[Kolab-devel] Erlang security update breaks guam on Debian 10
Christoph Erhardt
christoph.erhardt at sicherha.de
Mon Jul 17 23:13:50 CEST 2023
Hi Christian,
unfortunately I'm not familiar with the admin side of OBS. The most plausible
thing I have found would be this settings page:
https://obs.kolabsys.com/repositories/Debian:10.0
The mirror URLs configured there lead to a 404, though. It seems there's a
path component (`/dists/`) missing in the middle.
Broken: https://mirror.switch.ch/ftp/mirror/debian/buster
Working: https://mirror.switch.ch/ftp/mirror/debian/dists/buster
Maybe this will suffice to trigger a download-on-demand [1] on the next
package build.
Best,
Christoph
[1] https://openbuildservice.org/help/manuals/obs-user-guide/
cha.obs.concepts.html#concept_dod
On Monday, 17 July 2023 07:12:51 CEST Christian Mollekopf wrote:
> On Saturday, 15 July 2023 00:04:21 CEST you wrote:
> > Hi all,
> >
> > if my understanding is correct, CVE-2022-37026 allows an authentication
> > bypass by clients when using certificate-based authentication, while
> > 'normal' user/ password-based authentication is not affected.
> >
> > If that is indeed the case, then I believe our quick fix doesn't entail an
> > immediate risk to Guam users.
> >
> > Nevertheless, I do feel somewhat strongly about doing things the right
> > way. In our case this would mean:
> > 1. Make OBS pull the latest Debian 10 packages, including erlang-base.
> > 2. Revert the patch that enables ERTS bundling for Guam.
> > 3. Rebuild Guam.
>
> I'd rather have it bundled than wake up to our packages no longer starting
> because the upstream erts package changed, so for unbundling we need to
> figure which erts version to pin first IMO.
> > I'm happy to take care of steps 2 and 3, but step 1 needs to be done by an
> > OBS admin. Christian? Jeroen?
>
> Do you happen to know how to trigger such an update?
> I have access, but to me it seems the OBS mostly expects to build agains a
> static repository.
>
> Cheers,
> Christian
>
> > Best,
> > Christoph
> >
> > _______________________________________________
> > users mailing list
> > users at lists.kolab.org
> > https://lists.kolab.org/mailman/listinfo/users
>
> _______________________________________________
> devel mailing list
> devel at lists.kolab.org
> https://lists.kolab.org/mailman/listinfo/devel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.kolab.org/pipermail/users/attachments/20230717/7529106d/attachment.sig>
More information about the users
mailing list