
List:       kolab-devel
Subject:    Re: [Kolab-devel] Erlang security update breaks guam on Debian 10
From:       Lennart Ackermans <lennart () ackermans ! ch>
Date:       2023-07-17 22:13:15
Message-ID: 0102018965ea34ce-f28e464f-f9ca-4010-ba0e-48d9752cc74b-000000 () eu-west-1 ! amazonses ! com


Debian security packages are usually not in mirrors, so you should also add the official security repo:
http://security.debian.org/debian-security/dists/buster/updates/main/

Lennart


> On 17 Jul 2023, at 23:15, Christoph Erhardt <christoph.erhardt@sicherha.de> wrote:
> 
> Hi Christian,
> 
> unfortunately I'm not familiar with the admin side of OBS. The most plausible 
> thing I have found would be this settings page:
> 
>  https://obs.kolabsys.com/repositories/Debian:10.0
> 
> The mirror URLs configured there lead to a 404, though. It seems there's a 
> path component (`/dists/`) missing in the middle.
> 
>  Broken: https://mirror.switch.ch/ftp/mirror/debian/buster
> Working: https://mirror.switch.ch/ftp/mirror/debian/dists/buster
> 
> Maybe this will suffice to trigger a download-on-demand [1] on the next 
> package build.
> 
> Best,
> Christoph
> 
> [1] https://openbuildservice.org/help/manuals/obs-user-guide/cha.obs.concepts.html#concept_dod
> 
>> On Monday, 17 July 2023 07:12:51 CEST Christian Mollekopf wrote:
>>> On Saturday, 15 July 2023 00:04:21 CEST you wrote:
>>> Hi all,
>>> 
>>> if my understanding is correct, CVE-2022-37026 allows an authentication
>>> bypass by clients when using certificate-based authentication, while
>>> 'normal' user/password-based authentication is not affected.
>>> 
>>> If that is indeed the case, then I believe our quick fix doesn't entail an
>>> immediate risk to Guam users.
>>> 
>>> Nevertheless, I do feel somewhat strongly about doing things the right
>>> way. In our case this would mean:
>>> 1. Make OBS pull the latest Debian 10 packages, including erlang-base.
>>> 2. Revert the patch that enables ERTS bundling for Guam.
>>> 3. Rebuild Guam.
>> 
>> I'd rather have it bundled than wake up to our packages no longer starting
>> because the upstream erts package changed, so for unbundling we need to
>> figure which erts version to pin first IMO.
>>> I'm happy to take care of steps 2 and 3, but step 1 needs to be done by an
>>> OBS admin. Christian? Jeroen?
>> 
>> Do you happen to know how to trigger such an update?
>> I have access, but to me it seems the OBS mostly expects to build against a
>> static repository.
>> 
>> Cheers,
>> Christian
>> 
>>> Best,
>>> Christoph
>>> 
>>> _______________________________________________
>>> users mailing list
>>> users@lists.kolab.org
>>> https://lists.kolab.org/mailman/listinfo/users
>> 
>> _______________________________________________
>> devel mailing list
>> devel@lists.kolab.org
>> https://lists.kolab.org/mailman/listinfo/devel
> 
> _______________________________________________
> devel mailing list
> devel@lists.kolab.org
> https://lists.kolab.org/mailman/listinfo/devel
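Added example (not code from the thread or from the OBS project): a small audit of a list of configured Debian repository URLs that flags the two problems raised above, a mirror URL missing the `/dists/` component (the 404 Christoph saw) and the absence of a `security.debian.org` entry (the point Lennart makes). The URLs are the ones quoted in the thread; the function names and the `suite` parameter are my own.

```python
from urllib.parse import urlparse

SECURITY_HOST = "security.debian.org"  # official Debian security archive


def normalize_mirror(url: str, suite: str) -> str:
    """Return the mirror URL in '.../dists/<suite>/' form.

    Inserts the '/dists/' path component when it was left out, e.g.
    .../debian/buster -> .../debian/dists/buster/ (the defect from the OBS
    settings page). Raises if the URL does not end with the expected suite.
    """
    parts = url.rstrip("/").split("/")
    if len(parts) < 2 or parts[-1] != suite:
        raise ValueError(f"{url!r} does not end with suite {suite!r}")
    if parts[-2] != "dists":
        parts.insert(len(parts) - 1, "dists")
    return "/".join(parts) + "/"


def is_security_repo(url: str, suite: str) -> bool:
    """True if url points at the Debian security archive for this suite
    (buster still uses the '<suite>/updates' layout)."""
    p = urlparse(url)
    return p.hostname == SECURITY_HOST and f"/dists/{suite}/updates" in p.path


def audit_repos(urls, suite):
    """Return (fixed_urls, findings) for a configured repository list."""
    fixed, findings = [], []
    for url in urls:
        if is_security_repo(url, suite):
            fixed.append(url)
            continue
        fixed_url = normalize_mirror(url, suite)
        if fixed_url != url.rstrip("/") + "/":
            findings.append(f"missing /dists/ component: {url} -> {fixed_url}")
        fixed.append(fixed_url)
    if not any(is_security_repo(u, suite) for u in urls):
        findings.append(f"no {SECURITY_HOST} entry: security updates "
                        "(e.g. erlang-base) will never be picked up")
    return fixed, findings


if __name__ == "__main__":
    # Constructed input: the broken mirror URL from the thread, no security repo.
    configured = ["https://mirror.switch.ch/ftp/mirror/debian/buster"]
    for line in audit_repos(configured, "buster")[1]:
        print(line)
```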




