The officially official Devuan Forum!

You are not logged in.

#1 2021-05-05 18:22:07

pcalvert
Member
Registered: 2017-05-15
Posts: 84  

[SOLVED] Security update delays (again)

I received this notification more than 24 hours ago:

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4912-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 04, 2021                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : exim4
CVE ID         : CVE-2020-28007 CVE-2020-28008 CVE-2020-28009 CVE-2020-28010
                 CVE-2020-28011 CVE-2020-28012 CVE-2020-28013 CVE-2020-28014
                 CVE-2020-28015 CVE-2020-28017 CVE-2020-28019 CVE-2020-28021
                 CVE-2020-28022 CVE-2020-28023 CVE-2020-28024 CVE-2020-28025
                 CVE-2020-28026

The Qualys Research Labs reported several vulnerabilities in Exim, a
mail transport agent, which could result in local privilege escalation
and remote code execution.

Details can be found in the Qualys advisory at
https://www.qualys.com/2021/05/04/21nails/21nails.txt

For the stable distribution (buster), these problems have been fixed in
version 4.92-8+deb10u6.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/exim4

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Reference:
https://www.debian.org/security/2021/dsa-4912


I've run apt update multiple times since then, and it hasn't shown up yet.

$ apt policy exim4
exim4:
  Installed: 4.92-8+deb10u5
  Candidate: 4.92-8+deb10u5
  Version table:
 *** 4.92-8+deb10u5 500
        500 http://deb.devuan.org/merged beowulf/main amd64 Packages
        100 /var/lib/dpkg/status
     4.92-8+deb10u4 500
        500 http://deb.devuan.org/merged beowulf-security/main amd64 Packages

Although I could be mistaken, this does not seem like normal behavior to me.


“It is better to believe than to disbelieve; in doing so, it brings
everything into the realm of possibility.” — Albert Einstein

Offline

#2 2021-05-05 18:54:15

Altoid
Member
Registered: 2017-05-07
Posts: 787  

Re: [SOLVED] Security update delays (again)

Hello:

pcalvert wrote:

... received this notification more than 24 hours ago ...
... problems have been fixed in version 4.92-8+deb10u6.

See this article from The Register.
https://www.theregister.com/2021/05/05/ … exim_mail/

Tim Anderson @TheRegister wrote:

At the time of writing*, the packages for Debian 9 (Stretch), which is end of life but in long term support, had not yet been updated.

* Wed 5 May 2021 // 17:20 UTC

It may shed some light on the reasons for the apparent delay.
It's probably on its way.

groucho@devuan:~$ apt policy exim4
exim4:
  Installed: (none)
  Candidate: 4.92-8+deb10u5
  Version table:
     4.94.2-1~bpo10+1 100
        100 http://deb.devuan.org/merged beowulf-backports/main amd64 Packages
        100 http://deb.devuan.org/merged beowulf-backports/main i386 Packages
     4.92-8+deb10u5 500
        500 http://deb.devuan.org/merged beowulf/main amd64 Packages
        500 http://deb.devuan.org/merged beowulf/main i386 Packages
     4.92-8+deb10u4 500
        500 http://deb.devuan.org/merged beowulf-security/main amd64 Packages
        500 http://deb.devuan.org/merged beowulf-security/main i386 Packages
groucho@devuan:~$ 

Best,

A.

Last edited by Altoid (2021-05-05 19:09:09)

Offline

#3 2021-05-05 18:58:53

rolfie
Member
Registered: 2017-11-25
Posts: 508  

Re: [SOLVED] Security update delays (again)

Altoid wrote:
Tim Anderson @TheRegister wrote:

At the time of writing*, the packages for Debian 9 (Stretch), which is end of life but in long term support, had not yet been updated.

That would be valid for ASCII, not for Beowulf/Buster.

rolfie

Offline

#4 2021-05-08 14:04:45

pcalvert
Member
Registered: 2017-05-15
Posts: 84  

Re: [SOLVED] Security update delays (again)

It has now been over 96 hours, and there is still no sign of the update.

$ apt policy exim4
exim4:
  Installed: 4.92-8+deb10u5
  Candidate: 4.92-8+deb10u5
  Version table:
 *** 4.92-8+deb10u5 500
        500 http://deb.devuan.org/merged beowulf/main amd64 Packages
        100 /var/lib/dpkg/status
     4.92-8+deb10u4 500
        500 http://deb.devuan.org/merged beowulf-security/main amd64 Packages

By the way, in case it matters, I am using Refracta based on Devuan Beowulf. I forgot to mention that in my original post.


“It is better to believe than to disbelieve; in doing so, it brings
everything into the realm of possibility.” — Albert Einstein

Offline

#5 2021-05-08 14:29:26

fsmithred
Administrator
Registered: 2016-11-25
Posts: 1,864  

Re: [SOLVED] Security update delays (again)

Using Refracta won't matter because it only has devuan repos. I was told a full merge is scheduled for Sunday, but I really have no idea what the schedule is or why. It seemed like we had this problem fixed with the last set of patches to amprolla. Guess not.

Offline

#6 2021-05-09 19:06:52

pcalvert
Member
Registered: 2017-05-15
Posts: 84  

Re: [SOLVED] Security update delays (again)

In case it helps, this is the last security update that came through in a timely manner:

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4911-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
May 03, 2021                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2021-21227 CVE-2021-21228 CVE-2021-21229 CVE-2021-21230
                 CVE-2021-21231 CVE-2021-21232 CVE-2021-21233

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2021-21227

    Gengming Liu discovered a data validation issue in the v8 javascript
    library.

CVE-2021-21228

    Rob Wu discovered a policy enforcement error.

CVE-2021-21229

    Mohit Raj discovered a user interface error in the file downloader.

CVE-2021-21230

    Manfred Paul discovered use of an incorrect type.

CVE-2021-21231

    Sergei Glazunov discovered a data validation issue in the v8 javascript
    library.

CVE-2021-21232

    Abdulrahman Alqabandi discovered a use-after-free issue in the developer
    tools.

CVE-2021-21233

    Omair discovered a buffer overflow issue in the ANGLE library.

For the stable distribution (buster), these problems have been fixed in
version 90.0.4430.93-1~deb10u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

From aptitude's log file:

Aptitude 0.8.11: log report
Tue, May  4 2021 10:27:13 -0400

  IMPORTANT: this log only lists intended actions; actions which fail
  due to dpkg problems may not be completed.

Will install 3 packages, and remove 0 packages.
4096 B of disk space will be used
========================================
[UPGRADE] chromium:amd64 90.0.4430.85-1~deb10u1 -> 90.0.4430.93-1~deb10u1
[UPGRADE] chromium-common:amd64 90.0.4430.85-1~deb10u1 -> 90.0.4430.93-1~deb10u1
[UPGRADE] chromium-sandbox:amd64 90.0.4430.85-1~deb10u1 -> 90.0.4430.93-1~deb10u1
========================================

Log complete.

“It is better to believe than to disbelieve; in doing so, it brings
everything into the realm of possibility.” — Albert Einstein

Offline

#7 2021-05-10 17:09:22

pcalvert
Member
Registered: 2017-05-15
Posts: 84  

Re: [SOLVED] Security update delays (again)

It finally came through some time earlier today.

$ apt policy exim4
exim4:
  Installed: 4.92-8+deb10u5
  Candidate: 4.92-8+deb10u6
  Version table:
     4.92-8+deb10u6 500
        500 http://deb.devuan.org/merged beowulf-security/main amd64 Packages
 *** 4.92-8+deb10u5 500
        500 http://deb.devuan.org/merged beowulf/main amd64 Packages
        100 /var/lib/dpkg/status

“It is better to believe than to disbelieve; in doing so, it brings
everything into the realm of possibility.” — Albert Einstein

Offline

#8 2021-05-16 00:11:30

pcalvert
Member
Registered: 2017-05-15
Posts: 84  

Re: [SOLVED] Security update delays (again)

I received this notification more than 48 hours ago:

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4915-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 13, 2021                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postgresql-11
CVE ID         : CVE-2021-32027 CVE-2021-32028 CVE-2021-32029

Multiple security issues have been discovered in the PostgreSQL database
system, which could result in the execution of arbitrary code or
disclosure of memory content.

For the stable distribution (buster), these problems have been fixed in
version 11.12-0+deb10u1.

We recommend that you upgrade your postgresql-11 packages.

For the detailed security status of postgresql-11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tra … tgresql-11

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org


This does not look right:

$ apt policy postgresql-11
postgresql-11:
  Installed: (none)
  Candidate: 11.11-0+deb10u1
  Version table:
     11.11-0+deb10u1 500
        500 http://deb.devuan.org/merged beowulf/main amd64 Packages
     11.7-0+deb10u1 500
        500 http://deb.devuan.org/merged beowulf-security/main amd64 Packages

“It is better to believe than to disbelieve; in doing so, it brings
everything into the realm of possibility.” — Albert Einstein

Offline

#9 2021-05-16 16:21:51

fsmithred
Administrator
Registered: 2016-11-25
Posts: 1,864  

Re: [SOLVED] Security update delays (again)

Thanks for the alert. It's been brought up to date.

Offline

Board footer