geoip and geoip-database news!


geoip version 1.6.2-2 and geoip-database version 20141027-1 are now available in Debian unstable/sid, with some news of more free databases available :)

geoip changes:

   * Add patch for geoip-csv-to-dat to add support for building GeoIP city DB.
     Many thanks to Andrew Moise for contributing!
   * Add and install geoip-generator-asn, which is able to build the ASN DB. It
     is a modified version from the original geoip-generator. Much thanks for
     contributing also to Aaron Gibson!
   * Bump Standards-Version to 3.9.6 (no changes required).

geoip-database changes:

   * New upstream release.
   * Add new databases GeoLite city and GeoLite ASN to the new package
     geoip-database-extra. Also bump build depends on geoip to 1.6.2-2.
   * Switch to xz compression for the orig tarball.

So much thanks to both contributors!

BASH fix Debian Lenny (5.0) CVE-2014-6271, CVE-2014-7169 aka Shellshock


I have decided to create fixed bash packages for Debian Lenny. I have applied the upstream patchsets from from 052 until 057, so some other issues are also addressed in it. :-)
And here they are:

Source .dsc:
amd64 package:
i386 package:

Much fun with it!

otrs and geoip-database updates

I have just uploaded the monthly update of geoip-database to Debian unstable and squeeze-backports, unblock request already filled.

I also uploaded otrs2 in the new version 3.2.1+dfsg1-1, which is also “fixing” bug #690306, “fixing” because the upgrade will abort with a list of MySQL tables where the administrator has to fix ether the engine from MyISAM to InnoDB (or the other way, as he want to) and by fxing the default engine of his MySQL database server. Ugly issue, ugly hack, but there is no better solution..

Full changelog of otrs Debian packaging:

   * New upstream release.
     - Add new dependency libyaml-libyaml-perl.
     - Refresh patch 03-postmaster.
     - Refresh patch 05-opt.
     - Refresh patch 13-dont-chown-links.
     - Refresh patch 16-disable-DashboardProductNotify.
     - Refresh patch 19-fix-SetPermissions-to-include-some-more-dirs.
     - Rewrite patch 25-use-locale-country, since all_country_names() does not
       accept arguments.
     - Refresh patch 26-font-paths.
     - Rewrite patch 04-backup.
     - Rewrite patch 15-usable-apache-config.
     - Rewrite patch 21-use-debian-libjs-packages.
     - Rewrite patch 23-load-debian-libjs.
     - Remove old database schemas and add new 3.2 ones.
   * Monitor all releases again.
   * Drop patch 24-default-myisam and check with the new script,
     if the available tables and the used storage engine are equal. If it is not
     the case the installation should abort, so that the administrator can fix
     his MySQL server or the already created tables.
     Closes: #690306
   * Remove deprecated packaging notes from README.Debian.
   * Remove deprecated NEWS file from packaging.
   * Remove deprecated files from otrs2.examples.
   * Solve duplicate-changelog-files by not installing the CHANGES file.
   * Remove some more deprecated files from
   * Add lintian override for empty-binary package otrs.
   * Remove some old permission fixes from debian/rules.
   * Add upstream patch 01-innodb-fk-error to fix some foreign key errors if the
     tables are created with InnoDB.

What an ugly (PHP) work..

We still have got some more or less webapplications which are not compatible with PHP higher than version 5.2.x, which is the only blocker for the last Lenny servers to upgrade them to Squeeze.. I do not think that I am alone with this ****** topic :)

So the new “masterplan” is to deploy those applications on seperated Wheezy servers, with PHP 5.2.x running as FastCGI, so that most parts of the system are “security supported”.

First; I didn’t documented my steps and I am not 100% done (something like 99%) but I have done the following to have it “as clean as possible”:

  • Catch the original 5.2.17 sources and build them, urgs.. it fails at all with the new multiarch paths from Wheezy, after a few hours of patching I gave up..
  • Using dotdeb Lenny sources as reference, they also have got 5.2.17 sources, but what the fuck? The orig sources of their mirror also could not build, because the patch series FAILS (not hunky, they fail!), how did they build them???
  • After some sanitizing of the dotdeb packages I thought it is better to smoke some cigarette and to delete them, urgs..
  • My next step was to catch the latest 5.2.12-x packaging from, here the story continues… again…:

PHP 5.2.x is just not able to detect the new multiarch paths, it fails at most “dir” options. Since patching the whole build system would be *too* much work I decided to hack around this (ln -s /usr/lib/x86…./ /usr/lib/), then some adjustions to the build dependencies, disablieng some modules, like SSL and libdb (incompatible versions), disabling merged patches and refresh the suhosin hardening patch; I get an working PHP 5.2.17 package on Wheezy.
But this is too easy!
I want packages which I could co-install with the PHP 5.4 packages from Wheezy, 5.2 should only used withing vHosts where I have enabled them..

So I rewrote the whole packaging (*burg* IMHO at all) to use “php52” instead of “php5” as packaging namespace and also everything is put into “/opt” as prefix. Much painfull work, but yeah it works.. :)
Some packages, like php52-dev or php-pear are broken, but those were not my goal of this action.

If someone is interested in those packages please send me an email.
Since PHP 5.2 is not supported any longer (and that this is at all a big hack) I will not publish the source and binaries at all.

Squeeze or Wheezy for new projects?


I am interested in your opionions! If you would setup today an new server for a (business) project, would you use Debian Squeeze or Wheezy?

Personal – and already in most business cases – we have decided for Wheezy, because the pros are:

  • Enhanced hardening
  • More up to date technologies and scripting languages
  • Longer security support, because..
  • .. you do not have to dist-upgrade within the next year(?)

The cons:

  • It is not stable yet

What is your (business) opionion about it?

otrs 3.1.12 in Debian experimental


I have just uploaded otrs2 version 3.1.12+dfsg1-1 to Debian experimental yesterday! It includes many bugfixes, for a full list have a look at [0].

I also would welcome help for two important tasks:
#690306: Upgrade to Wheezy fails, if InnoDB is used in (some) tables
#695664: Embedded JavaScript code copies. As usual problematic with a package which is as big as otrs..

I also will backport otrs 3.1.x to Wheezy backports, if it is released. After this step, work on the 3.2.x packaging will begin.

[0]: otrs changelog

Package updates from the middle of october


3.3.1 has been released with a bunch of bugfixes, yeah! 3.3.1-1 is uploaded to experimental.


As usual the monthly database update, already migrated to Wheezy from Sid.


Today 3.1.11 has been released with a few bugfixes and one security fix for a XSS vulnerability on viewing special prepared HTML e-mails, which leads to that the browser executes JavaScript code (as described in CVE-2012-4751 and OTRS security announcement OSA-2012-03).
otrs2 3.1.11+dfsg1-1 is just accepted in experimental and I also backported the patch to the Wheezy version with 3.1.7+dfsg1-6.

Playing with Apache mod_geoip

If you want to add some rules to your Apache based on the clients country, mod_geoip is perfect for it.


On Squeeze following is enough: # apt-get install libapache2-mod-geoip geoip-database/squeeze-backports

Note that you should use the geoip-database version from squeeze-backports to have got the most up to date database version, I am updating it every month.


You can add the rules to your VirtualHost, Directory, Location directives and also to your apache2.conf (“serverwide”). So you are flexible with where to use it.

Blocking countries

On some servers I have got more than 90 percent of spam requests only from three countries, so I blocked them with:

<DirectoryMatch “^/var/www/.*/html”>
Deny from env=BlockCountry

Allow only specific countries

In the other way you also can allow specific countries to have got access to your website, this also may be a good idea for extranets, where you know from where your customers are:

<Directory “/var/www/”>
Deny from all
Allow from env=AllowCountry

Very easy!

Rewrite Rules

You can also use it for mod_rewrite. Within a project, customers from CN and TW should be redirected to the chinese page:

RewriteRule ^(.*)$ [L]

mod_geoip with proxy frontends

Normaly mod_geoip works behinds load balancers and proxy servers, since it also take care of the HTTP_X_FORWARDED_FOR header.

But with haproxy it looks problematic, since it does not add the HTTP_X_FORWARDED_FOR header to KeepAlive’d requests :( Disabling KeepAlive is a bad idea on this cluster, so we decided to also use php5-geoip in our application, so everything is working nice now..

What mod_geoip is NOT is

mod_geoip helps you to block/allow specific countries, but it does not protect you from them.
Also keep in mind that the database is only ~ 99,8% accurate, so you may have got false positives/negatives. If you only allow german users, a german IP could be listed as russian.
This is much more problematic with mobile/satellite connections and surely you can also not access your page, if you are on vacation in another country. ;)

Recent packaging updates 2012/09

What I have done (on my packages for Wheezy) in the last weeks?


0.9.4-3 and 0.9.4-4 adds two upstream patches to remove an applicable use of /proc in Perls procfs_read() method, which fixes LXC detection and another patch to not count the dmesg lines twice within the KVM detection module.
Much thanks to Thomas Liske!


The 0.8.0-4 upload also adds two upstream patches to fix an major memory leak in the mlt_cache function and a crash with LADSPA plugins on dlclose().
And here much thanks to Dan Dennedy!
I have also uploaded 0.8.2-1 to experimental.


1.0~beta2-2 and 1.0~beta2-3 added a few upstream patches to fix security and major use problems. The debdiff was a bit huge so it took a bit more time to unblock/migrate.
1.0~beta5-1 is also available in experimental.
Much thanks for the patch support to Philipp Schafft!


With the 2.4.9+dfsg1-3+squeeze3 upload (DSA-2536-1) there was an security update for otrs2 on Squeeze which fixes a cross-site scripting issue and improved the e-mail filter to detect nested tags. Those – with a few other fixes – migrated with 3.1.7+dfsg1-5 to testing, while I also uploaded 3.1.10+dfsg1-1 to experimental.
Now I can focus on the upcoming 3.2.x packaging. :)