*warning* -- /etc/backup.d/10.sys
== warnings from /etc/backup.d/10.sys ==
Warning: The partition table for /dev/mapper/systemVG-slash could not be saved.
Warning: The partition table for /dev/mapper/systemVG-swap could not be saved.
Warning: The partition table for /dev/mapper/systemVG-home could not be saved.
Warning: The partition table for /dev/mapper/systemVG-var could not be saved.
Warning: The partition table for /dev/mapper/systemVG-ftp could not be saved.
Warning: The partition table for /dev/mapper/systemVG-srv could not be saved.
Warning: The partition table for /dev/mapper/systemVG-obnam could not be saved.
Info: LVM metadata was saved to /var/backups/lvm for volume groups: systemVG
This is the mail system at host nonagon.crans.org.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<monitoring(a)federez.net> (expanded from <root>): host
smtp.crans.org[2a06:e042:100:4:200:9ff:fe04:1901] said: 550 5.1.0
<root(a)nonagon.crans.org>: Sender address rejected: User unknown in relay
recipient table (in reply to RCPT TO command)
*warning* -- /etc/backup.d/10.sys
== warnings from /etc/backup.d/10.sys ==
Warning: The partition table for /dev/mapper/systemVG-slash could not be saved.
Warning: The partition table for /dev/mapper/systemVG-swap could not be saved.
Warning: The partition table for /dev/mapper/systemVG-home could not be saved.
Warning: The partition table for /dev/mapper/systemVG-var could not be saved.
Warning: The partition table for /dev/mapper/systemVG-ftp could not be saved.
Warning: The partition table for /dev/mapper/systemVG-srv could not be saved.
Warning: The partition table for /dev/mapper/systemVG-obnam could not be saved.
Info: LVM metadata was saved to /var/backups/lvm for volume groups: systemVG
A virus was found: Html.Phishing.Bank-107
Scanner detecting a virus: ClamAV-clamd
Content type: Virus
Internal reference code for the message is 28020-15/4n_tnuG4rzPE
First upstream SMTP client IP address: [79.127.207.178] home.stroza.cz
According to a 'Received:' trace, the message apparently originated at:
[62.210.140.7], home.stroza.cz home.stroza.cz [79.127.207.178]
Return-Path: <customersupport(a)blockchain.info>
From: "Bitcoin Wallet - Blockchain"<customersupport(a)blockchain.info>
Subject: Confirmation Required
The message has been quarantined as: 4/virus-4n_tnuG4rzPE
The message WAS NOT relayed to:
<ares-technique(a)federez.net>:
250 2.7.0 Ok, discarded, id=28020-15 - INFECTED: Html.Phishing.Bank-107
Virus scanner output:
p001: Html.Phishing.Bank-107 FOUND
This is the mail system at host quigon.rez-gif.supelec.fr.
####################################################################
# THIS IS A WARNING ONLY. YOU DO NOT NEED TO RESEND YOUR MESSAGE. #
####################################################################
Your message could not be delivered for more than 4 hour(s).
It will be retried until it is 60 day(s) old.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<logwatch(a)federez.net>: delivery temporarily suspended: connect to
dodecagon.federez.net[2001:bc8:273e::]:25: Network is unreachable
This is the mail system at host nonagon.crans.org.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<monitoring(a)federez.net> (expanded from <root>): host
smtp.crans.org[138.231.136.39] said: 550 5.1.0 <root(a)nonagon.crans.org>:
Sender address rejected: User unknown in relay recipient table (in reply to
RCPT TO command)
/etc/cron.weekly/ssl-cert-check:
ERROR: The file named /var/tmp/cert.ae7IrX is unreadable or doesn't exist
ERROR: Please check to make sure the certificate for autoconfig.federez.net:443 is valid
ERROR: The file named /var/tmp/cert.ae7IrX is unreadable or doesn't exist
ERROR: Please check to make sure the certificate for munin.federez.net:443 is valid
ERROR: The file named /var/tmp/cert.ae7IrX is unreadable or doesn't exist
ERROR: Please check to make sure the certificate for roundcube.federez.net:443 is valid
apt (1.4.2) unstable; urgency=medium
If periodic updates and unattended upgrades are enabled, the start of
periodic updates is now distributed over 24 hour intervals (as in 1.2
to 1.4), whereas starting unattended-upgrade has been restricted to a
time between 6 and 7 am. This only affects systems using systemd, other
systems still use the classical hourly cron job.
-- Julian Andres Klode <jak(a)debian.org> Thu, 04 May 2017 22:54:02 +0200
apt (1.4~beta1) unstable; urgency=medium
Support for GPG signatures using the SHA1 or RIPE-MD/160 hash
algorithms has been disabled. Repositories using Release files
signed in such a way will stop working. This change has been made
due to security considerations, especially with regards to possible
further breakthroughs in SHA1 breaking during the lifetime
of this APT release series.
It is possible (but STRONGLY ADVISED AGAINST) to revert to the previous
behaviour by setting the options
APT::Hashes::SHA1::Weak "yes";
APT::Hashes::RIPE-MD/160::Weak "yes";
Note that setting these options only affects the verification of the overall
repository signature.
-- Julian Andres Klode <jak(a)debian.org> Fri, 25 Nov 2016 13:19:32 +0100
apt (1.2~exp1) experimental; urgency=medium
[ Automatic removal of debs after install ]
After packages are successfully installed by apt(8),
the corresponding .deb package files will be
removed from the /var/cache/apt/archives cache directory.
This can be changed by setting the apt configuration option
"Binary::apt::APT::Keep-Downloaded-Packages" to "true". E.g:
# echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' \
> /etc/apt/apt.conf.d/01keep-debs
Please note that the behavior of apt-get is unchanged. The
downloaded debs will be kept in the cache directory after they
are installed. To enable the behavior for other tools, you can set
"APT::Keep-Downloaded-Packages" to false.
[ Compressed indices ]
If you use Acquire::gzipIndexes, or any other compressed index targets,
those will now be compressed with the fastest supported algorithm,
currently lz4.
-- Michael Vogt <mvo(a)debian.org> Tue, 05 Jan 2016 19:22:16 +0100
apt (1.1~exp9) experimental; urgency=medium
A new algorithm for pinning has been implemented, it now assigns a
pin priority to a version instead of assigning a pin to a package.
This might break existing corner cases of pinning, if they use multiple
pins involving the same package name or patterns matching the same
package name, but should overall lead to pinning that actually works
as intended and documented.
-- Julian Andres Klode <jak(a)debian.org> Mon, 17 Aug 2015 14:45:17 +0200
apt-listchanges (3.3) unstable; urgency=medium
Short summary of the most important changes done since version 3.0 up to 3.3:
- apt-listchanges was migrated to python3. The "gtk" frontend now requires
the python3-gi package to work.
- The "browser", "xterm-pager", and "xterm-browser" frontends will now try
to drop root privileges before spawning external commands. This only works
when upgrade was initiated from a regular user account with commands like
sudo|su apt-get|aptitude upgrade|install|etc.
- The way apt-listchanges cooperates with apt was slightly changed; please
make sure to accept the new version of `/etc/apt/apt.conf.d/20listchanges'
configuration file in case dpkg prompts about the file.
- apt-listchanges no longer supports deprecated frontends (e.g. "w3m")
or ancient (i.e. more than about 15 years old) *.deb packages.
-- Robert Luberda <robert(a)debian.org> Mon, 15 Aug 2016 21:55:31 +0200
apt-listchanges (2.87) unstable; urgency=medium
For better integration with package management system, apt-listchanges
automatically switches to the non-interactive "text" frontend:
- when the `-y'/`--assume-yes' option is passed to apt-get
- or when DEBIAN_FRONTEND environment variable is set to "noninteractive".
The new behavior can be disabled in the configuration file (or via the
command-line parameters), refer to apt-listchanges(1) man page for details.
The "mail" frontend can optionally send e-mails in the HTML format, see the
description of `--email-format' option in the man page for more information.
For the sake of consistency the `--all' and `--show_seen' options were
renamed to `--show-all' and `--show-seen' respectively.
-- Robert Luberda <robert(a)debian.org> Sat, 02 Apr 2016 20:24:43 +0200
freeradius (3.0.11+dfsg-1) experimental; urgency=medium
Please see upstream’s “Upgrading to Version 3.0” guide which is available
locally in /etc/freeradius/3.0/README.rst or online at
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/README.rst
-- Michael Stapelberg <stapelberg(a)debian.org> Thu, 15 Sep 2016 20:21:09 +0200
mutt (1.7.0-6) unstable; urgency=medium
As a result of the switch to gpgme in 1.7.0-2, all pgp_* commands that
reference a pgp/gnupg command are now ignored (unless crypt_use_gpgme is
manually set to 'no'). If you had an --encrypt-to in those commands, to
encrypt outgoing mail to yourself, then you will have to set
pgp_encrypt_self=yes to maintain the same behavior.
Starting from this version of mutt, $locale is not an option anymore, you will
have to use $attribution_locale instead, which controls the translation
of the "On {date}, {user} wrote" reply string. More details
on https://www.mail-archive.com/mutt-dev@mutt.org/msg11544.html.
As of this version mailto_allow will also include In-Reply-To, Cc and
References by default, to change it set mailto_allow in your ~/.muttrc.
-- Antonio Radici <antonio(a)debian.org> Sun, 25 Sep 2016 08:48:10 +0100
mutt (1.7.0-2) unstable; urgency=medium
Starting from this version, we enable 'crypt_use_gpgme=yes' by default.
The GPGME delegates all crypto support to gnupg, which is designed to hold
your crypto data securely.
The drawback is that inline signatures are no longer supported in favour of
PGP/MIME. If you need to sign your email with inline signatures please use
'set crypt_use_gpgme=no' in your .muttrc.
To solve #828751 we also had to add '--pinentry-mode loopback' to all commands
in gpg.rc, that breaks compatibility with gpg v1, if you are still using gpg
v1 please remove that option from the invocations of the command in
/etc/Muttrc.d/gpg.rc
-- Antonio Radici <antonio(a)debian.org> Wed, 07 Sep 2016 21:02:51 +0100
mutt (1.6.2-1) unstable; urgency=medium
The mutt package now incorporates the NeoMutt patchset, which includes a
number of important security, performance and stability fixes. It also
includes a number of UI improvements and a plethora of new features,
including many previously shipped by Debian. Among these is the
functionality of both the mutt-patched (sidebar, NNTP) and the mutt-kz
(notmuch) packages, that are now both obsolete and replaced by the mutt
package. More information about NeoMutt can be found on its website:
http://www.neomutt.org/
The sidebar patch has been polished up and merged upstream in what will
eventually be Mutt 1.7.0 -- and then backported again by NeoMutt. For
compatibility with upstream's default and since there is no mutt-patched
package anymore, the sidebar is now off by default. Moreover, this new
version renamed the sidebar's configuration options. To keep the old
behavior, use this in your .muttrc:
set mail_check_stats=yes
set sidebar_visible=yes
set sidebar_format="%B%* %S%?N?(%N)?%?F?[%F]?"
set sidebar_indent_string=" "
and optionally:
set sidebar_folder_indent=yes
set sidebar_short_path=yes
The "file_charset" option has been renamed to "attach_charset", as part of
its inclusion upstream.
-- Faidon Liambotis <paravoid(a)debian.org> Mon, 25 Jul 2016 18:45:08 +0300
openldap (2.4.44+dfsg-1) unstable; urgency=medium
The slapd package no longer includes OpenSLP support. The
openslp-dfsg package is being retired due to lack of maintenance and
security concerns. Please see <https://bugs.debian.org/795428> for
more information.
-- Ryan Tandy <ryan(a)nardis.ca> Tue, 15 Mar 2016 03:59:27 +0000
postfix (3.1.4-1) unstable; urgency=medium
Starting with postfix 3.0, Debian's custom dynamically loadable module
support has been replaced with a new upstream implementation. To support
this change, some files in /etc/postfix required updates. If prompted
during install to accept or reject changes, take care not to reject changes
due to the new configuration. Failure to do so may lead to a non-working
system.
Starting with Debian 9, Codename Stretch, postfix is shipped with a systemd
unit file for native systemd integration (the old sysv init script is also
provided for non-systemd deployments). Manipulation of Postfix instances
using the new unit files is described in README.Debian.
-- Scott Kitterman <scott(a)kitterman.com> Mon, 02 Jan 2017 14:05:46 -0500
smartmontools (6.4+svn4214-1) unstable; urgency=medium
Previous versions of the smartmontools package included a tool
update-smart-drivedb which downloaded updated drive definitions
from the smartmontools website and stored them at
/var/lib/smartmontools/drivedb/drivedb.h
This tool did not download the definitions in a secure manner and
so the feature has been removed in this version. Future drive DB
updates will be propagated via normal Debian package updates,
including backports.
If you already have a drivedb.h file at that location, smartctl
will continue to use it.
-- Jonathan Dowland <jmtd(a)debian.org> Mon, 01 Feb 2016 21:19:47 +0000
vim (2:8.0.0022-1) unstable; urgency=medium
Vim now ships with a defaults.vim file which, when the user has no vimrc,
enables some options that have historically been disabled by default. This
is described in more detail at ":help defaults.vim".
Since defaults.vim is loaded when the user's vimrc would typically be
loaded, it will override any settings in /etc/vim/vimrc(.local). In order
to disable the loading of defaults.vim, add
let g:skip_defaults_vim = 1
to /etc/vim/vimrc(.local).
-- James McCoy <jamessan(a)debian.org> Tue, 04 Oct 2016 20:28:02 -0400
vim (2:7.4.2330-1) unstable; urgency=medium
The Python language bindings have been switched from python2 to python3.
If you have plugins/addons that use Python, they may need to be updated to
support python3.
Similarly, python3 specific packages may need to be installed to re-enable
plugins (e.g., python-powerline is replaced by python3-powerline) or plugin
features.
-- James McCoy <jamessan(a)debian.org> Wed, 07 Sep 2016 22:12:11 -0400
findutils (4.5.12-1) experimental; urgency=low
The GNU extension find -perm +xyz has been deprecated, find now exits
with an error when this syntax is used. Please switch over to
find -perm /xyz which has been supported since 2005.
See http://savannah.gnu.org/bugs/?38474 for upstream discussion of the
issue.
-- Andreas Metzler <ametzler(a)debian.org> Sat, 28 Sep 2013 08:46:13 +0200
bsd-mailx (8.1.2-0.20160123cvs-4) unstable; urgency=medium
Since this version MIME headers are added to every outgoing mail
to indicate the correct local charset (from the POSIX locale)
and transfer encoding (always 8bit).
See "Character sets and MIME" in bsd-mailx(1) man page
and Bug#859935 for more information.
-- Robert Luberda <robert(a)debian.org> Sat, 15 Apr 2017 00:11:27 +0200
ca-certificates (20161102) unstable; urgency=medium
Update Mozilla certificate authority bundle to version 2.9.
The following certificate authorities were added (+):
+ "Certplus Root CA G1"
+ "Certplus Root CA G2"
+ "Certum Trusted Network CA 2"
+ "Hellenic Academic and Research Institutions ECC RootCA 2015"
+ "Hellenic Academic and Research Institutions RootCA 2015"
+ "ISRG Root X1"
+ "OpenTrust Root CA G1"
+ "OpenTrust Root CA G2"
+ "OpenTrust Root CA G3"
+ "SZAFIR ROOT CA2"
The following certificate authorities were removed (-):
- "CA Disig"
- "NetLock Business (Class B) Root"
- "NetLock Express (Class C) Root"
- "NetLock Notary (Class A) Root"
- "NetLock Qualified (Class QA) Root"
- "Sonera Class 1 Root CA"
- "Staat der Nederlanden Root CA"
- "Verisign Class 1 Public Primary Certification Authority - G2"
- "Verisign Class 3 Public Primary Certification Authority"
- "Verisign Class 3 Public Primary Certification Authority - G2"
-- Michael Shuler <michael(a)pbandjelly.org> Wed, 02 Nov 2016 21:15:03 -0500
ca-certificates (20151214) unstable; urgency=medium
Removed SPI CA. Closes: #796208
Updated Mozilla certificate authority bundle to version 2.6.
The following certificate authorities were added (+):
+ "CA WoSign ECC Root"
+ "Certification Authority of WoSign G2"
+ "Certinomis - Root CA"
+ "OISTE WISeKey Global Root GB CA"
+ "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
+ "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
The following certificate authorities were removed (-):
- "A-Trust-nQual-03"
- "Buypass Class 3 CA 1"
- "ComSign Secured CA"
- "Digital Signature Trust Co. Global CA 1"
- "Digital Signature Trust Co. Global CA 3"
- "SG TRUST SERVICES RACINE"
- "TC TrustCenter Class 2 CA II"
- "TC TrustCenter Universal CA I"
- "TURKTRUST Certificate Services Provider Root 1"
- "TURKTRUST Certificate Services Provider Root 2"
- "UTN DATACorp SGC Root CA"
- "Verisign Class 4 Public Primary Certification Authority - G3"
-- Michael Shuler <michael(a)pbandjelly.org> Mon, 14 Dec 2015 18:51:50 -0600
ca-certificates (20150426) unstable; urgency=medium
Update Mozilla certificate authority bundle to version 2.4.
The following certificate authorities were added (+):
+ "CFCA EV ROOT"
+ "COMODO RSA Certification Authority"
+ "Entrust Root Certification Authority - EC1"
+ "Entrust Root Certification Authority - G2"
+ "GlobalSign ECC Root CA - R4"
+ "GlobalSign ECC Root CA - R5"
+ "IdenTrust Commercial Root CA 1"
+ "IdenTrust Public Sector Root CA 1"
+ "S-TRUST Universal Root CA"
+ "Staat der Nederlanden EV Root CA"
+ "Staat der Nederlanden Root CA - G3"
+ "USERTrust ECC Certification Authority"
+ "USERTrust RSA Certification Authority" Closes: #762709
The following certificate authorities were removed (-):
- "America Online Root Certification Authority 1"
- "America Online Root Certification Authority 2"
- "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
- "GTE CyberTrust Global Root"
- "Thawte Premium Server CA"
- "Thawte Server CA"
-- Michael Shuler <michael(a)pbandjelly.org> Sun, 26 Apr 2015 10:37:48 -0500
dovecot (1:2.2.21-1) unstable; urgency=medium
This release disables the dovecot.socket systemd unit by default. The unit is
disabled only if the dovecot.service unit is already enabled, making sure
that dovecot will start on system boot. If you are upgrading dovecot and
previously relied on dovecot.socket and dovecot.service being both enabled,
please re-enable dovecot.socket manually using
systemctl enable dovecot.socket
Future package updates will not disable the socket unit again. For details
regarding this decision, please see Debian bugs #803915 and #814999.
-- Apollon Oikonomopoulos <apoikos(a)debian.org> Fri, 19 Feb 2016 16:54:27 +0200
gdb (7.8-1) experimental; urgency=medium
WARNING: gdb now uses Python 3 by default.
Please update your Python scripts to work on both Python 2 and 3 as
soon as possible.
See /usr/share/doc/gdb*/README.python_switch for details.
-- Samuel Bronson <naesten(a)gmail.com> Tue, 26 Aug 2014 14:04:20 -0400
glibc (2.21-2) unstable; urgency=medium
Starting with version 2.21-1, the glibc requires a 3.2 or later Linux
kernel. If you use an older kernel, please upgrade it *before*
installing this glibc version. Failing to do so will end-up with the
following failure:
Preparing to unpack .../libc6_2.21-1_amd64.deb ...
Checking for services that may need to be restarted...
Checking init scripts...
WARNING: this version of the GNU libc requires kernel version
3.2 or later. Please upgrade your kernel before installing
glibc.
Note: This obviously does not apply to non-Linux kernels.
-- Aurelien Jarno <aurel32(a)debian.org> Thu, 03 Dec 2015 22:46:21 +0100
gnupg2 (2.1.11-7+exp1) experimental; urgency=medium
The gnupg package now provides the "modern" version of GnuPG.
Please read /usr/share/doc/gnupg/README.Debian for details about the
transition from "classic" to "modern"
-- Daniel Kahn Gillmor <dkg(a)fifthhorseman.net> Wed, 30 Mar 2016 09:59:35 -0400
ifupdown (0.8.17) unstable; urgency=medium
Ifupdown now also configures VLANs for bridge interfaces. (Previously, the
bridge-utils package integrated with the vlan package to do this via if-up
hooks, however since bridge-utils 1.5-11 this integration has been removed.)
-- Guus Sliepen <guus(a)debian.org> Tue, 10 Jan 2017 17:20:09 +0100
ifupdown (0.8.1) unstable; urgency=medium
The /etc/default/networking file is now read even when systemd is used,
although its use is not recommended.
-- Guus Sliepen <guus(a)debian.org> Wed, 02 Dec 2015 23:25:41 +0100
ifupdown (0.8) unstable; urgency=medium
Ifupdown now comes with a systemd service file. Any options specified in
/etc/default/networking will no longer be used. If you are using
CONFIGURE_INTERFACES=no, then run "systemctl disable networking" instead.
If you are using EXCLUDE_INTERFACES, then edit /etc/network/interfaces and
remove those interfaces from any "auto" keywords.
Ifupdown will now be more strict when errors occur, and will also properly
return a non-zero exit code when (de)configuring an interface fails. Please
ensure your /etc/network/interfaces is correct and that your interfaces can
be brought up and down without errors, especially during system startup.
Ifupdown now has more fine-grained locking, allowing concurrent calls of
ifup and ifdown. It is also allowed to call ifup and ifdown from a (pre-)up
or (post-)down line from /etc/network/interfaces, as long as no recursion
occurs.
You can now use the "inherits" keyword to copy settings from another
interface stanza.
RFC 4361 DDNS support is now enabled by default for inet dhcp interfaces if
isc-dhcp-client is installed.
-- Guus Sliepen <guus(a)debian.org> Sun, 22 Nov 2015 21:19:44 +0100
initramfs-tools (0.129) unstable; urgency=medium
* Some systems that do not support suspend-to-disk (hibernation) will
require a configuration change to explicitly disable this.
From version 0.128, the boot code waits for a suspend/resume device
to appear, rather than checking just once. If the configured or
automatically selected resume device is not available at boot time,
this results in a roughly 30 second delay.
You should set the RESUME variable in
/etc/initramfs-tools/conf.d/resume or
/etc/initramfs-tools/initramfs.conf to one of:
- auto - select the resume device automatically
- none - disable use of a resume device
- UUID=<uuid> - use a specific resume device (by UUID)
- /dev/<name> - use a specific resume device (by kernel name)
-- Ben Hutchings <ben(a)decadent.org.uk> Thu, 20 Apr 2017 23:21:32 +0100
initramfs-tools (0.121~rc1) unstable; urgency=medium
* If initramfs-tools is configured to use busybox but it is not
installed, mkinitramfs will now fail. Previously it would quietly use
klibc instead, sometimes producing a broken initramfs. You may need
to modify /etc/initramfs-tools/initramfs.conf or install busybox when
upgrading.
* Support for loop-aes has been removed. If you use loop-aes encryption
for the root or /usr filesystem, you will need to switch to cryptsetup.
See the 'loop-AES extension' section in cryptsetup(8).
-- Ben Hutchings <ben(a)decadent.org.uk> Tue, 22 Dec 2015 21:56:40 +0000
iputils (3:20150815-1) unstable; urgency=medium
As of 3:20150815-1, the ping and ping6 commands are unified in a single
binary that can communicate with targets of either address family. In
order to force the use of a specific address family, you need to either
pass the argument -4 or -6 on the command line, or call the program via
one of the ping4 or ping6 names.
You will need to be particularly aware of this change if you're invoking ping
via a script as part of a monitoring or other such automated system.
-- Noah Meyerhans <noahm(a)debian.org> Fri, 19 Feb 2016 22:26:30 -0800
libcgi-pm-perl (4.15-1) unstable; urgency=medium
From upstream Changes, 4.15:
- This release removes the AUTOLOAD and compile optimisations from CGI.pm
that were introduced into CGI.pm twenty (20) years ago as a response to
its large size, which meant there was a significant compile time penalty.
[...]
- This essentially deprecates the -compile pragma and ->compile method. The
-compile pragma will no longer do anything, whereas the ->compile method
will raise a deprecation warning. More importantly this also REMOVES the
-any pragma because as per the documentation this pragma needed to be
"used with care or not at all" and allowing arbitrary HTML tags is almost
certainly a bad idea. If you are using the -any pragma and using arbitrary
tags (or have typos in your code) your code will *BREAK*
- Although this release should be back compatible (with the exception of any
code using the -any pragma) you are encouraged to test it thoroughly as if
you are doing anything out of the ordinary with CGI.pm (i.e. have bugs
that may have been masked by the AUTOLOAD feature) you may see some issues.
From upstream Changes, 4.13:
- CGI::Pretty is now DEPRECATED and will be removed in a future release.
Please see GH #162 (https://github.com/leejo/CGI.pm/issues/162) for more
information and discussion (also GH #140 for HTML function deprecation
discussion: https://github.com/leejo/CGI.pm/issues/140)
-- gregor herrmann <gregoa(a)debian.org> Sat, 09 May 2015 22:01:44 +0200
linux-latest (76) unstable; urgency=medium
* From Linux 4.8, several changes have been made in the kernel
configuration to 'harden' the system, i.e. to mitigate security bugs.
Some changes may cause legitimate applications to fail, and can be
reverted by run-time configuration:
- On most architectures, the /dev/mem device can no longer be used to
access devices that also have a kernel driver. This breaks dosemu
and some old user-space graphics drivers. To allow this, set the
kernel parameter: iomem=relaxed
- The kernel log is no longer readable by unprivileged users. To
allow this, set the sysctl: kernel.dmesg_restrict=0
-- Ben Hutchings <ben(a)decadent.org.uk> Sat, 29 Oct 2016 02:05:32 +0100
linux-latest (75) unstable; urgency=medium
* From Linux 4.7, the iptables connection tracking system will no longer
automatically load helper modules. If your firewall configuration
depends on connection tracking helpers, you should explicitly load the
required modules. For more information, see
<https://home.regit.org/netfilter-en/secure-use-of-helpers/>.
-- Ben Hutchings <ben(a)decadent.org.uk> Sat, 29 Oct 2016 01:53:18 +0100
net-tools (1.60+git20161116.90da8a0-1) unstable; urgency=medium
After 15 years without upstream development, net-tools is being worked on
again, fixing many long-standing issues.
The bad news is that the output of many commands has changed, and it is sure
to break scripts that relied on parsing it.
If you have custom scripts that use any of these commands, please make sure
they still work after this upgrade:
netstat, ifconfig, ipmaddr, iptunnel, mii-tool, nameif, plipconfig, rarp,
route, slattach, arp.
Apologies in advance for the trouble that this may cause, but maintaining a
separate version of net-tools just to keep the old format is something I am
not able to do.
-- Martín Ferrari <tincho(a)debian.org> Mon, 26 Dec 2016 05:29:25 +0000
ntp (1:4.2.8p4+dfsg-2) unstable; urgency=medium
You now need to use "rlimit memlock -1" to disable locking memory. The
behaviour for "rlimit memlock 0" changed between 4.2.8p3 and 4.2.8p4 and
it now tries to lock all the memory. But for various people this still
breaks things.
-- Kurt Roeckx <kurt(a)roeckx.be> Thu, 22 Oct 2015 18:58:56 +0200
opendkim (2.11.0~alpha-8) unstable; urgency=medium
On systems using systemd, this version replaces /etc/default/opendkim
with the files /etc/systemd/system/opendkim.service.d/overrride.conf
and /etc/tmpfiles.d/opendkim.conf carrying over non-default settings.
Note: since /etc/default/opendkim is removed if you are using systemd, if
you later switch back to sysvinit, you will have to manually recreate it
if needed.
-- Scott Kitterman <scott(a)kitterman.com> Mon, 07 Nov 2016 12:14:31 -0500
openssh (1:7.4p1-7) unstable; urgency=medium
This version restores the default for AuthorizedKeysFile to search both
~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in
Debian configurations before 1:7.4p1-1. Upstream intends to phase out
searching ~/.ssh/authorized_keys2 by default, so you should ensure that
you are only using ~/.ssh/authorized_keys, at least for critical
administrative access; do not assume that the current default will remain
in place forever.
-- Colin Watson <cjwatson(a)debian.org> Sun, 05 Mar 2017 02:12:42 +0000
openssh (1:7.4p1-1) unstable; urgency=medium
OpenSSH 7.4 includes a number of changes that may affect existing
configurations:
* ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
block ciphers are not safe in 2016 and we don't want to wait until
attacks like SWEET32 are extended to SSH. As 3des-cbc was the only
mandatory cipher in the SSH RFCs, this may cause problems connecting to
older devices using the default configuration, but it's highly likely
that such devices already need explicit configuration for key exchange
and hostkey algorithms already anyway.
* sshd(8): Remove support for pre-authentication compression. Doing
compression early in the protocol probably seemed reasonable in the
1990s, but today it's clearly a bad idea in terms of both cryptography
(cf. multiple compression oracle attacks in TLS) and attack surface.
Pre-auth compression support has been disabled by default for >10
years. Support remains in the client.
* ssh-agent will refuse to load PKCS#11 modules outside a whitelist of
trusted paths by default. The path whitelist may be specified at
run-time.
* sshd(8): When a forced-command appears in both a certificate and an
authorized keys/principals command= restriction, sshd will now refuse
to accept the certificate unless they are identical. The previous
(documented) behaviour of having the certificate forced-command
override the other could be a bit confusing and error-prone.
* sshd(8): Remove the UseLogin configuration directive and support for
having /bin/login manage login sessions.
The unprivileged sshd process that deals with pre-authentication network
traffic is now subject to additional sandboxing restrictions by default:
that is, the default sshd_config now sets UsePrivilegeSeparation to
"sandbox" rather than "yes". This has been the case upstream for a while,
but until now the Debian configuration diverged unnecessarily.
-- Colin Watson <cjwatson(a)debian.org> Tue, 27 Dec 2016 18:01:46 +0000
openssh (1:7.2p1-1) unstable; urgency=medium
OpenSSH 7.2 disables a number of legacy cryptographic algorithms by
default in ssh:
* Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the
rijndael-cbc aliases for AES.
* MD5-based and truncated HMAC algorithms.
These algorithms are already disabled by default in sshd.
-- Colin Watson <cjwatson(a)debian.org> Tue, 08 Mar 2016 11:47:20 +0000
openssh (1:7.1p1-2) unstable; urgency=medium
OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
cryptography.
* Support for the legacy SSH version 1 protocol is disabled by default at
compile time. Note that this also means that the Cipher keyword in
ssh_config(5) is effectively no longer usable; use Ciphers instead for
protocol 2. The openssh-client-ssh1 package includes "ssh1", "scp1",
and "ssh-keygen1" binaries which you can use if you have no alternative
way to connect to an outdated SSH1-only server; please contact the
server administrator or system vendor in such cases and ask them to
upgrade.
* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
disabled by default at run-time. It may be re-enabled using the
instructions at http://www.openssh.com/legacy.html
* Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
default at run-time. These may be re-enabled using the instructions at
http://www.openssh.com/legacy.html
* Support for the legacy v00 cert format has been removed.
Future releases will retire more legacy cryptography, including:
* Refusing all RSA keys smaller than 1024 bits (the current minimum is
768 bits).
* Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc,
all arcfour variants, and the rijndael-cbc aliases for AES.
* MD5-based HMAC algorithms will be disabled by default.
-- Colin Watson <cjwatson(a)debian.org> Tue, 08 Dec 2015 15:33:08 +0000
openssh (1:6.9p1-1) unstable; urgency=medium
UseDNS now defaults to 'no'. Configurations that match against the client
host name (via sshd_config or authorized_keys) may need to re-enable it or
convert to matching against addresses.
-- Colin Watson <cjwatson(a)debian.org> Thu, 20 Aug 2015 10:38:58 +0100
openssl (1.1.0c-3) unstable; urgency=medium
The openssl enc command changed the default digest (used to create the key
from passphrase) from MD5 to SHA256 since the version 1.1.0. The digest can
be specified with the -md option.
-- Sebastian Andrzej Siewior <sebastian(a)breakpoint.cc> Tue, 27 Dec 2016 23:37:36 +0100
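
Added example (not from the openssl package or its NEWS entry): the passphrase-to-key derivation behind openssl enc in the versions this entry covers, run with both default digests, showing why a file encrypted before 1.1.0 only decrypts on 1.1.0 or later when -md md5 is given. Function names, the passphrase and the sample blob are constructed; key and IV sizes assume aes-256-cbc.

```python
import hashlib

MAGIC = b"Salted__"  # header openssl enc writes before the 8-byte salt

def parse_salted(blob):
    """Split an openssl enc output blob into (salt, ciphertext)."""
    if len(blob) < 16 or not blob.startswith(MAGIC):
        raise ValueError("no Salted__ header (unsalted or not openssl enc output)")
    return blob[8:16], blob[16:]

def evp_bytes_to_key(passphrase, salt, digest, key_len=32, iv_len=16):
    """EVP_BytesToKey with an iteration count of 1: each block is
    H(previous_block || passphrase || salt); key and IV are cut from the stream."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]

def candidate_keys(blob, passphrase):
    """Derive key/IV under the pre-1.1.0 (md5) and 1.1.0+ (sha256) default digests."""
    salt, _ = parse_salted(blob)
    return {md: evp_bytes_to_key(passphrase, salt, md) for md in ("md5", "sha256")}

# Constructed sample: header + fixed salt + 16 placeholder ciphertext bytes.
SAMPLE = MAGIC + bytes.fromhex("0102030405060708") + b"\x00" * 16

if __name__ == "__main__":
    # Same passphrase and salt, two different keys: the wrong -md yields garbage.
    for md, (key, iv) in candidate_keys(SAMPLE, b"correct horse").items():
        print(f"-md {md:6}  key={key.hex()}  iv={iv.hex()}")
```
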
pinentry-gtk2 (0.9.6-3) unstable; urgency=medium
Since pinentry-gtk2 0.9.6, upstream now uses the default GTK text
entry widget instead of a custom text-entry widget. The GTK text
entry widget in password mode may display characters while typed based
on the setting of gtk-entry-password-hint-timeout. This value
defaults to 0 (never display), but may be overridden in
/etc/gtk-2.0/gtkrc or ~/.gtkrc-2.0. If your password entry shows the
last character typed, please ensure that this value is not set in your
system's configuration files.
See
https://developer.gnome.org/gtk2/stable/GtkSettings.html#GtkSettings--gtk-e…
and https://bugs.debian.org/801757 for more details.
-- Daniel Kahn Gillmor <dkg(a)fifthhorseman.net> Mon, 19 Oct 2015 20:39:25 -0400
proftpd-dfsg (1.3.5b-3) unstable; urgency=medium
Starting from this version, proftpd works by default in standalone mode at
its first install. It is still possible to use inetd/xinetd mode, but the
admin has to manage that manually by update-inetd or configuring xinetd.
Some information about that is provided in the accompanying doc
/usr/share/doc/proftpd-basic/README.Debian.
-- Francesco Paolo Lovergine <frankie(a)debian.org> Fri, 27 Jan 2017 14:44:31 +0100
systemd (231-1) unstable; urgency=low
This version drops support for running /etc/rcS.d SysV init scripts.
These are prone to cause dependency loops, and almost all Debian packages
with rcS scripts now ship a native systemd service. If you have custom or
third-party rcS scripts you need to convert them or change them to run
in rc2.d/ - rc5.d/; see this page for details:
<https://wiki.debian.org/Teams/pkg-systemd/rcSMigration>.
-- Martin Pitt <mpitt(a)debian.org> Thu, 14 Jul 2016 12:54:34 +0200
systemd (224-2) unstable; urgency=medium
This version splits out systemd-nspawn, systemd-machined, and machinectl
into the new "systemd-container" package. That now also enables
systemd-importd.
-- Martin Pitt <mpitt(a)debian.org> Sat, 22 Aug 2015 15:58:43 +0200
unbound (1.5.7-2) unstable; urgency=medium
The unbound package no longer ships an /etc/default/unbound conffile.
If modified, it will be renamed to /etc/default/unbound.dpkg-bak after
upgrading.
The /etc/default/unbound file, if it exists, will still be read and the
behavior of the package can be modified, but the defaults have been changed
to make it unnecessary for most users to need an /etc/default/unbound
file.
The following variables are still supported by the /etc/default/unbound
file, if it exists:
DAEMON_OPTS
If set, the value of this variable will be appended to the daemon
command-line.
RESOLVCONF
This variable now must be explicitly set to "false" to disable the
unbound package's resolvconf provider. Otherwise, it defaults to
enabled if unset.
In previous versions, this variable had to be explicitly set to "true"
to enable the resolvconf provider, but the /etc/default/unbound file
shipped with it explicitly enabled.
ROOT_TRUST_ANCHOR_FILE
This variable can be explicitly set to override the path used by the
root trust anchor update mechanism for the root trust anchor. Otherwise,
it defaults to /var/lib/unbound/root.key if unset.
ROOT_TRUST_ANCHOR_UPDATE
This variable now must be explicitly set to "false" to disable the root
trust anchor update mechanism. Otherwise, it defaults to enabled if
unset.
In previous versions, this variable had to be explicitly set to "true"
to enable the update mechanism, but the /etc/default/unbound file
shipped with it explicitly enabled.
The following variables are no longer supported by the /etc/default/unbound
file, but were present in previous versions:
UNBOUND_ENABLE
This variable controlled whether or not the init script would start the
Unbound daemon. Instead, use the standard Debian mechanisms for enabling
or disabling a service started by the init system.
RESOLVCONF_FORWARDERS
This variable controlled whether or not the upstream nameservers
supplied by resolvconf were configured into the running Unbound instance
with the "unbound-control forward" command, via a resolvconf update.d
hook.
This mechanism still exists, but the variable controlling it has been
removed. Instead, add or remove the executable bit from the
/etc/resolvconf/update.d/unbound file to enable or disable the hook.
This release also makes the following changes:
The resolvconf update.d hook can be problematic, especially if the
upstream nameservers do not perform DNSSEC validation, or if a
"forward-zone" declaration for the root zone has been statically
configured by the administrator. In previous versions, the hook was
enabled by default, but it is now disabled by default. It can be
explicitly enabled by running "chmod +x /etc/resolvconf/update.d/unbound".
The unbound package now depends on the dns-root-data package, and the root
trust anchor update mechanism has been enhanced to import the root trust
anchor from /usr/share/dns/root.key on new installations, or if the
/usr/share/dns/root.key file is newer than /var/lib/unbound/root.key.
-- Robert Edmonds <edmonds(a)debian.org> Sun, 21 Feb 2016 16:01:33 -0500
fail2ban (0.9.0+git48-gabcab00-1) experimental; urgency=low
[ Yaroslav Halchenko ]
* This version went through a big refactoring which allowed it to gain new
features such as multiline matching (see upstream's changelog for more
information).
* Although .local files are still supported, customizations are advised
to be provided under corresponding .d/ directories. E.g. see
/etc/fail2ban/jail.d/defaults-debian.conf which is where now sshd
jail is enabled by default to match previous behavior of Fail2Ban in
Debian.
[ Daniel Schaal ]
* All jails definitions were rewritten to become more concise and uniform.
From this version on log paths are defined in distro specific files,
for Debian this is in /etc/fail2ban/paths-debian.conf.
-- Yaroslav Halchenko <debian(a)onerussian.com> Tue, 25 Mar 2014 08:38:31 -0400
lsb (9.20150826) unstable; urgency=low
This update drops all lsb-* compatibility packages, and is therefore an
abandonment of the pursuit of LSB compatibility for Debian. Only lsb-release and
lsb-base are kept as they continue to be used throughout the archive.
-- Didier Raboud <odyx(a)debian.org> Wed, 26 Aug 2015 12:00:00 +0200
make-dfsg (4.1-2) unstable; urgency=low
WARNING: Backward-incompatibility!
The ar program in the binutils package in Debian is now configured
with --enable-deterministic-archives. This change makes the archives
reproducible, by setting the UID, GID, and timestamp to 0. However,
when dealing with archives created with the libxx(*.o) style rules,
make needs the timestamp of the file in order to decide to update it
or not. With the current deterministic behavior of ar, the time stamp
is always 0. This has consequences, since make will fall back to always
adding each member to the archive, whether or not it is required. This
is a change in behaviour, and, for instance, it makes make fail to
build, failing 7 out of 10 archive tests.
.
Since binutils will create archive with time stamps set to 0 when
running in "deterministic" mode, make will always try to update such
members. When this is detected, make will emit a warning.
.
There is some online discussion:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798804
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798913
https://bugzilla.redhat.com/show_bug.cgi?id=1195883
-- Manoj Srivastava <srivasta(a)debian.org> Mon, 18 Jan 2016 16:09:19 -0800