If you are working on packages, make sure the environment is pleasant.

has had two security issues which are now fixed in the packages and will be in the soon to be released v5.9 upstream release.

CVE-2020-15862 is a realisation that EXTEND-MIB is bad because you can run arbitrary commands if you have a write community/user.

CVE-2020-15863 is unsafe symlink handling where you can get the snmpd daemon to write files as root. I'm also updating snmp-mibs-downloader to fix the vector used.

25 Years of Free Software

25 years ago on 24th July 1995 I released my first Free Software program called axdigi.

Time has gone quickly! A lot what was written has fallen away (I completely forgot I wrote ttylinkd for example).

I'm still writing Free Software or Open Source and still enjoy it.

dropbear.xyz/2020/07/25/25-yea

The extend MIB is nasty. I'm not sure what it was supposed to do but I now know what it can do. So for installations at least it will be removed.

Next step will be to fix the code so when you say use this user the program uses that user and not something else some file somewhere decides is a better idea.

The next (maybe next next? There is a security update to do) version of net-snmp for will have TLS and DTLS enabled as well as the transport security model. This means the authentication can be done at the lower layers (e.g. the TLS level) instead of in the SNMP layer.

packages for 5.4.2 jut got uploaded. They will be available from your local mirror soon.

They would have been there a day earlier except I forgot to actually sign and upload them!

5.4.2 is a security release and fixes about 6 security vulnerabilities plus an annoying problem where spammers can use the brief time between sending a spammy comment and it getting deleted.

I've added some autopkgtest test script to check for the version output of in The current versions just report unknown due to a upstream script breakage (which is my fault too).

is very useful facility to check for Debian packages as-installed. It probably has the second-worst documentation in history (the first being sendmail).

If I actually understood it, I'd fix the documentation, but I don't.

The project is planning on holding a mini DebConf online.

This will be "4 days of Debianites working together to improve Debian" and will be totally online like all the cool kids are doing.

It will be 28-31st May 2020, more details at wiki.debian.org/DebianEvents/i

Guess what? have release a new version and its a security fix. There are 6 security bugs fixed, they even have CVE IDs! Much excitement.

Pretty much every version of wordpress is vulnerable except for CVE-2020-11030 because the block editor is new from about WordPress 5.0 or so.

I'll be cooking up the packages this weekend.

packages for 5.4 are now uploaded. Yes, only 2 numbers so it is *not* a security fix, yay!

I can't really see much that is different. They have done some enhancements in the editor and there is a new 2020 theme but other than that, its the same WordPress you know and love (or hate, or both, whatever).

In other ancient package news. I also asked for gjay to be removed. This is a gtk based music sorter that creates playlists. I've not worked on it for four years and needs some major work, so off it goes.

The package just got removed from the archive after I requested it removal. Unfortunately, it is too difficult to maintain in a distribution.

It's a great mud client, it is just a little wild and crazy on its required dependencies.

I've just uploaded the backported packages for for Buster. This fixes all security bugs fixed in WordPress 5.2.3 5.2.4 and 5.3.1 ready for buster.

package for 5.3.2 has just been uploaded. This fixes some important problems introduced in 5.3.1 That version fixed a few security-related bugs, mainly XSS (again).

The update should be available for Debian sid in the next few hours.

Found a curious bug in the package last night. There is a reasonably old security patch for CVE-2017-14990 where the activation key is stored in plaintext for multisite users (normal users it's hashed).

Anyway it's a broken patch because it doesn't decide the user id. Easy to fix but I never used it before.

More sagas with net-snmp. It seems that something in the build process is wrecking the modules, so none of the functions are exposed.

The odd thing is, if I compile it by hand it works fine, so what is messing things up?

net-snmp packages version 5.8-1 just got uploaded. The previous upstream version 5.7.2 has been around for 4 years so this has been a long time coming.

5.8 packages also drop support of python modules, use pysnmp instead as its better in most ways.

Debian packages now should be source only, otherwise they won't make it to bullseye ( the next release).

So the wiki has the flags to add to build source only, so that's all you need to do?

Nope.

debsign and debrelease need to be told too. ( Both with -S)

So the toolchain will create a package that is guaranteed to be rejected using the default setup. The only way to fix it is to use two different sets of options.

After a lot of mucking around I got the laptop looking ok. The conky config says its but it's really .

Show more

πŸ… Craig's choices:

Mastodon on Dropbear

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!