Kapitel 5. Problemområden att känna till för utgåvan stretch

Innehållsförteckning

5.1. Upgrade specific items for Stretch
5.1.1. Noteworthy obsolete packages
5.1.2. Deprecated components for Stretch
5.1.3. Things to do post upgrade before rebooting
5.2. Limitations in security support
5.2.1. Säkerhetsläget för webbläsare
5.2.2. Lack of security support for the ecosystem around libv8 and Node.js
5.3. Package specific issues
5.3.1. Older ciphers and SSH1 protocol disabled in OpenSSH by default
5.3.2. Possible backwards incompatible changes to APT
5.3.3. The Xorg server is no longer setuid root by default

Ibland innebär förändringar i en ny utgåva att sidoeffekter vi inte kunnat undvika uppstår, i vissa fall skapas nya fel någon annanstans. Här dokumenterar vi problem som vi känner till. Vänligen läs ävan erratan, dokumentationen för aktuella paket, felrapporter och annan information som nämns i Avsnitt 6.1, ”Ytterligare läsning”.

5.1. Upgrade specific items for Stretch

This section covers items related to the upgrade from Jessie to Stretch

5.1.1. Noteworthy obsolete packages

The following is a list of known and noteworthy obsolete packages (see Avsnitt 4.8, ”Föråldrade paket” for a description).

The list of obsolete packages includes:

  • TODO; add items here

5.1.2. Deprecated components for Stretch

With the next release of Debian 10 (codenamed Buster) some features will be deprecated. Users will need to migrate to other alternatives to prevent trouble when updating to 10.

This includes the following features:

  • TODO: Add items if any

5.1.3. Things to do post upgrade before rebooting

When apt-get dist-upgrade has finished, the formal upgrade is complete, but there are some other things that should be taken care of before the next reboot.


      add list of items here
      
    

5.2. Limitations in security support

There are some packages where Debian cannot promise to provide minimal backports for security issues. These are covered in the following subsections.

Note that the package debian-security-support helps to track security support status of installed packages.

5.2.1. Säkerhetsläget för webbläsare

Debian 9 innehåller flera webbläsarmotorer som påverkas av en strid ström av säkerhetshål. Den stora mängden fel och den partiella bristen på stöd uppströms i form av långsiktiga utvecklingsgrenar gör det mycket svårt att ha stöd för dessa webbläsare med bakåtporterade säkerhetslagningar. Dessutom gör biblioteksberoenden det omöjligt att uppdatera dessa till nyare versioner. Webbläsare utvecklade på webkit, qtwebkit- och khtml-motorerna ingår i Stretch men täcks inte av säkerhetsstödet. Dessa webbläsare ska inte användas tillsammans med webbplatser du inte litar på.

För generell webbsurfning rekommenderar vi Iceweasel eller Chromium.

Chromium - trots att den bygger på kodbasen Webkit - är ett löv-paket. Detta paket hålls uppdaterat genom att den aktuella Chromium-utgåvan byggs om för Debians stabila utgåva. Iceweasel och Icedove kommer också att hållas uppdaterat genom att den aktuella ESR-utgåvan byggs om för Debian stabila utgåva.

5.2.2. Lack of security support for the ecosystem around libv8 and Node.js

The Node.js platform is built on top of libv8-3.14, which experiences a high volume of security issues, but there are currently no volunteers within the project or the security team sufficiently interested and willing to spend the large amount of time required to stem those incoming issues.

Unfortunately, this means that libv8-3.14, nodejs, and the associated node-* package ecosystem should not currently be used with untrusted content, such as unsanitized data from the Internet.

In addition, these packages will not receive any security updates during the lifetime of the Stretch release.

5.3. Package specific issues

In most cases, packages should upgrade smoothly between Jessie and Stretch. There are a small number of cases where some intervention may be required, either before or during the upgrade; these are detailed below on a per-package basis.

5.3.1. Older ciphers and SSH1 protocol disabled in OpenSSH by default

The OpenSSH 7 release has disabled some older ciphers and the SSH1 protocol by default. Please be careful when upgrading machines, where you only have SSH access.

Please refer to the OpenSSH documentation for more information.

5.3.2. Possible backwards incompatible changes to APT

This section covers some of the incompatible changes to APT that may affect your system.

5.3.2.1. APT now fetches files with an unprivileged user ("_apt")

APT will now attempt to discard all root privileges before fetching files from mirrors. APT can detect some common cases where this will fail and fallback to fetching things as root with a warning. However, it may fail to detect some exotic setups (e.g. uid-specific firewall rules).

If you experience issues with this feature, please change to the "_apt" user and check that it:

  • has read access to files in /var/lib/apt/lists and /var/cache/apt/archives.

  • has read access to the APT trust store (/etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/)

  • can resolve DNS names and download files. Example methods for testing:

    # From the dnsutils package (if using tor, please check with tor-resolve instead).
    $ nslookup debian.org >/dev/null || echo "Cannot resolve debian.org"
    $ wget -q https://debian.org/ -O- > /dev/null || echo "Cannot download index page of debian.org"
    

    For DNS issues, please check that /etc/resolv.conf is readable.

5.3.2.2. New requirements for APT repository

[Notera]Notera

This section only applies if you have (or intend to use) third-party repositories enabled or if you maintain an APT repositories.

To improve the download stability and ensure security of the downloaded content, APT now requires the following from an APT repository:

  • The InRelease file must be available

  • All metadata must include at least SHA256 checksums of all items. This includes the gpg signature of the InRelease file.

  • Signatures on the InRelease file should be done with a key at the size of 2048 bit or larger.

If you rely on a third-party repository that cannot comply with the above, please urge them to upgrade their repository. More information about the InRelease file can be found on the Debian Wikipedia.

5.3.3. The Xorg server is no longer setuid root by default

[Notera]Notera

This change only applies if your X Display Manager supports running X as rootless (or if you start X manually via startx). Currently the only known display manager supporting this is gdm. Other display managers simply start X as root regardless of this change.

This reduces the risk of privilege escalation via bugs in the X server. However, it has some requirements for working:

  • It needs logind and libpam-systemd.

  • It needs a kernel video driver (as Xorg cannot talk directly to the hardware anymore).

  • It needs to run on the virtual console it was started from.

When run as a regular user, the Xorg log will be available from ~/.local/share/xorg/.

If these requirements are not possible, please install the xserver-xorg-legacy package to reinstate the setuid Xorg.