RE: Ssh not upgraded when doing apt-get upgrade?

2002-06-27 Thread David Bell
Use apt-get -u upgrade to show what packages are being upgraded, then
apt-get install them to fetch the dependencies as well, or just use
apt-get dist-upgrade, which gets additional dependencies (and removes
conflicting packages) automatically.

On Thu, 2002-06-27 at 19:14, Howland, Curtis wrote:
> I noticed the same thing when doing the 3.3 thing two days ago that I 
> commented on on this list.
> 
> The security server is in my apt.sources list, but when I executed "apt-get 
> upgrade", it said "0 new, 0 to be removed, 1 package(s) not updated".



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



RE: Problem with ssh

2002-06-27 Thread aku
On Fri, 28 Jun 2002, Howland, Curtis wrote:

> Too bad you didn't copy all the other lists with this one.
>
> At this point, I'm out of ideas. Time for someone else to take you further.
>
> However, I can point out something: You're using ssh 3.4, which is very new. 
> Make sure that it has worked using version 3.4 before. Like less than 48 
> hours ago.
>
> Yes, I know you said "it did work before" and that you hadn't made any 
> changes, but I've been in the tech support business for 20 years and that is 
> the one statement from a user I have learned to never trust.
>
> Good luck,
>
> Curt-

Thanks Curt,
I just reconfigured my sshd and tried using another ssh client, and then it
worked again.

I get something: my sshd server and ssh client are using around protocol
1 and 2 (Tom Cook <[EMAIL PROTECTED]> said), so if I am using protocol 1, my
client should be using 1.

Thanks


Ryansimon aku


>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > Sent: Friday, June 28, 2002 00:10
> > To: Howland, Curtis
> > Cc: debian-security@lists.debian.org
> > Subject: RE: Problem with ssh
> >
> >
> > On Fri, 28 Jun 2002, Howland, Curtis wrote:
> >
> > > Try connecting in verbose mode for debugging, I think it's
> > "ssh -v" or even "-v -v" as I saw someone suggest recently.
> >
> > I try using ssh -v and get a message :
> >
> > ~$ ssh -v yans xxx.xxx.xxx.xxx
> > OpenSSH_3.4p1 Debian 1:3.4p1-0.0potato1, SSH protocols
> > 1.5/2.0, OpenSSL
> > 0x0090603f
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: Rhosts Authentication disabled, originating port will not be
> > trusted.
> > debug1: ssh_connect: needpriv 0
> > ssh: myusername: Name or service not known
> >
> >
> > >
> > > Something changed. The goal is to find out what.
> > >
> > > Also try "ssh -1 ..." to force version 1 access and see if
> > that works.
> >
> > it doesn't work.
> >
> >
> > - Ryansimon aku
> >
> > >
> > > Curt-
> > >
> > > > > First question:
> > > > >
> > > > > Has it worked before now?
> > > >
> > > > Yes.
> > > >
> > > > >
> > > > > Second question:
> > > > >
> > > > > What did you change between then and now?
> > > >
> > > > no, i did not change anything with my configuration (ssh client or
> > > > ssh server)
> > > >
> > > > -Ryansimon aku
> > >
> >
> >
>





Re: Problem with ssh

2002-06-27 Thread Hari S
On Thu, Jun 27, 2002 at 10:10:27PM +0700, [EMAIL PROTECTED] wrote:
> On Fri, 28 Jun 2002, Howland, Curtis wrote:
> 
> > Try connecting in verbose mode for debugging, I think it's "ssh -v" or even 
> > "-v -v" as I saw someone suggest recently.
> 
> I try using ssh -v and get a message :
> 
> ~$ ssh -v yans xxx.xxx.xxx.xxx
                ^
you forgot the @ character

> OpenSSH_3.4p1 Debian 1:3.4p1-0.0potato1, SSH protocols 1.5/2.0, OpenSSL
> 0x0090603f
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Rhosts Authentication disabled, originating port will not be
> trusted.
> debug1: ssh_connect: needpriv 0
> ssh: myusername: Name or service not known
> 
> 
> >
> > Something changed. The goal is to find out what.
> >
> > Also try "ssh -1 ..." to force version 1 access and see if that works.
> 
> it doesn't work.
> 
> 
> - Ryansimon aku
> 
> >
> > Curt-
> >
> > > > First question:
> > > >
> > > > Has it worked before now?
> > >
> > > Yes.
> > >
> > > >
> > > > Second question:
> > > >
> > > > What did you change between then and now?
> > >
> > > no, i did not change anything with my configuration (ssh client or
> > > ssh server)
> > >
> > > -Ryansimon aku
> >
> 
> 





RE: Problem with ssh

2002-06-27 Thread aku
On Fri, 28 Jun 2002, Howland, Curtis wrote:

> Try connecting in verbose mode for debugging, I think it's "ssh -v" or even 
> "-v -v" as I saw someone suggest recently.

I try using ssh -v and get a message :

~$ ssh -v yans xxx.xxx.xxx.xxx
OpenSSH_3.4p1 Debian 1:3.4p1-0.0potato1, SSH protocols 1.5/2.0, OpenSSL
0x0090603f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: ssh_connect: needpriv 0
ssh: myusername: Name or service not known


>
> Something changed. The goal is to find out what.
>
> Also try "ssh -1 ..." to force version 1 access and see if that works.

it doesn't work.


- Ryansimon aku

>
> Curt-
>
> > > First question:
> > >
> > > Has it worked before now?
> >
> > Yes.
> >
> > >
> > > Second question:
> > >
> > > What did you change between then and now?
> >
> > no, i did not change anything with my configuration (ssh client or
> > ssh server)
> >
> > -Ryansimon aku
>





RE: Problem with ssh

2002-06-27 Thread Howland, Curtis
Try connecting in verbose mode for debugging, I think it's "ssh -v" or even "-v 
-v" as I saw someone suggest recently.

Something changed. The goal is to find out what.

Also try "ssh -1 ..." to force version 1 access and see if that works.

Curt-

> > First question:
> >
> > Has it worked before now?
> 
> Yes.
> 
> >
> > Second question:
> >
> > What did you change between then and now?
> 
> no, i did not change anything with my configuration (ssh client or
> ssh server)
> 
> -Ryansimon aku





RE: Problem with ssh

2002-06-27 Thread aku
On Fri, 28 Jun 2002, Howland, Curtis wrote:

> First question:
>
> Has it worked before now?

Yes.

>
> Second question:
>
> What did you change between then and now?

no, i did not change anything with my configuration (ssh client or
ssh server)

-Ryansimon aku

>
> Curt-
>
> > Dear All,
> >
> > I have a problem with my ssh, when i try to connect to our
> > server using
> > ssh have an error like this :
> >
> > ssh -l [EMAIL PROTECTED]
> > 2f65 7463 2f73 7368
> > Disconnecting: Bad packet length 795178083.
> >
> >
> > What's Wrong with my server or my ssh client. And how to solve them.
> >
> >
> > Thank's
> >
> > Ryansimon Aku
>





Re: Problem with ssh

2002-06-27 Thread Ljungström
On Thu, 27 Jun 2002 21:25:52 +0700 (JAVT)
<[EMAIL PROTECTED]> wrote:

> Dear All,
> 
> I have a problem with my ssh, when i try to connect to our server
> using ssh have an error like this :
> 
> ssh -l [EMAIL PROTECTED]
> 2f65 7463 2f73 7368
> Disconnecting: Bad packet length 795178083.
> 
> 
> What's Wrong with my server or my ssh client. And how to solve them.
> 
> 
> Thank's
> 
> Ryansimon Aku
> 
> 

Make sure that your sshd uses the same protocol as your client. 
There's both ssh1 and ssh2. Look at www.ssh.com for more info.

-- 
Best regards, Erik
Main: 
[EMAIL PROTECTED]
Alternative:
[EMAIL PROTECTED]





RE: Problem with ssh

2002-06-27 Thread Howland, Curtis
First question:

Has it worked before now?

Second question:

What did you change between then and now?

Curt-

> Dear All,
> 
> I have a problem with my ssh, when i try to connect to our 
> server using
> ssh have an error like this :
> 
> ssh -l [EMAIL PROTECTED]
> 2f65 7463 2f73 7368
> Disconnecting: Bad packet length 795178083.
> 
> 
> What's Wrong with my server or my ssh client. And how to solve them.
> 
> 
> Thank's
> 
> Ryansimon Aku





Problem with ssh

2002-06-27 Thread aku
Dear All,

I have a problem with my ssh, when i try to connect to our server using
ssh have an error like this :

ssh -l [EMAIL PROTECTED]
2f65 7463 2f73 7368
Disconnecting: Bad packet length 795178083.


What's Wrong with my server or my ssh client. And how to solve them.


Thank's

Ryansimon Aku
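
Added example, not part of the original post: the number in "Bad packet length" is the 4-byte big-endian length field the client read, and the hex line printed above it is a dump of the same bytes, so both can be decoded back to characters. The function names below are made up for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): decode the two diagnostics the client
# printed, "Bad packet length N" and the hex dump line above it, as raw bytes.

# byte_to_char BYTE: print the byte as ASCII, or "." when it is not printable.
byte_to_char() {
    if [ "$1" -ge 32 ] && [ "$1" -le 126 ]; then
        # %b expands the \0ooo octal escape into the character itself.
        printf '%b' "\\0$(printf '%o' "$1")"
    else
        printf '.'
    fi
}

# be32_to_ascii N: the packet length field is a 32-bit big-endian integer,
# so split N into its four bytes, most significant first.
be32_to_ascii() {
    n=$1
    out=""
    for s in 24 16 8 0; do
        b=$(( (n >> s) & 255 ))
        out="$out$(byte_to_char "$b")"
    done
    printf '%s\n' "$out"
}

# hex_to_ascii "2f65 7463 ...": decode a whitespace-separated hex dump.
hex_to_ascii() {
    hex=$(printf '%s' "$*" | tr -d ' \t\n')
    case $hex in
        ''|*[!0-9a-fA-F]*) echo "not a hex string" >&2; return 1 ;;
    esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || { echo "odd number of hex digits" >&2; return 1; }
    out=""
    while [ -n "$hex" ]; do
        rest=${hex#??}          # everything after the first two digits
        pair=${hex%"$rest"}     # the first two digits
        hex=$rest
        b=$(( 0x$pair ))
        out="$out$(byte_to_char "$b")"
    done
    printf '%s\n' "$out"
}

# The two values quoted in the message above.
printf 'length field 795178083 -> "%s"\n' "$(be32_to_ascii 795178083)"
printf 'hex dump               -> "%s"\n' "$(hex_to_ascii '2f65 7463 2f73 7368')"
```

Both values decode to printable text (`/etc` and `/etc/ssh`), meaning the client received text where it expected a binary packet header; the thread does not establish what sent it.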





Re: Ssh not upgraded when doing apt-get upgrade?

2002-06-27 Thread Vineet Kumar
* Howland, Curtis ([EMAIL PROTECTED]) [020627 17:15]:
> I noticed the same thing when doing the 3.3 thing two days ago that I 
> commented on on this list.
> 
> The security server is in my apt.sources list, but when I executed
> "apt-get upgrade", it said "0 new, 0 to be removed, 1 package(s) not
> updated".

apt-get dist-upgrade would have worked. This happens when the new
version of a package has a new dependency on something you don't already
have installed. upgrade won't automatically pull in the new package, but
dist-upgrade will.

> Dselect showed the ssh package as ready to be updated, and when I
> selected "install and update" from the dselect menu it did the work
> without argument.

dselect resolves all of these things (even the Suggests:) when you hit
enter.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
"Computer Science is no more about computers
than astronomy is about telescopes." -E.W. Dijkstra




RE: Ssh not upgraded when doing apt-get upgrade?

2002-06-27 Thread Howland, Curtis
Not "security updates" as such, but since the software has been changed,
doesn't testing have its package replaced with the new version?

I can't imagine that a known hole would be deliberately left in a
package when an update has already been compiled. This is "testing", not
"Hamm".

> Testing doesn't get security updates, so when the next testing comes
> along, its directory on security.debian.org, if it exists at all, will
> be empty.
> 
> The only reason woody is getting security updates now is that it's so
> close to release this provides a good opportunity to give the 
> new build
> infrastructure a shake-down.
> 
> noah





Re: Ssh not upgraded when doing apt-get upgrade?

2002-06-27 Thread Noah L. Meyerhans
On Thu, Jun 27, 2002 at 04:55:31PM -0700, Tom Dominico wrote:
> When woody goes stable, though, I want to move on to whatever "testing"
> is at that point.  That's why I had been using "testing" in my
> sources.list rather than explicitly saying "woody"; I thought it would
> make it easier to stay current.  Is it better to explicitly state
> "woody" in your sources.list, and then change it when woody is no longer
> the name for testing?  Thanks.

Testing doesn't get security updates, so when the next testing comes
along, its directory on security.debian.org, if it exists at all, will
be empty.

The only reason woody is getting security updates now is that it's so
close to release this provides a good opportunity to give the new build
infrastructure a shake-down.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




RE: Ssh not upgraded when doing apt-get upgrade?

2002-06-27 Thread Howland, Curtis
I noticed the same thing when doing the 3.3 thing two days ago that I commented 
on on this list.

The security server is in my apt.sources list, but when I executed "apt-get 
upgrade", it said "0 new, 0 to be removed, 1 package(s) not updated".

Dselect showed the ssh package as ready to be updated, and when I selected 
"install and update" from the dselect menu it did the work without argument.

Maybe, since it was a major upgrade at the time (not just 3.3 to 3.4 for 
example), was there a cue in the package file not to perform the upgrade unless 
it was being done in an interactive mode? Certainly it did take substantial 
interaction to get it right, and that is one reason I do not put "apt-get 
update" in any kind of script.

Curt-

> -Original Message-
> From: Tom Dominico [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 28, 2002 08:29
> To: debian-security@lists.debian.org
> Subject: RE: Ssh not upgraded when doing apt-get upgrade?
> 
> 
> Thanks for all the rapid replies folks, apparently I was 
> mixed up there.
> Adding the security line for "testing" did the trick.
> 
> Tom





RE: Ssh not upgraded when doing apt-get upgrade?

2002-06-27 Thread Tom Dominico
When woody goes stable, though, I want to move on to whatever "testing"
is at that point.  That's why I had been using "testing" in my
sources.list rather than explicitly saying "woody"; I thought it would
make it easier to stay current.  Is it better to explicitly state
"woody" in your sources.list, and then change it when woody is no longer
the name for testing?  Thanks.

Tom

-Original Message-
From: Noah L. Meyerhans [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 27, 2002 4:39 PM
To: Moti Levy
Cc: debian-security@lists.debian.org
Subject: Re: Ssh not upgraded when doing apt-get upgrade?


On Thu, Jun 27, 2002 at 07:35:21PM -0400, Moti Levy wrote:
> this line in /etc/apt/sources.list did it for me ...
> deb http://security.debian.org testing/updates main contrib non-free

You should probably use 'woody', not 'testing'.  After all, testing
doesn't normally get security updates.  Once woody becomes stable, you
are still going to want them.  Specifying the distribution by name will
get you the updated packages for as long as the security team supports
that version.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html





Re: Ssh not upgraded when doing apt-get upgrade?

2002-06-27 Thread Noah L. Meyerhans
On Thu, Jun 27, 2002 at 07:35:21PM -0400, Moti Levy wrote:
> this line in /etc/apt/sources.list did it for me ...
> deb http://security.debian.org testing/updates main contrib non-free

You should probably use 'woody', not 'testing'.  After all, testing
doesn't normally get security updates.  Once woody becomes stable, you
are still going to want them.  Specifying the distribution by name will
get you the updated packages for as long as the security team supports
that version.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
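
The advice in this reply can be checked mechanically. The following shell function is an added example, not code from the thread; it assumes the one-line `deb URI suite components` format shown in the messages, and the function name is made up.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an APT sources.list
# carries a security.debian.org entry, and whether that entry names the suite
# by alias ("testing") or by release codename ("woody").

# check_security_source: reads sources.list text on stdin and prints one line
# per security entry ("alias <suite>" or "codename <suite>"), or "missing"
# when no security entry is present.
check_security_source() {
    awk '
        # Skip comments, blank lines and anything that is not a "deb" line.
        $1 ~ /^#/ || $1 != "deb" { next }

        $2 ~ /^https?:\/\/security\.debian\.org\/?$/ {
            found = 1
            split($3, part, "/")      # "woody/updates" -> part[1] = "woody"
            if (part[1] ~ /^(oldstable|stable|testing|unstable)$/)
                print "alias " $3     # follows whatever release holds the alias
            else
                print "codename " $3  # pinned to one named release
        }

        END { if (!found) print "missing" }
    '
}

# Constructed inputs: the two lines from the question (rejoined onto one line
# each), then the same file with each suggested security line appended.
base='deb http://http.us.debian.org/debian testing main contrib non-free
deb http://non-us.debian.org/debian-non-US testing/non-US main contrib non-free'

printf '%s\n' "$base" | check_security_source
printf '%s\n%s\n' "$base" \
    'deb http://security.debian.org testing/updates main contrib non-free' |
    check_security_source
printf '%s\n%s\n' "$base" \
    'deb http://security.debian.org/ woody/updates main contrib non-free' |
    check_security_source
```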




RE: Ssh not upgraded when doing apt-get upgrade?

2002-06-27 Thread Tom Dominico
Thanks for all the rapid replies folks, apparently I was mixed up there.
Adding the security line for "testing" did the trick.

Tom

-Original Message-
From: A.J. Rossini [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 27, 2002 4:29 PM
To: Tom Dominico
Cc: debian-security@lists.debian.org
Subject: Re: Ssh not upgraded when doing apt-get upgrade?



you need something like:

deb http://security.debian.org stable/updates main contrib non-free

or 

deb http://security.debian.org woody/updates main contrib non-free

(I think "testing/updates" ought to work, but am not sure).

 
> "tom" == Tom Dominico <[EMAIL PROTECTED]> writes:

tom> Hello,
tom> I am on testing, and when I do an apt-get update/apt-get upgrade, I do
tom> not seem to be getting the "new and improved" ssh.  I checked ssh -v,
tom> and I'm not on 3.4 yet.  I've done the "workarounds", so I shouldn't be
tom> vulnerable, but I can't figure out why I'm not getting the new version.
tom> Has it not been put into the testing packages?

tom> Here are the lines in my sources.list:

tom> deb http://http.us.debian.org/debian testing main contrib non-free
tom> deb http://non-us.debian.org/debian-non-US testing/non-US main contrib non-free

tom> Originally I had a mirror there, but I initially thought that maybe it
tom> was an old mirror that wasn't updated any more, so I went back to the
tom> main debian.org site.  I don't need the "security" line, do I?  I
tom> thought that was just for stable users who need security updates.  Am I
tom> missing something really obvious?  Any guidance is greatly appreciated,
tom> thanks.

tom> Tom





-- 
A.J. Rossini                        Rsrch. Asst. Prof. of Biostatistics
U. of Washington Biostatistics  [EMAIL PROTECTED]   
FHCRC/SCHARP/HIV Vaccine Trials Net [EMAIL PROTECTED]
-- http://software.biostat.washington.edu/ 
FHCRC: M: 206-667-7025 (fax=4812)|Voicemail is pretty sketchy/use Email
UW:   Th: 206-543-1044 (fax=3286)|Change last 4 digits of phone to FAX
(my tuesday/wednesday/friday locations are completely unpredictable.)







Re: Ssh not upgraded when doing apt-get upgrade?

2002-06-27 Thread A.J. Rossini

you need something like:

deb http://security.debian.org stable/updates main contrib non-free

or 

deb http://security.debian.org woody/updates main contrib non-free

(I think "testing/updates" ought to work, but am not sure).

 
> "tom" == Tom Dominico <[EMAIL PROTECTED]> writes:

tom> Hello,
tom> I am on testing, and when I do an apt-get update/apt-get upgrade, I do
tom> not seem to be getting the "new and improved" ssh.  I checked ssh -v,
tom> and I'm not on 3.4 yet.  I've done the "workarounds", so I shouldn't be
tom> vulnerable, but I can't figure out why I'm not getting the new version.
tom> Has it not been put into the testing packages?

tom> Here are the lines in my sources.list:

tom> deb http://http.us.debian.org/debian testing main contrib non-free
tom> deb http://non-us.debian.org/debian-non-US testing/non-US main contrib non-free

tom> Originally I had a mirror there, but I initially thought that maybe it
tom> was an old mirror that wasn't updated any more, so I went back to the
tom> main debian.org site.  I don't need the "security" line, do I?  I
tom> thought that was just for stable users who need security updates.  Am I
tom> missing something really obvious?  Any guidance is greatly appreciated,
tom> thanks.

tom> Tom





-- 
A.J. Rossini                        Rsrch. Asst. Prof. of Biostatistics
U. of Washington Biostatistics  [EMAIL PROTECTED]   
FHCRC/SCHARP/HIV Vaccine Trials Net [EMAIL PROTECTED]
-- http://software.biostat.washington.edu/ 
FHCRC: M: 206-667-7025 (fax=4812)|Voicemail is pretty sketchy/use Email
UW:   Th: 206-543-1044 (fax=3286)|Change last 4 digits of phone to FAX
(my tuesday/wednesday/friday locations are completely unpredictable.)







Re: Ssh not upgraded when doing apt-get upgrade?

2002-06-27 Thread Moti Levy

Tom Dominico wrote:


Hello,

I am on testing, and when I do an apt-get update/apt-get upgrade, I do
not seem to be getting the "new and improved" ssh.  I checked ssh -v,
and I'm not on 3.4 yet.  I've done the "workarounds", so I shouldn't be
vulnerable, but I can't figure out why I'm not getting the new version.
Has it not been put into the testing packages?

Here are the lines in my sources.list:

deb http://http.us.debian.org/debian testing main contrib non-free
deb http://non-us.debian.org/debian-non-US testing/non-US main contrib non-free

Originally I had a mirror there, but I initially thought that maybe it
was an old mirror that wasn't updated any more, so I went back to the
main debian.org site.  I don't need the "security" line, do I?  I
thought that was just for stable users who need security updates.  Am I
missing something really obvious?  Any guidance is greatly appreciated,
thanks.

Tom


 


this line in /etc/apt/sources.list did it for me ...
deb http://security.debian.org testing/updates main contrib non-free
moti







Re: Ssh not upgraded when doing apt-get upgrade?

2002-06-27 Thread Vineet Kumar
* Tom Dominico ([EMAIL PROTECTED]) [020627 16:23]:
> Hello,
> 
> I am on testing, and when I do an apt-get update/apt-get upgrade, I do
> not seem to be getting the "new and improved" ssh.  I checked ssh -v,
> and I'm not on 3.4 yet.  I've done the "workarounds", so I shouldn't be
> vulnerable, but I can't figure out why I'm not getting the new version.
> Has it not been put into the testing packages?
> 
> Here are the lines in my sources.list:
> 
> deb http://http.us.debian.org/debian testing main contrib non-free
> deb http://non-us.debian.org/debian-non-US testing/non-US main contrib non-free
> 
> Originally I had a mirror there, but I initially thought that maybe it
> was an old mirror that wasn't updated any more, so I went back to the
> main debian.org site.  I don't need the "security" line, do I?  I

Yes. The packages are on security.debian.org:

deb http://security.debian.org/ woody/updates main contrib non-free
deb http://security.debian.org/ potato/updates main contrib non-free

You should probably add the woody line to your sources.list.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
"Computer Science is no more about computers
than astronomy is about telescopes." -E.W. Dijkstra




Ssh not upgraded when doing apt-get upgrade?

2002-06-27 Thread Tom Dominico
Hello,

I am on testing, and when I do an apt-get update/apt-get upgrade, I do
not seem to be getting the "new and improved" ssh.  I checked ssh -v,
and I'm not on 3.4 yet.  I've done the "workarounds", so I shouldn't be
vulnerable, but I can't figure out why I'm not getting the new version.
Has it not been put into the testing packages?

Here are the lines in my sources.list:

deb http://http.us.debian.org/debian testing main contrib non-free
deb http://non-us.debian.org/debian-non-US testing/non-US main contrib non-free

Originally I had a mirror there, but I initially thought that maybe it
was an old mirror that wasn't updated any more, so I went back to the
main debian.org site.  I don't need the "security" line, do I?  I
thought that was just for stable users who need security updates.  Am I
missing something really obvious?  Any guidance is greatly appreciated,
thanks.

Tom





Re: will compression still work in this ssh release?

2002-06-27 Thread Jacques Lav!gnotte
On Thu, Jun 27, 2002 at 07:35:49PM +0200, Rolf Kutz wrote:
> * Quoting Robert Brown ([EMAIL PROTECTED]):

> It works here, with kernel-2.4 on i386. You can

 It works here, with kernel-2.2 on i386.

> - Rolf

 Jacques

-- 

0CBE 3F8A 5A77 A35C 27C7  2D42 3EC5 806B 9178 088D






Re: will compression still work in this ssh release?

2002-06-27 Thread Rolf Kutz
* Quoting Robert Brown ([EMAIL PROTECTED]):

> Sorry if this has been answered elsewhere, but there did not seem to be a
> mention of whether compression works with this latest release of OpenSSH
> 3.4, particularly on the server side.  I depend upon compression in
> various scripts and would like to know whether those must be changed or
> not.

It works here, with kernel-2.4 on i386. You can
check with ssh -v.

- Rolf





will compression still work in this ssh release?

2002-06-27 Thread Robert Brown
Sorry if this has been answered elsewhere, but there did not seem to be a
mention of whether compression works with this latest release of OpenSSH
3.4, particularly on the server side.  I depend upon compression in
various scripts and would like to know whether those must be changed or
not.

Thanks.





Amazing response (DSA-134-4)

2002-06-27 Thread Adam Warner
Dear Michael Stone and the rest of the Debian security team,

I'm very impressed at your successful demonstration of how well the new
security infrastructure can work. Getting out a response this quick for
OpenSSH 3.4 for all 11 Woody architectures is remarkable.

The chaos surrounding these unknown OpenSSH vulnerabilities has at least
provided a great test of the new infrastructure.

It's certainly possible that Debian will significantly lead other
vendors with security fixes on average in the future even though the
security team has to support many more architectures.

It will be interesting to see how soon other vendors respond to these
vulnerabilities.

Regards,
Adam





Re: [SECURITY] [DSA-134-4] OpenSSH Remote Challenge Vulnerability

2002-06-27 Thread Raymond Wood
On Thu, Jun 27, 2002 at 02:50:54PM +0200, Michael Stone remarked:
> -BEGIN PGP SIGNED MESSAGE-
> 
> - 
> Debian Security Advisory DSA-134-4   [EMAIL PROTECTED]
> http://www.debian.org/security/                             Michael Stone
> June 27, 2002
> - 
> 
> Package: ssh
> Problem type   : remote exploit
> Debian-specific: no
> CERT advisory  : CA-2002-18
> 
> This advisory is an update to DSA-134-3: this advisory contains
> updated information that is relevant to all Debian installations of
> OpenSSH (the ssh package). DSA-134-4 supersedes previous versions of
> DSA-134.
[snip]
> wget url
> will fetch the file for you
> dpkg -i file.deb
> will install the referenced file.
> 
> 
> Debian GNU/Linux 2.2 alias potato
> - -
> 
>   Potato was released for alpha, arm, i386, m68k, powerpc and sparc
[snip]
> 
> Debian GNU/Linux 3.0 alias woody
> - 
> 
>   Woody will be released for alpha, arm, hppa, i386, ia64, m68k, mips,
>   mipsel, powerpc, s390 and sparc.
[snip]

Thank you *very* much for this clarification (this SSH
vulnerability has been a bit of a nightmare for users to
follow).

One additional question: (I have asked before but so far
received no satisfactory response)

Is the recommended action for Sid users to install the Woody
OpenSSH 3.4 deb package?  If not, what?

TIA,
Raymond




Re: [SECURITY] [DSA-134-4] OpenSSH Remote Challenge Vulnerability

2002-06-27 Thread Phillip Hofmeister
On Thu, Jun 27, 2002 at 02:50:54PM +0200, Michael Stone wrote:
> Debian 2.2 (potato) shipped with an ssh package based on OpenSSH
> 1.2.3, and is not vulnerable to the vulnerabilities covered by this
> advisory. Users still running a version 1.2.3 ssh package do not have
> an immediate need to upgrade to OpenSSH 3.4. Users who upgraded to the
> OpenSSH version 3.3 packages released in previous iterations of
> DSA-134 should upgrade to the new version 3.4 OpenSSH packages, as the
> version 3.3 packages are vulnerable. We suggest that users running
> OpenSSH 1.2.3 consider a move to OpenSSH 3.4 to take advantage of the
> privilege separation feature. (Though, again, we have no specific
> knowledge of any vulnerability in OpenSSH 1.2.3. Please carefully read
> the caveats listed below before upgrading from OpenSSH 1.2.3.) We
> recommend that any users running a back-ported version of OpenSSH
> version 2.0 or higher on potato move to OpenSSH 3.4.
> 
> 
Will the security team continue to support 1.2.3?

Phil





Re: [d-security] Re: DSA-134-1

2002-06-27 Thread Phillip Hofmeister
On Thu, Jun 27, 2002 at 09:12:41AM +0100, Tim Haynes wrote:
> I'm trying not to think how many Debian policies have been bent because of
> "oh no! it's ssh!"-factor - porting a protocol-2-enabled *new feature* down
> to Stable with the resultant paragraphs on `create a proto-2 keypair' and
> `these are untested' in the DSA causes inconvenience to folks running
> Stable+Secure boxes, in addition to those of us using Testing but keeping
> an eye on DSAs.
> And we're all going to have to upgrade again when 3.4 comes out properly as
> it is...
>
Might I suggest you consider dpkg --force-downgrade 

If not you will be running around next week when our good friend Theo finds a
vulnerability in 3.4...just a thought


Phil 




Re: [Fwd: ISS Advisory: OpenSSH Remote Challenge Vulnerability]

2002-06-27 Thread Anthony DeRobertis
On Wed, 2002-06-26 at 14:59, Lupe Christoph wrote:

> I've spent several hours updating left and right, and now this?
> How shall I justify this to my client? I can't really charge for
> falling for Theo. Seems I took a firm stand and bent over for him.

See Wichert's message: <[EMAIL PROTECTED]>

Apparently, the advisory does not give a thorough account of what is
vulnerable.





Re: OpenSSH vuln: BSD only?

2002-06-27 Thread Wichert Akkerman
Previously Wim Fournier wrote:
> I just read this over at iss, it seems that the vuln only exists for
> default installations of BSD and only for S-KEY and BSD authentication.

That advisory sucks :). Keyboard-interactive authentication is
vulnerable, and we use that for PAM as well by default (that makes PAM
modules which use a conversation function like libpam-opie work).

Wichert.

-- 
  _
 /[EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |





Re: openssh packages not vulnerable

2002-06-27 Thread John Galt

Note that Potato users actually BECAME vulnerable by installing this 
"security fix".

On Thu, 27 Jun 2002, Florian Weimer wrote:

>Paul Baker <[EMAIL PROTECTED]> writes:
>
>> So as it turns out, AFAIK, none of the versions of OpenSSH in Debian
>> were actually vulnerable to the exploit found by ISS and reported in
>> DSA-134
>
>The 3.3p1 packages are vulnerable in some configurations. :-(
>
>

-- 
 Customer:  "I'm running Windows '98"  Tech: "Yes."  Customer:
   "My computer isn't working now." Tech: "Yes, you said that."

Who is John Galt?  [EMAIL PROTECTED], that's who!





Re: openssh packages not vulnerable

2002-06-27 Thread Florian Weimer
Paul Baker <[EMAIL PROTECTED]> writes:

> So as it turns out, AFAIK, none of the versions of OpenSSH in Debian
> were actually vulnerable to the exploit found by ISS and reported in
> DSA-134

The 3.3p1 packages are vulnerable in some configurations. :-(

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  fax +49-711-685-5898





Re: OpenSSH vuln: BSD only?

2002-06-27 Thread Jan-Hendrik Palic
On Thu, Jun 27, 2002 at 10:38:44AM +0200, Wim Fournier wrote:
>http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584
>
>I just read this over at iss, it seems that the vuln only exists for
>default installations of BSD and only for S-KEY and BSD authentication.
>
>So need to upgrade at all.. it's just a way to get everyone over to 3.x I
>guess...

For Debian it is not necessary to upgrade for these security issues.
But ssh-3.4 contains many other security fixes and bugfixes, so it is
recommended to upgrade.
But I am not in a hurry for this and will wait for the new deb ... :)

Regards
Jan

-- 
  .''`.Jan-Hendrik Palic |
 : :' : ** Debian GNU/ Linux **  |   ** OpenOffice.org **   ,.. ,..
 `. `'   http://www.debian.org   | http://www.openoffice.org  ,: ..`   `
   `-  [EMAIL PROTECTED] |   '  `  `




OpenSSH vuln: BSD only?

2002-06-27 Thread Wim Fournier
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584

I just read this over at iss, it seems that the vuln only exists for
default installations of BSD and only for S-KEY and BSD authentication.

So need to upgrade at all.. it's just a way to get everyone over to 3.x I
guess...


With kind regards,

Wim Fournier







Re: [d-security] Re: DSA-134-1

2002-06-27 Thread Tim Haynes
Wichert Akkerman <[EMAIL PROTECTED]> writes:

> Previously Christian Hammers wrote:
>
> > Don't be too hard on him, if he'd pointed out that only default BSD is
> > vulnerable it would not have been too hard to find the exploit before
> > everybody had updated.
> 
> He could have mentioned ssh protocol 1 wasn't vulnerable..

At the very least.

I'm trying not to think how many Debian policies have been bent because of
"oh no! it's ssh!"-factor - porting a protocol-2-enabled *new feature* down
to Stable with the resultant paragraphs on `create a proto-2 keypair' and
`these are untested' in the DSA causes inconvenience to folks running
Stable+Secure boxes, in addition to those of us using Testing but keeping
an eye on DSAs.
And we're all going to have to upgrade again when 3.4 comes out properly as
it is...

Could I suggest that `until we're told what it is, there is no problem' be
considered as an approach? ;/

~Tim
-- 






Re: PermitRootLogin enabled by default

2002-06-27 Thread Tim Haynes
John Galt <[EMAIL PROTECTED]> writes:

> that's what happened--the EPIC hole gave user. monkey.org (Dug Song) was
> using standard security practice at that point, it's just for
> convenience's sake, the user had a few things screened, including a
> rootshell, probably because of the traditional Conventional Wisdom of not
> permitting any remote logins of root. I find this kind of ironic in
> another sense, as Dug Song is the author of a Man in the Middle tool that
> works against older SSHes

Depends.. if you manage to intercept the user's password, you can type it
into sudo just like they do and get the same level of root privilege. In
that case, not leaving screen running would have still been as bad.
No doubt this is why tightening sudo down is a good idea.

~Tim
-- 






[Fwd: Re: OpenSSH 3.4 released... should FIX problems]

2002-06-27 Thread Wim Fournier

> Head over to OpenSSH.com
>
> They have just released version 3.4, which should fix some overflow
> problems and adds lots of new checks against dubious input.
>
> Advisories and updates on the various pages there.
How about the compression support and PAM? Is that already fixed?

Cuz without that it isn't really going to be a decent replacement for the
other versions.



With kind regards,

Wim Fournier







Re: [d-security] Re: DSA-134-1

2002-06-27 Thread Wichert Akkerman
Previously Christian Hammers wrote:
> Don't be too hard on him, if he'd pointed out that only default BSD is
> vulnerable it would not have been too hard to find the exploit before 
> everybody had updated. 

He could have mentioned ssh protocol 1 wasn't vulnerable..

Wichert.

-- 
  _
 /[EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |
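
Added example (not part of the thread, and not OpenSSH or Debian code): a small audit of sshd_config text for the conditions named in Wichert Akkerman's replies above, namely keyboard-interactive authentication, including its use for PAM, on a server that accepts protocol 2. ChallengeResponseAuthentication and PAMAuthenticationViaKbdInt are sshd_config keywords from OpenSSH 3.x; the default values and the sample configuration are assumptions constructed for illustration.

```python
# Added example: which sshd_config settings leave keyboard-interactive
# (challenge-response) authentication reachable over SSH protocol 2.

# Assumed defaults for an OpenSSH 3.x-era sshd; check your package's own.
ASSUMED_DEFAULTS = {
    "protocol": "2,1",
    "challengeresponseauthentication": "yes",
    "pamauthenticationviakbdint": "no",
}

# Constructed sample, not taken from any real host.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (constructed)
Protocol 2
PAMAuthenticationViaKbdInt yes
ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
"""


def effective_settings(config_text):
    """Map lowercased keyword -> value; sshd keeps the first value it reads."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings


def kbdint_exposure(config_text):
    """Return the keywords that enable keyboard-interactive auth, if any."""
    eff = {**ASSUMED_DEFAULTS, **effective_settings(config_text)}
    protocols = {p.strip() for p in eff["protocol"].split(",")}
    if "2" not in protocols:
        return []  # the thread states protocol 1 was not vulnerable
    return [name for name in ("ChallengeResponseAuthentication",
                              "PAMAuthenticationViaKbdInt")
            if eff[name.lower()] == "yes"]


if __name__ == "__main__":
    print(kbdint_exposure(SAMPLE_CONFIG))
```

An empty result means neither keyword is enabled for a protocol 2 listener under the assumed defaults; it says nothing about the installed sshd version.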

