Re: Report to Recipient(s)

2003-02-25 Thread Wade Richards
On Wed, 26 Feb 2003 16:43:54 +1100, SCVBNOTES/SCVB/[EMAIL PROTECTED] writes: >Incident Information:- >Subject:FW: Take a look at update from Microsoft. > >Message from "Paul" <[EMAIL PROTECTED]> was quarantined >because it contained banned content. So I want to know: Was the content banned bec

Re: Report to Recipient(s)

2003-02-25 Thread Chris Shafer
On 0, SCVBNOTES/SCVB/[EMAIL PROTECTED] wrote: > Incident Information:- <---SNIP A BUNCH OF NAMES---> > > Message from "Paul" <[EMAIL PROTECTED]> was quarantined > because it contained banned content. I would like to personally thank you for saving my soul from the banned content.

Report to Recipient(s)

2003-02-25 Thread SCVBNOTES/SCVB/AU
Incident Information:- Originator: "Paul" <[EMAIL PROTECTED]> Recipients: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTEC

Re: [SECURITY] [DSA 253-1] New OpenSSL packages fix timing-based attack vulnerability

2003-02-25 Thread Matt Zimmerman
On Mon, Feb 24, 2003 at 07:41:20PM -0500, Raymond Wood wrote: > > For the unstable distribution (sid) this problem has been fixed in > > version 0.9.7a-1. > > > > We recommend that you upgrade your openssl packages. > [snip] > > On sid/unstable, I have installed all the recommended patches, > in

Re: Nessus 2.0.0 packages available

2003-02-25 Thread Javier Fernández-Sanguino Peña
On Tue, Feb 25, 2003 at 02:10:54PM +0100, Luis Gomez wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On Tuesday, 25 February 2003 13:53, Javier Fernández-Sanguino Peña wrote: > > The nessus-plugin stuff is the source package, in order to make the > > packages yourself just do:

Re: Nessus 2.0.0 packages available

2003-02-25 Thread Luis Gomez
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tuesday, 25 February 2003 13:53, Javier Fernández-Sanguino Peña wrote: > The nessus-plugin stuff is the source package, in order to make the > packages yourself just do: > > $ dpkg-source -x nessus-plugins_2.0.0-1.dsc > $ cd nessus-plugin

Re: Nessus 2.0.0 packages available

2003-02-25 Thread Javier Fernández-Sanguino Peña
On Tue, Feb 25, 2003 at 12:56:48PM +0100, Luis Gomez wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Great, but how about nessus-plugins? > > Your nessusd depends on nessus-plugins >= 1.3 , and Sarge provides > nessus-plugins 1.0.something, I think, so nessusd won't install.

Re: Nessus 2.0.0 packages available

2003-02-25 Thread Luis Gomez
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Great, but how about nessus-plugins? Your nessusd depends on nessus-plugins >= 1.3 , and Sarge provides nessus-plugins 1.0.something, I think, so nessusd won't install. I see some nessus-plugins files in your site (some gzipped stuff), do I have to

Re: Apache Virtual Hosts Chroot ?

2003-02-25 Thread Victor Calzado Mayo
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi You may find useful the apache's suEXEC wrapper, it can be configured to be used inside a virtualhost... http://httpd.apache.org/docs/suexec.html This won't work with php scripts if you have mod_php.so loaded ( the php interpreter will run as a

Nessus 2.0.0 packages available

2003-02-25 Thread Javier Fernández-Sanguino Peña
For those of you who are not aware of it: Nessus 2.0.0 has been released just today [1]. I've bugged Joy about this (Bug# 182411) but in order to make his (and my) life easier I've made new 2.0.0 packages for Nessus (i386 only). Just wanted to drop a note here in case anybody else wants to test th

pop3-ssl with virtual users using popa3d HOWTO

2003-02-25 Thread Tim van Erven
Hi all, Sorry for cross-posting, but I think this might be of interest to both lists. The debian-security folks might remember my initial mail on the subject of setting up pop3-ssl with virtual users using popa3d[1]. At the time there appeared to be some interest from people implementing a setup

Apcupsd < 3.8.6

2003-02-25 Thread Nicolas STRANSKY
Hi, I'd like to know if the apcupsd package in woody is vulnerable against the following exploit [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0098], as the woody version is 3.8.5-1.1 and the exploit has been described for versions prior to 3.8.6. Thank you, -- Nicolas Stransky

Re: Apache Virtual Hosts Chroot ?

2003-02-25 Thread Martynas Domarkas
I think you can set up chrooted logins for uploading files: your chroot will run sshd (proftpd?) and users will have their homes in chroot too. Play with home directory permissions so they have no possibility to access files they don't own. Another way is to let people upload files to other location than y

Re: [d-security] Apache Virtual Hosts Chroot ?

2003-02-25 Thread Christian Hammers
Hello On Tue, Feb 25, 2003 at 10:15:15AM +0100, debian-isp wrote: > - chrooting virtual hosts in apache ? We had great success with a tiny tool called sbox. All CGI/PHP requests are rewritten to "/cgi-bin/sbox?..." This sbox then looks to the file's owner and changes its uid to the one (if it's

Re: [SECURITY] [DSA 253-1] New OpenSSL packages fix timing-based attack vulnerability

2003-02-25 Thread Adrian 'Dagurashibanipal' von Bidder
On Mon, 2003-02-24 at 15:00, Martin Schulze wrote: > For the old stable distribution (potato) this problem has been fixed > in version 0.9.6c-0.potato.5. Please note that this updates the > version from potato-proposed-updates that supersedes the version in > potato. Hmm. Now that a date is being

Apache Virtual Hosts Chroot ?

2003-02-25 Thread debian-isp
Hi all ! I am just asking myself how to secure our webserver with a couple of virtual hosts. Currently we have a large installation of typo3 running. It has a feature called fileadmin with which you can easily upload files. As it is thereby possible to upload php scripts and execute via the b

Apcupsd < 3.8.6

2003-02-25 Thread Nicolas STRANSKY
Hi, I'd like to know if the apcupsd package in woody is vulnerable against the following exploit [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0098], as the woody version is 3.8.5-1.1 and the exploit has been described for versions prior to 3.8.6. Thank you, -- Nicolas Stransky -- T

Re: [SECURITY] [DSA 253-1] New OpenSSL packages fix timing-based attack vulnerability

2003-02-25 Thread Adrian 'Dagurashibanipal' von Bidder
On Mon, 2003-02-24 at 15:00, Martin Schulze wrote: > For the old stable distribution (potato) this problem has been fixed > in version 0.9.6c-0.potato.5. Please note that this updates the > version from potato-proposed-updates that supersedes the version in > potato. Hmm. Now that a date is being

Apache Virtual Hosts Chroot ?

2003-02-25 Thread debian-isp
Hi all ! I am just asking myself how to secure our webserver with a couple of virtual hosts. Currently we have a large installation of typo3 running. It has a feature called fileadmin with which you can easily upload files. As it is thereby possible to upload php scripts and execute via the br