Re: [SECURITY] [DSA 2548-1] Debian Security Team PGP/GPG key change notice

2012-09-15 Thread Matt
Nico Golde wrote: >-BEGIN PGP SIGNED MESSAGE- >Hash: SHA1 > >- - >Debian Security Advisory DSA-2548-1 secur...@debian.org >http://www.debian.org/security/Nic

Re: [SECURITY] [DSA 2549-1] devscripts security update

2012-09-15 Thread Matt
s Vaughn Raphael Geissert wrote: >-BEGIN PGP SIGNED MESSAGE- >Hash: SHA1 > >- - >Debian Security Advisory DSA-2549-1 secur...@debian.org >http://www.debian.org/security/

Re: bastille in lenny

2009-07-09 Thread Matt Richardson
On Thu, Jul 9, 2009 at 8:19 AM, Matt Richardson wrote: > On Thu, Jul 9, 2009 at 5:07 AM, Joseph Abbotts > wrote: >> Matt, >> >> It works perfectly on Lenny after two quick edits: Worked like a champ. I made one more trivial change in API.pm: $stable="5.0"

Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-09 Thread Matt Richardson
t it. [1] http://isc.sans.org/diary.html?storyid=6760 [2] http://isc.sans.org/diary.html?storyid=6742 -- Matt -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: bastille in lenny

2009-07-09 Thread Matt Richardson
On Thu, Jul 9, 2009 at 5:07 AM, Joseph Abbotts wrote: > Matt, > > It works perfectly on Lenny after two quick edits: > Still, it's something one > can fix themselves in ten seconds unless there is something deeper than > those two files. The only other snag I've hit is

bastille in lenny

2009-07-08 Thread Matt Richardson
th running 'bastille -b' after making a couple of changes, I'll be happy. Otherwise, I guess my dreams of a pure lenny system will be dashed and I'll have to pin the newer version. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510884 -- Matt

Re: samba printer question

2009-05-29 Thread Matt Richardson
..@lists.samba.org I can't speak to your specific issue, but I did just set up samba and cups with AD authentication. -- Matt

Re: dhcp delivered subnet broadcast address: 255.255.255.255

2009-01-29 Thread Matt Kincaid
Hello, I'm having the same issue. I can broadcast to the ###.###.###.255 fine but my switches/routers throw out 255.255.255.255. Have you found any solution? Matt Kincaid

RE: [SECURITY] [DSA 1658-1] New dbus packages fix denial of service

2008-10-22 Thread Graham, Matt
unsubscribe -Original Message- From: Thijs Kinkhorst [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 22, 2008 2:50 PM To: [EMAIL PROTECTED] Subject: [SECURITY] [DSA 1658-1] New dbus packages fix denial of service Importance: High -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - ---

Re: getting to www servers from inside where they have an Internal IP

2006-02-01 Thread Matt
.2/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.2.254 Hope this helps! Matt

Re: "Fix" of sudo with DSA-946-1

2006-01-29 Thread Matt Palmer
now when I should be watching various automated process more closely. - Matt

Re: hardening checkpoints

2005-12-15 Thread Matt
malicious damage. Matt

Re: policy change is needed to keep debian secure

2005-08-23 Thread Matt Zimmerman
On Tue, Aug 23, 2005 at 12:04:17PM -0500, David Ehle wrote: > As you can see in the subject, the OP understands the policy, but believes > it should be changed. To what? The suggestions that I have seen so far seem to be reiterations of the existing policy. > I support introducing new packages

Re: policy change is needed to keep debian secure

2005-08-23 Thread Matt Zimmerman
On Tue, Aug 23, 2005 at 10:04:24AM -0700, Al Eridani wrote: > This is a strawman argument: I haven't seen anybody write that they want a > new release of Firefox because is "sexy". I guess you aren't reading my mail, then. People request new versions in stable all the time for little reason more

Re: policy change is needed to keep debian secure

2005-08-23 Thread Matt Zimmerman
On Tue, Aug 23, 2005 at 09:33:02AM -0700, Matt Zimmerman wrote: > On Tue, Aug 23, 2005 at 09:46:54PM +1000, Paul Gear wrote: > > Daniel Sterling wrote: > > > Debian stable cannot stay stable without changing, sometimes > > > drastically. > > > ... > &

Re: policy change is needed to keep debian secure

2005-08-23 Thread Matt Zimmerman
On Tue, Aug 23, 2005 at 12:51:54PM -0400, Michael Stone wrote: > On Tue, Aug 23, 2005 at 09:33:02AM -0700, Matt Zimmerman wrote: > >That is what stable is about: not changing, or when change is absolutely > >necessary, changing as little as possible. A hot new Firefox release may

Re: policy change is needed to keep debian secure

2005-08-23 Thread Matt Zimmerman
done to death already. Please read the archives of > this list, especially one of Matt Zimmerman's posts in the "On Mozilla-* > updates" thread, which reads in part: Paul seems to be working from a different definition of "stable" than the one used in the cont

Re: On Mozilla-* updates

2005-08-03 Thread Matt Zimmerman
On Wed, Aug 03, 2005 at 06:51:59PM +0200, Ben Bucksch wrote: > Matt Zimmerman wrote: > > >Ben has now explained that this is in fact not sufficient. > > > > > No, I have not. Please read again what I wrote. > > >There is clearly a communication gap. >

Re: On Mozilla-* updates

2005-08-03 Thread Matt Zimmerman
On Wed, Aug 03, 2005 at 01:01:40PM +0100, antgel wrote: > Matt Zimmerman wrote: > > You're welcome to attempt to convince the Mozilla project to change > > the way that they work for the benefit of distribution security teams. If I > > recall correctly, others have uns

Re: On Mozilla-* updates

2005-08-03 Thread Matt Zimmerman
On Wed, Aug 03, 2005 at 02:51:04PM +0200, Ben Bucksch wrote: > antgel wrote: > > >2) Mozilla security patches are not easy to find and isolate. > > > >Ben has disputed this, saying that we should be able to extract all > >necessary patches. Public ones from > >http://www.mozilla.org/projects/secu

Re: On Mozilla-* updates

2005-08-02 Thread Matt Zimmerman
On Wed, Aug 03, 2005 at 01:11:59AM +0200, Frank Wein wrote: > Matt Zimmerman wrote: > >On Wed, Aug 03, 2005 at 12:08:10AM +0200, Ben Bucksch wrote: > >>BTW: Where are you located physically? Maybe you can meet with > >>mozilla.orgians in person. I think y

Re: On Mozilla-* updates

2005-08-02 Thread Matt Zimmerman
On Wed, Aug 03, 2005 at 12:08:10AM +0200, Ben Bucksch wrote: > Matt Zimmerman wrote: > >You're welcome to attempt to convince the Mozilla project to change > >the way that they work for the benefit of distribution security teams. > > > I don't even know wh

Re: On Mozilla-* updates

2005-08-02 Thread Matt Zimmerman
On Tue, Aug 02, 2005 at 04:39:21PM -0500, David Ehle wrote: > The solution to this problem is simple. We change the meaning of stable > to "stable except for such cases as security demands upgrading versions > rather than backporting patches." > > We can dilly dally about it all we want but this i

Re: On Mozilla-* updates

2005-08-02 Thread Matt Zimmerman
On Tue, Aug 02, 2005 at 09:04:01PM +0100, antgel wrote: > Matt Zimmerman wrote: > > Have you been following this discussion? That is exactly what we have been > > killing ourselves doing for the past few years. It is a _losing battle_. > > I've been following a fair

Re: On Mozilla-* updates

2005-08-02 Thread Matt Zimmerman
On Tue, Aug 02, 2005 at 08:15:22PM +0100, antgel wrote: > Matt Zimmerman wrote: > > the issue is that they often don't apply to versions which are a few > > months old. > > Not automatically, but perhaps if we had a dedicated team of a few people > who can code, we

Re: On Mozilla-* updates

2005-08-02 Thread Matt Zimmerman
On Tue, Aug 02, 2005 at 02:29:51PM +0200, Moritz Muehlenhoff wrote: > If the isolated patches were pulled from Mozilla Bugzilla by Matt Zimmermann > (who appears to be Debian's Mozilla security delegate) and published as part > of a DSA this would point to the core of each vulnerab

Re: On Mozilla-* updates

2005-08-01 Thread Matt Zimmerman
.html > > > > No, I meant Matt is our mozilla security delegate: > > http://www.mozilla.org/projects/security/secgrouplist.html I am not an official representative, but I am subscribed to the Mozilla Security Group mailing list. I do not have any influence over Mozilla

Re: On Mozilla-* updates

2005-08-01 Thread Matt Zimmerman
On Mon, Aug 01, 2005 at 09:55:03AM +0200, Jan Luehr wrote: > Have I said so? I've tried to point out, that debian is "an universal > operating system" - as proclaimed on the homepage. > So at least here is a common consensus for the purpose of debian. In fact there is a controversy over that labe

Re: On Mozilla-* updates

2005-07-31 Thread Matt Zimmerman
On Sun, Jul 31, 2005 at 02:03:28PM +0200, Jan Luehr wrote: > Am Sonntag, 31. Juli 2005 09:49 schrieb Bernd Eckenfels: > > No but I think most of the desktop packages suffer from the slow release > > cycle. > > Debian is not primarily intended for being used as a desktop system. If > you are up to

Re: gpg-errors with apt

2005-07-07 Thread Matt Hope
On 7/7/05, Steve Kemp <[EMAIL PROTECTED]> wrote: > On Thu, Jul 07, 2005 at 12:22:36PM +0200, Johann Spies wrote: > > > I have read http://www.debian-administration.org/articles/174 about > > this topic and have done what the article suggested: > > "~# gpg --keyserver keyring.debian.org --recv 4F36

Re: Bad press related to (missing) Debian security

2005-06-28 Thread Matt Zimmerman
On Mon, Jun 27, 2005 at 08:39:43PM +0200, Marek Olejniczak wrote: > On Mon, 27 Jun 2005, Matt Zimmerman wrote: > > >The security team has always been a difficult one to expand. A strong > >level of trust is necessary due to confidentiality issues, and security > >sup

Re: Bad press related to (missing) Debian security

2005-06-27 Thread Matt Zimmerman
On Tue, Jun 28, 2005 at 01:56:55AM +0200, Moritz Muehlenhoff wrote: > Have a look at the system we use for the testing security team (I always > thought it originated in the security team): > http://lists.alioth.debian.org/pipermail/secure-testing-commits/2005-June/thread.html > > This system is

Re: Bad press related to (missing) Debian security

2005-06-27 Thread Matt Zimmerman
chulze > /member/ Wichert Akkerman > /member/ Daniel Jacobowitz > /member/ Michael Stone > /member/ Matt Zimmerman > /secretary/ Noah Meyerhans > /secretary/ Steve Kemp > > Is this enough? I expect it would be enough if they were all active, bu

Re: Analysis vulnerabilities associated to published security advisories, anyone?

2005-03-10 Thread Matt Zimmerman
On Thu, Mar 10, 2005 at 10:08:24AM +0100, Javier Fernández-Sanguino Peña wrote: > On Wed, Mar 09, 2005 at 11:24:54AM -0800, Matt Zimmerman wrote: > > FWIW, Ubuntu vulnerabilities will intersect with Woody vulnerabilities, but > > there are many vulnerabilities which affect only

Re: Analysis vulnerabilities associated to published security advisories, anyone?

2005-03-09 Thread Matt Zimmerman
On Wed, Mar 09, 2005 at 12:25:06PM +0100, Javier Fernández-Sanguino Peña wrote: > I would like somebody to do a similar analysis regarding Debian's > vulnerabilities (Ubuntu vulns are probably a subset of those affecting > woody). Has anyone enough spare time? FWIW, Ubuntu vulnerabilities will

Re: telnetd vulnerability from BUGTRAQ

2004-09-27 Thread Matt Zimmerman
On Mon, Sep 27, 2004 at 12:59:28PM +0100, Steve Kemp wrote: > On Mon, Sep 27, 2004 at 01:17:47PM +0200, Milan Jurik wrote: > > > Yes, it's time to look at the sources and find the truth. > > This appears to have been addressed by the patch in DSA-070-1, > so you should be able to apply that

Re: apt 0.6 and how it does *not* solve the problem

2004-08-30 Thread Matt Zimmerman
On Mon, Aug 23, 2004 at 01:03:54AM +0200, martin f krafft wrote: > the Debian project as we have it. Bear with me for a second... I am > not about to take the piss out of the APT 0.6 people, who have done > an outstanding job. The problem is deeper... If the issues you mean to address are not rel

Re: [SECURITY] [DSA 535-1] New squirrelmail packages fix multiple vulnerabilities

2004-08-02 Thread Matt Zimmerman
On Mon, Aug 02, 2004 at 09:26:20PM -0700, [EMAIL PROTECTED] wrote: > Awesome! I'm amazed that it finally got done. Way to go! Jeroen van Wolffelaar (Debian) and Thijs Kinkhorst (SquirrelMail) deserve the credit for preparing and testing the update. -- - mdz

Re: FWD: Squirrelmail XSS + SQL security bug?

2004-07-31 Thread Matt Zimmerman
On Thu, Jul 29, 2004 at 11:27:55AM +0200, Roman Medina-Heigl Hernandez wrote: > On Thu, 22 Jul 2004 20:28:23 +0200 (CEST), you wrote: > > >About security fixes in the SquirrelMail code; SquirrelMail does not > >(contrary to Roman's standpoint) adhere to a obscurity-policy but in > >stead openly d

Re: [SECURITY] [DSA 532-1] New libapache-mod-ssl packages fix multiple vulnerabilities

2004-07-29 Thread Matt Zimmerman
On Thu, Jul 29, 2004 at 11:56:41AM +0200, Tim Dijkstra wrote: > As the advisory recommended, I 'apt-get upgrade'd my stable boxen, but I > noticed that on my alpha server the only thing that was updated where the > docs. Indeed the advisory doesn't talk about a new version for alpha. Is > there a

Re: [SECURITY] [DSA 532-1] New libapache-mod-ssl packages fix multiple vulnerabilities

2004-07-27 Thread Matt Zimmerman
On Tue, Jul 27, 2004 at 01:01:10PM +0200, Rhesa Rozendaal wrote: > The main reason is that it adds the line > > LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so > > to the apache config file /etc/apache/httpd.conf. > > Here's why this breaks my setup: I run two instances of apache, a

Re: Apache-SSL and DSA-532

2004-07-26 Thread Matt Zimmerman
On Mon, Jul 26, 2004 at 11:15:02AM +0100, Chris Morris wrote: > > DSA-532 contained: > >Package: libapache-mod-ssl > >Vulnerability : several > >Problem-Type : remote > >Debian-specific: no > >CVE Ids: CAN-2004-0488 CAN-2004-0700 > > Is apache-ssl also vulnerable to these? No

Re: [SECURITY] [DSA 531-1] New php4 packages fix multiple vulnerabilities

2004-07-25 Thread Matt Zimmerman
On Mon, Jul 26, 2004 at 01:32:24AM +0200, Hilko Bengen wrote: > I imagine that some work on these checks could be saved if security > updates generally used a scheme like ${LAST_USED_VERSION}woody${N}. Have you considered that this might be part of the reason why the security team uses the versio

Re: [SECURITY] [DSA 531-1] New php4 packages fix multiple vulnerabilities

2004-07-25 Thread Matt Zimmerman
On Sun, Jul 25, 2004 at 11:54:56PM +0200, Hilko Bengen wrote: > Matt Zimmerman <[EMAIL PROTECTED]> writes: > > > On Thu, Jul 22, 2004 at 04:25:30PM +0200, Hilko Bengen wrote: > > > >> Why has a new Debian version been introduced? Previous security > >&g

Re: [SECURITY] [DSA 533-1] New courier packages fix cross-site scripting vulnerability

2004-07-23 Thread Matt Zimmerman
On Fri, Jul 23, 2004 at 10:11:30AM +0200, Robert Penz wrote: > On Friday 23 July 2004 06:20, Matt Zimmerman wrote: > > I've just updated to the new packages and now I've following problem > > Jul 23 10:03:41 blackstar courieresmtpd: started,ip=[:::62.138.5.44] &g

Re: [SECURITY] [DSA 531-1] New php4 packages fix multiple vulnerabilities

2004-07-22 Thread Matt Zimmerman
On Thu, Jul 22, 2004 at 04:25:30PM +0200, Hilko Bengen wrote: > Matt Zimmerman <[EMAIL PROTECTED]> writes: > > > Package: php4 > > Vulnerability : several > > Problem-Type : remote > > Debian-specific: no > > CVE Ids: CAN-2004-0594 C

Re: mod_ssl 2.8.19 for Apache 1.3.31

2004-07-19 Thread Matt Zimmerman
On Mon, Jul 19, 2004 at 09:33:40PM +0200, Peter Holm wrote: > as you can see [1] there was a problem with mod_ssl. Are there any > security updates for woody? I see nothing with apt-get upgrade, am I > doing something wrong? Or do I have to install new mod_ssl package > myself? > > my understand

Re: Proposal/suggestion for security team w.r.t. published vulerabilities

2004-07-18 Thread Matt Zimmerman
On Sun, Jul 18, 2004 at 11:47:38PM -0400, Bradley Alexander wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On Sunday 18 July 2004 23:11, Matt Zimmerman wrote: > > As you have repeatedly confirmed, the security team is very busy. > > Matt, > > Is ther

Re: Proposal/suggestion for security team w.r.t. published vulerabilities

2004-07-18 Thread Matt Zimmerman
On Tue, Jul 06, 2004 at 08:06:36PM +0200, Jeroen van Wolffelaar wrote: > Or is there some reason filing bugs like I described here isn't > wanted? As you have repeatedly confirmed, the security team is very busy. Generally, if an issue doesn't affect stable, I don't track it at all. If an issue d

Re: Proposal/suggestion for security team w.r.t. published vulerabilities

2004-07-07 Thread Matt Zimmerman
On Wed, Jul 07, 2004 at 01:17:01PM +0200, Jeroen van Wolffelaar wrote: > On Wed, Jul 07, 2004 at 02:49:54AM +0200, Javier Fernández-Sanguino Peña wrote: > > Why does the security team have to do this? Anybody can do it. > > Not without spending lots of time crawling through security lists, > CAN/

Re: Proposal/suggestion for security team w.r.t. published vulerabilities

2004-07-06 Thread Matt Zimmerman
On Tue, Jul 06, 2004 at 09:13:18PM +0200, Jeroen van Wolffelaar wrote: > On Tue, Jul 06, 2004 at 03:08:38PM -0400, Michael Stone wrote: > > On Tue, Jul 06, 2004 at 08:06:36PM +0200, Jeroen van Wolffelaar wrote: > > >As an example, take CAN-2004-0519, CAN-2004-0520 and CAN-2004-0521, all > > >three

Re: FWD: Squirrelmail XSS + SQL security bug?

2004-07-05 Thread Matt Zimmerman
On Mon, Jul 05, 2004 at 06:05:34PM -0300, Henrique de Moraes Holschuh wrote: > Isn't this enough reason to demote squirrelmail to an "unstable-only" > package? I use it everywhere, and it will be an extreme hindrance to > me, but we have to be realistic on these issues... Without cooperation w

Re: FWD: Squirrelmail XSS + SQL security bug?

2004-07-05 Thread Matt Zimmerman
On Mon, Jul 05, 2004 at 10:57:16PM +0200, Jeroen van Wolffelaar wrote: > I've done a squirrelmail NMU in fruitful cooperation with one of the > upstream squirrelmail maintainers, former stable release manager Thijs > Kinkhorst, who happens to also be a personal friend of mine. Thanks very much fo

Re: Bug#257165: udev: input device permissions

2004-07-05 Thread Matt Zimmerman
On Mon, Jul 05, 2004 at 08:24:56PM +0100, Itay Ben-Yaacov wrote: > Actually, re-reading the definitions in reportbug, this seems to be > *critical*. Why doesn't anyone DO anything about this? NMU? Something??? Dear Debian User, You have opted to use an unstable, pre-release version of Debian.

Re: FWD: Squirrelmail XSS + SQL security bug?

2004-07-05 Thread Matt Zimmerman
On Mon, Jul 05, 2004 at 12:05:23PM -0700, [EMAIL PROTECTED] wrote: > Long ago and far away, I sent this message to security@, and a small > amount of conversation occured, but I never heard back from Sam Johnston > or Matt Zimmerman (the two parties present in the discussion in addi

Re: [SECURITY] [DSA 522-1] New super packages fix format string vulnerability

2004-06-19 Thread Matt Zimmerman
On Sat, Jun 19, 2004 at 11:46:37AM +0200, Bernhard Kuemel wrote: > Matt Zimmerman wrote: > > >Package: super > >Vulnerability : format string > >Problem-Type : remote > > >Max Vozeler discovered a format string vulnerability in super, a > >prog

Re: security@debian.org

2004-06-04 Thread Matt Zimmerman
On Thu, Jun 03, 2004 at 02:42:59AM +0200, Florian Weimer wrote: > Has [EMAIL PROTECTED] been directed away from debian-private? It's > probably a good move. In the past, the old setup resulted in some > confusion because submitters usually do not expect that security@ is read > by all people in

Re: how debconf manages passwds

2004-06-02 Thread Matt Zimmerman
On Wed, May 26, 2004 at 07:33:12PM +0200, jorge salamero wrote: > yes but ... > > /usr/sbin/dpkg-reconfigure: cacti is not fully installed man dpkg-reconfigure -- - mdz

Re: [SECURITY] [DSA 479-2] New Linux 2.4.18 packages fix local root exploit (i386)

2004-04-19 Thread Matt Zimmerman
On Mon, Apr 19, 2004 at 06:40:35PM +0200, Jan Minar wrote: > Could You tell us what _exactly_ happened? (DWN cover-story ;-)) Are > there no testsuites/scripts to ensure basic sanity of the packages being > built packages? Or what _exactly_ was the mistake (I'm personally > interested in the se

Re: Eterm & others allow arbitrary commands execution via escape sequencies [Was: CAN-2003-0020?]

2004-04-19 Thread Matt Zimmerman
On Mon, Apr 19, 2004 at 09:31:27PM +0200, Jan Minar wrote: > And as a part of this community, I am... > [doing more pointing and whining] Did you miss the bit where I said that didn't help? > Haha, I can feel the free spirit of the computer labs of the late > sixties: > > /usr/src/linux/drivers

Re: Eterm & others allow arbitrary commands execution via escape sequencies [Was: CAN-2003-0020?]

2004-04-19 Thread Matt Zimmerman
On Mon, Apr 19, 2004 at 07:51:27PM +0200, Jan Minar wrote: > Come on, Matt: Virtually all terminal emulators are vulnerable, and the > vulnerability is a common knowledge. The abovementioned paper was on > Bugtraq 2003-02-24 21:02:52... Is the Security Team going to do > someth

Re: Eterm & others allow arbitrary commands execution via escape sequencies [Was: CAN-2003-0020?]

2004-04-19 Thread Matt Zimmerman
On Mon, Apr 19, 2004 at 06:08:51PM +0200, Jan Minar wrote: > On Sun, Apr 18, 2004 at 11:58:21AM -0700, Matt Zimmerman wrote: > > untrusted source. This is a fundamental Unix feature (or flaw). Terminal > > control sequences may be contained in the data. > > I've read

Re: CAN-2003-0020?

2004-04-18 Thread Matt Zimmerman
On Sun, Apr 18, 2004 at 08:47:16PM +0200, Jan Lühr wrote: > Am Sonntag, 18. April 2004 18:56 schrieb Matt Zimmerman: > > On Sat, Apr 17, 2004 at 10:16:11PM +0200, Jan Lühr wrote: > > > what about > > > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-002

Re: CAN-2003-0020?

2004-04-18 Thread Matt Zimmerman
On Sat, Apr 17, 2004 at 10:16:11PM +0200, Jan Lühr wrote: > what about http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020 ? > Is debian finally going to fix it? Current consensus between the security team and the Apache maintainers is that it is not necessary to fix this in woody.

Re: suid

2004-04-18 Thread Matt Zimmerman
On Fri, Apr 16, 2004 at 11:02:56PM +0100, Mario Ohnewald wrote: > Ok, the suid is set for the crontab binary because you have to edit the root > owned file. crontab in unstable is no longer setuid root. -- - mdz

Re: Security holes in 2.4.25?

2004-04-18 Thread Matt Zimmerman
On Wed, Apr 14, 2004 at 04:16:28PM -0500, Micah Anderson wrote: > With the rash of security gaffes in the kernel related to mmap and > mremap, does it make anyone else nervous to see the following in the > changelog for 2.4.26: > > o mremap NULL pointer dereference fix > > If this was a security

Re: Terminal Emulator Security Issues

2004-04-12 Thread Matt Zimmerman
On Sun, Apr 11, 2004 at 05:31:55PM +0200, Torsten Werner wrote: > I have taken over the multi-gnome-terminal package recently and I have > found out that it has still the bugs described in > http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2 . I have > contacted the upstream author. Fur

Re: Positive press for Debian's security team

2004-04-07 Thread Matt Zimmerman
On Wed, Apr 07, 2004 at 10:41:24AM +0200, Florian Weimer wrote: > Matt Zimmerman wrote: > > > On Wed, Mar 31, 2004 at 09:22:38AM +0200, Florian Weimer wrote: > > > > > Chad Waters wrote: > > > > > > > Better metric: fix time from vendor'

Re: Positive press for Debian's security team

2004-04-06 Thread Matt Zimmerman
On Wed, Mar 31, 2004 at 09:22:38AM +0200, Florian Weimer wrote: > Chad Waters wrote: > > > Better metric: fix time from vendor's notification date > > The last DSA was released with a delay of 2.5 years... No idea what you are talking about. -- - mdz

Re: [SECURITY] [DSA 473-1] New oftpd packages fix denial of service

2004-04-05 Thread Matt Zimmerman
On Mon, Apr 05, 2004 at 11:33:53AM -0600, Joe Blackbird wrote: > I am not sure the CVE reference is correct for this issue. You forgot to include the reason why you are unsure. The CVE reference is correct; if your concern is that it isn't visible on the CVE website yet, that is normal. They do

Re: Positive press for Debian's security team

2004-03-30 Thread Matt Zimmerman
On Tue, Mar 30, 2004 at 05:24:29PM -0600, James Miller wrote: > > Positive press for Debian's security team. > > > > Using numbers from a pair of metrics, Forrester Research's > > recommendation was "businesses that value quick patches look to > > Microsoft and Debian". > > > > Full article at > >

Re: Known vulnerabilities left open in Debian?

2004-03-22 Thread Matt Zimmerman
On Mon, Mar 22, 2004 at 01:56:48PM -0800, Jamie Heilman wrote: > Matt Zimmerman wrote: > > If you have concrete information about unfixed bugs, bring it forth. > > Otherwise this is just more FUD. > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196590 Thanks; this is somet

Re: Known vulnerabilities left open in Debian?

2004-03-22 Thread Matt Zimmerman
On Mon, Mar 22, 2004 at 09:45:00PM +0100, Jan Lühr wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Greetings,... > > Am Montag, 22. März 2004 21:05 schrieb Matt Zimmerman: > > On Mon, Mar 22, 2004 at 08:57:26PM +0100, Jan Lühr wrote: > > > Cron i

Re: Known vulnerabilities left open in Debian?

2004-03-22 Thread Matt Zimmerman
On Mon, Mar 22, 2004 at 08:57:26PM +0100, Jan Lühr wrote: > Cron is another example Cron is another example of what? By all means, please elaborate. > - to be honest, the debian security team seems to be crippled by the > debian release policy. Because of this policy debian stable is insecure

Re: Known vulnerabilities left open in Debian?

2004-03-22 Thread Matt Zimmerman
On Mon, Mar 22, 2004 at 06:57:39PM +0100, Giacomo Mulas wrote: > There is a \begin{sarcasm} nice \end{sarcasm} article in > linuxworld Australia (see > http://www.linuxworld.com.au/index.php/id;1607539824;fp;2;fpid;1) which, > among other things, claims that "Debian (Debian GNU/Linux) has le

Re: Checking what running program are using old libraries

2004-03-18 Thread Matt Zimmerman
On Thu, Mar 18, 2004 at 10:03:34AM +, Ronny Adsetts wrote: > Whilst doing security upgrades this morning for openssl, it occurred to me > that lots of software that uses the openssl libraries will not > automatically get restarted and will therefore still be running with old > libraries and

Re: mozilla - the forgotten package?

2004-03-11 Thread Matt Zimmerman
On Thu, Mar 11, 2004 at 04:32:30PM +0100, Florian Weimer wrote: > There's no obvious solution. If Debian sticks to 1.0 on principle, > there's nothing we can do. It's unlikely we'll find a volunteer who > backports all those fixes to 1.0. I haven't found any commercial > distributor who still s

Re: mozilla - the forgotten package?

2004-03-10 Thread Matt Zimmerman
On Wed, Mar 10, 2004 at 05:06:12PM +0100, Florian Weimer wrote: > Jan Lühr wrote: > > > So is mozilla the forgotten package? Considering how popular mozilla is, > > making it secure would be worth the effort - imho. > > How many of Mozilla's security bugs which are fixed during routine > upgrades