On Thu, Jul 21, 2005 at 08:17:38PM +0200, Karsten Dambekalns wrote:
> Now, I find it unlikely to see the same local root exploit in 2.4.18 and
> 2.6.7.
They are both old kernels; compile your own and apply suitable patches.
Grsecurity is one, and it doesn't need any particular configuration.
>
On Tue, Apr 05, 2005 at 07:21:28PM +0800, xiang sen wrote:
> thanks!
passwdqc
/Thomas
--
On Mon, Feb 07, 2005 at 02:10:07PM +0100, Andras Got wrote:
> You should start with grsec low and proc restrictions set customly.
> Hardening your kernel is always an option.
Running grsec isn't a problem, I use it on both clients and servers.
Don't start with grsec low but with the custom option,
CON
On Thu, Aug 26, 2004 at 09:44:51PM +0200, Jan Luehr wrote:
> Greetings,
> On Thursday, 26 August 2004 19:32, UnKnown wrote:
> > Hi ppl, first I want to state that this is my first mail to this list, if
> > by any chance this is not the right list to do so plz point me to the
> > correct one
On Thu, Aug 12, 2004 at 10:40:14AM -0700, Adam Morley wrote:
> Hi,
>
> I'm interested in setting up an NTP server on a debian machine with security in
> mind, but from my lookings at the official NTP server (www.ntp.org), the daemon
> which serves time also updates the local clock, and hence has
PaX support in binutils and SSP compiled packages are two very nice
things to have. The problem at the moment is that you can't have
both at the same time.
Using for example Steve Kemp's GCC w SSP[1], binutils comes compiled with
SSP. If you then install Petersen's binutils with
On Tue, Apr 20, 2004 at 02:29:34PM -0400, Eric Dantan Rzewnicki wrote:
> Has anyone heard about this? This article has no details ... apologies
> for the post's data-mining ... I'm still looking for other references.
>
> http://www.washingtonpost.com/wp-dyn/articles/A27403-2004Apr20.html
Since t
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Wed, Feb 25, 2004 at 06:02:22PM +0200, Martin Hardie wrote:
> so the use of debian products for racist work is ok for debian
It's a distribution of an operating system; how do you intend to stop
him from using it?
> by using debian he associates
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
[Sorry for the cross-posting]
Hi,
with gcc-3.3 (1:3.3.3ds4-0pre4) the maintainers updated the SSP patch.
It is, however, not applied by default.
I submitted a bug report [1] about this, but the problem is that my
experience with GCC w. SSP is only on t
On Tue, Jan 20, 2004 at 08:47:40AM -0800, Johannes Graumann wrote:
> Now: how do I make sure this is AES-256 and not some other permutation
> of the cipher?
You use the losetup -k (or --keybits) option.
E.g. losetup -e aes -k 256 ...
/Thomas
--
== [EMAIL PROTECTED] | [EMAIL PROTECTED]
== Encrypte
On Tue, Jan 20, 2004 at 10:00:04AM +0100, Oliver Hitz wrote:
> I think you should be able to avoid such exploits by using PHP's safe
> mode. It allows you, among other things, to specify that only files in
> a particular directory may be executed. This way, even if someone
> succeeds uploading an ex
If you haven't heard it already:
Synopsis: Linux kernel do_mremap local privilege escalation
vulnerability
Product: Linux kernel
Version: 2.2, 2.4 and 2.6 series
http://isec.pl/vulnerabilities/isec-0013-mremap.txt
Patch:
http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]
/Thomas
--
==
On Mon, Dec 22, 2003 at 12:35:49PM -0700, s. keeling wrote:
> > >gpg: Signature made Sun Dec 21 17:50:12 2003 MST using DSA key ID 946886AE
> > >gpg: BAD signature from "Trey Sizemore <[EMAIL PROTECTED]>"
>
> Now, from the same guy, same key, why do I get "Bad signature?"
Is there something diffe
On Fri, Dec 05, 2003 at 08:08:46AM +0100, Lupe Christoph wrote:
> BUT! Does anybody have a patch for the do_brk vuln on any kernel-source
> package >= 2.4.20 as they are currently in the archives? I would like to
> build a new kernel with the vuln patched ASAP, rather than wait for the
> upload to
On Fri, Nov 21, 2003 at 09:17:33AM -0500, Michael Stone wrote:
> Thank you for not starting wild unfounded rumors. If you don't have the
> facts it is unproductive to speculate wildly, especially in a pejorative
> fashion.
Not starting rumours or speculating, just asking how the servers got
roo
On Fri, Nov 21, 2003 at 02:17:52PM +0200, Johann Spies wrote:
> On Fri, Nov 21, 2003 at 12:38:50PM +0100, Thomas Sjögren wrote:
> > Anyone to shed some light over this?
>
> There has been an announcement on the Debian-announce-list a few
> minutes ago which clarifies the situat
On Fri, Nov 21, 2003 at 01:27:09PM +0100, Jan Wagner wrote:
> That's ATM unknown. It seems that nobody (except the bad boys) has access to
> the boxes. But there are ppl on the way to catch local access. That's all I
> heard.
Ok, so there's no manual auditing on services, processes, etc (on a da
On Fri, Nov 21, 2003 at 01:13:35PM +0100, Jan Wagner wrote:
> http://luonnotar.infodrom.org/~joey/debian-announce.txt
Read that a minute ago, but what happened?
/Thomas
--
== [EMAIL PROTECTED] | [EMAIL PROTECTED]
== Encrypted e-mails preferred | GPG KeyID: 114AA85C
Anyone to shed some light over this?
"Someone has cracked all the servers of the Debian Project. There has
been a severe security mishap and guys should uninstall all stuff
downloaded and installed in the past 2 days. Please do not apt-get
anything right now! Please wait till an `official' release
Tried the Titan noshell and it works as expected.
However, Tiger complains about it if you follow the CERT installation
procedure and "Register the noshell program as the valid login shell."
There's no need to do this, as noshell really doesn't care and still
works as a non-valid shell.
[...]
NEW: --
On Wed, Oct 22, 2003 at 07:41:33PM +1000, Russell Coker wrote:
> We can start with "bin", "daemon", "sys", and "sync" which are the least
> likely accounts to need a login shell. After those changes have been tested
> to everyone's satisfaction we can then move on to others.
why not deny those
On Tue, Sep 16, 2003 at 11:59:34AM -0700, TongKe Xue wrote:
> Hello,
Hi,
> On a slightly off topic note, I'm thinking about running an
> ftp/http/ssh server for personal use in college. What precautionary
> measures should I take, or rather can I take? From reading over the
> various Slashdot p
On Thu, Aug 14, 2003 at 09:57:26AM -0400, Todd Charron wrote:
> I'm using the latest 2.4.18 kernel in woody (came out very recently). I was
> wondering if anyone else was running into this problem and perhaps knew a way
> around it? Thanks,
The Debian kernel contains patches not present in th
Ugly reply, but here goes...
On Tue, Jul 01, 2003 at 04:27:21PM -0700, Alvin Oga wrote:
>
> On Tue, 1 Jul 2003, valerian wrote:
>
> > On Tue, Jul 01, 2003 at 02:36:37PM +0200, Javier Castillo Alcibar wrote:
> > > Hi all,
> > >
> > > I want to setup a new linux server in internet (apache, php, p
On Mon, 10 Mar 2003, Johannes Berth wrote:
> You don't have to make your $HOME world readable, just world executable.
[...]
> With 711 on your $HOME and secure chmods on your files nobody will be
> able to see files you don't want them to see.
... but there's still no reason to place "public html"
On Monday 10 March 2003 15.19, Rob VanFleet wrote:
> > No they don't.
> > You shouldn't place user websites in their home dirs. Place the
> > user "webspace" in e.g /var/www/[user] and symlink from
> > public_html or whatever.
>
> ..and this makes a difference how...? I'm not necessarily trying t
On Sat, 8 Mar 2003, Birzan George Cristian wrote:
> > It should be locked down and not touched by adduser ("Would You Like To
> > Make All Homedirs World-Readable?").
> root is not the regular user. Users need o+x on their home dirs for
> Apache to be able to serve pages.
No they don't.
You shoul