Apt Security - Ubuntu MATE 16.04 action required

security

#1

:astonished: Debian and Ubuntu apt requirements are in the middle of a significant update. If you’re running Ubuntu MATE 16.04 you may need to take action!

apt in Debian Unstable and Ubuntu 16.04 now requires that repositories be signed with RSA keys using SHA256 or higher. Some 3rd party repositories don’t meet these requirements.

Currently the Google Music Manager, Google Talk Plugin, and SpiderOakONE repositories are affected and will cause graphical package and update managers to fail outright. So subscribe to Welcome’s updates to ensure the applications above are no longer listed. Also, it is recommended that if you’ve installed Google Music Manager, Google Talk Plugin or SpiderOakONE you uninstall them using Ubuntu MATE Welcome or disable their repositories in Software and Updates.

I spent last evening working with the Debian team to determine the extent of the issue and which 3rd party repositories are affected and what they need to do to become compliant. Thankfully the Google Chrome repository was updated yesterday. We’ll be contacting affected maintainers of the non-compliant repositories over the weekend.

Google Music Manager, Google Talk Plugin and SpiderOakONE are the only 3rd party repositories used by Ubuntu MATE Welcome that are not compliant with the new apt security requirements.


pinned #2

#3

In case it’s helpful, for those having trouble installing Tvheadend due to apt update and Bintray SHA1 signing, Bintray Support mentions this should be fixed by the end of the week.


#4

Ubuntu MATE 16.04, I do have the issue with SpiderOakONE; how strange it is to see “Hardy” back in the repositories!

E: Failed to fetch http://APT.spideroak.com/ubuntu-spideroak-hardy/dists/release/Release No Hash entry in Release file /var/lib/apt/lists/partial/APT.spideroak.com_ubuntu-spideroak-hardy_dists_release_Release which is considered strong enough for security purpose

I can do the update anyway, install software or do this kind of admin thing without trouble or issue.
Could the SpiderOak team help? Should we contact them?
Thanks! And sorry for my English …


#5

I do not know where you found that link, but it’s dead. Here are my findings…

https://spideroak.com/opendownload


#6

Hi v3xx,

That’s where the strange things start. I always download from that link, on the official SpiderOak website, to install and activate my account.
I did install the 6.1.3 version, as your link mentions.
So I don’t get why I have that particular mistake then, with the “hardy” repository (if I get it right).


#7

Let’s see what you have going on :slight_smile:

Code:
tail -v -n +1 /etc/apt/sources.list.d/*


#8

Thanks v3xx,
here:
==> /etc/apt/sources.list.d/appgrid-stable-xenial.list <==
deb http://ppa.launchpad.net/appgrid/stable/ubuntu xenial main

==> /etc/apt/sources.list.d/appgrid-stable-xenial.list.save <==
deb http://ppa.launchpad.net/appgrid/stable/ubuntu xenial main

==> /etc/apt/sources.list.d/audio-recorder-ubuntu-ppa-xenial.list <==
deb http://ppa.launchpad.net/audio-recorder/ppa/ubuntu xenial main
deb-src http://ppa.launchpad.net/audio-recorder/ppa/ubuntu xenial main

==> /etc/apt/sources.list.d/audio-recorder-ubuntu-ppa-xenial.list.save <==
deb http://ppa.launchpad.net/audio-recorder/ppa/ubuntu xenial main
deb-src http://ppa.launchpad.net/audio-recorder/ppa/ubuntu xenial main

==> /etc/apt/sources.list.d/costales-ubuntu-anoise-xenial.list <==
deb http://ppa.launchpad.net/costales/anoise/ubuntu xenial main
deb-src http://ppa.launchpad.net/costales/anoise/ubuntu xenial main

==> /etc/apt/sources.list.d/costales-ubuntu-anoise-xenial.list.save <==
deb http://ppa.launchpad.net/costales/anoise/ubuntu xenial main
deb-src http://ppa.launchpad.net/costales/anoise/ubuntu xenial main

==> /etc/apt/sources.list.d/heyarje-ubuntu-makemkv-beta-xenial.list <==
deb http://ppa.launchpad.net/heyarje/makemkv-beta/ubuntu xenial main
deb-src http://ppa.launchpad.net/heyarje/makemkv-beta/ubuntu xenial main

==> /etc/apt/sources.list.d/heyarje-ubuntu-makemkv-beta-xenial.list.save <==
deb http://ppa.launchpad.net/heyarje/makemkv-beta/ubuntu xenial main
deb-src http://ppa.launchpad.net/heyarje/makemkv-beta/ubuntu xenial main

==> /etc/apt/sources.list.d/insync.list <==
deb http://apt.insynchq.com/ubuntu trusty non-free contrib

==> /etc/apt/sources.list.d/insync.list.save <==
deb http://apt.insynchq.com/ubuntu trusty non-free contrib

==> /etc/apt/sources.list.d/libdvdcss2.list <==
deb http://download.videolan.org/pub/debian/stable/ /
deb-src http://download.videolan.org/pub/debian/stable/ /

==> /etc/apt/sources.list.d/libdvdcss2.list.save <==
deb http://download.videolan.org/pub/debian/stable/ /
deb-src http://download.videolan.org/pub/debian/stable/ /

==> /etc/apt/sources.list.d/maarten-baert-ubuntu-simplescreenrecorder-xenial.list <==
deb http://ppa.launchpad.net/maarten-baert/simplescreenrecorder/ubuntu xenial main
deb-src http://ppa.launchpad.net/maarten-baert/simplescreenrecorder/ubuntu xenial main

==> /etc/apt/sources.list.d/maarten-baert-ubuntu-simplescreenrecorder-xenial.list.save <==
deb http://ppa.launchpad.net/maarten-baert/simplescreenrecorder/ubuntu xenial main
deb-src http://ppa.launchpad.net/maarten-baert/simplescreenrecorder/ubuntu xenial main

==> /etc/apt/sources.list.d/ravefinity-project-ubuntu-ppa-xenial.list <==
deb http://ppa.launchpad.net/ravefinity-project/ppa/ubuntu xenial main
# deb-src http://ppa.launchpad.net/ravefinity-project/ppa/ubuntu xenial main

==> /etc/apt/sources.list.d/ravefinity-project-ubuntu-ppa-xenial.list.save <==
deb http://ppa.launchpad.net/ravefinity-project/ppa/ubuntu xenial main
# deb-src http://ppa.launchpad.net/ravefinity-project/ppa/ubuntu xenial main

==> /etc/apt/sources.list.d/spideroakone.list <==
deb http://APT.spideroak.com/ubuntu-spideroak-hardy/ release restricted


==> /etc/apt/sources.list.d/spideroakone.list.save <==
deb http://APT.spideroak.com/ubuntu-spideroak-hardy/ release restricted


==> /etc/apt/sources.list.d/spotify.list <==
deb http://repository.spotify.com stable non-free

==> /etc/apt/sources.list.d/spotify.list.save <==
deb http://repository.spotify.com stable non-free

==> /etc/apt/sources.list.d/team-xbmc-ubuntu-ppa-xenial.list <==
deb http://ppa.launchpad.net/team-xbmc/ppa/ubuntu xenial main
deb-src http://ppa.launchpad.net/team-xbmc/ppa/ubuntu xenial main

==> /etc/apt/sources.list.d/team-xbmc-ubuntu-ppa-xenial.list.save <==
deb http://ppa.launchpad.net/team-xbmc/ppa/ubuntu xenial main
deb-src http://ppa.launchpad.net/team-xbmc/ppa/ubuntu xenial main

==> /etc/apt/sources.list.d/ubuntuhandbook1-ubuntu-corebird-xenial.list <==
deb http://ppa.launchpad.net/ubuntuhandbook1/corebird/ubuntu xenial main
deb-src http://ppa.launchpad.net/ubuntuhandbook1/corebird/ubuntu xenial main

==> /etc/apt/sources.list.d/ubuntuhandbook1-ubuntu-corebird-xenial.list.save <==
deb http://ppa.launchpad.net/ubuntuhandbook1/corebird/ubuntu xenial main
deb-src http://ppa.launchpad.net/ubuntuhandbook1/corebird/ubuntu xenial main

==> /etc/apt/sources.list.d/ubuntu-mate-dev-ubuntu-welcome-xenial.list <==
deb http://ppa.launchpad.net/ubuntu-mate-dev/welcome/ubuntu xenial main
deb-src http://ppa.launchpad.net/ubuntu-mate-dev/welcome/ubuntu xenial main

==> /etc/apt/sources.list.d/ubuntu-mate-dev-ubuntu-welcome-xenial.list.save <==
deb http://ppa.launchpad.net/ubuntu-mate-dev/welcome/ubuntu xenial main
deb-src http://ppa.launchpad.net/ubuntu-mate-dev/welcome/ubuntu xenial main

==> /etc/apt/sources.list.d/ubuntu-wine-ubuntu-ppa-xenial.list <==
deb http://ppa.launchpad.net/ubuntu-wine/ppa/ubuntu xenial main
deb-src http://ppa.launchpad.net/ubuntu-wine/ppa/ubuntu xenial main

==> /etc/apt/sources.list.d/ubuntu-wine-ubuntu-ppa-xenial.list.save <==
deb http://ppa.launchpad.net/ubuntu-wine/ppa/ubuntu xenial main
deb-src http://ppa.launchpad.net/ubuntu-wine/ppa/ubuntu xenial main

#9

==> /etc/apt/sources.list.d/spideroakone.list <==
deb http://APT.spideroak.com/ubuntu-spideroak-hardy/ release restricted

==> /etc/apt/sources.list.d/spideroakone.list.save <==
deb http://APT.spideroak.com/ubuntu-spideroak-hardy/ release restricted

Ok, need to remove this. Should be good to go after that.


#10

Working, I’ll try it out and let you know. Thanks


#11

OK, it solved the problem with the SpiderOak source list, but I still get this in the terminal

/usr/share/appgrid/appdata/helpers.py:9: PyGIWarning: Soup was imported without specifying a version first. Use gi.require_version('Soup', '2.4') before import to ensure that the right version gets loaded.
  from gi.repository import GLib, GObject, Soup
Lecture des listes de paquets... Fait
W: http://download.videolan.org/pub/debian/stable/Release.gpg: Signature by key 8F0845FE77B16294429A79346BCA5E4DB84288D9 uses weak digest algorithm (SHA1) 

I did nothing wrong with appgrid, I don’t get what this is about:
usr/share/appgrid/appdata/helpers
Is Ubuntu MATE using any PPA for VLC?
By the way, by disabling the SpiderOak repo, I don’t get any updates, if so … :astonished:
Thanks!!!
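
The two apt messages quoted in posts #4 and #11 come from different checks: the `E:` line means the Release file lists no SHA256-or-stronger hashes (the repository is rejected), while the `W:` line means the signature on the Release file uses a SHA1 digest (still accepted, with a warning). The script below is an added example, not code from any poster or from the Ubuntu MATE project; the function names are hypothetical and the sample lines are constructed from the messages quoted above. It classifies apt output by those two cases and finds which source file references an affected host.

```shell
#!/bin/sh
# Sample input, constructed from the messages quoted in posts #4 and #11.
sample_apt_output() {
cat <<'EOF'
Reading package lists... Done
E: Failed to fetch http://APT.spideroak.com/ubuntu-spideroak-hardy/dists/release/Release No Hash entry in Release file /var/lib/apt/lists/partial/APT.spideroak.com_ubuntu-spideroak-hardy_dists_release_Release which is considered strong enough for security purpose
W: http://download.videolan.org/pub/debian/stable/Release.gpg: Signature by key 8F0845FE77B16294429A79346BCA5E4DB84288D9 uses weak digest algorithm (SHA1)
EOF
}

# Reads apt output on stdin; prints "<severity> <reason> <host>" per flagged repo.
classify_apt_messages() {
    awk '
    function host(url,   p) { split(url, p, "/"); return tolower(p[3]) }
    # Release file has only MD5/SHA1 sections: repository is refused.
    /^E: .*No Hash entry in Release file/ { print "error no-strong-hash " host($5) }
    # Release.gpg signature was made with a SHA1 digest: warning only.
    /^W: .*uses weak digest algorithm/    { print "warning weak-signature-digest " host($2) }
    '
}

# Prints the *.list files in directory $1 with an active (uncommented) deb or
# deb-src line pointing at host $2 (lowercase). apt's .save backups are skipped.
sources_for_host() {
    for f in "$1"/*.list; do
        [ -f "$f" ] || continue
        awk -v h="$2" '
        $1 ~ /^deb(-src)?$/ {
            # The URI is the first field with a scheme; options like [arch=...] may precede it.
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[a-z]+:\/\//) {
                    split($i, p, "/")
                    if (tolower(p[3]) == h) found = 1
                    break
                }
        }
        END { exit !found }' "$f" && echo "$f"
    done
    return 0
}

# Demo on the constructed sample.
sample_apt_output | classify_apt_messages
```

On a live system, pipe the combined output of `apt update` through `classify_apt_messages` with an English locale (the patterns match the untranslated messages), then pass each reported host to `sources_for_host /etc/apt/sources.list.d`.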


#12

Talking about this?

https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1558331


#13

Looks the same, so it seems to be a reported bug …
Thanks anyway


#14

Just have to read this!!
https://www.debian-administration.org/users/dkg/weblog/48
The bug is still there, if I saw well, even with the last update. I’ll see.
Thanks


closed #15

This topic was automatically closed after 15 days. New replies are no longer allowed.