K.S. Bhaskar via plug on 21 Sep 2019 15:37:45 -0700



Re: [PLUG] Changes Upgrading Debian 9 to Debian 10


From personal experience, don't try upgrading from 9 to 10 if you are running Raspbian on a Raspberry Pi. The upgrade will “succeed” but 10 will just hang for ever on boot (correction, it just hung till I ran out of patience after some tens of minutes). Just save what needs to be saved (e.g., /home) and do a fresh install. Indeed, even Raspbian 10 had an early problem (now apparently resolved) that an apt upgrade would get you a machine that hung on boot. So, I had to install Raspbian 10 twice.

Regards
– Bhaskar

On Sat, Sep 21, 2019 at 2:09 PM Ronald P Guilmet via plug <plug@lists.phillylinux.org> wrote:
If you are upgrading Debian 9 to Debian 10, you will come across some onscreen reading of what changes are taking effect. I am posting those onscreen changes here, so you can give them a look over before you do your upgrade.


apt (1.8.0~alpha3) unstable; urgency=medium

  The PATH for running dpkg is now configured by the option DPkg::Path,
  and defaults to "/usr/sbin:/usr/bin:/sbin:/bin". Previous behavior of
  not changing PATH may be restored by setting the option to an empty string.

  Support for /etc/apt/auth.conf.d/ has been added, see apt_auth.conf(5).

 -- Julian Andres Klode <jak@debian.org>  Tue, 18 Dec 2018 15:02:11 +0100

apt (1.6~rc1) unstable; urgency=medium

  Seccomp sandboxing has been turned off by default for now. If it works
  for you, you are encouraged to re-enable it by setting APT::Sandbox::Seccomp
  to true.

 -- Julian Andres Klode <jak@debian.org>  Fri, 06 Apr 2018 14:14:29 +0200

apt (1.6~beta1) unstable; urgency=medium

  APT now verifies that the date of Release files is not in the future. By
  default, it may be 10 seconds in the future to allow for some clock drift.

  Two new configuration options can be used to tweak the behavior:
    Acquire::Check-Date
    Acquire::Max-DateFuture

  These can be overridden in sources.list entries using the check-date
  and date-future-max options. Note that disabling check-date also
  disables checks on valid-until: It is considered to mean that your
  machine's time is not reliable.

 -- Julian Andres Klode <jak@debian.org>  Mon, 26 Feb 2018 13:14:13 +0100

apt (1.6~alpha1) unstable; urgency=medium

  All methods provided by apt except for cdrom, gpgv, and rsh now
  use seccomp-BPF sandboxing to restrict the list of allowed system
  calls, and trap all others with a SIGSYS signal. Three options
  can be used to configure this further:

    APT::Sandbox::Seccomp is a boolean to turn it on/off
    APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
    APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow

  Also, sandboxing is now enabled for the mirror method.

 -- Julian Andres Klode <jak@debian.org>  Mon, 23 Oct 2017 01:58:18 +0200

apt (1.5~beta1) unstable; urgency=medium

  [ New HTTPS method ]
  The default http method now supports HTTPS itself, including encrypted proxies
  and connecting to HTTPS sites via HTTPS proxies; and the apt-transport-https
  package only provides a "curl+https" method now as a fallback, but will be
  removed shortly. If TLS support is unwanted, it can be disabled overall by
  setting the option Acquire::AllowTLS to "false".

  As for backwards compatibility, the options IssuerCert and SslForceVersion
  are not supported anymore, and any specified certificate files must be in the
  PEM format (curl might have allowed DER files as well).

  [ Changes to unauthenticated repositories ]
  The security exception for apt-get to only raise warnings if it encounters
  unauthenticated repositories in the "update" command is gone now, so that it
  will raise errors just like apt and all other apt-based front-ends do since
  at least apt version 1.3.

  It is possible (but STRONGLY ADVISED AGAINST) to revert to the previous
  behaviour of apt-get by setting the option
    Binary::apt-get::Acquire::AllowInsecureRepositories "true";
  See apt-secure(8) manpage for configuration details.

  [ Release Info Changes ]
  If values like Origin, Label, and Codename change in a Release file,
  update fails, or asks a user (if interactive). Various
  --allow-releaseinfo-change are provided for non-interactive use.

 -- Julian Andres Klode <jak@debian.org>  Mon, 03 Jul 2017 15:09:23 +0200

glibc (2.26-5) unstable; urgency=medium

  Starting with version 2.26-1, the glibc requires a 3.2 or later Linux
  kernel.  If you use an older kernel, please upgrade it *before*
  installing this glibc version. Failing to do so will end-up with the
  following failure:

    Preparing to unpack .../libc6_2.26-5_amd64.deb ...
    ERROR: This version of the GNU libc requires kernel version
    3.2 or later.  Please upgrade your kernel before installing
    glibc.

  The decision to not support older kernels is a GNU libc upstream
  decision.

  Note: This obviously does not apply to non-Linux kernels.

 -- Aurelien Jarno <aurel32@debian.org>  Tue, 23 Jan 2018 22:03:12 +0100

gnupg2 (2.2.12-1+deb10u1) buster; urgency=medium

  In this version we adopt GnuPG's upstream approach of making keyserver
  access default to self-sigs-only.  This defends against receiving
  flooded OpenPGP certificates.  To revert to the previous behavior (not
  recommended!), add the following directive to ~/.gnupg/gpg.conf:

    keyserver-options no-self-sigs-only

  We also adopt keys.openpgp.org as the default keyserver, since it avoids
  the associated bandwidth waste of fetching third-party certifications
  that will not be used.  To revert to the older SKS keyserver network (not
  recommended!), add the following directive to ~/.gnupg/dirmngr.conf:

    keyserver hkps://hkps.pool.sks-keyservers.net

  Note: we do *not* adopt upstream's choice of import-clean for the
  keyserver default, since it can lead to data loss, see
  https://dev.gnupg.org/T4628 for more details.

 -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 21 Aug 2019 14:53:47 -0400

ifupdown (0.8.34) unstable; urgency=medium

  VLAN interfaces that are marked allow-hotplug are now brought up
  automatically when the parent interface is hotplugged.

 -- Guus Sliepen <guus@debian.org>  Fri, 25 May 2018 22:33:22 +0200

ifupdown (0.8.32) unstable; urgency=medium

  Since version 0.8, ifupdown allows concurrent calls of ifup and ifdown.
  While calls for the same interface will be serialized, calls for different
  interfaces can run in parallel. This is especially important during boot
  time, when the chance is high that multiple interfaces are being brought up
  concurrently. Ensure that any if-pre/post-up/down.d scripts you use are safe
  to run concurrently, as well as any pre/post-up/down commands in
  /etc/network/interfaces.

 -- Guus Sliepen <guus@debian.org>  Wed, 04 Apr 2018 23:20:51 +0200

ifupdown (0.8.20) unstable; urgency=medium

  Ifupdown now supports pattern matching for interfaces. This will help
  writing /etc/network/interfaces for systems with changing interface names,
  or to simplify configuration for a large number of interfaces. The details
  are in the interfaces(5) manual page, and examples are provided in
  /usr/share/doc/ifupdown/examples/pattern-matching.

 -- Guus Sliepen <guus@debian.org>  Tue, 10 Jan 2017 17:20:09 +0100

iptables (1.8.1-2) unstable; urgency=medium

    All the iptables binaries have been moved away from /sbin to /usr/sbin.
    Some compatibility symlinks have been added for the Buster release cycle,
    but please make sure your scripts aren't using hardcoded binary paths.
    The plan after Buster is to drop the symlinks.

 -- Arturo Borrero Gonzalez <arturo@debian.org>  Wed,  25 Oct 2018 12:00:00 +0200

iptables (1.8.1-1) unstable; urgency=medium

    By default, this package will try to use the nf_tables kernel backend
    instead of the xtables one. Please, read more about this in
    /usr/share/doc/iptables/README.Debian, including details about the new
    update-alternatives configuration possibilities.
    This is a major update on the way iptables works and may have severe impact
    in running systems which are upgrading between Debian versions.
    The arptables and ebtables binaries are also affected, and those packages
    will be updated soon as well.

 -- Arturo Borrero Gonzalez <arturo@debian.org>  Wed,  24 Oct 2018 14:00:00 +0200

linux-latest (86) unstable; urgency=medium

  * From Linux 4.13.10-1, AppArmor is enabled by default.  This allows
    defining a "profile" for each installed program that can mitigate
    security vulnerabilities in it.  However, an incorrect profile might
    disable some functionality of the program.

    In case you suspect that an AppArmor profile is incorrect, see
    <https://lists.debian.org/debian-devel/2017/11/msg00178.html> and
    consider reporting a bug in the package providing the profile.  The
    profile may be part of the program's package or apparmor-profiles.

 -- Ben Hutchings <ben@decadent.org.uk>  Thu, 30 Nov 2017 20:08:25 +0000

linux-latest (81) unstable; urgency=medium

  * From Linux 4.10, the old 'virtual syscall' interface on 64-bit PCs
    (amd64) is disabled.  This breaks chroot environments and containers
    that use (e)glibc 2.13 and earlier, including those based on Debian 7
    or RHEL/CentOS 6.  To re-enable it, set the kernel parameter:
    vsyscall=emulate

 -- Ben Hutchings <ben@decadent.org.uk>  Fri, 30 Jun 2017 23:50:03 +0100

newt (0.52.20-4) unstable; urgency=medium

  * Drop Priority: important for whiptail, to minimize system size.
    This means any package that requires 'whiptail' for dialogs in scripts,
    etc. must now explicitly depend on it.
    Closes: #893563

 -- Alastair McKinstry <mckinstry@debian.org>  Mon, 19 Mar 2018 13:07:22 +0000

openssh (1:7.9p1-1) unstable; urgency=medium

  OpenSSH 7.9 includes a number of changes that may affect existing
  configurations:

   * ssh(1), sshd(8): the setting of the new CASignatureAlgorithms option
     bans the use of DSA keys as certificate authorities.
   * sshd(8): the authentication success/failure log message has changed
     format slightly.  It now includes the certificate fingerprint
     (previously it included only key ID and CA key fingerprint).

 -- Colin Watson <cjwatson@debian.org>  Sun, 21 Oct 2018 10:39:24 +0100

openssh (1:7.8p1-1) unstable; urgency=medium

  OpenSSH 7.8 includes a number of changes that may affect existing
  configurations:

   * ssh-keygen(1): Write OpenSSH format private keys by default instead of
     using OpenSSL's PEM format.  The OpenSSH format, supported in OpenSSH
     releases since 2014 and described in the PROTOCOL.key file in the
     source distribution, offers substantially better protection against
     offline password guessing and supports key comments in private keys.
     If necessary, it is possible to write old PEM-style keys by adding "-m
     PEM" to ssh-keygen's arguments when generating or updating a key.
   * sshd(8): Remove internal support for S/Key multiple factor
     authentication.  S/Key may still be used via PAM or BSD auth.
   * ssh(1): Remove vestigial support for running ssh(1) as setuid.  This
     used to be required for hostbased authentication and the (long gone)
     rhosts-style authentication, but has not been necessary for a long
     time.  Attempting to execute ssh as a setuid binary, or with uid !=
     effective uid will now yield a fatal error at runtime.
   * sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
     HostbasedAcceptedKeyTypes options have changed.  These now specify
     signature algorithms that are accepted for their respective
     authentication mechanism, where previously they specified accepted key
     types.  This distinction matters when using the RSA/SHA2 signature
     algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
     counterparts.  Configurations that override these options but omit
     these algorithm names may cause unexpected authentication failures (no
     action is required for configurations that accept the default for these
     options).
   * sshd(8): The precedence of session environment variables has changed.
     ~/.ssh/environment and environment="..." options in authorized_keys
     files can no longer override SSH_* variables set implicitly by sshd.
   * ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed.  They
     will now use DSCP AF21 for interactive traffic and CS1 for bulk.  For a
     detailed rationale, please see the commit message:
     https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284

 -- Colin Watson <cjwatson@debian.org>  Thu, 30 Aug 2018 15:35:27 +0100

openssh (1:7.6p1-1) unstable; urgency=medium

  OpenSSH 7.6 includes a number of changes that may affect existing
  configurations:

   * ssh(1): Delete SSH protocol version 1 support, associated configuration
     options and documentation.
   * ssh(1)/sshd(8): Remove support for the hmac-ripemd160 MAC.
   * ssh(1)/sshd(8): Remove support for the arcfour, blowfish and CAST
     ciphers.
   * Refuse RSA keys <1024 bits in length and improve reporting for keys
     that do not meet this requirement.
   * ssh(1): Do not offer CBC ciphers by default.

 -- Colin Watson <cjwatson@debian.org>  Fri, 06 Oct 2017 12:36:48 +0100

openssh (1:7.5p1-1) experimental; urgency=medium

  OpenSSH 7.5 includes a number of changes that may affect existing
  configurations:

   * This release deprecates the sshd_config UsePrivilegeSeparation option,
     thereby making privilege separation mandatory.

   * The format of several log messages emitted by the packet code has
     changed to include additional information about the user and their
     authentication state. Software that monitors ssh/sshd logs may need to
     account for these changes. For example:

       Connection closed by user x 1.1.1.1 port 1234 [preauth]
       Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
       Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]

     Affected messages include connection closure, timeout, remote
     disconnection, negotiation failure and some other fatal messages
     generated by the packet code.

 -- Colin Watson <cjwatson@debian.org>  Sun, 02 Apr 2017 02:58:01 +0100

openssl (1.1.1-2) unstable; urgency=medium

  Following various security recommendations, the default minimum TLS version
  has been changed from TLSv1 to TLSv1.2. Mozilla, Microsoft, Google and Apple
  plan to do same around March 2020.

  The default security level for TLS connections has also be increased from
  level 1 to level 2. This moves from the 80 bit security level to the 112 bit
  security level and will require 2048 bit or larger RSA and DHE keys, 224 bit
  or larger ECC keys, and SHA-2.

  The system wide settings can be changed in /etc/ssl/openssl.cnf. Applications
  might also have a way to override the defaults.

  In the default /etc/ssl/openssl.cnf there is a MinProtocol and CipherString
  line. The CipherString can also sets the security level. Information about the
  security levels can be found in the SSL_CTX_set_security_level(3ssl) manpage.
  The list of valid strings for the minimum protocol version can be found in
  SSL_CONF_cmd(3ssl). Other information can be found in ciphers(1ssl) and
  config(5ssl).

  Changing back the defaults in /etc/ssl/openssl.cnf to previous system wide
  defaults can be done using:
  MinProtocol = None
  CipherString = DEFAULT

  It's recommended that you contact the remote site in case the defaults cause
  problems.

 -- Kurt Roeckx <kurt@roeckx.be>  Sun, 28 Oct 2018 20:58:35 +0100

systemd (236-1) unstable; urgency=medium

  DynamicUser=yes has been enabled for systemd-journal-upload.service and
  systemd-journal-gatewayd.service.
  This means we no longer need to statically allocate a systemd-journal-upload
  and systemd-journal-gateway user and you can now safely remove those system
  users along with their associated groups.

 -- Michael Biebl <biebl@debian.org>  Sun, 17 Dec 2017 21:17:32 +0100

util-linux (2.32-0.4) unstable; urgency=medium

  The util-linux implementation of /bin/su is now used, replacing the
  one previously supplied by src:shadow (shipped in login package), and
  bringing Debian in line with other modern distributions. The two
  implementations are very similar but have some minor differences (and
  there might be more that was not yet noticed ofcourse), e.g.

  - new 'su' (with no args, i.e. when preserving the environment) also
    preserves PATH and IFS, while old su would always reset PATH and IFS
    even in 'preserve environment' mode.
  - new 'su -' (creating new environment) will do just that, while old
    su would always preserve content of DISPLAY and XAUTHORITY
    environment variables. Set them as needed (but beware X doesn't give
    you any real privileges separation anyway if you can access an X
    server of another user). See pam_xauth(8) if you want to reconfigure
    pam for seamless xauth keys.
  - su '' (empty user string) used to give root, but now returns an error.
  - previously su only had one pam config, but now 'su -' is configured
    separately in /etc/pam.d/su-l. This file additionally invokes
    'pam_keyinit' to revoke the session keyring.

  The first difference is probably the most user visible one. Doing
  plain 'su' is a really bad idea for many reasons, so using 'su -' is
  strongly recommended to always get a newly set up environment similar
  to a normal login. If you want to restore behaviour more similar to
  the previous one you can add 'ALWAYS_SET_PATH yes' in /etc/login.defs.

 -- Andreas Henriksson <andreas@fatal.se>  Fri, 03 Aug 2018 10:52:22 +0200

util-linux (2.29.2-3) experimental; urgency=medium

  * The cfdisk, fdisk and sfdisk utilities has been split out into a
    separate fdisk package. Any package needing these utilities should
    add a dependency on: fdisk | util-linux (<< 2.29.2-3~)
    (The second part of it makes the dependency also be fulfilled in case
     of stretch-backports and should be considered optional.)

 -- Andreas Henriksson <andreas@fatal.se>  Sun, 06 Aug 2017 14:59:02 +0200

util-linux (2.29.2-2) unstable; urgency=medium

  * The deprecated 'pg' utility is no longer shipped.
    (Please use either 'more' or 'less' instead.)
  * The deprecated 'tunelp' utility is no longer shipped.
    (Parallell port printers are suspected to be extinct by now.)
  * The deprecated 'line' utility is no longer shipped.
    (Please use the 'head' utility instead.)
  * The deprecated 'tailf' utility is no longer shipped.
    (Please use 'tail -f' instead.)

 -- Andreas Henriksson <andreas@fatal.se>  Mon, 13 Mar 2017 19:27:14 +0100

wpasupplicant (2:2.6-19) unstable; urgency=medium

  With this release, wpasupplicant no longer respects the system
  default minimum TLS version, defaulting to TLSv1.0, not TLSv1.2. If
  you're sure you will never connect to EAP networks requiring anything less
  than 1.2, add this to your wpasupplicant configuration:

    tls_disable_tlsv1_0=1
    tls_disable_tlsv1_1=1

  wpasupplicant also defaults to a security level 1, instead of the system
  default 2. Should you need to change that, change this setting in your
  wpasupplicant configuration:

    openssl_ciphers=DEFAULT@SECLEVEL=2

  Unlike wpasupplicant, hostapd still respects system defaults.

 -- Andrej Shadura <andrewsh@debian.org>  Sat, 15 Dec 2018 14:22:18 +0100

apt-listchanges (3.14) unstable; urgency=low

  When displaying changelogs during upgrades is enabled, but no changelog
  file is provided by any of binary packages being processed together, then
  apt-listchanges will call `apt-get changelog' command to retrieve changes
  over network.  (Similar functionality has existed in Ubuntu for ages, and
  was incorporated into Debian a few versions ago.)

  If for some reason, like limited network connectivity, this behavior
  is undesirable, it can be now disabled with the new `--no-network' option
  that can be also set using debconf interface:

     dpkg-reconfigure apt-listchanges


  Additionally the debconf interface was improved to manage a few older
  configuration options, for example `--email-format'.

 -- Robert Luberda <robert@debian.org>  Sun, 09 Jul 2017 09:55:48 +0200

debconf (1.5.68) unstable; urgency=low

  From now on, Kde frontend requires debconf-kde-helper package.
  libqtcore4-perl and libqtgui4-perl packages can be safely removed.

 -- Modestas Vainius <modax@debian.org>  Wed, 18 Jul 2018 21:12:23 +0100

--
Ron
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
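
For the openssh (1:7.5p1-1) entry quoted above, which warns that software monitoring ssh/sshd logs may need to account for the new message formats: the following is an added example, not part of either post or of OpenSSH, showing a parser that accepts the three forms quoted in that entry as well as a line with no user field. The function names, the syslog prefixes, the sample lines and the user-less older form are assumptions constructed for illustration.

```python
import re
from collections import Counter

# The user field is optional so that lines written before the 7.5 change
# (assumed here to carry only address and port) still parse. The pattern is
# anchored at the end of the line: the user name in an "invalid user" message
# is chosen by the client, so the address is taken from the right-hand side.
CLOSED_RE = re.compile(
    r"Connection closed by "
    r"(?:(?P<state>authenticating user|invalid user|user) (?P<user>.+?) )?"
    r"(?P<addr>[0-9A-Fa-f:.]+) port (?P<port>\d+)"
    r"(?: \[(?P<phase>\w+)\])?\s*$"
)


def parse_closed(line):
    """Return a dict with state, user, addr, port, phase, or None if no match."""
    m = CLOSED_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def invalid_user_sources(lines):
    """Count 'invalid user' connection closures per source address."""
    hits = Counter()
    for line in lines:
        rec = parse_closed(line)
        if rec and rec["state"] == "invalid user":
            hits[rec["addr"]] += 1
    return hits


# Constructed sample lines; the message bodies of the first three are the
# examples given in the NEWS entry, the syslog prefixes are made up.
SAMPLE = [
    "Sep 21 14:09:01 host sshd[811]: Connection closed by user x 1.1.1.1 port 1234 [preauth]",
    "Sep 21 14:09:02 host sshd[812]: Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]",
    "Sep 21 14:09:03 host sshd[813]: Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]",
    # Assumed older form without a user field.
    "Sep 21 14:09:04 host sshd[814]: Connection closed by 1.1.1.1 port 1234 [preauth]",
    # Constructed: a client-supplied user name that imitates an address field.
    "Sep 21 14:09:05 host sshd[815]: Connection closed by invalid user x 1.1.1.1 port 22 203.0.113.9 port 40222 [preauth]",
    "Sep 21 14:09:06 host sshd[816]: Accepted publickey for x from 10.1.1.1 port 1234 ssh2",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse_closed(entry))
    print(invalid_user_sources(SAMPLE))
```
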