
Re: [SECURITY] [DLA 265-1] unattended-upgrades security update

Hi Michael, hi LTS team,

On Thu 02 Jul 2015 11:17:41 CEST, Michael Vogt wrote:

> Package        : unattended-upgrades
> Version        : 0.62.2+squeeze1
> CVE ID         : CVE-2015-1330
> Bug            : LP: #1466380
>
> It was discovered that unattended-upgrades, a script for automatic
> installation of security upgrades, did not properly authenticate
> downloaded packages when the force-confold or force-confnew dpkg
> options were enabled via the DPkg::Options::* apt configuration.
>
> We recommend that you upgrade your unattended-upgrades package.

I just saw Michael's DLA announcement and realized that I have used the same DLA for pykerberos today.

Such an issue occurs if people use bin/genDLA (from the secure-testing repo), but don't push the resulting changes back to the secure-testing SVN.

(@Michael: Don't feel bad about this. It is a weakness in the workflow (sorry for saying that). I will check documentation later, to make sure it is very obvious that DLA mails may only be sent if that DLA number has been requested previously and also checked into SVN. I suppose that you have not pushed to SVN _before_ sending your DLA mail, right? As it seems, you haven't pushed the DLA entry in secure-testing at all, so far, right?).

This has happened before and I feel we need to make this DLA requesting/mail-sending system more foolproof, especially for DDs/DMs not directly involved with the LTS team and not so accustomed to the LTS team's workflow.

The only way I can think of in terms of making this more foolproof, I guess, is by rejecting mails to debian-lts-announce if

  o a used DLA has not been reserved via the secure-testing SVN repo
  o the DLA has been reserved in the SVN repo, but for another package

Feedback, comments?



mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
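The two rejection rules proposed in the post above, written out as a small pre-send check. This is an added example and not part of the thread or of the secure-testing tooling; the layout of the reserved-DLA listing is assumed (modelled loosely on the data/DLA/list file), the sample mails are constructed, and only the DLA-265-1 / unattended-upgrades values mirror the announcement quoted above.

```python
import re

# Constructed sample of a reserved-DLA listing. The layout is an
# assumption modelled on secure-testing's data/DLA/list; only the
# DLA-265-1 entry uses values taken from the quoted announcement,
# the DLA-264-1 entry is a placeholder.
RESERVED_DLA_LIST = """\
[02 Jul 2015] DLA-265-1 unattended-upgrades - security update
\t{CVE-2015-1330}
\t[squeeze] - unattended-upgrades 0.62.2+squeeze1
[01 Jul 2015] DLA-264-1 example-pkg - security update
\t{CVE-0000-0000}
\t[squeeze] - example-pkg 1.0-1+squeeze1
"""

# Constructed announcement mails: one that matches its reservation,
# one that re-uses DLA-265-1 for a different package (the case from
# the post), and one whose DLA number was never reserved.
GOOD_MAIL = """\
Subject: [SECURITY] [DLA 265-1] unattended-upgrades security update

Package        : unattended-upgrades
Version        : 0.62.2+squeeze1
CVE ID         : CVE-2015-1330
"""
DUPLICATE_MAIL = """\
Subject: [SECURITY] [DLA 265-1] pykerberos security update

Package        : pykerberos
"""
UNRESERVED_MAIL = """\
Subject: [SECURITY] [DLA 999-1] example-pkg security update

Package        : example-pkg
"""

# Entry header lines start at column 0 with a bracketed date; the
# indented CVE and version lines below them are ignored.
ENTRY_RE = re.compile(r"^\[[^\]]+\]\s+(DLA-\d+-\d+)\s+(\S+)\s+-", re.MULTILINE)
SUBJECT_RE = re.compile(r"^Subject:.*\[DLA (\d+-\d+)\]", re.MULTILINE)
PACKAGE_RE = re.compile(r"^Package\s*:\s*(\S+)", re.MULTILINE)


def parse_reserved(listing: str) -> dict:
    """Map each reserved DLA id to the source package it was reserved for."""
    return {dla: pkg for dla, pkg in ENTRY_RE.findall(listing)}


def parse_announce(mail: str) -> tuple:
    """Extract (DLA id, package) from the Subject line and Package field."""
    subj = SUBJECT_RE.search(mail)
    pkg = PACKAGE_RE.search(mail)
    if not subj or not pkg:
        return None, None
    return "DLA-" + subj.group(1), pkg.group(1)


def check_announce(mail: str, reserved: dict) -> tuple:
    """Apply the two rules: the DLA must be reserved, and for this package.

    Returns (accept, reason) so a list moderator or a local pre-send hook
    can act on the decision and report why a mail was held back.
    """
    dla, pkg = parse_announce(mail)
    if dla is None:
        return False, "could not find a DLA id in Subject or a Package field"
    if dla not in reserved:
        return False, f"{dla} has not been reserved in the secure-testing repo"
    if reserved[dla] != pkg:
        return False, f"{dla} is reserved for {reserved[dla]}, not {pkg}"
    return True, f"{dla} is reserved for {pkg}"


if __name__ == "__main__":
    reserved = parse_reserved(RESERVED_DLA_LIST)
    for name, mail in (("good", GOOD_MAIL), ("duplicate", DUPLICATE_MAIL),
                       ("unreserved", UNRESERVED_MAIL)):
        accept, reason = check_announce(mail, reserved)
        print(f"{name:10s} {'ACCEPT' if accept else 'REJECT'}: {reason}")
```

Running the check against the current listing from SVN right before sending would have flagged the duplicate in this thread, since the reservation for DLA-265-1 names unattended-upgrades, not pykerberos.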

