On Tue, Sep 23, 2003 at 04:13:02PM -0500, Jeff Bender wrote:
Thanks. Do you happen to have a link where this might be posted?
Well.. The advisory talks about a version higher than the one in woody.
--
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
According to http://www.openssh.com/txt/sshpam.adv there are multiple
vulnerabilities in the new PAM code of Portable OpenSSH.
It sounds as if it's limited to versions 3.7p1 and 3.7.1p1, but I thought
I'd ask if anyone knows for a fact that the older version in Woody does
not have this code.
I have a strange result on two of our debian servers - both are woody.
The first one (A) has kernel 2.4.19, the other one (B) - 2.4.22.
The A server is almost daily checked against new packages, the B
server was upgraded yesterday. Both have the same sources.list
But server A:
serverA:~# dpkg -l ssh
Is there any effort to reduce the number of services running on a
default debian install? For example: a typical workstation user doesn't
really need to have inetd enabled, nor portmap (unless they are running
fam or nfs -- which isn't enabled by default)
Is this something that needs to be taken
My understanding and look at the changelog is that there has been a
significant amount of work in the pam components of openssh from version
3.6.x to 3.7x. It is this new code, that has the vulnerability.
Ramon Kagan
York University, Computing and Network Services
Unix Team - Senior Unix
On Tue, Sep 23, 2003 at 04:26:14PM -0400, Matt Zimmerman wrote:
On Tue, Sep 23, 2003 at 02:45:24PM -0500, Bender, Jeff wrote:
Hi,
Looking for the Debian Woody patch. Anyone know if it is available or if
this version is exploitable?
According to the maintainer, the version in woody is
On Wed, Sep 24, 2003 at 13:04:20 +, [EMAIL PROTECTED] wrote:
I have a strange result on two of our debian servers - both are woody. The
first one (A) has kernel 2.4.19, the other one (B) - 2.4.22. The A server
is almost daily checked against new packages, the B server was upgraded
yesterday.
On Wednesday, 24 September 2003 02:34, Tomasz Papszun wrote:
Sorry but I must say that this is an incorrect claim.
okay, not exclusively
Currently ClamAV's own database is quite big and is updated even a
couple of times a day if needed. It's quite good at new viruses caught
in the wild,
On Wed, Sep 24, 2003 at 02:46:44PM +0200, J.H.M. Dassen (Ray) wrote:
On Wed, Sep 24, 2003 at 13:04:20 +, [EMAIL PROTECTED] wrote:
I have a strange result on two of our debian servers - both are woody. The
first one (A) has kernel 2.4.19, the other one (B) - 2.4.22. The A server
is almost
[EMAIL PROTECTED], Wed, Sep 24, 2003 at 01:04:20PM +:
Why do the two servers, upgraded from the same server, have different ssh
packages? The same is true of some other packages, e.g.: xfree86-common
I noticed the exact same behavior on one of my machines. After a number
of updates apt was
On Wed, Sep 24, 2003 at 03:23:35PM +0200, Thomas Ritter wrote:
Yes, I don't know the name, but there's a reference standard virus list.
I think you're talking about the Wildlist (www.wildlist.org). That's
not a reference list, but simply a list of viruses reported as
currently active by at
On Wed, Sep 24, 2003 at 01:54:42AM +0200, Thomas Ritter wrote:
And... a mail with a positive virus recognition can be deleted without having
to fear it's a false positive, against which a mail found to be Spam by
Spamassassin may be a real mail.
This is not true.
There's always the
[EMAIL PROTECTED] wrote:
On Wed, Sep 24, 2003 at 02:46:44PM +0200, J.H.M. Dassen (Ray) wrote:
And /etc/apt/preferences? Sounds like they're using different pinning
settings.
serverA:~# cat /etc/apt/preferences
cat: /etc/apt/preferences: No such file or directory
The same on server
As far as my understanding goes, ssh was patched recently for security
fixes, so it should be coming from security.debian.org not us.debian.org.
Now security.debian.org is not at all mirrored for security reasons, so
how does he have 2 different versions of ssh ?
1 Does he have proper
[ I'm resending it because yesterday try didn't appear on the list.
Thomas Ritter has already answered to the copy which I sent directly to
him. ]
On Wed, 24 Sep 2003 at 1:54:42 +0200, Thomas Ritter wrote:
Just a note: Open Antivirus programs like clamav are not perfect, because the
open
Hi,
On Wed, Sep 24, 2003 at 01:42:01PM -0700, Adam Lydick wrote:
Is there any effort to reduce the number of services running on a
default debian install? For example: a typical workstation user doesn't
really need to have inetd enabled, nor portmap (unless they are running
fam or nfs --
On Wed, Sep 24, 2003 at 01:04:20PM +, [EMAIL PROTECTED] wrote:
ii  ssh  3.4p1-2  Secure rlogin/rsh/rcp replacement (OpenSSH)
This version of ssh is neither directly from woody (which still has
3.4p1-1) nor from security.debian.org (which has 1:3.4p1-1.woody.3, and
Yogesh Sharma, Wed, Sep 24, 2003 at 09:14:52AM -0700:
As far as my understanding goes, ssh was patched recently for security
fixes, so it should be coming from security.debian.org not us.debian.org.
Now security.debian.org is not at all mirrored for security reasons, so
how does he have 2
On Wed, Sep 24, 2003 at 01:59:16PM -0500, Ryan Underwood wrote:
Is there any effort to reduce the number of services running on a
default debian install? For example: a typical workstation user doesn't
really need to have inetd enabled, nor portmap (unless they are running
fam or nfs --
On Wed, Sep 24, 2003 at 12:12:54PM +0300, Riku Anttila wrote:
According to http://www.openssh.com/txt/sshpam.adv there are multiple
vulnerabilities in the new PAM code of Portable OpenSSH.
It sounds as if it's limited to versions 3.7p1 and 3.7.1p1, but I thought
I'd ask if anyone knows for
On Wed, Sep 24, 2003 at 03:59:28PM -0400, Noah L. Meyerhans wrote:
For starters, I think portmap, rpc.statd, and inetd should not run by
default. Not running a mail server (or perhaps only running one on the
loopback interface) would be nice, too.
It can be damnably difficult to dump the web
On Wed, Sep 24, 2003 at 01:42:01PM -0700, Adam Lydick wrote:
Is there any effort to reduce the number of services running on a
default debian install? For example: a typical workstation user doesn't
really need to have inetd enabled, nor portmap (unless they are running
fam or nfs -- which
In article [EMAIL PROTECTED] you wrote:
I _do_ love lftp, and will have to mention it in the referenced document.
(Thanks.) It certainly is fast and easy (as is wget), but reliable is
somewhat precluded by the http protocol itself. (Admittedly, this is
being picky, and wget -c fixes many
In article [EMAIL PROTECTED] you wrote:
Why do you think there's anything wrong with ftp?
FTP is a firewall nightmare, it is insecure (plaintext), the more advanced
features are not standardized. Even parsing the directory output is terror to
the programmer.
Greetings
Bernd
--
eckes privat -
For what it's worth, and without wanting a distro-religious war about it,
Mandrake has a variety of security levels, which can be locally configured,
and which can allow exactly this sort of behavior;
At high security levels, any new services that get installed (from RPMs)
are only allowed from
Quoting Bernd Eckenfels ([EMAIL PROTECTED]):
Actually HTTP is much more reliable than FTP.
I should have defined my terms: When I said ftp transfers are more
reliable than are ftp ones (in my experience), I meant that, once
started, they are much less prone to dying. That is observed fact.
On Thu, Sep 25, 2003 at 11:12:28AM +1200, Steve Wray wrote:
For what it's worth, and without wanting a distro-religious war about it,
Mandrake has a variety of security levels, which can be locally configured,
and which can allow exactly this sort of behavior;
Honestly, I think we can get away
On Wed, Sep 24, 2003 at 04:37:30PM -0700, Rick Moen wrote:
I should have defined my terms: When I said ftp transfers are more
reliable than are ftp ones (in my experience), I meant that, once
Thank you for clearing that up.
Mike Stone
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject
On Mon, Sep 22, 2003 at 10:14:43PM +0100, Thomas Horsten wrote:
guess they are out there. Anyway, if you are truly security conscious you
should consider switching to qmail in any case.
Not. Postfix is just as good, but without an obnoxious license.
Mike Stone
On Wed, Sep 24, 2003 at 08:16:41PM -0400, Noah L. Meyerhans wrote:
Basically, I think that security levels don't gain you anything over
don't install the package.
Until installing a package has the side effect of installing a network
service. Having a default-deny-incoming firewall or some such
On Thu, 25 Sep 2003 12:16, Noah L. Meyerhans wrote:
On Thu, Sep 25, 2003 at 11:12:28AM +1200, Steve Wray wrote:
For what it's worth, and without wanting a distro-religious war about it,
Mandrake has a variety of security levels, which can be locally
configured, and which can allow exactly
In article [EMAIL PROTECTED] you wrote:
and what about ssh/potato ?
I don't see anything about a new upgrade for ssh in potato ?
Potato is no longer supported by the debian security team, as you can read in
the faq. It is unfortunate, I still have some systems running.. well.. thanks
god no
In article [EMAIL PROTECTED] you wrote:
I am looking for the same solution. However, I am getting 40 to 70 of such
mails within 2 hours. There should be a possibility with exim-4.1, but
nothing for exim-3.X
i am using clamscan with exiscan on exim-3 and it works well, besides the
fact that it
On Wed, Sep 24, 2003 at 09:01:26PM -0400, Michael Stone wrote:
Until installing a package has the side effect of installing a network
service. Having a default-deny-incoming firewall or some such would go a
long way toward preventing accidental vulnerability exposure.
Well, remember that the
On Wed, Sep 24, 2003 at 09:39:32PM -0400, Noah L. Meyerhans wrote:
Well, remember that the scope of this discussion is the default Debian
installation.
Except, what is default? If you install a workstation task should you
assume that you'll get open ports? (As the task packages pull in
Agreed. The X maintainers (as one example) started doing that a while
back. I run exim and a few other services like this (manually
configured, sadly).
On Wed, 2003-09-24 at 15:04, Florian Weimer wrote:
On Wed, Sep 24, 2003 at 01:42:01PM -0700, Adam Lydick wrote:
Is there any effort to
On Mon, 22 Sep 2003, Ted Roby wrote:
My secalert account for these lists is being drenched with 40 to 70 of
these fake Microsoft Update emails per day.
My filters on my client dump them to a Junk folder, but I would prefer
it if my Exim filter would do the job at the server level instead. I
On Wed, Sep 24, 2003 at 09:52:07PM -0400, Michael Stone wrote:
Except, what is default? If you install a workstation task should you
assume that you'll get open ports? (As the task packages pull in
dependencies, etc.) I think it makes more sense to provide a safety net
than to try to predict
There is a debian security manual I believe. I agree with you, leaving
services running by default in this day and age is really a no no.
regards
Steven
-Original Message-
From: Adam Lydick [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 24 September 2003 11:42 PM
To:
Hello All,
I was surfing the Website http://www.xmms.org/ for new skins and
at one click...
...xmms was hijacked !!!
No access to xmms possible. Can anyone confirm this please...
Please Cc: me.
Three other .org Domains (my own) are hijacked this afternoon too.
Thanks
Michelle
--
Registered
On Tue, Sep 23, 2003 at 02:08:29AM +0200, Michelle Konzack wrote:
I was surfing the Website http://www.xmms.org/ for new skins and
at one click...
...xmms was hijacked !!!
No access to xmms possible. Can anyone confirm this please...
Please Cc: me.
Nope. Worked just fine for me. I