clamav-freshclam volatile VS python-clamav

2008-07-10 Thread Elias Goldstein
Hi, I think i fuckd up the package system. I wanted a newer clamav and used the volatile packages - BUT I need python-clamav, which needs libclamav2 and now clamav-freshclam is "hold back". What can I do now? Please give me an advice. I do NOT want to install python-clamav package manually from

Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

2008-07-10 Thread Joey Hess
Florian Weimer wrote: > On the hand, if you don't build a network of your own, and your ISP > properly filters their Internet connection and their customer interfaces > to stop source address spoofing, it's not possible forge DNS traffic > which claims to come from the ISP resolver. (Since the add

Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

2008-07-10 Thread Rick Moen
Quoting Florian Weimer ([EMAIL PROTECTED]): > lwresd is far less-tested than BIND, and tweaking the NSS configuration > is something few people like to do. Incidentally, the documentation for nss_lwres suggests the following entry in /etc/nsswitch.conf, for Linux systems installing lwresd: "hosts

Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

2008-07-10 Thread Henrique de Moraes Holschuh
On Thu, 10 Jul 2008, Florian Weimer wrote: > * Henrique de Moraes Holschuh: > > 3. Install lwresd from an updated BIND9, install libnss-lwres, and replace > > "dns" with "lwres" in /etc/nsswitch.conf. Make sure to restart lwres when > > /etc/resolv.conf changes. > > lwresd is far less-tested tha

Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

2008-07-10 Thread Florian Weimer
* Noah Meyerhans: > On Wed, Jul 09, 2008 at 06:10:51PM +0200, Wolfgang Jeltsch wrote: >> > At this time, it is not possible to implement the recommended >> > countermeasures in the GNU libc stub resolver. >> >> I don???t have bind9 installed. Am I affected by the libc stub resolver bug? > > Yes.

Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

2008-07-10 Thread Florian Weimer
* Henrique de Moraes Holschuh: > 3. Install lwresd from an updated BIND9, install libnss-lwres, and replace > "dns" with "lwres" in /etc/nsswitch.conf. Make sure to restart lwres when > /etc/resolv.conf changes. lwresd is far less-tested than BIND, and tweaking the NSS configuration is somethin

Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

2008-07-10 Thread Rick Moen
Quoting Hubert Chathi ([EMAIL PROTECTED]): > I'm really more concerned about the fact that it's orphaned. And it > appears to be unmaintained upstream (last release in 2001, and > upstream moved it from the "releases" directory to the "old-releases" > directory). Point taken. I assume you are r

Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning

2008-07-10 Thread John Elliot
Hi, We have a couple of Sarge servers running bind9(9.2.4-1sarge3) that appear to be vulnerable to the DNS cache poisoning issue(Looks like port randomization was only introduced in bind9.3?) - As the servers cannot be upgraded at this time to etch, what is the recommended course of action? Back