414 points st_goliath | 13 comments
teddyh ◴[] No.43972000[source]
Note: In Debian, GNU screen is not installed with setuid-root privileges.
replies(4): >>43972155 #>>43972240 #>>43972667 #>>43972691 #
1. perlgeek ◴[] No.43972691[source]
And the package in Debian Stable (aka bookworm) is too old to be affected by the vulnerabilities in 5.0.0.

I used to hate that Debian always was behind on software versions, but now I use different package sources for the few applications where I really don't want to rely on old software (like browsers), and otherwise doing great with the old stuff :-)

replies(2): >>43972806 #>>43980202 #
2. mjevans ◴[] No.43972806[source]
Related... https://bugzilla.mozilla.org/show_bug.cgi?id=1966096

If you're running Firefox on Debian please make sure you manually update it since the package repo's been down for a while. I filed a 'support' ticket first ( https://support.mozilla.org/en-US/questions/1510388 ) since it seemed to be the proper place, but no one seems to look at those.

replies(2): >>43974517 #>>43974767 #
3. sillystuff ◴[] No.43974517[source]
The repo appears to be working for installing/updating packages. Mozilla should allow file listing which should fix the 404s, and make this repo behave as expected when manually browsed (Apparently hosted on a Google webserver; maybe Google forbids this?).

  apt-get changelog firefox
  Get:1 store: firefox 138.0.3~build1 Changelog
  Fetched 129 B in 0s (0 B/s)
  firefox (138.0.3~build1) UNRELEASED; urgency=medium
 
    * N/A
 
   -- Mozilla <release@mozilla.com>  Mon, 12 May 2025 12:40:33 -0000

  date
  Tue May 13 08:56:09 AM PDT 2025


Or, to really prove it to yourself, you can re-download the package:

  apt-get install --download-only --reinstall firefox
replies(1): >>43975405 #
4. foresto ◴[] No.43974767[source]
This is about Mozilla's builds of Firefox for Debian, not Debian's builds, right? So regular Debian users who run the default Firefox (firefox-esr) would be unaffected.
replies(1): >>43975107 #
5. mjevans ◴[] No.43975107{3}[source]
Correct, but that's firefox-esr not firefox. At one point I found it necessary to switch as there was an issue with security updates, but that might have been an issue in that particular system's configuration that I since resolved.
replies(1): >>43979073 #
6. mjevans ◴[] No.43975405{3}[source]
I will have to look into that more tomorrow. My only Debian desktop is a laptop at family's house and currently asleep. It mentioned an error with the repository but my first troubleshooting step was to try to manually verify I could _get_ to the repo in a browser.
7. foresto ◴[] No.43979073{4}[source]
To be clear for the sake of other readers, Debian's firefox-esr package is Firefox.

It's simply a release from Mozilla's Extended Support Release channel, as distinct from the Rapid Release channel that you are apparently using. Not a different project/product.

https://support.mozilla.org/en-US/kb/choosing-firefox-update...

8. bandrami ◴[] No.43980202[source]
Debian stable users missed heartbleed entirely. I think the glacial pace is underrated.
replies(2): >>43980272 #>>43982665 #
9. krferriter ◴[] No.43980272[source]
Glacial pace bedrock of an OS with optional sandboxed more-up-to-date userspace packages and runtimes that can be layered on top of the host system was the dream of flatpak/snap/appimage, right?
replies(1): >>43980724 #
10. bandrami ◴[] No.43980724{3}[source]
Yes, though that comes with its own headaches since the data those sandboxed applications are supposed to touch are the only actually valuable data on my computer. (How many versions of OpenSSL are currently running on my Silverblue system? I literally couldn't tell you.) My spreadsheet is only vouched for by some random dude on Flathub and it can steal all my financial information. But at least it can't add a printer, or delete a system file that I can freely download from the Internet at any time.
replies(1): >>43996520 #
11. rs_rs_rs_rs_rs ◴[] No.43982665[source]
> Debian stable users missed heartbleed entirely

Missed it? Not at all, Debian pioneered that style of bugs years before!

https://github.com/g0tmi1k/debian-ssh

replies(1): >>43983784 #
12. bandrami ◴[] No.43983784{3}[source]
And the default SELinux config was broken for like 15 years IIRC. It's always pick your poison.
13. rlpb ◴[] No.43996520{4}[source]
This is a decent observation, but I would add that some other Flatpak app that you run might be correctly sandboxed from accessing your financial information, and this is the real benefit of such a system.