<![CDATA[Dev1 Galaxy Forum / [SOLVED] no fix for CVE regreSSHion on armhf?]]> https://dev1galaxy.org/viewtopic.php?id=6708 Mon, 08 Jul 2024 18:54:13 +0000 FluxBB <![CDATA[Re: [SOLVED] no fix for CVE regreSSHion on armhf?]]> https://dev1galaxy.org/viewtopic.php?pid=50998#p50998 ghp wrote:

Daedalus is good, but is it armhf?

amd64, so no.

You seem to be getting there, so that's good.

]]> Mon, 08 Jul 2024 18:54:13 +0000 https://dev1galaxy.org/viewtopic.php?pid=50998#p50998 <![CDATA[Re: [SOLVED] no fix for CVE regreSSHion on armhf?]]> https://dev1galaxy.org/viewtopic.php?pid=50991#p50991 I had 

APT::Default-Release daedalus;

Now:

Setting up openssh-client (1:9.2p1-2+deb12u3) ...
Setting up openssh-sftp-server (1:9.2p1-2+deb12u3) ...
Setting up openssh-server (1:9.2p1-2+deb12u3) ...

Thank YOU!

I don't remember why I put that line there.  It doesn't seem very wise.   Part of an upgrade perhaps, this system ran on a RPi2 before, and certainly before Daedalus.  I must have overlooked some of the small print.  I hope.

]]> Mon, 08 Jul 2024 12:42:30 +0000 https://dev1galaxy.org/viewtopic.php?pid=50991#p50991 <![CDATA[Re: [SOLVED] no fix for CVE regreSSHion on armhf?]]> https://dev1galaxy.org/viewtopic.php?pid=50990#p50990 Yes, the files in /var/lib/apt/lists are the package index files, and the Priority in those is a categorical grouping of packages that is something different from Pin-Priority.

(see my previous reply that overlapped yours)

]]> Mon, 08 Jul 2024 12:28:35 +0000 https://dev1galaxy.org/viewtopic.php?pid=50990#p50990 <![CDATA[Re: [SOLVED] no fix for CVE regreSSHion on armhf?]]> https://dev1galaxy.org/viewtopic.php?pid=50989#p50989 I ran an strace on apt-cache policy.  Seems to get the 990 from 

/var/lib/apt/lists/deb.devuan.org_merged_dists_daedalus_main_binary-armhf_Packages

But in that file there's only "Priority: standard".

]]> Mon, 08 Jul 2024 12:22:18 +0000 https://dev1galaxy.org/viewtopic.php?pid=50989#p50989 <![CDATA[Re: [SOLVED] no fix for CVE regreSSHion on armhf?]]> https://dev1galaxy.org/viewtopic.php?pid=50988#p50988 Sorry, I replied before I saw your edit... hmm.

According to man apt_preferences there is an automatic priority of 990 to the versions that belong to the "target release", which would be declared in /etc/apt/apt.conf or some file in /etc/apt/apt.conf.d by a line like APT::Default-Release "stable";
Comment out that line (with initial #)

]]> Mon, 08 Jul 2024 12:17:30 +0000 https://dev1galaxy.org/viewtopic.php?pid=50988#p50988 <![CDATA[Re: [SOLVED] no fix for CVE regreSSHion on armhf?]]> https://dev1galaxy.org/viewtopic.php?pid=50987#p50987 @ralph.ronnquist: I can't find it under /etc/apt.  Tried "grep -r 990 .".

]]> Mon, 08 Jul 2024 12:10:49 +0000 https://dev1galaxy.org/viewtopic.php?pid=50987#p50987 <![CDATA[Re: [SOLVED] no fix for CVE regreSSHion on armhf?]]> https://dev1galaxy.org/viewtopic.php?pid=50986#p50986 You have an explicit Pin-Priority of 990 for daedalus in some /etc/apt/preferences.d/* file.

]]> Mon, 08 Jul 2024 12:09:38 +0000 https://dev1galaxy.org/viewtopic.php?pid=50986#p50986 <![CDATA[Re: [SOLVED] no fix for CVE regreSSHion on armhf?]]> https://dev1galaxy.org/viewtopic.php?pid=50985#p50985 This probably:

openssh-client:
  Installed: 1:9.2p1-2+deb12u2
  Candidate: 1:9.2p1-2+deb12u2
  Version table:
     1:9.2p1-2+deb12u3 500
        500 http://deb.devuan.org/merged daedalus-security/main armhf Packages
        500 http://deb.devuan.org/merged daedalus-proposed-updates/main armhf Packages
 *** 1:9.2p1-2+deb12u2 990
        990 http://deb.devuan.org/merged daedalus/main armhf Packages
        100 /var/lib/dpkg/status

Where did I go wrong?
I've got no preferences.conf nor preferences.d.

# apt-mark showhold     
libjemalloc1
]]> Mon, 08 Jul 2024 11:59:38 +0000 https://dev1galaxy.org/viewtopic.php?pid=50985#p50985 <![CDATA[Re: [SOLVED] no fix for CVE regreSSHion on armhf?]]> https://dev1galaxy.org/viewtopic.php?pid=50984#p50984 Use apt-mark showhold to check if it's held or not.

/etc/apt/preferences.conf and files in /etc/apt/preferences.d/ define preferences.

And apt-cache policy openssh-server would tell about pinning as well.

]]> Mon, 08 Jul 2024 11:55:10 +0000 https://dev1galaxy.org/viewtopic.php?pid=50984#p50984 <![CDATA[Re: [SOLVED] no fix for CVE regreSSHion on armhf?]]> https://dev1galaxy.org/viewtopic.php?pid=50983#p50983 Strange, the deb12u3_armhf.debs are there:

/var/lib/apt/lists
# grep openssh-client  * | grep -E ':(Package|Filename):' | less -X            
grep: auxfiles: Is a directory
grep: partial: Is a directory
deb.devuan.org_merged_dists_daedalus_main_binary-armhf_Packages:Package: openssh-client
deb.devuan.org_merged_dists_daedalus_main_binary-armhf_Packages:Filename: pool/DEBIAN/main/o/openssh/openssh-client_9.2p1-2+deb12u2_armhf.deb
deb.devuan.org_merged_dists_daedalus_main_binary-armhf_Packages:Package: openssh-client-ssh1
deb.devuan.org_merged_dists_daedalus_main_binary-armhf_Packages:Filename: pool/DEBIAN/main/o/openssh-ssh1/openssh-client-ssh1_7.5p1-14_armhf.deb
deb.devuan.org_merged_dists_daedalus_main_i18n_Translation-en:Package: openssh-client
deb.devuan.org_merged_dists_daedalus_main_i18n_Translation-en:Package: openssh-client-ssh1
deb.devuan.org_merged_dists_daedalus-proposed-updates_main_binary-armhf_Packages:Package: openssh-client
deb.devuan.org_merged_dists_daedalus-proposed-updates_main_binary-armhf_Packages:Filename: pool/DEBIAN/main/o/openssh/openssh-client_9.2p1-2+deb12u3_armhf.deb
deb.devuan.org_merged_dists_daedalus-proposed-updates_main_i18n_Translation-en:Package: openssh-client
deb.devuan.org_merged_dists_daedalus-security_main_binary-armhf_Packages:Package: openssh-client
deb.devuan.org_merged_dists_daedalus-security_main_binary-armhf_Packages:Filename: pool/DEBIAN-SECURITY/updates/main/o/openssh/openssh-client_9.2p1-2+deb12u3_armhf.deb
deb.devuan.org_merged_dists_daedalus-security_main_i18n_Translation-en:Package: openssh-client

What's wrong with my configuration that it ignores security and proposed-updates?

]]> Mon, 08 Jul 2024 11:49:45 +0000 https://dev1galaxy.org/viewtopic.php?pid=50983#p50983 <![CDATA[Re: [SOLVED] no fix for CVE regreSSHion on armhf?]]> https://dev1galaxy.org/viewtopic.php?pid=50982#p50982 Pointing your broswer at https://pkginfo.devuan.org/openssh-server you'll see all currently available versions of the package and the repository points they are found in.

Do you have a hold on the package, or some blocking preferences? It should update.

See also https://www.debian.org/releases/proposed-updates for some new and relevant information.

EDIT: hmm pkginfo favours amd64 ... that might not be ideal for you...
however, armhf has the same versions in the same repositories, at least for openssh-server.

]]> Mon, 08 Jul 2024 11:42:11 +0000 https://dev1galaxy.org/viewtopic.php?pid=50982#p50982 <![CDATA[Re: [SOLVED] no fix for CVE regreSSHion on armhf?]]> https://dev1galaxy.org/viewtopic.php?pid=50981#p50981 @alexkemp,  Daedalus is good, but is it armhf?
@ralph.ronnquist, I added daedalus-proposed-updates, ran "apt-get update"  and "apt-get -s upgrade". No luck  (I get the advice to remove ntpsec). Is "proposed-updates" Devuan specific?  First time I come across it, been using Debian since the previous century.

]]> Mon, 08 Jul 2024 11:26:03 +0000 https://dev1galaxy.org/viewtopic.php?pid=50981#p50981 <![CDATA[Re: [SOLVED] no fix for CVE regreSSHion on armhf?]]> https://dev1galaxy.org/viewtopic.php?pid=50979#p50979 It has already received at least one update since your OP.

My system runs under Daedalus:

$ apt info openssh-client
Package: openssh-client
Version: 1:9.2p1-2+deb12u3
$ grep ^[^#] /etc/apt/sources.list /etc/apt/sources.list.d/*
/etc/apt/sources.list:deb http://deb.devuan.org/merged daedalus                  main non-free-firmware non-free contrib
/etc/apt/sources.list:deb http://deb.devuan.org/merged daedalus-updates          main non-free-firmware non-free contrib
/etc/apt/sources.list:deb http://deb.devuan.org/merged daedalus-security         main non-free-firmware non-free contrib
/etc/apt/sources.list:deb http://deb.devuan.org/merged daedalus-proposed-updates main non-free-firmware non-free contrib
/etc/apt/sources.list:deb http://deb.devuan.org/merged daedalus-backports        main non-free-firmware non-free contrib
]]> Mon, 08 Jul 2024 07:25:36 +0000 https://dev1galaxy.org/viewtopic.php?pid=50979#p50979 <![CDATA[Re: [SOLVED] no fix for CVE regreSSHion on armhf?]]> https://dev1galaxy.org/viewtopic.php?pid=50978#p50978 You may want to include daedalus-proposed-updates in your sources.list
as well as daedalus-security

]]> Mon, 08 Jul 2024 05:22:11 +0000 https://dev1galaxy.org/viewtopic.php?pid=50978#p50978 <![CDATA[Re: [SOLVED] no fix for CVE regreSSHion on armhf?]]> https://dev1galaxy.org/viewtopic.php?pid=50977#p50977 I must say I'm underwhelmed by the attention this gets. Any advice on where I should be reporting a CVE making a stable Devuan server vulnerable?  Just asking.

]]> Mon, 08 Jul 2024 04:19:25 +0000 https://dev1galaxy.org/viewtopic.php?pid=50977#p50977