On Wed, Aug 27, 2008, Michael Gilbert wrote:
> what about getting a fix for this issue into stable?
it doesn't affect stable
--
Loïc Minier
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
at's what I took as an example in the upstream thread as well:
overwriting /etc/passwd is a local DoS.
You write "create the needed directories", but if the program fails
when the directory exists, this means that it isn't exploitable?
--
Loïc Minier <[EMAIL PROTECTED]>
"Forget your stupid theme park! I'm gonna make my own! With hookers!
And blackjack! In fact, forget the theme park!" -- Bender
ach/tmp/centos-4-i386-os/libX11-1.0.3-6.centos4/libX11-1.0.3-6.centos4.src.rpm
(here centos-4-i386-os is the chroot name and libX11-1.0.3-6 the source
package)
And mach will also copy the spec file to hand to rpmbuild into:
/var/tmp/mach/centos-4-i386-os/libX11-1.0.3-6.centos4/libX11.spec
--
Loïc
ailarchive/forum.php?thread_id=31117825&forum_id=35925
... but I failed convincing them that there is some security risk.
Would someone be so kind to either correct me or to help me word why
this is a bad idea?
Thanks,
--
Loïc Minier <[EMAIL PROTECTED]>
"Forget your stu
s/2006-April/thread.html
--
Loïc Minier <[EMAIL PROTECTED]>
"You can gtk_main_run, but you can't gtk_widget_hide." --danw, 19-jul-04
t's painful. :(
--
Loïc Minier <[EMAIL PROTECTED]>
o CD burning, and metadata editing.
>
> There's *nothing* in that description (which is Rhythmbox' package) that
> implies that Rhythmbox provides music sharing capabilities. Is there?
Of course, you didn't imagine for a second that the description wasn't
updated s
ng committee as mstone puts it.
Other technical enhancements can of course be proposed via the BTS.
Cheers,
[1] This might sound harsh, but it really isn't, I think it's the role of
that committee.
--
Loïc Minier <[EMAIL PROTECTED]>
only by a limited
> number of users overweighs the possible security implications of another
> open port, I think we really cannot come to a consensus in this point.
It's exactly the way you put it, we cannot come close to a consensus
by comparing apples to oranges, securit
e default Debian install does *not*
> setup a firewall or configure one at all after installation. I wonder why a
> default GNOME install does *not* install 'firestarter' (a GTK-based firewall
> configuration tool) Feature-bloat? (grin)
I suggested iptables because all people in
On Fri, Mar 03, 2006, Javier Fernández-Sanguino Peña wrote:
> On Fri, Mar 03, 2006 at 02:36:38PM +0100, Loïc Minier wrote:
> > This is a desktop machine, it should permit sharing of files on your
> > local network. DNS servers have their port 53 open to respond to name
> >
On Fri, Mar 03, 2006, Michael Stone wrote:
> On Fri, Mar 03, 2006 at 02:36:38PM +0100, Loïc Minier wrote:
> >Do you have any other solution permitting the same functionalities, but
> >without the listening port?
> No. If someone wants that functionality then that's how
behind a NAT with
responsible coworkers than connected to the Internet directly, without
any firewall, and that's where desktops sit most of the time.
Bye,
--
Loïc Minier <[EMAIL PROTECTED]>
Current Earth status: NOT DESTROYED
On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
> On Fri, 03 Mar 2006, Loïc Minier wrote:
> > On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
> > > True. But that requires a broken kernel, which we patch regularly as a
> > > security procedure
On Fri, Mar 03, 2006, Joey Hess wrote:
> Standard Desktop task installs do not install Recommends anyway, so
> rhythmbox does not pull in avahi-daemon in those situations and you need
> to deal with that somehow.
It's a bug in task installation then.
--
Loïc Minier <[EMAIL PRO
o support avahi security-wise, and would patch it in the case
of a known vulnerability.
--
Loïc Minier <[EMAIL PROTECTED]>
Current Earth status: NOT DESTROYED
ms out-of-the box and does so without
> specifying nodev, nosuid ?
Think just before that: it's not only the mount options, it's the
simple mounting which is risky. It's not music sharing, it's listening
on the network.
Cheers,
--
Loïc Minier <[EMAIL PROTECTED]>
Hi,
On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
> On Fri, 03 Mar 2006, Loïc Minier wrote:
> > If music sharing is a questionable feature to you, you don't need to
> > discuss this further, you're obviously the security guy, talking in
> >
Hi there,
For people on the list interested in the discussion, Michael Stone has
filed #355064, where the "discussion" went on.
Bye,
--
Loïc Minier <[EMAIL PROTECTED]>
Current Earth status: NOT DESTROYED
onable basis for a default
> configuration.
Right, people running Debian or Ubuntu at home are typically not
interested in sharing music between computers at home.
I completely agree with the managed network part, but in such a
network:
- would you have music players installed?
- wouldn't you filter out any other port than HTTP, HTTPS, and FTP?
Cheers,
--
Loïc Minier <[EMAIL PROTECTED]>
Current Earth status: NOT DESTROYED
if the rhythmbox-power-user will
> press the button "browse for music"...
Well, no: that's the opposite of plug'n'play. See, if your USB stick
contains a malicious vfat file system, it gets automatically mounted
nevertheless. It's a feature.
Cheers,
--
Loïc Minier <[EMAIL PROTECTED]>
Current Earth status: NOT DESTROYED
that
to be simple. You can't cut every feature out because only 10% of the
users use it.
It's not like you're running Rhythmbox on a firewall, and iptables is
still there, you can remove avahi, you can configure it not to start
etc.
Cheers,
--
Loïc Minier <[EMAIL PROTECTED]>
Current Earth status: NOT DESTROYED
hat's less common)
- administrative interface for wifi APs
Cheers,
--
Loïc Minier <[EMAIL PROTECTED]>
Current Earth status: NOT DESTROYED
like "xyz is a service that does blah
> blah,
> ... For most users this service should bind only to a local area network
> and not to the internet. (If you need this service at all) Do you want
> to bind to all interface?" - with no as default!
In the case of a discovery dae
d play: closing all doors and
requiring people to open N doors to use a high-level feature such as
music browsing is *not* intuitive.
Parts of this discussion are available in #349478.
Cheers,
--
Loïc Minier <[EMAIL PROTECTED]>
Current Earth status: NOT DESTROYED
e in /etc/init.d/networking but I really don't like this
> approach. I don't think that it's even the right thing to do cause of
> upgrade issues.
I think you can use this instead:
    auto eth0
    iface eth0 inet manual
        up ifconfig $IFACE up
        down ifconfig $IFACE down
--
Hi,
On Tue, Sep 13, 2005, Sam Morris wrote:
> Is the version in stable too high, or is the version in stable/updates
> too low? :)
I think packages never leave from security.d.o.
Bye,
--
Loïc Minier <[EMAIL PROTECTED]>