Steve Langasek
2006-Mar-13 12:28 UTC
[Secure-testing-team] Broken testing propagation for some packages?
On Tue, Jul 05, 2005 at 10:36:51AM +0200, Moritz Muehlenhoff wrote:
> I was having a look at the state of applications in testing using
> the vulnerable XMLRPC code, for which an easily usable exploit has
> been published and which seems like a perfect worm candidate as it
> affects a wide range of popular web apps.

> For testing it affects drupal and wordpress, which both have been
> fixed. But their propagation seems blocked, because britney thinks
> that there is no version in testing, which is wrong as both _are_
> present in current testing:

This output says nothing of the sort. First, britney doesn't care about whether there's a previous version of the package in testing when considering it for updating; second, that line of output does *not* come from britney. The britney output is that which is found at <http://ftp-master.debian.org/testing/update_excuses.html.gz> and at <http://ftp-master.debian.org/testing/update_output.txt.gz>. This "only in unstable" claim is something you'll have to take up with the maintainer of bjorn.haxx.se. (I'm guessing it still thinks sarge==testing...)

... and third, britney hasn't been run in several days due to the impending ftp-master move. Sorry, there's not much to be done about that as long as things are up in the air.

-- 
Steve Langasek
postmodern programmer
Joey Hess
2006-Mar-13 12:28 UTC
[Secure-testing-team] Broken testing propagation for some packages?
Moritz Muehlenhoff wrote:
> I was having a look at the state of applications in testing using
> the vulnerable XMLRPC code, for which an easily usable exploit has
> been published and which seems like a perfect worm candidate as it
> affects a wide range of popular web apps.
>
> For testing it affects drupal and wordpress, which both have been
> fixed. But their propagation seems blocked, because britney thinks
> that there is no version in testing, which is wrong as both _are_
> present in current testing:
>
> http://bjorn.haxx.se/debian/testing.pl?package=wordpress:
> Checking wordpress
>
>  * trying to update [1]wordpress from 1.5.1.2-1 to 1.5.1.3-1
>  * wordpress [2]is only in unstable (no testing version)
>
> Checking drupal
>
>  * trying to update [1]drupal from 4.5.3-2 to 4.5.4-1
>  * drupal [2]is only in unstable (no testing version)
>
> What's wrong? Is this a known problem?

Yes, the testing propagation scripts have been down for several days. I'm told it has something to do with the pending move of newraff to a different ISP.

This would probably be a great time to put up a repository and begin doing some advisories.

-- 
see shy jo
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Broken testing propagation for some packages?
Hi,

I was having a look at the state of applications in testing using the vulnerable XMLRPC code, for which an easily usable exploit has been published and which seems like a perfect worm candidate as it affects a wide range of popular web apps.

For testing it affects drupal and wordpress, which both have been fixed. But their propagation seems blocked, because britney thinks that there is no version in testing, which is wrong as both _are_ present in current testing:

http://bjorn.haxx.se/debian/testing.pl?package=wordpress:
Checking wordpress

 * trying to update [1]wordpress from 1.5.1.2-1 to 1.5.1.3-1
 * wordpress [2]is only in unstable (no testing version)

Checking drupal

 * trying to update [1]drupal from 4.5.3-2 to 4.5.4-1
 * drupal [2]is only in unstable (no testing version)

What's wrong? Is this a known problem?

Cheers,
Moritz
Micah Anderson
2006-Mar-13 12:28 UTC
[Secure-testing-team] Broken testing propagation for some packages?
Moritz Muehlenhoff wrote on Wednesday, 06 July 2005:
> Joey Hess wrote:
> > This would probably be a great time to put up a repository and begin
> > doing some advisories.
>
> Definitely, but I have to submit my thesis synopsis by thursday in a week
> and pending Spanish exams the day after that, so my spare time is very
> limited. I haven't done much on the DTSA processing script since I sent

Time is tight for many right now as a number of us are embarking on our travels to Debconf in Helsinki. Although I do not leave for another day, I have a lot of work to wrap up before I go.

Hopefully someone has time available and can get a repository set up, but if nobody has that time, perhaps we can discuss where that repository could go. The most obvious candidate to me is on the alioth machine. Although this resource is available, it may cause some security concerns for people to have it there, due to the large number of people who have access to the box. Perhaps it's not an issue?

micah
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Broken testing propagation for some packages?
Joey Hess wrote:
> This would probably be a great time to put up a repository and begin
> doing some advisories.

Definitely, but I have to submit my thesis synopsis by thursday in a week and pending Spanish exams the day after that, so my spare time is very limited. I haven't done much on the DTSA processing script since I sent it around, but at least it processes DTSA templates and generates email announcements from it (these aren't signed yet, though). The functions for updating a certain DTSA and generating an HTML overview are not done yet, but it should be roughly usable already. It's still missing code for processing SHA-1 checksums of the source and binary packages to be included in the advisory, but I can add this tonight. I can commit the current version this evening, or feel free to implement another solution.

Cheers,
Moritz
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Broken testing propagation for some packages?
Micah Anderson wrote:
> The most obvious candidate to me is on the alioth
> machine. Although this resource is available, it may cause some security
> concerns for people to have it there, due to the large number of
> people who have access to the box. Perhaps it's not an issue?

I don't think that storing it on Alioth for now would be a problem. If DTSAs have SHA-1 or SHA-256 checksums for the fixed packages and PGP signatures, compromised binaries would be noticed. Access to security.d.o is restricted because of embargoed disclosure, which is not the case for secure-testing.

Cheers,
Moritz
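The two messages above (the DTSA script still lacking per-package checksums, and the argument that signed advisories with checksums make a tampered binary on a shared host detectable) describe a check that is easy to show in code. The following is an added example for this thread, not the DTSA processing script or any code from the secure-testing project. The advisory excerpt, the filenames and the package bytes are constructed here for illustration; the checksum block borrows the layout of the "Checksums-Sha256:" field in Debian .changes files (hexdigest, size in bytes, filename). It assumes the advisory's own PGP signature has already been verified (for example with gpg --verify) before anything in it is trusted, since an attacker who controls the host could otherwise rewrite both the packages and the advisory.

```python
"""Verify mirror copies of fixed packages against checksums from an advisory.

Added example; not the DTSA script from the thread. Advisory text, filenames
and package contents are constructed. The advisory's PGP signature is assumed
to have been checked already; this code only does the per-file comparison.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_checksum_block(files: dict) -> str:
    """Produce the Checksums-Sha256 block the advisory author would sign."""
    lines = ["Checksums-Sha256:"]
    for name, data in sorted(files.items()):
        lines.append(f" {sha256_hex(data)} {len(data)} {name}")
    return "\n".join(lines) + "\n"


def parse_checksums(advisory: str) -> dict:
    """Return {filename: (hexdigest, size)} from a Checksums-Sha256: block.

    The block ends at the first following line that is not indented, which
    is how .changes-style multi-line fields are delimited.
    """
    entries = {}
    in_block = False
    for line in advisory.splitlines():
        if line.strip() == "Checksums-Sha256:":
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                break
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
    return entries


def verify(expected: dict, fetched: dict) -> dict:
    """Compare fetched files against the advisory; return a status per file."""
    status = {}
    for name, data in fetched.items():
        if name not in expected:
            status[name] = "not in advisory"
            continue
        digest, size = expected[name]
        if len(data) != size:
            status[name] = "size mismatch"
        elif sha256_hex(data) != digest:
            status[name] = "hash mismatch"
        else:
            status[name] = "ok"
    # Anything the advisory lists but the mirror does not serve is also reported.
    for name in expected:
        status.setdefault(name, "missing from mirror")
    return status


# Constructed stand-ins for the fixed packages as built by the uploader.
TRUSTED_FILES = {
    "wordpress_1.5.1.3-1_all.deb": b"constructed wordpress package contents",
    "drupal_4.5.4-1_all.deb": b"constructed drupal package contents",
}

# What the signed advisory would carry (header and trailer lines constructed).
ADVISORY = (
    "Package: wordpress, drupal\n"
    + build_checksum_block(TRUSTED_FILES)
    + "Description: constructed example advisory\n"
)

# Constructed mirror copies: wordpress untouched, drupal altered in place with
# the same length but different bytes, so a size check alone would miss it.
MIRROR_FILES = {
    "wordpress_1.5.1.3-1_all.deb": TRUSTED_FILES["wordpress_1.5.1.3-1_all.deb"],
    "drupal_4.5.4-1_all.deb": TRUSTED_FILES["drupal_4.5.4-1_all.deb"].replace(
        b"drupal", b"drupaL"
    ),
}


def check_mirror() -> dict:
    """Run the verification over the constructed mirror contents."""
    return verify(parse_checksums(ADVISORY), MIRROR_FILES)


if __name__ == "__main__":
    for name, result in sorted(check_mirror().items()):
        print(f"{result:>19}  {name}")
```

Running it reports the wordpress package as ok and the drupal package as a hash mismatch, which is the detection the message above relies on. The size is compared first only because it is cheap; the hash is what actually catches a same-length modification, and the whole check is only as trustworthy as the signature on the advisory the checksums came from.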