[Kolab-devel] Erlang security update breaks guam on Debian 10
Lennart Ackermans
lennart at ackermans.ch
Tue Jul 18 00:13:15 CEST 2023
Debian security packages are usually not in mirrors, so you should also add the official security repo:
http://security.debian.org/debian-security/dists/buster/updates/main/
Lennart
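As an added example (not from this thread and not part of Kolab's OBS configuration), a small Python check for the two problems raised here: a mirror URL that lacks the `/dists/` component, as in the broken/working pair quoted below, and a Debian 10 target with no security repository configured. The URLs and the suite name are taken from the thread; the function names are my own.

```python
from urllib.parse import urlparse, urlunparse

SUITE = "buster"  # Debian 10 codename
SECURITY_HOST = "security.debian.org"
# Security repo from the thread, used as the reference entry to look for.
SECURITY_REPO = "http://security.debian.org/debian-security/dists/buster/updates/main/"


def check_mirror_url(url, suite=SUITE):
    """Classify a mirror URL: ("ok", url), ("missing-dists", fixed_url)
    or ("unrecognised", url) when it does not point at the suite at all."""
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) >= 2 and parts[-2] == "dists" and parts[-1] == suite:
        return "ok", url
    if parts and parts[-1] == suite:
        # Suite present but '/dists/' absent: rebuild the path with it inserted.
        fixed_path = "/" + "/".join(parts[:-1] + ["dists", suite])
        return "missing-dists", urlunparse(parsed._replace(path=fixed_path))
    return "unrecognised", url


def has_security_repo(urls, suite=SUITE):
    """True if some URL is a security.debian.org entry for dists/<suite>/updates."""
    for url in urls:
        parsed = urlparse(url)
        parts = [p for p in parsed.path.split("/") if p]
        if parsed.hostname == SECURITY_HOST and "dists" in parts:
            i = parts.index("dists")
            if parts[i + 1:i + 3] == [suite, "updates"]:
                return True
    return False


def audit(urls, suite=SUITE):
    """Return human-readable findings for a list of configured repository URLs."""
    findings = []
    for url in urls:
        status, fixed = check_mirror_url(url, suite)
        if status == "missing-dists":
            findings.append("%s: missing /dists/ component, use %s" % (url, fixed))
    if not has_security_repo(urls, suite):
        findings.append("no %s entry for %s/updates configured" % (SECURITY_HOST, suite))
    return findings


if __name__ == "__main__":
    # Constructed sample config: only the broken mirror URL from the thread.
    for finding in audit(["https://mirror.switch.ch/ftp/mirror/debian/buster"]):
        print(finding)
```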
> On 17 Jul 2023, at 23:15, Christoph Erhardt <christoph.erhardt at sicherha.de> wrote:
>
> Hi Christian,
>
> unfortunately I'm not familiar with the admin side of OBS. The most plausible
> thing I have found would be this settings page:
>
> https://obs.kolabsys.com/repositories/Debian:10.0
>
> The mirror URLs configured there lead to a 404, though. It seems there's a
> path component (`/dists/`) missing in the middle.
>
> Broken: https://mirror.switch.ch/ftp/mirror/debian/buster
> Working: https://mirror.switch.ch/ftp/mirror/debian/dists/buster
>
> Maybe this will suffice to trigger a download-on-demand [1] on the next
> package build.
>
> Best,
> Christoph
>
> [1] https://openbuildservice.org/help/manuals/obs-user-guide/cha.obs.concepts.html#concept_dod
>
>> On Monday, 17 July 2023 07:12:51 CEST Christian Mollekopf wrote:
>>> On Saturday, 15 July 2023 00:04:21 CEST you wrote:
>>> Hi all,
>>>
>>> if my understanding is correct, CVE-2022-37026 allows an authentication
>>> bypass by clients when using certificate-based authentication, while
>>> 'normal' user/password-based authentication is not affected.
>>>
>>> If that is indeed the case, then I believe our quick fix doesn't entail an
>>> immediate risk to Guam users.
>>>
>>> Nevertheless, I do feel somewhat strongly about doing things the right
>>> way. In our case this would mean:
>>> 1. Make OBS pull the latest Debian 10 packages, including erlang-base.
>>> 2. Revert the patch that enables ERTS bundling for Guam.
>>> 3. Rebuild Guam.
>>
>> I'd rather have it bundled than wake up to our packages no longer starting
>> because the upstream erts package changed, so for unbundling we need to
>> figure which erts version to pin first IMO.
>>> I'm happy to take care of steps 2 and 3, but step 1 needs to be done by an
>>> OBS admin. Christian? Jeroen?
>>
>> Do you happen to know how to trigger such an update?
>> I have access, but to me it seems the OBS mostly expects to build against a
>> static repository.
>>
>> Cheers,
>> Christian
>>
>>> Best,
>>> Christoph
>>>
>>> _______________________________________________
>>> users mailing list
>>> users at lists.kolab.org
>>> https://lists.kolab.org/mailman/listinfo/users
>>
>> _______________________________________________
>> devel mailing list
>> devel at lists.kolab.org
>> https://lists.kolab.org/mailman/listinfo/devel