Re: The same debian - different packages

2003-09-24 Thread przemolicc
On Wed, Sep 24, 2003 at 10:08:36PM +0700, Jean Christophe ANDR? wrote:
> Could you please show us a apt-cache policy ssh on both servers?
> 
> Here is mine:
> 
>   # apt-cache policy ssh
>   ssh:
>     Installed: 1:3.4p1-1.woody.3
>     Candidate: 1:3.4p1-1.woody.3
>     Version Table:
>    *** 1:3.4p1-1.woody.3 0
>           500 http://security.debian.org woody/updates/main Packages
>           100 /var/lib/dpkg/status
>        1:3.4p1-1 0
>           500 http://ftp.us.debian.org woody/main Packages

Here you are:
serverA:~# apt-cache policy ssh
ssh:
  Installed: 1:3.4p1-1.woody.3
  Candidate: 1:3.4p1-1.woody.3
  Version Table:
 *** 1:3.4p1-1.woody.3 0
        500 http://security.debian.org woody/updates/main Packages
        100 /var/lib/dpkg/status
     1:3.4p1-1 0
        500 http://http.us.debian.org woody/main Packages

serverB:~# apt-cache policy ssh
ssh:
  Installed: 1:3.4p1-2
  Candidate: 1:3.4p1-2
  Version Table:
 *** 1:3.4p1-2 0
        100 /var/lib/dpkg/status
     1:3.4p1-1.woody.3 0
        500 http://security.debian.org woody/updates/main Packages
     1:3.4p1-1 0
        500 http://http.us.debian.org woody/main Packages

We can see the differences. But how do I change it?

przemol


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Watch out! vsftpd anonymous access always enabled!

2003-09-24 Thread Dariush Pietrzak
On Mon, Sep 22, 2003 at 10:18:20PM +0200, Bernd Eckenfels wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> > Why do you think there's anything wrong with ftp?
> 
> FTP is a firewall nightmare,
 You think? Firewalls are a nightmare, and the only result of preferring
http-only protocols is what you'll see in the near future: 
 Every single new protocol is http and works via port 80/443.
How's that for a firewall nightmare? 
 Now you've got www traffic, file transfer, instant messaging, REMOTE
PROCEDURE CALLS (soap/xml-rpc for example), all going through your precious
firewall. 
 
> it is insecure (plaintext),
 since when? It's only plaintext if you want it. 
 You can choose/negotiate 'authentication, confidentiality and message
 integrity'.
  You can even change security levels at runtime - encrypt only authentication
 ( cool for transferring non-sensitive bulk data like movies/already
 encrypted backups ), encrypt selected files, etc etc.. Check:
  RFC 959 (FTP)
  RFC 2246 (TLS)
  RFC 1579 (Firewall-friendly data exchange)
  RFC 2228 (FTP security extensions)
  ( ftp://ftp.rfc-editor.org/in-notes/rfc2228.txt )
That RFC is from 1997...
Of course there are servers that will let you in only if you present them
with correct client certificate, and force you to use encryption. 
 Nice thing is that I'm in control, when I need to transfer something big off
the 486, I could choose to encrypt only authentication if the data is not
sensitive. 

>the more advanced
> features are not standardized.
 Nooo? Which 'advanced features'?
Although you've got a point - there are way too many standards and advanced
features in FTP. There are some ~two-decade-old RFCs that describe how FTP
is supposed to enable starting jobs on mainframes. 
 And this 'advanced feature' is disabled on most FTP servers I've seen.

Which other transfer method is better standardized? SFTP?
Which SFTP? SFTP from RFC 913 from 1984?


> Even parsing the directory output is terror to
> the programmer.
 I found the ftp protocol trivial to implement as a programmer. Show me a transfer
method that is easier to implement.

greetings,
-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9
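The "encrypt only the authentication" and "encrypt selected files" modes Dariush describes come from RFC 2228's AUTH, PBSZ and PROT commands (the TLS profile is RFC 4217). The model below is an added example, not code from the thread: both sides are simulated in-process, so the command sequence and the security state can be inspected without a server, including the client-side rule that matters most in practice, refusing to send USER/PASS when AUTH TLS is declined. Reply codes follow the RFCs; the reply texts are representative wording chosen for this example.

```python
"""Added example: a model of the RFC 2228 security commands (AUTH, PBSZ, PROT)
as used with TLS (RFC 4217).  No socket is opened; the server side is a toy
state machine so the exchange can be studied offline."""


class SecureFtpSession:
    """Security state of one FTP control connection, with a simulated server."""

    def __init__(self, server_supports_tls=True):
        self.server_supports_tls = server_supports_tls
        self.control_tls = False   # True once AUTH TLS has succeeded
        self.pbsz_done = False     # RFC 2228: PBSZ must precede PROT
        self.data_prot = "C"       # RFC 2228 level: C = clear, P = private
        self.logged_in = False
        self.transcript = []       # (side, line) pairs, for inspection

    def send(self, command):
        """Client sends one command; returns the (simulated) server reply."""
        reply = self._server(command)
        shown = "PASS ********" if command.startswith("PASS ") else command
        self.transcript += [("C", shown), ("S", reply)]
        return reply

    def _server(self, command):
        verb, _, arg = command.partition(" ")
        if verb == "AUTH":
            if arg == "TLS" and self.server_supports_tls:
                self.control_tls = True          # the TLS handshake would happen here
                return "234 AUTH TLS successful"
            return "502 AUTH not supported"
        if verb == "PBSZ":
            if not self.control_tls:
                return "503 Use AUTH first"
            self.pbsz_done = True
            return "200 PBSZ=0"
        if verb == "PROT":
            if not self.pbsz_done:
                return "503 PBSZ required before PROT"
            if arg not in ("C", "P"):
                return "536 Requested PROT level not supported"
            self.data_prot = arg                 # takes effect for later data connections
            return f"200 Protection level set to {arg}"
        if verb == "USER":
            return "331 Password required"
        if verb == "PASS":
            self.logged_in = True
            return "230 Login successful"
        if verb in ("RETR", "STOR"):
            mode = "TLS" if self.data_prot == "P" else "clear"
            return f"150 Opening {mode} data connection for {arg}"
        return "500 Unknown command"

    def transfer(self, command):
        """Issue RETR/STOR; return (reply, data_channel_encrypted)."""
        return self.send(command), self.data_prot == "P"


def secure_login(session, user, password, data_prot="P"):
    """Client policy: credentials only over a protected control channel.
    data_prot='C' gives the 'encrypt only the authentication' mode."""
    if not session.send("AUTH TLS").startswith("234"):
        raise RuntimeError("server refused AUTH TLS; not sending the password in clear")
    session.send("PBSZ 0")                 # RFC 4217: PBSZ is always 0 with TLS
    session.send(f"PROT {data_prot}")
    session.send(f"USER {user}")
    return session.send(f"PASS {password}")


if __name__ == "__main__":
    s = SecureFtpSession()
    secure_login(s, "backup", "s3cret", data_prot="C")   # constructed credentials
    s.transfer("RETR movie.avi")            # bulk, non-sensitive: clear data channel
    s.send("PROT P")                        # raise the level at runtime ...
    s.transfer("RETR payroll.tgz")          # ... for one sensitive file
    s.send("PROT C")
    for side, line in s.transcript:
        print(f"{side}> {line}")
```

Python's ftplib.FTP_TLS walks the same sequence against a real server: auth() issues AUTH TLS, prot_p() issues PBSZ 0 and PROT P, prot_c() issues PROT C, and they can be called between transfers to change the level mid-session. Whatever client is used, the check to keep is the one in secure_login: a client that silently continues with plaintext USER/PASS after a failed AUTH is exactly the plaintext FTP the quoted remark complains about.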





Re: services installed and running "out of the box"

2003-09-24 Thread Guido Lorenzutti



On Thu, 2003-09-25 at 03:19, Stefano Salvi wrote:
> At 22.16 24/09/03 -0400, Noah L. Meyerhans wrote:
> >How 'bout this idea: We can create a user-definable policy as to whether
> >or not newly installed packages that provide init scripts actually have
> >these init scripts run during their postinst.  So, we have a file in
> >/etc/defaults or something that is sourced by postinst.  If a variable
> >(START_ON_INSTALL, or something) is set, then the service will be run if
> >this is a new install.  If it's an upgrade, then the service will be
> >restarted as usual.  If START_ON_INSTALL is not set, however, the
> >postinst will continue with its tasks but exit without actually starting
> >the service.  In the default installation, START_ON_INSTALL would be
> >unset, and services wouldn't get started.
> I think this is not wise:
> - Why must I have services installed that I cannot use (are not started by 
> default)?
> - Why must I have services installed that I don't need?
> - If I have a security choice as you suggest, there is a great probability that I 
> set high security and then am not able to have services running (how about 
> selecting which services I want to be run by default?)
> 
> I think the best choice is to leave in the default installation (where I 
> select nothing in Tasksel and don't run dselect) the very minimum services 
> needed, leaving to the user (tasksel is made for this) the choice to add 
> the requested services.
> 
> A nice suggestion to package maintainers is to add in the postscript a 
> question on running the service by default (as an example, I seldom use the 
> netatalk service to share files with a Mac - normally I disable it as it 
> slows down the startup a lot and I start it by hand when needed; on every 
> upgrade it gets started by default again)
> 
> Ciao
>  Stefano Salvi
> 

What about the article on ibm developers group? The one that talks about
parallel loading of services that don't have dependencies? I read it and
I buy it :) I haven't tried it yet, but I'm going to... and I like the idea
of such...
On the other side, and keeping with the conversation, I like the
approach of the default install of Debian.





Re: services installed and running "out of the box"

2003-09-24 Thread Stefano Salvi
At 22.16 24/09/03 -0400, Noah L. Meyerhans wrote:
How 'bout this idea: We can create a user-definable policy as to whether
or not newly installed packages that provide init scripts actually have
these init scripts run during their postinst.  So, we have a file in
/etc/defaults or something that is sourced by postinst.  If a variable
(START_ON_INSTALL, or something) is set, then the service will be run if
this is a new install.  If it's an upgrade, then the service will be
restarted as usual.  If START_ON_INSTALL is not set, however, the
postinst will continue with its tasks but exit without actually starting
the service.  In the default installation, START_ON_INSTALL would be
unset, and services wouldn't get started.
I think this is not wise:
- Why must I have services installed that I cannot use (are not started by 
default)?
- Why must I have services installed that I don't need?
- If I have a security choice as you suggest, there is a great probability that I 
set high security and then am not able to have services running (how about 
selecting which services I want to be run by default?)

I think the best choice is to leave in the default installation (where I 
select nothing in Tasksel and don't run dselect) the very minimum services 
needed, leaving to the user (tasksel is made for this) the choice to add 
the requested services.

A nice suggestion to package maintainers is to add in the postscript a 
question on running the service by default (as an example, I seldom use the 
netatalk service to share files with a Mac - normally I disable it as it 
slows down the startup a lot and I start it by hand when needed; on every 
upgrade it gets started by default again)

Ciao
Stefano Salvi


Re: services installed and running "out of the box"

2003-09-24 Thread Adam Lydick
I haven't done more than look at the screen shots for it, but the
"personal firewall" (eg: iptables frontend) that comes with RH9 looks to
be default deny for most incoming traffic while providing a nice (read:
graphical and straightforward) way to punch essential holes through it
as needed. (and only as needed)

Don't get me wrong, I like powerful CLI interfaces to my firewall as
much as the next fellow, but it is fairly easy to make a mistake that
can leave you vulnerable. For the common cases, I think it makes a lot
of sense to provide a dead simple way to configure it.

I recall seeing a firewall.sh script in init.d, but it was plastered
with warnings not to actually use it, so I didn't ;) Anyone know if more
work has been done in this area? 

On Wed, 2003-09-24 at 18:01, Michael Stone wrote:
> On Wed, Sep 24, 2003 at 08:16:41PM -0400, Noah L. Meyerhans wrote:
> >Basically, I think that "security levels" don't gain you anything over
> >"don't install the package".  
> 
> Until installing a package has the side effect of installing a network
> service. Having a default-deny-incoming firewall or some such would go a
> long way toward preventing accidental vulnerability exposure.
> 
> Mike Stone
> 





Re: services installed and running "out of the box"

2003-09-24 Thread Adam Lydick
I like that idea, and it sounds fairly simple - packages just check
/etc/secure_level (or something similar) and do the "right thing". The
tricky part is convincing every package maintainer to adopt it ;)

There are some "hardening" packages available, but I haven't had a
chance to play with them yet. (and I didn't want them breaking my setup
while I didn't have time to fix things)

On Wed, 2003-09-24 at 16:12, Steve Wray wrote:
> For what its worth, and without wanting a distro-religious war about it,
> Mandrake has a variety of security levels, which can be locally configured,
> and which can allow exactly this sort of behavior;
> 
> At high security levels, any new services that get installed (from RPMs)
> are only allowed from localhost or even, IIRC, services may not even
> be started by default, neither post-install nor on reboot: you have to
> set them up manually.
> 
> Might be worth a look to see how they did it to see if it can be easily
> implemented on debian?
> 
> 
> On Thu, 25 Sep 2003 10:04, Florian Weimer wrote:
> > On Wed, Sep 24, 2003 at 01:42:01PM -0700, Adam Lydick wrote:
> > > Is there any effort to reduce the number of services running on a
> > > default debian install? For example: a typical workstation user doesn't
> > > really need to have inetd enabled, nor portmap (unless they are running
> > > fam or nfs -- which isn't enabled by default)
> >
> > I think it's more important that services only bind to localhost after
> > installation (in the default configuration).
> 





Re: Verisign has hijacked www.xmms.org

2003-09-24 Thread Noah L. Meyerhans
On Tue, Sep 23, 2003 at 02:08:29AM +0200, Michelle Konzack wrote:
> I was surfing the Website  for new skins and 
> at one click...
> 
> ...xmms was hijacked !!!
> 
> No access on xmms possible. Can anyone confirm this please...
> Please Cc: me.

Nope.  Worked just fine for me.  I disabled proxy use and blew away my
mozilla cache to be sure, and also tried it in w3m.  No problems at all.

noah





Re: services installed and running "out of the box"

2003-09-24 Thread Adam Lydick
Agreed. The X maintainers (as one example) started doing that a while
back. I run exim and a few other services like this (manually
configured, sadly). 

On Wed, 2003-09-24 at 15:04, Florian Weimer wrote:
> On Wed, Sep 24, 2003 at 01:42:01PM -0700, Adam Lydick wrote:
> 
> > Is there any effort to reduce the number of services running on a
> > default debian install? For example: a typical workstation user doesn't
> > really need to have inetd enabled, nor portmap (unless they are running
> > fam or nfs -- which isn't enabled by default)
> 
> I think it's more important that services only bind to localhost after
> installation (in the default configuration).





Verisign has hijacked www.xmms.org

2003-09-24 Thread Michelle Konzack
Hello All, 

I was surfing the Website  for new skins and 
at one click...

...xmms was hijacked !!!

No access on xmms possible. Can anyone confirm this please...
Please Cc: me.

Three other .org Domains (my own) are hijacked this afternoon too.

Thanks
Michelle

-- 
Registered Linux-User #280138 with the Linux Counter, http://counter.li.org.



RE: services installed and running "out of the box"

2003-09-24 Thread Jones, Steven
There is a debian security manual I believe. I agree with you, leaving
services running by default in this day and age is really a no no.

regards

Steven

-Original Message-
From: Adam Lydick [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 24 September 2003 11:42 PM
To: debian-security@lists.debian.org
Subject: services installed and running "out of the box"


Is there any effort to reduce the number of services running on a
default debian install? For example: a typical workstation user doesn't
really need to have inetd enabled, nor portmap (unless they are running
fam or nfs -- which isn't enabled by default)

Is this something that needs to be taken up with individual package
maintainers? Or is there a single point of contact that helps choose
which packages are present in the base install?

Is this already documented somewhere that I should have already read? :)
If so, isn't it better to have to RTFM to turn something on as you need
it, rather than to need to remember to turn something off that you
aren't using?

Thanks,

Adam Lydick





Re: services installed and running "out of the box"

2003-09-24 Thread Noah L. Meyerhans
On Wed, Sep 24, 2003 at 09:52:07PM -0400, Michael Stone wrote:
> Except, what is "default"? If you install a workstation task should you
> assume that you'll get open ports? (As the task packages pull in
> dependencies, etc.) I think it makes more sense to provide a safety net
> than to try to predict which packages the user is going to install "by
> default" and fix only those packages.

By "default" I was thinking the set of packages that you get if you
don't select any.  That is, if you don't select anything in tasksel
during installation (but you *do* run tasksel, per the default) and you
do not run dselect (again, per the default).

Granted, I'm basing that definition on woody's installer.  Sarge may end
up presenting things differently.  Unfortunately, none of my attempts at
trying out the new installer met with any success.

You're right, though.  Network services may be installed by things like
tasksel without the user actually explicitly asking for them.  A safety
net of some sort would be nice.  I don't know that I like the firewall
approach, though.  I'd be happy if the service simply didn't start by
default.  A port with nothing listening on it is basically just as
secure as a port with a firewall in front of it.

How 'bout this idea: We can create a user-definable policy as to whether
or not newly installed packages that provide init scripts actually have
these init scripts run during their postinst.  So, we have a file in
/etc/defaults or something that is sourced by postinst.  If a variable
(START_ON_INSTALL, or something) is set, then the service will be run if
this is a new install.  If it's an upgrade, then the service will be
restarted as usual.  If START_ON_INSTALL is not set, however, the
postinst will continue with its tasks but exit without actually starting
the service.  In the default installation, START_ON_INSTALL would be
unset, and services wouldn't get started.

It would require changing a whole mess of postinst scripts to implement,
but really shouldn't be hard to do.  I suppose it would be wise to limit
this functionality to daemons that provide network services.  Things
like cron or at or whatever should probably be started after
installation, as they don't open a network port and don't require much
if any configuration to be useful.

noah



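Debian's invoke-rc.d provides a hook close to the START_ON_INSTALL proposal: before running an init-script action on behalf of a maintainer script it executes /usr/sbin/policy-rc.d if present, and exit status 101 makes it skip the action. The script below is an added example of such a policy, not Debian's own code; the config file path, the START_ON_INSTALL and NETWORK_SERVICES keys and the default service list are assumptions made for it.

```python
#!/usr/bin/env python3
"""Added example, not Debian's code: a /usr/sbin/policy-rc.d implementing the
START_ON_INSTALL idea.  invoke-rc.d(8) runs it as
    policy-rc.d <initscript-id> <action> [<runlevel>]
and honours the exit status: 0 allows the action, 101 forbids it."""
import shlex
import sys

CONFIG_PATH = "/etc/default/start-on-install"   # assumed location, not a Debian file
ALLOW, FORBID = 0, 101                          # policy-rc.d exit statuses

# Only daemons that open network ports are gated; cron, at and the like always
# start, as the proposal suggests.  Assumed default list, overridable in the config.
DEFAULT_NETWORK_SERVICES = {"apache", "squid", "exim", "inetd", "portmap", "ssh"}


def parse_config(text):
    """Parse KEY=value lines (shell-style quoting, # comments) into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = " ".join(shlex.split(value))
    return conf


def decide(initscript, action, config_text=""):
    """Return ALLOW or FORBID for one invoke-rc.d request."""
    conf = parse_config(config_text)
    start_on_install = conf.get("START_ON_INSTALL", "no").lower() in ("yes", "true", "1")
    gated = set(conf.get("NETWORK_SERVICES", "").split()) or DEFAULT_NETWORK_SERVICES
    if action != "start":
        return ALLOW      # stop/restart/reload must keep working for upgrades and shutdown
    if initscript not in gated:
        return ALLOW      # not a network daemon: start as usual
    return ALLOW if start_on_install else FORBID


def main(argv):
    if len(argv) < 3:
        sys.stderr.write("usage: policy-rc.d <initscript-id> <action> [<runlevel>]\n")
        return FORBID     # fail closed on a malformed request
    try:
        with open(CONFIG_PATH) as fh:
            config_text = fh.read()
    except OSError:
        config_text = ""  # no config: defaults apply, i.e. network daemons stay down
    return decide(argv[1], argv[2], config_text)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

When the policy says 101, invoke-rc.d reports that the action was denied and the postinst carries on, which is the behaviour the proposal asks for. The limitation is that invoke-rc.d passes only the init-script id and the action, so the script cannot tell a fresh install from an upgrade: a package whose prerm stops the daemon and whose postinst then calls start on upgrade is blocked as well, while one that calls restart is not. Starting by hand with /etc/init.d/<service> start bypasses invoke-rc.d and the policy.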


Re: services installed and running "out of the box"

2003-09-24 Thread Michael Stone

On Wed, Sep 24, 2003 at 09:39:32PM -0400, Noah L. Meyerhans wrote:

Well, remember that the scope of this discussion is the default Debian
installation.


Except, what is "default"? If you install a workstation task should you
assume that you'll get open ports? (As the task packages pull in
dependencies, etc.) I think it makes more sense to provide a safety net
than to try to predict which packages the user is going to install "by
default" and fix only those packages.

Mike Stone



Re: services installed and running "out of the box"

2003-09-24 Thread Noah L. Meyerhans
On Wed, Sep 24, 2003 at 09:01:26PM -0400, Michael Stone wrote:
> Until installing a package has the side effect of installing a network
> service. Having a default-deny-incoming firewall or some such would go a
> long way toward preventing accidental vulnerability exposure.

Well, remember that the scope of this discussion is the default Debian
installation.  I agree that there may be issues elsewhere, and that
services (particularly complex ones like Squid, Apache, DBMS packages,
etc) need to be configured before they can be usefully and securely run.

I think that the default installation, which will be seen by all users,
really should see an improvement.  I'll put some effort into getting it
done, but I'm not entirely clear on the process.  Should the matter be
brought up on -policy?

noah










Re: MS BS

2003-09-24 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
> I am looking for a same solution. However, I am getting 40 to 70 of such
> mails within 2 hours. There should be a possibility with > exim-4.1, but
> nothing for exim-3.X

I am using clamscan with exiscan on exim-3 and it works well, besides the
fact that it suppresses all bounces, of course, so as not to annoy the innocent.

It is not an smtp-level reject solution; I will do that with exim-scl after
the upgrade, which I am just not ready for yet.

I first tried to use exim's system-filter to match on subjects but this
turned out to be too complicated. And since I have not found a way to pipe a
mail to a filter and decide on its return code whether the mail should be
forwarded, I am using the exiscan solution (which is basically configuring
two queues).

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/



Re: OpenSSH in Woody

2003-09-24 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
> and what's about ssh/potato ?
> I don't see any thing about a new upgrade foir ssh in potato ?

Potato is no longer supported by the debian security team, as you can read in
the faq. It is unfortunate, I still have some systems running.. well.. thank
god no accessible ssh daemon.

I did not manage to build the woody packages on my boxes yet, missing some
dependencies, and I did not yet find a good apt-get archive which still works.
Is archive.debian.org supposed to be apt-getable for source and binaries?

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/



Re: services installed and running "out of the box"

2003-09-24 Thread Steve Wray
On Thu, 25 Sep 2003 12:16, Noah L. Meyerhans wrote:
> On Thu, Sep 25, 2003 at 11:12:28AM +1200, Steve Wray wrote:
> > For what its worth, and without wanting a distro-religious war about it,
> > Mandrake has a variety of security levels, which can be locally
> > configured, and which can allow exactly this sort of behavior;
>
> Honestly, I think we can get away with something vastly less complex:

I wasn't suggesting that debian should take the Mandrake methodology onboard 
in a wholesale fashion... I think my boss would take issue with that!
;)

> Just don't install network services by default.  I don't see any need
> for "security levels" or anything like that.  Really, just about any
> network service is going to require some amount of configuration before
> it can be used.

And yet most distros and package management systems seem to do
so by default...




Re: services installed and running "out of the box"

2003-09-24 Thread Michael Stone

On Wed, Sep 24, 2003 at 08:16:41PM -0400, Noah L. Meyerhans wrote:

Basically, I think that "security levels" don't gain you anything over
"don't install the package".  


Until installing a package has the side effect of installing a network
service. Having a default-deny-incoming firewall or some such would go a
long way toward preventing accidental vulnerability exposure.

Mike Stone



Re: MS BS

2003-09-24 Thread Michael Stone

On Mon, Sep 22, 2003 at 10:14:43PM +0100, Thomas Horsten wrote:

guess they are out there. Anyway, if you are truly security conscious you
should consider switching to qmail in any case.


Not. Postfix is just as good, but without an obnoxious license.

Mike Stone



Re: FTP in general (Re: Watch out! vsftpd anonymous access always enabled!)

2003-09-24 Thread Michael Stone

On Wed, Sep 24, 2003 at 04:37:30PM -0700, Rick Moen wrote:

I should have defined my terms:  When I said ftp transfers are more
reliable than are ftp ones (in my experience), I meant that, once


Thank you for clearing that up.

Mike Stone








Re: services installed and running "out of the box"

2003-09-24 Thread Noah L. Meyerhans
On Thu, Sep 25, 2003 at 11:12:28AM +1200, Steve Wray wrote:
> For what its worth, and without wanting a distro-religious war about it,
> Mandrake has a variety of security levels, which can be locally configured,
> and which can allow exactly this sort of behavior;

Honestly, I think we can get away with something vastly less complex:
Just don't install network services by default.  I don't see any need
for "security levels" or anything like that.  Really, just about any
network service is going to require some amount of configuration before
it can be used.

Basically, I think that "security levels" don't gain you anything over
"don't install the package".  And since, as I said, just about any
network service is going to need configuration attention in order to be
useful, the additional small step of "apt-get install " is not a
lot to ask.

noah

 








Re: FTP in general (Re: Watch out! vsftpd anonymous access always enabled!)

2003-09-24 Thread Rick Moen
Quoting Bernd Eckenfels ([EMAIL PROTECTED]):

> Actually HTTP is much more reliable than FTP.

I should have defined my terms:  When I said ftp transfers are more
reliable than are ftp ones (in my experience), I meant that, once
started, they are much less prone to dying.  That is observed fact.

> It features message digest, restart, SSL. It allows parallel fetching of
> blocks. It handles encodings and charset more transparently.

Cavil:  Restart and SSL can and do occur in both.  However, more
important to the matter at hand, none of these observations is the least
bit relevant to what I was referring to.

-- 
Cheers,Linux:  It is now safe to turn on your computer.
Rick Moen
[EMAIL PROTECTED]



Re: MS BS

2003-09-24 Thread Thomas Horsten
On Mon, 22 Sep 2003, Ted Roby wrote:

> My secalert account for these lists is being drenched with 40 to 70 of
> these fake Microsoft Update emails per day.
> My filters on my client dump them to a Junk folder, but I would prefer
> it if my Exim filter would do the job at the server level instead. I am
> running Nigel Metheringham's system_filter.exim.
>
> The single part MIME filter doesn't seem to catch it though. What are
> others on this list using or doing to blatantly block this stuff? There
> is no valid .exe I could receive, ever.

I got my mailbox and others on my server filled with these, over the
weekend it was as high as 20MB/day in one mailbox with these worms. I'm
surprised the press coverage hasn't been higher, since this must be the
most spreading MS-worm to date. But I guess people are getting fed up with
reading about these..

Since HD space is an issue on my server I needed to block these at the
SMTP level, to that end I found a qmail patch from Russell Nelson that
works wonders. It does block any executable base64, which may be a bit
over the top, but people will just have to learn to zip such files if they
want to send them through my server.

The patch for qmail can be found here:
http://www.qmail.org/qmail-smtpd-viruscan-1.1.patch

"This patch changes qmail-smtpd so that it parses incoming emails.  It
looks at the first line of MIME attachments to see if they're Windows
executables which are base64-encoded.  This catches nearly all current
Microsoft viruses."

I don't know the status of any similar patches for other MTA's, but I
guess they are out there. Anyway, if you are truly security conscious you
should consider switching to qmail in any case.

Regards,

Thomas
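The check the quoted patch description makes, decoding only the first line of each base64 attachment and looking for the MZ header of a Windows executable, is small enough to show in full. The script below is an added example written for this page, not the qmail patch and not an exim/exiscan configuration: it uses Python's email module on messages constructed here, and it also shows the limit Thomas mentions, a zipped executable passes untouched.

```python
"""Added example: detect base64-encoded Windows executables in mail by decoding
only the first base64 line of each attachment, as the quoted patch description
says qmail-smtpd-viruscan does.  Messages and payloads are constructed here."""
import base64
import email
from email import policy
from email.message import EmailMessage


def first_line_is_windows_executable(part):
    """True if a base64-encoded body part decodes to bytes starting with 'MZ'."""
    cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
    if cte != "base64":
        return False
    encoded = part.get_payload(decode=False) or ""   # still base64 text at this point
    for line in encoded.splitlines():
        line = line.strip()
        if line:
            try:
                padded = line + "=" * (-len(line) % 4)  # tolerate a short first line
                return base64.b64decode(padded, validate=True).startswith(b"MZ")
            except ValueError:                          # not base64 after all
                return False
    return False


def scan(raw_message):
    """Return the filenames of attachments that look like base64-encoded executables."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [part.get_filename() or "<unnamed>"
            for part in msg.walk()
            if not part.is_multipart() and first_line_is_windows_executable(part)]


def build_message(attachment, filename):
    """Construct a test message with one binary attachment (encoded as base64)."""
    msg = EmailMessage()
    msg["From"] = "update@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "Latest Security Update"    # constructed, in the style of the worm mails
    msg.set_content("Install the attached update.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Constructed payloads: a DOS/PE-style header and a ZIP local-file header.
FAKE_EXE = b"MZ\x90\x00" + bytes(56) + b"\x80\x00\x00\x00" + bytes(64) + b"PE\x00\x00" + bytes(200)
FAKE_ZIP = b"PK\x03\x04" + bytes(260)

if __name__ == "__main__":
    for name, payload in (("update.exe", FAKE_EXE), ("readme.txt", FAKE_EXE), ("update.zip", FAKE_ZIP)):
        print(f"{name}: {'REJECT' if scan(build_message(payload, name)) else 'accept'}")
```

The content check catches an executable renamed to .txt, which an extension filter misses, but it only looks at the first line of each part, so the same executable inside a zip is accepted. A scanner such as clamscan behind exiscan, as Bernd describes, decodes whole attachments and archives at the cost of not rejecting at SMTP time with exim-3.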



Re: MS BS

2003-09-24 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
> I am looking for a same solution. However, I am getting 40 to 70 of such
> mails within 2 hours. There should be a possibility with > exim-4.1, but
> nothing for exim-3.X

I am using clamscan with exiscan on exim-3 and it works well, besides the
fact that it suppressed all bounces, of course, so as not to annoy the innocent.

It is not an SMTP-level reject solution; I will do that with exim-scl after
the upgrade, which I am just not ready for yet.

I first tried to use exim's system filter to match on subjects but this
turned out to be too complicated. And since I have not found a way to pipe a
mail to a filter and decide on its return code whether the mail should be
forwarded, I am using the exiscan solution (which is basically configuring
two queues).

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: OpenSSH in Woody

2003-09-24 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
> and what's about ssh/potato ?
> I don't see any thing about a new upgrade foir ssh in potato ?

Potato is no longer supported by the debian security team, as you can read in
the faq. It is unfortunate, I still have some systems running.. well.. thank
god, no accessible ssh daemon.

I did not manage to build the woody packages on my boxes yet, missing some
dependencies, and I did not yet find a good apt-get archive which still works.
Is archive.debian.org supposed to be apt-getable for source and binaries?

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: services installed and running "out of the box"

2003-09-24 Thread Steve Wray
For what its worth, and without wanting a distro-religious war about it,
Mandrake has a variety of security levels, which can be locally configured,
and which can allow exactly this sort of behavior;

At high security levels, any new services that get installed (from RPMs)
are only allowed from localhost or even, IIRC, services may not even
be started by default, neither post-install nor on reboot: you have to
set them up manually.

Might be worth a look to see how they did it to see if it can be easily
implemented on debian?


On Thu, 25 Sep 2003 10:04, Florian Weimer wrote:
> On Wed, Sep 24, 2003 at 01:42:01PM -0700, Adam Lydick wrote:
> > Is there any effort to reduce the number of services running on a
> > default debian install? For example: a typical workstation user doesn't
> > really need to have inetd enabled, nor portmap (unless they are running
> > fam or nfs -- which isn't enabled by default)
>
> I think it's more important that services only bind to localhost after
> installation (in the default configuration).



Re: services installed and running "out of the box"

2003-09-24 Thread Steve Wray
On Thu, 25 Sep 2003 12:16, Noah L. Meyerhans wrote:
> On Thu, Sep 25, 2003 at 11:12:28AM +1200, Steve Wray wrote:
> > For what its worth, and without wanting a distro-religious war about it,
> > Mandrake has a variety of security levels, which can be locally
> > configured, and which can allow exactly this sort of behavior;
>
> Honestly, I think we can get away with something vastly less complex:

I wasn't suggesting that debian should take the Mandrake methodology onboard 
in a wholesale fashion... I think my boss would take issue with that!
;)

> Just don't install network services by default.  I don't see any need
> for "security levels" or anything like that.  Really, just about any
> network service is going to require some amount of configuration before
> it can be used.

And yet most distros and package management systems seem to do
so by default...



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: services installed and running "out of the box"

2003-09-24 Thread Michael Stone
On Wed, Sep 24, 2003 at 08:16:41PM -0400, Noah L. Meyerhans wrote:
> Basically, I think that "security levels" don't gain you anything over
> "don't install the package".
Until installing a package has the side effect of installing a network
service. Having a default-deny-incoming firewall or some such would go a
long way toward preventing accidental vulnerability exposure.
Mike Stone

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]


Re: MS BS

2003-09-24 Thread Michael Stone
On Mon, Sep 22, 2003 at 10:14:43PM +0100, Thomas Horsten wrote:
> guess they are out there. Anyway, if you are truly security conscious you
> should consider switching to qmail in any case.
Not. Postfix is just as good, but without an obnoxious license.

Mike Stone

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]


Re: FTP in general (Re: Watch out! vsftpd anonymous access always enabled!)

2003-09-24 Thread Michael Stone
On Wed, Sep 24, 2003 at 04:37:30PM -0700, Rick Moen wrote:
> I should have defined my terms:  When I said ftp transfers are more
> reliable than are ftp ones (in my experience), I meant that, once
Thank you for clearing that up.

Mike Stone

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]


Re: Watch out! vsftpd anonymous access always enabled!

2003-09-24 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
> Why do you think there's anything wrong with ftp?

FTP is a firewall nightmare, it is insecure (plaintext), the more advanced
features are not standardized. Even parsing the directory output is terror to
the programmer.

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/



Re: FTP in general (Re: Watch out! vsftpd anonymous access always enabled!)

2003-09-24 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
> I _do_ love lftp, and will have to mention it in the referenced document.
> (Thanks.)  It certainly is fast and easy (as is wget), but "reliable" is
> somewhat precluded by the http protocol itself.  (Admittedly, this is
> being picky, and "wget -c" fixes many ills.)

Actually HTTP is much more reliable than FTP. It features message digest,
restart, SSL. It allows parallel fetching of blocks. It handles encodings and
charset more transparently.

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/



Re: services installed and running "out of the box"

2003-09-24 Thread Noah L. Meyerhans
On Thu, Sep 25, 2003 at 11:12:28AM +1200, Steve Wray wrote:
> For what its worth, and without wanting a distro-religious war about it,
> Mandrake has a variety of security levels, which can be locally configured,
> and which can allow exactly this sort of behavior;

Honestly, I think we can get away with something vastly less complex:
Just don't install network services by default.  I don't see any need
for "security levels" or anything like that.  Really, just about any
network service is going to require some amount of configuration before
it can be used.

Basically, I think that "security levels" don't gain you anything over
"don't install the package".  And since, as I said, just about any
network service is going to need configuration attention in order to be
useful, the additional small step of "apt-get install " is not a
lot to ask.

noah

 




Re: FTP in general (Re: Watch out! vsftpd anonymous access always enabled!)

2003-09-24 Thread Rick Moen
Quoting Bernd Eckenfels ([EMAIL PROTECTED]):

> Actually HTTP is much more reliable than FTP.

I should have defined my terms:  When I said ftp transfers are more
reliable than are ftp ones (in my experience), I meant that, once
started, they are much less prone to dying.  That is observed fact.

> It features mesage digest, restart, SSL. IT allows paralle fetching of
> blocks. It handles encodings and charset more transparently.

Cavil:  Restart and SSL can and do occur in both.  However, more
important to the matter at hand, none of these observations is the least
bit relevant to what I was referring to.

-- 
Cheers,Linux:  It is now safe to turn on your computer.
Rick Moen
[EMAIL PROTECTED]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: services installed and running "out of the box"

2003-09-24 Thread Florian Weimer
On Wed, Sep 24, 2003 at 01:42:01PM -0700, Adam Lydick wrote:

> Is there any effort to reduce the number of services running on a
> default debian install? For example: a typical workstation user doesn't
> really need to have inetd enabled, nor portmap (unless they are running
> fam or nfs -- which isn't enabled by default)

I think it's more important that services only bind to localhost after
installation (in the default configuration).
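
One way to see, on a running box, which services are bound beyond localhost in the sense Florian means, as an added example (Python, not Debian's own tooling): read the kernel's /proc/net/tcp and /proc/net/tcp6 tables and list every socket in LISTEN state whose local address is not a loopback address. The portmap, inetd and MTA defaults discussed elsewhere in the thread would show up in exactly this list. The function names and both sample tables are the example's own; the tables are constructed, with only the columns the check reads filled in meaningfully.

```python
"""List sockets in LISTEN state that are bound to something other than a
loopback address, read from the /proc/net/tcp and /proc/net/tcp6 tables.
Added example for this thread, not Debian's own tooling; the two tables
below are constructed."""
import ipaddress
import socket
import struct

LISTEN = "0A"    # value of the st column for TCP_LISTEN


def decode_addr(hexaddr):
    """Kernel hex address (little-endian 32-bit words) to dotted/colon text."""
    words = [int(hexaddr[i:i + 8], 16) for i in range(0, len(hexaddr), 8)]
    packed = struct.pack("<%dI" % len(words), *words)
    family = socket.AF_INET if len(words) == 1 else socket.AF_INET6
    return socket.inet_ntop(family, packed)


def listening_sockets(table_text):
    """(address, port) for every LISTEN row of a /proc/net/tcp{,6} table."""
    found = []
    for line in table_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        hexaddr, hexport = fields[1].split(":")
        found.append((decode_addr(hexaddr), int(hexport, 16)))
    return found


def exposed(table_text):
    """Listening sockets reachable from the network, i.e. not loopback-only."""
    return [(addr, port) for addr, port in listening_sockets(table_text)
            if not ipaddress.ip_address(addr).is_loopback]


# Constructed tables: portmap (111) and sshd (22) on all interfaces, an MTA on
# 127.0.0.1:25, one established connection, and a web server on ::1 only.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0016 0100007F:C8B2 01 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10005 1 0000000000000000 100 0 0 10 0
"""


def audit_host():
    """Run the check against the live kernel tables (Linux only)."""
    result = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                result.extend(exposed(fh.read()))
        except OSError:       # not Linux, or /proc not mounted
            pass
    return result


if __name__ == "__main__":
    print("sample:", exposed(SAMPLE_TCP) + exposed(SAMPLE_TCP6))
    print("this host:", audit_host())
```

A socket on 0.0.0.0 or :: answers on every interface, so it is listed as exposed even though it is not bound to a specific external address. /proc/net/udp and /proc/net/udp6 use the same column layout (UDP has no LISTEN state, so there the test is "any row" rather than st == 0A).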



Re: services installed and running "out of the box"

2003-09-24 Thread Dale Amon
On Wed, Sep 24, 2003 at 03:59:28PM -0400, Noah L. Meyerhans wrote:
> For starters, I think portmap, rpc.statd, and inetd should not run by
> default.  Not running a mail server (or perhaps only running one on the
> loopback interface) would be nice, too.

It can be damnably difficult to dump the web server... I've ended
up downloading dhttpd and then removing links or changing the
init.d/dhttpd file name.

Why on earth must every server have a web server? It's silly.



Re: Newest OpenSSH advisory

2003-09-24 Thread Matt Zimmerman
On Wed, Sep 24, 2003 at 12:12:54PM +0300, Riku Anttila wrote:

> According to http://www.openssh.com/txt/sshpam.adv there are multiple 
> vulnerabilities in the "new PAM code of Portable OpenSSH".
> 
> It sounds as if it's limited to versions 3.7p1 and3.7.1p1, but I thought 
> I'd ask if anyone knows for a fact that the older version in Woody does 
> not have this code.

The old version in woody does not have this code.

-- 
 - mdz



Re: services installed and running "out of the box"

2003-09-24 Thread Noah L. Meyerhans
On Wed, Sep 24, 2003 at 01:59:16PM -0500, Ryan Underwood wrote:
> > Is there any effort to reduce the number of services running on a
> > default debian install? For example: a typical workstation user doesn't
> > really need to have inetd enabled, nor portmap (unless they are running
> > fam or nfs -- which isn't enabled by default)
> 
> What about a package like the harden-* package, but one that conflicts
> with packages that are pointless for a client/desktop system?

Unless such a package is part of the standard installation, it's really
of no use.  The original poster specifically mentioned the "default
debian install".

Personally, I think we really do need to reduce the number of open ports
by default.  Even Redhat has learned to do this, and Microsoft is
quickly learning (the hard way, of course).  It's quickly becoming best
practice for operating system vendors.

For starters, I think portmap, rpc.statd, and inetd should not run by
default.  Not running a mail server (or perhaps only running one on the
loopback interface) would be nice, too.

Users that need these services know it.  Users that don't shouldn't be
bothered by them, whether that be to turn them off or to get compromised
due to some newly discovered vulnerability.

noah





Re: The same debian - different packages

2003-09-24 Thread Angus D Madden
Yogesh Sharma, Wed, Sep 24, 2003 at 09:14:52AM -0700: 
> As far as my understanding goes, ssh was patched recently for security 
> fixes, so it should be coming from security.debian.org not us.debian.org.
> Now security.debian.org is not at all mirrored for security reason than 
> how he has 2 different versions of ssh ?
> 1 Does he has proper /etc/apt/sources.list which includes ssh also
> 2 what are the dependencies for for versions of ssh
> 

Good point about the fixes coming from security.debian.org.  

The sources.list and preferences were the same on both machines, ie there
was no pinning.

I no longer have the wrong version of ssh installed, so I cannot check on
dependencies.

g







Re: The same debian - different packages

2003-09-24 Thread Jan Niehusmann
On Wed, Sep 24, 2003 at 01:04:20PM +, [EMAIL PROTECTED] wrote:
> ii  ssh3.4p1-2Secure rlogin/rsh/rcp replacement 
> (OpenSSH)

This version of ssh is neither directly from woody (which still has
3.4p1-1) nor from security.debian.org (which has 1:3.4p1-1.woody.3, and
probably never had 3.4p1-2 because that would be a bigger version number
than the current one). 

So I assume you got this package from somewhere else (early testing,
proposed-updates or some 3rd party archive?)

What's the output of apt-cache policy ssh on that system? What's the
latest entry in ssh's debian changelog?

Jan





Re: services installed and running "out of the box"

2003-09-24 Thread Ryan Underwood

Hi,

On Wed, Sep 24, 2003 at 01:42:01PM -0700, Adam Lydick wrote:
> Is there any effort to reduce the number of services running on a
> default debian install? For example: a typical workstation user doesn't
> really need to have inetd enabled, nor portmap (unless they are running
> fam or nfs -- which isn't enabled by default)

What about a package like the harden-* package, but one that conflicts
with packages that are pointless for a client/desktop system?

-- 
Ryan Underwood, , icq=10317253



Re: MS BS + Sorting out the virii

2003-09-24 Thread Tomasz Papszun
[ I'm resending it because yesterday's try didn't appear on the list.
Thomas Ritter has already replied to the copy which I sent directly to
him. ]

On Wed, 24 Sep 2003 at  1:54:42 +0200, Thomas Ritter wrote:
> 
> Just a note: Open Antivirus programs like clamav are not perfect, because the 
> open virus database [1] is still too small... but for _sorting_ mail, clamav 
> (it's in sid) is really good. It gives you
[...]
> [1] http://www.openantivirus.org/

Sorry but I must say that this is an incorrect claim.

Only in the very beginning did ClamAV use just openantivirus.org's
database.  openantivirus.org hasn't been updated for months now.

Currently ClamAV's own database is quite big and is updated even a
couple of times a day if needed. It's quite good at new viruses caught
"in the wild", e.g. we had the signature for Gibe.F (alias Swen) at the
same day that the virus appeared.

Older viruses are gradually added to the database.

Everyone is encouraged to submit samples of viruses unknown to ClamAV
( http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi ).

It's a GPLed project and each of us can benefit from it, so developing it
(among others by submitting samples of new viruses) is a "Good Thing".

ClamAV is supported in Debian and it's very well integrated with
amavisd-new (which, in turn, can be used also with spamassassin).

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.



Re: The same debian - different packages

2003-09-24 Thread Yogesh Sharma
As far as my understanding goes, ssh was patched recently for security 
fixes, so it should be coming from security.debian.org, not us.debian.org.
Now security.debian.org is not mirrored at all for security reasons, so 
how does he have 2 different versions of ssh?

1 Does he have a proper /etc/apt/sources.list which includes ssh also
2 What are the dependencies for the versions of ssh

Angus D Madden wrote:

> [EMAIL PROTECTED], Wed, Sep 24, 2003 at 01:04:20PM +: 
> > 
> > Why the two servers, upgraded from the same server have different ssh
> > packages ? The same is with some other packages, e.g.: xfree86-common
> > 
>
> I noticed the exact same behavior on one of my machines.  After a number
> of updates apt was able to see the new version of ssh and install it.
>
> Possible explanations:
>
> 1.  One of the servers in the round robin dns for http.us.debian.org is
> not being updated, and has a different version of ssh in its archive.
>
> 2.  Someone has placed a transparent proxy upstream from your machine and
> is caching (or poisoning) the debian archive.
>
> No other explanations come to mind at this point.
>
> g



Re: The same debian - different packages

2003-09-24 Thread Manfred Schmitt
[EMAIL PROTECTED] wrote:

> On Wed, Sep 24, 2003 at 02:46:44PM +0200, J.H.M. Dassen (Ray) wrote:
> > 
> > And /etc/apt/preferences? Sounds like they're using different pinning
> > settings.
> 
> serverA:~# cat /etc/apt/preferences
> cat: /etc/apt/preferences: No such file or directory
> 
> The same on server B.
> 
Maybe it's pinned in /etc/apt/apt.conf on one of the servers?

Und wech,
Manne



Re: MS BS + Sorting out the virii

2003-09-24 Thread Michel Messerschmidt
On Wed, Sep 24, 2003 at 01:54:42AM +0200, Thomas Ritter wrote:
> And... a mail with a positive virus recognition can be deleted without having 
> to fear it's a false positive, against which a mail found to be Spam by 
> Spamassassin may be a real mail. 

This is not true. 
There's always the possibility of a "false negative" (an innocent file
reported as infected), if the virus definition is poorly chosen. 
Although this occurs rarely, it is not impossible.
For example there are products out there that "detect" a virus only by 
a single line in an email.

Michel

-- 
Michel Messerschmidt   [EMAIL PROTECTED]
antiVirusTestCenter, Computer Science, University of Hamburg



Re: MS BS + Sorting out the virii

2003-09-24 Thread Michel Messerschmidt
On Wed, Sep 24, 2003 at 03:23:35PM +0200, Thomas Ritter wrote:
> Yes, I don't know the name, but there's a reference standard virus list. 

I think you're talking about the Wildlist (www.wildlist.org). That's
not a reference list, but simply a list of viruses reported as
"currently active" by at least two independent reporters.
There is no such thing as a standard list for viruses or virus names.

Michel

-- 
Michel Messerschmidt   [EMAIL PROTECTED]
antiVirusTestCenter, Computer Science, University of Hamburg



Re: The same debian - different packages

2003-09-24 Thread Angus D Madden
[EMAIL PROTECTED], Wed, Sep 24, 2003 at 01:04:20PM +: 
> 
> Why the two servers, upgraded from the same server have different ssh
> packages ? The same is with some other packages, e.g.: xfree86-common
> 

I noticed the exact same behavior on one of my machines.  After a number
of updates apt was able to see the new version of ssh and install it.

Possible explanations:

1.  One of the servers in the round robin dns for http.us.debian.org is
not being updated, and has a different version of ssh in its archive.

2.  Someone has placed a transparent proxy upstream from your machine and
is caching (or poisoning) the debian archive.

No other explanations come to mind at this point.

g





Re: The same debian - different packages

2003-09-24 Thread Manfred Schmitt
[EMAIL PROTECTED] wrote:

> On Wed, Sep 24, 2003 at 02:46:44PM +0200, J.H.M. Dassen (Ray) wrote:
> > 
> > And /etc/apt/preferences? Sounds like they're using different pinning
> > settings.
> 
> serverA:~# cat /etc/apt/preferences
> cat: /etc/apt/preferences: No such file or directory
> 
> The same on server B.
> 
Maybe it's pinned in /etc/apt/apt.conf on one of the servers?

And off,
Manne
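The thread so far has looked at sources.list, /etc/apt/preferences and apt.conf. Pinning changes which candidate apt picks, but it cannot make the installed version disappear from every configured archive, which is what the apt-cache policy output for server B shows (the installed version is known only to /var/lib/dpkg/status). The check below is an added example, not code from this thread or from Debian: a POSIX sh script that parses apt-cache policy output and flags an installed version that no configured archive serves. The sample outputs are constructed in apt-cache's format; the function names and the audit helper are my own.

```shell
#!/bin/sh
# Added example (not from the thread): flag packages whose installed version
# is offered by no configured archive. It parses the format of
# "apt-cache policy <pkg>": the version table marks the installed version
# with "***", and each version is followed by indented "<priority> <source>"
# lines, where /var/lib/dpkg/status is the local record of what is installed
# rather than an archive.

# Constructed sample, shaped like "apt-cache policy ssh" on a host whose
# installed version exists only in the local dpkg status.
SAMPLE_STATUS_ONLY='ssh:
  Installed: 1:3.4p1-2
  Candidate: 1:3.4p1-2
  Version Table:
 *** 1:3.4p1-2 0
        100 /var/lib/dpkg/status
     1:3.4p1-1.woody.3 0
        500 http://security.debian.org woody/updates/main Packages
     1:3.4p1-1 0
        500 http://http.us.debian.org woody/main Packages'

# Constructed sample where the installed version is the one the security
# archive offers.
SAMPLE_FROM_ARCHIVE='ssh:
  Installed: 1:3.4p1-1.woody.3
  Candidate: 1:3.4p1-1.woody.3
  Version Table:
 *** 1:3.4p1-1.woody.3 0
        500 http://security.debian.org woody/updates/main Packages
        100 /var/lib/dpkg/status
     1:3.4p1-1 0
        500 http://http.us.debian.org woody/main Packages'

# installed_sources POLICY_TEXT
# Prints "URL suite" for every archive that offers the installed version;
# prints nothing when only /var/lib/dpkg/status knows that version.
installed_sources() {
    printf '%s\n' "$1" | awk '
        $1 == "***" { in_installed = 1; next }
        # a version line is "<version> <pin>" and has no leading priority
        NF == 2 && $2 ~ /^[0-9]+$/ && $1 !~ /^[0-9]+$/ { in_installed = 0; next }
        in_installed && $1 ~ /^[0-9]+$/ && $2 != "/var/lib/dpkg/status" { print $2, $3 }
    '
}

# installed_version POLICY_TEXT: the version named on the "Installed:" line.
installed_version() {
    printf '%s\n' "$1" | awk '$1 == "Installed:" { print $2; exit }'
}

# check_policy POLICY_TEXT
# Returns 0 and names the archive(s) when an archive serves the installed
# version; returns 1 when none does, which is the case worth explaining
# (stale mirror, locally built package, archive dropped from sources.list,
# or a proxy handing out something else).
check_policy() {
    pkg=$(printf '%s\n' "$1" | sed -n '1s/:$//p')
    ver=$(installed_version "$1")
    src=$(installed_sources "$1")
    if [ -n "$src" ]; then
        printf '%s %s: served by %s\n' "$pkg" "$ver" "$(printf '%s' "$src" | tr '\n' ';')"
        return 0
    fi
    printf '%s %s: NOT in any configured archive (only /var/lib/dpkg/status)\n' "$pkg" "$ver"
    return 1
}

# audit_all_packages: run the check over every installed package on a live
# Debian host (needs dpkg-query and apt-cache; not used on the samples).
audit_all_packages() {
    dpkg-query -W -f='${Package}\n' | while read -r p; do
        check_policy "$(apt-cache policy "$p")" >/dev/null || echo "$p"
    done
}

# Stand-alone run on the constructed samples:
check_policy "$SAMPLE_FROM_ARCHIVE"
check_policy "$SAMPLE_STATUS_ONLY" || true
```

A package reported as status-only is not proof of tampering; a locally rebuilt package or a removed repository produces the same result. On a host that is meant to track only the official archives, though, such a package is the one to compare byte-for-byte against the mirror, and running audit_all_packages on both servers gives a short list to compare instead of a manual diff of dpkg -l.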





Re: The same debian - different packages

2003-09-24 Thread przemolicc
On Wed, Sep 24, 2003 at 02:46:44PM +0200, J.H.M. Dassen (Ray) wrote:
> On Wed, Sep 24, 2003 at 13:04:20 +, [EMAIL PROTECTED] wrote:
> > I have a strange result on two of our debian servers - both are woody. The
> > first one (A) has kernel 2.4.19, the other one (B) - 2.4.22. The A server
> > is almost daily checked against new packages, the B server was upgraded
> > yesterday. Both have the same sources.list.
> 
> And /etc/apt/preferences? Sounds like they're using different pinning
> settings.

serverA:~# cat /etc/apt/preferences
cat: /etc/apt/preferences: No such file or directory

The same on server B.

przemol



Re: MS BS + Sorting out the virii

2003-09-24 Thread Thomas Ritter
On Wednesday, 24 September 2003 02:34, Tomasz Papszun wrote:
> Sorry but I must say that this is an incorrect claim.

okay, not exclusively

> Currently ClamAV's own database is quite big and is updated even a
> couple of times a day if needed. It's quite good at new viruses caught
> "in the wild", e.g. we had the signature for Gibe.F (alias Swen) at the
> same day that the virus appeared.
>
> Older viruses are gradually added to the database.

Yes, I don't know the name, but there's a reference standard virus list. Heise 
ran some tests and found it as "not usable" because of not enough virii.

... But I am sure it will soon grow big enough. 

Greetings,
-- 
Thomas Ritter

"Those who would give up essential liberty, to purchase a little temporary 
safety, deserve neither liberty nor safety."  - Benjamin Franklin



Re: MS BS + Sorting out the virii

2003-09-24 Thread Michel Messerschmidt
On Wed, Sep 24, 2003 at 01:54:42AM +0200, Thomas Ritter wrote:
> And... a mail with a positive virus recognition can be deleted without having 
> to fear it's a false positive, against which a mail found to be Spam by 
> Spamassassin may be a real mail. 

This is not true. 
There's always the possibility of a "false negative" (an innocent file
reported as infected), if the virus definition is poorly chosen. 
Although this occurs rarely, it is not impossible.
For example there are products out there that "detect" a virus only by 
a single line in an email.

Michel

-- 
Michel Messerschmidt   [EMAIL PROTECTED]
antiVirusTestCenter, Computer Science, University of Hamburg





Re: MS BS + Sorting out the virii

2003-09-24 Thread Michel Messerschmidt
On Wed, Sep 24, 2003 at 03:23:35PM +0200, Thomas Ritter wrote:
> Yes, I don't know the name, but there's a reference standard virus list. 

I think you're talking about the Wildlist (www.wildlist.org). That's
not a reference list, but simply a list of viruses reported as
"currently active" by at least two independent reporters.
There is no such thing as a standard list for viruses or virus names.

Michel

-- 
Michel Messerschmidt   [EMAIL PROTECTED]
antiVirusTestCenter, Computer Science, University of Hamburg





Re: The same debian - different packages

2003-09-24 Thread J.H.M. Dassen (Ray)
On Wed, Sep 24, 2003 at 13:04:20 +, [EMAIL PROTECTED] wrote:
> I have a strange result on two of our debian servers - both are woody. The
> first one (A) has kernel 2.4.19, the other one (B) - 2.4.22. The A server
> is almost daily checked against new packages, the B server was upgraded
> yesterday. Both have the same sources.list.

And /etc/apt/preferences? Sounds like they're using different pinning
settings.

HTH,
Ray
-- 
To this day we are still wondering what exactly it is, besides prices, that
Microsoft has innovated.
Seen on segfault.org



Re: ProFTPD ASCII File Remote Compromise Vulnerability

2003-09-24 Thread Sven Hoexter
On Tue, Sep 23, 2003 at 04:26:14PM -0400, Matt Zimmerman wrote:
> On Tue, Sep 23, 2003 at 02:45:24PM -0500, Bender, Jeff wrote:

Hi,

> > Looking for the Debian Woody patch.  Anyone know if it is available or if
> > this version is exploitable?
> 
> According to the maintainer, the version in woody is not affected by this
> bug.
Quoting TJ Saunders from
http://sourceforge.net/mailarchive/forum.php?thread_id=3173947&forum_id=2637

byg>BTW, How about version prior 1.2.7?
 
They are believed to not have this bug.  I would recommend upgrading to
one of the patched releases, just to be certain.
 
TJ
=
Hmmm, that's why I hate advisories without PoC code or detailed descriptions.

diffing the source code might help ...

Sven
-- 
http://www.comboguano.de
http://sven.linux-ist-pleite.de
I'm root, if you see me laughing you better have a backup!




Re: Newest OpenSSH advisory

2003-09-24 Thread Ramon Kagan
My understanding and look at the changelog is that there has been a
significant amount of work in the pam components of openssh from version
3.6.x to 3.7.x.  It is this new code that has the vulnerability.

Ramon Kagan
York University, Computing and Network Services
Unix Team -  Senior Unix Systems Administrator
(416)736-2100 #20263
[EMAIL PROTECTED]

---
"I have not failed.  I have just found 10,000 ways that don't work."
- Thomas Edison

"I don't know the secret to success, but the secret to failure is
trying to please everybody."
- Bill Cosby
---

On Wed, 24 Sep 2003, Riku Anttila wrote:

> According to http://www.openssh.com/txt/sshpam.adv there are multiple
> vulnerabilities in the "new PAM code of Portable OpenSSH".
>
> It sounds as if it's limited to versions 3.7p1 and 3.7.1p1, but I thought
> I'd ask if anyone knows for a fact that the older version in Woody does
> not have this code.
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>



services installed and running "out of the box"

2003-09-24 Thread Adam Lydick
Is there any effort to reduce the number of services running on a
default debian install? For example: a typical workstation user doesn't
really need to have inetd enabled, nor portmap (unless they are running
fam or nfs -- which isn't enabled by default)

Is this something that needs to be taken up with individual package
maintainers? Or is there a single point of contact that helps choose
which packages are present in the base install?

Is this already documented somewhere that I should have already read? :)
If so, isn't it better to have to RTFM to turn something on as you need
it, rather than to need to remember to turn something off that you
aren't using?

Thanks,

Adam Lydick
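Whatever the answer about the base install, the practical step on an existing workstation is to list what is actually listening and compare it against what the machine is supposed to offer. The script below is an added example, not code from this thread or from Debian: it parses the output format of "ss -tulnH" (iproute2, assumed available on a current host; in 2003 the same data came from netstat), reports every listener that is not on an allowlist, and marks whether it is bound to loopback only or exposed on a real interface. The sample output is constructed; the function names and the allowlist are my own.

```shell
#!/bin/sh
# Added example (not from the thread): report listening sockets that are not
# on an allowlist, parsed from "ss -tulnH" output (no header, numeric ports).

# Constructed sample in "ss -tulnH" format: the columns are
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port.
SAMPLE_SS='tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*'

# unexpected_listeners SS_TEXT ALLOWLIST
# ALLOWLIST is a space-separated list of proto/port entries ("tcp/22 udp/323").
# Prints "proto port address scope" for every socket not on the list, where
# scope is "loopback" for 127.x / [::1] bindings and "exposed" otherwise.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 5 {
            addr = $5; port = $5
            sub(/.*:/, "", port)          # text after the last colon is the port
            sub(/:[^:]*$/, "", addr)      # everything before it is the address
            scope = (addr ~ /^(127\.|\[::1\]|localhost)/) ? "loopback" : "exposed"
            key = $1 "/" port
            if (!(key in ok)) print $1, port, addr, scope
        }
    '
}

# audit_live ALLOWLIST: the same check on the running host.
audit_live() {
    unexpected_listeners "$(ss -tulnH)" "$1"
}

# Stand-alone run on the constructed sample: a workstation that is expected
# to offer ssh and run a local time daemon, nothing else.
unexpected_listeners "$SAMPLE_SS" "tcp/22 udp/323"
```

The port 111 lines on both protocols are what an unwanted portmap looks like in this output; the loopback-only 631 is lower risk but still worth a question, since a service bound to 127.0.0.1 today is one config change away from being exposed. Keeping the allowlist under version control per machine role turns the one-off question into a check that can run after every upgrade.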






The same debian - different packages

2003-09-24 Thread przemolicc
I have a strange result on two of our debian servers - both are woody.
The first one (A) has kernel 2.4.19, the other one (B) - 2.4.22.
The A server is almost daily checked against new packages, the B
server was upgraded yesterday. Both have the same sources.list.

But server A:

serverA:~# dpkg -l ssh
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version         Description
+++-==============-===============-==========================================
ii  ssh            3.4p1-1.woody.3 Secure rlogin/rsh/rcp replacement (OpenSSH)

While server B:

serverB:~# dpkg -l ssh
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version         Description
+++-==============-===============-==========================================
ii  ssh            3.4p1-2         Secure rlogin/rsh/rcp replacement (OpenSSH)

Why do the two servers, upgraded from the same server, have different ssh
packages? The same happens with some other packages, e.g.: xfree86-common

przemol











Newest OpenSSH advisory

2003-09-24 Thread Riku Anttila
According to http://www.openssh.com/txt/sshpam.adv there are multiple 
vulnerabilities in the "new PAM code of Portable OpenSSH".


It sounds as if it's limited to versions 3.7p1 and 3.7.1p1, but I thought 
I'd ask if anyone knows for a fact that the older version in Woody does 
not have this code.






Re: ProFTPD ASCII File Remote Compromise Vulnerability

2003-09-24 Thread Dariush Pietrzak
On Tue, Sep 23, 2003 at 04:13:02PM -0500, Jeff Bender wrote:
> Thanks.  Do you happen to have a link where this might be posted?
 Well.. The advisory talks about a version higher than the one in woody.
-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9