Re: When are security updates effective?
On Tue, Aug 29, 2006 at 10:54:45PM +0200, Moritz Muehlenhoff wrote:
> Mikko Rapeli wrote:
> > Could Debian security advisories help a bit, since the people making the
> > packaging changes probably know how to make the changes effective on a
> > running installation too?
>
> If there's anything special to do (e.g. kernel or glibc) we already add this
> to the DSA text.

Yes, that's great, but some of the non-special cases are not that obvious.
Should I reboot or at least restart kdm after the libtiff4 update? On one host
I get the feeling I don't, since 'lsof 2>/dev/null | grep libtiff' returns
nothing. Then again this would suggest that at least kde/kdm needs to be
restarted:

# apt-cache rdepends libtiff4|grep kde
  kdelibs4
  kdegraphics-kfile-plugins

So which one is it?

update-notifier seems nice, but how does it know what to do? I looked at the
code but couldn't see how it knows when to reboot and when a package upgrade
is enough.

-Mikko

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
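The question above (does anything still need restarting after the libtiff4 upgrade?) can be answered without guessing from rdepends: dpkg renames the new file over the old one, so any process still mapping the old library shows that path marked "(deleted)" in /proc/<pid>/maps, which is the same signal lsof reports. The script below is an added example for this thread, not code from update-notifier or from any poster; the maps content is a constructed sample and the live scan assumes a Linux host with /proc.

```python
"""Report processes that still map a shared library replaced on disk by a
package upgrade, so the admin knows what to restart (or whether a reboot is
needed at all)."""
import os

# Constructed sample of one /proc/<pid>/maps file: a live libc mapping plus
# two mappings of the old libtiff inode that dpkg unlinked during the upgrade.
SAMPLE_MAPS = """\
08048000-0805c000 r-xp 00000000 03:01 123456     /usr/bin/kdm
b7e00000-b7f30000 r-xp 00000000 03:01 654321     /lib/tls/libc.so.6
b7f40000-b7f80000 r-xp 00000000 03:01 111111     /usr/lib/libtiff.so.4.1.3 (deleted)
b7f80000-b7f81000 rw-p 00040000 03:01 111111     /usr/lib/libtiff.so.4.1.3 (deleted)
bffeb000-c0000000 rw-p bffeb000 00:00 0          [stack]
"""

DELETED = " (deleted)"


def stale_libs_from_maps(maps_text):
    """Return the sorted list of .so paths in one maps file whose backing
    file has been unlinked (an upgraded library keeps its old inode mapped
    until the process is restarted)."""
    stale = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)      # addr perms offset dev inode path
        if len(parts) < 6:
            continue                     # anonymous mapping, no backing file
        path = parts[5]
        if not path.endswith(DELETED):
            continue
        path = path[:-len(DELETED)]
        # Only shared objects: skip deleted /dev/shm files, memfd: and SysV segments.
        if path.startswith("/") and ".so" in os.path.basename(path):
            stale.add(path)
    return sorted(stale)


def scan_running_processes(proc="/proc"):
    """Map pid -> stale libraries for every process whose maps we may read
    (run as root to see all users' sessions, e.g. kdm's)."""
    result = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "maps")) as f:
                stale = stale_libs_from_maps(f.read())
        except OSError:
            continue                     # process exited or not ours to read
        if stale:
            result[int(pid)] = stale
    return result


if __name__ == "__main__":
    for pid, libs in sorted(scan_running_processes().items()):
        print(pid, ", ".join(libs))
```

An empty report after the upgrade means no running process holds the old library, which is the case Mikko's lsof grep describes; a hit on kdm's pid means the display manager itself must be restarted, not just the session.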
Re: [SECURITY] [DSA 1156-1] New kdebase packages fix information disclosure
* Nick Boyce:

> For interest, can anyone explain why a problem with kdm leads to the
> need to reissue so many KDE packages ?

Security updates are performed per source package (after all, we need to ship
an updated source package to comply with the DFSG and various licenses). The
source package building KDE also builds tons of other packages.
Re: [SECURITY] [DSA 1156-1] New kdebase packages fix information disclosure
Regarding :

> - --
> Debian Security Advisory DSA 1156-1                    [EMAIL PROTECTED]
> http://www.debian.org/security/                        Moritz Muehlenhoff
> August 27th, 2006                      http://www.debian.org/security/faq
> - --
>
> Package        : kdebase
> Vulnerability  : programming error
> Problem-Type   : local
> Debian-specific: no
> CVE ID         : CVE-2006-2449
> Debian Bug     : 374002
>
> Ludwig Nussel discovered that kdm, the X display manager for KDE, handles
> access to the session type configuration file insecurely, which may lead
> to the disclosure of arbitrary files through a symlink attack.

For interest, can anyone explain why a problem with kdm leads to the need to
reissue so many KDE packages ?

Neither http://bugs.debian.org/374002, nor
http://www.kde.org/info/security/advisory-20060614-1.txt shed any light e.g.

> Intel IA-32 architecture:
Re: When are security updates effective?
On Wed, Aug 30, 2006 at 03:45:04PM -0400, Noah Meyerhans wrote:
> I haven't come up with a really good solution to this problem. I
> actually sort of like the Windows method of incessantly nagging the user
> to reboot their machine (it literally pops up a dialog box every few
> minutes). I like the idiot-proof factor. Yes, they can ignore the
> popups, but they come so quickly that even the most stubborn user will
> get sick of them and reboot. I'd hate it if I was a Windows user,
> though, I'm sure!

Would this help?
http://lists.debian.org/debian-devel/2006/08/msg00629.html

--
dann frazier
Re: When are security updates effective?
Noah Meyerhans wrote:
> On Tue, Aug 29, 2006 at 10:54:45PM +0200, Moritz Muehlenhoff wrote:
> > If there's anything special to do (e.g. kernel or glibc) we already add
> > this to the DSA text.
>
> I don't think that's quite enough. I have a few hundred Debian
> workstations for which I'm responsible, and it's difficult for me to make
> sure that the users e.g. restart firefox when we release an update.
> Daemons automatically get restarted, but desktop apps require
> intervention. In my case, the desktop apps aren't being run by the people
> installing the updates (the updates are typically installed either
> remotely or fully automatically) and that makes things even more
> difficult.
>
> I haven't come up with a really good solution to this problem. I actually
> sort of like the Windows method of incessantly nagging the user to reboot
> their machine (it literally pops up a dialog box every few minutes). I
> like the idiot-proof factor. Yes, they can ignore the popups, but they
> come so quickly that even the most stubborn user will get sick of them
> and reboot. I'd hate it if I was a Windows user, though, I'm sure!
>
> noah

Just write a script that closes all firefoxes after the update. Haha, that
wouldn't be so disturbing.

--
Henri Salo | [EMAIL PROTECTED]
Re: When are security updates effective?
On Tue, Aug 29, 2006 at 10:54:45PM +0200, Moritz Muehlenhoff wrote:
> If there's anything special to do (e.g. kernel or glibc) we already add this
> to the DSA text.

I don't think that's quite enough. I have a few hundred Debian workstations
for which I'm responsible, and it's difficult for me to make sure that the
users e.g. restart firefox when we release an update. Daemons automatically
get restarted, but desktop apps require intervention. In my case, the desktop
apps aren't being run by the people installing the updates (the updates are
typically installed either remotely or fully automatically) and that makes
things even more difficult.

I haven't come up with a really good solution to this problem. I actually sort
of like the Windows method of incessantly nagging the user to reboot their
machine (it literally pops up a dialog box every few minutes). I like the
idiot-proof factor. Yes, they can ignore the popups, but they come so quickly
that even the most stubborn user will get sick of them and reboot. I'd hate it
if I was a Windows user, though, I'm sure!

noah
Re: When are security updates effective?
Mikko Rapeli wrote:
> Could Debian security advisories help a bit, since the people making the
> packaging changes probably know how to make the changes effective on a
> running installation too?

If there's anything special to do (e.g. kernel or glibc) we already add this
to the DSA text.

Cheers,
        Moritz
RE: apt-check-sigs and apt-get sig errors
> -----Original Message-----
> From: Christoph Auer [mailto:[EMAIL PROTECTED]
>
> Today I got this error message too
>
> W: GPG error: http://security.debian.org etch/updates
> Release: The following signatures were invalid: NODATA 2
> W: You may want to run apt-get update to correct these problems

At least it's not only me. I just wait until it works again. Sometimes I
switch to a direct url to klecker and that works better than villa or unm, but
not today.

PLEASE IGNORE THE CORPORATE SIGNATURE BELOW. THE PUBLIC IS THE INTENDED
RECIPIENT(S).

Mark

This email message is for the sole use of the intended recipient(s) and may
contain privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply email and destroy all copies of the original
message.
RE: apt-check-sigs and apt-get sig errors
> -----Original Message-----
> From: Martin Reising [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 30, 2006 11:18 AM
> To: Hedges, Mark
> Subject: Re: apt-check-sigs and apt-get sig errors
>
> On Wed, Aug 30, 2006 at 10:13:40AM -0700, Hedges, Mark wrote:
> >
> > This email message is for the sole use of the intended recipient(s)
> > and may contain privileged information. Any unauthorized review, use,
> > disclosure or distribution is prohibited. If you are not the intended
> > recipient, please contact the sender by reply email and destroy all
> > copies of the original message.
>
> What is the idea behind using that nonsense in an email body,
> especially in a mailing list like this, where every email will
> be found by google?
>
> --
> Don't assume intent when stupidity suffices!

That's a good question. It's tagged on by our outbound mail server. I can't do
anything about it. But I have no choice, I can only use this mail from here.
What is the idea behind flaming me for something I have no control over? A
cover for having no intelligent response? I suppose for you, "stupidity is
sufficient," as your sig says.

If someone happens to know anything about my question, I would really
appreciate the advice. I always wait until later to do apt-get update again,
when I no longer get signature errors. It is just confusing.

Mark
Re: apt-check-sigs and apt-get sig errors
> Like this. What does this mean? I get a lot of bad sig messages too,
> with key sigs that don't seem to be on any keyring. I get these at work
> and at home, so I figure it's actually the server, not a MITM.
>
> Fetched 42.4kB in 8s (4768B/s)
> Reading package lists... Done
> W: GPG error: http://security.debian.org stable/updates Release: The
> following signatures were invalid: NODATA 2
> W: GPG error: http://security.debian.org testing/updates Release: The
> following signatures were invalid: NODATA 2
> W: You may want to run apt-get update to correct these problems

Today I got this error message too

W: GPG error: http://security.debian.org etch/updates Release: The following
signatures were invalid: NODATA 2
W: You may want to run apt-get update to correct these problems

Regards,
--
Christoph Auer <[EMAIL PROTECTED]>
GnuPG Key ID: 1082227A
Encrypted e-mail preferred.
Powered by Debian GNU/Linux
RE: apt-check-sigs and apt-get sig errors
> From: Hedges, Mark
> Sent: Monday, August 28, 2006 11:19 AM
> To: debian-security@lists.debian.org
> Subject: apt-check-sigs and apt-get sig errors
>
> Is apt-check-sigs supposed to work with etch these days?
> Does this mean nothing works right, or am I compromised?
>
> I get sporadic complaints from `apt-get update` as well
> saying that the packages are not signed with the right key.

Like this. What does this mean? I get a lot of bad sig messages too, with key
sigs that don't seem to be on any keyring. I get these at work and at home, so
I figure it's actually the server, not a MITM.

Fetched 42.4kB in 8s (4768B/s)
Reading package lists... Done
W: GPG error: http://security.debian.org stable/updates Release: The
following signatures were invalid: NODATA 2
W: GPG error: http://security.debian.org testing/updates Release: The
following signatures were invalid: NODATA 2
W: You may want to run apt-get update to correct these problems
Re: Why is portmap installed by default?
On 2006-08-25 10:16:17, Dominic Hargreaves wrote:
> How are you doing your installs?
>
> The sarge installer, even if you deselect all tasks, installs all
> Priority: standard (and above) packages. This includes portmap.

I have only a 180 MByte installation after using the Netinstall-CD and had
problems getting a connection to my ${HOME} which is on NFS. Since all other
packages are there...

> Doubtless you could use expert mode in the install to avoid this, but
> that should hardly be necessary. It certainly seems to be like portmap
> should be made Priority: optional.

Maybe. Currently it is standard.

> As others, along with nfs-common and lpr, removing it is one of the
> first things I do for a new install.

You are using the predefined tasks? Never had autoinstalled nfs-common and
lpr... I install a really selected Workstation or Server by hand or a
self-made META package.

Greetings
    Michelle Konzack
    Systemadministrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
                   50, rue de Soultz         MSM LinuxMichi
0033/6/61925193    67100 Strasbourg/France   IRC #Debian (irc.icq.com)