Hi,
(debian bug, Elliot)
> Package: wu-ftpd
> Version: 2.4-23
>
> I don't know the exploit, but tar in the anon ftp area is the
> same as the normal one, so I think Debian systems may have this
> problem too. Two messages from the linux-security list (the
> second one includes a patch for tar -
Package: ftp.debian.org
The current version of pine is in non-free because the copyright
is not clear. We really should talk to the maintainers - perhaps
we can get permission to distribute the package as part of the
distribution? (FYI, it's in Red Hat, and those guys are quite
careful about cop
Package: ssh
Version: 1.2.14-1
If compiled on a system which has no /etc/shadow file, sshd
doesn't support shadow passwords when using the password
authentication. All the necessary code is already there (will
work with both shadow and non-shadow passwords) - all that is
needed is to hack the con
At 1996-08-28 21:59 +, Brian C. White wrote:
>I know that at one point the dselect/dpkg combination had fairly serious
>problems if the same package name existed with multiple versions. I learned
>this the hard way when I installed from a mirror that had not run to
>completion and thus had not
>The same problem occurs using Slackware and RedHat Linux and on
>different hardware.
Would you be willing to try another amd package? To solve local
problems here I hand-patched a few things in the amd package, and
rolled in a few other patches from various newsgroups, and it has
worked withou
Package: ssh
Version: 1.2.14-1
The package is compiled with the -g -O flags (autoconf default)
- this results in larger and slower binaries. It might be a good
idea to use -O2 instead (no -g) and maybe strip the binaries too.
Marek
Package: ssh
Version: 1.2.14-1
sshd writes to the file /etc/ssh/ssh_random_seed during normal
operation - the file should be moved to /var according to the
FSSTND recommendations.
Marek
-----BEGIN PGP SIGNED MESSAGE-----
Format: 1.5
Date: Fri, 23 Aug 1996 22:51:53 -0400
Source: maplay
Binary: maplay
Architecture: source i386
Version: 1.2-1
Distribution: unstable
Urgency: low
Maintainer: Brian Mays <[EMAIL PROTECTED]>
Description:
maplay - An MPEG Audio Player.
Changes:
ma
-----BEGIN PGP SIGNED MESSAGE-----
Format: 1.5
Date: Sat, 24 Aug 1996 08:07:03 -0400
Source: netcdf-perl
Binary: netcdf-perl
Architecture: source i386
Version: 1.1-1
Distribution: unstable
Urgency: low
Maintainer: Brian Mays <[EMAIL PROTECTED]>
Description:
netcdf-perl - A perl extension for acc
Package: textutils
Version: 1.17-2
-chiark:~> echo -e 'hi^IthereM-z\011hi' | cat -vET
hi^IthereM-z^Ihi$
-chiark:~>
As you can see, it's not possible to distinguish a single escaped
control character ^ or M- from the corresponding
sequence of printable characters.
There should be an option to do
Package: squid
Version: 1.0.beta16-1
In the default configuration, squid runs as root. While it can be
changed in the config file, someone might forget to configure it
after installation, so I think the default should be secure. The
permissions/ownerships in /var/squid and /var/log/squid should
Package: netstd
Version: 2.06-1
Right now, telnetd checks for a few dangerous environment variables.
I think it should do what telnetd in NetKit-0.08 does: only allow
a few variables which are known to be safe, and don't allow any
others. The problem is that you never know that the list of the
da
Karl Sackett writes ("dpkg-buildpackage and -source questions"):
> Regarding the -r option for dpkg-buildpackage, are there any
> examples of what's called for here? Is the gain-root-command
> something each developer provides for himself, or is there a command
> or shell somewhere that performs t
Hi,
is there any way to change the subject line of an already existing
bug report? This hole is a really *serious* (not moderate) one -
it lets any local and remote users read any file on the system.
I think there are two possible ways to fix it:
(1) ignore the dangerous environment variables co
Package: xlib
Version: 3.1.2-7
It seems there is a buffer overrun in libXt, which may be a security
hole (some programs using libXt, such as xterm, are setuid root).
I haven't tried to exploit it, but xterm -fg very_long_string
segfaults, so it might be exploitable (stack overwrite). See the
atta
Package: wu-ftpd
Version: 2.4-23
I don't know the exploit, but tar in the anon ftp area is the
same as the normal one, so I think Debian systems may have this
problem too. Two messages from the linux-security list (the
second one includes a patch for tar - only for anon ftp, not
for the normal on
In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] (Heiko Schlittermann) writes:
> perhaps I've missed an announcement or similar. Just I've downloaded
> qt-0.98, a C++ Class Library for GUI development (X11, WinNT, other?).
>
> The library (and source) seems to be free for X11 && devel of free
>
Package: amd
Version: upl102-3
Hi,
I am running the amd ("The 4.4BSD automounter") under Debian Linux
to mount users' home directories (and other shared filesystems).
The problem is that certain filesystems cause amd to lock up the
system, whereas mounting them using "mount" works fine. Other
fi
"Brian C. White":
> Could you write them to STDERR and the rest of the info to STDOUT?
An option to suppress them might be better.
> I thought about this, but it requires my script to know about the
> internals of crontab. If crontab ever changed, then a problem could
> arise. I prefer to keep
Hello,
to avoid duplicated effort ... is anybody out there already debianizing
the ctags package from Darren Hiebert <[EMAIL PROTECTED]>?
If not, I'd do it.
For further information about ctags I've appended posting to c.o.l.a.
[ And yes, I know of elvis-ctags, but it's up to the user to evaluate w
Hello out there ...
perhaps I've missed an announcement or similar. Just I've downloaded
qt-0.98, a C++ Class Library for GUI development (X11, WinNT, other?).
The library (and source) seems to be free for X11 && devel of free
software. As time of this writing the libs get compiled. Some two
m
Susan G. Kleinmann writes:
> (Perhaps this should be a separate bug report; if you want one, please
> let me know.)
No, it's not a bug I think.
> [...]
> New action 'view' for MIME type 'image/*'...
> --> package=metamailview=showpicture -viewer "xloadimage -view
> -quiet" %s
>
> 1)
On Wed, 28 Aug 1996, Dale Scheetz wrote:
> In particular it says that packages that depend on
> packages in non-free are to reside in contrib (or non-free if other
> restrictions apply).
I've also been meaning to bring this up, but from another angle.
Previously, Ian, you've said that packages whi
On Wed, 28 Aug 1996, Brian C. White wrote:
> The reason I bring this up is that there are now several packages that are
> _intentionally_ in the distribution multiple times with different versions:
>
> Debian-1.1-fixed/binary-i386/text/gs_2.62-2.deb
> non-free/binary/gs_4.01-2.deb
This is the
In article <[EMAIL PROTECTED]> you wrote:
:
: The only incompatibility is that you might have to add a :bk: entry to
: the printcap in order to print to a BSD-lpd-based network printer.
I care a lot about compatibility with other BSD'ish lpd-based systems. I
could live with this easily.
Bdale
[EMAIL PROTECTED] (Christopher R. Hertel) wrote on 12.08.96 in <[EMAIL
PROTECTED]>:
> Problem: On some systems, the compressed kernel image provided on the
> installation floppy (boot1440.bin) is not decompressed properly when
> read from floppy. One solution that seems to work for most users i
Package: emacs
Version: 19.31-2
I just upgraded from 19.29-3, and it left me with the following
/etc/site-start.el:
(load "/usr/lib/emacs/19.29/lisp/jka-compr.elc")
(if (file-exists-p "/usr/lib/emacs/site-lisp/w3-init.el") (load "w3-init"))
(autoload 'lout-mode "lout-mode" "Mode for editing Lou
I bit the bullet today and decided to install and implement pgp. Searching
the packages files did not turn it up, but I was able to deduce that it
was therefore, in non-free. However the search turned up this information:
mailcrypt - depends: pgp
dchanges - recommends: pgp
elm and w3-
Package: util-linux
Version: 2.5-5
If clock is invoked with the -u flag and the kernel has the real time
clock enabled, it causes a segmentation fault. Omitting the -u flag
or running a kernel with the real time clock disabled will not cause
the problem.
I don't have the strace handy, but I can
> *** Bruce ***
> What's the "official" word on duplicate packages this way?
Ian Jackson wields the fiat power where software packaging is concerned.
Try dpkg_1.3.9 (or whatever version is now in incoming). Make up a good
test case and report the results as a bug.
Thanks
Bruce
I know that at one point the dselect/dpkg combination had fairly serious
problems if the same package name existed with multiple versions. I learned
this the hard way when I installed from a mirror that had not run to
completion and thus had not deleted the older packages.
Dpkg installed _both_ v