On Sun, Jul 03, 2022 at 03:49:12PM +, Ben Hutchings wrote:
>
> For the oldstable distribution (buster), these problems have been
> fixed in version 4.19.249-2.
It seems that linux-image-amd64 does not depend on
linux-image-4.19.0-21-amd64 but still on linux-image-4.19.0-20-amd64,
so the fixed
On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> On Sat, Dec 2, 2017 at 7:15 PM, Davide Prina wrote:
>
> > If I'm not mistaken, the automatic package build system doesn't require that the
> > source signature is verified correctly.
>
> To clarify what Adam said; there are two times where
On Fri, Nov 03, 2017 at 07:51:34PM +, Salvatore Bonaccorso wrote:
> CVE-2017-15721
>
> Joseph Bisch discovered that Irssi does not properly handle
> incorrectly formatted DCC CTCP messages. A malicious IRC server can
> take advantage of this flaw to cause Irssi to crash, resulting
On Sun, Mar 06, 2016 at 03:33:16PM +1100, Brian May wrote:
> Hello,
>
> Just wondering if there is some other way we can track security issues
> for when CVEs are not available.
>
> Thinking of imagemagick here, it has a lot of security issues, and
> requests for CVEs are not getting any response
On Sat, Jun 20, 2015 at 07:35:14PM -0400, Bryan L. Gay wrote:
> Your email for CVE-2015-1851 does not verify against your GPG signature:
>
> Wrong signature of Sebastien Delafond
It worked perfectly for me. On the other hand, for your message I get:
gpg: no valid OpenPGP data found.
gpg: block_f
On Mon, Jun 08, 2015 at 10:00:00AM +, Thorsten Glaser wrote:
> Stefan Fritsch sfritsch.de> writes:
>
> > And custom DH groups are not that easy to handle in an automated way.
>
> Right. I'm currently suggesting each "site" to generate one and
> roll that out for the whole "site" (e.g. compa
On Fri, Jun 05, 2015 at 01:56:18PM +0200, Thorsten Glaser wrote:
>
> OpenSSL upstream is said (citation needed) to wish to require a
> 1024 bit minimum in some later version but require 768 bits now.
http://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
> I cannot find this
On Fri, Dec 26, 2014 at 02:02:31PM +0100, Luciano Bello wrote:
> > BTW, the situation with elfutils is somewhat similar, the bug report is
> > here:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1170810
>
> I'm reporting this issue to our elfutils maintainer to keep the track of it.
> Do
> you
On Mon, Dec 08, 2014 at 08:17:53PM +0100, Daniel Pocock wrote:
>
> If I understand your reply correctly, the version in Ubuntu and Fedora
> will still talk TLS 1.0 with the version now waiting in jessie?
Yes.
> Do you believe it would be reasonable for me to request a smaller
> unblock that just
On Mon, Dec 08, 2014 at 07:42:54PM +0100, Daniel Pocock wrote:
>
> Is it something that is going to happen with Ubuntu releases next year
> (e.g. April 2015)?
>
> If so, it means that the repro package in jessie won't talk to a repro
> package in Ubuntu.
I think there is some misunderstanding.
On Mon, Dec 08, 2014 at 07:22:33PM +0100, Daniel Pocock wrote:
>
> Will the TLSv1 method be removed in jessie or while jessie is still
> supported?
This is something post jessie.
Kurt
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Troubl
On Mon, Dec 08, 2014 at 02:35:00PM +0100, Daniel Pocock wrote:
>
> I have no idea what technology is in use in the remote/client system.
>
> If my server socket is using TLSv1_method it is rejecting the connection
> and logging those errors on my server:
>
> error:1408F10B:SSL routines:SSL3_GET_
On Mon, Dec 08, 2014 at 01:20:39PM +0100, Daniel Pocock wrote:
> >> Just one other point: if somebody is trying sending the client hello
> >> using SSL v2 record layer but indicating support for TLS v1.0, should
> >> TLSv1_method or SSLv23_method accept that?
> > I would expect that both should sup
On Mon, Dec 08, 2014 at 11:42:28AM +0100, Daniel Pocock wrote:
> On 08/12/14 11:12, Kurt Roeckx wrote:
> > On Mon, Dec 08, 2014 at 09:16:45AM +0100, Daniel Pocock wrote:
> >> Hi all,
> >>
> >> I've made some changes to TLS code in reSIProcate
> >
On Mon, Dec 08, 2014 at 09:16:45AM +0100, Daniel Pocock wrote:
>
> Hi all,
>
> I've made some changes to TLS code in reSIProcate
>
> - setting OpenSSL's SSL_OP_NO_SSLv3 by default when using SSLv23_method()
This has no effect in jessie. SSLv2 and SSLv3 are disabled if you
use the SSLv23_* meth
On Thu, Jun 05, 2014 at 05:13:33PM +0100, Adam D. Barratt wrote:
> On 2014-06-05 15:46, Florian Zumbiehl wrote:
> >Hi,
> >
> >>Package: openssl
> >>CVE ID : CVE-2014-0195 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470
> >
> >is it intentional that you didn't fix CVE-2014-0198
>
> That w
On Sat, May 31, 2014 at 05:28:59PM +0200, Kurt Roeckx wrote:
> I've just updated the chroots. But there is reason to be
> concerned that it was built against when there were some
> older packages installed.
That should have said "no reason".
Kurt
--
On Sun, Jun 01, 2014 at 03:46:35AM +1000, Andrew McGlashan wrote:
> We may see certificate stapling as an answer, but that won't be enough
> if it cannot be certified to /require/ stapling in the cert itself.
I've mailed the TLS workgroup about this very issue but didn't get
any reply.
Kurt
--
On Sat, May 31, 2014 at 12:26:45PM -0400, Michael Gilbert wrote:
> On Sat, May 31, 2014 at 12:19 PM, Kurt Roeckx wrote:
> > This is a manual, I currently see no need to automate it.
>
> Does buildd.debian.org provide any information about the up to
> dateness of its chroots
On Sat, May 31, 2014 at 11:53:23AM -0400, Michael Gilbert wrote:
> On Sat, May 31, 2014 at 11:28 AM, Kurt Roeckx wrote:
> >> It could be nice if the stable buildds were kept more up to date.
> >> I've CC'd am...@buildd.debian.org to get their opinion on that.
> >
On Sat, May 31, 2014 at 10:25:28AM -0400, Michael Gilbert wrote:
> On Sat, May 31, 2014 at 5:27 AM, Georgi Naplatanov wrote:
> > When I choose "About Chromium" menu item it says:
> >
> > Version 35.0.1916.114 Built on Debian 7.1, running on Debian 7.5 (270117)
> >
> > Is that true that package for
On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote:
> On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
> > On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
> > >The public Debian mirrors seem like an obvious target for governments to
> > >MITM. I know that the MD5s are als
On Tue, May 06, 2014 at 11:39:48PM +0200, Cyril Brulebois wrote:
> https://security-tracker.debian.org/tracker/CVE-2014-0198
I'm waiting for upstream to ACK the patch, not sure which one
Ubuntu used.
Kurt
--
On Mon, Dec 30, 2013 at 06:45:48PM +0100, Florian Weimer wrote:
> * Kurt Roeckx:
>
> > On Sun, Dec 15, 2013 at 03:15:03AM +, adrelanos wrote:
> >> > When you implement this, please ensure it isn't vulnerable to any
> >> > duplicate-key
On Sun, Dec 15, 2013 at 03:15:03AM +, adrelanos wrote:
> > When you implement this, please ensure it isn't vulnerable to any
> > duplicate-keyid problems:
> >
> > http://debian-administration.org/users/dkg/weblog/105
>
> Damn, I wasn't aware of the latest news that long key ids are now also
>
On Sun, Dec 01, 2013 at 11:18:47PM +0900, Joel Rees wrote:
> optimizer's excuse to silently kill undefined behavior code.
As far as I know, in all the examples I have seen this is not what
happens. What happens is that the compiler assumes you write code
that has defined behavior and optimises based on
On Wed, Aug 28, 2013 at 11:45:07PM -0400, Hans-Christoph Steiner wrote:
> I want to run an unusual idea by everyone here as an approach to getting an
> outside signature into a packaged Java jar built from source on the Debian
> build machines: we want to get http://martus.org packaged and into Deb
On Mon, Aug 05, 2013 at 05:07:20PM -0400, Paul Henning wrote:
>
> Yes, kick Kurt Roeckx from his admin privileges to start. [...]
> And not just for OpenSSL, he
> contributes to ntp as well.
You forget that I also have access to all the buildds.
Kurt
--
On Wed, Jun 19, 2013 at 06:55:57PM +, Roland Karch wrote:
> Indeed I am. And I got it from wheezy:
>
> http://packages.debian.org/wheezy/libtiff4
>
>
> And me running the version just between those was, well... part of why I
> asked my original question.
So it seems we have those source pa
On Wed, Jun 19, 2013 at 08:44:02AM +0200, Roland Karch wrote:
> Hi,
>
> I have noticed that my wheezy install has this package installed which was
> not updated by the packages in this advisory:
> ii  libtiff4:armel  3.9.6-11  armel  Tag Image File Format (TIFF) librar
Hi,
I just found this paper:
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
Does anybody know if all the problems mentioned in that document
are tracked somewhere?
Kurt
--
On Fri, Jul 29, 2011 at 12:26:18PM +0200, Moritz Mühlenhoff wrote:
> Kurt Roeckx schrieb:
> > On Thu, Jul 28, 2011 at 06:23:46PM +0200, Luciano Bello wrote:
> >> For the oldstable distribution (lenny), this problem has been fixed in
> >> version 1.2.27-2+lenny5. Due t
On Thu, Jul 28, 2011 at 06:23:46PM +0200, Luciano Bello wrote:
> For the oldstable distribution (lenny), this problem has been fixed in
> version 1.2.27-2+lenny5. Due to a technical limitation in the Debian
> archive processing scripts, the updated packages cannot be released
> in parallel with the
On Sun, Apr 10, 2011 at 11:55:28PM +0200, Nico Golde wrote:
>
> We recommend that you upgrade your isc-dhcp packages.
I'm guessing that for the update to be active we need to bring
down any interface that is using the client? (Or reboot.)
The server seems to be restarted on upgrade.
Kurt
--
On Wed, Jan 26, 2011 at 07:49:48PM +, Adam D. Barratt wrote:
> On Wed, 2011-01-26 at 19:06 +0100, Kurt Roeckx wrote:
> > On Wed, Jan 26, 2011 at 05:18:12PM +0100, Martin Schulze wrote:
> > >
> > > For the upcoming stable distribution (squeeze) these problems have
On Wed, Jan 26, 2011 at 05:18:12PM +0100, Martin Schulze wrote:
>
> For the upcoming stable distribution (squeeze) these problems have
> been fixed in version 3.2.1-11+squeeze1.
>
> For the unstable distribution (sid) these problems have been fixed in
> version 3.2.1-11+squeeze1.
When will those
On Mon, Jan 03, 2011 at 03:42:42AM +0100, Naja Melan wrote:
> > You've downloaded a bunch of certificates that came with your web browser.
> > Why do you trust them?
> >
>
> As I pointed out above there are many problems associated with https.
> Trusting the root certificates is one of those. Sti
On Mon, Jan 03, 2011 at 12:24:16AM +0100, Naja Melan wrote:
> Arto Artinian :
>
> > Hi Naja,
> >
>
> > I am not sure what your point is here? You don't trust pgp webs of trust,
> > nor https, nor md5 checksums of debian sources. I mean, at some point if
> > you want to use software that you di
On Sun, Jan 02, 2011 at 06:56:06PM +0100, Naja Melan wrote:
> hi,
>
> Im trying to verify that the debian iso I downloaded has not been tampered
> with by following the following faq entry:
>
> http://www.debian.org/CD/faq/#verify
>
> There are some things I don't understand yet. I have gotten a
On Fri, Oct 01, 2010 at 12:26:31AM +0200, Kurt Roeckx wrote:
> On Wed, Sep 29, 2010 at 02:13:37PM -0700, Kyle Bader wrote:
> > > Debian, being a volunteer organization, has its upsides and
> > > downsides. The downside here being without an active volunteer
> >
On Wed, Sep 29, 2010 at 02:13:37PM -0700, Kyle Bader wrote:
> > Debian, being a volunteer organization, has its upsides and
> > downsides. The downside here being without an active volunteer
> > interested in this problem, nothing has happened.
> >
> > What is needed here is someone to step up to
On Thu, Sep 09, 2010 at 10:36:58AM -0700, Kyle Bader wrote:
> I saw the security tag on bug #555829, I meant that the package page
> should reflect the current security situation:
>
> http://packages.debian.org/lenny/openssl
>
> Shouldn't it show a [security] tag similar to:
>
> http://packages.
On Wed, Sep 08, 2010 at 10:20:11AM -0700, Kyle Bader wrote:
> Hello Deb-sec!
>
> I'd like to bring to the attention of the developers and the Debian
> community that CVE-2009-3555 has not been completely addressed in
> Debian/stable as we are meant to believe here:
>
> http://security-tracker.deb
On Sun, May 02, 2010 at 09:06:46PM +0200, Francesco Poli wrote:
> Hi,
> I received DSA-2040-1 and verified its GPG signature, as I always do.
> I found out that I am unable to correctly verify the signature.
Works for me:
gpg: Signature made Sun 02 May 2010 02:55:15 PM CEST using DSA key ID 4E2ECA
On Thu, Apr 15, 2010 at 12:52:47PM -0700, Jason Self wrote:
> Kurt Roeckx wrote ..
>
> > What does this mean exactly?
>
> It means that versions older than 0.95 will be remotely disabled by the
> ClamAV
> folks once your copy of ClamAV gets the CVD update that in
On Wed, Apr 14, 2010 at 10:35:41PM +0100, Adam D. Barratt wrote:
>
> The clamav project have announced that they will be publishing a
> specially formed virus signature which disables older versions of the
> software, including the version in lenny. If you have not yet migrated
> to using the vol
On Sun, Sep 06, 2009 at 08:45:12PM +0200, Moritz Muehlenhoff wrote:
> Please test the openssl packages from
> http://people.debian.org/~kroeckx/openssl
> and report success/failure briefly to j...@debian.org. This update deprecates
> MD-2 (CVE-2009-2409) and we'd like to hear about affected certif
On Sun, Feb 22, 2009 at 10:06:41PM +0100, Florian Weimer wrote:
> * Luk Claes:
>
> > Currently the security support for the volatile archive is supposed
> > to be taken care of by the uploaders of the respective packages.
> >
> > I think it would make sense to have someone or a team tracking
> > s
On Mon, Dec 29, 2008 at 07:32:47AM -0500, Simon Valiquette wrote:
>
> So here are my questions:
>
> 1. Are both keys still valid?
>
> 2. If the key F2E861A3 is legitimate (which I think it is because
> I have a trust path to it), wouldn't it make sense to sign it with
> the old key as well
There seems to be some confusion going around about the effect of the
openssl issue on dsa keys.
From what I understand, when using a DSA key and the random number used
to generate a signature is known, predictable, or used twice the private
key can be calculated.
So it seems to me that if a DSA
On Thu, Nov 02, 2006 at 11:33:49PM -0700, Scott Edwards wrote:
> Does this affect sarge?
bind9 in sarge is dynamically linked to libssl0.9.7. Sarge has a fixed
version of openssl. You only need to restart your daemon.
The fixed version of libssl0.9.7 is 0.9.7e-3sarge4.
Kurt
--
On Wed, Oct 11, 2006 at 09:22:49PM +0200, Florent Rougon wrote:
> Hi,
>
> I appreciate your help (Joerg, David and Kurt), but there is still a
> problem to solve before I can trust my connection to db.debian.org via
> HTTPS.
>
> Kurt Roeckx <[EMAIL PROTECTED]>
On Tue, Oct 10, 2006 at 09:57:33PM +0200, Florent Rougon wrote:
> > For those that don't know those files:
> > http://www.spi-inc.org/secretary/spi-ca.crt
> > http://www.spi-inc.org/secretary/spi-ca-fingerprint.txt
So Joerg just replaced them with the new ones:
http://www.spi-inc.org/secretary/spi
On Tue, Oct 10, 2006 at 06:37:16PM +0200, Florent Rougon wrote:
> Hi,
>
> David Clymer <[EMAIL PROTECTED]> wrote:
>
> > With a signature, he just has to trust that signer f00's key has not
> > been compromised, thus the published host key info is trustworthy and a
> > MITM is not happening.
>
>
On Mon, Oct 09, 2006 at 08:19:33PM +0200, Florent Rougon wrote:
>
> 2. I have to trust the integrity of db.debian.org.
>
> I think it would be much better if someone from debian-admin would be so
> kind to GPG-sign the public RSA keys of Debian hosts. This way, I'd only
> have to trust that Jam
On Mon, Feb 20, 2006 at 06:25:47PM -0800, Michael Sabala wrote:
> > > host -t a security.debian.org
> > > security.debian.org has address 82.94.249.158 <- slow
>
> I checked traceroute to 82.94.249.158 from two different ISPs.
>
> When the route goes through:
> ameritech->sbcglobal->he.ne
On Sat, Nov 12, 2005 at 02:24:21PM +0100, Adrian von Bidder wrote:
> Yo!
>
> The sending end:
> Nov 11 16:48:27 papillon postfix/smtp[8145]: setting up TLS connection to 10.48.13.1
> Nov 11 16:48:27 papillon postfix/smtp[8145]: SSL_connect error to 10.48.13.1: -1
> Nov 11 16:48:27 papillon p
On Thu, Nov 10, 2005 at 12:35:22PM -0800, alex black wrote:
> hi all,
>
> I'm running a locally patched version of libsasl2, look here:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328879
>
> to see why. (basically, once you compile libsasl2 --with-authdaemond,
> authentication with vir
On Sun, Jul 10, 2005 at 03:59:43PM +0200, Florian Weimer wrote:
> On my system, the following packages contain statically linked copies
> of zlib-related code:
I'm still interested in a full list of packages statically linked
to any version of zlib.
We had a few advisories about zlib so far:
DSA-76
Hi Florian,
Thanks for doing all of this, since it was rather manual work for me.
Afaik, there are 3 kinds of problems with zlib:
- It's build-depending on zlib, but linking statically
- It has its own copy of zlib, and links statically to it
- It has it's own copy of the zlib package (ia32-libs, amd64-
On Sat, Oct 16, 2004 at 01:39:29PM +0200, Benjamin Goedeke wrote:
> Henrique de Moraes Holschuh wrote:
>
> >Well, I have seen ARP overflows on very big flat networks (e.g.
> >172.16.0.0/16) for example. Is any of yours that big? Otherwise, why
> >would
> >the firewall be trying to resolve so ma