrote: deb http://ftp.security-debian.org/debian-security/ bookworm-security main non-free non-free-firmware Stop guessing, and *read* what you were told to use. https

Re: No Release file for Security Update

2024-01-18 Thread Greg Wooledge
On Thu, Jan 18, 2024 at 10:59:34AM -0500, gene heskett wrote: > And that is not the address I get from here > ping -c1 security.debian.org > PING security.debian.org (151.101.2.132) 56(84) bytes of data. > 64 bytes from 151.101.2.132 (151.101.2.132): icmp_seq=1 ttl=59 time=15.8 ms > > Your dns isn

Re: No Release file for Security Update

2024-01-18 Thread gene heskett
On 1/18/24 10:49, Thomas George wrote: On 1/17/24 20:52, Greg Wooledge wrote: On Wed, Jan 17, 2024 at 08:40:58PM -0500, Thomas George wrote: deb http://ftp.security-debian.org/debian-security/ bookworm-security main non-free non-free-firmware Stop guessing, and *read* what you were told to

Re: No Release file for Security Update

2024-01-18 Thread gene heskett
On 1/18/24 10:49, Thomas George wrote: On 1/17/24 20:52, Greg Wooledge wrote: On Wed, Jan 17, 2024 at 08:40:58PM -0500, Thomas George wrote: deb http://ftp.security-debian.org/debian-security/ bookworm-security main non-free non-free-firmware Stop guessing, and *read* what you were told to

Re: No Release file for Security Update

2024-01-18 Thread Thomas George
On 1/17/24 20:52, Greg Wooledge wrote: On Wed, Jan 17, 2024 at 08:40:58PM -0500, Thomas George wrote: deb http://ftp.security-debian.org/debian-security/ bookworm-security main non-free non-free-firmware Stop guessing, and *read* what you were told to use. https://lists.debian.org/debian

update of bookworm-security failed Formerly Re: No Release file for Security Update

2024-01-18 Thread Thomas George
*keep* non-free-firmware, though. Also, if you don't want to use plain http, you can change this to https. deb http://ftp.debian.org/debian/ bookworm-security  main non-free non-free-firmware This one is incorrect, but someone else already addressed that one. Be sure you actually fo

Re: No Release file for Security Update

2024-01-17 Thread Charles Curley
-firmware > > deb http://ftp.debian.org/debian/ bookworm-updates main non-free > non-free-firmware > > # deb http://ftp.debian.org/debian/ bookworm-backports main non-free > non-free-firmware > > deb http://ftp.debian.org/debian/ bookworm-security  main non-free > non-

Re: No Release file for Security Update

2024-01-17 Thread Todd Zullinger
Greg Wooledge wrote: > On Wed, Jan 17, 2024 at 08:40:58PM -0500, Thomas George wrote: >> deb http://ftp.security-debian.org/debian-security/ bookworm-security main >> non-free non-free-firmware > > Stop guessing, and *read* what you were told to use. > > https://lists.

Re: No Release file for Security Update

2024-01-17 Thread Greg Wooledge
On Wed, Jan 17, 2024 at 08:40:58PM -0500, Thomas George wrote: > deb http://ftp.security-debian.org/debian-security/ bookworm-security main > non-free non-free-firmware Stop guessing, and *read* what you were told to use. https://lists.debian.org/debian-user/2024/01/msg00778.html

Re: No Release file for Security Update

2024-01-17 Thread Thomas George
f you don't want to use plain http, you can change this to https. deb http://ftp.debian.org/debian/ bookworm-security  main non-free non-free-firmware This one is incorrect, but someone else already addressed that one. Be sure you actually follow their instructions correctly. The

Re: No Release file for Security Update

2024-01-17 Thread Greg Wooledge
plain http, you can change this to https. > deb http://ftp.debian.org/debian/ bookworm-security  main non-free > non-free-firmware This one is incorrect, but someone else already addressed that one. Be sure you actually follow their instructions correctly. The hostnames security.debian.org an

Re: No Release file for Security Update

2024-01-17 Thread Thomas George
On 1/17/24 16:13, Tom Furie wrote: Thomas George writes: deb http://ftp.debian.org/debian/ bookworm-security  main non-free non-free-firmware Err:5 http://ftp.debian.org/debian bookworm-security Release   404  Not Found [IP: 151.101. I entered your suggested line as http

Re: No Release file for Security Update

2024-01-17 Thread Tom Furie
Thomas George writes: > deb http://ftp.debian.org/debian/ bookworm-security  main non-free > non-free-firmware > Err:5 http://ftp.debian.org/debian bookworm-security Release >   404  Not Found [IP: 151.101. Your source is incorrect. The security repo is at "http://security.

Re: No Release file for Security Update

2024-01-17 Thread Thomas George
-firmware # deb http://ftp.debian.org/debian/ bookworm-backports main non-free non-free-firmware deb http://ftp.debian.org/debian/ bookworm-security  main non-free non-free-firmware sources.list (END) root@Phoenix:/etc/apt# apt-get update Hit:1 http://ftp.debian.org/debian bookworm InRelease

Re: No Release file for Security Update

2024-01-16 Thread Greg Wooledge
On Tue, Jan 16, 2024 at 05:48:27PM +0100, Marco Moock wrote: > On 16.01.2024 at 11:30:09, Thomas George wrote: > > > The result was  bookworm InRelease, bookworm-updates InRelease, > > bookworm-secutity Relesse 404 Not Found [IP: 146.75.30.132 80] > ^ > > There seems to be a ty

Re: No Release file for Security Update

2024-01-16 Thread Marco Moock
On 16.01.2024 at 11:30:09, Thomas George wrote: > The result was  bookworm InRelease, bookworm-updates InRelease, > bookworm-secutity Relesse 404 Not Found [IP: 146.75.30.132 80] ^ There seems to be a typo!

Re: No Release file for Security Update

2024-01-16 Thread Greg Wooledge
On Tue, Jan 16, 2024 at 11:30:09AM -0500, Thomas George wrote: > I commented out the dvd and added to sources.list lines for bookworm, > bookworm-updates and bookworm-security. What lines did you add? > Ran apt-get update > > The result was  bookworm InRelease, bookworm-up

No Release file for Security Update

2024-01-16 Thread Thomas George
My system is Bookworm installed from the first DVD which was downloaded with the checksums and successfully checked. I commented out the dvd and added to sources.list lines for bookworm, bookworm-updates and bookworm-security. Ran apt-get update The result was  bookworm InRelease, bookworm

Re: Where to report CVEs missing from the security tracker ?

2024-01-09 Thread Sven Joachim
On 2024-01-09 16:57 +0100, Jorropo wrote: > Hello, there are 6 CVEs on the golang-go package which are not on > https://security-tracker.debian.org/tracker/status/release/stable They are there, just not shown by default. Toggle the "include issues tagged no-dsa" checkbox t

Where to report CVEs missing from the security tracker ?

2024-01-09 Thread Jorropo
Hello, there are 6 CVEs on the golang-go package which are not on https://security-tracker.debian.org/tracker/status/release/stable I couldn't find them either there https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;package=golang-go The list is: - CVE-2023-29409 https://pkg.g

Re: APT preferring `stable` over `stable-security`

2023-12-26 Thread Max Nikulin
On 26/12/2023 23:23, Dan Ritter wrote: https://wiki.debian.org/AptConfiguration#Be_careful_with_APT::Default-Release (quoted entirely) But omitting a couple of links to comments from developers that APT::Default-Release is deprecated. A tool to debug issues with upgrades is apt policy

Re: APT preferring `stable` over `stable-security`

2023-12-26 Thread Stefan Monnier
>> What am I missing? > https://wiki.debian.org/AptConfiguration#Be_careful_with_APT::Default-Release Indeed! Thank you! Apparently the release notes didn't warn me loudly enough about it :-( Stefan

Re: APT preferring `stable` over `stable-security`

2023-12-26 Thread Stefan Monnier
>> I take it this is bookworm. In that case, you also need: >> >> # bookworm-updates, to get updates before a point release is made; >> # see >> https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports >> deb http://deb.debian.org/debian bookworm-updates main contrib

Re: APT preferring `stable` over `stable-security`

2023-12-26 Thread Dan Ritter
after > > apt install openssh-server/stable-security > > did the machine get the new version :-( > > The `sources.list` files says: > > deb http://security.debian.org/ stable-security main > deb http://deb.debian.org/debian stable main > > and the `ap

Re: APT preferring `stable` over `stable-security`

2023-12-26 Thread Stefan Monnier
>> The `sources.list` files says: >> >> deb http://security.debian.org/ stable-security main >> deb http://deb.debian.org/debian stable main > > I take it this is bookworm. In that case, you also need: > > # bookworm-updates, to get updates before a poi

Re: APT preferring `stable` over `stable-security`

2023-12-26 Thread Charles Curley
On Tue, 26 Dec 2023 11:12:01 -0500 Stefan Monnier wrote: > The `sources.list` files says: > > deb http://security.debian.org/ stable-security main > deb http://deb.debian.org/debian stable main I take it this is bookworm. In that case, you also need: # bookworm-updates, to

APT preferring `stable` over `stable-security`

2023-12-26 Thread Stefan Monnier
I noticed today that one of my machines was still running openssh 1:9.2p1-2+deb12u1 rather than 1:9.2p1-2+deb12u2 even though it is supposed to do its unattended-upgrades, so I tried a manual upgrade and the result was still the same. Only after apt install openssh-server/stable-security

Re: Security vulnerability at curl package: CVE-2023-44487: HTTP/2 Rapid Reset

2023-11-28 Thread Phil Wyett
ufsichtsrats: Dr. Markus Forschner > ​ > Hi, For Ubuntu reference of which versions are or are not affected, see: https://ubuntu.com/security/CVE-2023-44487 Regards Phil -- Playing the game for the games sake. * Debian Maintainer Web: * Debian Wiki: https://wiki.debian.org/Phil

Re: Security vulnerability at curl package: CVE-2023-44487: HTTP/2 Rapid Reset

2023-11-28 Thread Brad Rogers
On Tue, 28 Nov 2023 08:56:28 + "Marold Marcus (DC-AE/ESW1)" wrote: Hello Marold, Firstly, we're (for the most part) users, not developers. >I would like to request an upgrade of the curl package (Linux Ubuntu >Core 22 / Secondly, we're _Debian_ users not Ubuntu. You'll have to take it up

Re: Security vulnerability at curl package: CVE-2023-44487: HTTP/2 Rapid Reset

2023-11-28 Thread Andy Smith
to by users. It's not the place to officially report bugs, at least not if you want them to be read by the package maintainers and to have some sort of audit trail. Looking at: https://security-tracker.debian.org/tracker/CVE-2023-44487 https://security-tracker.debian.org/tracker/so

Re: Security vulnerability at curl package: CVE-2023-44487: HTTP/2 Rapid Reset

2023-11-28 Thread Marco Moock
On 28.11.2023 at 08:56:28, Marold Marcus (DC-AE/ESW1) wrote: > I would like to request an upgrade of the curl package (Linux Ubuntu > Core 22 / Jammy) to Nghttp2 v1.57.0 because of > CVE-2023-44487: > HTTP/2 Rapid Reset. That is the debian u

Security vulnerability at curl package: CVE-2023-44487: HTTP/2 Rapid Reset

2023-11-28 Thread Marold Marcus (DC-AE/ESW1)
Hello, I would like to request an upgrade of the curl package (Linux Ubuntu Core 22 / Jammy) to Nghttp2 v1.57.0 because of CVE-2023-44487: HTTP/2 Rapid Reset. https://nghttp2.org/blog/2023/10/10/nghttp2-v1-57-0/ Thank you in advance. Mit fre

Re: Security question about daemon-init

2023-08-29 Thread Darac Marjal
On 29/08/2023 18:35, Bhasker C V wrote: Apologies in advance for cross-group posting. I have enabled selinux  and after carefully allowing certain permissions, I have put my system in enforcing mode I do see a suspicious line like this [  115.089395] audit: type=1400 audit(1693329979.841:1

Security question about daemon-init

2023-08-29 Thread Bhasker C V
Apologies in advance for cross-group posting. I have enabled selinux and after carefully allowing certain permissions, I have put my system in enforcing mode I do see a suspicious line like this [ 115.089395] audit: type=1400 audit(1693329979.841:11): avc: denied { getattr } for pid=3104 c

PS/PDF etc in import-im6.q16 not allowed by security policy

2023-06-09 Thread David Wright
[3rd attempt; first two flagged as spam] On Thu 08 Jun 2023 at 17:11:01 (+0200), Roger Price wrote: > On Thu, 8 Jun 2023, Greg Wooledge wrote: > > > Roger, what is the full command that you used? When I tested with > > "import foo.png" it worked as expected. One might assume that that's because

Re: Link to import-im6.q16 not allowed by security policy ?

2023-06-08 Thread Greg Wooledge
On Thu, Jun 08, 2023 at 04:51:44PM +0200, Roger Price wrote: > I used to type "import foo.jpg" but got into the habit of typing "import > /tmp/foo" which produces the error message. > > So this afternoon I went back to typing "import foo.jpg" and this works > correctly, exactly as expected. Thank

Re: Link to import-im6.q16 not allowed by security policy ?

2023-06-08 Thread Roger Price
On Thu, 8 Jun 2023, Greg Wooledge wrote: Roger, what is the full command that you used? When I tested with "import foo.png" it worked as expected. Previously I used to type "import foo.jpg" but got into the habit of typing "import /tmp/foo" which I now understand produces the error message.

Re: Link to import-im6.q16 not allowed by security policy ?

2023-06-08 Thread Roger Price
On Thu, 8 Jun 2023, Greg Wooledge wrote: Roger, what is the full command that you used? When I tested with "import foo.png" it worked as expected. I used to type "import foo.jpg" but got into the habit of typing "import /tmp/foo" which produces the error message. So this afternoon I went b

Re: Link to import-im6.q16 not allowed by security policy ?

2023-06-08 Thread Thomas Schmitt
Hi, Greg Wooledge wrote: > You must have got a completely different set of Google results than I did. That's a known effect from Google watching people digging in the web. But maybe this time it's only the search string. I entered attempt to perform an operation not allowed by

Re: Link to import-im6.q16 not allowed by security policy ?

2023-06-08 Thread Greg Wooledge
On Thu, Jun 08, 2023 at 02:39:11PM +0200, Thomas Schmitt wrote: > Hi, > > Roger Price wrote: > > > import-im6.q16: attempt to perform an operation not allowed by the > > > security > > > policy `PS' @ error/constitute.c/IsCoderAuthorized/421. > >

Re: Link to import-im6.q16 not allowed by security policy ?

2023-06-08 Thread Thomas Schmitt
Hi, Roger Price wrote: > > import-im6.q16: attempt to perform an operation not allowed by the security > > policy `PS' @ error/constitute.c/IsCoderAuthorized/421. Greg Wooledge wrote: > I tried googling the error message, and I get extremely confusing results, > but as

Re: Link to import-im6.q16 not allowed by security policy ?

2023-06-08 Thread Greg Wooledge
he soft link > > ln -s /usr/bin/import /usr/bin/screen-grab > > Now, whenever I try to run screen-grab or import or import-im6.q16 I get the > error message: > > import-im6.q16: attempt to perform an operation not allowed by the security > policy `PS' @ error/cons

Link to import-im6.q16 not allowed by security policy ?

2023-06-08 Thread Roger Price
I try to run screen-grab or import or import-im6.q16 I get the error message: import-im6.q16: attempt to perform an operation not allowed by the security policy `PS' @ error/constitute.c/IsCoderAuthorized/421. So I removed the link, but calls to import still produce the error message.

Re: Bullseye debian security support?

2023-05-31 Thread Marc SCHAEFER
Hello, On Wed, May 31, 2023 at 11:37:34AM -0700, John Conover wrote: > How long will Debian Bullseye have debian security team support after > Bookworm is announced? LTS planning is here: https://wiki.debian.org/LTS bullseye will be LTS-supported til June 2026 (not yet clearly defined
