Re: The same debian - different packages

2003-09-24 Thread przemolicc
On Wed, Sep 24, 2003 at 10:08:36PM +0700, Jean Christophe ANDRÉ wrote: > Could you please show us an apt-cache policy ssh on both servers? > > Here is mine: > > # apt-cache policy ssh > ssh: > Installed: 1:3.4p1-1.woody.3 > Candidate: 1:3.4p1-1.woody.3 > Version Table: > *** 1:3

Re: Watch out! vsftpd anonymous access always enabled!

2003-09-24 Thread Dariush Pietrzak
On Mon, Sep 22, 2003 at 10:18:20PM +0200, Bernd Eckenfels wrote: > In article <[EMAIL PROTECTED]> you wrote: > > Why do you think there's anything wrong with ftp? > > FTP is a firewall nightmare, You think? Firewalls are a nightmare, and the only result of preferring http-only protocols is what you'l

Re: services installed and running "out of the box"

2003-09-24 Thread Guido Lorenzutti
On Thu, 2003-09-25 at 03:19, Stefano Salvi wrote: > At 22.16 24/09/03 -0400, Noah L. Meyerhans wrote: > >How 'bout this idea: We can create a user-definable policy as to whether > >or not newly installed packages that provide init scripts actually have > >these init scripts run during their post

Re: services installed and running "out of the box"

2003-09-24 Thread Stefano Salvi
At 22.16 24/09/03 -0400, Noah L. Meyerhans wrote: How 'bout this idea: We can create a user-definable policy as to whether or not newly installed packages that provide init scripts actually have these init scripts run during their postinst. So, we have a file in /etc/defaults or something that is

Re: services installed and running "out of the box"

2003-09-24 Thread Adam Lydick
I haven't done more than look at the screenshots for it, but the "personal firewall" (e.g. an iptables frontend) that comes with RH9 looks to be default deny for most incoming traffic while providing a nice (read: graphical and straightforward) way to punch essential holes through it as needed. (and o

Re: services installed and running "out of the box"

2003-09-24 Thread Adam Lydick
I like that idea, and it sounds fairly simple - packages just check /etc/secure_level (or something similar) and do the "right thing". The tricky part is convincing every package maintainer to adopt it ;) There are some "hardening" packages available, but I haven't had a chance to play with them y
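
The per-site switch discussed in this thread (a file under /etc that decides whether a freshly installed package's init script is started from its postinst) does not actually need every maintainer to adopt it, because Debian's invoke-rc.d, which maintainer scripts use to start services, consults /usr/sbin/policy-rc.d when that file exists and treats exit status 101 as "action forbidden": the package still installs, the daemon is just not started. What follows is an added example, not code from this thread or from Debian: a policy-rc.d written in Python. The policy file path /etc/default/policy-rc and its line format (`default allow|deny`, then `allow NAME` / `deny NAME` overrides) are assumptions for the example, and the sample policy text is constructed.

```python
#!/usr/bin/env python3
"""Added example: a /usr/sbin/policy-rc.d hook (not from the thread, not Debian code).

invoke-rc.d calls the hook as:  policy-rc.d [--quiet] INITSCRIPT ACTION [RUNLEVEL]
Exit 0 = allow the action, 101 = action forbidden (invoke-rc.d skips the
start, the maintainer script continues, the package installs fine).

The policy file location and its line format are assumptions for this example.
"""
from __future__ import annotations
import sys

POLICY_FILE = "/etc/default/policy-rc"   # assumed path, not a standard Debian file
ALLOW, FORBID = 0, 101                   # invoke-rc.d's documented exit codes
# Only these actions can bring up a new listener; stop/status are always allowed.
GATED_ACTIONS = {"start", "restart", "force-reload"}


def parse_policy(text: str) -> tuple[str, dict[str, str]]:
    """Parse 'default allow|deny' and 'allow NAME' / 'deny NAME' lines.
    '#' starts a comment; later lines override earlier ones."""
    default, overrides = "allow", {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "default" and len(parts) == 2 and parts[1] in ("allow", "deny"):
            default = parts[1]
        elif parts[0] in ("allow", "deny") and len(parts) == 2:
            overrides[parts[1]] = parts[0]
        else:
            raise ValueError(f"bad policy line: {raw!r}")
    return default, overrides


def decide(initscript: str, actions: str, policy_text: str | None) -> int:
    """Exit status policy-rc.d should return for this initscript/action pair.
    `actions` may be a space-separated list, as invoke-rc.d is allowed to pass."""
    if policy_text is None:                 # no policy file: behave as if the hook were absent
        return ALLOW
    if not (set(actions.split()) & GATED_ACTIONS):
        return ALLOW
    default, overrides = parse_policy(policy_text)
    verdict = overrides.get(initscript, default)
    return ALLOW if verdict == "allow" else FORBID


# Constructed sample policy: deny new daemons by default, but let sshd start.
SAMPLE_POLICY = """\
# assumed format for /etc/default/policy-rc
default deny
allow ssh
deny  portmap      # explicit, even though the default already covers it
"""


def main(argv: list[str]) -> int:
    args = [a for a in argv[1:] if a != "--quiet"]
    if len(args) < 2:
        return ALLOW        # malformed call: this example chooses to allow rather than break dpkg
    try:
        with open(POLICY_FILE) as fh:
            policy = fh.read()
    except OSError:
        policy = None       # missing or unreadable policy file: allow
    return decide(args[0], args[1], policy)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it as /usr/sbin/policy-rc.d with mode 0755; `apt-get install` of a package that ships an init script then still unpacks and configures the package, but the start from postinst is refused for anything not on the allowlist, and `invoke-rc.d ssh start` by hand is still subject to the same policy.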

Re: Verisign has hijacked www.xmms.org

2003-09-24 Thread Noah L. Meyerhans
On Tue, Sep 23, 2003 at 02:08:29AM +0200, Michelle Konzack wrote: > I was surfing the Website for new skins and > at one click... > > ...xmms was hijacked !!! > > No access on xmms possible. Can anyone confirm this please... > Please Cc: me. Nope. Worked just fine for me.

Re: services installed and running "out of the box"

2003-09-24 Thread Adam Lydick
Agreed. The X maintainers (as one example) started doing that a while back. I run exim and a few other services like this (manually configured, sadly). On Wed, 2003-09-24 at 15:04, Florian Weimer wrote: > On Wed, Sep 24, 2003 at 01:42:01PM -0700, Adam Lydick wrote: > > > Is there any effort to r

Verisign has hijacked www.xmms.org

2003-09-24 Thread Michelle Konzack
Hello All, I was surfing the Website for new skins and at one click... ...xmms was hijacked !!! No access on xmms possible. Can anyone confirm this please... Please Cc: me. Three other .org Domains (my own) are hijacked this afternoon too. Thanks Michelle -- Registere

RE: services installed and running "out of the box"

2003-09-24 Thread Jones, Steven
There is a debian security manual I believe. I agree with you, leaving services running by default in this day and age is really a no-no. regards Steven -Original Message- From: Adam Lydick [mailto:[EMAIL PROTECTED] Sent: Wednesday, 24 September 2003 11:42 PM To: debian-security@lists.de

Re: services installed and running "out of the box"

2003-09-24 Thread Noah L. Meyerhans
On Wed, Sep 24, 2003 at 09:52:07PM -0400, Michael Stone wrote: > Except, what is "default"? If you install a workstation task should you > assume that you'll get open ports? (As the task packages pull in > dependencies, etc.) I think it makes more sense to provide a safety net > than to try to pred

Re: services installed and running "out of the box"

2003-09-24 Thread Michael Stone
On Wed, Sep 24, 2003 at 09:39:32PM -0400, Noah L. Meyerhans wrote: Well, remember that the scope of this discussion is the default Debian installation. Except, what is "default"? If you install a workstation task should you assume that you'll get open ports? (As the task packages pull in depend

Re: services installed and running "out of the box"

2003-09-24 Thread Noah L. Meyerhans
On Wed, Sep 24, 2003 at 09:01:26PM -0400, Michael Stone wrote: > Until installing a package has the side effect of installing a network > service. Having a default-deny-incoming firewall or some such would go a > long way toward preventing accidental vulnerability exposure. Well, remember that the

Re: MS BS

2003-09-24 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote: > I am looking for the same solution. However, I am getting 40 to 70 of such > mails within 2 hours. There should be a possibility with > exim-4.1, but > nothing for exim-3.X i am using clamscan with exiscan on exim-3 and it works well, besides the fact that

Re: OpenSSH in Woody

2003-09-24 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote: > and what about ssh/potato? > I don't see anything about a new upgrade for ssh in potato? Potato is no longer supported by the debian security team, as you can read in the faq. It is unfortunate, I still have some systems running.. well.. thank god no

Re: services installed and running "out of the box"

2003-09-24 Thread Steve Wray
On Thu, 25 Sep 2003 12:16, Noah L. Meyerhans wrote: > On Thu, Sep 25, 2003 at 11:12:28AM +1200, Steve Wray wrote: > > For what its worth, and without wanting a distro-religious war about it, > > Mandrake has a variety of security levels, which can be locally > > configured, and which can allow exac

Re: services installed and running "out of the box"

2003-09-24 Thread Michael Stone
On Wed, Sep 24, 2003 at 08:16:41PM -0400, Noah L. Meyerhans wrote: Basically, I think that "security levels" don't gain you anything over "don't install the package". Until installing a package has the side effect of installing a network service. Having a default-deny-incoming firewall or som
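
The safety net Michael describes, as an added example that is not code from this thread: a Python script that renders an iptables-restore ruleset with INPUT defaulting to DROP (loopback, established/related replies and ICMP echo accepted, plus an explicit allowlist of ports), and then checks a `netstat -tln`-style listing of listening sockets against that allowlist, so you can see which daemons a package pulled in would be listening but unreachable from outside. The sample netstat output is constructed (portmap on 111, an rpc.statd-style high port, a loopback-only MTA); the function names and the choice of holes are mine.

```python
"""Added example: default-deny-incoming firewall as a safety net (not from the thread)."""
from __future__ import annotations
import re


def render_ruleset(allowed: list[tuple[str, int]]) -> str:
    """Return an iptables-restore(8) filter table: INPUT drops by default,
    loopback and reply traffic are accepted, plus the given (proto, port) holes."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT",
    ]
    for proto, port in allowed:
        if proto not in ("tcp", "udp") or not 0 < port < 65536:
            raise ValueError(f"bad hole: {proto}/{port}")
        lines.append(f"-A INPUT -p {proto} --dport {port} -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


# Constructed sample of `netstat -tln` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
"""

# proto, recv-q, send-q, local addr:port, foreign addr, optional state
_LISTEN_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+LISTEN)?\s*$")


def parse_listeners(netstat_output: str) -> list[tuple[str, str, int]]:
    """Extract (proto, bind_address, port) for each listening socket line."""
    found = []
    for line in netstat_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2), int(m.group(3))))
    return found


def audit(netstat_output: str,
          allowed: list[tuple[str, int]]) -> dict[str, list[tuple[str, int]]]:
    """Classify listeners under the ruleset: 'exposed' are reachable through a hole,
    'shielded' listen on all interfaces but hit the DROP policy, 'local' are bound
    to loopback and never reachable from outside regardless of the firewall."""
    holes = set(allowed)
    out: dict[str, list[tuple[str, int]]] = {"exposed": [], "shielded": [], "local": []}
    for proto, addr, port in parse_listeners(netstat_output):
        if addr.startswith("127.") or addr == "::1":
            out["local"].append((proto, port))
        elif (proto, port) in holes:
            out["exposed"].append((proto, port))
        else:
            out["shielded"].append((proto, port))
    return out


if __name__ == "__main__":
    holes = [("tcp", 22)]
    print(render_ruleset(holes))
    for kind, socks in audit(SAMPLE_NETSTAT, holes).items():
        print(f"{kind:9s} {socks}")
```

Load the rendered table with `iptables-restore < rules` (and save it to be applied at boot). The audit output is the point of the safety net: portmap and the high RPC port still run, but a package that starts them no longer changes what the network can reach until you deliberately add a hole.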

Re: MS BS

2003-09-24 Thread Michael Stone
On Mon, Sep 22, 2003 at 10:14:43PM +0100, Thomas Horsten wrote: guess they are out there. Anyway, if you are truly security conscious you should consider switching to qmail in any case. Not. Postfix is just as good, but without an obnoxious license. Mike Stone

Re: FTP in general (Re: Watch out! vsftpd anonymous access always enabled!)

2003-09-24 Thread Michael Stone
On Wed, Sep 24, 2003 at 04:37:30PM -0700, Rick Moen wrote: I should have defined my terms: When I said ftp transfers are more reliable than are ftp ones (in my experience), I meant that, once Thank you for clearing that up. Mike Stone

Re: services installed and running "out of the box"

2003-09-24 Thread Noah L. Meyerhans
On Thu, Sep 25, 2003 at 11:12:28AM +1200, Steve Wray wrote: > For what its worth, and without wanting a distro-religious war about it, > Mandrake has a variety of security levels, which can be locally configured, > and which can allow exactly this sort of behavior; Honestly, I think we can get awa

Re: FTP in general (Re: Watch out! vsftpd anonymous access always enabled!)

2003-09-24 Thread Rick Moen
Quoting Bernd Eckenfels ([EMAIL PROTECTED]): > Actually HTTP is much more reliable than FTP. I should have defined my terms: When I said ftp transfers are more reliable than are ftp ones (in my experience), I meant that, once started, they are much less prone to dying. That is observed fact. >

Re: MS BS

2003-09-24 Thread Thomas Horsten
On Mon, 22 Sep 2003, Ted Roby wrote: > My secalert account for these lists is being drenched with 40 to 70 of > these fake Microsoft Update emails per day. > My filters on my client dump them to a Junk folder, but I would prefer > it if my Exim filter would do the job at the server level instead.

Re: services installed and running "out of the box"

2003-09-24 Thread Steve Wray
For what its worth, and without wanting a distro-religious war about it, Mandrake has a variety of security levels, which can be locally configured, and which can allow exactly this sort of behavior; At high security levels, any new services that get installed (from RPMs) are only allowed from loc

Re: Watch out! vsftpd anonymous access always enabled!

2003-09-24 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote: > Why do you think there's anything wrong with ftp? FTP is a firewall nightmare, it is insecure (plaintext), the more advanced features are not standardized. Even parsing the directory output is terror to the programmer. Greetings Bernd -- eckes privat - h

Re: FTP in general (Re: Watch out! vsftpd anonymous access always enabled!)

2003-09-24 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote: > I _do_ love lftp, and will have to mention it in the referenced document. > (Thanks.) It certainly is fast and easy (as is wget), but "reliable" is > somewhat precluded by the http protocol itself. (Admittedly, this is > being picky, and "wget -c" fixes

Re: services installed and running "out of the box"

2003-09-24 Thread Florian Weimer
On Wed, Sep 24, 2003 at 01:42:01PM -0700, Adam Lydick wrote: > Is there any effort to reduce the number of services running on a > default debian install? For example: a typical workstation user doesn't > really need to have inetd enabled, nor portmap (unless they are running > fam or nfs -- which

Re: services installed and running "out of the box"

2003-09-24 Thread Dale Amon
On Wed, Sep 24, 2003 at 03:59:28PM -0400, Noah L. Meyerhans wrote: > For starters, I think portmap, rpc.statd, and inetd should not run by > default. Not running a mail server (or perhaps only running one on the > loopback interface) would be nice, too. It can be damnably difficult to dump the we

Re: Newest OpenSSH advisory

2003-09-24 Thread Matt Zimmerman
On Wed, Sep 24, 2003 at 12:12:54PM +0300, Riku Anttila wrote: > According to http://www.openssh.com/txt/sshpam.adv there are multiple > vulnerabilities in the "new PAM code of Portable OpenSSH". > > It sounds as if it's limited to versions 3.7p1 and 3.7.1p1, but I thought > I'd ask if anyone kno

Re: services installed and running "out of the box"

2003-09-24 Thread Noah L. Meyerhans
On Wed, Sep 24, 2003 at 01:59:16PM -0500, Ryan Underwood wrote: > > Is there any effort to reduce the number of services running on a > > default debian install? For example: a typical workstation user doesn't > > really need to have inetd enabled, nor portmap (unless they are running > > fam or nf

Re: The same debian - different packages

2003-09-24 Thread Angus D Madden
Yogesh Sharma, Wed, Sep 24, 2003 at 09:14:52AM -0700: > As far as my understanding goes, ssh was patched recently for security > fixes, so it should be coming from security.debian.org not us.debian.org. > Now security.debian.org is not at all mirrored for security reasons, then > how does he have 2 diff

Re: The same debian - different packages

2003-09-24 Thread Jan Niehusmann
On Wed, Sep 24, 2003 at 01:04:20PM +, [EMAIL PROTECTED] wrote: > ii  ssh  3.4p1-2  Secure rlogin/rsh/rcp replacement > (OpenSSH) This version of ssh is neither directly from woody (which still has 3.4p1-1) nor from security.debian.org (which has 1:3.4p1-1.woody.3, and

Re: services installed and running "out of the box"

2003-09-24 Thread Ryan Underwood
Hi, On Wed, Sep 24, 2003 at 01:42:01PM -0700, Adam Lydick wrote: > Is there any effort to reduce the number of services running on a > default debian install? For example: a typical workstation user doesn't > really need to have inetd enabled, nor portmap (unless they are running > fam or nfs --

Re: MS BS + Sorting out the virii

2003-09-24 Thread Tomasz Papszun
[ I'm resending it because yesterday's try didn't appear on the list. Thomas Ritter has already answered the copy which I sent directly to him. ] On Wed, 24 Sep 2003 at 1:54:42 +0200, Thomas Ritter wrote: > > Just a note: Open Antivirus programs like clamav are not perfect, because the > open

Re: The same debian - different packages

2003-09-24 Thread Yogesh Sharma
As far as my understanding goes, ssh was patched recently for security fixes, so it should be coming from security.debian.org not us.debian.org. Now security.debian.org is not at all mirrored for security reasons, then how does he have 2 different versions of ssh? 1. Does he have a proper /etc/apt/sources.

Re: The same debian - different packages

2003-09-24 Thread Manfred Schmitt
[EMAIL PROTECTED] wrote: > On Wed, Sep 24, 2003 at 02:46:44PM +0200, J.H.M. Dassen (Ray) wrote: > > > > And /etc/apt/preferences? Sounds like they're using different pinning > > settings. > > serverA:~# cat /etc/apt/preferences > cat: /etc/apt/preferences: No such file or directory > > The same

Re: MS BS + Sorting out the virii

2003-09-24 Thread Michel Messerschmidt
On Wed, Sep 24, 2003 at 01:54:42AM +0200, Thomas Ritter wrote: > And... a mail with a positive virus recognition can be deleted without having > to fear it's a false positive, against which a mail found to be Spam by > Spamassassin may be a real mail. This is not true. There's always the possi

Re: MS BS + Sorting out the virii

2003-09-24 Thread Michel Messerschmidt
On Wed, Sep 24, 2003 at 03:23:35PM +0200, Thomas Ritter wrote: > Yes, I don't know the name, but there's a reference standard virus list. I think you're talking about the Wildlist (www.wildlist.org). That's not a reference list, but simply a list of viruses reported as "currently active" by at le

Re: The same debian - different packages

2003-09-24 Thread Angus D Madden
[EMAIL PROTECTED], Wed, Sep 24, 2003 at 01:04:20PM +: > > Why the two servers, upgraded from the same server have different ssh > packages ? The same is with some other packages, e.g.: xfree86-common > I noticed the exact same behavior on one of my machines. After a number of updates apt w

Re: The same debian - different packages

2003-09-24 Thread przemolicc
On Wed, Sep 24, 2003 at 02:46:44PM +0200, J.H.M. Dassen (Ray) wrote: > On Wed, Sep 24, 2003 at 13:04:20 +, [EMAIL PROTECTED] wrote: > > I have strange result on two of our debian servers - both are woody. The > > first one (A) has kernel 2.4.19, the other one (B) - 2.4.22. The A server > > is alm

Re: MS BS + Sorting out the virii

2003-09-24 Thread Thomas Ritter
On Wednesday, 24 September 2003 02:34, Tomasz Papszun wrote: > Sorry but I must say that this is an incorrect claim. okay, not exclusively > Currently ClamAV's own database is quite big and is updated even a > couple of times a day if needed. It's quite good at new viruses caught > "in the wild"

Re: The same debian - different packages

2003-09-24 Thread J.H.M. Dassen (Ray)
On Wed, Sep 24, 2003 at 13:04:20 +, [EMAIL PROTECTED] wrote: > I have strange result on two of our debian servers - both are woody. The > first one (A) has kernel 2.4.19, the other one (B) - 2.4.22. The A server > is almost daily checked against new packages, the B server was upgraded > yesterday

Re: ProFTPD ASCII File Remote Compromise Vulnerability

2003-09-24 Thread Sven Hoexter
On Tue, Sep 23, 2003 at 04:26:14PM -0400, Matt Zimmerman wrote: > On Tue, Sep 23, 2003 at 02:45:24PM -0500, Bender, Jeff wrote: Hi, > > Looking for the Debian Woody patch. Anyone know if it is available or if > > this version is exploitable? > > According to the maintainer, the version in woody

Re: Newest OpenSSH advisory

2003-09-24 Thread Ramon Kagan
My understanding and look at the changelog is that there has been a significant amount of work in the pam components of openssh from version 3.6.x to 3.7.x. It is this new code that has the vulnerability. Ramon Kagan York University, Computing and Network Services Unix Team - Senior Unix Systems

services installed and running "out of the box"

2003-09-24 Thread Adam Lydick
Is there any effort to reduce the number of services running on a default debian install? For example: a typical workstation user doesn't really need to have inetd enabled, nor portmap (unless they are running fam or nfs -- which isn't enabled by default) Is this something that needs to be taken u

The same debian - different packages

2003-09-24 Thread przemolicc
I have strange result on two of our debian servers - both are woody. The first one (A) has kernel 2.4.19, the other one (B) - 2.4.22. The A server is almost daily checked against new packages, the B server was upgraded yesterday. Both have the same sources.list But server A: serverA:~# dpkg -l ssh

Newest OpenSSH advisory

2003-09-24 Thread Riku Anttila
According to http://www.openssh.com/txt/sshpam.adv there are multiple vulnerabilities in the "new PAM code of Portable OpenSSH". It sounds as if it's limited to versions 3.7p1 and 3.7.1p1, but I thought I'd ask if anyone knows for a fact that the older version in Woody does not have this code.

Re: ProFTPD ASCII File Remote Compromise Vulnerability

2003-09-24 Thread Dariush Pietrzak
On Tue, Sep 23, 2003 at 04:13:02PM -0500, Jeff Bender wrote: > Thanks. Do you happen to have a link where this might be posted? Well.. The advisory talks about a version higher than the one in woody. -- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9