Re: sources.list
On Sat, 10 Feb 2001, Duane Powers wrote:

> I have a question - I have a dozen boxen that I am maintaining, all with
> Debian (almost all potato - one woody). I would like to save bandwidth and
> centralize administration by utilizing one of the boxes as an apt-get
> source. Then I can apt-get update ; apt-get dist-upgrade ; done, on one box,
> and save all the .deb's, then use those .deb's for the other boxen without
> actually mirroring the whole debian site.

Here is one way to do it:

- install a web proxy (e.g. squid) on one of your computers
- direct apt to go through the proxy (you need to add one line to the apt
  configuration file, I don't quite remember the syntax but you will find it
  in the man page)

In this way, the first box you upgrade will cause the proxy server to download
the packages, all the subsequent ones will get the cached file.

Bye
Giacomo

Giacomo Mulas [EMAIL PROTECTED], [EMAIL PROTECTED]
OSSERVATORIO ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel.: +39 070 71180 216   Fax: +39 070 71180 222
"When the storms are raging around you, stay right where you are" (Freddy Mercury)

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
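The apt side of the proxy setup is the one line Giacomo could not remember; it goes in /etc/apt/apt.conf on each client. This is an added example, not a fragment from the original mail, and the proxy host name and port are assumptions. The squid side carries one caveat worth knowing before relying on the cache: squid's default maximum_object_size is 4096 KB, so any .deb larger than that passes through uncached and is fetched again for every client unless the limit is raised.

```conf
// /etc/apt/apt.conf on every client box (host and port are assumptions)
Acquire::http::Proxy "http://squid.example.invalid:3128/";

# /etc/squid/squid.conf on the proxy box: raise the per-object cache limit
# above squid's 4096 KB default so large packages are actually kept
maximum_object_size 65536 KB
```

Confirm the client picked the setting up with `apt-config dump | grep -i proxy` before the first upgrade. Caching does not relax apt's own integrity check: each fetched .deb is compared against the MD5Sum recorded in the Packages index, so a truncated or corrupted cache entry is rejected rather than installed. The index itself carries no signature, though, so the cache is only as trustworthy as the box running it.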
Re: Apt-get package verification
On Sat, Feb 10, 2001 at 02:52:57PM -0600, Bud Rogers wrote:
> On Saturday 10 February 2001 12:54, Carel Fellinger wrote:
> > On Sat, Feb 10, 2001 at 06:11:01PM +0100, marcoghidinelli wrote:
> > > ... for the debian-developer keys: apt-get install debian-keyring
> >
> > I've done this some time ago, but now I get:
> >
> > [-- PGP output follows (current time: Sat Feb 10 19:40:06 2001) --]
> > gpg: Signature made Sat 10 Feb 2001 06:11:01 PM CET using DSA key ID EBF15399
> > gpg: Good signature from "Marco Ghidinelli [EMAIL PROTECTED]"
> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg:          There is no indication that the signature belongs to the owner.
> > gpg: Fingerprint: 1C34 97F7 1837 D525 7E3F C883 B572 DF1A EBF1 5399
> > [-- End of PGP output --]
>
> I have the same problem with Martin Schulze's sigs. I've retrieved the
> debian keyring from the website and from my CD, I've manually retrieved his
> key from public keyservers and from the debian website. All the fingerprints
> match. I've signed his key on my keyring. I even tried giving it full trust.
> His sigs are still flagged as bad here.

sure?? all the debian-security-announce was correctly signed..

> What have I missed?

don't know...

--
BOFH excuse #425:
stop bit received
Re: Apt-get package verification
On Sat, Feb 10, 2001 at 07:54:49PM +0100, Carel Fellinger wrote:
> [-- PGP output follows (current time: Sat Feb 10 19:40:06 2001) --]
> gpg: Signature made Sat 10 Feb 2001 06:11:01 PM CET using DSA key ID EBF15399
> gpg: Good signature from "Marco Ghidinelli [EMAIL PROTECTED]"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> gpg: Fingerprint: 1C34 97F7 1837 D525 7E3F C883 B572 DF1A EBF1 5399
> [-- End of PGP output --]
>
> But I'm quite willing to trust debian developers in general. I trust them
> with the packages, might as well trust their identity:) I'm a bit uncertain
> how to achieve this though. Is it enough if I tell gpg to trust James Troup?

You don't need to assign any trust to these keys; it's enough to get the
"Good signature..." output. As long as the signature verifies successfully
(as it does in your example above), you know that the person who created the
key you've got on your keyring is the same person who sent the message/signed
the package/whatever.

The issue of trusting the key is a separate one: it answers the question,
"was this key created by the person whose name appears in the key?" If you
can unconditionally answer Yes to this question then go ahead and sign the
key. Otherwise you do not REALLY know that that key was created by that
person.

For instance, when I see security advisories sent by Wichert Akkerman, I
verify the signature using his public key which is on my keyring. As long as
it says "Good signature" then I can be certain that it was signed by whoever
created the public key I've got. But, unless I have actually met him in
person or spoken to him, etc. or otherwise verified WITHOUT ANY DOUBT that he
created that key, I should not assign trust to that key.

None of this is any different from how you should handle anyone else's keys,
this is all standard procedure.
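Jim's distinction between a signature that verifies and a key whose owner has been established maps directly onto GnuPG's machine-readable `--status-fd` output, where the two come out as separate lines (GOODSIG versus TRUST_*). The following is an added example, not code from anyone in this thread: it parses that output into the two verdicts and compares the fingerprint against one obtained out of band, which is what Bud Rogers describes doing with the CD and the web site. The status lines are constructed to mirror the verification quoted above; the key ID and fingerprint are the ones in the quote, while the e-mail address and timestamps are placeholders.

```python
"""Separate "the signature verifies" from "the key is trusted" in GnuPG output.

Added example for this thread, not code posted in it. It parses the lines
GnuPG emits on --status-fd (GOODSIG, VALIDSIG, BADSIG, ERRSIG, NO_PUBKEY,
EXPKEYSIG, REVKEYSIG and TRUST_*). Sample status text is constructed; the
key ID and fingerprint are taken from the thread, the address and timestamp
are placeholders.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed: what `gpg --status-fd 1 --verify mail.asc` emits alongside the
# human-readable "Good signature ... WARNING: This key is not certified" text.
GOOD_BUT_UNTRUSTED = """\
[GNUPG:] GOODSIG B572DF1AEBF15399 Marco Ghidinelli <marco@example.invalid>
[GNUPG:] VALIDSIG 1C3497F71837D5257E3FC883B572DF1AEBF15399 2001-02-10 981825061 0 3 0 17 2 00 1C3497F71837D5257E3FC883B572DF1AEBF15399
[GNUPG:] TRUST_UNDEFINED
"""

# Constructed: the same key after the local user has signed it. The
# verification lines are unchanged; only the TRUST_ line moves.
GOOD_AND_TRUSTED = GOOD_BUT_UNTRUSTED.replace("TRUST_UNDEFINED", "TRUST_FULLY")

# Constructed: a modified message. The check itself fails, so trust is moot.
BAD = "[GNUPG:] BADSIG B572DF1AEBF15399 Marco Ghidinelli <marco@example.invalid>\n"


@dataclass
class Verdict:
    signature_ok: bool = False       # the cryptographic check passed
    key_id: Optional[str] = None
    fingerprint: Optional[str] = None
    signer: Optional[str] = None     # user ID on the key, as gpg printed it
    trust: str = "UNKNOWN"           # UNDEFINED / NEVER / MARGINAL / FULLY / ULTIMATE
    problem: Optional[str] = None    # BADSIG, ERRSIG, NO_PUBKEY, EXPKEYSIG, REVKEYSIG

    @property
    def key_trusted(self) -> bool:
        """A verdict about who owns the key, not about the signature."""
        return (self.signature_ok and self.problem is None
                and self.trust in ("FULLY", "ULTIMATE"))


def parse_gpg_status(status_text: str) -> Verdict:
    """Reduce --status-fd output to the two independent verdicts."""
    v = Verdict()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                       # human-readable noise, ignore
        fields = line[len("[GNUPG:] "):].split(" ", 2)
        tag = fields[0]
        if tag == "GOODSIG":
            v.signature_ok = True
            v.key_id = fields[1]
            v.signer = fields[2] if len(fields) > 2 else None
        elif tag in ("EXPKEYSIG", "REVKEYSIG"):
            v.signature_ok = True          # the signature itself is fine...
            v.problem = tag                # ...but the key is expired/revoked
            v.key_id = fields[1]
        elif tag in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            v.signature_ok = False
            v.problem = tag
            if len(fields) > 1:
                v.key_id = fields[1]
        elif tag == "VALIDSIG":
            v.fingerprint = fields[1]      # full fingerprint of the signing key
        elif tag.startswith("TRUST_"):
            v.trust = tag[len("TRUST_"):]  # gpg may append extra fields; fine
    return v


def _norm(fpr: str) -> str:
    return re.sub(r"\s+", "", fpr).upper()


def fingerprint_matches(v: Verdict, pinned: str) -> bool:
    """Compare with a fingerprint obtained out of band (CD, web site, in person).

    This comparison is what actually establishes key ownership; the TRUST_
    line only reports whether that conclusion has been recorded in the keyring.
    """
    return v.fingerprint is not None and _norm(v.fingerprint) == _norm(pinned)


def classify(status_text: str) -> str:
    """One-line summary that keeps the two verdicts apart."""
    v = parse_gpg_status(status_text)
    if not v.signature_ok:
        return "signature failed: %s" % v.problem
    if v.problem:
        return "signature ok but key %s" % v.problem.lower()
    if v.key_trusted:
        return "signature ok, key trusted"
    return "signature ok, key ownership unverified (trust %s)" % v.trust


if __name__ == "__main__":
    for sample in (GOOD_BUT_UNTRUSTED, GOOD_AND_TRUSTED, BAD):
        print(classify(sample))
```

A "Good signature" together with TRUST_UNDEFINED is exactly what the quoted output shows: the mail or package was signed by whoever holds that key, and nothing more. A fingerprint compared through a channel you already trust, or a certification from someone you do trust, is what turns that into knowledge about who holds the key; signing the key locally records that conclusion and changes the TRUST_ line, never the GOODSIG line.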
UPLOAD: Re: Mysql vulnerabilities
Hi

I uploaded mysql-3.22.32 (mysql-server, formerly non-free) and
mysql-gpl-3.22.30 (libmysqlclient6...) due to three security patches. They
are for potato. A new version (this time upstream) for testing/unstable will
follow soon.

The corresponding BugTraq mail was:
http://lists.insecure.org/bugtraq/2001/Feb/0028.html

The 3rd bug was accidentally found by me and fixed, as the others, too, by
Guillaume.

bye,
-christian-

--
Christian Hammers              WESTEND GmbH - Aachen und Dueren     Tel 0241/701333-0
[EMAIL PROTECTED]              Internet Security for Professionals  Fax 0241/911879
WESTEND ist CISCO Systems Partner - Premium Certified
Re: Quick update ?
On Tue, Feb 13, 2001 at 11:00:18PM +0100, marcoghidinelli wrote:
> On Sun, Feb 11, 2001 at 08:10:36PM +0100, Christian Schlettig wrote:
> > Hi again,
> > so it finally worked fine - the update/upgrades were installed - but i'm
> > wondering about the size of these updates: in total it was about 9
> > MegaBytes or so. And i have made no update since September '00
> > Is this amount o.k.? Or should it been more ??
>
> slink was dropped. you MUST upgrade to potato.
> substitute 'slink' with 'potato' in your apt/sources.list, and then make a
> apt-get update; apt-get upgrade

Make that apt-get dist-upgrade, I think you'll need to do that to get some
bigger things up to potato level. (normal upgrade won't upgrade when a package
has been split into multiple separate packages, e.g. xntp -> ntpdate, ntp or
the netkit split. dist-upgrade will do everything it can to upgrade as much as
possible, but it does make sure nothing has broken dependencies once it's all
done.)

BTW, before the upgrade would be a good time to backup the whole system :)

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack my day
so wretchedly into small pieces!" -- Plautus, 200 BCE
Re: Proposal
All,

Carlos wrote:
> Sorry to disturb you all, but I am not too interested in the huge threads
> that have appeared in debian-security lately. I subscribed to this list
> mostly to get noticed of security problems in the distribution itself, and
> it seems like people are using it to get answers now (like debian-user
> focused on security). Perhaps the listmaster could create
> debian-security-announce, as a moderated, security announcements-focused
> list, and leave debian-security for general discussion? Thanks.

Gee, that sounds like a good idea. In fact, SUCH a good idea that it's been
implemented for years.

Seriously though, if there is anybody else on debian-security who is NOT also
subscribed to debian-security-announce, you should probably do so. There have
been a few debian-security posts recently asking about the status of something
for which a fix was announced on debian-security-announce a couple of days
previously.

My understanding is that debian-security IS more or less a debian-user for
security issues. :)

Paul Haesler
[EMAIL PROTECTED]

We are the Steely-Pips and we have no fear, no spats in our vats, no rules,
no schools, no gloom, no evil influence of the moon, for we have a machine,
a dream of a machine, with springs and gears and perfect in every respect.
    Stanislaw Lem, The Cyberiad (Trurl's Prescription)
Security updates
Hi,

I am new in Debian but I found its apt-based update system very useful.
Recently I have some problems with downloading from security.debian.org
(connection time-out and things like that). Two questions:

1) Do others from Poland/Gdansk (via TPSA) have the same problem ?

2) When I fail with dselect/apt I use wget to download the package and put it
in /var/cache/apt/packages then restart dselect. Is it possible to integrate
wget with apt so that this process would go automatically ? Or is this a case
of some option tuning for apt ?

Regards,
Piotr Tarnowski
Re: sources.list
You could mirror the nearest debian's ftp mirror, make your box an internal
ftp server, with proftpd for example. next, on the other boxes, you do an
apt-config where you set your source as a ftp server, obviously yours... et
voilà!

Jerome Demeyer.

----- Original Message -----
From: Giacomo Mulas [EMAIL PROTECTED]
To: security debian debian-security@lists.debian.org
Sent: Tuesday, February 13, 2001 11:41 AM
Subject: Re: sources.list

> On Sat, 10 Feb 2001, Duane Powers wrote:
> > I have a question - I have a dozen boxen that I am maintaining, all with
> > Debian (almost all potato - one woody). I would like to save bandwidth
> > and centralize administration by utilizing one of the boxes as an apt-get
> > source. Then I can apt-get update ; apt-get dist-upgrade ; done, on one
> > box, and save all the .deb's, then use those .deb's for the other boxen
> > without actually mirroring the whole debian site.
>
> Here is one way to do it:
>
> - install a web proxy (e.g. squid) on one of your computers
> - direct apt to go through the proxy (you need to add one line to the apt
>   configuration file, I don't quite remember the syntax but you will find
>   it in the man page)
>
> In this way, the first box you upgrade will cause the proxy server to
> download the packages, all the subsequent ones will get the cached file.
>
> Bye
> Giacomo
Re: Security updates
On Tue, 13 Feb 2001, Piotr Tarnowski wrote:
> Hi,
> I am new in Debian but I found its apt-based update system very useful.
> Recently I have some problems with downloading from security.debian.org
> (connection time-out and things like that). Two questions:
> 1) Do others from Poland/Gdansk (via TPSA) have the same problem ?

Yes.. in Bialystok is the same problem, but here is a little strange: Some
day ftp.icm.edu.pl is working fine other day ftp.task.gda.pl... I believe
that source of this problems is dynamic routing in Polish Telecommunication
TPSA backbone net.

> 2) When I fail with dselect/apt I use wget to download the package and put
> it in /var/cache/apt/packages then restart dselect. Is it possible to
> integrate wget with apt so that this process would go automatically ? Or is
> this a case of some option tuning for apt ?

good idea :-) does anyone try to do this ?

---
Marcin 'Spock' Jurczuk [EMAIL PROTECTED]
Administrator sieci Cyber-Net
[EMAIL PROTECTED] [EMAIL PROTECTED]
---
Nessusd
Hi everybody

I am trying to setup nessusd ... been through the config files but I keep
getting the following error message when trying to connect via the windows
client:

ERROR: Server doesn't support NSP/0.3 protocol. Connection terminated.

If anyone can assist it would be greatly appreciated :)

--
Craig Schneider
Systems Administrator
Z Data Solutions
http://www.zdata.co.za
Re: Security updates
On Tue, Feb 13, 2001 at 08:19:10AM +0100, Piotr Tarnowski wrote:
> I am new in Debian but I found its apt-based update system very useful.
> Recently I have some problems with downloading from security.debian.org
> (connection time-out and things like that). Two questions:
> 1) Do others from Poland/Gdansk (via TPSA) have the same problem ?

Not only in Gdansk, here, in Radom too. I had to make several attempts,
until I downloaded single 568Kb package :/

> 2) When I fail with dselect/apt I use wget to download the package and put
> it in /var/cache/apt/packages then restart dselect. Is it possible to
> integrate wget with apt so that this process would go automatically ? Or is
> this a case of some option tuning for apt ?

Easier is to dumbly repeat install. Apt will automatically reget.

Aleander

--
n0iR [EMAIL PROTECTED]
BOFH excuse #88: Boss' kid fucked up the machine
BOFH #1 of #radom
UIN: #89507110
Oops
Sorry! :)

--
Spruce: I got sucked into /dev/null!
Re: Quick update ? (was: Re: How to use apt to install security updates ?)
On Sun, Feb 11, 2001 at 08:10:36PM +0100, Christian Schlettig wrote:
> Hi again,
> so it finally worked fine - the update/upgrades were installed - but i'm
> wondering about the size of these updates: in total it was about 9
> MegaBytes or so. And i have made no update since September '00
> Is this amount o.k.? Or should it been more ??

slink was dropped. you MUST upgrade to potato.
substitute 'slink' with 'potato' in your apt/sources.list, and then make a
apt-get update; apt-get upgrade

security patch was only made for potato. slink is 'old' and 'insecure'.
switch! switch! switch! :))

--
BOFH excuse #224:
Jan 9 16:41:27 huber su: 'su root' succeeded for on /dev/pts/1
Re: Apt-get package verification
On Tue, Feb 13, 2001 at 09:28:49PM +, Jim Breton wrote:
> You don't need to assign any trust to these keys; it's enough to get the
> "Good signature..." output. As long as the signature verifies successfully
> (as it does in your example above), you know that the person who created
> the key you've got on your keyring is the same person who sent the
> message/signed the package/whatever.
>
> The issue of trusting the key is a separate one: it answers the question,
> "was this key created by the person whose name appears in the key?" If you
> can unconditionally answer Yes to this question then go ahead and sign the
> key. Otherwise you do not REALLY know that that key was created by that
> person.

Thanks for clearing this up.

--
groetjes, carel
Re: Nessusd
Greetings!

On 13 Feb, Craig wrote:
> I am trying to setup nessusd ... been through the config files but I keep
> getting the following error message when trying to connect via the windows
> client:
> ERROR: Server doesn't support NSP/0.3 protocol. Connection terminated.

The nessusd in Debian 2.2 is a 0.9x version whereas the Windows client is a
1.0.7 (probably) release. The client-server protocol changed some time ago.
So you either have to use 0.9x server AND client - or both 1.0.x.

Best solution would be to update the server to 1.0.7. Just uninstall the
debian file, grab the current tarballs from http://www.nessus.org/ and
install that manually.

Bye
Volker

--
Volker Tanger [EMAIL PROTECTED]
Research Development Division, WYAE
Re: PGP and GnuPG
I got another problem, at work I use Winnt (have to) and PGP Freeware, but
when I write an encrypted mail to a friend of mine using GNU PGP he can read
my mails, but I can't read his? I think it's a problem of the MIME Body?

Thx for help
Hanno
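Hanno's guess about the MIME body can be checked concretely. PGP/MIME (RFC 3156) wraps the ciphertext in a multipart/encrypted container with protocol="application/pgp-encrypted" and a separate application/octet-stream part, whereas older clients simply paste the ASCII-armored block into a text/plain body ("inline PGP"); a client that only understands one layout decrypts mail in one direction and not the other. The following is an added example, not code from the thread: it classifies a raw message as one layout or the other and pulls the armored block out of either. Both messages are constructed, the ciphertext is a placeholder rather than real OpenPGP data, and the addresses are assumptions.

```python
"""Tell PGP/MIME (RFC 3156) mail apart from "inline" PGP mail.

Added example for this thread, not code posted in it. Both messages below are
constructed; the armored "ciphertext" is a placeholder and the addresses are
assumptions.
"""
import re
from email import message_from_string
from typing import Optional

# Placeholder armor: the layout is real, the payload is not a real OpenPGP packet.
ARMOR = """-----BEGIN PGP MESSAGE-----

hQEMA0NSTRUCTEDplaceholderNotRealCiphertext=
-----END PGP MESSAGE-----"""

# Constructed: RFC 3156 layout. A multipart/encrypted container holding a
# control part (application/pgp-encrypted, body "Version: 1") and the
# armored ciphertext as a second, application/octet-stream part.
PGP_MIME_MSG = f"""\
From: alice@example.invalid
To: bob@example.invalid
Subject: test
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

{ARMOR}

--b1--
"""

# Constructed: "inline" layout. The armored block is simply the text body.
INLINE_MSG = f"""\
From: bob@example.invalid
To: alice@example.invalid
Subject: re: test
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

{ARMOR}
"""

ARMOR_RE = re.compile(r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.S)


def _text_bodies(msg) -> str:
    """Concatenate every text/* body in the message, decoded to str."""
    return "\n".join((p.get_payload(decode=True) or b"").decode("ascii", "replace")
                     for p in msg.walk() if p.get_content_maintype() == "text")


def pgp_layout(raw: str) -> str:
    """Return 'pgp-mime', 'inline' or 'none' for an RFC 822 message string."""
    msg = message_from_string(raw)
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return "pgp-mime"
    if ARMOR_RE.search(_text_bodies(msg)):
        return "inline"
    return "none"


def extract_armor(raw: str) -> Optional[str]:
    """Pull the armored block out of either layout; None if there is none."""
    msg = message_from_string(raw)
    layout = pgp_layout(raw)
    if layout == "pgp-mime":
        parts = msg.get_payload()               # [control part, ciphertext part]
        if len(parts) != 2 or parts[0].get_content_type() != "application/pgp-encrypted":
            return None                         # malformed RFC 3156 container
        text = (parts[1].get_payload(decode=True) or b"").decode("ascii", "replace")
    elif layout == "inline":
        text = _text_bodies(msg)
    else:
        return None
    m = ARMOR_RE.search(text)
    return m.group(0) if m else None


if __name__ == "__main__":
    for name, raw in (("pgp/mime", PGP_MIME_MSG), ("inline", INLINE_MSG)):
        print(name, "->", pgp_layout(raw), bool(extract_armor(raw)))
```

Run it over the raw source (headers and body, saved unmodified from the mail client) of a message that does decrypt and one that does not; if the two come back with different layouts, the mismatch is in the clients' handling of the MIME structure, not in the keys, and the remedy is a client or plug-in on the failing side that understands the other layout.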