head 1.151; access; symbols; locks; strict; comment @# @; 1.151 date 2006.03.05.19.09.03; author rse; state Exp; branches; next 1.150; commitid xemgegL9fZ40G1or; 1.150 date 2006.02.19.12.11.48; author rse; state Exp; branches; next 1.149; commitid z0J9KQWUvD0LObmr; 1.149 date 2006.02.18.12.35.24; author rse; state Exp; branches; next 1.148; commitid nJf0J1EVerJQY3mr; 1.148 date 2006.02.18.09.36.51; author rse; state Exp; branches; next 1.147; commitid ixHGHdWjncLAZ2mr; 1.147 date 2005.12.14.20.25.20; author rse; state Exp; branches; next 1.146; commitid OBJvJ3KfAHlBHCdr; 1.146 date 2005.12.03.18.22.15; author rse; state Exp; branches; next 1.145; commitid cqfwCpi3ZZ6inccr; 1.145 date 2005.12.03.13.24.39; author rse; state Exp; branches; next 1.144; commitid jJpBlZDXmyAcJacr; 1.144 date 2005.12.03.12.38.22; author rse; state Exp; branches; next 1.143; commitid 6vzWJXRQtbzjtacr; 1.143 date 2005.10.19.09.20.04; author openpkg; state Exp; branches; next 1.142; 1.142 date 2005.10.17.16.11.22; author rse; state Exp; branches; next 1.141; 1.141 date 2005.09.10.15.14.37; author rse; state Exp; branches; next 1.140; 1.140 date 2005.09.06.13.27.25; author rse; state Exp; branches; next 1.139; 1.139 date 2005.09.05.16.11.13; author rse; state Exp; branches; next 1.138; 1.138 date 2005.09.05.13.52.22; author rse; state Exp; branches; next 1.137; 1.137 date 2005.07.28.12.09.46; author thl; state Exp; branches; next 1.136; 1.136 date 2005.07.28.11.11.43; author rse; state Exp; branches; next 1.135; 1.135 date 2005.07.28.07.54.36; author openpkg; state Exp; branches; next 1.134; 1.134 date 2005.07.08.13.50.54; author rse; state Exp; branches; next 1.133; 1.133 date 2005.06.23.18.39.47; author openpkg; state Exp; branches; next 1.132; 1.132 date 2005.06.22.16.00.08; author ms; state Exp; branches; next 1.131; 1.131 date 2005.06.22.08.25.25; author thl; state Exp; branches; next 1.130; 1.130 date 2005.06.21.16.46.31; author ms; state Exp; branches; next 1.129; 1.129 date 2005.06.11.16.41.33; author ms; state Exp; branches; next 1.128; 1.128 date 2005.04.20.15.36.41; author rse; state Exp; branches; next 1.127; 1.127 date 2005.04.20.11.30.05; author ms; state Exp; branches; next 1.126; 1.126 date 2005.02.24.15.55.52; author rse; state Exp; branches; next 1.125; 1.125 date 2005.01.17.12.38.19; author rse; state Exp; branches; next 1.124; 1.124 date 2005.01.11.15.10.01; author rse; state Exp; branches; next 1.123; 1.123 date 2005.01.11.14.58.04; author thl; state Exp; branches; next 1.122; 1.122 date 2004.12.17.16.01.47; author thl; state Exp; branches; next 1.121; 1.121 date 2004.12.16.21.00.58; author thl; state Exp; branches; next 1.120; 1.120 date 2004.12.15.16.53.28; author thl; state Exp; branches; next 1.119; 1.119 date 2004.11.29.15.35.08; author thl; state Exp; branches; next 1.118; 1.118 date 2004.11.29.14.51.12; author thl; state Exp; branches; next 1.117; 1.117 date 2004.10.20.08.08.54; author thl; state Exp; branches; next 1.116; 1.116 date 2004.10.15.15.40.30; author rse; state Exp; branches; next 1.115; 1.115 date 2004.10.14.15.25.04; author thl; state Exp; branches; next 1.114; 1.114 date 2004.10.13.06.58.31; author thl; state Exp; branches; next 1.113; 1.113 date 2004.09.15.12.55.56; author rse; state Exp; branches; next 1.112; 1.112 date 2004.09.13.13.40.57; author rse; state Exp; branches; next 1.111; 1.111 date 2004.08.15.10.17.53; author rse; state Exp; branches; next 1.110; 1.110 date 2004.08.04.14.00.16; author thl; state Exp; branches; next 1.109; 1.109 date 2004.07.22.14.34.44; author thl; state Exp; branches; next 1.108; 1.108 date 2004.07.20.07.59.49; author thl; state Exp; branches; next 1.107; 1.107 date 2004.07.20.07.04.14; author thl; state Exp; branches; next 1.106; 1.106 date 2004.07.08.13.14.44; author thl; state Exp; branches; next 1.105; 1.105 date 2004.07.06.14.04.55; author thl; state Exp; branches; next 1.104; 1.104 date 2004.06.11.14.43.17; author thl; state Exp; branches; next 1.103; 1.103 date 2004.06.11.12.08.07; author thl; state Exp; branches; next 1.102; 1.102 date 2004.06.11.08.12.38; author thl; state Exp; branches; next 1.101; 1.101 date 2004.06.05.11.33.51; author rse; state Exp; branches; next 1.100; 1.100 date 2004.05.21.16.06.26; author thl; state Exp; branches; next 1.99; 1.99 date 2004.05.19.21.03.24; author rse; state Exp; branches; next 1.98; 1.98 date 2004.05.19.19.47.41; author rse; state Exp; branches; next 1.97; 1.97 date 2004.05.12.13.19.09; author thl; state Exp; branches; next 1.96; 1.96 date 2004.05.07.20.03.20; author openpkg-cvs; state Exp; branches; next 1.95; 1.95 date 2004.05.05.13.18.55; author openpkg-cvs; state Exp; branches; next 1.94; 1.94 date 2004.05.03.08.42.55; author openpkg-cvs; state Exp; branches; next 1.93; 1.93 date 2004.04.29.20.04.07; author thl; state Exp; branches; next 1.92; 1.92 date 2004.04.19.08.06.35; author thl; state Exp; branches; next 1.91; 1.91 date 2004.04.15.18.09.53; author rse; state Exp; branches; next 1.90; 1.90 date 2004.04.07.16.24.59; author ms; state Exp; branches; next 1.89; 1.89 date 2004.04.07.12.45.54; author thl; state Exp; branches; next 1.88; 1.88 date 2004.04.05.12.56.08; author thl; state Exp; branches; next 1.87; 1.87 date 2004.04.05.12.48.29; author thl; state Exp; branches; next 1.86; 1.86 date 2004.04.01.21.01.13; author thl; state Exp; branches; next 1.85; 1.85 date 2004.03.18.10.02.38; author thl; state Exp; branches; next 1.84; 1.84 date 2004.03.12.14.45.10; author thl; state Exp; branches; next 1.83; 1.83 date 2004.03.09.14.43.35; author thl; state Exp; branches; next 1.82; 1.82 date 2004.03.08.14.09.51; author thl; state Exp; branches; next 1.81; 1.81 date 2004.03.05.16.07.14; author ms; state Exp; branches; next 1.80; 1.80 date 2004.02.27.14.59.15; author thl; state Exp; branches; next 1.79; 1.79 date 2004.02.25.09.26.00; author thl; state Exp; branches; next 1.78; 1.78 date 2004.01.16.12.43.44; author thl; state Exp; branches; next 1.77; 1.77 date 2004.01.08.08.03.57; author thl; state Exp; branches; next 1.76; 1.76 date 2003.12.17.11.59.24; author rse; state Exp; branches; next 1.75; 1.75 date 2003.12.04.15.21.12; author thl; state Exp; branches; next 1.74; 1.74 date 2003.11.28.11.21.06; author thl; state Exp; branches; next 1.73; 1.73 date 2003.11.25.13.37.59; author thl; state Exp; branches; next 1.72; 1.72 date 2003.10.30.10.48.39; author rse; state Exp; branches; next 1.71; 1.71 date 2003.10.28.14.46.56; author thl; state Exp; branches; next 1.70; 1.70 date 2003.10.19.07.16.29; author thl; state Exp; branches; next 1.69; 1.69 date 2003.09.30.12.47.11; author thl; state Exp; branches; next 1.68; 1.68 date 2003.09.24.08.09.34; author thl; state Exp; branches; next 1.67; 1.67 date 2003.09.24.08.08.10; author thl; state Exp; branches; next 1.66; 1.66 date 2003.09.19.08.14.36; author rse; state Exp; branches; next 1.65; 1.65 date 2003.09.17.06.59.37; author thl; state Exp; branches; next 1.64; 1.64 date 2003.09.16.10.21.12; author rse; state Exp; branches; next 1.63; 1.63 date 2003.09.15.13.27.23; author thl; state Exp; branches; next 1.62; 1.62 date 2003.09.15.11.33.39; author thl; state Exp; branches; next 1.61; 1.61 date 2003.08.28.08.37.00; author rse; state Exp; branches; next 1.60; 1.60 date 2003.08.06.15.26.42; author thl; state Exp; branches; next 1.59; 1.59 date 2003.08.06.13.07.50; author thl; state Exp; branches; next 1.58; 1.58 date 2003.08.05.08.47.06; author thl; state Exp; branches; next 1.57; 1.57 date 2003.08.04.09.12.56; author thl; state Exp; branches; next 1.56; 1.56 date 2003.07.10.14.22.48; author thl; state Exp; branches; next 1.55; 1.55 date 2003.07.10.09.54.16; author thl; state Exp; branches; next 1.54; 1.54 date 2003.07.07.13.48.08; author thl; state Exp; branches; next 1.53; 1.53 date 2003.06.11.11.04.36; author rse; state Exp; branches; next 1.52; 1.52 date 2003.06.03.12.11.24; author thl; state Exp; branches; next 1.51; 1.51 date 2003.05.16.09.39.04; author rse; state Exp; branches; next 1.50; 1.50 date 2003.04.07.15.30.36; author rse; state Exp; branches; next 1.49; 1.49 date 2003.03.30.12.09.22; author rse; state Exp; branches; next 1.48; 1.48 date 2003.03.20.20.17.31; author rse; state Exp; branches; next 1.47; 1.47 date 2003.03.20.16.21.59; author rse; state Exp; branches; next 1.46; 1.46 date 2003.03.18.15.55.42; author rse; state Exp; branches; next 1.45; 1.45 date 2003.03.18.15.38.30; author rse; state Exp; branches; next 1.44; 1.44 date 2003.03.18.15.26.42; author rse; state Exp; branches; next 1.43; 1.43 date 2003.03.18.10.12.57; author rse; state Exp; branches; next 1.42; 1.42 date 2003.03.14.21.17.45; author rse; state Exp; branches; next 1.41; 1.41 date 2003.03.04.15.37.39; author thl; state Exp; branches; next 1.40; 1.40 date 2003.03.04.13.06.10; author mlelstv; state Exp; branches; next 1.39; 1.39 date 2003.03.04.10.26.04; author rse; state Exp; branches; next 1.38; 1.38 date 2003.02.19.15.29.15; author rse; state Exp; branches; next 1.37; 1.37 date 2003.02.19.13.48.07; author thl; state Exp; branches; next 1.36; 1.36 date 2003.02.18.15.13.05; author thl; state Exp; branches; next 1.35; 1.35 date 2003.02.18.15.03.24; author ms; state Exp; branches; next 1.34; 1.34 date 2003.02.18.11.43.05; author openpkg; state Exp; branches; next 1.33; 1.33 date 2003.01.29.12.01.17; author thl; state Exp; branches; next 1.32; 1.32 date 2003.01.23.13.36.58; author thl; state Exp; branches; next 1.31; 1.31 date 2003.01.22.16.04.53; author thl; state Exp; branches; next 1.30; 1.30 date 2003.01.22.13.12.54; author rse; state Exp; branches; next 1.29; 1.29 date 2003.01.22.13.01.31; author thl; state Exp; branches; next 1.28; 1.28 date 2003.01.21.13.49.01; author thl; state Exp; branches; next 1.27; 1.27 date 2003.01.20.20.11.47; author thl; state Exp; branches; next 1.26; 1.26 date 2003.01.16.14.25.53; author thl; state Exp; branches; next 1.25; 1.25 date 2002.12.19.10.52.43; author rse; state Exp; branches; next 1.24; 1.24 date 2002.12.17.16.24.44; author rse; state Exp; branches; next 1.23; 1.23 date 2002.11.29.10.12.50; author rse; state Exp; branches; next 1.22; 1.22 date 2002.10.23.12.24.14; author rse; state Exp; branches; next 1.21; 1.21 date 2002.10.04.19.47.18; author rse; state Exp; branches; next 1.20; 1.20 date 2002.08.27.13.02.32; author ms; state Exp; branches; next 1.19; 1.19 date 2002.08.23.12.52.15; author rse; state Exp; branches; next 1.18; 1.18 date 2002.07.04.14.16.28; author rse; state Exp; branches; next 1.17; 1.17 date 2002.06.26.20.34.37; author rse; state Exp; branches; next 1.16; 1.16 date 2002.06.19.16.02.57; author rse; state Exp; branches; next 1.15; 1.15 date 2002.03.12.20.32.27; author rse; state Exp; branches; next 1.14; 1.14 date 2002.03.12.18.29.59; author rse; state Exp; branches; next 1.13; 1.13 date 2002.03.08.09.26.38; author rse; state Exp; branches; next 1.12; 1.12 date 2002.01.31.17.29.41; author rse; state Exp; branches; next 1.11; 1.11 date 2002.01.31.15.05.27; author rse; state Exp; branches; next 1.10; 1.10 date 2002.01.31.15.00.24; author rse; state Exp; branches; next 1.9; 1.9 date 2002.01.31.13.17.03; author rse; state Exp; branches; next 1.8; 1.8 date 2002.01.31.12.15.50; author rse; state Exp; branches; next 1.7; 1.7 date 2002.01.12.11.45.49; author rse; state Exp; branches; next 1.6; 1.6 date 2001.12.05.09.03.30; author rse; state Exp; branches; next 1.5; 1.5 date 2001.11.27.11.47.42; author rse; state Exp; branches; next 1.4; 1.4 date 2001.11.26.19.34.47; author rse; state Exp; branches; next 1.3; 1.3 date 2001.11.25.13.53.32; author rse; state Exp; branches; next 1.2; 1.2 date 2001.11.23.16.16.05; author rse; state Exp; branches; next 1.1; 1.1 date 2001.10.05.12.48.34; author rse; state Exp; branches; next ; desc @@ 1.151 log @link Tar SA into website @ text @ #use "page.inc" page=security Security

Security

OpenPKG takes security very seriously. Experience has shown that security through obscurity does not work. Rather, public disclosure allows for more rapid and better solutions to security problems. This page addresses OpenPKG's state of security with respect to the problems which could potentially affect an OpenPKG installation.

Reporting of Incidents

Your notifications of security incidents should be reported to openpkg-security@@openpkg.org. Expect to be requested by the Petidomo robot to send back a confirmation mail before your notification is actually delivered to the OpenPKG team. The Petidomo protection logic will not interfere with your concern, as the reaction time is particularly fast.

Note: all reports unrelated to security sent to the above address are silently ignored.

Security Policies

The OpenPKG project provides security advisories (SAs) and updated SRPMs (UPDs) for packages of CORE+BASE class that belong to either According to this policy, security advisories and updated SRPMs are now being issued for Older releases are not maintained and therefore users are strongly encouraged to upgrade to one of the supported releases mentioned above. Like all development efforts, security corrections are first committed to the OpenPKG-CURRENT branch. After adequate testing, the fix is retrofitted to the supported OpenPKG-STABLE and OpenPKG-SOLID branch(es).

Security advisories are sent out by the OpenPKG project to openpkg-announce@@openpkg.org and bugtraq@@securityfocus.com. You are strongly advised to at least subscribe to the moderated mailing list openpkg-announce@@openpkg.org.

Security Advisories

The complete list of OpenPKG security advisories follows:

[OpenPKG-SA-%0]   %1   (HTML, TXT)

Digital Signatures

The OpenPKG project uses GnuPG and OpenPGP digital signatures to sign security advisories and the associated SRPMs of official OpenPKG releases.

In order to verify the digital signature of any security advisory or RPM files, follow these steps:

  1. OpenPKG 2.x

    OpenPKG 2.x has the capability to check signed packages using built-in cryptographic tools. The OpenPKG OpenPGP public key is preinstalled and appears as if it were a package. To verify RPM files, nothing more is needed. Separate OpenPGP cryptography software is needed when verifying security advisory texts or to sign packages, however.

  2. Install GnuPG Software

    GnuPG is the preferred tool for working with OpenPGP. We recommend installing the OpenPKG gnupg package from the OpenPKG package repository. Alternatively, you can fetch it from its official homepage http://www.gnupg.org/ and then build and install it manually. Make sure the program gpg is in your $PATH. If you installed it via OpenPKG under prefix you can simply use eval `prefix/etc/rc --eval openpkg env` to accomplish this.

  3. Import the OpenPKG OpenPGP public key

    You can import the OpenPGP public key of "OpenPKG <openpkg@@openpkg.org>" into your key ring in one of the following ways:

  4. Verify the integrity of the imported OpenPKG public key

    You should always make sure the imported key is the correct one by at least verifying its fingerprint. To verify the imported key's fingerprint, run the following command:

    $ gpg --fingerprint openpkg

    Ensure that it prints the following fingerprint text:

    6D96 EFCF CF75 3288 10DB   40C2 8075 93E0 63C4 CB9F

  5. Verify the security advisory or distribution files

    After building and installing GnuPG and integrating the OpenPKG public key, the integrity and authenticity of OpenPKG security advisories and RPM files may be verified.

@ 1.150 log @link SAs into website @ text @d93 1 @ 1.149 log @link OpenSSH SA into website @ text @d93 2 @ 1.148 log @link SAs into website @ text @d93 1 @ 1.147 log @link latest SAs into website @ text @d93 2 @ 1.146 log @link PHP SA into website @ text @d93 2 @ 1.145 log @add Perl SA to website @ text @d93 2 @ 1.144 log @add MySQL SA into website @ text @d93 1 @ 1.143 log @update website for OpenPKG 2.5 @ text @d93 2 @ 1.142 log @link OpenSSL SA into website @ text @d58 1 a59 1
  • OpenPKG 2.3 CORE+BASE class packages
  • @ 1.141 log @link squid SA into website @ text @d93 1 @ 1.140 log @link OpenSSH SA into website @ text @d93 2 @ 1.139 log @link SA into website @ text @d93 1 @ 1.138 log @link into website @ text @d93 1 @ 1.137 log @SA-2005.016-fetchmail; CAN-2005-2335 @ text @d93 1 @ 1.136 log @link spamassassin SA into website @ text @d93 1 @ 1.135 log @SA-2005.014-zlib; CAN-2005-1849 @ text @d93 1 @ 1.134 log @link zlib SA into website @ text @d93 1 @ 1.133 log @link in OpenPKG-SA-2005.011-shtool and OpenPKG-SA-2005.012-sudo @ text @d93 1 @ 1.132 log @remove table of contents header to merge with main security secition, and introduce small refinements @ text @d93 2 @ 1.131 log @shift security support towards 2.4 and 2.3, dropping 2.2 @ text @a15 4

    Page Contents

    d18 1 a18 2
  • Page Contents
  • Security Incident Notifications
  • d25 1 a25 1

    Security Incident Notifications

    @ 1.130 log @first phase of security web pages edition @ text @d63 1 a64 1
  • OpenPKG 2.2 CORE+BASE class packages
  • @ 1.129 log @link new cvs, bzip2, gzip, and openpkg SAs into website @ text @d6 1 d8 7 d16 12 a27 5 OpenPKG takes security very seriously. Experience has shown that "security through obscurity" does not work. Public disclosure allows for more rapid and better solutions to security problems. In that vein, this page addresses OpenPKG's status with respect to various known security holes, which could potentially affect OpenPKG. d29 1 d31 1 d35 1 a35 1 Notification of security incidents should be reported to

    Security Advisories

    d51 2 a52 2 The OpenPKG project provides security advisories and updated SRPMs for packages of CORE+BASE class that belong to either d59 2 a60 2 Following this policy, at this time, security advisories and updated SRPMs are being issued for d67 5 a71 5 Older releases are not maintained and users are strongly encouraged to upgrade to one of the supported releases mentioned above. Like all development efforts, security fixes are first brought into the OpenPKG-CURRENT branch. After a some testing, the fix is retrofitted into the supported OpenPKG-STABLE and OpenPKG-SOLID branch(es). d74 8 a81 6 Security Advisories are sent out by the OpenPKG project to
    openpkg-announce@@openpkg.org and bugtraq@@securityfocus.com. You are strongly advised to at least subscribe to the moderated mailing list openpkg-announce@@openpkg.org. d84 1 a84 1 The complete list of OpenPKG Security Advisories follow: d240 4 a243 5 The OpenPKG project uses GnuPG and OpenPGP digital signatures to sign security advisories (see above) and the distribution files (*.rpm) of official OpenPKG releases. d246 2 a247 1 In order to verify the digital signatures, follow these steps: d252 1 a252 1 OpenPKG 2.x has the capability to check signed packages with built-in d254 3 a256 3 appears as if it were a package. OpenPGP is only necessary to verify things different from packages, i.e. an advisory text, or to sign packages. d258 1 a258 1
  • Install GnuPG d260 9 a268 9 This is the preferred tool for working with OpenPGP. We recommend you to install it by using the OpenPKG gnupg package. Alternatively you can fetch it from its official homepage http://www.gnupg.org/ and build/install it manually. Then make sure the program gpg is in your $PATH. If you installed it via OpenPKG under prefix you can simply use eval `prefix/etc/rc --eval openpkg env` for this. d270 1 a270 1
  • Import the OpenPKG's OpenPGP public key d272 2 a273 3 You can import the OpenPGP public key of "OpenPKG <openpkg@@openpkg.org>" into your key-ring in one of the following ways: d285 3 a287 3 You always should make sure the imported key is the correct one by verifying at least its fingerprint. For this, run the following command: d291 1 a291 1 Make sure it prints the following fingerprint: d299 3 a301 2 Now you are ready to verify the integrity and authentication of an OpenPKG security advisory or an OpenPKG RPM distribution file. d306 2 a307 2 To verify a security advisory, just pipe the message through the following command: d309 1 a309 1 $ gpg --verify d311 1 a311 1 Make sure it successfully responds with d319 2 a320 2 you can be sure the message was tampered with or not provided by the OpenPKG project. d322 1 a322 1
  • RPM Distribution File Verification d324 1 a324 1 To verify a RPM file name.rpm (both source or d327 1 a327 1 $ rpm -v --checksig name.rpm d329 1 a329 1 Make sure it successfully responds with: d331 11 a341 8 name.rpm: md5 gpg OK

    If instead it responds with (or something else):

    name.rpm: md5 GPG NOT OK

    you can be sure the RPM was tampered with or not provided as a released part of the OpenPKG project. @ 1.128 log @add mysql SA @ text @d78 4 @ 1.127 log @link in forgotten published SAs @ text @d78 1 @ 1.126 log @update website for OpenPKG 2.3 release @ text @d78 2 @ 1.125 log @link SAs into website @ text @d45 1 a46 1

  • OpenPKG 2.1 CORE+BASE class packages
  • @ 1.124 log @link SAs into website @ text @d78 2 @ 1.123 log @SA-2005.001-perl; CAN-2004-0452, CAN-2004-0976 @ text @d79 2 @ 1.122 log @SA-2004.054-samba; CAN-2004-0882, CAN-2004-0930, CAN-2004-1154 @ text @d78 1 @ 1.121 log @SA-2004.053-php; CAN-2004-1018, CAN-2004-1018, CAN-2004-1019, CAN-2004-1020, CAN-2004-1063, CAN-2004-1064, CAN-2004-1065 @ text @d78 1 @ 1.120 log @SA-2004.052-vim; CAN-2004-1138 @ text @d78 1 @ 1.119 log @SA-2004.051-imapd; CAN-2004-1011, CAN-2004-1012, CAN-2004-1013, CAN-2004-1015 and more @ text @d78 1 @ 1.118 log @commit SAs to CVS which previously appeared through direct web site editing @ text @d78 1 @ 1.117 log @update security overview for OpenPKG 2.2 @ text @d78 6 @ 1.116 log @link mod_ssl SA to website @ text @d45 1 a46 1
  • OpenPKG 2.0 CORE+BASE class packages
  • @ 1.115 log @SA-2004.043-tiff; CAN-2004-0803, CAN-2004-0886 @ text @d78 3 a80 2 @ 1.114 log @remove traces of inactive bugdb @ text @d78 2 @ 1.113 log @link latest SAs to website @ text @d27 1 a27 2 silently ignored. They should be sent to openpkg-bugdb@@openpkg.org instead. @ 1.112 log @link kerberos SA to website @ text @d79 2 @ 1.111 log @flush @ text @d79 2 @ 1.110 log @SA-2004.035-png; CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 @ text @d79 2 @ 1.109 log @SA-2004.034-php; CAN-2004-0594, CAN-2004-0595 @ text @d79 1 @ 1.108 log @link in OpenPKG-SA-2004.032-apache @ text @d79 2 @ 1.107 log @release OpenPKG 2.1 web pages @ text @d79 1 @ 1.106 log @SA-2004.031-dhcpd; CAN-2004-0460, CAN-2004-0461 @ text @d46 1 a47 1
  • OpenPKG 1.3 CORE+BASE class packages
  • d196 1 a196 1
  • OpenPKG 2.0 d198 1 a198 1 OpenPKG 2.0 has the capability to check signed packages with built-in @ 1.105 log @SA-2004.030-png; CAN-2002-1363 @ text @d79 1 @ 1.104 log @SA-2004.029-apache; CAN-2004-0492 @ text @d79 1 @ 1.103 log @SA-2004.028-subversion; CAN-2004-0413 @ text @d79 1 @ 1.102 log @OpenPKG-SA-2004.027-cvs, CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418 @ text @d79 1 @ 1.101 log @add missing entry @ text @d79 1 @ 1.100 log @SA-2004.025-rsync; CAN-2004-0426 @ text @d79 1 @ 1.99 log @link Neon SA into website @ text @d79 1 @ 1.98 log @link CVS and Subversion SAs into website @ text @d79 1 @ 1.97 log @link in SA-2004.021-apache @ text @d79 2 @ 1.96 log @add 2004.020-ssmtp @ text @d79 1 @ 1.95 log @SA-2004.019-kolab @ text @d79 1 @ 1.94 log @link in SA-2004.018-proftpd @ text @d79 1 @ 1.93 log @SA-2004.017-png @ text @d79 1 @ 1.92 log @link in OpenPKG-SA-2004.015-ethereal and OpenPKG-SA-2004.016-neon @ text @d79 1 @ 1.91 log @add missing SAs @ text @d79 2 @ 1.90 log @publish OpenPKG-SA-2004.010-tcpdump @ text @d79 3 @ 1.89 log @SA-2004.011-sharutils @ text @d80 1 @ 1.88 log @remove superflous dash @ text @d79 1 @ 1.87 log @SA-2004.009-mc; CAN-2003-1023 @ text @d79 1 a79 1 @ 1.86 log @make SA-2004.008-squid visible @ text @d79 1 @ 1.85 log @SA-2004.007-openssl; CAN-2004-0079, CAN-2004-0112 @ text @d79 1 @ 1.84 log @SA-2004.006-uudeview @ text @d79 1 @ 1.83 log @SA-2004.005-mutt; CAN-2004-0078 @ text @d79 1 @ 1.82 log @OpenPKG-SA-2004.004-libtool @ text @d79 1 @ 1.81 log @SA-2004.003-libxml (CAN-2004-0110) @ text @d79 1 @ 1.80 log @fix typos and point out the importance of package classes @ text @d79 1 @ 1.79 log @flush pending updates for OpenPKG 2.0 @ text @d34 2 a35 2 The OpenPKG project provide security advisories for the following releases of OpenPKG: d38 2 a39 2
  • The most recent official release of OpenPKG.
  • The predecessor of the most recent release. d42 2 a43 2 Following this policy, at this time, security advisories are being released for CORE and BASE class packages of: d46 2 a47 2
  • OpenPKG 2.0
  • OpenPKG 1.3 d53 2 a54 2 After a couple of days and some testing, the fix is retrofitted into the supported OpenPKG-STABLE and OpenPKG-SOLID branch(es). d254 2 a255 2 you can be sure the RPM was tampered with or not provided by the OpenPKG project. @ 1.78 log @SA-2004.002-tcpdump; CAN-2002-0380, CAN-2002-1350, CAN-2003-0108, CAN-2003-0989, CAN-2003-1029, CAN-2004-0055, CAN-2004-0057 @ text @d46 1 a47 1
  • OpenPKG 1.2 d167 8 d179 1 a179 1 href="ftp://ftp.openpkg.org/release/1.3/SRC/gnupg-1.2.2-1.3.0.src.rpm"> @ 1.77 log @SA-2004.001-inn @ text @d79 1 @ 1.76 log @link in SA lftp and SA cvs @ text @d79 1 @ 1.75 log @SA-2003.051-rsync; CAN-2003-0962 @ text @d79 2 @ 1.74 log @SA-2003.050-screen @ text @d79 1 @ 1.73 log @SA-2003.049-zebra; CAN-2003-0795, CAN-2003-0858 @ text @d79 1 @ 1.72 log @link in PostgreSQL security advisory @ text @d79 2 @ 1.71 log @SA-2003.046-apache; CAN-2003-0542 @ text @d79 1 @ 1.70 log @SA-2003.045-ircd; CAN-2003-0864 @ text @d79 1 @ 1.69 log @SA-2003.044-openssl; CAN-2003-0543, CAN-2003-0544, CAN-2003-0545 @ text @d79 1 @ 1.68 log @SA-2003.043-proftpd; CAN unknown @ text @d79 1 @ 1.67 log @SA-2003.042-openssh; CAN-2003-0786, CAN-2003-0787 @ text @d79 1 @ 1.66 log @link Sendmail SA into website @ text @d79 1 @ 1.65 log @SA-2003.040-openssh; CAN-2003-0693 @ text @d79 1 @ 1.64 log @flush pending changes @ text @d79 1 @ 1.63 log @SA-2003.039-perl; CAN-2003-0615 @ text @d79 1 a79 1 @ 1.62 log @SA-2003.038-mysql; CAN-2003-0780 @ text @d79 1 @ 1.61 log @link Sendmail SA into website @ text @d79 1 @ 1.60 log @OpenPKG-SA-2003.036-perl-www; CAN-2003-0615 @ text @d79 1 @ 1.59 log @OpenPKG-SA-2003.035-openssh; CAN-2003-0190 @ text @d79 1 @ 1.58 log @simplify and update security support statement; mention SOLID; reference more recent gnupg @ text @d79 1 @ 1.57 log @complete --eval example; use new pgp.openpkg.org @ text @d39 1 a39 3
  • OpenPKG-STABLE, if at least 2 releases are based on it.
  • The previous OpenPKG-STABLE when a "new stable" does not yet have 2 releases based on it. d46 1 a47 1
  • OpenPKG 1.1 d54 1 a54 1 supported OpenPKG-STABLE branch(es). d150 1 a150 1 href="ftp://ftp.openpkg.org/release/1.1/SRC/gnupg-1.0.7-1.1.0.src.rpm"> @ 1.56 log @SA-2003.034-imagemagick; CAN-2003-0455 @ text @d158 1 a158 1 you can simply use "prefix/etc/rc openpkg env" for this. d169 1 a169 1 $ gpg --recv-keys --keyserver pgp.mit.edu 63C4CB9F @ 1.55 log @SA-2003.033-infozip; CAN-2003-0282 @ text @d81 1 @ 1.54 log @SA-2003.032-php; CAN-2002-0985, CAN-2002-0986, CAN-2003-0442 @ text @d81 1 @ 1.53 log @link in gzip SA @ text @d81 1 @ 1.52 log @SA-2003.030-ghostscript; CAN-2003-0354; execute arbitrary commands @ text @d81 1 @ 1.51 log @link GnuPG SA into website @ text @d81 1 @ 1.50 log @link in Samba SA @ text @d81 1 @ 1.49 log @activate Sendmail SA @ text @d81 1 @ 1.48 log @link OpenSSL SA into website @ text @d81 1 @ 1.47 log @link in mutt SA @ text @d81 1 @ 1.46 log @activate MySQL SA @ text @d81 3 @ 1.45 log @link in Samba SA @ text @d81 1 @ 1.44 log @add mod_ssl SA @ text @d81 1 @ 1.43 log @activate OpenSSL SA @ text @d81 1 @ 1.42 log @link in QPopper SA @ text @d81 1 @ 1.41 log @SA-2003.017-file @ text @d81 1 @ 1.40 log @SA-2003.016; CAN-2002-133 @ text @d81 1 @ 1.39 log @link tcpdump SA into website @ text @d81 2 @ 1.38 log @activate already the OpenSSL SA for easier testing @ text @d81 1 @ 1.37 log @SA-2003.012-dhcpd; CAN-2003-0039 @ text @d81 1 @ 1.36 log @SA-2003.011-lynx; CAN-2002-1405 @ text @d81 1 @ 1.35 log @Put new PHP advisory online. @ text @d81 1 @ 1.34 log @new SA-2003.009-w3m @ text @d81 1 @ 1.33 log @OpenPKG-SA-2003.008 fix mysql double free bug @ text @d81 1 @ 1.32 log @SA-2003.007-wget; CAN-2002-1344 @ text @d81 1 @ 1.31 log @SA-2003.006-python; CAN-2002-1119 @ text @d81 1 @ 1.30 log @flush everything prepared for OpenPKG 1.2 @ text @d81 1 @ 1.29 log @SA-2003.005-php; CAN-2002-1396 @ text @d17 1 a17 1 d44 2 a45 1 At this time, security advisories are being released for: d48 2 a49 2
  • OpenPKG 1.1 (CORE and BASE class packages only)
  • OpenPKG 1.0 d60 4 a64 2 You are strongly advised to subscribe to this moderated mailing list. d71 7 a77 3 - [OpenPKG-SA-%0] %1 (HTML, TXT)
    d79 2 a80 1 d102 1 @ 1.28 log @SA-2003.004-cvs; CAN-2003-0015 @ text @d73 1 @ 1.27 log @SA-2003.003-vim; CAN-2002-1377 @ text @d73 1 @ 1.26 log @mount'em @ text @d73 1 @ 1.25 log @commit pending changes to CVS @ text @d73 2 @ 1.24 log @add SAs @ text @d47 1 a47 1
  • OpenPKG 1.1 (CORE and BASE class packages only) @ 1.23 log @release SA @ text @d73 4 @ 1.22 log @add SA for Apache/mod_ssl @ text @d73 2 @ 1.21 log @add security advisory @ text @d73 1 @ 1.20 log @Fix broken links to a broken or nonexisting keyserver. Suggest the more reliable MIT keyserver for PGP key service. Please review this change for political considerations. @ text @d47 1 d73 8 a81 7 d102 1 a102 1 href="ftp://ftp.openpkg.org/release/1.0/SRC/gnupg-1.0.6-1.0.0.src.rpm"> @ 1.19 log @add -v option as recommended by Andrew Griffiths @ text @d117 1 a117 1 $ gpg --recv-keys --keyserver keyserver.pgp.com 63C4CB9F @ 1.18 log @activate SA @ text @d78 2 d165 1 a165 1 $ rpm --checksig name.rpm @ 1.17 log @add SA @ text @d77 1 @ 1.16 log @SA 2002.004 apache @ text @d76 1 @ 1.15 log @add SA related stuff @ text @d75 1 @ 1.14 log @better optical appearance @ text @d74 1 a74 1 # @ 1.13 log @add SA list @ text @d67 3 a69 3
  • [OpenPKG-SA-%0] %1 (HTML, TXT) d71 1 a71 2
      d74 1 a74 1
    @ 1.12 log @Cleanup and minor corrections. @ text @d65 1 d67 3 a69 2
  • [OpenPKG-SA-%0] %1 (HTML, TXT) d71 1 d73 2 a74 1 # d76 1 @ 1.11 log @finally decided to use a dot @ text @d8 1 a8 2 OpenPKG takes security very seriously. Experience has shown that "security d51 1 a51 1 to one of the supported releases mentioned above. Like all development d84 1 a84 2 In order to verify the digital signatures you first have to follow these steps: d93 1 a93 1 Alternatively you can also fetch it from its official homepage name.rpm (both source or d166 2 a167 2 you can be sure the RPM was tampered or provided not by the OpenPKG project. @ 1.10 log @provide better listing @ text @d71 1 a71 1 # @ 1.9 log @add anchors @ text @d64 1 a64 1 The complete list of OpenPKG Security Advisories (OSA) follow: d66 4 d71 1 a71 1 #
  • [OpenPKG-SA-2001:000] template @ 1.8 log @update our OpenPGP stuff for our new and final key @ text @d31 1 d33 1 d70 1 d72 1 @ 1.7 log @do not show template @ text @a8 1 # Most security problems brought to our attention are corrected within 48 hours. d96 1 a96 1 key of "The OpenPKG Project <openpkg@@openpkg.org>" into your d102 1 a102 1 $ gpg --recv-keys --keyserver keyserver.pgp.com 113E6CFC d118 1 a118 1 8D99 3BBD 6420 7D81 4625   EEC2 463B E53A 113E 6CFC d137 1 a137 1 gpg: Good signature from "The OpenPKG Project " d141 1 a141 1 gpg: BAD signature from "The OpenPKG Project " @ 1.6 log @information about digital signatures @ text @d66 1 a66 1
  • [OpenPKG-SA-2001:000] template @ 1.5 log @adjust text @ text @d69 98 @ 1.4 log @Rewording and other corrections. @ text @d8 3 a10 2 OpenPKG takes security very seriously. Most security problems brought to our attention are corrected within 48 hours. Experience has shown that "security d16 2 d32 24 d66 1 a66 1
  • [OSA-000] template @ 1.3 log @add OpenPGP key @ text @d9 1 a9 1 attention are corrected within 48 hours. Experience has shown that "security d17 1 a17 2 Notification of security incidents should be reported to