
Bug#491263: marked as done (network-console, etch netinst, openssh)

Your message dated Sat, 19 Jul 2008 11:17:06 +0000
with message-id <E1KKAR0-0002ko-JN@ries.debian.org>
and subject line Bug#491263: fixed in debian-installer 20070308etch3
has caused the Debian Bug report #491263,
regarding network-console, etch netinst, openssh
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

491263: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=491263
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: network-console
Version: 1.11

A few issues relating to network-console on etch netinst 4.0r3:

* Keys generated by network-console are found on the blacklist included
with newer versions of openssh-server.

* If network-console is used for a new installation, openssh-server is
installed on the new system, but .broken keys are left lying around in

* Likewise to above, the rsa host key (/etc/ssh/ssh_host_rsa_key.pub)
is found to be on the blacklist, and appears that it may be the same
rsa key used during installation via network-console.

An 'ls -al *key*' in /etc/ssh on a newly installed system gives
something similar to:
-rw------- 1 root root  668 2008-07-17 07:24 ssh_host_dsa_key
-rw------- 1 root root  668 2008-07-17 07:21 ssh_host_dsa_key.broken
-rw-r--r-- 1 root root  612 2008-07-17 07:24 ssh_host_dsa_key.pub
-rw-r--r-- 1 root root  612 2008-07-17 07:21
-rw------- 1 root root 1675 2008-07-17 07:26 ssh_host_rsa_key
-rw------- 1 root root 1675 2008-07-17 07:21 ssh_host_rsa_key.broken
-rw-r--r-- 1 root root  404 2008-07-17 07:26 ssh_host_rsa_key.pub
-rw-r--r-- 1 root root  404 2008-07-17 07:21

Likewise, checking for these keys in the blacklist:
# for key in ssh_host_[rd]sa_key.pub{,.broken}; do grep -q $(ssh-keygen \
-l -f $key | awk '{print $2}' | cut -d: -f7- | tr -d :) blacklist.* \
&& echo "$key is on the blacklist"; done
ssh_host_rsa_key.pub is on the blacklist
ssh_host_dsa_key.pub.broken is on the blacklist
ssh_host_rsa_key.pub.broken is on the blacklist

Mike Edwards                    |   If this email address disappears,   
Unsolicited advertisements to   |   assume it was spammed to death.  To
this address are not welcome.   |   reach me in that case, s/-.*@/@/

"Our progress as a nation can be no swifter than our progress in education.
The human mind is our fundamental resource."
  -- John F. Kennedy

--- End Message ---
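
The blacklist check from the report above, as an added example that is not part of the original message or of any Debian package. It derives the same 20-hex-digit ID (the last 80 bits of the MD5 fingerprint) straight from the .pub file, so it does not depend on the fingerprint format ssh-keygen prints, which is SHA256 by default in current OpenSSH. Assumptions: the function names and the demo keys are constructed for illustration, and the blacklist.* files are taken to hold one such ID per line, as the report's grep implies.

```shell
#!/bin/sh
# Added example, not from the original report.

# key_id FILE: last 20 hex digits of the MD5 of the decoded public key blob,
# i.e. the value the report extracts with "cut -d: -f7- | tr -d :".
key_id() {
    awk 'NR == 1 {print $2}' "$1" | base64 -d 2>/dev/null | md5sum | cut -c13-32
}

# check_blacklist DIR KEYFILE...: print every key whose ID appears in any
# DIR/blacklist.* file. Unreadable or missing files are skipped.
check_blacklist() {
    dir=$1; shift
    for key in "$@"; do
        [ -r "$key" ] || continue      # e.g. no *.broken files on this host
        id=$(key_id "$key")
        if grep -qF -- "$id" "$dir"/blacklist.* 2>/dev/null; then
            echo "$key is on the blacklist"
        fi
    done
}

# Constructed demo: two fake public keys (not real key material) and a
# blacklist file that lists only the first one.
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-rsa %s constructed-weak\n' \
        "$(printf 'constructed blob A' | base64)" > "$tmp/ssh_host_rsa_key.pub"
    printf 'ssh-dss %s constructed-ok\n' \
        "$(printf 'constructed blob B' | base64)" > "$tmp/ssh_host_dsa_key.pub"
    key_id "$tmp/ssh_host_rsa_key.pub" > "$tmp/blacklist.RSA-2048"
    check_blacklist "$tmp" "$tmp"/ssh_host_*_key.pub \
        "$tmp"/ssh_host_*_key.pub.broken
    rm -rf "$tmp"
}

demo
```

On an installed system the equivalent call is check_blacklist with the directory that holds the blacklist.* files, followed by the /etc/ssh/ssh_host_*_key.pub files and any leftover .broken copies.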
--- Begin Message ---
Source: debian-installer
Source-Version: 20070308etch3

We believe that the bug you reported is fixed in the latest version of
debian-installer, which is due to be installed in the Debian FTP archive:

debian-installer-images_20070308etch3_s390.tar.gz byhand
  to pool/main/d/debian-installer/debian-installer_20070308etch3.dsc
  to pool/main/d/debian-installer/debian-installer_20070308etch3.tar.gz
  to pool/main/d/debian-installer/debian-installer_20070308etch3_s390.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 491263@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Frans Pop <fjp@debian.org> (supplier of updated debian-installer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Format: 1.7
Date: Sat, 19 Jul 2008 10:03:12 +0200
Source: debian-installer
Binary: debian-installer
Architecture: source s390
Version: 20070308etch3
Distribution: stable
Urgency: low
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Frans Pop <fjp@debian.org>
 debian-installer - Debian installer
Closes: 491263
 debian-installer (20070308etch3) stable; urgency=low
   * Rebuild to ensure the installer includes fixed versions of openssh for
     the SSH key vulnerability (DSA-1576-1). This affects architectures
     using network-console (arm, mipsel) and generic (s390) images.
     The upcoming 4.0r4 point release will ensure fixed versions of openssh
     are also included for all CD-based installations.
     Closes: #491263.
 2afb2d02a80eb62e802bd9ffd09e28d2 2146 devel optional debian-installer_20070308etch3.dsc
 7ba0aac31e6876bb3d2c9f69879badfb 1230217 devel optional debian-installer_20070308etch3.tar.gz
 307b906cc0caed3c731a1797d47d507b 766530 devel optional debian-installer_20070308etch3_s390.deb
 0170335eab9a250482110ac0b3c48310 6669053 raw-installer - debian-installer-images_20070308etch3_s390.tar.gz

--- End Message ---