On Thu, Dec 13, 2001 at 05:20:14PM +0100, Wichert Akkerman wrote:
[SNIP]
> package
> * dpkg will call debsig-verify to verify the signature and validate the
> package
>
> The last step is currently skipped since /etc/dpkg/dpkg.cfg includes
> the no-debsig option by default, otherwise debsig-ve
- Original Message -
From: "Thomas Hallaran" <[EMAIL PROTECTED]>
To: "Daniel Rychlik" <[EMAIL PROTECTED]>
Cc:
Sent: Friday, December 14, 2001 6:53 PM
Subject: Re: Exim mail
> spoofing mail:
> telnet to port 25 on machine you want to spoof through.
> 1. Type 'mail from: [EMAIL PROTECT
spoofing mail:
telnet to port 25 on machine you want to spoof through.
1. Type 'mail from: [EMAIL PROTECTED]' (address you want to send mail as)
2. Type 'rcpt to: [EMAIL PROTECTED]' (person you are sending mail to)
3. Type 'data'
4. Type 'whatever you want, ending with a period on its
Thanks for the reply on this. I just found the header info. It does appear
that he sent it from a remailer. Thanks again, Sorry for the stupidity.
Envelope-to: [EMAIL PROTECTED]
Received: from rly-ip02.mx.aol.com ([152.163.225.160])
by earth.rychlik.ws with esmtp (Exim 3.12 #1 (Debian))
id
Hello Daniel:
Please check if this was actually a root account that generated this e-mail.
I recall that ANY sender that gets access to the e-mail port can generate an
e-mail that may APPEAR to be from root.
I also am a newbie but not too green.
Jamie is correct that it is the false impression tha
On Fri, Dec 14, 2001 at 06:22:03PM -0600, Daniel Rychlik wrote:
> How do I stop this from happening? Apparently my bud telneted to port 25
> and somehow sent mail from my root account. Any suggestions, white papers
> or links? I'd like to block the telnet application altogether, but I
> d
Daniel Rychlik wrote:
> How do I stop this from happening? Apparently my bud telneted to port 25
> and somehow sent mail from my root account. Any suggestions, white papers
> or links? I'd like to block the telnet application altogether, but I
> don't think that's possible.
He didn't use
How do I stop this from happening? Apparently my bud telneted to port 25
and somehow sent mail from my root account. Any suggestions, white papers
or links? I'd like to block the telnet application altogether, but I
don't think that's possible.
Thanks in advance,
Daniel
I'm a newbie so ple
Can we arrange things so that security advisories can be published to the
website at the same time that they are released? They make it to LWN before
they are up on debian.org.
--
- mdz
--- Begin Message ---
Not Found
The requested URL /security/2001/dsa-093 was not found on this server.
On Fr
On Fri, Dec 14, 2001 at 10:59:47AM +0100, Wichert Akkerman wrote:
>
> > From what I know, this will be a supported scheme in the next release.
>
> Well, afaik base is frozen and the current released version of
> apt doesn't do that yet..
>
Of course, I meant next to woody, *not* woody...
Previously Javier Fernández-Sanguino Peña wrote:
> Should I do it?
Talk to Josip Rodin, he is currently responsible for doing this.
Personally I would love to see somebody else working on it as well.
> This means changing the current .data files and changing
> the way they are published so the BI
On Fri, Dec 14, 2001 at 12:45:41PM +0100, Wichert Akkerman wrote:
> Previously Javier Fernández-Sanguino Peña wrote:
> > A note for the Security Team: please add a new tag to the DSA's data:
> > and that would make it easier to
>
> Half the time we can't do that because we can't register a tag
Previously Javier Fernández-Sanguino Peña wrote:
> A note for the Security Team: please add a new tag to the DSA's data:
> and that would make it easier to
Half the time we can't do that because we can't register a tag since
the information can't be released yet. We could add them at a later
dat
(Please don't use overly long lines, it makes text hard to read).
Previously Javier Fernández-Sanguino Peña wrote:
> A far better scheme was the one proposed by Wichert (signing
> only one file: Packages.gz and establish a trust relationship
> like this):
FWIW, I didn't propose it I just described
On Thu, Dec 13, 2001 at 06:05:29PM -0600, Jor-el wrote:
> On Thu, 13 Dec 2001, Wichert Akkerman wrote:
>
> Note that if the packages are PGP / GPG signed, the problem is
> only a little less acute. Mr. Cracker could sign the package with his /
> her key. How would a user know that Mr. Cracke
As I said yesterday I wanted to prepare an answer to the question "How much
time does it take for Debian to fix a given bug?". I have made some analysis regarding
vulnerabilities detected and posted in bugtraq and those sent as DSAs. It has taken
some more time than expected since the DSA