- From: Alexander Gall <>
- To: mc36 <>
- Cc: Xavier Jeannin <>, "" <>
- Subject: Re: [rare-dev] bulk upgrade of the rare packages
- Date: Fri, 22 Jul 2022 10:00:55 +0200
Hi csaba
This is certainly relevant, but we have to distinguish a few things
since we have multiple package collections in play here. The Debian
system that's installed with ONIE (currently Debian 11.0) can (and
should) be maintained like a regular system after installation,
including security updates. The kernel is special, though.
We can move to the newest Debian release for the installer whenever we
create a new release, as long as the kernel is compatible with the
SDE.
On Fri, 22 Jul 2022 08:35:08 +0200, mc36 <> said:
> a lot changed since the release got packages frozen about 2 years ago...
Here you refer to the Nix-based packages, I assume.
> the debian kernel we ship has 2 cves in the past month, one is a local
> root exploit,
This is not directly in the scope of the Nix packages, but an upgrade
of the kernel needs to be reflected there in terms of the SDE's kernel
modules, which is not a problem but requires action on our part.
> the latest simply hard-freeze the box (on poz-onl, type
> /home/rare/CVE-2022-34918/poc)
> the jvm we're shipping also had several cves, one accepts empty ec
> signatures as valid
> (CVE-2022-21449), rendering such signatures are hackable...
In contrast, this is actually part of the Nix package
collection. However, that jvm is used exclusively to run freerouter
and nothing else. How would you assess the impact of this particular
vulnerability for that specific purpose? It doesn't look critical to
me according to the description:
"This vulnerability applies to Java deployments, typically in clients
running sandboxed Java Web Start applications or sandboxed Java
applets, that load and run untrusted code (e.g., code that comes from
the internet) and rely on the Java sandbox for security"
> in the meanwhile, xavier's secops team is examining the images we
> produced...
I would be interested in what their methodology is and whether they
understand the implications of our packaging approach.
> all this points in one direction, it's time to plan for a regular bump of
> the packages we ship....
To re-state what I said above: the packages that are "fixed" are those
used exclusively to (build and) run freerouter, bf_switchd and
bf_forwarder. We have to keep that in mind when we assess the impact
of vulnerabilities.
The system itself can be kept up to date with security fixes
independently of that (again, modulo the kernel).
--
Alex
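The question above about assessing the impact of CVE-2022-21449 for the shipped JVM can be answered empirically for the "accepts empty ec signatures" part. The following is an added self-check, not code from this thread or from the RARE/freerouter project: it asks the running JVM to verify a DER-encoded ECDSA signature whose r and s are both zero. A correct verifier must reject it, since ECDSA requires 1 <= r, s < n; a JVM affected by the CVE reports it as valid. The class name, the choice of secp256r1 and the dummy message are assumptions made for the example and carry no significance.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.ECGenParameterSpec;

/**
 * Added check (not part of the original thread): does this JVM's ECDSA
 * verifier accept an all-zero (r, s) signature as valid?
 */
public class EcdsaZeroSigCheck {

    // DER encoding of SEQUENCE { INTEGER 0, INTEGER 0 }: a signature with r = s = 0.
    static final byte[] ZERO_SIGNATURE = {
        0x30, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00
    };

    /** Returns true if the JVM wrongly accepts the all-zero signature. */
    static boolean jvmAcceptsZeroSignature() throws Exception {
        // Any EC key will do: a correct verifier rejects r = s = 0 regardless of key or message.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1")); // curve choice is an assumption
        KeyPair kp = kpg.generateKeyPair();

        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(kp.getPublic());
        verifier.update("arbitrary message".getBytes(StandardCharsets.UTF_8)); // constructed input
        try {
            return verifier.verify(ZERO_SIGNATURE);
        } catch (SignatureException e) {
            // A fixed JVM may reject the malformed signature with an exception instead of 'false'.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        if (jvmAcceptsZeroSignature()) {
            System.out.println("AFFECTED: all-zero ECDSA signature accepted (CVE-2022-21449)");
        } else {
            System.out.println("OK: all-zero ECDSA signature rejected");
        }
    }
}
```

Run it with the exact JVM that the Nix package collection ships (the one freerouter is started with), not the system's default Java, so the result reflects the binary that is actually deployed. Whether a positive result matters for that deployment then depends on whether freerouter ever verifies ECDSA signatures from peers it does not fully trust (for example in TLS or SSH handshakes); if it does not, the finding is low impact for this specific use, which is the distinction the reply above draws.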