Re: [SECURITY] [DSA 733-1] New crip packages fix insecure temporary files

2005-06-30 Thread Christophe Mailhebuau
Sir,

I use Woody and I upgraded to Sarge, the new stable version. Can you tell
me what I must do to configure a new source in /etc/apt/source.list?

I am not sure of my source configuration.

Best Regards


On 30/06/05 at 10:44, Martin Schulze wrote:
>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA1
>
>- --
>Debian Security Advisory DSA 733-1 [EMAIL PROTECTED]
>http://www.debian.org/security/ Martin Schulze
>June 30th, 2005 http://www.debian.org/security/faq
>- --
>
>Package: crip
>Vulnerability  : insecure temporary files
>Problem-Type   : local
>Debian-specific: no
>CVE ID : CAN-2005-0393
>CERT advisory  : 
>BugTraq ID : 
>Debian Bug : 
>
>Justin Rye discovered that crip, a terminal-based ripper, encoder and
>tagger tool, utilises temporary files in an insecure fashion in its
>helper scripts.
>
>The old stable distribution (woody) does not provide the crip package.
>
>For the stable distribution (sarge) this problem has been fixed in
>version 3.5-1sarge2.
>
>For the unstable distribution (sid) this problem has been fixed in
>version 3.5-1sarge2.
>
>We recommend that you upgrade your crip package.
>
>
>Upgrade Instructions
>- 
>
>wget url
>will fetch the file for you
>dpkg -i file.deb
>will install the referenced file.
>
>If you are using the apt-get package manager, use the line for
>sources.list as given below:
>
>apt-get update
>will update the internal database
>apt-get upgrade
>will install corrected packages
>
>You may use an automated update by adding the resources from the
>footer to the proper configuration.
>
>
>Debian GNU/Linux 3.1 alias sarge
>- 
>
>  Source archives:
>
>http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2.dsc
>  Size/MD5 checksum:  572 8586b5bc06ec3a314e4f9920061fb061
>
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2.diff.gz
>  Size/MD5 checksum: 4427 01c4f0a2b1af58ba1c26828399f3c641
>http://ftp.debian.org/debian/pool/main/c/crip/crip_3.5.orig.tar.gz
>  Size/MD5 checksum:31935 e0b93d38ce19fbdb8c8d7c1d3f2a8676
>
>  Alpha architecture:
>
>
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_alpha.deb
>  Size/MD5 checksum:45134 ecf643d9d598eaa200af474d2084
>
>  ARM architecture:
>
>
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_arm.deb
>  Size/MD5 checksum:44436 52ff32d6ace120ef28d778127f6b624e
>
>  Intel IA-32 architecture:
>
>
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_i386.deb
>  Size/MD5 checksum:43710 639c9586b54d2d4538352c3f0a84fd17
>
>  Intel IA-64 architecture:
>
>
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_ia64.deb
>  Size/MD5 checksum:45582 a3e8b6645fbcc5fbe95ba78cb7aa308d
>
>  HP Precision architecture:
>
>
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_hppa.deb
>  Size/MD5 checksum:45298 62be35e7881ad4d1b32b33d213361dee
>
>  Motorola 680x0 architecture:
>
>
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_m68k.deb
>  Size/MD5 checksum:44562 08ce1cfa8fdeb0cae763f18dcdf53320
>
>  Big endian MIPS architecture:
>
>
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_mips.deb
>  Size/MD5 checksum:47086 e20d2a33a94d3153b10d3adb8f09a9d7
>
>  Little endian MIPS architecture:
>
>
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_mipsel.deb
>  Size/MD5 checksum:47088 55f8284e194dd8593e5486daa24e1851
>
>  PowerPC architecture:
>
>
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_powerpc.deb
>  Size/MD5 checksum:44830 bf5bb457f8363c76374ec1141db324e7
>
>  IBM S/390 architecture:
>
>
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_s390.deb
>  Size/MD5 checksum:44810 8ff12262a45ff8a7602f965c240689ed
>
>  Sun Sparc architecture:
>
>
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_sparc.deb
>  Size/MD5 checksum:44538 fc5feb3258717d56f48b1be034faf164
>
>
>  These files will probably be moved into the stable distribution on
>  its next update.
>
>- 
>-
>For apt-get: deb http://security.debian.org/ stable/updates main
>For dpkg-ftp: ftp://security.debian.org/debian-security 
>dists/stable/updates/main
>Mailing list: debian-security-announce@lists.debian.org
>Package info: `apt-cache show ' and http://packages.debian.org/
>
>-BEGIN PGP SIGNATURE-
>Version: GnuPG v1.4.1 (GNU/Linux)
>
>iD8DBQFCw7DYW5ql+IAeqTIRAsCIAJsFiiLWcFa/d0cY1




Ferie / Vacation

2005-06-30 Thread Christensen, TypoConsult
Ferie / Vacation 

I am on vacation until Monday 18 July. Your mail will not be read before then.
For urgent matters: contact Sune Vestergaard ([EMAIL PROTECTED]) or Thomas
Lorenzen ([EMAIL PROTECTED]).

I'm on vacation until Monday 18th of July. Your e-mail will not be read before
that. On urgent cases contact Sune Vestergaard ([EMAIL PROTECTED]) or Thomas
Lorenzen ([EMAIL PROTECTED]).

Kind regards / Best Regards
Mogens Christensen, TypoConsult A/S


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Away from my mail

2005-06-30 Thread automatic reply
I am on vacation from the 9th of June until the 2nd of July and will have only
very limited email access.

If you have a question regarding Textpresso or the Wormbase Literature Search, 
you can direct your question to Hans-Michael Mueller (mueller at 
its.caltech.edu).

If you have a question regarding ?Paper objects in Wormbase (journal/meeting 
abstracts), you can direct your question to Ranjana Kishore (scientific curator 
at Wormbase - ranjana at its.caltech.edu)

If you urgently need to contact me, you can call my cell at (626) 419 3081.

Otherwise, I will be back on-line in the beginning of July.

Cheers,
Eimear








Re: Question about Debian security policy

2005-06-30 Thread Jan Lühr
Greetings,

On Thursday, 30 June 2005 12:57, Paul Haesler wrote:
> > Hi everybody. I hope this question won't be too stupid.
> > When I perform a standard installation (i.e minimal), the installer
> > installs many servers, and launches them (like portmap, ssh, exim,
> > etc). Why? I think that OpenBSD and FreeBSD, for example, don't launch
> > any daemon at all, or at least prompt you before doing that. There
> > must be a reason, but I don't see it (I'm not a networking/security
> > guru, so please forgive me if the answer is obvious).
>
> I think you'll find OpenBSD launches at least sshd and sendmail
> in the default install (although sendmail only listens on
> loopback interface by default).  I've always wondered about
> portmap in debian myself - I presume it's to do with NFS. Perhaps
> it has to be part of the base system to support network installs.

When I last installed OpenBSD I was asked whether I wanted to use ssh. It
doesn't start automatically.

Keep smiling
yanosz





Re: [SECURITY] [DSA 733-1] New crip packages fix insecure temporary files

2005-06-30 Thread Luc
Thank you for keeping this up!

Martin Schulze ([EMAIL PROTECTED]) wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> - --
> Debian Security Advisory DSA 733-1 [EMAIL PROTECTED]
> http://www.debian.org/security/ Martin Schulze
> June 30th, 2005 http://www.debian.org/security/faq
> - --
>
> Package: crip
> Vulnerability  : insecure temporary files
> Problem-Type   : local
> Debian-specific: no
> CVE ID : CAN-2005-0393
> CERT advisory  :
> BugTraq ID :
> Debian Bug :
>
> Justin Rye discovered that crip, a terminal-based ripper, encoder and
> tagger tool, utilises temporary files in an insecure fashion in its
> helper scripts.
>
> The old stable distribution (woody) does not provide the crip package.
>
> For the stable distribution (sarge) this problem has been fixed in
> version 3.5-1sarge2.
>
> For the unstable distribution (sid) this problem has been fixed in
> version 3.5-1sarge2.
>
> We recommend that you upgrade your crip package.
>
>
> Upgrade Instructions
> - 
>
> wget url
> will fetch the file for you
> dpkg -i file.deb
> will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
> will update the internal database
> apt-get upgrade
> will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 3.1 alias sarge
> - 
>
>   Source archives:
>
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2.dsc
>   Size/MD5 checksum:  572 8586b5bc06ec3a314e4f9920061fb061
> 
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2.diff.gz
>   Size/MD5 checksum: 4427 01c4f0a2b1af58ba1c26828399f3c641
> http://ftp.debian.org/debian/pool/main/c/crip/crip_3.5.orig.tar.gz
>   Size/MD5 checksum:31935 e0b93d38ce19fbdb8c8d7c1d3f2a8676
>
>   Alpha architecture:
>
> 
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_alpha.deb
>   Size/MD5 checksum:45134 ecf643d9d598eaa200af474d2084
>
>   ARM architecture:
>
> 
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_arm.deb
>   Size/MD5 checksum:44436 52ff32d6ace120ef28d778127f6b624e
>
>   Intel IA-32 architecture:
>
> 
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_i386.deb
>   Size/MD5 checksum:43710 639c9586b54d2d4538352c3f0a84fd17
>
>   Intel IA-64 architecture:
>
> 
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_ia64.deb
>   Size/MD5 checksum:45582 a3e8b6645fbcc5fbe95ba78cb7aa308d
>
>   HP Precision architecture:
>
> 
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_hppa.deb
>   Size/MD5 checksum:45298 62be35e7881ad4d1b32b33d213361dee
>
>   Motorola 680x0 architecture:
>
> 
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_m68k.deb
>   Size/MD5 checksum:44562 08ce1cfa8fdeb0cae763f18dcdf53320
>
>   Big endian MIPS architecture:
>
> 
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_mips.deb
>   Size/MD5 checksum:47086 e20d2a33a94d3153b10d3adb8f09a9d7
>
>   Little endian MIPS architecture:
>
> 
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_mipsel.deb
>   Size/MD5 checksum:47088 55f8284e194dd8593e5486daa24e1851
>
>   PowerPC architecture:
>
> 
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_powerpc.deb
>   Size/MD5 checksum:44830 bf5bb457f8363c76374ec1141db324e7
>
>   IBM S/390 architecture:
>
> 
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_s390.deb
>   Size/MD5 checksum:44810 8ff12262a45ff8a7602f965c240689ed
>
>   Sun Sparc architecture:
>
> 
> http://security.debian.org/pool/updates/main/c/crip/crip_3.5-1sarge2_sparc.deb
>   Size/MD5 checksum:44538 fc5feb3258717d56f48b1be034faf164
>
>
>   These files will probably be moved into the stable distribution on
>   its next update.
>
> - 
> -
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security 
> dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show ' and http://packages.debian.org/
>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.1 (GNU/Linux)
>
> iD8DBQFCw7DYW5ql+IAeqTIRAsCIAJsFiiLWcFa/d0cY1w8PpKFcDmGzDgCfXubx
> huFjZTHlgKYHwrngTEoNkdg=
> =2DCX
> -END PGP SIGNATURE-
>
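The advisory quoted above tells the reader to fetch a package with wget and install it with dpkg -i, and publishes a Size/MD5 line for every file it lists. As an added example, not part of the advisory or of Debian's own tooling, here is a POSIX sh function that checks a downloaded file's size and MD5 against those two values before the file is handed to dpkg -i. The file it creates for the demonstration is constructed (6 bytes with a known MD5) and stands in for a real .deb; the function name and the demo variables are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): verify a downloaded package against the
# Size/MD5 line the advisory publishes before running `dpkg -i` on it.
#
#   verify_advisory_file FILE EXPECTED_SIZE EXPECTED_MD5
#
# Returns 0 when both size and MD5 match, 1 otherwise. Real use, with the values
# from the advisory's own Size/MD5 line for the i386 package:
#   verify_advisory_file crip_3.5-1sarge2_i386.deb 43710 639c9586b54d2d4538352c3f0a84fd17 \
#       && dpkg -i crip_3.5-1sarge2_i386.deb

# MD5 of a file, using coreutils md5sum or BSD md5, whichever is present.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Size in bytes; `tr` strips the padding some wc implementations print.
file_size() {
    wc -c < "$1" | tr -d ' '
}

verify_advisory_file() {
    f=$1; want_size=$2; want_md5=$3
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    got_size=$(file_size "$f")
    got_md5=$(file_md5 "$f")
    # Size is checked first: a truncated download fails here without hashing.
    if [ "$got_size" != "$want_size" ]; then
        echo "size mismatch for $f: got $got_size, advisory says $want_size" >&2
        return 1
    fi
    if [ "$got_md5" != "$want_md5" ]; then
        echo "MD5 mismatch for $f: got $got_md5, advisory says $want_md5" >&2
        return 1
    fi
    echo "ok: $f matches advisory ($want_size bytes, md5 $want_md5)"
    return 0
}

# Constructed demonstration input: a 6-byte file with a known MD5 stands in for
# the .deb. These three values are the example's own, not from the advisory.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'hello\n' > "$demo_dir/sample.deb"
DEMO_FILE=$demo_dir/sample.deb
DEMO_SIZE=6
DEMO_MD5=b1946ac92492d2347c6235b4d2611184

verify_advisory_file "$DEMO_FILE" "$DEMO_SIZE" "$DEMO_MD5"
```

The MD5 line carries only as much trust as the advisory it came from: it catches a truncated or corrupted download, and it proves origin only if the advisory's PGP signature was checked first.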

Re: Can (non-embargoed) uploads be downloaded from somewhere ?

2005-06-30 Thread paddy
Mike,

thanks for your quick response on this one.

On Thu, Jun 30, 2005 at 03:45:27PM -0400, Michael Stone wrote:
> On Thu, Jun 30, 2005 at 07:49:50PM +0100, paddy wrote:
> >Is there a standard way to download such a package ?
> 
> No.
> 
> Mike Stone

Is this a bug or a feature ?  

(I don't immediately see anything against pseudopackage security.debian.org)

Regards,
Paddy
-- 
Perl 6 will give you the big knob. -- Larry Wall





Re: Can (non-embargoed) uploads be downloaded from somewhere ?

2005-06-30 Thread Michael Stone

On Thu, Jun 30, 2005 at 07:49:50PM +0100, paddy wrote:
> Is there a standard way to download such a package ?

No.

Mike Stone








Out-of-office notice

2005-06-30 Thread sascha . mieth
I am out of the office from 27.06.2005 to 01.07.2005 and have only
sporadic access to my e-mail.

In urgent cases you are welcome to contact Jens Gräfe ([EMAIL PROTECTED]).

-- 
Kind regards

Sascha Mieth

---
subsist GmbH
Fiedlerstraße 4
01307 Dresden
Fon +49 351 44 00 92-0
Fax +49 351 44 00 92-9

http://www.subsist.de
http://palm.subsist.de
---








Can (non-embargoed) uploads be downloaded from somewhere ?

2005-06-30 Thread paddy
Hi,

Apologies if this is FAQ.

Twice today I've tried to answer this question, and got it wrong each time.

In http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314447 Duncan says

"A fixed package has already been given to the security team"

Is there a standard way to download such a package ?

Regards,
Paddy
-- 
Perl 6 will give you the big knob. -- Larry Wall





Re: Question about Debian security policy

2005-06-30 Thread Paul Haesler
> Hi everybody. I hope this question won't be too stupid.
> When I perform a standard installation (i.e minimal), the installer
> installs many servers, and launches them (like portmap, ssh, exim,
> etc). Why? I think that OpenBSD and FreeBSD, for example, don't launch
> any daemon at all, or at least prompt you before doing that. There
> must be a reason, but I don't see it (I'm not a networking/security
> guru, so please forgive me if the answer is obvious).

I think you'll find OpenBSD launches at least sshd and sendmail
in the default install (although sendmail only listens on
loopback interface by default).  I've always wondered about 
portmap in debian myself - I presume it's to do with NFS. Perhaps
it has to be part of the base system to support network installs.
--
Paul Haesler    [EMAIL PROTECTED]

Neutrons are wormholes. And if Blanca's dead 
clone was right, the Transmuters had all the 
degrees of freedom they could need to make 
Swift's neutrons unique.
- Yatima, in Greg Egan's "Diaspora".





net unavailable

2005-06-30 Thread Markus Schüpfer

Hi all,

we have a firewall with Debian 3.0 running a 2.4.27 kernel. The
problem is that one of our nets was completely unavailable from the internet.
The interface is a SOEKRIS 4 port NIC with ... kernel module NATSEMI

in the log:

" Jun 28 14:35:12 fw1 kernel: eth3: Oversized(?) Ethernet frame spanned 
multiple buffers, entry 0x366c575 status 0xd600 "


does anyone know more about this problem ?

many thanks
bye





Question about Debian security policy

2005-06-30 Thread neologix
Hi everybody. I hope this question won't be too stupid.
When I perform a standard installation (i.e minimal), the installer installs
many servers, and launches them (like portmap, ssh, exim, etc). Why?
I think that OpenBSD and FreeBSD, for example, don't launch any daemon at all,
or at least prompt you before doing that. There must be a reason, but I don't
see it (I'm not a networking/security guru, so please forgive me if the answer
is obvious).


And I'd like to thank all Debian people: you're achieving an incredible work ;-)





Re: Question about Debian security policy

2005-06-30 Thread Javier Fernández-Sanguino Peña
On Thu, Jun 30, 2005 at 11:16:18AM +0200, neologix wrote:
> Hi everybody. I hope this question won't be too stupid.
> When I perform a standard installation (i.e minimal), the installer installs
> many servers, and launches them (like portmap, ssh, exim, etc). Why?
> I think that OpenBSD and FreeBSD, for example, don't launch any daemon at all,
> or at least prompt you before doing that. There must be a reason, but I don't
> see it (I'm not a networking/security guru, so please forgive me if the answer
> is obvious).

It's not obvious, but it is documented, please read:
http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html#s3.6
and
http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html


Short answer:

- exim - (important priority) required for local mail delivery, if you
  don't configure it to act as a MTA it will only be accessible through
  127.0.0.1 (i.e it will not be exposed)

- sshd - part of the 'standard' installation. If you don't want standard
  you need to do a minimal install (using the 'expert' mode)

- portmap - standard, needed for some RPC services such as NFS (uncommon)
  or FAM (common in desktop environments). It can be easily configured to
  listen only for localhost queries to reduce exposure (check
  /etc/default/portmap, there is a debconf question to enable/disable in etch
  and sid). You can also prevent it from installing if using expert mode
  (i.e. if you don't install nfs-common either, which is also of 'standard'
  priority)

That's more or less what you will have in a stock standard installation. If 
you use a minimal installation through expert mode you can end up with 0 
network services, if you install some task you might end up with _more_ 
network services (printer service, FAM, web server, etc.). 

So what you have actually depends on your choices through the installation 
process.

Regards

Javier


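The answer above makes the point that which services end up listening depends on choices made during installation, and that exim and portmap can be kept on 127.0.0.1 so they are not exposed. An added example, not from the post and not Debian's own tooling, that turns that into a post-install check: a POSIX sh function that reads `netstat -tuln` output and reports every socket bound to something other than a loopback address. The netstat output embedded below is constructed to look like a stock install with portmap on all interfaces, exim on loopback only, sshd on the IPv6 wildcard and ntp on loopback; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): report listening sockets reachable from
# other hosts. Reads `netstat -tuln` output (columns: Proto Recv-Q Send-Q
# Local-Address Foreign-Address State) on stdin and prints "proto local:port"
# for every socket whose local address is not loopback. On a live system:
#   netstat -tuln | exposed_listeners
# Services restricted to loopback (exim on 127.0.0.1, portmap set to answer
# localhost only) do not appear; anything bound to 0.0.0.0 or :: does.

exposed_listeners() {
    while read -r proto recvq sendq laddr rest; do
        case "$proto" in
            tcp|tcp6|udp|udp6) ;;        # data rows only; header lines are skipped
            *) continue ;;
        esac
        host=${laddr%:*}                 # drop the trailing :port
        case "$host" in
            127.*|::1|"[::1]") ;;        # loopback: unreachable from the network
            *) printf '%s %s\n' "$proto" "$laddr" ;;
        esac
    done
}

# Pass/fail form for a post-install script: exit 0 when nothing on stdin is
# exposed, 1 when at least one listener is bound to a non-loopback address.
assert_no_exposed_listeners() {
    n=$(exposed_listeners | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Constructed sample in `netstat -tuln` format (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*'

# Prints the three exposed sockets: portmap tcp/udp 111 and sshd on :::22.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

A packet filter in front of the host can still block what this reports; the function shows what the host itself offers, which is the quantity the installation choices in the answer control.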