Re: CAN-2003-0020?

On Sun, Apr 18, 2004 at 08:47:16PM +0200, Jan Lühr wrote:
> On Sunday, 18 April 2004 18:56, Matt Zimmerman wrote:
> > On Sat, Apr 17, 2004 at 10:16:11PM +0200, Jan Lühr wrote:
> > > what about
> > > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020 ? Is
> > > debian finally going to fix it?
> >
> > Current consensus between the security team and the Apache maintainers is
> > that it is not necessary to fix this in woody.
>
> Ehm... why ? ;)

The same issue applies to any file which contains data supplied by an
untrusted source. This is a fundamental Unix feature (or flaw). Terminal
control sequences may be contained in the data.

> What about sarge or sid?

If this were important to you, I expect you would have read the changelog
already, and discovered that it has been fixed in sarge and sid for over a
month.

--
 - mdz

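An added example, not part of the original thread and not written by any of its posters: a way to inspect a file of untrusted data for terminal control sequences without letting the terminal interpret them, in the manner of `cat -v`. The function names and the three log lines are constructed for illustration.

```python
import re

# ECMA-48 sequences a terminal acts on: CSI (ESC [ ... final byte),
# OSC (ESC ] ... ended by BEL or ESC \), and bare two-character escapes.
ESCAPE_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[@-Z\\^_]"
)
# C0 control characters other than tab, plus DEL.
CONTROL_CHAR = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def neutralise(text):
    """Render control characters in caret notation (ESC becomes ^[),
    so printing the result cannot drive the terminal."""
    return CONTROL_CHAR.sub(lambda m: "^" + chr(ord(m.group()) ^ 0x40), text)


def scan(lines):
    """Return (line number, [neutralised sequences]) for every line that
    carries an escape sequence or, failing that, a stray control character."""
    findings = []
    for number, line in enumerate(lines, start=1):
        line = line.rstrip("\n")
        hits = ESCAPE_SEQ.findall(line) or CONTROL_CHAR.findall(line)
        if hits:
            findings.append((number, [neutralise(h) for h in hits]))
    return findings


# Constructed sample: one clean line, one with colour-changing CSI sequences,
# one with an OSC sequence that sets the window title.
SAMPLE = [
    "[Sun Apr 18 20:47:16 2004] [error] [client 192.0.2.10] File does not exist: /var/www/index.html\n",
    "[Sun Apr 18 20:47:20 2004] [error] [client 192.0.2.11] File does not exist: /var/www/\x1b[31mred\x1b[0m\n",
    "[Sun Apr 18 20:47:25 2004] [error] [client 192.0.2.12] Invalid URI in request GET /\x1b]0;title\x07 HTTP/1.0\n",
]

if __name__ == "__main__":
    for number, sequences in scan(SAMPLE):
        print(f"line {number}: {sequences}")
        print("  " + neutralise(SAMPLE[number - 1].rstrip("\n")))
```
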
Re: CAN-2003-0020?

Greetings,

On Sunday, 18 April 2004 18:56, Matt Zimmerman wrote:
> On Sat, Apr 17, 2004 at 10:16:11PM +0200, Jan Lühr wrote:
> > what about
> > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020 ? Is
> > debian finally going to fix it?
>
> Current consensus between the security team and the Apache maintainers is
> that it is not necessary to fix this in woody.

Ehm... why ? ;)
What about sarge or sid?

Keep smiling
yanosz

-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: CAN-2003-0020?

On Sat, Apr 17, 2004 at 10:16:11PM +0200, Jan Lühr wrote:
> what about http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020 ?
> Is debian finally going to fix it?

Current consensus between the security team and the Apache maintainers is
that it is not necessary to fix this in woody.

--
 - mdz

Re: suid

On Fri, Apr 16, 2004 at 11:02:56PM +0100, Mario Ohnewald wrote:
> Ok, the suid is set for the crontab binary because you have to edit the root
> owned file.

crontab in unstable is no longer setuid root.

--
 - mdz

Re: Security holes in 2.4.25?

On Wed, Apr 14, 2004 at 04:16:28PM -0500, Micah Anderson wrote:
> With the rash of security gaffes in the kernel related to mmap and
> mremap, does it make anyone else nervous to see the following in the
> changelog for 2.4.26:
>
> o mremap NULL pointer dereference fix
>
> If this was a security concern, would it be noted in the changelog?

Not generally, no. The kernel maintainers are notorious for obscuring such
things.

> Additionally, the 2.4.25 kernel seems to have a local root exploit for
> CDROMs: http://lwn.net/Articles/80480/

See DSA-479.

--
 - mdz

Re: syslog.conf question

In article <[EMAIL PROTECTED]> you wrote:
> *.*;auth,authpriv.none;mail.!* -/var/log/syslog

try mail.none

Greetings
Bernd
--
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/

Re: syslog.conf question

LeVA wrote:
> I'm trying to exclude my mailsystem's logs from the /var/log/syslog
> file. I've changed this line in /etc/syslog.conf:
> *.*;auth,authpriv.none -/var/log/syslog
>
> to:
>
> *.*;auth,authpriv.none;mail.!* -/var/log/syslog

Try "*.*;auth,authpriv.none;mail.none -/var/log/syslog"

syslog.conf question

Hi!

I'm trying to exclude my mailsystem's logs from the /var/log/syslog file.
I've changed this line in /etc/syslog.conf:
*.*;auth,authpriv.none -/var/log/syslog

to:

*.*;auth,authpriv.none;mail.!* -/var/log/syslog

After this, I have the mail log lines:
mail.* -/var/log/mail/mail.log
mail.info -/var/log/mail/mail.info
mail.warn -/var/log/mail/mail.warn
mail.err-/var/log/mail/mail.err

But if I change the syslog line, then the mail system doesn't log anywhere.
And if I switch it back, then it will log to the syslog and the
/var/log/mail/ dir too. What did I do wrong?

Thanks!

Daniel
--
LeVA

Re: BF kernels (was: [DSA 479-2] New Linux 2.4.18 packages fix local root exploit (i386))

On Sat, Apr 17, 2004 at 10:00:23AM -0400, Michael Stone wrote:
> On Thu, Apr 15, 2004 at 08:19:24PM +1000, Joshua Goodall wrote:
> >In other words, people are ready to pounce, and that short gap of time
> >after server installation and before installing patched code cannot be
> >considered "safe". Quite the opposite.
>
> Note that if you're doing a network install you can point to
> security.d.o and never have any vulnerable network services installed on
> the machine.

Let's rather say "never have any network services with known
vulnerabilities installed although an upgrade already is available".

But, well, that is already a little off topic.

Horst
--
If your only tool is a hammer, every problem looks like a nail