Hi Arne,
On Wed, Apr 13, 2011 at 11:23:10AM +0200, Arne Wichmann wrote:
> So, does that mean that CVE-2010-3847 and CVE-2011-0536 can be closed in
> the tracker?
Yes, that is my understanding. IIUC, 2.11.2-8 fixed CVE-2011-0536 by
updating the patches for CVE-2010-3847.
-Kees
--
Kee
tu-branches/ubuntu/maverick/eglibc/maverick-security/view/head:/debian/patches/any/disable-ld_audit.diff
> So, somebody else might still have a look at that.
CVE-2010-3847 is a real mess, especially since I *think* upstream hasn't
entirely fixed it.
-Kees
--
Kees Cook
debian.org/debian-kernel/2010/11/msg00378.html
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://l
fixed
> in Woody:
>
> http://lists.debian.org/debian-changes/2004/02/msg00029.html
lbreakout2 drops setgid immediately after opening the highscore file. This
crash isn't a security issue. (I've updated the bug report too.)
--
Kees Cook
ELF, though this is really
only useful when examining NX emulation.
-Kees
--
Kees Cook@debian.org
--
ernel's CONFIG
options for PAE. The default for 32bit is _not_ PAE mode, so this is
probably what is happening.
-Kees
--
Kees Cook@debian.org
--
> system version?
Your CPU may not support NX enforcement. Check your dmesg output, and your
cpuflags line in /proc/cpuinfo for "nx".
See https://wiki.ubuntu.com/Security/Features#nx though ignore the nx-emu
notes, as that's not in De
hich ends
up being rather expensive. AT_RANDOM is the better solution and should
happen automatically if the kernel supports it.
The up-shot of the static canary is that usually it's string operations
that overflow the stack, and it's not possible to over and past a canary
with \x00 i
updated (AFAIK, Verisign has re-signed their
top-level certs with SHA-1).
-Kees
[1] http://marc.info/?l=openssl-cvs&m=124508133203041&w=2
--
Kees Cook@debian.org
--
tch for this one.
Actually, not even upstream has fixed this yet. :(
http://people.ubuntu.com/~ubuntu-security/cve/CVE-2008-2956
-Kees
--
Kees Cook@outflux.net
--
On Fri, Oct 24, 2008 at 10:35:52PM +0200, Sjors Gielen wrote:
> Kees Cook wrote:
> > Additionally, it doesn't matter -- it's just the md5 in the email
> > announcement. The Release and Packages files for the archive have SHA1
> > and SHA256. The md5 from the annou
es files for the archive have SHA1
and SHA256. The md5 from the announcement is almost not important,
IMO -- no one should download files individually from the announcement.
--
Kees Cook@outflux.net
--
VE-2008-1679. Am I misunderstanding something?
Thanks,
-Kees
--
Kees Cook
Ubuntu Security Team
--
Hi,
On Wed, May 21, 2008 at 05:42:43AM -0400, Simon Valiquette wrote:
> Kees Cook once wrote:
>> On Wed, May 21, 2008 at 07:07:34AM +0200, Vincent Bernat wrote:
>>
>> I could be mistaken, but prior to openssl breaking, ssh-keygen stopped
>> allowing dsa 2048 keys,
On Wed, May 21, 2008 at 07:07:34AM +0200, Vincent Bernat wrote:
> OoO On this cloudy night of Wednesday, 21 May 2008, at around 01:32, Kees
> Cook <[EMAIL PROTECTED]> said:
>
> > * Add empty DSA-2048, since there weren't any bad ones.
>
> How is it possible?
I
cklist.
Is there already a svn for openssl-blacklist? If I could be added to
that project ('keescook-guest' on alioth) and the Uploaders list, I'd be
happy to help with the package, and help get Jamie's changes into Debian.
Thanks,
-Kees
--
Kees Cook
Ubuntu Security Team
--
ted in Ubuntu with the earlier releases.
--
Kees Cook
Ubuntu Security Team
--
t, but I'm missing others. I'm planning to
> publish 4096 bit keys list tomorrow. I'm not going to publish complete
> archives of private keys.
Thanks! We can verify our lists against yours to make sure we're all on
the same page. :)
-Kees
--
Kees Cook
Ubuntu
t.com/users/hdm/tools/debian-openssl/
--
Kees Cook@outflux.net
--
be a bug in the hardening-wrapper. Cmake is doing
builds in a way that wasn't expected (i.e. passing -fPIC during
an executable build, which disables PIE at the compiler level,
but the linker will still attempt to do it). While I think cmake
is being weird, it is still a valid command line (