Dev1 Galaxy Forum / [SOLVED] Security update delays (again)

Re: [SOLVED] Security update delays (again)

dummy@example.com (fsmithred) — Sun, 16 May 2021 16:21:51 +0000

Thanks for the alert. It's been brought up to date.

Re: [SOLVED] Security update delays (again)

dummy@example.com (pcalvert) — Sun, 16 May 2021 00:11:30 +0000

I received this notification more than 48 hours ago:

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4915-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 13, 2021 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : postgresql-11
CVE ID : CVE-2021-32027 CVE-2021-32028 CVE-2021-32029
Multiple security issues have been discovered in the PostgreSQL database
system, which could result in the execution of arbitrary code or
disclosure of memory content.
For the stable distribution (buster), these problems have been fixed in
version 11.12-0+deb10u1.
We recommend that you upgrade your postgresql-11 packages.
For the detailed security status of postgresql-11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tra … tgresql-11
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org

This does not look right:

$ apt policy postgresql-11
postgresql-11:
  Installed: (none)
  Candidate: 11.11-0+deb10u1
  Version table:
     11.11-0+deb10u1 500
        500 http://deb.devuan.org/merged beowulf/main amd64 Packages
     11.7-0+deb10u1 500
        500 http://deb.devuan.org/merged beowulf-security/main amd64 Packages

Re: [SOLVED] Security update delays (again)

dummy@example.com (pcalvert) — Mon, 10 May 2021 17:09:22 +0000

It finally came through some time earlier today.

$ apt policy exim4
exim4:
  Installed: 4.92-8+deb10u5
  Candidate: 4.92-8+deb10u6
  Version table:
     4.92-8+deb10u6 500
        500 http://deb.devuan.org/merged beowulf-security/main amd64 Packages
 *** 4.92-8+deb10u5 500
        500 http://deb.devuan.org/merged beowulf/main amd64 Packages
        100 /var/lib/dpkg/status

Re: [SOLVED] Security update delays (again)

dummy@example.com (pcalvert) — Sun, 09 May 2021 19:06:52 +0000

In case it helps, this is the last security update that came through in a timely manner:

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4911-1 security@debian.org
https://www.debian.org/security/ Michael Gilbert
May 03, 2021 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : chromium
CVE ID : CVE-2021-21227 CVE-2021-21228 CVE-2021-21229 CVE-2021-21230
CVE-2021-21231 CVE-2021-21232 CVE-2021-21233
Several vulnerabilities have been discovered in the chromium web browser.
CVE-2021-21227
Gengming Liu discovered a data validation issue in the v8 javascript
library.
CVE-2021-21228
Rob Wu discovered a policy enforcement error.
CVE-2021-21229
Mohit Raj discovered a user interface error in the file downloader.
CVE-2021-21230
Manfred Paul discovered use of an incorrect type.
CVE-2021-21231
Sergei Glazunov discovered a data validation issue in the v8 javascript
library.
CVE-2021-21232
Abdulrahman Alqabandi discovered a use-after-free issue in the developer
tools.
CVE-2021-21233
Omair discovered a buffer overflow issue in the ANGLE library.
For the stable distribution (buster), these problems have been fixed in
version 90.0.4430.93-1~deb10u1.
We recommend that you upgrade your chromium packages.
For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org

From aptitude's log file:

Aptitude 0.8.11: log report
Tue, May  4 2021 10:27:13 -0400

  IMPORTANT: this log only lists intended actions; actions which fail
  due to dpkg problems may not be completed.

Will install 3 packages, and remove 0 packages.
4096 B of disk space will be used
========================================
[UPGRADE] chromium:amd64 90.0.4430.85-1~deb10u1 -> 90.0.4430.93-1~deb10u1
[UPGRADE] chromium-common:amd64 90.0.4430.85-1~deb10u1 -> 90.0.4430.93-1~deb10u1
[UPGRADE] chromium-sandbox:amd64 90.0.4430.85-1~deb10u1 -> 90.0.4430.93-1~deb10u1
========================================

Log complete.

Re: [SOLVED] Security update delays (again)

dummy@example.com (fsmithred) — Sat, 08 May 2021 14:29:26 +0000

Using Refracta won't matter because it only has devuan repos. I was told a full merge is scheduled for Sunday, but I really have no idea what the schedule is or why. It seemed like we had this problem fixed with the last set of patches to amprolla. Guess not.

Re: [SOLVED] Security update delays (again)

dummy@example.com (pcalvert) — Sat, 08 May 2021 14:04:45 +0000

It has now been over 96 hours, and there is still no sign of the update.

$ apt policy exim4
exim4:
  Installed: 4.92-8+deb10u5
  Candidate: 4.92-8+deb10u5
  Version table:
 *** 4.92-8+deb10u5 500
        500 http://deb.devuan.org/merged beowulf/main amd64 Packages
        100 /var/lib/dpkg/status
     4.92-8+deb10u4 500
        500 http://deb.devuan.org/merged beowulf-security/main amd64 Packages

By the way, in case it matters, I am using Refracta based on Devuan Beowulf. I forgot to mention that in my original post.

Re: [SOLVED] Security update delays (again)

dummy@example.com (rolfie) — Wed, 05 May 2021 18:58:53 +0000

Altoid wrote:

Tim Anderson @TheRegister wrote:
At the time of writing*, the packages for Debian 9 (Stretch), which is end of life but in long term support, had not yet been updated.

That would be valid for ASCII, not for Beowulf/Buster.

rolfie

Re: [SOLVED] Security update delays (again)

dummy@example.com (Altoid) — Wed, 05 May 2021 18:54:15 +0000

Hello:

pcalvert wrote:

... received this notification more than 24 hours ago ...
... problems have been fixed in version 4.92-8+deb10u6.

See this article from The Register.
https://www.theregister.com/2021/05/05/ … exim_mail/

Tim Anderson @TheRegister wrote:

At the time of writing*, the packages for Debian 9 (Stretch), which is end of life but in long term support, had not yet been updated.

* Wed 5 May 2021 // 17:20 UTC

It may shed some light on the reasons for the apparent delay.
It's probably on its way.

groucho@devuan:~$ apt policy exim4
exim4:
  Installed: (none)
  Candidate: 4.92-8+deb10u5
  Version table:
     4.94.2-1~bpo10+1 100
        100 http://deb.devuan.org/merged beowulf-backports/main amd64 Packages
        100 http://deb.devuan.org/merged beowulf-backports/main i386 Packages
     4.92-8+deb10u5 500
        500 http://deb.devuan.org/merged beowulf/main amd64 Packages
        500 http://deb.devuan.org/merged beowulf/main i386 Packages
     4.92-8+deb10u4 500
        500 http://deb.devuan.org/merged beowulf-security/main amd64 Packages
        500 http://deb.devuan.org/merged beowulf-security/main i386 Packages
groucho@devuan:~$

Best,

[SOLVED] Security update delays (again)

dummy@example.com (pcalvert) — Wed, 05 May 2021 18:22:07 +0000

I received this notification more than 24 hours ago:

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4912-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 04, 2021 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : exim4
CVE ID : CVE-2020-28007 CVE-2020-28008 CVE-2020-28009 CVE-2020-28010
CVE-2020-28011 CVE-2020-28012 CVE-2020-28013 CVE-2020-28014
CVE-2020-28015 CVE-2020-28017 CVE-2020-28019 CVE-2020-28021
CVE-2020-28022 CVE-2020-28023 CVE-2020-28024 CVE-2020-28025
CVE-2020-28026
The Qualys Research Labs reported several vulnerabilities in Exim, a
mail transport agent, which could result in local privilege escalation
and remote code execution.
Details can be found in the Qualys advisory at
https://www.qualys.com/2021/05/04/21nails/21nails.txt
For the stable distribution (buster), these problems have been fixed in
version 4.92-8+deb10u6.
We recommend that you upgrade your exim4 packages.
For the detailed security status of exim4 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/exim4
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Reference:
https://www.debian.org/security/2021/dsa-4912

I've run apt update multiple times since then, and it hasn't shown up yet.

$ apt policy exim4
exim4:
  Installed: 4.92-8+deb10u5
  Candidate: 4.92-8+deb10u5
  Version table:
 *** 4.92-8+deb10u5 500
        500 http://deb.devuan.org/merged beowulf/main amd64 Packages
        100 /var/lib/dpkg/status
     4.92-8+deb10u4 500
        500 http://deb.devuan.org/merged beowulf-security/main amd64 Packages

Although I could be mistaken, this does not seem like normal behavior to me.