Re: security mirror out of date: 128.101.240.212
On Mon, May 14, 2007 at 11:19:32PM +0200, Martin Zobel-Helas wrote:
> no. Bad karma.

I like this explanation the most :) This would explain a lot...

Funny thing is that today when I run host security.debian.org I get alternating results exactly as it should be, so today it looks like rerunning apt-get update a few times would have worked, even if it didn't yesterday or the day before that. Oh well, bad karma it was ;)

Most likely my ISP's DNS cached the IP and gave me the same IP for security.debian.org every time I reran apt-get update. Maybe someone hit it with a cluebat in the meantime, because it works as it should now.

Thanks to everyone that answered, both here and privately.

Tomas

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
debian.org DNSs allow unrestricted zone transfers
Hi,

I thought zone transfers should only be possible between DNSs which have records for the same domain, so why are debian.org DNSs (raff, rietz, klecker) allowing zone transfers? Maybe I'm paranoid, but I think there are security issues related to this, including the possibility of suffering DoS attacks (it serves 254 records). Is there an explanation for this?

You can check this with:

dig -t axfr debian.org @raff.debian.org

Regards,
Abel
Re: debian.org DNSs allow unrestricted zone transfers
thus spoke Abel Martín [EMAIL PROTECTED] [2007.05.15.1356 +0200]:
> I thought zone transfers should only be possible between DNSs which have records for the same domain, so why are debian.org DNSs (raff, rietz, klecker) allowing zone transfers? Maybe I'm paranoid, but I think there are security issues related to this, including the possibility of suffering DoS attacks (it serves 254 records). Is there an explanation for this?

Where is the attack vector? I can DoS those servers in other ways too.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft [EMAIL PROTECTED]
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-     Debian - when you have better things to do than fixing systems

#include signature.h
Re: debian.org DNSs allow unrestricted zone transfers
thus spoke Giacomo A. Catenazzi [EMAIL PROTECTED] [2007.05.15.1646 +0200]:
> the theory: zone transfer of a DNS gives internal information about structure and IPs of internal machines.

my theory: that information should be public, or at least if it were, the network should not be less safe because of it.

> I think a simple scan could give the same information, and anyway the name of debian machines is listed also on the web.

I see no attack vector.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft [EMAIL PROTECTED]
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-     Debian - when you have better things to do than fixing systems

i've not lost my mind. it's backed up on tape somewhere.
Re: debian.org DNSs allow unrestricted zone transfers
martin f krafft wrote:
> thus spoke Abel Martín [EMAIL PROTECTED] [2007.05.15.1356 +0200]:
>> I thought zone transfers should only be possible between DNSs which have records for the same domain, so why are debian.org DNSs (raff, rietz, klecker) allowing zone transfers? Maybe I'm paranoid, but I think there are security issues related to this, including the possibility of suffering DoS attacks (it serves 254 records). Is there an explanation for this?
>
> Where is the attack vector? I can DoS those servers in other ways too.

the theory: zone transfer of a DNS gives internal information about structure and IPs of internal machines.

I think a simple scan could give the same information, and anyway the name of debian machines is listed also on the web.

ciao
cate
Re: debian.org DNSs allow unrestricted zone transfers
martin f krafft wrote:
> thus spoke Giacomo A. Catenazzi [EMAIL PROTECTED] [2007.05.15.1646 +0200]:
>> the theory: zone transfer of a DNS gives internal information about structure and IPs of internal machines.
>
> my theory: that information should be public, or at least if it were, the network should not be less safe because of it.
>
>> I think a simple scan could give the same information, and anyway the name of debian machines is listed also on the web.
>
> I see no attack vector.

I agree with you. The "the theory" should be read as: security books write this, but ...

Without zone transfer, you simplify the detection of net-scans, but an attacker could use a lot of machines, a lot of time (few packets per day), and eventually use the automatic response as a vector for a DoS.

So I agree with you.

ciao
cate

PS: on my machines, I see that only switch.ch tries to transfer zones from my domains (I think for statistics, but nothing on the net).
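The thread above turns on two operational points: whether AXFR should be restricted to known secondaries (the thing Abel's `dig -t axfr` check exercises), and Cate's remark that once transfers are refused, transfer attempts become a useful signal. As an added example that is not from the list, from Debian's infrastructure or from BIND itself, here is a small Python audit over BIND-style query-log lines: it flags AXFR/IXFR requests from anything outside the configured secondaries and clients that repeat transfer requests. The log lines, the IP addresses and the allowed-secondary networks are all constructed; `LINE_RE` approximates the "client IP#port: query: NAME CLASS TYPE" layout and would need adjusting to the exact format your named version writes.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log (not real debian.org traffic); RFC 5737 test addresses.
SAMPLE_LOG = """\
15-May-2007 13:56:01.101 client 203.0.113.9#51022: query: www.debian.org IN A -
15-May-2007 13:56:02.310 client 198.51.100.5#41200: query: debian.org IN AXFR -
15-May-2007 13:56:05.004 client 192.0.2.77#33145: query: debian.org IN AXFR -
15-May-2007 13:56:05.880 client 192.0.2.77#33146: query: debian.org IN AXFR -
15-May-2007 13:56:06.412 client 192.0.2.77#33147: query: debian.org IN AXFR -
15-May-2007 13:57:10.250 client 198.51.100.6#40011: query: debian.org IN IXFR -
"""

# Assumed secondaries. This is the same set that allow-transfer { ...; };
# in named.conf would list; anything else asking for a transfer is suspect.
ALLOWED_SECONDARIES = [ip_network("198.51.100.0/29"), ip_network("203.0.113.200/32")]

# Matches the constructed layout above; tune for your named query-log format.
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<zone>\S+) IN (?P<qtype>AXFR|IXFR)\b"
)


def is_allowed_secondary(ip, allowed=ALLOWED_SECONDARIES):
    """True if ip falls inside one of the configured secondary networks."""
    addr = ip_address(ip)
    return any(addr in net for net in allowed)


def parse_transfer_requests(log_text):
    """Yield (client_ip, zone, qtype) for every AXFR/IXFR query in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("zone"), m.group("qtype")


def audit_transfers(log_text, allowed=ALLOWED_SECONDARIES, repeat_threshold=3):
    """Return findings: transfer requests from non-secondaries, and clients
    whose request count reached repeat_threshold (candidates for rate limiting
    or firewalling rather than for answering again)."""
    unauthorized = []
    per_client = Counter()
    for ip, zone, qtype in parse_transfer_requests(log_text):
        per_client[ip] += 1
        if not is_allowed_secondary(ip, allowed):
            unauthorized.append((ip, zone, qtype))
    repeated = {ip: n for ip, n in per_client.items() if n >= repeat_threshold}
    return {"unauthorized": unauthorized, "repeated": repeated, "per_client": dict(per_client)}


if __name__ == "__main__":
    report = audit_transfers(SAMPLE_LOG)
    for ip, zone, qtype in report["unauthorized"]:
        print(f"ALERT {qtype} for {zone} from non-secondary {ip}")
    for ip, n in report["repeated"].items():
        print(f"NOTE {ip} made {n} transfer requests")
```

The same allowlist, expressed in named.conf, is what closes the question Abel raised: with `allow-transfer` limited to the secondaries, the audit above reports only attempts, not successful dumps of the zone.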
Re: security mirror out of date: 128.101.240.212
Philip Hands wrote:
> Tomas Nykung wrote:
>> On Mon, May 14, 2007 at 10:04:46AM +0200, martin f krafft wrote:
>>> FYI: weinholt one of the security.debian.org mirrors is out of date. 128.101.240.212 has a /debian-security/dists/etch/updates/Release file dated 10 May 2007
>
> Right, it seems that /org on saens was full. I've removed saens from the debian-security.debian.org DNS round-robin, and removed a few directories in the security to free up enough space to be able to sync the main debian archive. That allowed a load of old stuff to be deleted, resulting in about 2.5 GB of free space on /org, so I've now synced the security mirror and we still have ~560MB spare, so I'll put saens back in the DNS for the moment.

sadly, that's not enough to deal with the overhead involved in deleting at the end of rsync runs, so it filled again -- looks like saens will have to be dropped from the security.d.o for now.

Cheers, Phil.
Re: [SECURITY] [DSA 1291-1] New samba packages fix multiple vulnerabilities
[not subscribed to -security, so please keep me on the CC]

On Tue, May 15, 2007 at 07:34:53PM +0200, Noah Meyerhans wrote:
> For the stable distribution (etch), these problems have been fixed in version 3.0.24-6etch1
>
> For the testing and unstable distributions (lenny and sid, respectively), these problems have been fixed in version 3.0.25-1

What about Sarge?

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [SECURITY] [DSA 1292-1] New qt4-x11 packages fix cross-site scripting vulnerability
On Wednesday 16 May 2007 08:22, Noah Meyerhans wrote:
> Package: qt4-x11
<snip>
> For the stable distribution (etch), this problem has been fixed in version 4.2.1-2etch1

Etch shipped with 4.2.1-2+b1 packages.

$ dpkg --compare-versions 4.2.1-2+b1 gt 4.2.1-2etch1 && echo yes
yes

Perhaps that should have been 4.2.1-2+etch1?

Cheers
Andrew V.
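Andrew's point depends on how dpkg orders version strings: in the lexical runs between numbers, `~` sorts before anything (even the end of the string), letters sort by ASCII, and every other symbol (including `+`) sorts after all letters. So `2etch1` sorts below `2+b1`, and a security update versioned that way is never a candidate on a system that already has the binNMU installed, because apt does not downgrade. As an added example (not from the thread and not dpkg's own code; function names are mine), here is a Python port of the comparison algorithm from Debian Policy 5.6.12 / dpkg's verrevcmp(), applied to the three versions in the thread.

```python
# Added example: a Python port of dpkg's version ordering. Not dpkg's own code.

def _order(c: str) -> int:
    """Sort weight of one character for the lexical runs. Digits are compared
    numerically elsewhere, so they and end-of-string weigh 0; '~' sorts before
    everything, letters by ASCII, every other symbol after all letters."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _char(s: str, k: int) -> str:
    """Character at index k, or '' past the end (like C's NUL terminator)."""
    return s[k] if k < len(s) else ""


def _verrevcmp(a: str, b: str) -> int:
    """Compare one component (upstream or revision) the dpkg way: alternate
    between a lexical run of non-digits and a numeric run of digits."""
    i = j = 0
    while _char(a, i) or _char(b, j):
        first_diff = 0
        # Lexical run: stops when both sides reach a digit or end of string.
        while (_char(a, i) and not _char(a, i).isdigit()) or \
              (_char(b, j) and not _char(b, j).isdigit()):
            ac, bc = _order(_char(a, i)), _order(_char(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: leading zeros ignored, longer run wins, otherwise the
        # first differing digit decides.
        while _char(a, i) == "0":
            i += 1
        while _char(b, j) == "0":
            j += 1
        while _char(a, i).isdigit() and _char(b, j).isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _char(a, i).isdigit():
            return 1
        if _char(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, _, revision = v.rpartition("-")
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


_OPS = {"lt": (-1,), "le": (-1, 0), "eq": (0,), "ne": (-1, 1), "ge": (0, 1), "gt": (1,)}


def dpkg_compare(a: str, op: str, b: str) -> bool:
    """Mimic `dpkg --compare-versions a OP b` for the six mnemonic operators."""
    return compare_versions(a, b) in _OPS[op]


if __name__ == "__main__":
    shipped, dsa, suggested = "4.2.1-2+b1", "4.2.1-2etch1", "4.2.1-2+etch1"
    print(f"{shipped} gt {dsa}: {dpkg_compare(shipped, 'gt', dsa)}")
    print(f"{suggested} gt {shipped}: {dpkg_compare(suggested, 'gt', shipped)}")
    print(f"1.0~rc1 lt 1.0: {dpkg_compare('1.0~rc1', 'lt', '1.0')}")
```

Running it reproduces the shell check in the mail (`4.2.1-2+b1` is greater than `4.2.1-2etch1`) and shows that the suggested `4.2.1-2+etch1` does sort above the shipped binNMU, since `+` then `e` beats `+` then `b`. The same routine is a cheap pre-release check for any advisory: compare the fix version against every version of the package actually in the archive before publishing.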
Re: [SECURITY] [DSA 1291-1] New samba packages fix multiple vulnerabilities
Noah Meyerhans wrote:
> Debian Security Advisory DSA-1291-1 [EMAIL PROTECTED]
> http://www.debian.org/security/ Noah Meyerhans
> May 15, 2007

Nice work on getting this out. Is sarge going to get an update, is it even affected? I've looked into CVE-2007-2444, and http://www.securityfocus.com/bid/23974/ says that the version in sarge is affected.

-- 
Geoff Crompton
Debian System Administrator
Strategic Data
+61 3 9340 9000