Re: Stack-smashing protection
On Saturday 07 December 2002 2:37, David B Harris wrote:
> On Sat, 7 Dec 2002 01:09:59 +0100 Albert Cervera Areny [EMAIL PROTECTED] wrote:
> > So it isn't really that the whole system runs 8% slower. Sorry for my first explanation... Now I think it is an overhead which is affordable seeing its benefits.
> For your purposes, anyways. As has been said, this will likely never be a Debian-wide thing; I imagine that if anything there will be an option for it.

Well... then I don't think it could be an option, as it would require recompiling almost every package again for each architecture, and then I don't think it'd be possible :-(

That was just an idea...

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
To make a long story short...
I attempted to set up my CD read/write so that I could do backups, and I hosed my Debian server. You know, kernel panic... well, I passed some init options and I got it back up. I still would like to get my CD read/write to work for redundancy. Are there Debian white papers on how to do this for an IDE CD burner?

I apologize in advance, I know this is a security mailing list...

-- 
Daniel J. Rychlik
Re: Updating Snort Signatures In Stable ?
On Sat, Dec 07, 2002 at 01:51:11PM +0100, Javier Fernández-Sanguino Peña wrote:
> > IIRC important new versions of existing packages are allowed into point releases, so maybe Woody's main Snort engine binary packages can be updated when 3.0r1 happens.
> That won't happen, sorry. That's just not the way Debian works, 3.0r1 will have no new code, just important bug (and security) fixes.

Well, a case could be made for the presence of an old, unmaintained, unusable snort being a security bug.

> The problem is that if the snort people change the engine _and_ the rulebase then Debian can never support new rules for old (stable) releases (which could be asked for point releases).

Obviously this is a problem that will face other distributors, as well as Debian. Our policy WRT stable revisions, though, may be unique. Situations such as this do expose weaknesses in our policy, and warrant further thought. I don't believe we should leave our users in the state that they're in with the woody version of snort being the only supported version available.

noah

-- 
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
Pop mail virtual user security [LONG]
Hi all,

Inspired by a recent thread on this list I decided to set up a mailserver with pop3 access over ssl. It's working now, but I'd appreciate some comments on its security. My setup is as follows:

- I'm using stunnel+popa3d for pop3-ssl

    /usr/sbin/stunnel -d pop3s -p /etc/ssl/certs/pop3s.pem -l \
        /usr/sbin/popa3d

  with Exim as my MTA.

- I've recompiled popa3d to support virtual users. It uses one authentication file per user to control
  1) the system user that popa3d will use to fetch mail for the user
  2) the password for the user (like in /etc/shadow)
  I've set it up to run as the user for real users and as 'mail' for virtual users. It fetches mail from the mailboxes configured in exim (see below).

- I've changed the local_delivery transport in /etc/exim/exim.conf to deliver to /home/virtual/popa3d/127.0.0.1/mail/${local_part} for real users and I've added a new transport called local_virtual_delivery for virtual users:

    local_virtual_delivery:
      driver = appendfile
      user = mail
      check_owner = false
      group = mail
      mode = 0660
      mode_fail_narrower = false
      envelope_to_add = true
      return_path_add = true
      file = /home/virtual/popa3d/127.0.0.1/mail/${local_part}

  This new transport is used by the director virtualuser that I've also added as the last director in the file:

    virtualuser:
      driver = aliasfile
      transport = local_virtual_delivery
      file = /etc/virtualusers
      search_type = lsearch

  /etc/virtualusers just contains the names of the virtual users I want to allow.

- The current permissions for the mailboxes /home/virtual/popa3d/127.0.0.1/mail/${local_part} are like:

    -rw-rw----    1 mail     mail            0 Dec  7 17:33 test
    -rw-rw----    1 tve      mail            0 Dec  7 17:30 tve

  where tve is a normal system user and test is a virtual user. These are just examples of course.

What I'd like to know is:

1) What do you think of the permissions for the mail files?
2) How are the password hashes in /etc/shadow generated from the salt+password? I can't use 'passwd' to update popa3d's auth files, so I need to generate them some other way.
3) Any other comments?

Thanks,
Tim

-- 
Tim van Erven [EMAIL PROTECTED]
OpenPGP Key ID: 712CB811
Fingerprint: F6C9 61EE 242C C012 36D5 BBF8 6310 D557 712C B811
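A check for question 1, added here as an example and not code from Tim's post or from popa3d or Exim: it audits a spool directory against the rules the setup above implies (regular file, mode 0660, group mail, owned by the real user it belongs to or by mail for a virtual user listed in /etc/virtualusers) and reports every mailbox that deviates. The directory layout, the user names and the "stale" and "link" entries are constructed for the demo, and the running process stands in for the mail user and group; on a real server those ids come from pwd.getpwnam('mail') and grp.getgrnam('mail').

```python
# Added example, not code from the thread or from popa3d/Exim: audit a mail
# spool like /home/virtual/popa3d/127.0.0.1/mail against the rules the setup
# above implies. Every mailbox should be a regular file (never a symlink) with
# mode 0660 and group 'mail', owned by the real user it belongs to or by
# 'mail' for a virtual user listed in /etc/virtualusers.
import os
import stat
import tempfile


def check_mailbox(name, st, mail_uid, mail_gid, virtual_users, real_uids):
    """Return the list of findings for one mailbox (empty when it looks right).

    name          mailbox file name, i.e. the Exim ${local_part}
    st            result of os.lstat(), so a symlink is seen as such
    mail_uid/gid  numeric ids of the 'mail' user and group
    virtual_users names listed in /etc/virtualusers
    real_uids     mapping real user name -> uid
    """
    findings = []
    if stat.S_ISLNK(st.st_mode):
        # appendfile would write wherever the link points
        return ["is a symlink"]
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    perm = stat.S_IMODE(st.st_mode)
    if perm & stat.S_IRWXO:
        findings.append("world-accessible (mode %o)" % perm)
    if perm & (stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX):
        findings.append("setuid/setgid/sticky bit set")
    if perm != 0o660:
        findings.append("mode %o, expected 660" % perm)
    if st.st_gid != mail_gid:
        findings.append("group is not 'mail'")
    if name in virtual_users:
        if st.st_uid != mail_uid:
            findings.append("virtual mailbox not owned by 'mail'")
    elif name in real_uids:
        if st.st_uid != real_uids[name]:
            findings.append("real user's mailbox not owned by that user")
    else:
        findings.append("no such real or virtual user (stale mailbox?)")
    return findings


def audit_spool(spool_dir, mail_uid, mail_gid, virtual_users, real_uids):
    """Audit every entry in spool_dir; returns {mailbox: [findings]} for bad ones."""
    report = {}
    for name in sorted(os.listdir(spool_dir)):
        st = os.lstat(os.path.join(spool_dir, name))
        found = check_mailbox(name, st, mail_uid, mail_gid, virtual_users, real_uids)
        if found:
            report[name] = found
    return report


def demo():
    """Constructed spool: one correct mailbox, one too open, one stale, one symlink.

    The running process stands in for the 'mail' user/group so this works
    without a real mail account; on a server use pwd.getpwnam('mail').
    """
    me = os.geteuid()
    virtual_users = {"test"}
    real_uids = {"tve": me}   # constructed: pretend 'tve' is the current user
    with tempfile.TemporaryDirectory() as spool:
        for name, mode in (("test", 0o660), ("tve", 0o664), ("stale", 0o660)):
            path = os.path.join(spool, name)
            open(path, "w").close()
            os.chmod(path, mode)
        os.symlink("tve", os.path.join(spool, "link"))
        # new files inherit the directory's group on setgid dirs, so read it back
        mail_gid = os.lstat(os.path.join(spool, "test")).st_gid
        return audit_spool(spool, me, mail_gid, virtual_users, real_uids)


if __name__ == "__main__":
    for box, problems in demo().items():
        print("%s: %s" % (box, "; ".join(problems)))
```

One caveat the check cannot express: since every virtual mailbox is owned by mail and popa3d runs as mail for every virtual user, the isolation between virtual users rests entirely on popa3d's own code, not on the filesystem, so the directories above the mailboxes deserve the same "no world bits" treatment as the files.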
Re: To make a long story short...
On Sat, Dec 07, 2002 at 09:45:30AM -0600, Daniel Rychlik wrote:
> I attempted to set up my CD read/write so that I could do backups, and I hosed my Debian server. You know, kernel panic... well, I passed some init options and I got it back up. I still would like to get my CD read/write to work for redundancy. Are there Debian white papers on how to do this for an IDE CD burner?

The CD-Writing-HOWTO?

Mathias

> I apologize in advance, I know this is a security mailing list...
> -- 
> Daniel J. Rychlik
Re: pop mail recommendations
Ted Cabeen [EMAIL PROTECTED] writes:
> If we disregarded software that has had problems in the past, sendmail would be dead and buried by now.

s/would/should

I haven't looked at the code of either sendmail or qpopper myself, but all people I trust to be competent on the issue say that sendmail (or bind, to name another example) has a bloated, crappy codebase that is impossible to manage with regard to security.

Security problems don't just happen, they depend on the way you program. If a piece of software has had security issues in the past due to the code being bloated, unstructured, and messy, chances are it will have problems in the future. If a program is well-written, nicely structured, lean, and concentrates on the specific task it is supposed to accomplish (sendmail.conf is said to be a Turing-complete programming language ;) you have a much better chance of security.

Ciao,
Jens
Re: Pop mail virtual user security [LONG]
On 12/07/02 12:54, Tim van Erven wrote:
> [much stuff I didn't read]
> /etc/virtualusers just contains the names of the virtual users I want to allow.
> - The current permissions for the mailboxes /home/virtual/popa3d/127.0.0.1/mail/${local_part} are like:
>     -rw-rw----    1 mail     mail            0 Dec  7 17:33 test
>     -rw-rw----    1 tve      mail            0 Dec  7 17:30 tve

I did something similar using solid-pop3d and virtual hosts. I created a master account, akin to root, but not, that owns everything, and each vhost has its own list of users as a standard Exim alias. I.e.:

    domain:   fooboy.com
    username: fooboy
    aliases:  /etc/mail/fooboy.com
    spool:    /var/mail/fooboy.com/*

Each file in /var/mail is owned by 'fooboy.mail' and then each 'administrator' for fooboy.com can log in as fooboy and maintain their own email aliases, forwarders, responders, mailing lists, etc.

> 2) How are the password hashes in /etc/shadow generated from the salt+password? I can't use 'passwd' to update popa3d's auth files, so I need to generate them some other way.

Solid-pop3d (CVS only for VHosting) comes with spadm for this, but if you're using standard /etc/shadow type crypt() entries, use htpasswd.

Chris
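For question 2, a worked example of how a crypt(3)-style shadow entry is derived from salt and password, added here and not code from the thread, from htpasswd or from popa3d. It implements the "$1$salt$hash" scheme (MD5-crypt, the format glibc and Debian's passwd write when MD5 passwords are enabled) in pure Python so it runs without Python's deprecated crypt module; the sample user name and the shadow-line field defaults are constructed for the demo. Two caveats on the advice above: htpasswd's MD5 mode writes Apache's own "$apr1$" variant rather than "$1$" (its -d option does produce classic DES crypt() entries), and MD5-crypt's fixed 1000 rounds are weak by today's standards, so for anything new the "$6$" or yescrypt schemes are the ones to generate.

```python
# Added example, not code from the thread, htpasswd or popa3d: build and verify
# "$1$salt$hash" (MD5-crypt) entries of the kind found in /etc/shadow, so a
# popa3d-style auth file can be written without going through passwd(1).
import hashlib
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def generate_salt(length=8):
    """Random salt from crypt's 64-character alphabet (8 is the $1$ maximum)."""
    return bytes(secrets.choice(ITOA64) for _ in range(length))


def _to64(value, n):
    """crypt's base-64 flavour: n characters, 6 bits each, low bits first."""
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password, salt):
    """MD5-crypt as in crypt(3). password and salt are bytes; salt <= 8 chars.

    The salt may be given bare or as a full "$1$salt$..." string.
    """
    if salt.startswith(MAGIC):
        salt = salt[len(MAGIC):]
    salt = salt[:8].split(b"$")[0]   # stops at '$' or 8 chars, like crypt(3)
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    pl = len(password)
    while pl > 0:                     # as many bytes of alt as the password is long
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    i = len(password)                 # one byte per bit of the length: NUL for 1,
    while i:                          # first password byte for 0
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):             # the scheme's fixed work factor
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    encoded = bytearray()             # digest bytes are interleaved before encoding
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return MAGIC + salt + b"$" + bytes(encoded)


def verify(password, stored):
    """Check a candidate password against a stored $1$ entry, in constant time."""
    if not stored.startswith(MAGIC):
        raise ValueError("not a $1$ (MD5-crypt) entry")
    salt = stored[len(MAGIC):].split(b"$")[0]
    return secrets.compare_digest(md5_crypt(password, salt), stored)


def shadow_entry(user, password, last_change_days=0):
    """A shadow-style line user:hash:lastchg:min:max:warn::: with a fresh salt.

    The ageing fields (0:99999:7) are the usual Debian defaults, constructed here.
    """
    h = md5_crypt(password, generate_salt()).decode()
    return "%s:%s:%d:0:99999:7:::" % (user, h, last_change_days)


if __name__ == "__main__":
    line = shadow_entry("test", b"s3cret")   # 'test' is the constructed virtual user
    print(line)
    print(verify(b"s3cret", line.split(":")[1].encode()))
```

To cross-check against the system's crypt(3), the OpenSSL manual's example `openssl passwd -1 -salt xxxxxxxx password` prints `$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.`, which `md5_crypt(b"password", b"xxxxxxxx")` reproduces. Each entry gets its own random salt from generate_salt(), so two users with the same password never share a hash, and verify() re-derives the hash from the stored salt rather than comparing passwords.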
Re: Pop mail virtual user security [LONG]
On Sat, Dec 07, 2002 at 04:39:54PM -0500, Christopher W. Curtis [EMAIL PROTECTED] wrote:
> On 12/07/02 12:54, Tim van Erven wrote:
> > 2) How are the password hashes in /etc/shadow generated from the salt+password? I can't use 'passwd' to update popa3d's auth files, so I need to generate them some other way.
> Solid-pop3d (CVS only for VHosting) comes with spadm for this, but if you're using standard /etc/shadow type crypt() entries, use htpasswd.

I can't find spadm in the solid-pop3d source. Are you sure it's there?

I'm currently considering using chpwdfile[1]. Unfortunately it isn't packaged for Debian and it's the author's first C program.

1. http://eclipse.che.uct.ac.za/chpwdfile/

-- 
Tim van Erven [EMAIL PROTECTED]
OpenPGP Key ID: 712CB811
Fingerprint: F6C9 61EE 242C C012 36D5 BBF8 6310 D557 712C B811
Re: Possible security violation in the suck-package?
Javier Fernández-Sanguino Peña wrote:
> Please file an appropriate bug against the package (the maintainer need not read this list) and contact the security team ([EMAIL PROTECTED]) so they can evaluate this and prepare a fix.

I informed the security team by mail just a few seconds ago and I will generate a bug report for suck now. Thanks for your help.

Regards,
Marcus

-- 
Fickle minds, pretentious attitudes and ugly   | PGP-Key: [DH/DSS] 4096-bit
make-up on ugly faces... The Gothgoose         | Key-ID: 0xE10F502E
Of The Week: http://www.gothgoose.net          | Encrypted mails welcome!
Re: Possible security violation in the suck-package?
Martin Helas wrote:
> I would agree giving anyone else the possibility of reading the passwords of your upstream newsserver won't be a good idea :) That should definitely be fixed.

Thanks for your answer. As Javi suggested I have informed the Debian security team. A bug report for suck will be generated in some minutes... :-)

Regards,
Marcus

-- 
Fickle minds, pretentious attitudes and ugly   | PGP-Key: [DH/DSS] 4096-bit
make-up on ugly faces... The Gothgoose         | Key-ID: 0xE10F502E
Of The Week: http://www.gothgoose.net          | Encrypted mails welcome!
Re: Possible security violation in the suck-package?
Marcus Frings wrote:
> I informed the security team by mail just a few seconds ago and I will generate a bug report for suck now. Thanks for your help.

I noticed that this bug has already been reported by Martin Helas: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=172126

Regards,
Marcus

-- 
Fickle minds, pretentious attitudes and ugly   | PGP-Key: [DH/DSS] 4096-bit
make-up on ugly faces... The Gothgoose         | Key-ID: 0xE10F502E
Of The Week: http://www.gothgoose.net          | Encrypted mails welcome!
Re: Possible security violation in the suck-package?
* Marcus Frings [EMAIL PROTECTED] [021208 01:32]:
> Martin Helas wrote:
> > I would agree giving anyone else the possibility of reading the passwords of your upstream newsserver won't be a good idea :) That should definitely be fixed.
> Thanks for your answer. As Javi suggested I have informed the Debian security team. A bug report for suck will be generated in some minutes... :-)

I have already reported a bug and filed a patch against this bug. Look at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=172126

greetings
Martin

-- 
Martin Helas [EMAIL PROTECTED]
PGP: 1474 4CAC EF5C ECFA E29E 2CB1 7929 AB90 F7AC 3AF0
Re: Possible security violation in the suck-package?
Martin Helas wrote:
> I have already reported a bug and filed a patch against this bug. Look at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=172126

Yes, I saw your report a few minutes ago when I searched for already known bug reports for the suck package. :-)

Regards,
Marcus

-- 
Fickle minds, pretentious attitudes and ugly   | PGP-Key: [DH/DSS] 4096-bit
make-up on ugly faces... The Gothgoose         | Key-ID: 0xE10F502E
Of The Week: http://www.gothgoose.net          | Encrypted mails welcome!
exploit for (Debian's?) pfinger (fwd)
oops, wrong address.

-- Forwarded message --
Date: Wed, 4 Dec 2002 08:06:00 -0600 (CST)
From: Drew Scott Daniels [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: exploit for (Debian's?) pfinger

I found an exploit on Packetstorm described as "Pfinger v0.7.8 and below local root exploit. Tested on Red Hat 7.2 - 8.0, Debian 3.0, Slackware 8.0, FreeBSD-4.6 and OpenBSD-3.1." I cannot find pfinger in Debian. The exploit executes finger and not a program called pfinger, so it's not the Pascal finger program. Does this exploit affect Debian? Is/was there a bug report for this?

Drew Daniels
Re: Updating Snort Signatures In Stable ?
On Sat, Dec 07, 2002 at 02:46:01AM +, Nick Boyce wrote:
> I'd suggest maybe a note about V1.8.4 being useless should be added to http://packages.debian.org/stable/net/snort.html, along with some advice about getting signature updates (i.e. roll your own).

Why not file a bug?

> IIRC important new versions of existing packages are allowed into point releases, so maybe Woody's main Snort engine binary packages can be updated when 3.0r1 happens.

That won't happen, sorry. That's just not the way Debian works, 3.0r1 will have no new code, just important bug (and security) fixes.

> And I still think it'd be nice if we could find a way to package up and push out stable signature updates - but I can see why that would be difficult to set policy for.

The problem is that if the snort people change the engine _and_ the rulebase then Debian can never support new rules for old (stable) releases (which could be asked for point releases).

Regards

Javi
Re: Possible security violation in the suck-package?
On Sat, Dec 07, 2002 at 12:52:02AM +0100, Marcus Frings wrote:
> Any comments concerning this are very welcome.

Please file an appropriate bug against the package (the maintainer need not read this list) and contact the security team ([EMAIL PROTECTED]) so they can evaluate this and prepare a fix.

Regards

Javi