A configuration mistake in the new Debian Linux distribution has forced a fix less than 24 hours after the software was released. “New installs [of Debian 3.1 from CD and DVD] will not get security updates by default,” said Debian developer Colin Watson in an e-mail warning. Installations from floppy disks or network servers were not affected.
Kernel 2.6.8.1 eat your heart out!
Fix for this: The file /etc/apt/sources.list has the line starting #security… The hash at the beginning stops the update server from being used, so it needs to be removed.
And maybe change testing to stable on the same line?
Actually, the commented out line (according to cdimage.debian.org) points to testing/updates
The corrected entry in sources.list should read:
deb http://security.debian.org/ stable/updates main contrib non-free
Drop the contrib and non-free if you don’t use them.
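An added check for the mistake discussed above (example code, not from the thread or from Debian): it looks for a commented-out security.debian.org entry in a sources.list file, prints the corrected line (hash removed, testing/updates rewritten to stable/updates, as the posts above describe), and writes a corrected copy without touching the original. The sample file contents are constructed for the example.

```shell
#!/bin/sh
# Added example: detect and correct a disabled security source in sources.list.
# The sample sources.list below is constructed; it is not the shipped r0 file.

# Returns 0 if an active (uncommented) security.debian.org line exists, 1 otherwise.
has_security_source() {
    grep -Eq '^[[:space:]]*deb[[:space:]]+http://security\.debian\.org/' "$1"
}

# Prints what the first commented-out security line should become:
# leading '#' removed and 'testing/updates' rewritten to 'stable/updates'.
fixed_security_line() {
    grep -E '^[[:space:]]*#[[:space:]]*deb[[:space:]]+http://security\.debian\.org/' "$1" \
        | head -n 1 \
        | sed -e 's/^[[:space:]]*#[[:space:]]*//' -e 's#testing/updates#stable/updates#'
}

# Writes a corrected copy of the whole file to stdout (original left untouched).
apply_fix() {
    sed \
        -e '/^[[:space:]]*#[[:space:]]*deb[[:space:]][[:space:]]*http:\/\/security\.debian\.org\//s/^[[:space:]]*#[[:space:]]*//' \
        -e '/^deb[[:space:]][[:space:]]*http:\/\/security\.debian\.org\//s#testing/updates#stable/updates#' \
        "$1"
}

# Constructed sample: a mirror line plus the hashed-out security line.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
deb http://ftp.debian.org/debian/ stable main contrib non-free
# deb http://security.debian.org/ testing/updates main contrib non-free
EOF

if has_security_source "$SAMPLE"; then
    echo "security source already enabled"
else
    echo "security source disabled; corrected line would be:"
    fixed_security_line "$SAMPLE"
fi
```

Run `apply_fix /etc/apt/sources.list > /tmp/sources.list.fixed` and inspect the result before copying it into place.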
After 3 years of testing…
It’s day this is a bug both so trivial to fix, easy to notice, and embarrassingly obvious that it should make the Debian release managers hold their heads in shame.
I’d say it’s probably caused by the long time everyone has been using sarge. Every devel has probably noticed it, edited the line months ago, and forgot about it.
Not a flame, I love Debian, but this made me laugh.
Really impressive.
They need to rebuild approximately 14×11 CD images and 2×11 DVD images for a one line fix… there has to be a better way!
One should not rush a product. They should have taken their time testing this release before letting it go public.
LOL
Whilst you can easily fix the issue by editing sources.list, it’s very clear that no-one who was involved in the release of the 14 CDs/2 DVDs actually bothered to install it on a clean system, because they would have seen the problem right away. Hopefully, they’ll learn from this mistake and actually install from scratch before their next release.
BTW, this Debian didn’t recognise my network card (it’s an onboard NIC on an NForce 4 motherboard, which I don’t believe is a rare combo), whereas Fedora Core 3 (released last year!) did. A good job I knew it needed the forcedeth driver (which was listed by the Debian installer but only amidst about 50 other NIC drivers), otherwise it could have been game over…
Oh bother, but at least it’s not like I’ll have to torrent cd1 all over again for a single sources.list entry..
“will not get security updates by default”
What? They tried to be like Microsoft Windows XP and ship without security updates?
Come on Debian! You will have to achieve better than that at the Microsoft Security Test and Release.
First your machine must allow 10 hackers minimum to connect to it at all times, anytime, anywhere…
Second they must allow for root kits to install without asking for anything to install…
Third after 15 seconds online you must have had 45 attempts at breaking into the machine from spyware, viruses, and DotBot…
You lazy Debian developers!!!!!
All kidding apart, anyone know if they already remastered the first DVD and the CD with the software that installs this, and replaced the faulty one on the ftp and elsewhere…?
Luckily it’s already known and fixed for most people, they should release a software patch that one can easily apt-get… For those who don’t feel like getting a new CD
Funny thing how *this* made NEWS on many more sites, a million times faster than the news that it was released…
It serves to show that in GNU/Linux bugs are fixed and told the same day, even when it’s a little embarrassing, because security in GNU/Linux is not a joke.
at the boot prompt, type “linux26” to use a 2.6 kernel
or even better, use amd64 debian (amd64.debian.net)
the onboard networking on my new k8t890 amd64 system works fine with sarge.
Well, there’s no harm done, really. The installation images are being fixed and the people downloading or purchasing Sarge later on will get the fixed version. How many security updates do you expect to download one day after the official release date, anyway?
how about just rolling out a patch or a simple replace this file with this one and then fixing it in any point releases…
I love ZDNET’s statement
“Debian is not the only high-profile software project to be forced to fix a dangerous security flaw in short order after the time of release.”
a DANGEROUS security flaw…. I would say an oopsy booboo
Heck, the installer used to ask you if you wanted updates and so forth. Run apt-setup and I am sure it will ask you and I would hope enable it.
The good news is that the fixed installation images are already available for download.
http://cdimage.debian.org/debian-cd/3.1_r0a/
Debian 3.1 is arguably the least “rushed” OS release in modern computing history. I agree with HiddenWolf, it was probably “fixed” and forgotten a long time ago. There are really no lessons to learn for the Debian team, except that given a good opportunity, the devil will always fart in your face.
That said, I guess everyone installing Deb from CD’s where this is REALLY critical will know how to deal with it.
I just had a look at my own customized KANOTIX sources.list on my bastard hybrid unstable/testing/experimental laptop and I do not even have the “deb http://security.debian.org/ stable/updates main contrib non-free” line in there at all, and seem to be doing pretty well anyway.
/Andreas
PS. I just hope you can not pick up my IP-number from anywhere and delete all me music collection and pr0n. DS
> Luckily it’s already known and fixed for most people, they should release a software patch that one can easily apt-get… For those who don’t feel like getting a new CD
Yeah, why not just put it in “http://security.debian.org/ stable/updates main”?
Hehe.
…
Sorry for that.
/me using unstable (sid)
and I have this:
deb http://security.debian.org/ stable/updates main
Hmm, it seems I forgot to add contrib and non-free?
p.s.
Today I launched apt-get dist-upgrade on my sid and then, launching gnome, I saw some packages upgraded to 2.10 finally; the top and the bottom bars disappeared…
/me using fluxbox right now…
…so mine was ok ?
The good news is that the fixed installation images are already available for download.
http://cdimage.debian.org/debian-cd/3.1_r0a/
The bad news is that the iso of the second cd is not downloadable.
Well, Libranet 3 doesn’t have any issues here. Firstly, you really shouldn’t have ‘stable’ in your /etc/apt/sources.list, but woody. Same with testing. It should have been entered as sarge. Reasoning? When you get a major new release like this, sarge becomes stable. Not testing. What were the Sid packages become testing packages, namely Etch. Sid always stays Sid, and unstable. So – by using testing originally, your updates are going to come from Etch ‘testing’ and not the Sarge ‘stable’ that they really should be tracking.
Libranet 3 has the entries in /etc/apt/sources.list correctly named, with security entries as well. And not hashed out.
Debian needs to pay more attention to silly little things like this, although truth be told, it’s the sort of thing that’s easily missed. The really sad and *bad* thing is that Debian doesn’t appear to have anything about this issue on its main page, or the release page for 3.1. That’s disgraceful.
Dave
Thanks directhex for the info :^)
I noticed a message regarding this “dangerous security flaw” a few hours ago, and really must ask what the fuss is. Unless something has changed in 3.1, you have to manually check for updates. So this one commented out line is a moot point for people who never check for updates.
Not to mention it is easy to fix. While a new Linux user may be scared off by such minor changes, Debian is not the sort of distro I would recommend for someone intimidated by computers. There’s always Ubuntu or BeatrIX for that (both based on Debian).
an onboard NIC on an NForce 4 needs 2.6.11 or drivers from nvidia’s page
i still think it’s a cool desktop.
to me – my opinion debian is like my dad’s pick-up truck, where it’s not new and not perfect but all in all always runs and runs well.
as for this security thing – screw ups happen all the time.
everybody be cool now.
peace man,
jim
umm..
It’s day this is a bug both so trivial to fix, easy to notice, and embarrassingly obvious that it should make the Debian release managers hold their heads in shame.
What did you mean to say in the first part of that sentence? I can’t figure it out. Not a flame.. I really want to know
I always wait at least a month before updating my system with a new version. I had other bad experiences with freebsd 5.x in the past where important bugs were found soon after the release. Normally after some weeks, there is a chance that the most evident bugs are fixed and installation will be painless.
Of course, I will test Sarge later this summer, since this seems to be a very impressive distribution!
This is a minor issue compared to the fact that two installs completely failed with the officially released sarge images so far, one being binary-1, one being netinstall. Although being rather standard, two year old P4 systems, sarge fails to mount /target, find the cdrom, install grub etc., all what woody was able to do on the very same machine without any hiccups…
Even manual workarounds (like mounting /target manually) failed in the end.
This I call a major disappointment, really. Being a debian devotee for years, for the first time I consider moving to fedora (being quite aware that the debian developers are giving a sh*t about that move, and right they are, I could have contributed to fix this madness in advance, which I haven’t)…
But still… Sad sad sad…
t.
I think this is an excellent exercise for newbies.
Seriously though, I for one am still stoked about the release of sarge and am highly appreciative of the debian team’s efforts in making one of the best linux distros ever!
don’t have the official sarge release but my cd images from around the middle of may seem just fine, no probs on my p4 system or celeron lapptoppy…
Is this a desktop or a laptop? kind of strange! Which kernel are you trying?
holla back
I have thought about trying to keep woody alive with some needed updates and call it ‘everlasting woody’ or maybe ‘perpetual wood’ or something…hmmm…