Linked by Eugenia Loli on Wed 8th Jun 2005 08:43 UTC, submitted by george
A configuration mistake in the new Debian Linux distribution has forced a fix less than 24 hours after the software was released. "New installs [of Debian 3.1 from CD and DVD] will not get security updates by default," said Debian developer Colin Watson in an e-mail warning. Installations from floppy disks or network servers were not affected.
Nobody's perfect...
by directhex on Wed 8th Jun 2005 08:52 UTC

Kernel 2.6.8.1 eat your heart out!

Advice for Debian Newbies
by James Duncan on Wed 8th Jun 2005 08:53 UTC

Fix for this: The file /etc/apt/sources.list has the line starting #security... The hash at the beginning makes the update server not be used so it needs to be removed.

Re: Advice for Debian Newbies
by Anonymous on Wed 8th Jun 2005 09:07 UTC

And maybe change testing to stable on the same line?

RE: Advice for Debian Newbies
by directhex on Wed 8th Jun 2005 09:09 UTC

Actually, the commented out line (according to cdimage.debian.org) points to testing/updates

The corrected entry in sources.list should read:

deb http://security.debian.org/ stable/updates main contrib non-free

drop the contrib and non-free if you don't use them
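A small check for the default described above, as an added example that is not part of the thread or of Debian's own tooling: it classifies the security.debian.org entry of a sources.list as enabled, commented out or missing, and rewrites a commented "testing/updates" line into the corrected "stable/updates" form. The sample sources.list is constructed to mirror the sarge CD default the thread describes.

```shell
#!/bin/sh
# Added example (not from the thread): audit and repair the security
# entry in an apt sources.list.

# Constructed sample, modelled on the sarge CD default quoted in the thread
SAMPLE_SOURCES='deb cdrom:[Debian GNU/Linux 3.1 r0 _Sarge_ - Official i386 Binary-1]/ unstable contrib main
deb http://ftp.debian.org/debian/ stable main contrib non-free
#deb http://security.debian.org/ testing/updates main contrib non-free'

# Print "enabled", "commented" or "missing" for the security.debian.org line.
# $1 = full sources.list content
security_state() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*deb[[:space:]]+https?://security\.debian\.org/'; then
        echo enabled
    elif printf '%s\n' "$1" | grep -Eq '^[[:space:]]*#+[[:space:]]*deb[[:space:]]+https?://security\.debian\.org/'; then
        echo commented
    else
        echo missing
    fi
}

# Emit the corrected sources.list: strip the leading hash from the
# security line and point it at stable/updates instead of testing/updates.
fix_sources() {
    printf '%s\n' "$1" | sed -E \
        -e '/security\.debian\.org/ s/^[[:space:]]*#+[[:space:]]*//' \
        -e '/security\.debian\.org/ s#testing/updates#stable/updates#'
}

# Stand-alone run: report the state before and after the fix
echo "before: $(security_state "$SAMPLE_SOURCES")"
FIXED_SOURCES="$(fix_sources "$SAMPLE_SOURCES")"
echo "after:  $(security_state "$FIXED_SOURCES")"
```

Run it against a real file with `fix_sources "$(cat /etc/apt/sources.list)"` and review the output before writing it back.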

RE: Advice for Debian Newbies
by martin.k on Wed 8th Jun 2005 10:09 UTC

After 3 years of testing...

Embarrassing
by HiddenWolf on Wed 8th Jun 2005 10:17 UTC

It's day this is a bug both so trivial to fix, easy to notice, and embarrassingly obvious that it should make the Debian release managers hold their heads in shame.

I'd say it's probably caused by the long time everyone has been using sarge. Every devel has probably noticed it, edited the line months ago, and forgot about it.


Not a flame, I love Debian, but this made me laugh.

Impressive
by busfahrer on Wed 8th Jun 2005 10:32 UTC

Really impressive.

One line fix
by psilo on Wed 8th Jun 2005 10:37 UTC

They need to rebuild approximately 14x11 CD images and 2x11 DVD images for a one line fix... there has to be a better way!

Lesson Learned...
by Anonymous on Wed 8th Jun 2005 10:45 UTC

One should not rush a product. They should have taken their time testing this release before letting it go public.

RE: Lesson Learned...
by Anonymous on Wed 8th Jun 2005 11:10 UTC

LOL

Shows that no-one in the release team tested on a clean system
by Anonymous on Wed 8th Jun 2005 11:26 UTC

Whilst you can easily fix the issue by editing sources.list, it's very clear that no-one who was involved in the release of the 14 CDs/2 DVDs actually bothered to install it on a clean system, because they would have seen the problem right away. Hopefully, they'll learn from this mistake and actually install from scratch before their next release.

BTW, this Debian didn't recognise my network card (it's an onboard NIC on an NForce 4 motherboard, which I don't believe is a rare combo), whereas Fedora Core 3 (released last year!) did. A good job I knew it needed the forcedeth driver (which was listed by the Debian installer but only amidst about 50 other NIC drivers), otherwise it could have been game over...

~
by anon on Wed 8th Jun 2005 11:30 UTC

Oh bother, but at least it's not like I'll have to torrent cd1 all over again for a single sources.list entry...

It's fixed ...
by Moulinneuf on Wed 8th Jun 2005 11:31 UTC


"will not get security updates by default"

What? They tried to be like Microsoft Windows XP and ship without security updates? ;-)

Come on Debian! You will have to achieve better than that at the Microsoft Security Test and Release.

First your machine must allow 10 hackers minimum to connect to it at all times, anytime, anywhere...

Second it must allow root kits to install without asking for anything to install...

Third after 15 seconds online you must have had 45 attempts at breaking into the machine from spyware, viruses, and DotBot...

You lazy Debian developers!!!!!

All kidding apart, does anyone know if they already remastered the first DVD and the CD with the software that installs this, and replaced the faulty one on the ftp and elsewhere...?

Luckily it's already known and fixed for most people; they should release a software patch that one can easily apt-get... for those who don't feel like getting a new CD.

Funny thing how *this* made news on many more sites, millions of times faster than the news that it was released...

It serves to show that in GNU/Linux bugs are fixed and told the same day, even when it's a little embarrassing, because security in GNU/Linux is not a joke.

at the boot prompt, type "linux26" to use a 2.6 kernel

or even better, use amd64 debian (amd64.debian.net)

the onboard networking on my new k8t890 amd64 system works fine with sarge.

Quick action from Debian
by digit on Wed 8th Jun 2005 12:44 UTC

Well, there's no harm done, really. The installation images are being fixed and the people downloading or purchasing Sarge later on will get the fixed version. How many security updates do you expect to download one day after the official release date, anyway?

uh
by joe on Wed 8th Jun 2005 12:46 UTC

how about just rolling out a patch or a simple "replace this file with this one" and then fixing it in any point releases...

I love ZDNet's statement:
"Debian is not the only high-profile software project to be forced to fix a dangerous security flaw in short order after the time of release."

a DANGEROUS security flaw.... I would say an oopsy booboo

Heck, the installer used to ask you if you wanted updates and so forth. Run apt-setup and I am sure it will ask you and I would hope enable it.

The fixed images are available
by digit on Wed 8th Jun 2005 13:00 UTC

The good news is that the fixed installation images are already available for download.

http://cdimage.debian.org/debian-cd/3.1_r0a/

Debian tested ????
by carlos on Wed 8th Jun 2005 13:03 UTC
Irony at its best
by WedDa on Wed 8th Jun 2005 13:12 UTC

Debian 3.1 is arguably the least "rushed" OS release in modern computing history. I agree with HiddenWolf, it was probably "fixed" and forgotten a long time ago. There are really no lessons to learn for the Debian team, except that given a good opportunity, the devil will always fart in your face.

That said, I guess everyone installing Deb from CD's where this is REALLY critical will know how to deal with it.

I just had a look at my own customized KANOTIX sources.list on my bastard hybrid unstable/testing/experimental laptop and I do not even have the "deb http://security.debian.org/ stable/updates main contrib non-free" line in there at all, and seem to be doing pretty well anyway :-)

/Andreas

PS. I just hope you can not pick up my IP-number from anywhere and delete all my music collection and pr0n ;-) DS

sucks
by none on Wed 8th Jun 2005 13:14 UTC
RE: It's fixed ...
by WedDa on Wed 8th Jun 2005 13:20 UTC

> Luckily it's already known and fixed for most people; they should release a software patch that one can easily apt-get... for those who don't feel like getting a new CD.

Yeah, why not just put it in "http://security.debian.org/ stable/updates main"?

Hehe.

...

Sorry for that :-)

RE: Irony at its best
by Andrea on Wed 8th Jun 2005 13:24 UTC

/me using unstable (sid)
and I have this:

deb http://security.debian.org/ stable/updates main

mmm it seems I forgot to add contrib and non-free ? :-D

P.S.
Today I launched apt-get dist-upgrade on my sid and then, launching gnome, I saw some packages finally upgraded to 2.10; the top and the bottom bars disappeared...

/me using fluxbox right now...

RE: RE: It's fixed ...
by Andrea on Wed 8th Jun 2005 13:25 UTC

...so mine was ok ?

RE: The fixed images are available
by Federico on Wed 8th Jun 2005 13:26 UTC

> The good news is that the fixed installation images are already available for download.
>
> http://cdimage.debian.org/debian-cd/3.1_r0a/

The bad news is that the iso of the second cd is not downloadable :-)

Debian should have caught this...
by David Pastern on Wed 8th Jun 2005 13:26 UTC

Well Libranet 3 doesn't have any issues here ;-) Firstly, you really shouldn't have 'stable' in your /etc/apt/sources.list, but woody. Same with testing. It should have been entered as sarge. Reasoning? When you get a major new release like this, sarge becomes stable. Not testing. What was the Sid packages becomes testing packages, namely Etch. Sid always stays Sid, and unstable. So - by using testing originally, your updates are going to come from Etch 'testing' and not the Sarge 'stable' that they really should be tracking.

Libranet 3 has the entries in /etc/apt/sources.list correctly named, with security entries as well. And not hashed out.

Debian needs to pay more attention to silly little things like this, although truth be told, it's the sort of thing that's easily missed. The really sad and *bad* thing is that Debian doesn't appear to have anything about this issue on its main page, or the release page for 3.1. That's disgraceful.

Dave

RE: Debian Security
by Cheapskate on Wed 8th Jun 2005 13:32 UTC

Thanks directhex for the info :^)

What's the fuss ...
by MacTO on Wed 8th Jun 2005 14:41 UTC

I noticed a message regarding this "dangerous security flaw" a few hours ago, and really must ask what the fuss is. Unless something has changed in 3.1, you have to manually check for updates. So this one commented out line is a moot point for people who never check for updates.

Not to mention it is easy to fix. While a new Linux user may be scared off by such minor changes, Debian is not the sort of distro I would recommend for someone intimidated by computers. There's always Ubuntu or BeatrIX for that (both based on Debian).

...
by Anonymous on Wed 8th Jun 2005 15:22 UTC

an onboard NIC on an NForce 4 needs 2.6.11 or drivers from nvidia's page

cool debian
by jim on Wed 8th Jun 2005 17:21 UTC

i still think it's a cool desktop.

to me - my opinion debian is like my dad's pick-up truck, where it's not new and not perfect but all in all always runs and runs well.

as for this security thing - screw ups happen all the time.
everybody be cool now.

peace man,

jim

@ HiddenWolf
by helf on Wed 8th Jun 2005 18:16 UTC

umm..

> It's day this is a bug both so trivial to fix, easy to notice, and embarrassingly obvious that it should make the Debian release managers hold their heads in shame.

What did you mean to say in the first part of that sentence? I can't figure it out. Not a flame.. I really want to know ;)

My personal advice
by Anonymous on Wed 8th Jun 2005 22:31 UTC

I always wait at least a month before updating my system to a new version. I had other bad experiences with freebsd 5.x in the past where important bugs were found soon after the release. Normally after some weeks, there is a chance that the most evident bugs are fixed and installation will be painless.

Of course, I will test Sarge later this summer, since this seems to be a very impressive distribution!

Sarge Install
by t3q on Thu 9th Jun 2005 00:29 UTC

This is a minor issue compared to the fact that two installs completely failed with the officially released sarge images so far, one being binary-1, one being netinstall. Although being rather standard, two year old P4 systems, sarge fails to mount /target, find the cdrom, install grub etc., all what woody was able to do on the very same machine without any hiccups...
Even manual workarounds (like mounting /target manually) failed in the end.

This I call a major disappointment, really. Being a debian devotee for years, for the first time I consider moving to fedora (being quite aware that the debian developers are giving a sh*t about that move, and right they are, I could have contributed to fix this madness in advance, which I haven't)...

But still... Sad sad sad...

t.

Good exercise for debian newbies
by n1xt3r on Thu 9th Jun 2005 03:05 UTC

I think this is an excellent exercise for newbies.

Seriously though, I for one am still stoked about the release of sarge and am highly appreciative of the debian team's efforts in making one of the best linux distros ever!

...
by joe on Thu 9th Jun 2005 04:24 UTC

don't have the official sarge release but my cd images from around the middle of may seem just fine, no probs on my p4 system or celeron lapptoppy...
Is this a desktop or a laptop? kind of strange! Which kernel are you trying?
holla back
I have thought about trying to keep woody alive with some needed updates and call it 'everlasting woody' or maybe 'perpetual wood' or something...hmmm...