TL;DR

The extended Squeeze security support is opt-in. One has to enable the squeeze-lts distribution in the APT sources; it is not provided through security.debian.org. Don't forget to do that if you're still running Squeeze, or you will not receive important security updates!

$ echo "deb http://ftp.nl.debian.org/debian squeeze-lts main non-free contrib" \
  >> sudo tee -a /etc/apt/sources.list \
  && sudo apt-get update \
  && sudo apt-get dist-upgrade

About Debian LTS

Standard security support for Debian GNU/Linux release 6.0 (codename Squeeze) has been terminated May 31st, 2014. While users should have been putting effort in upgrading to Wheezy, a separate team of volunteers announced prolonged security support on April 24, 2014 for at least until February 2016. Cool to see a Debian release to be supported for such a longer time, but I'm just not too excited about it, because I really think this should be announced from the initial release on. Now this is just discouraging users to upgrade to Wheezy and the user base of Squeeze-LTS is just only going to become smaller and smaller.

Not enabled by default

What's not mentioned in the announcement of Squeeze-LTS, is that one needs to enable the squeeze-lts release channel in order to receive the updates. I believe a lot of users will not notice it and their systems will likely not be receiving critical security updates released this month like the gnutls26 update and the openssl update.

With a fully updates Squeeze machine, I can confirm the updates are not pushed through security.debian.org.

$ apt-cache policy libgnutls26
libgnutls26:
Installed: 2.8.6-1+squeeze3
Candidate: 2.8.6-1+squeeze3
Version table:
*** 2.8.6-1+squeeze3 0
        500 http://security.debian.org/ squeeze/updates/main amd64 Packages
        100 /var/lib/dpkg/status
    2.8.6-1+squeeze2 0
        500 http://ftp.nl.debian.org/debian/ squeeze/main amd64 Packages

GnuTLS version 2.8.6-1+squeeze3 is from March 2014 (changelog) and clearly does not include fixes for those like the 'Client Hello' vulnerability (CVE-2014-3466) fixed in the announced 2.8.6-1+squeeze4 version by the Squeeze-LTS team.

How to enable Squeeze LTS?

Simply put, add the squeeze-lts distribution from your regular Debian mirror to your APT's sources.list configuration. E.g.:

deb http://ftp.nl.debian.org/debian squeeze main non-free contrib
deb http://ftp.nl.debian.org/debian squeeze-updates main non-free contrib
deb http://security.debian.org squeeze/updates main non-free contrib

# Squeeze LTS
deb http://ftp.nl.debian.org/debian squeeze-lts main non-free contrib

Then run

# apt-get update

to update the lists.

Now you can enjoy new security updates pending:

$ apt-cache policy libgnutls26
libgnutls26:
Installed: 2.8.6-1+squeeze3
Candidate: 2.8.6-1+squeeze4
Version table:
    2.8.6-1+squeeze4 0
        500 http://ftp.nl.debian.org/debian/ squeeze-lts/main amd64 Packages
*** 2.8.6-1+squeeze3 0
        500 http://security.debian.org/ squeeze/updates/main amd64 Packages
        100 /var/lib/dpkg/status
    2.8.6-1+squeeze2 0
        500 http://ftp.nl.debian.org/debian/ squeeze/main amd64 Packages

Don't forget to actually upgrade and to restart all related services!

# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
libgnutls26
[...]

# /etc/init.d/exim4 restart

Share on: TwitterHacker NewsFacebookLinkedInRedditEmail


Related Posts


Published

Category

Security

Tags

Connect with me on...