Dotdeb » security

Dotdeb packages are now signed!

Guillaume Plessis — Sun, 11 Jul 2010 15:35:51 +0000

After many requests from several users and after many months of promise, the Dotdeb repositories are GPG-signed. Yes, you can now get rid of the annoying “WARNING: The following packages cannot be authenticated!” message!

Waiting for a dotdeb-keyring package, you just have to get the key and add it to your trusted keys’ keyring :

gpg --keyserver keys.gnupg.net --recv-key 89DF5277
gpg -a --export 89DF5277 | sudo apt-key add -

I hope you’ll enjoy it.

Feel free to Flattr this post at flattr.com, if you like it.

MySQL 5.1.47, a security-focused release, is available

Guillaume Plessis — Tue, 25 May 2010 16:38:01 +0000

MySQL 5.1.47 is now available on Dotdeb for your Lenny servers, in amd64 and i386 flavours.

This is a security-oriented release that fixes some serious flaws… Please read full changelog for more information.

Please also note that the InnoDB plugin has been upgraded to version 1.0.8 and is now considered of General Availability quality. Feel free to use it for a performance boost.

Feel free to Flattr this post at flattr.com, if you like it.

May is the month of PHP security

Guillaume Plessis — Tue, 04 May 2010 12:26:21 +0000

According to Stefan Esser, author of the Suhosin patch, May 2010 will be the “Month of PHP Security” :

This initiative continues the effort of Hardened-PHP’s Month of PHP Bugs in 2007 to improve the security of PHP and the PHP ecosystem by disclosing vulnerabilities in PHP and PHP applications on the one hand and on the other hand by publishing articles and tools that help PHP application developers to develop more secure PHP applications.

You’ll find more information on the MoPS website and you can follow its twitter account to discover each vulnerability as soon as it’s reported.

Feel free to Flattr this post at flattr.com, if you like it.

Etch security support discontinued by Debian on Feb. 15th…

Guillaume Plessis — Wed, 20 Jan 2010 21:33:02 +0000

The Debian security team announced that Debian 4.0 “Etch” security support will be ended on February 15th, 2010 :

Security Support for Debian GNU/Linux 4.0 to be discontinued on
February 15th

One year after the release of Debian GNU/Linux 5.0 alias 'lenny' and
nearly three years after the release of Debian GNU/Linux 4.0 alias
'etch' the security support for the old distribution (4.0 alias
'etch') is coming to an end next month.  The Debian project is proud
to be able to support its old distribution for such a long time and
even for one year after a new version has been released.

The Debian project has released Debian GNU/Linux 5.0 alias 'lenny' on
the 14th of February 2009.  Users and Distributors have been given a
one-year timeframe to upgrade their old installations to the current
stable release.  Hence, the security support for the old release of
4.0 is going to end in February 2010 as previously announced.

Previously announced security updates for the old release will continue
to be available on security.debian.org.

Then, Dotdeb will follow the Debian project and all the Etch packages will be moved to http://archives.dotdeb.org/ on Feb. 15th.

It is now time for you to upgrade your last servers from Etch to Lenny…

What’s next?

I’ll have to prepare the Squeeze release (planned on August 2010). The (early) plans ?

Focus on high quality PHP 5.3 and MySQL 5.1+ packages
More useful tools for your LAMP platforms : Gearman, Maatkit… MariaDB? Drizzle? Wait & see
No more mail-realated packages (Qmail, Vpopmail, Courier, Dovecot, Vqadmin)

Feel free to Flattr this post at flattr.com, if you like it.

MySQL 5.1.41 has been updated to fix a security issue

Guillaume Plessis — Wed, 20 Jan 2010 20:25:13 +0000

I just uploaded new MySQL 5.1.41 packages that fix a remote buffer overflow in MySQL servers that use the embedded YaSSL library :

Lenz Grimmer gives more information about this issue
CVE-2009-4484 has been filled

Since Debian and Dotdeb are impacted, you are strongly encouraged to upgrade your servers.

Feel free to Flattr this post at flattr.com, if you like it.

MySQL 5.0.77 available

Guillaume Plessis — Wed, 18 Feb 2009 16:49:58 +0000

MySQL 5.0.77 packages are now available on Dotdeb for Debian Etch amd64/i386.

This is a maintenance release that fix some annoying bugs and a severe security issue.

Please read the official list of changes in 5.0.77 before upgrading.

Feel free to Flattr this post at flattr.com, if you like it.

PHP 5.2.8 available [update]

Guillaume Plessis — Tue, 09 Dec 2008 12:30:31 +0000

The PHP Group released PHP 5.2.8 this morning to fix the magic_quotes_gpc issue.

If you previously installed PHP 5.2.7-0.dotdeb.1 from Dotdeb and do not care about the version number displayed in your phpinfo(), save your bandwidth, your server is already secure Otherwise, just apt-get upgrade your LAMP stack…

[update] The packages have been upgraded to 5.2.8-0.dotdeb.1 to fix an issue about pcre & utf8.

Feel free to Flattr this post at flattr.com, if you like it.

PHP 5.2.7 updated because magic_quotes_gpc is broken

Guillaume Plessis — Sun, 07 Dec 2008 17:54:36 +0000

Stefan Esser has posted a warning about upgrading PHP to the 5.2.7 release :

(…)a change in the ext/filter extension that by default processes all incoming data, broke the magic_quotes_gpc feature. While magic_quotes_gpc itself is deprecated and it is recommended to not rely on it as protection against SQL injection, it is still used in many legacy applications that become very insecure once it is turned off. And exactly that happens with the upgrade to PHP 5.2.7. The fix for this was already commited to the PHP CVS and PHP 5.2.8 will be released next week.

I just fixed this issue in the Dotdeb packages, just upgrade your servers.

Feel free to Flattr this post at flattr.com, if you like it.