Re: [gna-private] [SECURITY] [DSA 987-1] New tar packages fix arbitrary code execution

2006-03-08 Thread Florian Weimer
* Steve Kemp:

> On Wed, Mar 08, 2006 at 09:41:39AM +0100, Mathieu Roy wrote:
>
>> > Package: tar
>> > Vulnerability  : buffer overflow
>> > Problem-Type   : local(remote)
>> 
>> What does
>>  local(remote)
>> mean?
>>
>> Does it mean local... or remote?
>
>   Local.  But remote in the sense that you may receive a .tar file
>  from a remote source.

NVD calls this "user-initiated".  With infrastructure software like
tar, it's hard to tell how it is indirectly exposed to the network, so
the attack range classification does not make much sense (even more
difficult is zlib; tar has got at least a bit of networking support).


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: first A record of security.debian.org extremely slow

2006-03-08 Thread Florian Weimer
* Michelle Konzack:

> 1)  Download Packages.gz/Sources.gz and check for changes

I think you should look at the Release file first, at least if you
don't use If-Modified-Since or similar conditional requests.
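As an added example (not code from this thread), here is how a mirror-polling script can follow that advice: read the Release file's SHA256 section and only fetch the index files whose checksum actually changed, and send conditional-request headers for the Release file itself. The Release content and checksums below are constructed.

```python
"""Decide which Debian index files changed by reading the Release file first.

Added example, not code from the original thread. The Release content below is
constructed; a real Release also carries MD5Sum/SHA1 sections and a signature
(Release.gpg or InRelease) that must be verified before any of it is trusted.
"""
import re

# Constructed sample in Release-file layout: a "SHA256:" field followed by
# space-indented "<hash> <size> <path>" lines, one per index file.
SAMPLE_RELEASE = """\
Origin: Debian
Suite: stable
Codename: sarge
Date: Wed, 08 Mar 2006 10:00:00 UTC
SHA256:
 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 1234 main/binary-i386/Packages.gz
 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210 5678 main/source/Sources.gz
"""

_ENTRY = re.compile(r"^ ([0-9a-f]{64})\s+(\d+)\s+(\S+)$")


def parse_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # A non-indented line starts a new field; only SHA256 interests us.
            in_section = line.strip() == "SHA256:"
            continue
        m = _ENTRY.match(line)
        if in_section and m:
            entries[m.group(3)] = (m.group(1), int(m.group(2)))
    return entries


def changed_indices(release_text, known_hashes):
    """Paths whose checksum differs from the copy fetched last time (or are new)."""
    current = parse_sha256(release_text)
    return sorted(p for p, (h, _) in current.items() if known_hashes.get(p) != h)


def conditional_headers(last_modified=None, etag=None):
    """Headers for a conditional GET of Release itself, so an unchanged file
    costs the mirror a 304 response instead of a full transfer."""
    headers = {}
    if last_modified:
        headers["If-Modified-Since"] = last_modified
    if etag:
        headers["If-None-Match"] = etag
    return headers
```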





Re: first A record of security.debian.org extremely slow

2006-03-08 Thread martin f krafft
thus spoke Michelle Konzack <[EMAIL PROTECTED]> [2006.02.28.1824 +0100]:
> I can not use rsync because I have a different directory structure AND
> I do not want to kill one of the security mirrors of debian, how often
> should I poll the Packages.gz/Sources.gz for changes daily?

Once.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
military justice is to justice what military music is to music.
   -- groucho marx




Re: [gna-private] [SECURITY] [DSA 987-1] New tar packages fix arbitrary code execution

2006-03-08 Thread Moritz Muehlenhoff
Mathieu Roy wrote:
>> > What does
>> > local(remote)
>> > mean?
>> >
>> > Does it mean local... or remote?
>>
>>   Local.  But remote in the sense that you may receive a .tar file
>>  from a remote source.
>
> Ok, thanks for the input. 
>
> Looks like an oxymoron, a bit confusing though (but I have no proposal for
> alternative wording).

This question comes from time to time. If someone wants to write a FAQ entry for
the Debian Security FAQ, please send it to [EMAIL PROTECTED]

Cheers,
Moritz





Re: [gna-private] [SECURITY] [DSA 987-1] New tar packages fix arbitrary code execution

2006-03-08 Thread Mathieu Roy
On Wednesday 8 March 2006 10:17, Steve Kemp wrote:
> On Wed, Mar 08, 2006 at 09:41:39AM +0100, Mathieu Roy wrote:
> > > Package: tar
> > > Vulnerability  : buffer overflow
> > > Problem-Type   : local(remote)
> >
> > What does
> > local(remote)
> > mean?
> >
> > Does it mean local... or remote?
>
>   Local.  But remote in the sense that you may receive a .tar file
>  from a remote source.
>

Ok, thanks for the input. 

Looks like an oxymoron, a bit confusing though (but I have no proposal for
alternative wording).



-- 
Mathieu Roy




Re: [gna-private] [SECURITY] [DSA 987-1] New tar packages fix arbitrary code execution

2006-03-08 Thread Steve Kemp
On Wed, Mar 08, 2006 at 09:41:39AM +0100, Mathieu Roy wrote:

> > Package: tar
> > Vulnerability  : buffer overflow
> > Problem-Type   : local(remote)
> 
> What does
>   local(remote)
> mean?
>
> Does it mean local... or remote?

  Local.  But remote in the sense that you may receive a .tar file
 from a remote source.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Re: [gna-private] [SECURITY] [DSA 987-1] New tar packages fix arbitrary code execution

2006-03-08 Thread Mathieu Roy
On Tuesday 7 March 2006 15:19, Moritz Muehlenhoff wrote:
> --
> Debian Security Advisory DSA 987-1 [EMAIL PROTECTED]
> http://www.debian.org/security/ Moritz Muehlenhoff
> March 7th, 2006 http://www.debian.org/security/faq
> --
>
> Package: tar
> Vulnerability  : buffer overflow
> Problem-Type   : local(remote)

What does
local(remote)
mean?

Does it mean local... or remote?

Regards,

-- 
Mathieu Roy

  +-+
  | General Homepage:   http://yeupou.coleumes.org/ |
  | Computing Homepage: http://alberich.coleumes.org/   |
  | Not a native english speaker:   |
  | http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english  |
  +-+