Re: sources.list

2001-02-13 Thread Giacomo Mulas

On Sat, 10 Feb 2001, Duane Powers wrote:

 I have a question - I have a dozen boxen that I am maintaining, all with 
 Debian ( almost all potato - one woody) I would like to save bandwidth 
 and centralize administration by utilizing one of the boxes as an apt-get 
 source. then I can apt-get update ; apt-get dist-upgrade ; done, on one 
 box, and save all the .deb's then use those .deb's for the other boxen 
 without actually mirroring the whole debian site.

Here is one way to do it: 

- install a web proxy (e.g. squid) on one of your computers
- direct apt to go through the proxy (you need to add one line to the apt
configuration file, I don't quite remember the syntax but you will find it
in the man page)

In this way, the first box you upgrade will cause the proxy server to
download the packages, all the subsequent ones will get the cached file.

Bye
Giacomo

_

Giacomo Mulas [EMAIL PROTECTED], [EMAIL PROTECTED]
_

OSSERVATORIO  ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216 Fax : +39 070 71180 222
_

"When the storms are raging around you, stay right where you are"
 (Freddy Mercury)
_
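
A check worth adding to any of these schemes, as an added example that is not from the thread or from Debian's own tools: whether the .debs arrive through a Squid cache, from a local mirror, or by hand as Duane proposes, the only integrity data apt of this era has for a package is the MD5sum in the archive's Packages index, and it does not verify a signature on that index, so whoever controls the proxy or mirror controls what gets installed. The script below reproduces that index check in POSIX shell for .debs copied between boxes. It assumes md5sum and awk are available; the two Packages stanzas and the fake .deb are constructed for the demo, while the field names (Filename, MD5sum) are the real ones from the index format.

```shell
#!/bin/sh
# Added example (not from the thread): before handing a .deb that came from a
# cache, a local mirror or a manual copy to apt, check it against the MD5sum that
# the archive's Packages index records for it. The index stanzas and the .deb
# below are constructed for the demo; the Packages field names are the real ones.
set -eu

# Print the MD5sum recorded for the stanza whose Filename is $2 in index $1,
# or nothing if no stanza matches. Stanzas are separated by blank lines.
expected_md5() {
    awk -v want="$2" '
        function flush() {
            if (fn == want && !done) { print md5; done = 1 }
            fn = ""; md5 = ""
        }
        /^Filename:/ { fn = $2 }
        /^MD5sum:/   { md5 = $2 }
        /^$/         { flush() }
        END          { flush() }
    ' "$1"
}

# Compare the digest of file $3 with the index entry for Filename $2 in index $1.
# Returns 0 on match, 1 on mismatch, 2 if the index does not list the package.
check_deb() {
    idx=$1; name=$2; file=$3
    want=$(expected_md5 "$idx" "$name")
    [ -n "$want" ] || return 2
    have=$(md5sum "$file" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# Build a two-stanza index and a fake .deb in a scratch directory, then exercise
# the three outcomes (intact copy, corrupted copy, package not in the index).
# Prints the three return codes as "0 1 2".
demo_md5_check() {
    d=$(mktemp -d)
    deb="$d/fake_1.0_i386.deb"
    name='dists/potato/main/binary-i386/misc/fake_1.0_i386.deb'
    printf 'constructed stand-in for a package file\n' > "$deb"
    sum=$(md5sum "$deb" | awk '{ print $1 }')
    cat > "$d/Packages" <<EOF
Package: other
Version: 0.1-1
Filename: dists/potato/main/binary-i386/misc/other_0.1-1_i386.deb
MD5sum: 00000000000000000000000000000000

Package: fake
Version: 1.0
Filename: $name
MD5sum: $sum
EOF
    r1=0; check_deb "$d/Packages" "$name" "$deb" || r1=$?   # intact copy
    printf 'x' >> "$deb"
    r2=0; check_deb "$d/Packages" "$name" "$deb" || r2=$?   # corrupted copy
    r3=0; check_deb "$d/Packages" \
        'dists/potato/main/binary-i386/misc/absent_1_i386.deb' "$deb" || r3=$?
    rm -rf "$d"
    echo "$r1 $r2 $r3"
}

demo_md5_check   # prints: 0 1 2
```

A mismatch means the copy or download is damaged or is not the file the index describes. A match says nothing about whether the mirror or proxy itself was honest, because the index the digest came from is fetched over the same untrusted path; that is the gap the signature discussion in the "Apt-get package verification" thread is about.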


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Apt-get package verification

2001-02-13 Thread marcoghidinelli

On Sat, Feb 10, 2001 at 02:52:57PM -0600, Bud Rogers wrote:
 On Saturday 10 February 2001 12:54, Carel Fellinger wrote:
  On Sat, Feb 10, 2001 at 06:11:01PM +0100, marcoghidinelli wrote:
  ...
 
   for the debian-developer keys:
   apt-get install debian-keyring
 
  I've done this some time ago, but now I get:
 
   [-- PGP output follows (current time: Sat Feb 10 19:40:06 2001) --]
   gpg: Signature made Sat 10 Feb 2001 06:11:01 PM CET using DSA key ID EBF15399
   gpg: Good signature from "Marco Ghidinelli [EMAIL PROTECTED]"
   gpg: WARNING: This key is not certified with a trusted signature!
   gpg:          There is no indication that the signature belongs to the owner.
   gpg: Fingerprint: 1C34 97F7 1837 D525 7E3F  C883 B572 DF1A EBF1 5399
   [-- End of PGP output --]
 
 I have the same problem with Martin Schulze's sigs.  I've retrieved the 
 debian keyring from the website and from my CD,  I've manually 
 retrieved his key from public keyservers and from the debian website  
 All the fingerprints match.  I've signed his key on my keyring.  I even 
 tried giving it full trust.  His sigs are still flagged as bad here.  

Sure?? All the debian-security-announce mails were correctly signed..

 What have I missed?

don't know...


-- 
BOFH excuse #425:

stop bit received



Re: Apt-get package verification

2001-02-13 Thread Jim Breton

On Sat, Feb 10, 2001 at 07:54:49PM +0100, Carel Fellinger wrote:
 [-- PGP output follows (current time: Sat Feb 10 19:40:06 2001) --]
 gpg: Signature made Sat 10 Feb 2001 06:11:01 PM CET using DSA key ID EBF15399
 gpg: Good signature from "Marco Ghidinelli [EMAIL PROTECTED]"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:  There is no indication that the signature belongs to the owner.
 gpg: Fingerprint: 1C34 97F7 1837 D525 7E3F  C883 B572 DF1A EBF1 5399
 [-- End of PGP output --]
 
 But I'm quite willing to trust debian developers in general.  I trust them
 with the packages, might as well trust their identity:)  I'm a bit uncertain
 how to achieve this though.  Is it enough if I tell gpg to trust James Troup?

You don't need to assign any trust to these keys; it's enough to get the
"Good signature..." output.  As long as the signature verifies
successfully (as it does in your example above), you know that the
person who created the key you've got on your keyring is the same person
who sent the message/signed the package/whatever.

The issue of trusting the key is a separate one: it answers the
question, "was this key created by the person whose name appears in the
key?"  If you can unconditionally answer Yes to this question then go
ahead and sign the key.  Otherwise you do not REALLY know that that key
was created by that person.

For instance, when I see security advisories sent by Wichert Akkerman, I
verify the signature using his public key which is on my keyring.  As
long as it says "Good signature" then I can be certain that it was
signed by whoever created the public key I've got.  But, unless I have
actually met him in person or spoken to him, etc. or otherwise verified
WITHOUT ANY DOUBT that he created that key, I should not assign trust to
that key.

None of this is any different from how you should handle anyone else's
keys, this is all standard procedure.






UPLOAD: Re: Mysql vulnerabilities

2001-02-13 Thread Christian Hammers

Hi

I uploaded mysql-3.22.32 (mysql-server, formerly non-free) and 
mysql-gpl-3.22.30 (libmysqlclient6...) due to three security patches.

They are for potato. A new version (this time upstream) for testing/unstable
will follow soon.

The corresponding BugTraq mail was:
http://lists.insecure.org/bugtraq/2001/Feb/0028.html
The 3rd bug was accidentally found by me and fixed, as the others, too, by
Guillaume. 

bye,

 -christian-

-- 
Christian HammersWESTEND GmbH - Aachen und Dueren Tel 0241/701333-0
[EMAIL PROTECTED] Internet  Security for ProfessionalsFax 0241/911879
   WESTEND ist CISCO Systems Partner - Premium Certified






Re: Quick update ?

2001-02-13 Thread Peter Cordes

On Tue, Feb 13, 2001 at 11:00:18PM +0100, marcoghidinelli wrote:
 On Sun, Feb 11, 2001 at 08:10:36PM +0100, Christian Schlettig wrote:
  Hi again,
  
   so it finally worked fine - the update/upgrades were installed - but i'm
   wondering about the size of these updates:
   in total it was about 9 MegaBytes or so. And i have made no update since September '00
  
  Is this amount o.k.? Or should it been more ??
 
 slink was dropped.
 you MUST upgrade to potato.
 
 substitute 'slink' with 'potato' in your apt/sources.list, and then make a 
 apt-get update; apt-get upgrade

 Make that apt-get dist-upgrade, I think you'll need to do that to get some
bigger things up to potato level.  (normal upgrade won't upgrade when a
package has been split into multiple separate packages, e.g. xntp -> ntpdate,
ntp or the netkit split.  dist-upgrade will do everything it can to
upgrade as much as possible, but it does make sure nothing has broken
dependencies once it's all done.) 

 BTW, before the upgrade would be a good time to backup the whole system :)

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE






Re: Proposal

2001-02-13 Thread Paul Haesler
All,

Carlos wrote:
 Sorry to disturb you all, but I am not too interested in the huge
 threads that have appeared in debian-security lately. I subscribed to
 this list mostly to get notified of security problems in the
 distribution itself, and it seems like people are using it to get
 answers now (like debian-user focused on security). Perhaps the
 listmaster could create debian-security-announce, as a moderated,
 security announcements-focused list, and leave debian-security for
 general discussion? Thanks.

Gee, that sounds like a good idea.  In fact, SUCH a good idea that  
it's been implemented for years.

Seriously though, if there is anybody else on debian-security who 
is NOT also subscribed to debian-security-announce, you should 
probably do so.  There have been a few debian-security posts 
recently asking about the status of something for which a fix was 
announced on debian-security-announce a couple of days 
previously.

My understanding is that debian-security IS more or less a debian-
user for security issues.  :)
Paul Haesler
[EMAIL PROTECTED]

We are the Steely-Pips and we have no fear, no
 spats in our vats, no rules, no schools, no gloom,
 no evil influence of the moon, for we have a machine,
 a dream of a machine, with springs and gears and 
 perfect in every respect.

 Stanislaw Lem, The Cyberiad (Trurl's Prescription)



Security updates

2001-02-13 Thread Piotr Tarnowski
Hi,

I am new to Debian but I found its apt-based update system very useful.
Recently I have some problems with downloading from security.debian.org
(connection time-out and things like that).
Two questions:
1) Do others from Poland/Gdansk (via TPSA) have the same problem ?
2) When I fail with dselect/apt I use wget to download the package and
put it in /var/cache/apt/packages then restart dselect. Is it possible
to integrate wget with apt so that this process would go automatically ?
Or is this a case of some option tuning for apt ?

Regards,
Piotr Tarnowski





Re: sources.list

2001-02-13 Thread Jerome Demeyer
You could mirror the nearest Debian FTP mirror and make your box an internal FTP 
server, with proftpd for example.
Next, on the other boxes, you do an apt-config where you set your source as an 
FTP server, obviously yours... et voilà !

Jerome Demeyer.

- Original Message - 
From: Giacomo Mulas [EMAIL PROTECTED]
To: security debian debian-security@lists.debian.org
Sent: Tuesday, February 13, 2001 11:41 AM
Subject: Re: sources.list


 On Sat, 10 Feb 2001, Duane Powers wrote:
 
  I have a question - I have a dozen boxen that I am maintaining, all with 
  Debian ( almost all potato - one woody) I would like to save bandwidth 
   and centralize administration by utilizing one of the boxes as an apt-get 
  source. then I can apt-get update ; apt-get dist-upgrade ; done, on one 
  box, and save all the .deb's then use those .deb's for the other boxen 
  without actually mirroring the whole debian site.
 
 Here is one way to do it: 
 
 - install a web proxy (e.g. squid) on one of your computers
 - direct apt to go through the proxy (you need to add one line to the apt
 configuration file, I don't quite remember the syntax but you will find it
 in the man page)
 
 In this way, the first box you upgrade will cause the proxy server to
 download the packages, all the subsequent ones will get the cached file.
 
 Bye
 Giacomo
 



Re: Security updates

2001-02-13 Thread Marcin 'Spock' Jurczuk
On Tue, 13 Feb 2001, Piotr Tarnowski wrote:

 Hi,
 
 I am new to Debian but I found its apt-based update system very useful.
 Recently I have some problems with downloading from security.debian.org
 (connection time-out and things like that).
 Two questions:
 1) Do others from Poland/Gdansk (via TPSA) have the same problem ?

Yes.. in Bialystok it is the same problem, but here it is a little strange:
some day ftp.icm.edu.pl is working fine, other day ftp.task.gda.pl...
I believe that the source of these problems is dynamic routing in the Polish
Telecommunication TPSA backbone net.



 2) When I fail with dselect/apt I use wget to download the package and
 put it in /var/cache/apt/packages then restart dselect. Is it possible
 to integrate wget with apt so that this process would go automatically ?
 Or is this a case of some option tuning for apt ?
 

good idea :-)
does anyone try to do this ?


---
Marcin 'Spock' Jurczuk  [EMAIL PROTECTED]
Administrator sieci Cyber-Net   [EMAIL PROTECTED]
[EMAIL PROTECTED]
---



Nessusd

2001-02-13 Thread Craig



Hi everybody

I am trying to setup nessusd ... been through the config files but I keep
getting the following error message when trying to connect via the windows
client:

ERROR: Server doesn't support NSP/0.3 protocol. Connection terminated.

If anyone can assist it would be greatly appreciated :)

-// Craig Schneider Systems Administrator Z Data Solutions http://www.zdata.co.za //



Re: Security updates

2001-02-13 Thread ] n0iR [
On Tue, Feb 13, 2001 at 08:19:10AM +0100, Piotr Tarnowski wrote:
 I am new to Debian but I found its apt-based update system very useful.
 Recently I have some problems with downloading from security.debian.org
 (connection time-out and things like that).
 Two questions:
 1) Do others from Poland/Gdansk (via TPSA) have the same problem ?
Not only in Gdansk, here, in Radom too. I had to make several attempts,
until I downloaded single 568Kb package :/

 2) When I fail with dselect/apt I use wget to download the package and
 put it in /var/cache/apt/packages then restart dselect. Is it possible
 to integrate wget with apt so that this process would go automatically ?
 Or is this a case of some option tuning for apt ?
Easier is to dumbly repeat install. Apt will automatically reget.

Aleander

-- 
/==]n0iR[==.__  /\
| [EMAIL PROTECTED]   `\ BOFH excuse #88: Boss' kid fucked up the machine   
`|
+ BOFH #1 of #radom `\   |
|\  UIN: #89507110`\ |
\--\/'






Oops

2001-02-13 Thread Carlos Laviola
Sorry! :)

-- 
Spruce: I got sucked into /dev/null!



Re: Quick update ? (was: Re: How to use apt to install security updates ?)

2001-02-13 Thread marcoghidinelli
On Sun, Feb 11, 2001 at 08:10:36PM +0100, Christian Schlettig wrote:
 Hi again,
 
 so it finally worked fine - the update/upgrades  were installed - but i'm 
 wondering about the size of these updates:
 in total it was about 9 MegaBytes or so. And i have made no update since 
 September '00
 
 Is this amount o.k.? Or should it been more ??

slink was dropped.
you MUST upgrade to potato.

substitute 'slink' with 'potato' in your apt/sources.list, and then make a 
apt-get update; apt-get upgrade

security patch was only made for potato.
slink is 'old' and 'insecure'.

switch! switch! switch!
:))


-- 
BOFH excuse #224:

Jan  9 16:41:27 huber su: 'su root' succeeded for  on /dev/pts/1




Re: Apt-get package verification

2001-02-13 Thread Carel Fellinger
On Tue, Feb 13, 2001 at 09:28:49PM +, Jim Breton wrote:

 You don't need to assign any trust to these keys; it's enough to get the
 Good signature... output.  As long as the signature verifies
 successfully (as it does in your example above), you know that the
 person who created the key you've got on your keyring is the same person
 who sent the message/signed the package/whatever.
 
 The issue of trusting the key is a separate one: it answers the
 question, was this key created by the person whose name appears in the
 key?  If you can unconditionally answer Yes to this question then go
 ahead and sign the key.  Otherwise you do not REALLY know that that key
 was created by that person.

Thanks for clearing this up.

-- 
groetjes, carel







Re: Nessusd

2001-02-13 Thread volker . tanger
Greetings!

On 13 Feb, Craig wrote:
 I am trying to setup nessusd ... been though the config files but I keep
 getting the following error message
 when trying to connect via the windows client:
 
 ERROR: Server doesn't support NSP/0.3 protocol. Connection terminated.

The nessusd in Debian 2.2 is a 0.9x version whereas the Windows client
is a 1.0.7 (probably) release. The client-server protocol changed some
time ago. So you either have to use 0.9x server AND client - or both
1.0.x.  Best solution would be to update the server to 1.0.7.  Just
uninstall the debian file, grab the current tarballs from
http://www.nessus.org/ and install that manually.

Bye
Volker

-- 

Volker Tanger   [EMAIL PROTECTED]
-===-
Research  Development Division, WYAE




Re: PGP and GnuPG

2001-02-13 Thread Hanno Böttcher


I got another problem, at work I use Winnt (have to) and PGP Freeware, but
when I write an encrypted mail to a friend of mine using GNU PGP he can read
my mails, but I can't read his? I think it's a problem of the MIME Body?


Thx for help Hanno