The officially official Devuan Forum!


#1 Re: Other Issues » [SOLVED] no fix for CVE regreSSHion on armhf? » 2024-07-08 12:42:30

ghp

I had

APT::Default-Release daedalus;

Now:

Setting up openssh-client (1:9.2p1-2+deb12u3) ...
Setting up openssh-sftp-server (1:9.2p1-2+deb12u3) ...
Setting up openssh-server (1:9.2p1-2+deb12u3) ...

Thank YOU!

I don't remember why I put that line there. It doesn't seem very wise. Part of an upgrade perhaps, this system ran on a RPi2 before, and certainly before Daedalus. I must have overlooked some of the small print. I hope.
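Added example, not code from the forum thread or from Devuan: a small Python script that parses the output of "apt-cache policy <package>" (the sample embedded below is the output quoted in post #4 further down this page) and reports when the candidate version is pinned below a newer version that another suite offers. That is exactly the symptom an APT::Default-Release entry produces: the named release gets priority 990 while daedalus-security and daedalus-proposed-updates stay at 500, so the security build of openssh never becomes the candidate. The version ordering is a re-implementation of dpkg's algorithm (epoch:upstream-revision, with "~" sorting before anything) so the script runs without python3-apt; on a real system apt_pkg.version_compare is the authoritative comparison.

```python
"""Flag packages whose candidate is pinned below a newer available version."""
import re
import subprocess
import sys

# Sample input: the apt-cache policy output quoted in post #4 on this page.
SAMPLE_POLICY = """\
openssh-client:
  Installed: 1:9.2p1-2+deb12u2
  Candidate: 1:9.2p1-2+deb12u2
  Version table:
     1:9.2p1-2+deb12u3 500
        500 http://deb.devuan.org/merged daedalus-security/main armhf Packages
        500 http://deb.devuan.org/merged daedalus-proposed-updates/main armhf Packages
 *** 1:9.2p1-2+deb12u2 990
        990 http://deb.devuan.org/merged daedalus/main armhf Packages
        100 /var/lib/dpkg/status
"""

# "  1:9.2p1-2+deb12u3 500" or " *** 1:9.2p1-2+deb12u2 990"
VERSION_RE = re.compile(r"^\s*(\*\*\*)?\s*(\S+)\s+(-?\d+)\s*$")
# "     500 http://host/path suite/component arch Packages" or "     100 /var/lib/dpkg/status"
SOURCE_RE = re.compile(r"^\s+(-?\d+)\s+(\S+)(?:\s+(\S+)\s+(\S+)\s+Packages)?\s*$")


def _order(c):
    """dpkg character weight: '~' before end-of-string, letters before punctuation."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare one upstream or revision part the way dpkg does (re-implementation)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs are compared character by character by weight.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit runs are compared numerically: strip zeros, then longest run wins.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v):
    """'1:9.2p1-2+deb12u3' -> (1, '9.2p1', '2+deb12u3')."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Negative if a < b, zero if equal, positive if a > b (dpkg ordering)."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def parse_policy(text):
    """Turn apt-cache policy output into {package, installed, candidate, versions}."""
    info = {"package": None, "installed": None, "candidate": None, "versions": []}
    for line in text.splitlines():
        stripped = line.strip()
        if line.endswith(":") and not line.startswith(" "):
            info["package"] = line[:-1]
        elif stripped.startswith("Installed:"):
            info["installed"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("Candidate:"):
            info["candidate"] = stripped.split(":", 1)[1].strip()
        elif VERSION_RE.match(line) and stripped != "Version table:":
            m = VERSION_RE.match(line)
            info["versions"].append({"version": m.group(2), "pin": int(m.group(3)),
                                     "installed": bool(m.group(1)), "sources": []})
        elif SOURCE_RE.match(line) and info["versions"]:
            m = SOURCE_RE.match(line)
            info["versions"][-1]["sources"].append(
                {"pin": int(m.group(1)), "origin": m.group(2), "suite": m.group(3)})
    return info


def find_held_back(text):
    """Return one finding per version that is newer than the candidate but loses on pin."""
    info = parse_policy(text)
    cand = info["candidate"]
    if cand in (None, "(none)"):
        return []
    cand_pin = next((v["pin"] for v in info["versions"] if v["version"] == cand), None)
    findings = []
    for v in info["versions"]:
        if compare_versions(v["version"], cand) > 0:
            findings.append({"package": info["package"], "candidate": cand,
                             "candidate_pin": cand_pin, "newer": v["version"],
                             "newer_pin": v["pin"],
                             "suites": [s["suite"] for s in v["sources"] if s["suite"]]})
    return findings


if __name__ == "__main__":
    # With a package name, query the live system; otherwise analyse the sample.
    text = (subprocess.run(["apt-cache", "policy", sys.argv[1]], capture_output=True,
                           text=True, check=True).stdout if len(sys.argv) > 1 else SAMPLE_POLICY)
    for f in find_held_back(text):
        print(f"{f['package']}: candidate {f['candidate']} (pin {f['candidate_pin']}) "
              f"is older than {f['newer']} (pin {f['newer_pin']}) from {', '.join(f['suites'])}")
```

On the sample it reports that 1:9.2p1-2+deb12u3 from daedalus-security/main and daedalus-proposed-updates/main loses to the 990 pin on daedalus/main, which is the picture the thread ends up explaining; "apt-config dump | grep Default-Release" shows whether that setting is the cause on a given machine.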

#2 Re: Other Issues » [SOLVED] no fix for CVE regreSSHion on armhf? » 2024-07-08 12:22:18

ghp

I ran an strace on apt-cache policy.  Seems to get the 990 from

/var/lib/apt/lists/deb.devuan.org_merged_dists_daedalus_main_binary-armhf_Packages

But in that file there's only "Priority: standard".

#3 Re: Other Issues » [SOLVED] no fix for CVE regreSSHion on armhf? » 2024-07-08 12:10:49

ghp

@ralph.ronnquist: I can't find it under /etc/apt.  Tried "grep -r 990 .".

#4 Re: Other Issues » [SOLVED] no fix for CVE regreSSHion on armhf? » 2024-07-08 11:59:38

ghp

This probably:

openssh-client:
  Installed: 1:9.2p1-2+deb12u2
  Candidate: 1:9.2p1-2+deb12u2
  Version table:
     1:9.2p1-2+deb12u3 500
        500 http://deb.devuan.org/merged daedalus-security/main armhf Packages
        500 http://deb.devuan.org/merged daedalus-proposed-updates/main armhf Packages
 *** 1:9.2p1-2+deb12u2 990
        990 http://deb.devuan.org/merged daedalus/main armhf Packages
        100 /var/lib/dpkg/status

Where did I go wrong?
I've got no preferences.conf nor preferences.d.

# apt-mark showhold
libjemalloc1

#5 Re: Other Issues » [SOLVED] no fix for CVE regreSSHion on armhf? » 2024-07-08 11:49:45

ghp

Strange, the deb12u3_armhf.debs are there:

/var/lib/apt/lists
# grep openssh-client  * | grep -E ':(Package|Filename):' | less -X
grep: auxfiles: Is a directory
grep: partial: Is a directory
deb.devuan.org_merged_dists_daedalus_main_binary-armhf_Packages:Package: openssh-client
deb.devuan.org_merged_dists_daedalus_main_binary-armhf_Packages:Filename: pool/DEBIAN/main/o/openssh/openssh-client_9.2p1-2+deb12u2_armhf.deb
deb.devuan.org_merged_dists_daedalus_main_binary-armhf_Packages:Package: openssh-client-ssh1
deb.devuan.org_merged_dists_daedalus_main_binary-armhf_Packages:Filename: pool/DEBIAN/main/o/openssh-ssh1/openssh-client-ssh1_7.5p1-14_armhf.deb
deb.devuan.org_merged_dists_daedalus_main_i18n_Translation-en:Package: openssh-client
deb.devuan.org_merged_dists_daedalus_main_i18n_Translation-en:Package: openssh-client-ssh1
deb.devuan.org_merged_dists_daedalus-proposed-updates_main_binary-armhf_Packages:Package: openssh-client
deb.devuan.org_merged_dists_daedalus-proposed-updates_main_binary-armhf_Packages:Filename: pool/DEBIAN/main/o/openssh/openssh-client_9.2p1-2+deb12u3_armhf.deb
deb.devuan.org_merged_dists_daedalus-proposed-updates_main_i18n_Translation-en:Package: openssh-client
deb.devuan.org_merged_dists_daedalus-security_main_binary-armhf_Packages:Package: openssh-client
deb.devuan.org_merged_dists_daedalus-security_main_binary-armhf_Packages:Filename: pool/DEBIAN-SECURITY/updates/main/o/openssh/openssh-client_9.2p1-2+deb12u3_armhf.deb
deb.devuan.org_merged_dists_daedalus-security_main_i18n_Translation-en:Package: openssh-client

What's wrong with my configuration that it ignores security and proposed-updates?

#6 Re: Other Issues » [SOLVED] no fix for CVE regreSSHion on armhf? » 2024-07-08 11:26:03

ghp

@alexkemp, Daedalus is good, but is it armhf?
@ralph.ronnquist, I added daedalus-proposed-updates, ran "apt-get update" and "apt-get -s upgrade". No luck (I get the advice to remove ntpsec). Is "proposed-updates" Devuan specific? First time I've come across it; I've been using Debian since the previous century.

#7 Re: Other Issues » [SOLVED] no fix for CVE regreSSHion on armhf? » 2024-07-08 04:19:25

ghp

I must say I'm underwhelmed by the attention this gets. Any advice on where I should be reporting a CVE making a stable Devuan server vulnerable? Just asking.

#9 Re: Other Issues » [SOLVED] no fix for CVE regreSSHion on armhf? » 2024-07-06 21:44:19

ghp

I'm afraid I do. If someone would confirm the fix is available, I'd know I have to look for a problem on my side.

#10 Re: Off-topic » CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems » 2024-07-06 18:05:51

ghp

BTW, Siva, how does one know that 1:9.2p1-2+deb12u3 fixes regreSSHion? Never mind, found it on Debian's changelog. async-signal-unsafe (https://metadata.ftp-master.debian.org/ … _changelog).

#11 Re: Off-topic » CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems » 2024-07-06 17:55:43

ghp

I know, Siva, but I'm running Devuan. I've even tried with Debian's packages, which got me into a bit of a "pickle", if that's what the English call it. I was hoping someone could tell me why Devuan is holding back. Maybe a dependency problem? But yes, I ran apt-get update, a number of times now since I read about regreSSHion.

#12 Other Issues » [SOLVED] no fix for CVE regreSSHion on armhf? » 2024-07-06 07:10:54

ghp
Replies: 17

or is it in the works?

This is CVE-2024-6387.
Checking for an upgrade gives:

openssh-client is already the newest version (1:9.2p1-2+deb12u2).
openssh-server is already the newest version (1:9.2p1-2+deb12u2).

#13 Off-topic » no fix for regreSSHion on armhf? » 2024-07-05 04:04:39

ghp
Replies: 0

Any idea why this fix is not needed for daedalus on armhf?

openssh-server is already the newest version (1:9.2p1-2+deb12u2).

#14 Re: Off-topic » CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems » 2024-07-04 06:03:59

ghp

Any idea why this fix is not needed for daedalus on armhf?

openssh-server is already the newest version (1:9.2p1-2+deb12u2).

#15 Re: Installation » Problem with *.iso file » 2020-09-30 18:50:45

ghp

Just to mention I had the same problem with the beowulf amd64 netinstall iso.

#16 Re: Other Issues » Jessie & Huge Dirty Cow » 2017-12-06 13:43:56

ghp

No, that was Dirty Cow, and the fix contained a vulnerability in case Transparent Huge Pages were enabled, therefore the "Huge Dirty Cow".

https://security-tracker.debian.org/tra … 7-1000405/

#17 Other Issues » Jessie & Huge Dirty Cow » 2017-12-05 11:37:15

ghp
Replies: 3

Is Jessie's kernel vulnerable to Huge Dirty Cow?

It looks as if we're not using Transparent Huge Pages.

# cat /proc/meminfo | grep -i huge

returns nothing.

But, in case I'm mistaken: https://github.com/torvalds/linux/commi … 0b5740b1f0

Kind regards,

Gerard
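Added example, not from the forum post above: a Python check of whether Transparent Huge Pages can be in use on a host. /proc/meminfo reports hugetlbfs pages (HugePages_*) and the amount of THP memory currently mapped (AnonHugePages), but the THP policy itself is read from /sys/kernel/mm/transparent_hugepage/enabled, which prints the choices with the active one in brackets, e.g. "always [madvise] never". The sample file contents below are constructed so the script runs offline.

```python
"""Report the Transparent Huge Pages mode and current THP usage."""
import re

THP_ENABLED = "/sys/kernel/mm/transparent_hugepage/enabled"
MEMINFO = "/proc/meminfo"

# Constructed sample contents, used when the real files are not readable.
SAMPLE_ENABLED = "always [madvise] never\n"
SAMPLE_MEMINFO = ("MemTotal:         948000 kB\n"
                  "AnonHugePages:      4096 kB\n"
                  "HugePages_Total:       0\n")


def parse_thp_mode(enabled_text):
    """Return the bracketed selection ('always', 'madvise' or 'never'), or None."""
    m = re.search(r"\[(\w+)\]", enabled_text)
    return m.group(1) if m else None


def anon_huge_kb(meminfo_text):
    """kB of anonymous memory currently backed by transparent huge pages."""
    for line in meminfo_text.splitlines():
        if line.startswith("AnonHugePages:"):
            return int(line.split()[1])
    return 0


def thp_status(enabled_text, meminfo_text):
    """Combine both sources: mode, THP in use now, and whether THP can be used at all."""
    mode = parse_thp_mode(enabled_text)
    return {"mode": mode,
            "anon_huge_kb": anon_huge_kb(meminfo_text),
            # 'madvise' still lets any process opt in with madvise(MADV_HUGEPAGE).
            "thp_possible": mode in ("always", "madvise")}


def read_or(path, fallback):
    """Read a file, falling back to the constructed sample (no sysfs on some hosts)."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return fallback


if __name__ == "__main__":
    print(thp_status(read_or(THP_ENABLED, SAMPLE_ENABLED), read_or(MEMINFO, SAMPLE_MEMINFO)))
```

A host reporting mode "never" cannot map transparent huge pages; "madvise" means no THP unless a program asks for it, and "always" means the kernel uses them on its own, which is the configuration that matters for the question asked in the post.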

#18 Re: Other Issues » Krack » 2017-10-23 07:45:29

ghp

Thanks FSR.  After changing my sources.list to use pkgmaster.devuan.org, I got the fixed wpasupplicant.

wpa (2:2.4-1+deb9u1) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix multiple issues in WPA protocol (CVE-2017-13077, CVE-2017-13078,
    CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
    CVE-2017-13086, CVE-2017-13087, CVE-2017-13088):

#19 Re: Other Issues » Krack » 2017-10-19 18:12:31

ghp

My bad, I'm hooked on Ascii.

#20 Other Issues » Krack » 2017-10-19 15:41:05

ghp
Replies: 5

Is anyone working on securing wpa_supplicant against Krack?
Thanks,
Gerard
