Re: Ssh2-packet still secure?

2003-09-16 Thread Bas Zoetekouw
[ccing to debian-devel]

Hi Johan!

You wrote:

> I use ssh2 (2.0.13-7) on my webserver. As far as I can see this packet has
> not been updated since Sat, 15 Dec 2001 12:43:25 +. My question is if
> this packet is still considered secure and reliable to use after all
> OpenSSH-bugs, since it's not updated for almost 2 years, or is that because
> it's considered outdated?

AFAIK, the ssh2 package was removed ages ago because of it having
security bugs and it being obsoleted by openssh.  As far as I can see,
it's not even present in woody any more.  Are you still running potato
or is perhaps the upgrade path broken?  

Anyway, you should really upgrade to openssh ("ssh" package in Debian);
I guess your current package is very much not patched against security
trouble.

-- 
Kind regards,
Bas Zoetekouw
GPG key: 0644fab7
Fingerprint: c1f5 f24c d514 3fec 8bf6 a2b1 2bae e41f 0644 fab7
[EMAIL PROTECTED], [EMAIL PROTECTED]




libmail-bulkmail-perl_3.09-1_i386.changes is NEW

2003-09-16 Thread Debian Installer
(new) libmail-bulkmail-perl_3.09-1.diff.gz optional non-free/perl
(new) libmail-bulkmail-perl_3.09-1.dsc optional non-free/perl
(new) libmail-bulkmail-perl_3.09-1_i386.deb optional non-free/perl
WARNING: Already present in main distribution.
Platform independent mailing list module
 Mail::Bulkmail gives a fairly complete set of tools for
 managing mass-mailing lists.  It's really, really fast and
 can handle huge lists.
 .
 DO NOT USE THIS SOFTWARE TO SEND SPAM!
(new) libmail-bulkmail-perl_3.09.orig.tar.gz optional non-free/perl
Changes: libmail-bulkmail-perl (3.09-1) unstable; urgency=low
 .
  * New upstream version (Closes: #186494, #199378)
  * In 3.09, the config file has changed incompatibly from that in 2.05.
(The old format was a Debian-specific patch.  Upstream chose a
different format.)  Also there have been some architectural changes.
See /usr/share/doc/libmail-bulkmail-perl/migration.guide.txt and the
files in /usr/share/doc/libmail-bulkmail-perl/examples.
  * Distribution set to non-free (owing to non-DFSG license for
Mail::Bulkmail::Object) and section set to perl.
  * Orphaned: Maintainer set to Debian QA Group.
Announcing to debian-devel-changes@lists.debian.org
Closing bugs: 186494 199378 


Your package contains new components which require manual editing of
the override file.  It is ok otherwise, so please be patient.  New
packages are usually added to the override file about once a week.

You may have gotten the distribution wrong.  You'll get warnings above
if files already exist in other distributions.



Re: Ssh2-packet still secure?

2003-09-16 Thread Colin Watson
On Tue, Sep 16, 2003 at 09:32:00PM +0100, Colin Watson wrote:
> On Tue, Sep 16, 2003 at 08:38:39PM +0200, Johan C wrote:
> > I use ssh2 (2.0.13-7) on my webserver. As far as I can see this packet has
> > not been updated since Sat, 15 Dec 2001 12:43:25 +. My question is if
> > this packet is still considered secure and reliable to use after all
> > OpenSSH-bugs, since it's not updated for almost 2 years, or is that because
> > it's considered outdated?
> 
> The ssh2 package was the non-free ssh.com version of SSH, not OpenSSH.
> We removed it from Debian testing and unstable some time ago, and the
> last version uploaded to Debian was a long way behind ssh.com's version
> even then. I would be astonished if it didn't have a number of security
> holes.

Here's a possible privilege escalation requiring a local account:

  http://www.securityfocus.com/bid/6247

There are several reports of vulnerabilities in newer versions of ssh2,
but 2.0.13 is so old that people don't often even bother to quote it as
vulnerable or not vulnerable.

> (QA group: should we ask for ssh2 to be removed from stable as well? I
> don't think the project can reasonably support it at this point.)

I've mailed the security team about this.

Cheers,

-- 
Colin Watson  [EMAIL PROTECTED]



Re: Ssh2-packet still secure?

2003-09-16 Thread Colin Watson
On Tue, Sep 16, 2003 at 08:38:39PM +0200, Johan C wrote:
> I use ssh2 (2.0.13-7) on my webserver. As far as I can see this packet has
> not been updated since Sat, 15 Dec 2001 12:43:25 +. My question is if
> this packet is still considered secure and reliable to use after all
> OpenSSH-bugs, since it's not updated for almost 2 years, or is that because
> it's considered outdated?

The ssh2 package was the non-free ssh.com version of SSH, not OpenSSH.
We removed it from Debian testing and unstable some time ago, and the
last version uploaded to Debian was a long way behind ssh.com's version
even then. I would be astonished if it didn't have a number of security
holes. Notwithstanding today's OpenSSH vulnerability, I still very
strongly recommend that you stop using ssh2 and switch to ssh.

See also http://lists.debian.org/debian-qa-0209/msg00038.html.

(QA group: should we ask for ssh2 to be removed from stable as well? I
don't think the project can reasonably support it at this point.)

Cheers,

-- 
Colin Watson  [EMAIL PROTECTED]
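An added example, not from the thread and not Debian's own tooling: a small shell check that does for a whole system what Colin's advice implies, listing installed packages whose installed version no longer comes from any archive in sources.list (ssh2 2.0.13-7 on this webserver would show up as `no-repo-source`). It parses `apt-cache policy` output; the "Version table" layout it assumes (installed version marked with `***`, origin lines of priority plus source, `/var/lib/dpkg/status` meaning only the local dpkg database knows the version) is taken from apt 0.5/0.6 of the time. The sample policy output and its version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify installed packages by where apt can still get them.
# Assumption: `apt-cache policy` output in the apt 0.5/0.6 "Version table" layout.

classify_policy() {
    awk '
    function emit() {
        if (pkg == "") return
        if (inst == "" || inst == "(none)") status = "not-installed"
        else if (repo_srcs == 0)          status = "no-repo-source"   # only dpkg knows it (the ssh2 case)
        else if (cand != inst)            status = "upgradable"       # an archive has something newer
        else                              status = "current"
        print pkg, inst, status
    }
    /^[^ ]/            { emit(); pkg = $1; sub(/:$/, "", pkg)
                         inst = ""; cand = ""; repo_srcs = 0; in_inst = 0; next }
    /^  Installed: /   { inst = $2; next }
    /^  Candidate: /   { cand = $2; next }
    /^ \*\*\* /        { in_inst = 1; next }     # table entry for the installed version
    /^     [^ ]/       { in_inst = 0; next }     # table entry for some other version
    /^        [0-9]+ / { if (in_inst && $2 != "/var/lib/dpkg/status") repo_srcs++; next }
    END                { emit() }
    '
}

# Constructed sample output (versions are illustrative, not real archive data).
sample_policy() {
    cat <<'EOF'
ssh2:
  Installed: 2.0.13-7
  Candidate: 2.0.13-7
  Version table:
 *** 2.0.13-7 0
        100 /var/lib/dpkg/status
ssh:
  Installed: 1:3.4p1-1
  Candidate: 1:3.4p1-1.woody.3
  Version table:
     1:3.4p1-1.woody.3 0
        500 http://security.debian.org woody/updates/main Packages
 *** 1:3.4p1-1 0
        500 http://ftp.debian.org woody/main Packages
        100 /var/lib/dpkg/status
perl-base:
  Installed: 5.6.1-8.3
  Candidate: 5.6.1-8.3
  Version table:
 *** 5.6.1-8.3 0
        500 http://ftp.debian.org woody/main Packages
        100 /var/lib/dpkg/status
cacti:
  Installed: (none)
  Candidate: 0.6.8a-13.1
  Version table:
     0.6.8a-13.1 0
        500 http://ftp.debian.org testing/main Packages
EOF
}

# Run against the sample. On a real box feed it the live policy instead:
#   apt-cache policy $(dpkg-query -W -f='${Package} ') | classify_policy | grep no-repo-source
sample_policy | classify_policy
```

Anything reported as `no-repo-source` is installed but served by no configured archive, so it will never see a security update through apt; that is the state Johan's ssh2 package is in, and the list is worth checking after every dist-upgrade, since a package dropped from the distribution is silently left behind rather than removed.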



Processing of libmail-bulkmail-perl_3.09-1_i386.changes

2003-09-16 Thread James Troup
libmail-bulkmail-perl_3.09-1_i386.changes uploaded successfully to 
auric.debian.org
along with the files:
  libmail-bulkmail-perl_3.09-1.dsc
  libmail-bulkmail-perl_3.09.orig.tar.gz
  libmail-bulkmail-perl_3.09-1.diff.gz
  libmail-bulkmail-perl_3.09-1_i386.deb

Greetings,

Your Debian queue daemon



Ssh2-packet still secure?

2003-09-16 Thread Johan C
Hey,

I use ssh2 (2.0.13-7) on my webserver. As far as I can see this packet has
not been updated since Sat, 15 Dec 2001 12:43:25 +. My question is if
this packet is still considered secure and reliable to use after all
OpenSSH-bugs, since it's not updated for almost 2 years, or is that because
it's considered outdated?

Thanks a lot in advance :-)

// Johan email: [EMAIL PROTECTED]



Bug#211249: default /etc/cron.d/cacti does not work

2003-09-16 Thread Oliver Zimmermann
Package: cacti
Version: 0.6.8a-13.1
Severity: normal

By default there is in /etc/cron.d/cacti:
*/5 * * * * www-data php4 /usr/share/cacti/cmd.php > /dev/null 2>&1

This doesn't work, because php4 is not started in the right directory.
To succeed I had to change it like this:
*/5 * * * * www-data cd /usr/share/cacti && php4 cmd.php > /dev/null 2>&1

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux testix 2.4.20 #2 SMP Wed Jan 29 14:10:21 CET 2003 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages cacti depends on:
ii  apache 1.3.27.1-3Versatile, high-performance HTTP s
ii  debconf1.3.14Debian configuration management sy
ii  mysql-client   4.0.14-1  mysql database client binaries
ii  php4-cgi   4:4.3.2+rc3-6 A server-side, HTML-embedded scrip
ii  php4-mysql 4:4.3.2+rc3-6 MySQL module for php4
ii  rrdtool1.0.42-2  Time-series data storage and displ
ii  snmp   5.0.7-1.1 NET SNMP (Simple Network Managemen
ii  wwwconfig-common   0.0.30Debian web auto configuration

-- debconf information excluded