According to http://packages.qa.debian.org/x/xfree86/news/1.html xfree86
4.2.1-9 fixes some security issues (just in xterm?) along with doing some
other things.
Drew Daniels
The original announcement was on debian-devel and can be seen in the
archives here:
http://lists.debian.org/debian-devel/2003/debian-devel-200306/msg01655.html
To: Debian Developers
Subject: Announcement: APT Secure
From: Isaac Jones <[EMAIL PROTECTED]>
Date: Thu, 26 Jun 2003 10:30:02 -0400
I'm writing [unconfirmed] now when I've found new advisories or bugs but
haven't had time to fully research them and see if they really are
vulnerabilities and whether Debian is vulnerable (potato, woody, sarge,
sid). It seems that since mdz has been put on the Security Team proper
that he's releas
http://www.securityfocus.com/bid/7757 says Debian Linux 2.2 has Aladdin
Enterprises Ghostscript 5.10.10 and is vulnerable to an arbitrary command
execution vulnerability. It lists CVE CAN-2003-0354 and zfile.c...
It says that the vulnerability was published May 17th, 2003.
Is this really a vulner
http://packetstorm.linuxsecurity.com/filedesc/atftpdx.c.html says: Proof
of concept remote root exploit for atftpd version 0.6. Makes use of the
filename overflow found by Rick Patel. Related post here. Tested against
Debian 3.0. By gunzip
http://packetstorm.linuxsecurity.com/filedesc/atftpd.patch
Colin Watson has written new code for the BTS to allow it to display bugs
with certain tags, like security [1].
The new URL for bugs tagged security is
http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=security and the old URL
that's no longer linked to from qa.debian.org is still being updated at
On Tue, 6 May 2003, Florian Weimer wrote:
> Drew Scott Daniels <[EMAIL PROTECTED]> writes:
>
> > This bug may be worked around (and therefore downgraded) by having a
> > configuration to warn the user that they must trust the DNS servers
> > (wherever this is configu
Sorry for the crosspost, but I wanted to include everyone potentially
interested in this bug.
The home page for dnrd [1] seems to indicate that it is intended for use
for a single computer or an internal network. The typical user will likely
only want to allow input to dnrd from trusted sources [2
http://www.securityfocus.com/bid/7109 says Sun's JRE and Java SDKs versions
less than 1.4.1_02 are vulnerable as well as IBM's JDK.
The BID seems to indicate the vulnerability is in java.util.zip
I'm not sure which versions of Java JRE's and SDKs are in Debian, but it
seems to me that in Contrib
On Fri, 2 May 2003, Wolfgang Sourdeau wrote:
> I am not subscribed to debian-security, so please include me in your Cc:
> for this discussion.
>
Likewise.
> I have noticed a "fax" user was expected in mgetty-1.1.30 (never played
> with 1.1.29). The problem I have with that is that this user is req
http://serg.cs.drexel.edu/phpnuke/html/modules.php?name=Project&pa=showproject&pid=1
lists Bunch which is an interesting tool to show modularity. I haven't yet
tried it.
Also on this site they link to CoSAK which is an interesting newer
security audit tool set.
Has anyone tried these tools?
I don't know whether potato, woody, sarge and sid should have a security
bug filed against them.
According to http://packages.qa.debian.org/m/mgetty.html sid has version
1.1.30-1, sarge has version 1.1.28-5, and woody has version 1.1.27-4.1.
Note that Debian packages contain changes. I have not lo
http://www.securityfocus.com/bid lists two bugs in phpsysinfo. I'm unsure
as to whether Debian is affected. Can someone else check and file a bug if
necessary?
Thanks
Drew Daniels
http://packetstorm.linuxsecurity.com/filedesc/injectso-0.2.1.tar.html
describes injectso, "a tool that can be used to inject shared libraries
into running processes on Linux (x86/IA32 and Sparc)...".
Maybe I misunderstand, but might it not be also possible to use this to
inject replacements for sh
Are you referring to
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=173337 (more info in
DSA 212) or something else?
Where did you get the information that said mysql was vulnerable?
http://www.securityfocus.com/cgi-bin/sfonline/vulns.pl and some security
scanners sometimes don't update their
As promised in
http://lists.debian.org/debian-security/2003/debian-security-200304/msg00373.html
I've written a rough plan...
Bugs get filed using appropriate procedure then... The "team to patch
vulnerabilities" finds the bugs and starts its procedure... I still need
to work on the procedure, an
28 Apr 2003, Consti75 wrote:
> Hi,
> I would like to help, but don't really
> know how to start and what regulation etc.
> there are! Can you help me getting
> started?
> Best regards,
> Constantin
>
> Drew Scott Daniels wrote:
>
> >Hi,
> >There are
Woody CD updates afaik are only done when stable releases are done.
See http://people.debian.org/~joey/stable.html for details. There are
nightly builds of CDs for Sarge and Sid, but I don't think I've seen any
such thing for stable or oldstable that includes security updates. The
nightly builds c
Hi,
There are a large number of security issues discussed in the BTS.
http://qa.debian.org/bts-security.html lists almost all of them. I'm
looking at them and trying to create patches for some and bring them to
the attention of the appropriate parties. Any help would be appreciated.
The security t
For those that missed it on Debian-devel, there's a patched version of
fakeroot that does chroot too. You can read about it and better/worse
alternatives in the thread at:
http://lists.debian.org/debian-devel/2003/debian-devel-200304/msg00747.html
Drew Daniels
> > On Tue, Mar 11, 2003 at 06:53:48PM +0900, Hideki Yamane wrote:
> > >
> > > >This was added to the SANS Advisory on Sendmail last week.
> > > >I have not seen any news nor postings related to Snort with
> > > >Debian and was wondering about the status of Snort in stable
> > > >at this time.
> >
oops, wrong address.
-- Forwarded message --
Date: Wed, 4 Dec 2002 08:06:00 -0600 (CST)
From: Drew Scott Daniels <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: exploit for (Debian's?) pfinger
I found an exploit on Packetstorm described as "Pfinger v0.7.8 and