<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr"></div><div dir="ltr">Debian security packages are usually not in mirrors, so you should also add the official security repo:</div><div dir="ltr"><a href="http://security.debian.org/debian-security/dists/buster/updates/main/">http://security.debian.org/debian-security/dists/buster/updates/main/</a></div><div dir="ltr"><br></div><div dir="ltr">Lennart</div><div dir="ltr"><br></div><div dir="ltr"><br><div dir="ltr"></div><blockquote type="cite">On 17 Jul 2023, at 23:15, Christoph Erhardt <christoph.erhardt@sicherha.de> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><span>Hi Christian,</span><br><span></span><br><span>unfortunately I'm not familiar with the admin side of OBS. The most plausible </span><br><span>thing I have found would be this settings page:</span><br><span></span><br><span>  https://obs.kolabsys.com/repositories/Debian:10.0</span><br><span></span><br><span>The mirror URLs configured there lead to a 404, though. It seems there's a </span><br><span>path component (`/dists/`) missing in the middle.</span><br><span></span><br><span>  Broken: https://mirror.switch.ch/ftp/mirror/debian/buster</span><br><span> Working: https://mirror.switch.ch/ftp/mirror/debian/dists/buster</span><br><span></span><br><span>Maybe this will suffice to trigger a download-on-demand [1] on the next </span><br><span>package build.</span><br><span></span><br><span>Best,</span><br><span>Christoph</span><br><span></span><br><span>[1] https://openbuildservice.org/help/manuals/obs-user-guide/</span><br><span>cha.obs.concepts.html#concept_dod</span><br><span></span><br><span>On Monday, 17 July 2023 07:12:51 CEST Christian Mollekopf wrote:</span><br><blockquote type="cite"><span>On Saturday, 15 July 2023 00:04:21 CEST you wrote:</span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span>Hi all,</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>if my understanding is correct, CVE-2022-37026 allows an authentication</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>bypass by clients when using certificate-based authentication, while</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>'normal' user/ password-based authentication is not affected.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>If that is indeed the case, then I believe our quick fix doesn't entail an</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>immediate risk to Guam users.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Nevertheless, I do feel somewhat strongly about doing things the right</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>way. In our case this would mean:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>1. Make OBS pull the latest Debian 10 packages, including erlang-base.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>2. Revert the patch that enables ERTS bundling for Guam.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>3. Rebuild Guam.</span><br></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>I'd rather have it bundled than wake up to our packages no longer starting</span><br></blockquote><blockquote type="cite"><span>because the upstream erts package changed, so for unbundling we need to</span><br></blockquote><blockquote type="cite"><span>figure which erts version to pin first IMO.</span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span>I'm happy to take care of steps 2 and 3, but step 1 needs to be done by an</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>OBS admin. Christian? Jeroen?</span><br></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Do you happen to know how to trigger such an update?</span><br></blockquote><blockquote type="cite"><span>I have access, but to me it seems the OBS mostly expects to build agains a</span><br></blockquote><blockquote type="cite"><span>static repository.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Cheers,</span><br></blockquote><blockquote type="cite"><span>Christian</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span>Best,</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Christoph</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>_______________________________________________</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>users mailing list</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>users@lists.kolab.org</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>https://lists.kolab.org/mailman/listinfo/users</span><br></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>_______________________________________________</span><br></blockquote><blockquote type="cite"><span>devel mailing list</span><br></blockquote><blockquote type="cite"><span>devel@lists.kolab.org</span><br></blockquote><blockquote type="cite"><span>https://lists.kolab.org/mailman/listinfo/devel</span><br></blockquote><span></span><br><span>_______________________________________________</span><br><span>devel mailing list</span><br><span>devel@lists.kolab.org</span><br><span>https://lists.kolab.org/mailman/listinfo/devel</span></div></blockquote></body></html>