Calling all *nix Admins -PATCH YOUR CRAP-

[donhwyo]

Code:

grep dns       
ii  dnsmasq                                 2.80-1

So dnsmasq is still not getting updated on my Untangle. Is it a problem with apt or has it not yet been uploaded to the repo?

[Xoff]

Thanks a lot for all these informations, they were a great help in my case.
I'm always pleased to have nothing to do
(I'm reassured)

[donhwyo]

Seems apt is working. Two packages were updated since March 4th.

Code:

diff untangleapt2.txt untangleapt.txt
724,725d723
< ii  python-apt                              1.8.4.2                                                        amd64        Python interface to libapt-pkg
< ii  python-apt-common                       1.8.4.2                                                        all          Python interface to libapt-pkg (locales)

Still dnsmasq 2.80-1. Why?

[donhwyo]

Time to add openssl to the things not being updated by apt. Who knows how many others?

Package: openssl (1.1.1d-0+deb10u6) [security]

Code:

[root @ homeuntangle] ~ # dpkg -l |grep openssl
ii  libcrypt-openssl-bignum-perl            0.09-1+b1                                                      amd64        Perl module to access OpenSSL multiprecision integer arithmetic libraries
ii  libcrypt-openssl-random-perl            0.15-1+b1                                                      amd64        module to access the OpenSSL pseudo-random number generator
ii  libcrypt-openssl-rsa-perl               0.31-1+b1                                                      amd64        module for RSA encryption using OpenSSL
ii  openssl                                 1.1.1d-0+deb10u4                                               amd64        Secure Sockets Layer toolkit - cryptographic utility
ii  perl-openssl-defaults:amd64             3                                                              amd64        version compatibility baseline for Perl OpenSSL packages

Untangle claims to be secure because it is based on debian. If it is not kept updated with debian is it still secure? I understand the need to test. I also understand the urgency to update.

So is apt being used, yes. Is it being used as intended?

[donhwyo]

16.3 beta finally updates these and a bunch of other stuff. Why do we need to wait so long to get debian updates? Defeats debian security updates as a security feature.

[sky-knight]

I'm of two minds on the topic...

Rapid automatic updates is great to remediate known issues if and only of the updates come from a trusted source. But that's the rub isn't it? Debian's repos have been victimized before...

Building trust into Untangle's supply chain will require a certain amount of buffer between Untangle released and supported updates and the upstream repos. But where do you put that line?

[donhwyo]

But where do you put that line?

I don't know were the line should be. I understand the need to test against Untangles modifications. I think for such critical updates it needs more priority than it gets now. If it was based on some bleeding edge distro I could see the long delay. Debian is a very conservative stable distro. If they deem it needs to be updated pay attention.

As for trust would bet on debian long before Untangle at this point. Untangle has been based on "old" debian for years. Now it is much closer than it has in the past. A good trend. Only a few months behind. Is that good enough?

As for automatic updates I don't run them on anything. I want to test before applying them. But they usually happen within a week.

[sky-knight]

On non-critical systems like desktops yes. But on servers the game changes, and on a server that will bork the connection everything uses to get updates? How much more so?

Yes... on the DNSMasq patch specifically I feel that should have been faster, because it's left every Untangle in the wild vulnerable to real risk. But, that's the first time to my memory this has happened. Usually Untangle's conservative approach has been to our collective benefit.

Though I no longer know if that benefit is via intent or accident. Which is the largest issue for me.