Tag usage for filenames, commands, packages, ...

2008-05-16 Thread Jens Seidel
Hi,

I recently added some HTML tags to the German translation of
key-rollover/index and wanted to merge it also to the English version
as I think it improved readability a lot.

Nevertheless I wonder whether we have a proper tag usage schema.
http://www.debian.org/devel/website/htmlediting contains only
very limited information.

I decided to use  for filenames (not optimal!) and  for
commands. But we should also mark packages.

Has anyone a good suggestion? Maybe we should create new WML macros
 and  as synonyms for ? Later we could even
redefine  to link to packages.debian.org ...

Jens


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Important: maxdelta and mindelta in translation check header and missing Makefile dependencies

2008-05-16 Thread Jens Seidel
Hi,

I added recently maxdelta="1" to german/security/key-rollover/index.wml
because it is a very important document and the translation is always
outdated :-) See http://www.debian.org/devel/website/uptodate for
documentation of it.

There exists also mindelta= and I wonder about the difference. Also does
using a number argument make sense? In general not the number of
revisions but the content (or at least the size of the patch) is
important.

Nevertheless I noticed now that
http://www.debian.org/security/key-rollover/index.de.html
does not contain a warning about outdated text (it worked yesterday)!
I first assumed that building of the website takes too long. As far as
I know the site is updated every 4 hours. How long does it take to
synchronize the mirrors? What is the most up-to-date mirror?

Nevertheless I noticed that the problem is a missing Makefile dependency.
index.de.html needs to depend on the English source of index.wml if
maxdelta= is used as in
#use wml::debian::translation-check translation="1.6" maxdelta="1"
Strange ...

I added such a dependency to english/security/key-rollover/Makefile
but I'm not happy about this. We need a proper solution and a default
dependency
%.$(LANGUAGE).html: index.wml $(ENGLISHSRCDIR)/.../index.wml
which can be extended by users.

Will think about a proper solution during the weekend ...

Jens





Re: Important: maxdelta and mindelta in translation check header and missing Makefile dependencies

2008-05-16 Thread Peter Karlsson
Jens Seidel:

> Nevertheless I noticed that the problem is a missing Makefile
> dependency.

That should be handled through the "touch_translations" script, which
should make sure that all language versions are updated when another
language version is updated, for instance to fix the inter-language
navigation links without having to clutter the Makefile with
dependencies on all languages (which may, or may not, exist).

-- 
\\// Peter - http://www.softwolves.pp.se/


Re: conversion to subversion

2008-05-16 Thread Roland Mas
Raphael Hertzog, 2008-05-13 12:05:07 +0200 :

> On Tue, 13 May 2008, MJ Ray wrote:
>> Raphael Hertzog <[EMAIL PROTECTED]> wrote:
>> > On Thu, 08 May 2008, Josip Rodin wrote:
>> > > Speaking of which, we have been getting a few requests via
>> > > alioth - would it be possible for alioth to avoid using
>> > > personal mails and instead mail webmaster@, or even
>> > > [EMAIL PROTECTED]
>> >
>> > Well, no, it mails all accounts listed as "admin". Unless you
>> > create a fake admin account pointing to the list (which is not
>> > desirable IMO), there's no simple solution.
>> 
>> It seems a shame if moving to alioth causes webwml administration
>> to become less open and hidden from our users.  If someone patches
>> gforge 4.5 to add an attribute to a project for a debian-style
>> admin (list as admin contact instead of direct mail to admin
>> accounts), would that be applicable to alioth directly?

Certainly.

> I believe so. I cced Roland who is upstream Gforge developer. But
> I'm not sure it's worth the effort really... people can always send
> the request to the mailing list and give their Alioth login and
> admins can add them directly. Nobody is forced to use the "request
> to join" web page.

  I think the feature could be useful in the general case too, but I'm
not sure it's worth the coding and maintenance effort.  It needs an
extra field in the database, some UI to fill it and keep it
up-to-date, in addition to the obvious "send mail to this one address
instead of that list of addresses".

Roland.
-- 
Roland Mas

Why did the tachyon cross the road?
Because it was on the other side.





key rollover: dropbear, bincimap

2008-05-16 Thread Moritz Muehlenhoff
Another two packages:

dropbear

 
If you have /etc/ssh/*host* keys, either remove them, or follow the
openssh instructions below, first, before updating dropbear's
keys.

Dropbear's postinst converts existing openssh keys to dropbear format,
if it cannot find the dropbear host keys.

rm /etc/dropbear/*_host_key
dpkg-reconfigure dropbear
 
Note that keys that have been generated by Dropbear itself are not
vulnerable (it uses libtomcrypt rather than OpenSSL).


bincimap


The bincimap package automatically creates a self-signed certificate
through the openssl program for the bincimap-ssl service, and puts it
into /etc/ssl/certs/imapd.pem. To regenerate run:

rm -f /etc/ssl/certs/imapd.pem
dpkg-reconfigure bincimap





key rollover: tor

2008-05-16 Thread Moritz Muehlenhoff
Dear WWW Team,
Another round of updates:

tor
===

Tor is not in stable, but affected in Lenny.

Clients running 0.1.2.x are not affected.  Tor nodes or hidden service
providers running any version, as well as everyone on 0.2.0.x are
affected.

Please see the vulnerability announcement on the Tor announce mailing
list[0].

Upgrading to 0.1.2.19-3 (available in testing, unstable, backports.org,
and the usual noreply.org repository[1]) or 0.2.0.26-rc-1 (available in
experimental and the usual noreply.org repository[1]) is recommended.
If you run a relay these versions will force new server keys
(/var/lib/tor/keys/secret_*) being generated.

Should you run a Tor node without using the package's infrastructure
(debian-tor user, /var/lib/tor as DataDirectory etc.) you manually need
to remove bad keys.  See the advisory link posted above.

If you are a hidden service provider, and have created your key in
the affected timeframe with a bad libssl then please delete your hidden
service's private key. This will change your hidden service's host name
and may require reconfiguring your servers.

If you are running 0.2.0.x, an upgrade is highly recommended -- 3 of the
6 v3 authority servers have compromised keys.  Old 0.2.0.x versions
will stop working in a week or two.


0. http://archives.seul.org/or/announce/May-2008/msg0.html
1. https://wiki.torproject.org/noreply/TheOnionRouter/TorOnDebian





Processed: Change email address

2008-05-16 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> submitter 475479 !
Bug#475479: If /boot is on RAID, /boot mountpoint record is lost after 
configuring LVM
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.

> submitter 375311 !
Bug#375311: debian-installer: [powerpc] oldworld mac BootX booted netboot fails 
with garbled screen
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.

> submitter 377152 !
Bug#377152: debian-installer: BootX of (hd-media|cdrom) vmlinux and initrd.gz 
fails; miBoot works
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.

> submitter 420392 !
Bug#420392: installation-report: Install succeeds but reboot fails due to 
incorrect drive code in grub
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.

> submitter 369303 !
Bug#369303: [powerpc] On oldworld macintosh need fbcon compiled in
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.

> submitter 367026 !
Bug#367026: linux-image-2.6.15-1-486: HID sermouse driver fails to detect 
Logitech mouse on ttyS0
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.

> submitter 369312 !
Bug#369312: miBoot enable floppies don't eject; must use a paperclip
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.

> submitter 383739 !
Bug#383739: separate root and /boot doesnt work
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.

> submitter 383740 !
Bug#383740: quik-installer incorrectly allows separate root and /boot
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.

> submitter 385797 !
Bug#385797: wiki.debian.org: Wiki does not have a license
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.

> submitter 461045 !
Bug#461045: installation-reports: Installing on Dell PERC3 / Ami MegaRAID Elite 
1600 Hardware RAID & Extraneous Samba Questions
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.

> submitter 478194 !
Bug#478194: shorewall: macro.BitTorrent doesn't open full port range for 3.2+ 
clients
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.

> submitter 478896 !
Bug#478896: flight-of-the-amazon-queen: Not DFSG-free; just READ the copyright 
notice in /usr/share/doc
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.

> submitter 480989 !
Bug#480989: exaile: Creating a playlist empties all playlists
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.

> submitter 480990 !
Bug#480990: exaile: Fails to play FLAC files
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.

> submitter 462613 !
Bug#462613: gnome-system-tools: Default install but static ips on multiple 
interfaces loses DNS information (lenny)
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.

> submitter 480588 !
Bug#480588: xscreensaver-gl: gflux and polytopes hang X
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.
(By the way, that Bug is currently marked as done.)

> submitter 466313 !
Bug#466313: rhythmbox: Rhythmbox must be launch twice to launch it
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.
(By the way, that Bug is currently marked as done.)

> submitter 477644 !
Bug#477644: dwww: Should have swish++ as at least suggests
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.
(By the way, that Bug is currently marked as done.)

> submitter 478205 !
Bug#478205: shorewall: macro.BitTorrent doesn't include required outgoing port
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.
(By the way, that Bug is currently marked as done.)

> submitter 478898 !
Bug#478898: beneath-a-steel-sky: Not DFSG-free
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.
(By the way, that Bug is currently marked as done.)

> submitter 478901 !
Bug#478901: flight-of-the-amazon-queen: May be an illegal repackaging of 
copyrighted material
Changed Bug submitter from Daniel Dickinson <[EMAIL PROTECTED]> to Daniel 
Dickinson <[EMAIL PROTECTED]>.
(By the way, that Bug is currently marked as done.)

> submitter 478902 !
Bug#478902: beneath-a-steel-sky: May be an illegal repa

key rollover: tinc

2008-05-16 Thread Moritz Muehlenhoff
tinc

 
Remove all suspect public and private key files:

   1. Remove rsa_key.priv.
   2. Edit all files in the hosts/ directory and remove the public key blocks. 
 
Generate a new public/private key pair:
 
tincd -n <netname> -K
 
Exchange your host config file with the new public key with other
members of your VPN. Do not forget to restart your tinc daemons.





Re: krb5 / Lenny status

2008-05-16 Thread Russ Allbery
> * All of the random session key generation inside the PKINIT plugin is
>   done using the regular MIT Kerberos random key functions, *not* the
>   OpenSSL random number generator, and hence sessions created via PKINIT
>   are not subject to this vulnerability.

It looks like this may not be the case.  Upstream thought my statement
above was correct, but I just got a correction from someone else who
believes that the DH session key is used for the Kerberos session key,
which means that PKINIT sessions would be subject to a brute force attack
on the weak session key.  I'm not sure exactly what the implications of
that would be, since the PKINIT session key would not normally have been
used directly to encrypt regular network traffic for, say, GSSAPI.  I'm
trying to get further clarification from upstream.

It remains the case that once libssl has been upgraded to a fixed version,
there should be no vulnerabilities remaining in a MIT Kerberos
installation going forward; there is no persistent bad key material
involved.  The only question is whether past sessions created using a
vulnerable libssl should be treated as suspect.

Sorry about the reversal here.

(It continues to be the case that any issue would only be an issue for
lenny, not etch.)

-- 
Russ Allbery ([EMAIL PROTECTED])   





key rollover page: boxbackup

2008-05-16 Thread Moritz Muehlenhoff

boxbackup
=

Boxbackup is not present in Debian stable, only in testing/Lenny.

Upstream has published a first impact analysis of key material created
on a system with an insufficiently random PRNG. You can read the details
here:
http://lists.warhead.org.uk/pipermail/boxbackup/2008-May/004476.html

If the PRNG in your OpenSSL was insufficiently random, you need to:

* Regenerate all affected certificates, which have been generated or 
  signed on an affected system
* Regenerate all the data keys (*-FileEncKeys.raw)
* Destroy the data stored on your server to an appropriate level of 
  security (overwrite with zeros at the least, more if you're paranoid)
* Upload everything again
* Take appropriate measures under the assumption that you have been 
  storing your data in plain text on a public server without authentication.
  (ie, start from scratch, destroying all trace of the backed up
  data, and take other measures to mitigate the exposure of your
  secrets)





Re: key rollover: tor

2008-05-16 Thread Joey Hess
Moritz Muehlenhoff wrote:
> Dear WWW Team,
> Another round of updates:

Added.

-- 
see shy jo


signature.asc
Description: Digital signature


Re: key rollover: tinc

2008-05-16 Thread Joey Hess
Moritz Muehlenhoff wrote:
> tinc
> 

Added

-- 
see shy jo




Re: key rollover page: boxbackup

2008-05-16 Thread Joey Hess
Moritz Muehlenhoff wrote:
> boxbackup
> =

Added.

-- 
see shy jo


key rollover page: cryptsetup

2008-05-16 Thread Moritz Muehlenhoff
From David Härdeman and Jonas Meurer.

cryptsetup
==

Cryptsetup itself does not use openssl for encryption (this applies to
both LUKS and dm-crypt devices).

*If* cryptsetup has been configured to use SSL-encrypted keyfiles (a
non-default setup which must be explicitly configured by the user)
and a broken version of openssl was used to generate the keyfile, the
keyfile encryption may be weaker than expected (as the salt is not
truly random).

The solution is either to re-encrypt the keyfile (if you are
reasonably certain that the encrypted key has not been disclosed to
any third parties) or to wipe and reinstall the affected partition(s)
using a new key.

Instructions for re-encrypting a keyfile:

Do the following for each SSL-encrypted keyfile, replacing
<keyfile> with the path to the actual keyfile:

tmpkey=$(tempfile)
openssl enc -aes-256-cbc -d -salt -in <keyfile> -out "$tmpkey"
shred -uz <keyfile>
openssl enc -aes-256-cbc -e -salt -in "$tmpkey" -out <keyfile>
shred -uz "$tmpkey"
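
A more defensive variant of the re-encryption steps in the message above, added here as an example and not part of the original post: it rejects files that lack the `openssl enc` salted header, and it checks that the new ciphertext decrypts to the same key and carries a different salt before the old file is shredded. The function names, the `KEYFILE_OLD_PASS` / `KEYFILE_NEW_PASS` variables and the use of `mktemp` are assumptions; run it only after libssl has been upgraded to a fixed version.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: enc_salt_hex,
# reencrypt_keyfile, KEYFILE_OLD_PASS, KEYFILE_NEW_PASS.

# Print the 8-byte salt of an "openssl enc -salt" file as hex.
# Layout: bytes 1-8 are the magic "Salted__", bytes 9-16 are the salt.
enc_salt_hex() {
    dd if="$1" bs=1 skip=8 count=8 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Re-encrypt one SSL-encrypted keyfile in place.
# KEYFILE_OLD_PASS / KEYFILE_NEW_PASS may hold an openssl password source
# such as "env:NAME" or "file:/path"; when unset, openssl prompts.
# The body runs in a subshell so umask and exit do not leak to the caller.
reencrypt_keyfile() (
    keyfile=$1
    umask 077                  # the decrypted key must never be world-readable

    workdir=
    cleanup() {
        if [ -n "$workdir" ]; then
            for f in "$workdir/plain" "$workdir/check"; do
                if [ -f "$f" ]; then shred -uz "$f"; fi
            done
            rm -rf "$workdir"
        fi
    }
    fail() { echo "reencrypt_keyfile: $1" >&2; cleanup; exit 1; }

    [ -f "$keyfile" ] || fail "no such file: $keyfile"
    magic=$(dd if="$keyfile" bs=1 count=8 2>/dev/null)
    [ "$magic" = "Salted__" ] || fail "$keyfile is not a salted openssl enc file"
    old_salt=$(enc_salt_hex "$keyfile")

    workdir=$(mktemp -d) || fail "cannot create work directory"
    plain=$workdir/plain
    new=$workdir/new
    check=$workdir/check

    # 1. Decrypt with the old passphrase (same cipher options as the post).
    openssl enc -aes-256-cbc -d -salt -in "$keyfile" -out "$plain" \
        ${KEYFILE_OLD_PASS:+-pass "$KEYFILE_OLD_PASS"} \
        || fail "decryption failed, keyfile left untouched"

    # 2. Encrypt under a fresh salt, into the work directory first.
    openssl enc -aes-256-cbc -e -salt -in "$plain" -out "$new" \
        ${KEYFILE_NEW_PASS:+-pass "$KEYFILE_NEW_PASS"} \
        || fail "encryption failed, keyfile left untouched"

    # 3. Prove the new file is usable before destroying the old one.
    openssl enc -aes-256-cbc -d -salt -in "$new" -out "$check" \
        ${KEYFILE_NEW_PASS:+-pass "$KEYFILE_NEW_PASS"} \
        || fail "new keyfile does not decrypt"
    cmp -s "$plain" "$check" || fail "round trip changed the key"
    [ "$(enc_salt_hex "$new")" != "$old_salt" ] || fail "salt did not change"

    # 4. Swap: stage next to the target, shred the old ciphertext, rename.
    cp "$new" "$keyfile.new" || fail "cannot stage $keyfile.new"
    shred -uz "$keyfile" || fail "cannot shred old keyfile"
    mv "$keyfile.new" "$keyfile" || fail "cannot move new keyfile into place"

    cleanup
)
```

Pointing `TMPDIR` at a tmpfs mount before calling the function keeps the decrypted key off persistent storage.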





Re: krb5 / Lenny status

2008-05-16 Thread Moritz Muehlenhoff
On Fri, May 16, 2008 at 07:44:48AM -0700, Russ Allbery wrote:
> > * All of the random session key generation inside the PKINIT plugin is
> >   done using the regular MIT Kerberos random key functions, *not* the
> >   OpenSSL random number generator, and hence sessions created via PKINIT
> >   are not subject to this vulnerability.
> 
> It looks like this may not be the case.  Upstream thought my statement
> above was correct, but I just got a correction from someone else who
> believes that the DH session key is used for the Kerberos session key,
> which means that PKINIT sessions would be subject to a brute force attack
> on the weak session key.  I'm not sure exactly what the implications of
> that would be, since the PKINIT session key would not normally have been
> used directly to encrypt regular network traffic for, say, GSSAPI.  I'm
> trying to get further clarification from upstream.

Ok, let's wait to change this until upstream confirms, ok?

Cheers,
Moritz





Fwd: Implications of Debian OpenSSL flaw for MIT PKINIT

2008-05-16 Thread Russ Allbery
Here is the confirmation and analysis from upstream, forwarded with
permission.  Another person (not publicly, so I won't mention his name
just in case he didn't wish to be mentioned) also pointed out that since
you can break the encryption used to protect the TGT, you can also then
use that Kerberos TGT to obtain further tickets until it expires (which in
the Kerberos world is usually some locally-configured time period between
eight hours and two weeks, usually on the shorter end of that range).

Any sessions started via a Kerberos TGT issued by a vulnerable Kerberos
KDC should be considered suspect, although the key space isn't, I believe,
quite as small as it is for some of the other affected software.

--- Begin Message ---
Yeah, it looks worse than I thought.

If I understand correctly, though, it's not the Kerberos session key  
itself that's generated via DH, it's the key used to protect the AS- 
REP message, isn't it?  (And it's not required to be produced via DH,  
but that is the mandatory-to-implement approach, and the default in  
the MIT code.)  But the ability to decode the AS-REP gets you the  
session key.

The terminology in RFC 4556 looks a little confusing; it refers to a  
"session key" in at least one place when it appears to be referring to  
the key protecting the AS-REP enc-part field, which normally would be  
the principal's long-term key.  (Maybe that's common usage from the  
PKI world?)

On May 16, 2008, at 12:52, Russ Allbery wrote:
> The TGT session key itself is only used for requesting additional
> tickets in the most common case, however, correct?  So normally this
> flaw would not expose, for instance, GSSAPI sessions, since the client
> would use the TGT to request a service ticket and the session key in the
> service ticket would be generated by MIT Kerberos's random number code
> and hence not be subject to this vulnerability?

But it gets conveyed in encrypted messages protected only by a  
compromised key.  So if all of the traffic is recorded, the other keys  
would be exposed as well.  The attacker does have to get the AS  
exchange and the TGS exchange(s) and, if subsession keys are used, the  
initial exchange of GSSAPI tokens, in order to compromise the GSSAPI  
session.

As we have no support for perfect forward secrecy, it all hinges on  
the privacy of the initial exchange with the KDC.  Lose that, and the  
rest comes down like a row of dominos.

Ken
--- End Message ---


Re: key rollover page: cryptsetup

2008-05-16 Thread Joey Hess
Moritz Muehlenhoff wrote:
> From David Härdeman and Jonas Meurer.
> 
> cryptsetup
> ==

Added

-- 
see shy jo




Re: Fwd: Implications of Debian OpenSSL flaw for MIT PKINIT

2008-05-16 Thread Joey Hess
Russ Allbery wrote:
> Here is the confirmation and analysis from upstream, forwarded with
> permission.  Another person (not publicly, so I won't mention his name
> just in case he didn't wish to be mentioned) also pointed out that since
> you can break the encryption used to protect the TGT, you can also then
> use that Kerberos TGT to obtain further tickets until it expires (which in
> the Kerberos world is usually some locally-configured time period between
> eight hours and two weeks, usually on the shorter end of that range).
> 
> Any sessions started via a Kerberos TGT issued by a vulnerable Kerberos
> KDC should be considered suspect, although the key space isn't, I believe,
> quite as small as it is for some of the other affected software.

Could you summarise the changes that should be made to the key-rollover
page (or provide a patch)?

-- 
see shy jo




Re: Fwd: Implications of Debian OpenSSL flaw for MIT PKINIT

2008-05-16 Thread Russ Allbery
Joey Hess <[EMAIL PROTECTED]> writes:

> Could you summarise the changes that should be made to the key-rollover
> page (or provide a patch)?

Absolutely.  Here's a patch that I think captures the essence and the
important details.

--- rollover.html.orig  2008-05-16 15:07:35.0 -0700
+++ rollover.html   2008-05-16 15:07:11.0 -0700
@@ -261,27 +261,36 @@
 in Debian 4.0 is not affected at all.
 
 
-In Lenny the separate binary package krb5-pkinit uses OpenSSL.
-
-
-MIT Kerberos itself does not generate long-term key pairs even when the
-PKINIT plugin is used, so any vulnerable long-term key pairs would have
-been generated outside of the MIT Kerberos software itself. The PKINIT
-plugin only references existing key pairs and isn't responsible for key
+In Lenny the separate binary package krb5-pkinit uses OpenSSL.  MIT
+Kerberos itself does not generate long-term key pairs even when the PKINIT
+plugin is used, so any vulnerable long-term key pairs would have been
+generated outside of the MIT Kerberos software itself. The PKINIT plugin
+only references existing key pairs and isn't responsible for key
 management.
-
-
-All of the random session key generation inside the PKINIT plugin is
-done using the regular MIT Kerberos random key functions, not the
-OpenSSL random number generator, and hence sessions created via PKINIT
-are not subject to this vulnerability.
-
-
-
+
+
+Long-term key pairs used with PKINIT may be affected if generated on an
+affected Debian system, but such generation is external to MIT Kerberos.
+
 
-MIT Kerberos itself is not in affected. However, long-term key pairs used
-with PKINIT may be affected if generated on an affected Debian system, but
-such generation is external to MIT Kerberos.
+However, the OpenSSL random key functions are used for the DH exchange
+when PKINIT authentication is used, which means that an attacker may be
+able to use brute-force to gain access to the KDC response to a PKINIT
+authentication and subsequently gain access to any sessions created using
+service tickets from that authentication.
+
+
+Any KDCs using the PKINIT plugin from Lenny should have their libssl0.9.8
+packages upgraded immediately and the Kerberos KDC restarted with:
+
+
+/etc/init.d/krb5-kdc restart
+
+
+Any Kerberos ticket-granting tickets (TGTs) or encrypted sessions resulting
+from PKINIT authentication using a Kerberos KDC with the affected libssl
+should be treated as suspect; it's possible that attackers with packet
+captures will be able to compromise those keys and sessions.
 
 OpenSWAN / StrongSWAN
 rm /etc/ipsec.d/private/`hostname`Key.pem 
/etc/ipsec.d/certs/`hostname`Cert.pem
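
Review bot: The added remediation paragraph ("Any KDCs using the PKINIT plugin from Lenny should have their libssl0.9.8 packages upgraded immediately") covers only the KDC, while the added paragraph before it places the weakness in the DH exchange, which has two parties; a predictable DH value from either side is enough to recover the key protecting the reply. Suggest stating whether client hosts doing PKINIT with the affected libssl need the same upgrade, and wording the final "should be treated as suspect" paragraph to match. Separately, "OpenSSL random key functions" is inconsistent with the removed text's "OpenSSL random number generator"; reusing the latter term would keep the page's wording uniform.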

-- 
Russ Allbery ([EMAIL PROTECTED])   





Zenyth Moonfest Press Release.

2008-05-16 Thread Zenyth
Zenyth
Cardiff, UK
Rock / Alternative / Indie Rock
Members: Paul, Chris, Chud, Rich & Adam

www.zenyth-rocks.com

Zenyth confirmed for Moonfest, Wiltshire, includes support from Pete Doherty

Zenyth

The fast rising Cardiff rockers making waves this year in the UK festival
scene are one of the Top Acts billed on the main stage. They will be
supported by a solo performance by Pete Doherty & the cult classic rock
band Leafhound and will be supporting The Australian Pink Floyd and Ozric
Tentacles on the Saturday of the 3 day festival. Zenyth's fresh ballsy
rock and their powerful sound & stage presence is gathering big attention
that means these guys are set for big things. Watch out for their single
release on the 14th July 2008 – Mr. Nobody.

Pete Doherty

Notorious tabloid darling and now Marlborough-based indie pop star Pete
Doherty is to play a solo set. There had been some confusion as to whether
he would appear as he has recently been serving a 14-week stretch for drug
offences in Wormwood Scrubs prison. However, the star was controversially
released early on Tuesday 6th May.

A new festival on the block in Wiltshire will boast some great musical
acts on the bill when it's held in August.

Wiltshire plays host to numerous outdoor music events over the summer
months each year, and in 2008 there's a new kid on the block.

The inaugural 'Moonfest' is to be held at Storridge Farm near Westbury
over the weekend of Friday 29th-Sunday 31st August and numerous top
international acts have already signed up to appear.

Friday sees a dance night featuring DJ sets on the Main Stage but the
Saturday and Sunday calendar is packed with well-known names.

Ozric Tentacles

If you were an outdoor gig-goer in the nineties, you can't fail to have
seen Somerset space rockers Ozric Tentacles, also set for the Main Stage on
Saturday. They were ubiquitous on the festival circuit in that era, and 27
albums later, they are still going strong.

And headlining the Main Stage on Saturday are top international tribute
act, The Australian Pink Floyd. As there is little chance of ever seeing
the original band reunite for a tour, The Australian Pink Floyd are
considered the next best thing to seeing the real thing. They will also be
bringing their stunning light show.

Back to the Eighties

Sunday on the Main Stage at Moonfest is dedicated to The Eighties. Things
kick off with Into the Bleach - a Blondie tribute act before the real fun
starts with a succession of top bands from the era that taste forgot.

Heaven 17

Hip soulsters Curiosity Killed the Cat, funksters Shakatak, soul trio
Imagination, popsters Go West and synth poppers Heaven 17 are all set to
appear. This is a line-up no Wiltshire Eighties kid should miss out on!

Fans of the many talented local bands and singers Wiltshire has to offer
will not miss out either.

Over the whole weekend, on two separate stages in The Sovereign Marquee
and The Riffs Marquee, local acts such as Rob Sharples, The Doubtful Guest,
The Alfonz and The Mentalists will be playing live.

In total, nearly 50 Wiltshire bands and musicians are set to appear at
Moonfest over the festival weekend.

Weekend (£79.00) and single day (£39.00) tickets are available now which
you can purchase at the official Moonfest website via the website
www.moonfest.co.uk. Camping site tickets are also available (£12.00).

PLEASE CONTACT [EMAIL PROTECTED] FOR MORE INFO ON ZENYTH


Upcoming Shows for Zenyth

05/23/2008 07:30 PM  Swindon, UK         Riffs Bar
06/01/2008 07:00 PM  Cardiff, WALES, UK  10 Feet Tall
06/13/2008 08:00 PM  Cardiff, UK         Coopers Field
06/14/2008 08:00 PM  Cardiff, UK         Barfly
06/19/2008 07:00 PM  Swansea, UK         The Milkwood Jam
07/03/2008 07:00 PM  Cardiff, UK         10 Feet Tall

key rollover: Generic OpenSSL PEM instructions

2008-05-16 Thread Moritz Muehlenhoff
Hi,
please add this to the top next to OpenSSH, since it can be referenced
by the instructions for several other packages.

OpenSSL: Generic PEM key generation instructions


This is just a reminder for those who (re-)generate PEM encoded
certificates. Your site probably has other policies in place about how
to manage keys which you should follow. Additionally, you may need to
get the certificates signed again by a 3rd party Certificate Authority
rather than by using a self-signed certificate as shown below:

cd /etc/ssl/private
openssl genrsa 1024 > mysite.pem
cd /etc/ssl/certs
openssl req -new -key ../private/mysite.pem -x509 -days  -out mysite.pem





Re: key rollover: Generic OpenSSL PEM instructions

2008-05-16 Thread Joey Hess
Moritz Muehlenhoff wrote:
> please add this to the top next to OpenSSH, since it can be referenced
> by the instructions for several other packages.

mmmkay.

-- 
see shy jo




New Site - WebMemorial

2008-05-16 Thread WebMemorial

  New on the internet

  The Web Memorial site - www.webmemorial.com.br – has been created and is
being launched so that internet users can pay posthumous tribute to their
loved ones, preserving their memory.
  Through this service, a person can create a dedicated page on the
internet bearing the name of the person honoured, making it easier for
relatives and friends to remember.
  The site offers functions to "light virtual candles", assemble photo
albums, show videos, offer condolences, recount the legacy and build the
timeline of the deceased.
  Easy-to-use tools for creating and editing the website are available,
completely free of charge.
  To set up a WebMemorial, the user needs to choose one of the several page
templates and fill in the form with their own details and those of the
person honoured - creation takes three minutes on average. Visit the site
to see some templates already created.
  Hosting is free for a period of 14 days. After this period, the fees
charged may range from R$ 8,00 per month (12-month period) to R$ 12,00 per
month, for a minimum period of 4 months.

