On Mon, Jun 20, 2022 at 09:25:38AM -0700, Noah Meyerhans wrote:
> https://security-tracker.debian.org/tracker/source-package/imagemagick
>
> If you're processing data (images, videos, audio files, etc) from
> unknown sources, it's a really good idea to use sandboxing of so
On Mon, Jun 20, 2022 at 06:10:45PM +0200, Sebastian Rose wrote:
> >> how do you guys test all of the potential PNG/JPG potential malware
> >> payloads
>
> What's your use-case? As I'm not aware of a vector for GNU/Linux in
> normal everyday use¹, I guess you host files for Windows clients?
http
Can we please take this tinfoil hat lunacy somewhere else? There are
plenty of conspiracy theory forums out there. I'm sure you've got your
favorite, but this isn't one.
On Fri, May 13, 2022 at 08:15:52PM +0200, Elmar Stellnberger wrote:
> I mean Michael Lazin didn't say anything bad, on the c
On Thu, Jan 28, 2021 at 10:08:32AM -0800, Ramin Doe wrote:
> The signed metadata includes cryptographic checksums of the package
> contents. Thus, package contents can't be modified in storage on the
> mirror or in transit to your system without invalidating the checksum,
> and
On Wed, Jan 27, 2021 at 10:23:44AM -0800, Ramin Doe wrote:
>This lead me to search for more answers online, where I have found an
>article that suggests that package metadata is verified, but that package
>contents are not.
>
> ([1]https://blog.packagecloud.io/eng/2014/10/28/howto-g
On Wed, Oct 21, 2020 at 09:22:11PM +0300, Pavlos Ponos wrote:
>Thunderbird 1:78.3.1-2 accepted in unstable at 30/09/2020, 21 days passed
>since then, so I think it would be enough time to consider it ready for
>testing.
Normally it would be, but issues (release-critical bugs, test
regr
On Wed, Oct 21, 2020 at 07:03:35PM +0300, Pavlos Ponos wrote:
>Apologies if this should be directed to another list, but I've already
>tried in 'debian-testing' with no luck, see [1]here.
>In Debian's package tracker I see that Thunderbird in stable through the
>security updates is
On Sat, Mar 07, 2020 at 08:22:59PM +1100, Russell Coker wrote:
> For subsystems that are complex and security critical (like Apache and Samba
> for example) you could have other packages providing check scripts that look
> for common configuration choices that might reduce security. Such scripts
On Sat, Mar 07, 2020 at 11:46:54AM -0600, Jonathan Hutchins wrote:
> The only way to achieve real security is through knowledge. Pressing a
> shiny automated button is just going to implement what somebody else thinks
> is good for the system they assume you're running. Find the security
> websit
On Sat, Jan 06, 2018 at 05:10:10PM +0100, Davide Prina wrote:
> https://haveibeenpwned.com/
>
> that informs you if your credentials have been compromised in a data breach
> (only for publicly compromised data).
>
> I have tried it with sub...@bugs.debian.org and this account results as
> compromised!! for:
On Wed, Aug 30, 2017 at 08:49:44AM +0200, Guido Günther wrote:
> Hi gnupg maintainers, security team,
> attached debdiff addresses the above CVE for jessie. O.k. to upload to
> security-master?
debian-security@lists.debian.org is the public discussion list and isn't
necessarily monitored by the se
On Tue, Mar 01, 2016 at 08:35:43PM +0100, Zack Piper wrote:
> > "someone take my email off the list or I will report it as harassment."
>
> Oh wow I forgot about this. They've tried unsubscribing in the past
> from other lists just to refuse to follow instructions. I imagine
> they're a troll.
It
On Tue, Feb 16, 2016 at 04:32:00PM +0100, Peter Ludikovsky wrote:
> A question to those more knowledgeable: we're using our own DNS
> servers for all lookups, and those do recursive lookup for any
> external addresses. Am I right to assume that Bind9 uses its own
> implementation for DNS lookups?
On Mon, Jan 11, 2016 at 11:14:52AM -0500, Cindy-Sue Causey wrote:
> Just thinking out loud... that maybe the Announce list settings might
> need a quick once-over review depending on admin's intentions for it.
The ability to send mail to the debian-security-announce list is
restricted, and the set
On Wed, Sep 09, 2015 at 01:24:05PM -0400, Justin R. Andrusk wrote:
> Was just wondering if there was any mentoring opportunities available on
> the Debian Security team.
Per https://www.debian.org/security/faq#contact you should be contacting
t...@security.debian.org to reach the security team.
On Sun, May 03, 2015 at 10:06:20PM +0530, bkpsusmitaa wrote:
> I have added the lines. The issue is regarding non-availability of
> security keys. Yes, it is about an old laptop that ran superbly in
> lenny, but somewhat slower in squeeze,
The keys are available in the debian-archive-keyring packa
On Sat, Nov 01, 2014 at 04:21:53PM +0000, Jack wrote:
> This mailing list is for security announcements. All Debian users are
> encouraged to subscribe, so that they know about the latest threats and
> updates.
Incorrect; you're thinking of debian-security-announce, which is
moderated and only use
On Sun, Jul 13, 2014 at 08:35:56AM +0900, Joel Rees wrote:
> MD5 has been broken for a small number of applications. Its status is
> questionable for the rest, but if we want to help break it completely,
> let's get all the distros that insist on still using MD5 to use it,
> not just for signing, b
On Jan 22, 2014 9:11 AM, Nico Angenon wrote:
>
> Here is the ps aufx result... (a bit long)
(Please excuse any wonky formatting or glaring oversights, I'm on a mobile
device.)
You appear to be running an nfs server on this host. Try stopping the
nfs-kernel-server service and see if anythin
On Sat, Jan 18, 2014 at 08:30:49PM +0100, Marco Saller wrote:
> I am not sure if this question has been asked or answered yet, please do not
> mind if I would ask it again.
> Is it possible that the NSA or other services included investigative software
> in some Debian packages?
It is absolutely
On Tue, Feb 05, 2013 at 10:45:39PM +0000, Jérémie Marguerie wrote:
>You'll be scanned, many times a day, you'll also be bruteforced and
>however not normal, this is just "noise".
See also http://en.wikipedia.org/wiki/Internet_background_radiation
On Thu, Nov 01, 2012 at 10:48:46PM +0900, Hideki Yamane wrote:
> So I suggest switch from Exim to Postfix for default MTA.
This has been discussed in depth fairly recently on debian-devel.
http://lists.debian.org/debian-devel/2012/04/msg00719.html
The short answer, from my recollection of that t
On Thu, Dec 29, 2011 at 11:30:27PM +0400, Taz wrote:
> Anybody wants to check it out?
> I can provide ssh access, if you will give me an ssh key.
From the sound of things, we're not going to find much. It's clear that
the attackers have already cleaned up their tracks by editing auth.log,
etc. The d
On Thu, Dec 29, 2011 at 04:39:24PM +0100, Kees de Jong wrote:
> I guess I already pointed out everything. I added the updating part to it.
>
> * Use private not public keys with strong passwords
This doesn't make any sense at all. You need both private and public
keys for key-based authenticatio
On Fri, Dec 16, 2011 at 09:34:40PM +0100, Marko Randjelovic wrote:
> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, 0x7fff98fbd270) = -1 ENOTTY
> (Inappropriate ioctl for device)
> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, 0x7fff98fbd3e0) = -1 ENOTTY
> (Inappropriate ioctl for device)
Those are the key
On Thu, Oct 06, 2011 at 12:47:09AM +0200, Poison Bit wrote:
> >> You can migrate data between service versions or environments, have
> >> rollbacks, backups and etc.
> >
> > Across a fleet of 15000 hosts? With no downtime? Without impacting the
> > schedule of whatever software you actually run o
On Wed, Oct 05, 2011 at 03:20:08PM -0700, Noah Meyerhans wrote:
> Debian's goal is to have an 18 month release cycle. stable becomes
> oldstable when the next version is released, and oldstable is supported
> for 1 year. That's 28 months. Where do you get the idea of 3 years
On Thu, Oct 06, 2011 at 12:15:45AM +0200, Sythos wrote:
> > And that's 2 years less for LTS ... especially in bigger Setup's
> > LTS-Support is mandatory so there (because there is no Debian LTS's)
> > Debian cannot be used due to the lack of Support. Instead - Redhat
> > or Ubuntu or any other dis
On Thu, Oct 06, 2011 at 12:33:39AM +0200, Poison Bit wrote:
> In my experience: if a company does not perform operative system
> upgrades, the company does not have more than 5 years and does not
> understand how open source, and in special linux kernel, works.
I'm certain I can name several large
On Wed, Oct 05, 2011 at 09:15:18PM +0100, Bart Swedrowski wrote:
> I have been "forced" to use switch from Debian to RedHat and clones
> in my last job specifically because usual life time of a server was
> 3.5 - 4 years.
Same here. In my experience, large sites typically use a 3-5 year
lifetime fo
On Mon, Oct 25, 2010 at 05:16:51PM -0400, Brad Tilley wrote:
> While experimenting with PCI DSS on a default Debian Linux system, I
> found that when I comment out this line:
>
> auth    required    pam_unix.so nullok_secure
>
> in /etc/pam.d/common-auth, any account may ssh into the box by t
On Thu, Jan 21, 2010 at 04:39:14PM +0100, Thiemo Nagel wrote:
> having read your email concerning the termination of etch security
> support, I'm looking for an upgrade path for our installation of ~100
> machines.
>
> Is it planned to start squeeze security support in time to allow a
> direc
On Wed, Dec 16, 2009 at 05:59:13PM -0500, whereislibertyandjust...@safe-mail.net wrote:
> Whether I run 'strings' on the binary files or view with vim or gedit, here
> is what is always seen inside the binaries:
>
> __gmon_start__
> _Jv_RegisterClasses
They're put there by gcc and are perfectly
On Thu, Oct 08, 2009 at 09:08:31AM +0000, Jörg Sommer wrote:
> > You need to make sure that the machine actually gets rebooted when
> > security updates are made.
>
> I thought for security fixes in modules it's enough to update/replace
> the module. Isn't it?
No. If the module is already loaded
On Sun, Oct 04, 2009 at 07:35:53PM +0300, Török Edwin wrote:
>
> Why is not EXTRAVERSION updated during the kernel package build?
>
EXTRAVERSION indicates the ABI version number. It's only updated when
that changes, in order to indicate that the new kernel is not compatible
with the old one and
On Sun, Oct 04, 2009 at 11:44:52AM -0400, Thomas Krichel wrote:
> > this looks like a standard privilege escalation (not a rootkit). it
> > appears to be using one of the recent null pointer dereference kernel
> > vulnerabilities. your fricka machine is probably running one of the
> > unpatched ke
On Thu, Jul 09, 2009 at 06:02:37PM +0200, Peter Jordan wrote:
> > If you have Kerberos, why would you use ssh keys? GSS-API is so much
> > nicer if you already have a Kerberos environment.
>
> And how to login passwordless from outside the kerberos network?
There's no such thing as "outside the
On Wed, Jul 08, 2009 at 02:03:57PM -0700, Roger Bumgarner wrote:
> As far as I know, it does keys first then falls back to passwords. I'd
> imagine PAM could help, but I'm not knowledgeable enough in regards to
> that. I know you're only limited by your imagination when it comes to
> PAM authentica
On Wed, Jul 09, 2008 at 06:10:51PM +0200, Wolfgang Jeltsch wrote:
> > At this time, it is not possible to implement the recommended
> > countermeasures in the GNU libc stub resolver.
>
> I don't have bind9 installed. Am I affected by the libc stub resolver bug?
Yes. I suggest that you install
On Thu, May 15, 2008 at 11:08:58AM +0300, Mikko Rapeli wrote:
> > It would be also helpful to print the line as dokuwd.pl does.
> > Is there any repository with newer versions of ssh-vulnkey or dokuwd.pl ?
>
> Try the Ubuntu version which contains a fixed ssh-vulnkey (
> http://www.ubuntu.com/usn/
On Wed, May 14, 2008 at 10:39:10AM -0700, Harry Edmon wrote:
> Are there any plans to issue the same openssl/openssh security fixes for
> lenny as have been done for etch?
OpenSSL has already been fixed in lenny. The openssh package containing
ssh-vulnkey should hit testing tomorrow at the lates
On Fri, May 09, 2008 at 05:54:40AM -0700, phobot wrote:
> On May 7, 1:10 pm, martin f krafft <[EMAIL PROTECTED]> wrote:
> > > use integrit/aide/tripwire
> >
> > only useful with read-only media
>
> OK, I don't get it. If the media is read-only, no one can alter it, so you
> don't really need tripwire.
On Mon, May 05, 2008 at 02:57:34AM +0200, Peter Palfrader wrote:
> On Mon, 05 May 2008, Bernd Eckenfels wrote:
>
> > In article <[EMAIL PROTECTED]> you wrote:
> > > Apropos. Is there a way to get that information from a vmlinuz file on
> > > disk? Without booting it, that is.
> >
> > Interestin
On Mon, Mar 10, 2008 at 04:33:53PM -0400, Filipus Klutiero wrote:
> > Their public one, the one you referenced.
> Argh. If I'm asking about a statement, that's because I read it. Obviously,
> the author didn't bother checking whether he was right, which is why I'm
> asking whether there are some
On Mon, Mar 10, 2008 at 01:36:46PM -0500, Filipus Klutiero wrote:
> I reported #468765 about a questionable statement on www.debian.org. Frank
> Lichtenheld wants this to be discussed.
>
> This statement is in a security announcement. Martin Schulze confirmed that
> he
> wrote the statement. Do
On Thu, Feb 21, 2008 at 01:16:33PM +0100, Thomas Hungenberg wrote:
> I am a little bit surprised that - apart from small graphics errors
> and some performance issues - the fglrx driver runs fine without
> the kernel module.
> I thought that starting x.org would fail if the kernel module is not
> a
On Sun, Feb 17, 2008 at 03:12:26PM -0500, Jim Popovitch wrote:
> > http://lists.debian.org/debian-announce/debian-announce-2008/msg0.html
>
> One additional thing that is not clear to me is that I see pending
> updates for libc6 and libc6-dev that are NOT mentioned in that
> announcement.
No?
On Wed, Feb 13, 2008 at 06:23:16PM -0200, Martin Spinassi wrote:
> > > I just upgraded my linux-source-2.6.18 to 2.6.18.dfsg.1-18etch1_all and
> > > build a new linux-image. But after installing an rebooting I still was
> > > able to become root with this exploit:
> > > http://milw0rm.com/exploits
On Tue, Feb 12, 2008 at 04:09:00PM +0100, Nicolas Boullis wrote:
>
> I think this package deserves an official upgrade.
It'll get one. The severity of the issue dictates that we release
kernel builds for the various architectures as soon as we get them,
rather than waiting until they're all read
On Fri, Jan 11, 2008 at 12:53:08PM -0500, Joey Hess wrote:
> Noah Meyerhans wrote:
> > We mention all the binary packages in the advisory because they're the
> > versions that are going to be installed by apt* and people are going
> > to want checksums, file sizes, etc.
On Fri, Jan 11, 2008 at 01:24:28AM -0500, Thomas Bushnell BSG wrote:
> If a security bug were found in the afs client-side package, which is
> implemented as a kernel module, would the announcement not look just
> like the one we saw for DSA 1458-1?
See for yourself:
http://www.debian.org/security
On Thu, Jan 10, 2008 at 11:25:07PM -0500, Thomas Bushnell BSG wrote:
> > Except that the security flaw is in the fileserver, which does not
> > involve the kernel module at all and runs fine even without it
> > installed.
>
> Surely. But then the security update shouldn't mention unaffected
> pac
On Thu, Jan 10, 2008 at 05:29:18PM -0500, Thomas Bushnell BSG wrote:
> This is not sufficient advice for how to upgrade. Merely installing a
> new version of openafs-modules-source will not build it. Some form of
> m-a invocation as well will be necessary.
Except that the security flaw is in the
On Sun, Jan 06, 2008 at 01:36:26PM -0600, William Twomey wrote:
>
> I also disabled ipv6, which I was seeing a lot of from this host.
Probably not, unless you've knowingly configured IPv6 routing and all
that; you were probably seeing a lot of IPv4 mapped v6 addresses, which
look (in netstat) lik
On Fri, Nov 23, 2007 at 11:10:09AM +0100, Alfio wrote:
> (Reading database ... 360460 files and directories currently installed.)
> Preparing to replace samba 3.0.24-6etch4 (using
> samba_3.0.24-6etch5_i386.deb) ...
> invoke-rc.d: dangling symlink: /etc/rc2.d/S91samba
> dpkg: warning - old pre-rem
On Fri, Sep 21, 2007 at 12:04:22PM -0400, Noah Meyerhans wrote:
> > kdebase is arch:all and therefore installable on i386. kappfinder isn't
> > and there aren't any i386 binary packages for it available.
>
> This problem is being worked on right now and will be cor
On Fri, Sep 21, 2007 at 04:48:34PM +0100, Adam D. Barratt wrote:
> I'm guessing the people reporting problems are i386 users.
>
> > > kdebase: Depends: kappfinder (>= 4:3.5.5a.dfsg.1-6etch1) but
> > > 4:3.5.5a.dfsg.1-6 is installed.
> >
> > kappfinder is a binary coming from the kdebase packa
On Fri, Sep 21, 2007 at 04:24:38PM +0100, Steve Kemp wrote:
> > It seems that kdebase and fetchmailconf dependencies are broken.
>
> I don't see what the source of this is.
>
> > kdebase: Depends: kappfinder (>= 4:3.5.5a.dfsg.1-6etch1) but
> > 4:3.5.5a.dfsg.1-6 is installed.
>
> kappfinder is a
On Wed, May 16, 2007 at 09:39:56PM +0200, Thomas Korber wrote:
> Moritz Muehlenhoff <[EMAIL PROTECTED]> writes:
>
> >> Nice work on getting this out. Is sarge going to get an update, is it
> >> even affected? I've looked into CVE-2007-2444, and
> >> http://www.securityfocus.com/bid/23974/ says tha
On Wed, May 16, 2007 at 09:03:12AM +1000, Andrew Vaughan wrote:
> > Package: qt4-x11
>
> > For the stable distribution (etch), this problem has been fixed in
> > version 4.2.1-2etch1
> >
> Etch shipped with 4.2.1-2+b1 packages.
>
> $ dpkg --compare-versions "4.2.1-2+b1" ">>" "4.2.1-2etc
On Tue, May 08, 2007 at 05:34:30PM -0400, Gerardo Curiel wrote:
> On Tue, 08-05-2007 at 22:24 +0200, Thomas Hochstein wrote:
> > Chris Adams wrote:
> >
> > > Do you have a VNC server installed?
> >
> > | But I do have vino-server running.
>
> That's the problem, the same happened to me
On Tue, May 01, 2007 at 11:18:22AM -0700, Michael Leibowitz wrote:
> The DSA incorrectly identifies etch as the unstable distribution.
>
Yeah, my fault. The web site will have it listed correctly, of course.
noah
On Wed, Feb 07, 2007 at 04:38:30PM +0100, Holger Levsen wrote:
> > Lalala
>
> WTF? At least you used a proper from:-header...
>
> Could you *please* correct your errors (which are no problem per se) correct
> in a professional way?
The errors have already been corrected:
http://www.debian.o
On Sun, Nov 26, 2006 at 12:47:55AM +0100, Alexander Klauer wrote:
> there has been a texinfo update for sarge available from
> security.debian.org for a few days now. The changelog in the
> source package says something about arbitrary code execution.
> The GPG signature by Noah
On Wed, Oct 18, 2006 at 02:11:24AM +0100, paddy wrote:
> > NB: although some are saying this is a local root exploit only, the
> > bulletin points out it can be exploited by visiting a malicious
> > webpage.
>
> I've not scrutinised the claims closely, but it looks like a remote
> vulnerability to
On Tue, Oct 10, 2006 at 09:22:43PM -0400, David Kennedy CISSP wrote:
> signed by a key not included in
> http://www.debian.org/security/keys.txt and not on the PGP.COM,
> MIT.EDU or any other of several public key servers.
It's on pgp.mit.edu
(http://pgp.mit.edu:11371/pks/lookup?search=noahm%40deb
On Wed, Sep 06, 2006 at 06:14:51PM +0200, Allard Hoeve wrote:
> Please take note of:
>
> http://www.openssl.org/news/secadv_20060905.txt
Acknowledged. A fix is already in the works.
noah
On Tue, Aug 29, 2006 at 10:54:45PM +0200, Moritz Muehlenhoff wrote:
> If there's anything special to do (e.g. kernel or glibc) we already add this
> to the DSA text.
I don't think that's quite enough. I have a few hundred Debian
workstations for which I'm responsible, and it's difficult for me to
On Mon, Jul 17, 2006 at 06:13:28PM +0200, Moritz Muehlenhoff wrote:
>
> This was an error on my side, it's already corrected on the web:
> http://www.debian.org/security/2006/dsa-
>
Any idea why this DSA isn't linked to from
http://www.debian.org/security/ ? The document is there, but there
On Wed, Apr 19, 2006 at 03:56:41PM -0600, Michael Loftis wrote:
> Increasingly 2.6 is unsuitable for production use due to its huge amount of
> change and lack of stable tree. There was a decision to do away with the
> old split development/odd numbered development model sometime after about
>
On Wed, Jan 04, 2006 at 06:25:02PM +0100, martin f krafft wrote:
> > Nevertheless the sysvinit maintainers thought it would be a good
> > idea to ask here whether anyone sees any security problems arising
> > from this feature.
>
> ... sounds like a nice way to infest a system with a trojan, in
>
On Thu, Dec 15, 2005 at 10:19:48PM +0000, kevin bailey wrote:
> good point - also the fact that the users stick their email passwords to
> their monitors using postits!
Well, at least there's still *some* level of physical security there;
an attacker has to be at your user's desk to get the passwo
On Thu, Dec 15, 2005 at 06:46:02PM +0100, Florian Weimer wrote:
> > It may be nothing. The fact that it showed up as filtered in the nmap
> > output indicates that nmap didn't receive a TCP RST packet back when it
> > tried to contact that port. That may mean you have iptables configured
> > to D
On Thu, Dec 15, 2005 at 12:35:09PM +0000, kevin bailey wrote:
> the service:
> 443/tcp open https
> is used to protect the webmail service. it is meant to stop the email
> passwords from being sniffed.
If you're concerned about passwords being sniffed, you better shut off
pop3 and imap, too
On Wed, Nov 23, 2005 at 12:59:02PM +0100, Florian Weimer wrote:
> Availability is typically considered one aspect of security (and
> arguably the hardest one to get right in networked applications).
I tend to consider it the other way around. Security is a subset of
availability. Availability mu
On Wed, Nov 09, 2005 at 10:28:53AM -0500, Kevin B. McCarty wrote:
> I received the following (see below) in an email from logcheck on my
> home desktop running Sarge. Looks like an attempt to cause a buffer
> overflow in rpc.statd. System logs don't include anything else that
> looks suspicious.
On Thu, Oct 20, 2005 at 07:22:30AM -0400, Baxley, Dewayne (ISS Atlanta) wrote:
> Please unscribe me from this list. Thanks!
Instructions for unsubscribing are included at the bottom of every
message posted to the list. Please follow them.
noah
On Thu, Sep 29, 2005 at 09:50:34PM +0200, Arnaud Fontaine wrote:
> Is it possible to have a warranty that the package in the mirror archive
> hasn't been modified by someone else? Maybe my question is stupid but I
> wasn't able to find an answer on the replicator website ;).
Is this really more impor
On Mon, Sep 19, 2005 at 10:45:37PM +0200, Bartosz Fenski aka fEnIo wrote:
> I wonder what else should I read to keep in touch with such important
> information?
slashdot? ;)
On Mon, Sep 19, 2005 at 09:18:29PM +0200, Noël Köthe wrote:
> anybody knows what's the problem with klecker/security.d.o?
> The whole day I get timeouts but I could update xfree(woody)/xorg(sarge)
> on some machine but I didn't find the DSA for it.
>
> Any information about this?
See http://lists
On Tue, Aug 02, 2005 at 09:56:12PM +0200, Petter Reinholdtsen wrote:
>
> [Noah Meyerhans]
> >> How about actually maintaining them?
> >
> > That's exactly what I think we should do.
>
> Is this "we" as in you, or "we" as in someone els
On Tue, Aug 02, 2005 at 10:09:13AM -0700, Thomas Bushnell BSG wrote:
> >> > IMHO, sloppy security support (by uploading new upstream versions) is
> >> > better than no security support.
> >>
> >> Are you prepared to make sure all the packages that depend on mozilla
> >> will have packages ready to
On Mon, Aug 01, 2005 at 04:57:31PM -0700, Thomas Bushnell BSG wrote:
> > IMHO, sloppy security support (by uploading new upstream versions) is
> > better than no security support.
>
> Are you prepared to make sure all the packages that depend on mozilla
> will have packages ready to enter at once?
Most other OS vendors are willing to make updates for errata beyond
simple security updates. Often this means minor updates to software
packages like web browsers. I believe the community will be better able
to help us prepare e.g. bug-free firefox 1.0.5 packages than it will to
produce 1.0.4+sec
On Mon, Jun 27, 2005 at 09:05:53PM +0200, martin f krafft wrote:
>
> How much information can be disclosed about the inner workings of
> the security team without damage?
Most, but not all, of the security team's work is rather routine and
very uninteresting. Often it is necessary to review code
On Mon, Jun 27, 2005 at 11:26:37AM -0700, Matt Zimmerman wrote:
> The security team has always been a difficult one to expand. A strong level
> of trust is necessary due to confidentiality issues, and security support is
> a lot of (mostly boring and thankless) work. However, expanding it seems
>
On Thu, Jun 23, 2005 at 09:21:14AM +0200, anders alm wrote:
> This has happened twice for me, first on an old mdk
> dist, so I went paranoid and upgraded to debian, and a
> few weeks ago my /root/.bash_history was empty again!
> Can it be something other than a break in? The
> partition /root lies
On Thu, Mar 31, 2005 at 10:44:53PM -0600, Brad Sims wrote:
> `less /var/log/auth.log|grep Failed|wc -l` shows 185 attempts to compromise
> my machine since March 27th...
A similar command on the log server on a class B network (/16) shows
1482 such attempts in the past 19 hours or so. It's just a
On Wed, Mar 30, 2005 at 07:16:31AM +1000, David Pastern wrote:
> And this, in reality, is why Woody is so old. I cannot imagine any
> other distro providing such an old kernel.
You've got cause and effect mixed up. Debian is not outdated *because*
we support ancient versions of software. We sup
On Tue, Mar 29, 2005 at 01:38:55PM +0100, Simon Heywood wrote:
> > Sorry, but this isn't correct. kernel 2.4.18-1 in woody is patched
> > against known vulnerability.
>
> The security team have quietly stopped updating it, preferring to
> concentrate on the Sarge kernels.
The security team does
On Tue, Mar 29, 2005 at 03:43:11AM +0200, Javier Fernández-Sanguino Peña wrote:
> And, yes, if you need outgoing FTP/WWW access from that box then you should
> have a filter for those servers you actually need (like
> security.debian.org). Sorry, allowing remote access to an SSH server that
> is no
On Mon, Mar 28, 2005 at 02:41:06PM -0500, Malcolm Ferguson wrote:
> Machine was running Debian 3.0 and was behind a NAT box with ports
> forwarded for SMTP, HTTP and SSH. It hadn't been rebooted for 430
> days. I was using a 2.4 kernel with MPPE builtin.
If it had an uptime of 430 days, there
On Sat, Mar 19, 2005 at 01:35:06PM +0100, LeVA wrote:
> Can someone please suggest a secure ident daemon to me? I cannot choose from
> the apt search list.
>
What do you mean by secure? None of the ident daemons have any known
security vulnerabilities, per se, but the ident protocol itself h
On Wed, Mar 02, 2005 at 08:34:44PM +0100, martin f krafft wrote:
> > Sounds like a job for user-mode-linux.
>
> Sounds like overkill.
"When the only tool you have is a hammer, everything looks like a nail"
noah
On Wed, Oct 06, 2004 at 02:53:19PM +0100, Dale Amon wrote:
> I've been running tripwire on a particular server
> for some years and finally got annoyed at skimming through
> the large reports, so I began an update... After 24 hours
> I thought it was hung and killed it. I restarted it
> with verbos
On Tue, Sep 28, 2004 at 08:23:49PM -0300, Peter Cordes wrote:
> Not if the pattern you want to ignore is more than one line. egrep is
> purely line-by-line. This worm (or script-kiddie zombie?) always tries
> root, admin, then test, ...
That doesn't seem to be the case. The most common one use
On Tue, Sep 28, 2004 at 11:15:09AM -0400, Alfie wrote:
> Assuming the U.S. government doesn't freak out and stop it, IPSEC
> encryption will soon(?) be used for all internet communication
That's the funniest thing I've read in a long time. Unless you mean
"soon" on an astronomical time scale, and
On Sun, Sep 19, 2004 at 10:09:12PM +0200, martin f krafft wrote:
> These scripts already exist. However, they require you to look
> continuously. That's not an option. And it has to keep the admin in
> the loop (and thus not be an automated blocker) because otherwise
> you are open for denial-of-se
On Sun, Sep 19, 2004 at 09:53:23PM +0200, Bernd Eckenfels wrote:
> You can either move your ssh to another port, that will greatly reduce the
> distributed brute force attacks, or you can put a filter with port knocking
> in front of it. Another option is to turn off password authentication,
> comp
On Sun, Sep 19, 2004 at 02:42:08PM -0400, Dossy Shiobara wrote:
> > Other than blacklisting the IPs (which is a race I am going to
> > lose),
>
> Why do you say that? I haven't seen this more than a few times a week
> so I haven't bothered to do anything yet, but I'm very close to writing
> a scr