[Kolab-devel] Erlang security update breaks guam on Debian 10

Christoph Erhardt christoph.erhardt at sicherha.de
Mon Jul 17 23:13:50 CEST 2023


Hi Christian,

unfortunately I'm not familiar with the admin side of OBS. The most plausible 
thing I have found would be this settings page:

  https://obs.kolabsys.com/repositories/Debian:10.0

The mirror URLs configured there lead to a 404, though. It seems there's a 
path component (`/dists/`) missing in the middle.

  Broken: https://mirror.switch.ch/ftp/mirror/debian/buster
 Working: https://mirror.switch.ch/ftp/mirror/debian/dists/buster

Maybe this will suffice to trigger a download-on-demand [1] on the next 
package build.

Best,
Christoph

[1] https://openbuildservice.org/help/manuals/obs-user-guide/cha.obs.concepts.html#concept_dod

On Monday, 17 July 2023 07:12:51 CEST Christian Mollekopf wrote:
> On Saturday, 15 July 2023 00:04:21 CEST you wrote:
> > Hi all,
> > 
> > if my understanding is correct, CVE-2022-37026 allows an authentication
> > bypass by clients when using certificate-based authentication, while
> > 'normal' user/ password-based authentication is not affected.
> > 
> > If that is indeed the case, then I believe our quick fix doesn't entail an
> > immediate risk to Guam users.
> > 
> > Nevertheless, I do feel somewhat strongly about doing things the right
> > way. In our case this would mean:
> > 1. Make OBS pull the latest Debian 10 packages, including erlang-base.
> > 2. Revert the patch that enables ERTS bundling for Guam.
> > 3. Rebuild Guam.
> 
> I'd rather have it bundled than wake up to our packages no longer starting
> because the upstream erts package changed, so for unbundling we need to
> figure which erts version to pin first IMO.
> > I'm happy to take care of steps 2 and 3, but step 1 needs to be done by an
> > OBS admin. Christian? Jeroen?
> 
> Do you happen to know how to trigger such an update?
> I have access, but to me it seems the OBS mostly expects to build against a
> static repository.
> 
> Cheers,
> Christian
> 
> > Best,
> > Christoph
> > 
> > _______________________________________________
> > users mailing list
> > users at lists.kolab.org
> > https://lists.kolab.org/mailman/listinfo/users
> 
> _______________________________________________
> devel mailing list
> devel at lists.kolab.org
> https://lists.kolab.org/mailman/listinfo/devel

