Re: Bug#1040901: Upcoming changes to Debian Linux kernel packages

r message for this, but I'm not exactly sure. It should be verified that this detection will work the way you expect, so that the error message doesn't change and create a support burden for the installer team. Currently kernel-wedge generates the udeb package names and would need

Re: [SECURITY] [DSA 5173-1] linux security update

On Mon, 2022-07-04 at 22:17 +0200, Kurt Roeckx wrote: > On Sun, Jul 03, 2022 at 03:49:12PM +0000, Ben Hutchings wrote: > > > > For the oldstable distribution (buster), these problems have been > > fixed in version 4.19.249-2. > > It seems that linux-image-amd64 does

Re: [SECURITY] [DSA 4187-1] linux security update

On Thu, 2018-05-03 at 00:06 +0100, Dominic Hargreaves wrote: > On Tue, May 01, 2018 at 05:12:02PM +0000, Ben Hutchings wrote: > > - > > Debian Security Advisory DSA-4187-1 secur...@debia

Re: NSA software in Debian

ing > patches for GRSecurity and LSM/SELinux and doing this for every new Debian > kernel package and new version of GRSecurity and LSM/SELinux. > > http://packages.debian.org/jessie/linux-patch-grsecurity2 [...] I bet it doesn't apply to 3.2.y any more... no, it doesn't. B

Re: possible /dev/random compromise (misplaced trust in RDRAND / Padlock entropy sources)

andom, but credited as providing only a fraction of a bit of entropy. get_random_bytes() was changed to not use an architectural HWRNG. get_random_int() and get_random_bytes_arch() will use it and it is documented that they are not suitable for cryptographic purposes. Ben. -- Ben Hutchings Knowledge is power. France is bacon. signature.asc Description: This is a digitally signed message part

Re: [SECURITY] [DSA 2480-1] request-tracker3.8 security update

Hi I also came across this issue applying the fix yesterday. I did resolve it though by doing an apache restart. Ben Dominic Hargreaves wrote: > On Fri, May 25, 2012 at 09:29:44AM +0100, Dominic Hargreaves wrote: >> On Thu, May 24, 2012 at 07:37:03PM +0200, Moritz Muehlenh

Re: Bug#605090: Linux 3.2 in wheezy

rking on user-space hardening. > Well IMHO, at best, one should never need to rund anything from outside > the Debian archives ;) Wishing it so doesn't make it practically possible. Ben. -- Ben Hutchings We get into the habit of living before acquiring the habit of thinking.

Re: Bug#605090: Linux 3.2 in wheezy

On Wed, Feb 01, 2012 at 06:41:43PM +0100, Yves-Alexis Perez wrote: > On mer., 2012-02-01 at 14:32 +0000, Ben Hutchings wrote: > > On Wed, 2012-02-01 at 10:51 +0100, Yves-Alexis Perez wrote: > > > On mer., 2012-02-01 at 10:34 +0100, Wouter Verhelst wrote: > > > > On W

Re: Bug#605090: Linux 3.2 in wheezy

> member of the security team, It's definitely something I would object. > > > > Well, that's what we have the 'linux-source' packages for: to allow > > other packages to build-depend on them. > > > > Hmhm, that might be a good idea indeed. I

Re: Linux 3.2 in wheezy

On Mon, 2012-01-30 at 11:05 +0100, Yves-Alexis Perez wrote: > (adding few CC:s to keep track on the bug) > > On dim., 2012-01-29 at 21:26 +, Ben Hutchings wrote: > > On Sun, 2012-01-29 at 20:57 +0100, Yves-Alexis Perez wrote: > > > On dim., 2012-01-29 at 18:22 +0

Re: Upcoming stable point release

tant changes pending, including a fix for a regression in 2.6.32-40 (currently in stable-proposed-updates). I can probably make an upload this weekend, but cannot promise that a further upload will not be needed. We need some testing of the isci driver (added in 2.6.32-40) and more generally regres

RE: [SECURITY] [DSA 2222-1] tinyproxy security update

unsubscribe Cordialement, your sincerely, European Parliament Richard BEN ALEYA -Original Message- From: Moritz Muehlenhoff [mailto:j...@debian.org] Sent: 20 April 2011 19:16 To: debian-security-annou...@lists.debian.org Subject: [SECURITY] [DSA -1] tinyproxy security update

Re: Fwd: Fwd: question regarding verification of a debian installation iso

or any other checksum) of > the original files. How would the USB drive tell whether you were reading the file to verify its checksum or to use its contents? -- Ben Pfaff http://benpfaff.org -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "u

Re: [SECURITY] [DSA 1912-1] New camlimages fix arbitrary code execution

For the most part I'm on holidays until 19th of Oct. Cheers Benny If this is an Urgent ticket please submit a repair ticket herehttp://ts.sd57.bc.ca I will be checking my mail during the week! Personal contacts phone me cell at 250-640-3100 Thanks Benn -- To UNSUBSCRIBE, email to debian-se

Re: bind9_9.5.1.dfsg.P1-1_i386.changes is NEW

essive cache entry removal. Closes: #511768 > - other bug fixes worthy of patch-release inclusion This looks like much too big a change to get into lenny now. You'll probably need to upload just the two critical fixes to t-p-u or testing-security. Ben. signature.asc Description:

Re: clamav.* package versions (etch)

e.” —David Hume | _o__) | Ben Finney -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Security Debian Questions

ories about Debian packages on this list." -- Ben Pfaff http://benpfaff.org -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: policy change is needed to keep debian secure

Matt Zimmerman wrote: I guess you aren't reading my mail, then. He may well be. Which browser are you using? -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: On Mozilla-* updates

Matt Zimmerman wrote: Ben has now explained that this is in fact not sufficient. No, I have not. Please read again what I wrote. There is clearly a communication gap. And it's not on my end. You still haven't answered my very specific questions about your problems and wha

Re: On Mozilla-* updates

antgel wrote: 2) Mozilla security patches are not easy to find and isolate. Ben has disputed this, saying that we should be able to extract all necessary patches. Public ones from http://www.mozilla.org/projects/security/known-vulnerabilities.html then bugzilla, and embargoed ones via mdz

Re: On Mozilla-* updates

Adeodato Simó wrote: "Publish to distributions" is effectively the same as making it completely public, so they won't. Wrong. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contac

Re: On Mozilla-* updates

Thomas Bushnell BSG wrote: It would be very nice if Mozilla would publish to distributions like ours a description of the security problem, and then a separate patch for that specific problem. 1. You to be going to

Re: On Mozilla-* updates

Matt Zimmerman wrote: To organize their development processes such that patches can be backported with a reasonable amount of effort. I wrote a response, but deleted it, because I simply don't understand what you mean. Please be concrete, very very concrete. I'm in Los Angeles, California,

Re: On Mozilla-* updates

Matt Zimmerman wrote: I'm guessing that you're not going to volunteer on the manpower side Actually, he did, in the previous posting. Which is admirable, because this is a dauntingly huge task (and he seems semi-aware of it) - in the area of a few hours *per week*, on average. mozilla.org (an

Importance of browser security (was: On Mozilla-* updates)

Stefano Salvi wrote: I prefer to have no X on the server and administer it from command line or Web interfaces (command line is better). Let's say 1. You use Mozilla from sarge 2. Somebody cracks you through known holes in that old Mozilla, either a mass exploit or an enemy of you sp

Re: On Mozilla-* updates

there that prevent you from shipping Firefox 1.0.6 and Mozilla 1.7.11 right now? In the end, though, you have to drop the idea of keeping the everything as-is, no user-noticable changes, for 3 years. You have to lose your current ideas and put security first. (I'm not including freedom

Re: safety of encrypted filesystems

martin f krafft <[EMAIL PROTECTED]> writes: > However, doesn't CBC or EBC make sure that every block is > chained to its predecessor, making even the very last block of > a file dependent on the bits of the very first block? Yes and no. If you change the first block in a set of CBC-chained block

Re: Procmail recipe for Nitwit unsubscribers who can't read DU sigs.

I've been adding unsubscribe requests and out-of-the-office-nitwit replies to my spam folder, and then training Ye Olde Classifier Of Choyce upon them. Works reasonably well... -- Ben Pearre http://hebb.mit.edu/~ben PGP: CFDA6CDA Don't let Bush read your email!

Re: arp table overflow due to windows worm (resolved)

/24 subnet and I reduced the arp cache size to 1024 again. And even though I can see 5 infected machine blasting through the network right now everything works fine. Cheers, Ben -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: arp table overflow due to windows worm

Use Iface 134.102.0.0/16 0.0.0.0 UG 0 0 0 eth1 With such a routing entry the firewall will try and resolve mac addresses when the worm is scanning 134.102.xxx.0 subnets, right? I off to the site to do some experimenting. Thanks, a lot so far. I'll post my findings. be

arp table overflow due to windows worm

e lan are extremely slow and unreliable. Should it really be possible for a single infected windows machine to dos a linux firewall? Please tell me it's not true and there's just something I'm overlooking. I'm at my wits end here and don't even know what to try next. So

Re: Bug#257165: udev: input device permissions

> It has been broken for weeks and somebody only noticed a couple of days > ago, if you can't update the config file by yourself I'm sure you can > wait for a few days while I work on other issues. It was repaired on my box before I reported it, of course. Given that it's a single user machine,

Re: Bug#257165: udev: input device permissions

Actually, re-reading the definitions in reportbug, this seems to be *critical*. Why doesn't anyone DO anything about this? NMU? Something??? > On Thu, Jul 01, 2004 at 10:28:04AM -0700, Itay Ben-Yaacov wrote: > > Package: udev > > Version: 0.026-1 > > Severity:

Re: DSA 282-1 and Bug #156937

On Wed, Apr 09, 2003 at 11:43:28AM -0400, John Kuhn wrote: > I just inherited a Debian SPARC box and the first thing I tried to do with > it was install the new glibc packages for DSA 282. I ran into bug #156937: > libc6-sparc64 2.2.5-11 conflicts with gcc-3.0. Running Woody. Any > suggestions?

Re: port 16001 and 111

On Tuesday 29 October 2002 01:02 am, Jean Christophe ANDRÉ wrote: > Hi, > > ben écrivait : > > way overkill. 16001 isn't being scanned and 111 is the most common target > > after 25. you're suggesting that the guy turn his server into a > > honeypot--to what

Re: port 16001 and 111

turn his server into a honeypot--to what end? disable portmap and nothing can get at 111. there's a difference between simply securing a box and assuming a role as cyber-detective. the former solves the problem, the latter has no end. ben

Re: port 16001 and 111

On Tuesday 29 October 2002 01:02 am, Jean Christophe ANDRÉ wrote: > Hi, > > ben écrivait : > > way overkill. 16001 isn't being scanned and 111 is the most common target > > after 25. you're suggesting that the guy turn his server into a > > honeypot--to what

Re: port 16001 and 111

turn his server into a honeypot--to what end? disable portmap and nothing can get at 111. there's a difference between simply securing a box and assuming a role as cyber-detective. the former solves the problem, the latter has no end. ben -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Access on Port 0

Wade Richards <[EMAIL PROTECTED]> writes: > Notice the "PROTO=UDP" part of the message. It means that this > is a UDP packet, not a TCP packet. UDP is not a socket-based > protocol, so the port number is meaningless for UDP packets. This statement is nonsense. Both TCP and UDP have 16-bit port

Re: Access on Port 0

Wade Richards <[EMAIL PROTECTED]> writes: > Notice the "PROTO=UDP" part of the message. It means that this > is a UDP packet, not a TCP packet. UDP is not a socket-based > protocol, so the port number is meaningless for UDP packets. This statement is nonsense. Both TCP and UDP have 16-bit port

Re: Report on last cmd

On Monday 07 October 2002 04:14 am, Rune Kristian Viken wrote: > Ben wrote: > >>> shove off, troll > >> > >> I'm not sure why you're calling me a troll, but I would appreciate > >> it if you at least _attempted_ to be a tad more polite. > >

Re: Report on last cmd

On Monday 07 October 2002 02:21 am, Rune Kristian Viken wrote: > Monday, ben wrote: > > shove off, troll > > Uh.. WHAT? > > I'm not sure why you're calling me a troll, but I would appreciate it > if you at least _attempted_ to be a tad more polite. i'd

Re: Report on last cmd

On Monday 07 October 2002 04:14 am, Rune Kristian Viken wrote: > Ben wrote: > >>> shove off, troll > >> > >> I'm not sure why you're calling me a troll, but I would appreciate > >> it if you at least _attempted_ to be a tad more polite

Re: Report on last cmd

On Monday 07 October 2002 02:21 am, Rune Kristian Viken wrote: > Monday, ben wrote: > > shove off, troll > > Uh.. WHAT? > > I'm not sure why you're calling me a troll, but I would appreciate it > if you at least _attempted_ to be a tad more polite. i'd

Re: Report on last cmd

shove off, troll ben

Re: Report on last cmd

shove off, troll ben -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Report on last cmd

x27;s. i just tried an ftp connection to you and an anonymous login was rejected, so it's unlikely that anybody has done any harm there. the incidents in your sendmail logs are probably part of a port scan. you should make sure that the rest of your system is solid. ben

Re: Report on last cmd

x27;s. i just tried an ftp connection to you and an anonymous login was rejected, so it's unlikely that anybody has done any harm there. the incidents in your sendmail logs are probably part of a port scan. you should make sure that the rest of your system is solid. ben -- To UNSUBSCRIBE,

Re: SubRPC vulnerability: is Debian libc6 affected?

> > It looks like it is fixed in glibc 2.2.5-8, but again, it never made > > into official announcement. > > On woody, I believe Ben have been already working, but I don't know > its status. Ben? Should I go ahead for woody? Woody and potato are already uploaded to s

ot -- delivery errors

after both of my posts to the security list, i received delivery error messages in the form of: On Monday 29 July 2002 01:10 pm, [EMAIL PROTECTED] wrote: > No such user: [EMAIL PROTECTED] is anyone else seeing the same or similar? ben -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] wit

Re: Fwd: RAZOR advisory: Linux util-linux chfn local root vulnerability

On Monday 29 July 2002 01:04 pm, Wichert Akkerman wrote: > Previously ben wrote: > > when you say 'doesn't use,' do you perhaps mean 'never invokes'? because: > > > > # find / -name chfn > > /usr/bin/chfn > > /etc/pam.d/chfn > > Dif

Re: Fwd: RAZOR advisory: Linux util-linux chfn local root vulnerability

gt; > Debian doesn't use chfn & friends from util-linux. > when you say 'doesn't use,' do you perhaps mean 'never invokes'? because: # find / -name chfn /usr/bin/chfn /etc/pam.d/chfn and i'm damn sure i didn't put it there all by myself. ben -- To U

Re: beach towel

roblem in damn near every debian related list in the world. i mean, who knew, before now, that we even needed 100% cotton velour to get the job done? hopefully debian-bugs got the same update. ben -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe".

Re: beach towel

ack problem in damn near every debian related list in the world. i mean, who knew, before now, that we even needed 100% cotton velour to get the job done? hopefully debian-bugs got the same update. ben -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe".

Re: Bug#126441: [security] What's being done?

> > Ben is merely behind with updating the BTS, by the looks of it... > Can't close it till I fix woody/sid too. Which will be when 2.2.5 is released (days). -- .--===-=-==-=---==-=-. / Ben Collins--

Re: Bug#126441: [security] What's being done?

> > Ben is merely behind with updating the BTS, by the looks of it... > Can't close it till I fix woody/sid too. Which will be when 2.2.5 is released (days). -- .--===-=-==-=---==-=-. / Ben Collins--

Re: Apt-get is insecure

debsign is a part of devscripts. It looks to be present even in Potato. - Ben On Thu, Dec 13, 2001 at 05:37:42PM +0200, Samuli Suonpaa blathered thusly: > Wichert Akkerman <[EMAIL PROTECTED]> wrote: > > Previously Alexander Karelas wrote: > >> RedHat uses a PGP signa

Re: Apt-get is insecure

debsign is a part of devscripts. It looks to be present even in Potato. - Ben On Thu, Dec 13, 2001 at 05:37:42PM +0200, Samuli Suonpaa blathered thusly: > Wichert Akkerman <[EMAIL PROTECTED]> wrote: > > Previously Alexander Karelas wrote: > >> RedHat uses a PGP signa

Re: buffer overflow in /bin/gzip?

On Wed, 21 Nov 2001, Guillaume Morin wrote: > Dans un message du 20 nov à 23:33, Anders Gjære écrivait : > > > > in gzip.c > > > > the line: > > strcpy(nbuf,dir); > > > > should maybe be replaced with: > > strncpy(nbuf, dir,sizeof(nbuf)); > > gzip runs with user privileges, therefore th

Re: buffer overflow in /bin/gzip?

On Wed, 21 Nov 2001, Guillaume Morin wrote: > Dans un message du 20 nov à 23:33, Anders Gjære écrivait : > > > > in gzip.c > > > > the line: > > strcpy(nbuf,dir); > > > > should maybe be replaced with: > > strncpy(nbuf, dir,sizeof(nbuf)); > > gzip runs with user privileges, therefore t

Re: Port Scan for UDP

er -v -n udp returns the process(es) listening on the named UDP port. -- /-- | Ben Staffin gpg key: http://darkskie.net/~benley/pgp.txt | --/ pgpaNM6YoSBtN.pgp Description: PGP signature

Re: Port Scan for UDP

er -v -n udp returns the process(es) listening on the named UDP port. -- /-- | Ben Staffin gpg key: http://darkskie.net/~benley/pgp.txt | --/ PGP signature

Re: Need Help with the Debian Securing Manual (contributions accepted)

> > > > ?? > > Works fine for me, just tried it. Are you sure is not a problem > with your proxy? I too get the 403 forbidden error. I imagine this does not affect all of the servers that comprise www.debian.org, and those that are unlucky enough to get the affected on

Re: Need Help with the Debian Securing Manual (contributions accepted)

> > > > ?? > > Works fine for me, just tried it. Are you sure is not a problem > with your proxy? I too get the 403 forbidden error. I imagine this does not affect all of the servers that comprise www.debian.org, and those that are unlucky enough to get the affected on

enscript -e option a security risk?

In looking through the print filter generated by magicfilter, I noticed that it gives the -e option to GNU enscript. The -e option turns on special "escapes", including the following as documented in the enscript manpage: epsfinline EPS file to the document. Escape's syntax

enscript -e option a security risk?

In looking through the print filter generated by magicfilter, I noticed that it gives the -e option to GNU enscript. The -e option turns on special "escapes", including the following as documented in the enscript manpage: epsfinline EPS file to the document. Escape's syntax

Re: Is ident secure?

"Layne" <[EMAIL PROTECTED]> writes: > OK they just keep coming. I had 8 messages at 11:00PM , all of who I knew. > Now I have 227 in my in box of solicitors all of who I didn't subscribe to. > And you wonder why I get mad. Did it ever occur to you that maybe it's not acceptable to harass everyone

Re: Is ident secure?

"Layne" <[EMAIL PROTECTED]> writes: > OK they just keep coming. I had 8 messages at 11:00PM , all of who I knew. > Now I have 227 in my in box of solicitors all of who I didn't subscribe to. > And you wonder why I get mad. Did it ever occur to you that maybe it's not acceptable to harass everyon

Re: Layne (was: Re: Is ident secure?)

Paul Visscher <[EMAIL PROTECTED]> writes: > Ed Street [EMAIL PROTECTED] said: > > Already sent mail to the list admin on the bottom of each email. > > I just submitted his address in at > http://www.debian.org/MailingLists/unsubscribe to be unsubscribed, > hopefully that will work... I just subm

Re: Layne (was: Re: Is ident secure?)

Paul Visscher <[EMAIL PROTECTED]> writes: > Ed Street [[EMAIL PROTECTED]] said: > > Already sent mail to the list admin on the bottom of each email. > > I just submitted his address in at > http://www.debian.org/MailingLists/unsubscribe to be unsubscribed, > hopefully that will work... I just s

Re: A question about Knark and modules

On Sun, Jun 17, 2001 at 07:55:40PM -0800, Ethan Benson wrote: > > a bit. lids makes system adminsitration utterly impossible. unless > you leave enough holes open which an attacker can use to bypass it > all. well nearly... at least you can prevent new or unknown process/files from acessing stu

Re: A question about Knark and modules

On Sun, Jun 17, 2001 at 07:55:40PM -0800, Ethan Benson wrote: > > a bit. lids makes system adminsitration utterly impossible. unless > you leave enough holes open which an attacker can use to bypass it > all. well nearly... at least you can prevent new or unknown process/files from acessing st

Re: X & tcp listening

Jim Breton <[EMAIL PROTECTED]> writes: > On Mon, May 28, 2001 at 01:46:07PM +0200, Tomasz Olszewski wrote: > > If an user > > creates his own $HOME/.xserverrc, it overrides the system wide > > xserverrc. > > So make /usr/bin/X11/X a wrapper for the "real" X. > > Problem with this is, if you upgr

Re: X & tcp listening

Jim Breton <[EMAIL PROTECTED]> writes: > On Mon, May 28, 2001 at 01:46:07PM +0200, Tomasz Olszewski wrote: > > If an user > > creates his own $HOME/.xserverrc, it overrides the system wide > > xserverrc. > > So make /usr/bin/X11/X a wrapper for the "real" X. > > Problem with this is, if you upg

Re: strange file

On Mon, Nov 20, 2000 at 11:33:32AM +0100, Virginie-ML wrote: > On Mon, Nov 20, 2000 at 11:26:28AM +0100, Johan Bergström wrote: > > > # cat /.esd_auth > > > [EMAIL PROTECTED]:[EMAIL PROTECTED]@\x9e^@@ > > > > > > There is only this line in ... > > > > > > Could anybody reassure me please ?:) > >

Re: strange file

On Mon, Nov 20, 2000 at 11:33:32AM +0100, Virginie-ML wrote: > On Mon, Nov 20, 2000 at 11:26:28AM +0100, Johan Bergström wrote: > > > # cat /.esd_auth > > > ^M?^C@à:^C@^\óÿ¿^@\x9e^@@ > > > > > > There is only this line in ... > > > > > > Could anybody reassure me please ?:) > > > > I belive its

Re: funny rpc.statd events

Daniel Jacobowitz <[EMAIL PROTECTED]> writes: > This was fixed a month or two before potato was released. I've seen those too, on up-to-date woody, so I don't think it really got fixed. > On Tue, Oct 10, 2000 at 09:09:52PM -0500, Herbert Ho wrote: > > hi guys. i have logcheck installed so i got

Re: funny rpc.statd events

Daniel Jacobowitz <[EMAIL PROTECTED]> writes: > This was fixed a month or two before potato was released. I've seen those too, on up-to-date woody, so I don't think it really got fixed. > On Tue, Oct 10, 2000 at 09:09:52PM -0500, Herbert Ho wrote: > > hi guys. i have logcheck installed so i got

Re: On the security of e-mails

d so > on. > > Regards, > > Alex. > > --- > PGP/GPG Fingerprint: > EFD1 AC6C 7ED5 E453 C367 AC7A B474 16E0 758D 7ED9 > > -BEGIN GEEK CODE BLOCK- > Version: 3.12 > GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w > O--- M- V- PS+ PE- Y