On Sun, Apr 17, 2022 at 10:05:39AM +0200, Friedhelm Waitzmann wrote:
vendor_id : GenuineIntel
cpu family : 15
model : 2
model name : Intel(R) Pentium(R) 4 CPU 2.00GHz
stepping : 4
cpu MHz : 1993.656
cache size : 512 KB
?
Celeron 440 for sure is 64-
On Thu, Apr 14, 2022 at 02:34:22PM +0200, Elmar Stellnberger wrote:
On Wed, Apr 13, 2022 at 03:11:04PM -0400, Michael Stone wrote:
On Wed, Apr 13, 2022 at 08:18:30PM +0200, Levis Yarema wrote:
> What about Spectre /Meltdown? P3/P4/Pentium M systems don´t have that? Core 2
> systems
On Wed, Apr 13, 2022 at 08:18:30PM +0200, Levis Yarema wrote:
What about Spectre /Meltdown? P3/P4/Pentium M systems don´t have that? Core 2
systems to my knowledge can.
There's no reason to believe netburst systems are not affected by any of
the cpu issues identified in the past few years, but
On Wed, Apr 13, 2022 at 07:18:53PM +0200, Levis Yarema wrote:
If I could get an x64 CPU from a Linux pro, sure I would take it. Otherwise I
would not recommend just taking any old hardware in exchange for my working
one, since not all of it was easily well supported by Linux these days, as far
On Wed, Apr 13, 2022 at 05:32:10PM +0200, Odo Poppinger wrote:
I have a beloved P4 Gericom Frontman and I do not want to give it
away.
and that's fine, but it's increasingly unreasonable to try to run a
modern general purpose OS on hardware that's 20 years old. if the driver
is nostalgia, som
On Wed, Apr 13, 2022 at 03:44:00PM +0100, piorunz wrote:
On 12/04/2022 04:59, Friedhelm Waitzmann wrote:
You mean that it is possible to run amd64 on my old hardware
1#
vendor_id : GenuineIntel
cpu family : 6
model : 22
model name : Intel(R) Celeron(R) CPU 4
On Wed, Jan 13, 2021 at 09:49:43PM +0100, Christoph Pflügler wrote:
[ 0.00] microcode: microcode updated early to revision 0xd6,
date = 2019-10-03
[ 0.379026] SRBDS: Vulnerable: No microcode
[ 1.625090] microcode: sig=0x506e3, pf=0x2, revision=0xd6
[ 1.625215] microcode: Microcod
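Two checks behind the questions in these threads, written here as an added example (my code, not anything from the list or from Debian). cpu_is_64bit decides from a /proc/cpuinfo dump whether the CPU has long mode ("lm" in the flags line), i.e. whether an amd64 kernel can boot on it; vuln_summary reads the kernel's per-issue status files under /sys/devices/system/cpu/vulnerabilities/, which is also the first thing spectre-meltdown-checker consults. Both take a path argument so the constructed samples below can be checked without touching the host; the flags lines and the sysfs contents are illustrative, not copied from a real machine.

```shell
#!/bin/sh
# Added example: 64-bit capability from a cpuinfo dump, and the kernel's own
# CPU vulnerability reporting. Paths are parameters so samples can be used.

cpu_is_64bit() {          # cpu_is_64bit FILE -> exit 0 if "lm" is among the CPU flags
    awk '
        /^flags[[:space:]]*:/ {
            for (i = 2; i <= NF; i++) if ($i == "lm") found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

cpu_model() {             # cpu_model FILE -> "model name" of the first CPU listed
    sed -n 's/^model name[[:space:]]*:[[:space:]]*//p' "$1" | head -n 1
}

vuln_summary() {          # vuln_summary [DIR] -> "<issue>: <status>" per sysfs file
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    [ -d "$dir" ] || { echo "no vulnerability reporting under $dir" >&2; return 1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

vuln_count_vulnerable() { # vuln_count_vulnerable [DIR] -> number of entries reported "Vulnerable"
    vuln_summary "$1" | grep -c '^[^:]*: Vulnerable' || true
}

SAMPLE_DIR=$(mktemp -d)

# Constructed cpuinfo excerpts: a NetBurst Pentium 4 with no "lm" flag, and a
# Core-era Celeron that has it. Flags are illustrative.
cat > "$SAMPLE_DIR/p4.cpuinfo" <<'EOF'
vendor_id   : GenuineIntel
cpu family  : 15
model       : 2
model name  : Intel(R) Pentium(R) 4 CPU 2.00GHz
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht
EOF
cat > "$SAMPLE_DIR/celeron.cpuinfo" <<'EOF'
vendor_id   : GenuineIntel
cpu family  : 6
model       : 22
model name  : Intel(R) Celeron(R) CPU 440 @ 2.00GHz
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ssse3 syscall nx lm
EOF

# Constructed sysfs tree, mirroring the "SRBDS: Vulnerable: No microcode" boot line
mkdir "$SAMPLE_DIR/vuln"
echo 'Vulnerable: No microcode' > "$SAMPLE_DIR/vuln/srbds"
echo 'Mitigation: PTI'          > "$SAMPLE_DIR/vuln/meltdown"
echo 'Vulnerable'               > "$SAMPLE_DIR/vuln/spec_store_bypass"
echo 'Not affected'             > "$SAMPLE_DIR/vuln/l1tf"

for f in "$SAMPLE_DIR"/*.cpuinfo; do
    if cpu_is_64bit "$f"; then verdict="can run amd64"; else verdict="32-bit only"; fi
    printf '%s: %s\n' "$(cpu_model "$f")" "$verdict"
done
vuln_summary "$SAMPLE_DIR/vuln"
# On the real machine: cpu_is_64bit /proc/cpuinfo; vuln_summary
```

A "Vulnerable: No microcode" status on a CPU Intel no longer ships microcode for is exactly the accept-the-risk-or-replace-it situation described further down; the sysfs files show it without any extra package, and updated microcode (intel-microcode, loaded early by the initramfs) is what changes it where an update exists.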
On Tue, Jan 12, 2021 at 05:25:23PM +0100, Giacomo Catenazzi wrote:
In any case, according Intel, microcode should be updated by BIOS
I wonder if anyone from intel can manage to say that with a straight face.
On Fri, Jan 08, 2021 at 10:48:30PM +0100, Christoph Pflügler wrote:
On 08.01.21 22:34, Michael Stone wrote:
On Fri, Jan 08, 2021 at 09:12:53PM +0100, Christoph Pflügler wrote:
Installing package intel-microcode in Debian 10 (Buster) mitigates
most vulnerabilities as per spectre-meltdown
On Fri, Jan 08, 2021 at 09:12:53PM +0100, Christoph Pflügler wrote:
Installing package intel-microcode in Debian 10 (Buster) mitigates
most vulnerabilities as per spectre-meltdown-checker. However,
CVE-2018-3640 and CVE-2018-3615 are still displayed as unmitigated
after reboot, with spectre-mel
On Tue, Jun 11, 2019 at 08:00:49PM +0200, Davide Prina wrote:
On 10/06/19 20:31, Michael Stone wrote:
On Mon, Jun 10, 2019 at 07:46:47PM +0200, Davide Prina wrote:
On 10/06/19 13:16, Michael Stone wrote:
Your CPU is not supported by Intel, so you either accept the
risk or buy a new one.
you
On Mon, Jun 10, 2019 at 07:46:47PM +0200, Davide Prina wrote:
On 10/06/19 13:16, Michael Stone wrote:
Your CPU is not supported by Intel, so you either accept the risk or
buy a new one.
you have another choice: disable the SMP & C. and all mitigation from Linux
That's not correct,
On Mon, Jun 10, 2019 at 02:01:25PM +1000, Russell Coker wrote:
I just discovered the spectre-meltdown-checker package (thanks Sylvestre for
packaging this).
model name : Intel(R) Core(TM)2 Quad CPUQ9505 @ 2.83GHz
On a system with the above CPU running Debian/Testing I get the followin
On Thu, Oct 13, 2016 at 02:45:29PM -, te3...@sigaint.org wrote:
As you asked me for a specific case, may I bring up CVE-2016-5696.
A fix to the medium-risk vulnerability was uploaded on July 10, 2016 by
Eric Dumazet (cf.
https://github.com/torvalds/linux/commit/75ff39ccc1bd5d3c455b6822ab09e5
On Wed, Oct 12, 2016 at 10:43:41AM -, te3...@sigaint.org wrote:
1. If I understood correctly the contents of your reply, on what basis
does the Debian security team assess the severity of each security
vulnerability? What are those criteria?
You'll find that there's a lot of criticism of CV
On Wed, Jul 20, 2016 at 03:27:56PM +0200, Christoph Anton Mitterer wrote:
I had a small mail conversation with Dominic Scheirlinck (one of the
"original" people discovering that issue), and in principle he seemed
to confirm that the above could happen, while of course it's less
likely than with ht
On Tue, May 17, 2016 at 04:02:37PM +0800, seamli...@gmail.com wrote:
BoringSSL is also free software, as long as there are maintainers who
are willing to spend time on it, I think it has rights to exist in
Debian. Well I have been contributing to Debian for not long, so
please point out my mis
On Tue, Apr 12, 2016 at 08:56:35PM -0300, Henrique de Moraes Holschuh wrote:
Then, maybe we should consider a better way to deal with areas where you
get only one choice out of geoip?
Reach out to the relevant team outlining your issues (e.g., lack of IPv6
connectivity)? Advising people to har
On Tue, Apr 12, 2016 at 04:19:20PM -0300, Henrique de Moraes Holschuh wrote:
We don't disclose which mirrors are members of the security.debian.org
pool anywhere (that I could find), so we are currently hiding everything
behind security.debian.org. This wasn't a problem when a DNS lookup for
secu
On Wed, Mar 23, 2016 at 10:59:34AM +0800, Paul Wise wrote:
I think Debian needs to go towards the approach of VRDX-SIG and do
identifier cross-referencing instead of settling on *one* system for
referring to security vulnerabilities. Internally, we would continue
to use CVEs and CVE-2016- for
On Wed, Feb 17, 2016 at 10:58:01AM +0100, Jan Lühr wrote:
Comparing the age (2015-07) and the severity: Can you give some details
on the situation? Why was the bug fixed so late?
https://sourceware.org/bugzilla/show_bug.cgi?id=18665
Mike Stone
On Tue, Jun 02, 2015 at 02:01:47PM +, Thorsten Glaser wrote:
Michael Stone debian.org> writes:
You can mitigate it right now by reconfiguring your server to remove DH
ciphers from SSLCipherSuite.
That’s throwing the baby out with the bathwater and removing the
ability to use PFS w
On Wed, May 20, 2015 at 12:47:35PM -0400, Dan Ritter wrote:
Is there any chance of getting Logjam ( https://weakdh.org/ )
mitigation for Wheezy packages?
You can mitigate it right now by reconfiguring your server to remove DH
ciphers from SSLCipherSuite.
Mike Stone
--
To UNSUBSCRIBE, email
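The mitigation above, and the objection in the June 2015 reply that dropping DH throws away forward secrecy, can both be checked against the local OpenSSL. This is an added example (my script, not a Debian tool): it expands an Apache SSLCipherSuite string with `openssl ciphers -v` and counts which key exchanges survive. Finite-field DH (Kx=DH) is what weakdh.org is about; ECDHE (Kx=ECDH) is untouched by "!DH:!EDH" and keeps PFS. It assumes an `openssl` binary on PATH; the suite strings are illustrative, not any Debian default.

```shell
#!/bin/sh
# Added example: which key exchanges an SSLCipherSuite string still admits,
# as seen by the local OpenSSL. Requires `openssl` on PATH.

kx_count() {              # kx_count SUITE KX -> number of ciphers in SUITE using key exchange KX
    openssl ciphers -v "$1" 2>/dev/null | awk -v kx="Kx=$2" '$3 == kx' | wc -l | tr -d ' '
}

dh_ciphers_admitted() {   # finite-field DH ciphers (the Logjam-relevant ones) in SUITE
    kx_count "$1" DH
}

ecdhe_ciphers_admitted() { # ECDHE ciphers in SUITE, i.e. forward secrecy that remains
    kx_count "$1" ECDH
}

suite_report() {          # suite_report SUITE -> one-line verdict
    dh=$(dh_ciphers_admitted "$1"); ec=$(ecdhe_ciphers_admitted "$1")
    if [ "$dh" -gt 0 ]; then
        printf 'finite-field DH still enabled (%s ciphers), ECDHE: %s  <- %s\n' "$dh" "$ec" "$1"
    else
        printf 'no finite-field DH, ECDHE: %s  <- %s\n' "$ec" "$1"
    fi
}

# A typical pre-Logjam string and the same string with DH removed (constructed)
WEAK_SUITE='HIGH:!aNULL:!MD5'
FIXED_SUITE='HIGH:!aNULL:!MD5:!DH:!EDH'

suite_report "$WEAK_SUITE"
suite_report "$FIXED_SUITE"
```

In the Apache config that corresponds to `SSLCipherSuite HIGH:!aNULL:!MD5:!DH:!EDH`; clients that only speak ECDHE or RSA key exchange are unaffected, and the ECDHE count in the report is the PFS that remains.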
On Thu, Feb 19, 2015 at 07:29:29AM -0600, John Goerzen wrote:
However, part of what I was trying to figure out here is: do we have a
lot of unpatched vulnerabilities in our archive?
Yes. Every system (not just debian) has unpatched vulnerabilities. In
some cases those vulnerabilities are known
On Thu, Feb 05, 2015 at 09:38:11AM +0100, Paul van der Vlis wrote:
On 05-02-15 at 00:54, Holger Levsen wrote:
and then finally, sometime later in 2014, security support for oldstable was
finally introduced for the first time.
There was always a year of security support for oldstable (sometimes w
[I suggested using ftp.us.debian.org rather than http.debian.net because
of problems with squeeze-lts on the latter]
On Thu, Feb 05, 2015 at 01:57:34PM +0100, Ml Ml wrote:
Looks good!
Who can report this? :)
CC'd the http.debian.net maintainer.
Jens, you wrote the original wiki page, is the
On Thu, Feb 05, 2015 at 01:34:36PM +0100, Ml Ml wrote:
can anyone confirm this?:
# cat /etc/apt/sources.list
deb http://http.debian.net/debian/ squeeze main contrib non-free
deb-src http://http.debian.net/debian/ squeeze main contrib non-free
deb http://http.debian.net/debian squeeze-lts main
On Thu, Sep 25, 2014 at 10:54:38AM -0300, Henrique de Moraes Holschuh wrote:
I suggest everyone to do a spring cleanup in the login shells for system
accounts, and to deploy mitigation.
In general it's a good idea to have /bin/sh point to something other
than bash. That's the default on curren
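The cleanup suggested above, as an added example (my script, not from the list): it walks a passwd(5) file and reports system accounts (uid below 1000 on Debian) whose login shell is bash outright, plus those whose /bin/sh is quietly bash on this host. The passwd content is constructed; on a real system pass /etc/passwd and let sh_target resolve the live /bin/sh.

```shell
#!/bin/sh
# Added example: which system accounts end up in bash, directly or via /bin/sh.

sh_target() {             # sh_target [PATH] -> basename of what /bin/sh resolves to (GNU readlink)
    basename "$(readlink -f "${1:-/bin/sh}")"
}

accounts_with_shell() {   # accounts_with_shell PASSWD SHELLNAME [UID_MAX] -> "name:uid:shell"
    awk -F: -v want="$2" -v max="${3:-1000}" '
        $3 < max {
            n = split($7, p, "/")
            if (p[n] == want) printf "%s:%s:%s\n", $1, $3, $7
        }' "$1"
}

risky_system_shells() {   # risky_system_shells PASSWD [SH_TARGET] -> accounts whose shell is bash in the end
    passwd=$1; target=${2:-$(sh_target)}
    accounts_with_shell "$passwd" bash
    [ "$target" = bash ] && accounts_with_shell "$passwd" sh
    return 0
}

# Constructed passwd file; "backup" with /bin/bash is the kind of leftover to catch
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/bash
mysql:x:105:110:MySQL Server:/nonexistent:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

echo "with /bin/sh -> dash:"; risky_system_shells "$SAMPLE_PASSWD" dash
echo "with /bin/sh -> bash:"; risky_system_shells "$SAMPLE_PASSWD" bash
# Fixes on Debian: dpkg-reconfigure dash (so /bin/sh is dash), and for accounts
# that never log in interactively: usermod -s /usr/sbin/nologin backup
```

root shows up in the list too; keeping bash there is a deliberate choice rather than a leftover, but it is worth seeing it stated.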
On Wed, Sep 03, 2014 at 11:34:46AM -0700, Jameson Graef Rollins wrote:
Is 20MB really a lot? That seems like essentially nothing to me
nowadays. I'm in the middle of a 2.2GB upgrade right now.
It sure is for people doing minimal installations in a number of
contexts. Yeah, it's nothing compa
On Tue, Sep 02, 2014 at 01:41:05PM -0700, Jameson Graef Rollins wrote:
This package is "Priority: optional", and therefore not installed by
default. What about just making it "important" or "required"?
On my system it pulled in more than 20MB of dependencies. That's a lot
to push onto every d
On Thu, Jul 17, 2014 at 12:55:10PM -0400, Hans-Christoph Steiner wrote:
Not without modifying the apt config. The point here is to have a working
system that is tested and audited, rather than just a set of instructions or
recommendations.
That would be why you'd create a wrapper to facilitate
On Wed, Jul 16, 2014 at 01:45:36AM +0200, Holger Levsen wrote:
AIUI Hans-Christoph wants something else _also_, not instead. And technically
I think those signed .debs even exist already, via hashes in signed .changes
files. Or am I getting something wrong?
Yes you are--what you described is ex
On Tue, Jul 15, 2014 at 04:24:38PM -0400, Hans-Christoph Steiner wrote:
I'm not saying that adding .deb signature validation to `dpkg -i` would be
trivial and without risk. But the idea of validating signed package files on
install is hardly revolutionary or even novel any more. Indeed it is pre
On Tue, Jul 15, 2014 at 01:28:08PM -0400, Hans-Christoph Steiner wrote:
How do you propose managing a distro that mostly needs apt as is, but other
times need "Acquire::Check-Valid-Until off;"? In other words, how would you
manage a distro that sometimes uses apt as it was designed, and other ti
On Mon, Jul 14, 2014 at 01:22:10PM -0400, Hans-Christoph Steiner wrote:
Or, you could make use of the Check-Valid-Until and Min-ValidTime options in
apt.conf. There's a reason things are done the way they are, and you probably
aren't going to find a lot of interest in getting people to do a lot o
On Mon, Jul 14, 2014 at 12:45:38PM -0400, Hans-Christoph Steiner wrote:
One place that this will help a lot is managing completely offline machines,
like machines for running secure build and signing processes. Right now, in
order to install a package securely on an offline machine, I have to ma
On Wed, Jul 09, 2014 at 11:56:43PM -0400, Darius Jahandarie wrote:
Someone who is unwilling to click past the first link /now/ may become
very willing to continue clicking once they read it.
"Debian will not protect you against nation-state adversaries" is a
very useful bit of information for ma
On Wed, Jul 09, 2014 at 10:24:18PM -0600, Kitty Cat wrote:
I seem to remember being offered security updates for the kernel, OpenSSL, SSH,
etc. where my only option was to download
untrusted packages. I would get warning messages from aptitude about installing
security updates.
Probably a confi
On Wed, Jul 09, 2014 at 11:11:44PM -0400, Darius Jahandarie wrote:
If Tux Q. Debiannewbie doesn't know what adversaries with what powers
they are/aren't protected against for their use cases without looking
hard and being a security expert, it's hard to make serious claims
that Debian is actually
On Wed, Jul 09, 2014 at 10:15:59PM -0400, Darius Jahandarie wrote:
It would be nice for this information to be somewhere more formal than
in mailing list archives. Threat models are becoming increasingly
important to convey to end users.
The mailing list discussion referenced the sources...
On Wed, Jul 09, 2014 at 06:29:09PM -0600, Kitty Cat wrote:
For years I have been concerned with MITM attacks on Debian mirrors.
We discussed this literally within the past couple of months on this
list, at length. Have you read the archives, including the posts about
how to establish a trust
On Sat, Jul 05, 2014 at 08:54:55AM +0900, Joel Rees wrote:
And you know, the funny thing is that MSIE took to "warning" people
when there was a mix of encrypted and unencrypted data on a page. How
long ago? Yeah, I know, it was so they could display that red herring
of a lock for "secured pages".
On Thu, Jul 03, 2014 at 12:46:45PM -0400, Hans-Christoph Steiner wrote:
Google uses SPKI pinning heavily, for example,
but they still use CA-signed certificates so their HTTPS works with Firefox,
IE, Opera, etc.
Yes, and MS does similar. The difference is, they own their
infrastructure and deb
On Thu, Jul 03, 2014 at 11:05:17AM -0400, Hans-Christoph Steiner wrote:
I definitely agree there are legitimate concerns that using HTTPS on apt
mirrors would help, and people who suggest otherwise are out of date on what
the threats are. I think the integrity of the package itself is not reas
On Tue, Jun 10, 2014 at 02:08:48PM +0200, Matus UHLAR - fantomas wrote:
I want to say that debian LTS team are volunteers, but they are not "other"
than debian security team, because some of them are in both teams.
afaik "other" would imply that people from LTS are not in the debian
security tea
On Fri, May 30, 2014 at 09:43:47PM +0200, Erwan David wrote:
Note that at least debian.org DNS is signed by DNSSEC and DANE is used,
which allows to check that the certificate used by a debian.org site is
the real one.
We're not at the point where that can be relied on in the real world.
There
On Fri, May 30, 2014 at 10:35:58AM -0700, Jeremie Marguerie wrote:
In the end, the PPA can do pretty much whatever it wants from your
system and this is scary. This is a hard problem to protect against
and the only protection I see is... only install PPAs you can trust.
Yup; any pinning mechani
On Sat, May 31, 2014 at 12:46:12AM +1000, Alfie John wrote:
Sorry for asking questions.
Don't apologize for asking questions, it's perfectly reasonable to do so
and you'll find that many people in debian are more than happy to answer
questions. Just make sure that you put in enough effort you
On Sat, May 31, 2014 at 12:32:59AM +1000, Alfie John wrote:
I'm definitely wanting to engage in serious discussion. I'm an avid
Debian user and am wanting to protect its users. This *is* the Debian
security mailing list after all right? All I was trying to do is ask
questions as to why it is curr
On Sat, May 31, 2014 at 12:11:28AM +1000, Alfie John wrote:
On Sat, May 31, 2014, at 12:06 AM, micah anderson wrote:
. keeps an adversary who may be listening on the wire from
looking at what you are installing. who cares what you are
installing? well it turns out tha
On Fri, May 30, 2014 at 11:50:32PM +1000, Alfie John wrote:
Several times (public and private) I tried to explain how the download
of APT (the binary itself) on an initial Debian install could be
compromised via MITM since it's over plaintext. Then the verification of
packages could simply be ski
On Fri, May 30, 2014 at 11:25:58PM +1000, Alfie John wrote:
Well yes, that's something. But serving Debian over HTTPS would prevent
the need for this.
No, it wouldn't--you'd just have a different set of problems. Given that
mirrors are distributed, it would probably be much more likely that
y
On Fri, May 30, 2014 at 09:24:47AM -0400, Michael Stone wrote:
That's why you verify the initial install media per the link I posted
earlier...
Oh, and those key fingerprints are on an https page for those who
actually trust the CA system.
On Fri, May 30, 2014 at 11:13:31PM +1000, Alfie John wrote:
As what I posted earlier, all you would need to do is to MITM the
install of APT during an install. Who cares what the signatures look
like since you've NOPed the checksumming code!
That's why you verify the initial install media per t
On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote:
What's stopping the attacker from serving a compromised apt?
https://www.debian.org/CD/verify
On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
The public Debian mirrors seem like an obvious target for governments to
MITM. I know that the MD5s are also published, but unless you're
verifying them with third parties, what's stopping the MD5s being
compromised too?
The cryptograp
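The answer in this thread (verify the install media, then let apt's signatures carry the trust from there) rests on two steps from https://www.debian.org/CD/verify: a detached GPG signature on the checksum file ties the download to Debian, and the checksum ties the image to that file. Here they are as shell functions, an added example of mine rather than anything Debian ships. It assumes GNU coreutils (sha512sum) and, for the signature step, gpg with the CD signing key already imported; the files below are constructed, so only the checksum step is exercised.

```shell
#!/bin/sh
# Added example: the two verification steps for a downloaded image.

verify_sums_signature() { # verify_sums_signature SUMS SIG -> 0 if SIG is a good detached signature on SUMS
    gpg --verify "$2" "$1"
}

verify_image() {          # verify_image SUMS IMAGE -> 0 on match, 1 on mismatch, 2 if IMAGE is not listed
    sums=$1; image=$2
    line=$(grep -E "[[:space:]][*]?$(basename "$image")\$" "$sums") || {
        echo "no entry for $(basename "$image") in $sums" >&2; return 2; }
    (cd "$(dirname "$image")" && printf '%s\n' "$line" | sha512sum -c --status)
}

# Constructed stand-ins for a downloaded image and its SHA512SUMS file
WORK=$(mktemp -d)
printf 'not a real Debian image, constructed for the example\n' > "$WORK/debian-sample.iso"
( cd "$WORK" && sha512sum debian-sample.iso > SHA512SUMS )
mkdir "$WORK/alt"
printf 'different bytes under the same name\n' > "$WORK/alt/debian-sample.iso"

if verify_image "$WORK/SHA512SUMS" "$WORK/debian-sample.iso"; then echo "image matches SHA512SUMS"; fi
if ! verify_image "$WORK/SHA512SUMS" "$WORK/alt/debian-sample.iso"; then echo "altered image rejected"; fi
# Real use, in the download directory:
#   verify_sums_signature SHA512SUMS SHA512SUMS.sign && verify_image SHA512SUMS debian-*.iso
```

Without the signature step the checksum only proves the image matches whatever checksum file you fetched, which an attacker in the middle of a plain-HTTP download could have replaced along with the image.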
On Sat, Nov 30, 2013 at 06:30:50PM -0600, Jordon Bedwell wrote:
On Nov 30, 2013 6:29 PM, "Bernhard R. Link" wrote:
I think the only answer to those lines is to advise you to not use
any programs written in C. I suggest writing everything in Haskell
and compiling that to java byte code run in a
On Mon, Nov 25, 2013 at 03:10:07PM -0700, Bob Proulx wrote:
In those systems the zero page is initially bit-zero and reading from
the zero point will return zero values from the contents there. If
the program writes to the zero page then subsequent reads will return
whatever was written there.
On Sun, Sep 01, 2013 at 12:36:59PM +0200, Florian Weimer wrote:
How so? The code that performs the signature check (or reports the
failure) relies on bits that we (Debian) ship. It's impossible to
bootstrap trust, unless you already trust Debian.
There's no such thing as perfect security, onl
On Thu, Aug 29, 2013 at 11:35:47AM +0200, Sébastien Le Ray wrote:
Yes but the whole thing looks weird, on one hand OP wants to include a
signed jar in the package, on the other hand he says "signature could be
omitted if quick update is needed"… What's the point having signed JAR
if unsigned JAR
On Wed, Aug 07, 2013 at 05:26:24PM +0100, Daniel Sousa wrote:
I think most of you are focusing on servers running Debian, but when I asked
the question I was thinking about personal computers.
For example, if there are any vulnerabilities on ssh, they won't be able to get
into my computer anyway
On Mon, Aug 05, 2013 at 09:11:21PM +0100, Joe wrote:
I don't think there is a goal, I think we are all ruefully conceding
that the much-vaunted Open Source process is simply unable to deliver
trustworthy code, since the process of compiling the Open Sources
to binary involves using utterly un-aud
On Sun, Aug 04, 2013 at 05:13:51PM +0100, Daniel Sousa wrote:
First of all, they could apply that change (calling it a patch was not one of
my greatest ideas) for every update they do, it's not necessarily a one-time
thing. It's also much easier (and probably much more dangerous) to write some code
th
On Sun, Aug 04, 2013 at 10:12:40AM +0200, Heimo Stranner wrote:
I think the real issue is about if the malicious patch is not part of
the source package
Why? It certainly makes your argument simpler if you arbitrarily
restrict the problem set, but it isn't obvious that it makes sense. If I
wa
On Thu, Apr 15, 2010 at 02:29:58PM -0600, Jason Kolpin wrote:
seem to simply refuse to work with. I fail to understand this, and I'm
no genius but there must be a way for the entire Debian team to figure
some sort of elegant, permanent, and secure solution to this whole thing
instead of patc
On Wed, Jan 13, 2010 at 06:18:02PM -0600, Boyd Stephen Smith Jr. wrote:
IPv6 uses path MTU detection.
So does IPv4 these days, doesn't mean people don't break it. :-)
Mike Stone
On Wed, Jan 13, 2010 at 08:59:18PM +0100, Martin Zobel-Helas wrote:
Can you give us a tcptraceroute6 to from your machine to security.d.o?
Also, can you download from other servers with ipv6? Could be local mtu
issue if nothing works. (Ping would be ok, but large TCP downloads would
flake out
On Wed, Jan 13, 2010 at 05:37:20PM +0100, Eelco Jepkema wrote:
;; ANSWER SECTION:
security.debian.org.    263    IN    AAAA    2001:a78::16
security.debian.org.    263    IN    AAAA    2001:8d8:2:1:6564:a62:0:2
security.debian.org.    263    IN    AAAA    2001:a78::1a
This seems to wor
On Wed, Nov 25, 2009 at 01:28:41AM +0100, Bernd Eckenfels wrote:
In article <0e753136-d929-11de-9b6a-001cc0cda...@msgid.mathom.us> you wrote:
My inclination is to say that this sort of thing is largely
unsupportable in a debian release. It's fine for unstable, but 2-3 years
from now is anyone g
On Tue, Nov 24, 2009 at 07:18:29PM +0100, Gabriele Giacone wrote:
it is not possible to build instantbird with system libpurple.
I forward you the instantbird developer explanation and Mike Hommey
point of view.
What do you think about? Can a package like this be accepted?
If you want to take a
On Wed, Jul 08, 2009 at 11:18:43PM +0200, Sebastian Posner wrote:
Jim Popovitch wrote:
Is there a way to force keys AND passwd verification?
Normally you'd want to DISABLE PasswordAuthentication and
ChallengeResponseAuthentication
...
Something that would indeed be interesting is a way to en
On Fri, Jun 19, 2009 at 01:56:05PM +0200, Josselin Mouette wrote:
On Friday 19 June 2009 at 12:54 +0200, Jaap Keuter wrote:
> What I've noticed is that Debian (still) requires the user to run
> Wireshark with root credentials in order to be able to launch a
> network
> capture. Otherwise the
On Mon, Jun 01, 2009 at 12:31:04PM +0100, Marcin Owsiany wrote:
Note that this seems to be a simple "expect(1)" script which runs a
shell. Not necessarily an indication of anything apart from a possible
attacker trying to exploit something using expect.
It's also an indication that the attacker
On Mon, Jun 01, 2009 at 10:46:54AM +0200, Johann Spies wrote:
I am a bit worried that my computer has been compromised.
...
I think the last three lines are not problematic but in /dev/shm/r I found:
spawn /bin/bash
interact
Do I have reason to be worried?
Yes, that's a typical location fo
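A sweep for the pattern quoted above, as an added example (mine, not from the list): expect(1) scripts in the world-writable scratch directories attackers favour (/dev/shm, /tmp, /var/tmp) whose "spawn" starts a shell, plus a listing of executables in those directories, which on a box whose scratch mounts carry noexec should be empty. Directory arguments let the constructed tree below be scanned instead of the host.

```shell
#!/bin/sh
# Added example: find shell-spawning expect scripts and executables in scratch dirs.

shell_spawning_scripts() { # shell_spawning_scripts DIR... -> files containing a "spawn <shell>" line
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
            grep -Eq '^[[:space:]]*spawn[[:space:]]+(/bin/|/usr/bin/)?(ba|da|z|k)?sh([[:space:]]|$)' "$f" 2>/dev/null \
                && printf '%s\n' "$f"
        done
    done
    return 0
}

executables_in() {        # executables_in DIR... -> regular files with any execute bit set
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null
    done
}

# Constructed scratch tree: the expect script from the report, a harmless note,
# and an executable dropped where nothing should be executable
SCRATCH=$(mktemp -d)
mkdir "$SCRATCH/shm" "$SCRATCH/tmp"
cat > "$SCRATCH/shm/r" <<'EOF'
#!/usr/bin/expect
spawn /bin/bash
interact
EOF
printf 'just a note\n' > "$SCRATCH/tmp/notes.txt"
printf '#!/bin/sh\necho hi\n' > "$SCRATCH/tmp/dropper"; chmod 755 "$SCRATCH/tmp/dropper"

echo "expect scripts spawning a shell:"; shell_spawning_scripts "$SCRATCH/shm" "$SCRATCH/tmp"
echo "executables in scratch space:";   executables_in "$SCRATCH/shm" "$SCRATCH/tmp"
# Live: shell_spawning_scripts /dev/shm /tmp /var/tmp
# and see whether it is running:  ps -eo pid,user,args | grep '[e]xpect'
```

A hit is a starting point for incident handling, not proof by itself: what matters next is which user owns the file, what process is running it and how it got there.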
On Mon, Feb 23, 2009 at 07:27:14PM +0100, Kurt Roeckx wrote:
I think one of the reasons why clamav is in volatile is that the engine
might need updating to detect new viruses. Is that something you
want to support in stable-security?
I think there's a couple of questions to answer:
1) is there any
On Wed, Dec 31, 2008 at 02:15:18PM -0500, Micah Anderson wrote:
Does anyone have a legitimate reason to trust any particular Certificate
Authority?
Of course--some charge *lots* of money, and we all know that expensive
bits are better than cheap bits.
Mike Stone
On Thu, Aug 28, 2008 at 02:37:37PM -0700, Steve Langasek wrote:
On Thu, Aug 28, 2008 at 09:36:41AM +0200, Giacomo A. Catenazzi wrote:
auth.log was invented for this reason, and separated to standard log:
it should be readable only by root,
Then there is a bug in another package if this is what
On Mon, Jul 28, 2008 at 03:20:56PM +0200, Frédéric PICA wrote:
In the tool I'm developing, I rely on the package channel to know if
a package was installed because of a security concern or not (never
mind if this is a minor one or not)
and now I can't be sure of the update type.
Is there a more
On Mon, Jul 21, 2008 at 06:43:31PM -0500, JW wrote:
This has turned into an unexpected nightmare: my users have, between them all,
dozens of cached host keys, and they are nearly unable to work because every
time they turn around they're getting bad-old-cached-key warnings (REMOTE
HOST IDENTIFI
On Fri, Jul 18, 2008 at 09:56:45PM +0200, Goswin von Brederlow wrote:
See the latest DNS vulnerability about how you can compromise a clients
DNS without having to hack a DNS server.
Thanks, I had heard of it. Note that you ignored the part about keeping
it compromised. For this attack to be s
On Fri, Jul 18, 2008 at 01:17:43PM +0200, Goswin von Brederlow wrote:
Or just one DNS server or even just the users client.
You'd also have to keep the DNS server wrong. Doing this in a manner
that people don't notice is (IMO) hard, because people do go looking for
particular security updates
On Thu, Jul 17, 2008 at 03:54:02PM -0400, Jim Popovitch wrote:
But as long as Release.gpg/Timestamp.gpg are local to the mirror(s),
and not only on a master, the various .gpg files and packages can,
even though difficult, be modified on the single mirror. IMHO,
verification needs to have an alt
On Thu, Jul 17, 2008 at 11:30:12AM -0400, Micah Anderson wrote:
Although PGP-signed Release file prevent tampering with files, the
attack doesn't require tampering with files or tampering with signed
release files. If I were to MitM security.debian.org, I could provide
an outdated (yet properly s
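The replay described above (an old but validly signed Release served to a client) is what a Valid-Until field and apt's Acquire::Check-Valid-Until option exist to catch, and the Min-ValidTime / Max-ValidTime options mentioned in the July 2014 exchange about offline machines tune how long a Release stays acceptable. As an added example (mine, not apt's own code) here is the same check done by hand over a Release file, so a mirror's freshness can be audited outside apt. It assumes GNU date for parsing the RFC-2822 timestamps; the Release texts below are constructed.

```shell
#!/bin/sh
# Added example: Valid-Until / Date checks on a Release file, as apt does them.

release_field() {         # release_field FILE NAME -> value of the top-level "NAME:" line
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

release_is_fresh() {      # release_is_fresh FILE [NOW_EPOCH] -> 0 fresh, 1 expired, 2 no Valid-Until, 3 unparseable
    file=$1; now=${2:-$(date -u +%s)}
    until=$(release_field "$file" Valid-Until)
    [ -n "$until" ] || return 2
    until_epoch=$(date -u -d "$until" +%s 2>/dev/null) || return 3
    [ "$now" -le "$until_epoch" ]
}

release_age_days() {      # release_age_days FILE [NOW_EPOCH] -> whole days since the Date: header
    now=${2:-$(date -u +%s)}
    made=$(date -u -d "$(release_field "$1" Date)" +%s) || return 3
    echo $(( (now - made) / 86400 ))
}

# Constructed Release files: one already expired, one with an expiry far ahead,
# and one without Valid-Until at all (the case a replay relies on)
REL=$(mktemp -d)
cat > "$REL/stale.Release" <<'EOF'
Origin: Debian
Label: Debian-Security
Suite: stable
Date: Thu, 17 Jul 2008 16:00:00 UTC
Valid-Until: Thu, 24 Jul 2008 16:00:00 UTC
Architectures: amd64 i386
EOF
cat > "$REL/current.Release" <<'EOF'
Origin: Debian
Label: Debian-Security
Suite: stable
Date: Thu, 17 Jul 2008 16:00:00 UTC
Valid-Until: Fri, 01 Jan 2100 00:00:00 UTC
Architectures: amd64 i386
EOF
cat > "$REL/noexpiry.Release" <<'EOF'
Origin: Debian
Suite: stable
Date: Thu, 17 Jul 2008 16:00:00 UTC
EOF

for f in "$REL"/*.Release; do
    release_is_fresh "$f"; rc=$?
    case $rc in
        0) s="fresh" ;; 1) s="EXPIRED (possible replay of an old mirror state)" ;;
        2) s="no Valid-Until: expiry cannot be checked, rely on Max-ValidTime" ;; *) s="unparseable date" ;;
    esac
    printf '%s: %s (Date is %s days old)\n' "$(basename "$f")" "$s" "$(release_age_days "$f")"
done
# Live: release_is_fresh /var/lib/apt/lists/security.debian.org_*_Release
```

Turning Check-Valid-Until off for an offline machine reopens exactly this replay; Acquire::Max-ValidTime bounds acceptance relative to the Date header even when no Valid-Until is present, and Acquire::Min-ValidTime is the knob for a mirror that is legitimately slow to update, so those are the settings to reach for before disabling the check.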
On Thu, Jul 17, 2008 at 04:46:54PM +0200, Daniel Leidert wrote:
Today there were some news about a study from the University of Arizona
regarding security issues with package management systems (like apt). I
did not yet read the whole study, but probably it's interesting for the
project (they wri
On Fri, May 23, 2008 at 04:31:15PM +0200, you wrote:
* Dirk-Willem van Gulik:
Could be. Anyway, I'm ready to disprove any false positive claims by
providing key material. So far, that's been quite successful.
Do you have the key below on your list?
Yes, I have. It's being worked on.
Does th
I'd suggest posting your sshd_config & your ssh -v output.
Mike Stone
On Wed, Apr 23, 2008 at 09:14:28AM +0200, Vladislav Kurz wrote:
This might be a little off-topic, but I'd like to know if there is a
definition of what is a "security issue" ? Once I learned that security
consists of confidentiality, integrity and availability. And data corruption
destroys inte
On Sun, Mar 16, 2008 at 03:30:46AM -0400, Filipus Klutiero wrote:
The most popular derivative, CentOS, does provide security support.
You realize that this consists essentially of recompiling the relevant
RHEL update, right? Note that the CentOS advisory even references the
parent RHEL adviso
On Mon, Jul 09, 2007 at 04:24:30PM +1000, Russell Coker wrote:
On Monday 02 July 2007 11:35, Anders Breindahl <[EMAIL PROTECTED]> wrote:
In servers, you might want to trust physical security, since
whole-system encryption incurs a performance degradation. (However, on a
reasonably recent system,
On Thu, Jun 14, 2007 at 11:37:33AM +0200, Steffen Schulz wrote:
On 070614 at 00:00, Michael Stone wrote:
On Wed, Jun 13, 2007 at 11:14:15PM +0200, Steffen Schulz wrote:
>http://www.cits.rub.de/MD5Collisions/
>One example how to create two files with same hash that act
>differently. Sh
On Wed, Jun 13, 2007 at 11:14:15PM +0200, Steffen Schulz wrote:
On 070613 at 10:43, Florian Weimer wrote:
> AND the fact that it needs to be a valid .deb archive, they are
> probably more than strong enough.
This is actually not much of a problem:
http://www.cits.rub.de/MD5Collisions/
One ex
On Mon, Jan 22, 2007 at 08:49:08PM +0100, Adrian von Bidder wrote:
I trust the users who have shell access to keep their keys secure. I don't
trust the users to have unguessable (think dictionary attacks!) passwords.
I see dictionary attacks on ssh on a daily basis.
Hmm. Which of these two t
On Sat, Sep 02, 2006 at 12:28:17AM +0300, Mikko Rapeli wrote:
- can a process running vulnerable code be exploited to not show the
shared libraries and other non-shared libraries and files it had opened for
reading at some point?
Of course it can. And that's irrelevant to the question at
ha
On Mon, Jul 17, 2006 at 03:45:25PM +0200, Arnd Hannemann wrote:
shouldn't that read CVE-2006-3626 instead?
Yes.
Mike Stone
On Tue, May 23, 2006 at 02:10:19PM +0200, marco.celeri wrote:
yes, I think this allows incoming spoofed traffic to eth0 (or it is
"martian"?) but the response must follow what is found in the routing table ->
lo interface... am I wrong?
Yes, but that doesn't necessarily help in the case of a single-pa
On Tue, May 23, 2006 at 04:20:58PM +0200, Uwe Hermann wrote:
On Tue, May 23, 2006 at 09:53:05AM +0200, LeVA wrote:
But if one can spoof 127.0.0.1, then one can spoof anything else, so creating
any rule with an ip address matching is useless.
Correct. IP-based authentication is inherently flawe
On Tue, May 23, 2006 at 10:06:45AM +0200, Rolf Kutz wrote:
The script under scrutiny was intended for a
laptop. A router or firewall setup is something
different and should not route traffic with
spoofed addresses. rp_filter should catch this
easily, if you can use it. If not, an IP-based
rule i
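Reverse-path filtering is the kernel-side answer to the spoofed-source question in this thread. As an added example (my script, not from the list), the functions below read the per-interface rp_filter settings from a /proc/sys-style tree whose root is a parameter, so the constructed tree can be checked, and report the effective value the way the kernel applies it (the larger of conf/all and conf/<iface>). A last function prints the netfilter rules for the case mentioned above where rp_filter cannot be used, e.g. asymmetric routing: drop loopback-sourced packets that arrive on a real interface. Interface names and values are constructed.

```shell
#!/bin/sh
# Added example: effective rp_filter per interface, and an anti-spoof fallback.

rp_filter_value() {       # rp_filter_value ROOT IFACE -> 0 off, 1 strict, 2 loose (empty if absent)
    cat "$1/net/ipv4/conf/$2/rp_filter" 2>/dev/null
}

rp_filter_effective() {   # rp_filter_effective ROOT IFACE -> max(conf/all, conf/IFACE), as the kernel applies it
    a=$(rp_filter_value "$1" all); i=$(rp_filter_value "$1" "$2")
    [ "${a:-0}" -ge "${i:-0}" ] && echo "${a:-0}" || echo "${i:-0}"
}

unfiltered_interfaces() { # unfiltered_interfaces ROOT -> interfaces whose effective rp_filter is 0
    for d in "$1"/net/ipv4/conf/*; do
        [ -f "$d/rp_filter" ] || continue
        n=$(basename "$d")
        case "$n" in all|default|lo) continue ;; esac
        [ "$(rp_filter_effective "$1" "$n")" -eq 0 ] && printf '%s\n' "$n"
    done
    return 0
}

loopback_antispoof_rules() { # rules for hosts that cannot run rp_filter: 127/8 only ever arrives on lo
    cat <<'EOF'
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
EOF
}

# Constructed /proc/sys tree: all=0, so each interface's own value decides
SYS=$(mktemp -d)
for i in all default lo eth0 eth1 tun0; do mkdir -p "$SYS/net/ipv4/conf/$i"; done
echo 0 > "$SYS/net/ipv4/conf/all/rp_filter"
echo 1 > "$SYS/net/ipv4/conf/default/rp_filter"
echo 0 > "$SYS/net/ipv4/conf/lo/rp_filter"
echo 1 > "$SYS/net/ipv4/conf/eth0/rp_filter"
echo 0 > "$SYS/net/ipv4/conf/eth1/rp_filter"
echo 2 > "$SYS/net/ipv4/conf/tun0/rp_filter"

echo "interfaces with no reverse-path check:"; unfiltered_interfaces "$SYS"
echo "fallback rules:"; loopback_antispoof_rules
# Live: unfiltered_interfaces /proc/sys
# Fix:  sysctl -w net.ipv4.conf.all.rp_filter=1   (or 2 for loose mode on multi-homed hosts)
```

Setting conf/all to 1 flips every interface to strict in one go, which the test below confirms on the constructed tree; whether strict or loose is right depends on whether return traffic can legitimately leave through a different interface than it arrived on.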
On Thu, May 18, 2006 at 02:39:25PM -0700, [EMAIL PROTECTED] wrote:
So how to have PASS_MIN_DAYS set but to allow/require the new user to
change his password on the first login?
Use passwd -e to force the user to change his password.
Mike Stone
On Mon, May 08, 2006 at 09:06:37PM +0200, Emanuele Rocca wrote:
The only situation I've been able to imagine is a human error leading to
a change to your security policy.
For instance, a co-worker who temporarily allows remote root logins, god
knows why. I'd be sad of my choice of filtering out
On Sun, May 07, 2006 at 09:11:53AM +0200, martin f krafft wrote:
machines. On all these machines, sshd root login is restricted to
password-less login (RSA/DSA keys), so brute force attacks are never
going to succeed.
Probably what you want to highlight, then, is a *successful* login.
Mike Sto
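Two helpers for the situation in this thread and the earlier ones about password guessing and disabling PasswordAuthentication / ChallengeResponseAuthentication, written as an added example (mine, not from the list). sshd_root_keys_only reads the effective directives out of an sshd_config, honouring sshd's first-occurrence rule and skipping Match blocks; accepted_root_logins and failed_password_sources run over auth.log-style lines, because when brute force cannot succeed the event worth an alert is an accepted root login, not the daily dictionary noise. The config and log lines are constructed, with documentation-range addresses.

```shell
#!/bin/sh
# Added example: effective sshd_config directives, and root logins / guessing
# sources pulled out of auth.log-style lines.

sshd_directive() {        # sshd_directive CONFIG KEYWORD -> first effective value, or empty
    awk -v want="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { inmatch = 1 }
        !inmatch && tolower($1) == tolower(want) { print $2; exit }
    ' "$1"
}

sshd_root_keys_only() {   # 0 if root may only log in with a key and no password path is open
    prl=$(sshd_directive "$1" PermitRootLogin)
    pa=$(sshd_directive "$1" PasswordAuthentication)
    cra=$(sshd_directive "$1" ChallengeResponseAuthentication)
    case "$prl" in without-password|prohibit-password) ;; *) return 1 ;; esac
    [ "${pa:-yes}" = no ] && [ "${cra:-yes}" = no ]
}

accepted_root_logins() {  # accepted_root_logins LOG -> "month day time method source" per accepted root login
    awk '/sshd\[[0-9]+\]: Accepted [a-z-]+ for root from / {
            printf "%s %s %s %s %s\n", $1, $2, $3, $7, $11 }' "$1"
}

failed_password_sources() { # failed_password_sources LOG -> "count source", busiest first
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i+1)]++; break }
         }
         END { for (ip in c) printf "%d %s\n", c[ip], ip }' "$1" | sort -rn
}

SSH_SAMPLES=$(mktemp -d)
# Constructed configs: the restricted one, and a co-worker's temporary "fix"
cat > "$SSH_SAMPLES/good.sshd_config" <<'EOF'
Port 22
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Match User alice
    PasswordAuthentication yes
EOF
cat > "$SSH_SAMPLES/weak.sshd_config" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
EOF
# Constructed auth.log excerpt (TEST-NET addresses)
cat > "$SSH_SAMPLES/auth.log" <<'EOF'
May  7 09:10:01 gw sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
May  7 09:10:03 gw sshd[2201]: Failed password for invalid user oracle from 198.51.100.7 port 40123 ssh2
May  7 09:10:05 gw sshd[2203]: Failed password for root from 198.51.100.7 port 40124 ssh2
May  7 09:11:53 gw sshd[2210]: Accepted publickey for root from 192.0.2.10 port 50122 ssh2
May  7 09:12:30 gw sshd[2215]: Accepted password for alice from 192.0.2.11 port 50200 ssh2
May  7 09:15:00 gw sshd[2220]: Failed password for root from 203.0.113.5 port 41000 ssh2
EOF

for c in good weak; do
    if sshd_root_keys_only "$SSH_SAMPLES/$c.sshd_config"; then echo "$c: root is key-only"; else echo "$c: root reachable by password"; fi
done
echo "accepted root logins:"; accepted_root_logins "$SSH_SAMPLES/auth.log"
echo "password guessing sources:"; failed_password_sources "$SSH_SAMPLES/auth.log"
# Live: sshd_root_keys_only /etc/ssh/sshd_config; accepted_root_logins /var/log/auth.log
```

`without-password` is the spelling from the era of this thread; OpenSSH 7.0 renamed it `prohibit-password` and still accepts the old name. Feeding accepted_root_logins into whatever raises alerts, and sshd_root_keys_only into a periodic config check, covers both the successful-login highlight and the human-error case raised in the replies.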