libsnmp security update
Hi,

I have noticed the latest libsnmp15 update, but I have been unable to install it, because it has dependencies on perl >= 5.10, which eventually leads me to ldap-utils. ldap-utils version 2.3.38-1+lenny1 is the last version (that I have) compiled against the openssl libraries; the ones after that are compiled against the gnutls libraries. The difference with the gnutls libraries is that they don't handle encrypted (password-protected) x509 private keys.

Seems a bit silly to be leaving private keys lying around unprotected. Anyone got any suggestions how to get around this impasse? My only solution right now is to build ldap-utils statically against the openssl libraries.

Alex

--
"And, again, I don't know where he is. I --I'll repeat what I said. I truly am not that concerned about him."
- George W. Bush 03/13/2002 Washington, DC White House Press Conference
Re: [SECURITY] [DSA 1587-1] New mtr packages fix execution of arbitrary code
Hi,
* urug <[EMAIL PROTECTED]> [2008-05-27 19:43]:
> On Mon, 26 May 2008 13:37:48 +0100
> > For the stable distribution (etch), this problem has been fixed in
[...]
> > version 0.71-2etch1.
> >
> > For the unstable distribution (sid), this problem has been fixed in
> > version 0.73-1.
> >
> > We recommend that you upgrade your mtr package.
>
> mtr-tiny in Etch is still vulnerable? (0.71-2)

As noted above mtr is fixed in 0.71-2etch1 (stable-security). mtr-tiny is part of this source package so it is fixed in the same version.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Re: [SECURITY] [DSA 1587-1] New mtr packages fix execution of arbitrary code
On Mon, 26 May 2008 13:37:48 +0100 Steve Kemp <[EMAIL PROTECTED]> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> -
> Debian Security Advisory DSA-1587-1                  [EMAIL PROTECTED]
> http://www.debian.org/security/                             Steve Kemp
> May 26, 2008                        http://www.debian.org/security/faq
> -
>
> Package        : mtr
> Vulnerability  : buffer overflow
> Problem type   : remote
> Debian-specific: no
> CVE Id(s)      : CVE-2008-2357
>
> Adam Zabrocki discovered that under certain circumstances mtr, a full
> screen ncurses and X11 traceroute tool, could be tricked into
> executing arbitrary code via overly long reverse DNS records.
>
> For the stable distribution (etch), this problem has been fixed in
> version 0.71-2etch1.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 0.73-1.
>
> We recommend that you upgrade your mtr package.

mtr-tiny in Etch is still vulnerable? (0.71-2)

--
Pozdrawiam, Tomek
- www http://www.urug.net http://urug.gnu.pl
- GnuPG KeyID: 0x70F9CEDD @ pgp.mit.edu
  Fingerprint: 7CD2 C47F CBD7 D15D 2D91 0E89 ADD7 CD4F 70F9 CEDD
Re: DSA-1571 and GSSAPI
> yet confirmed whether that includes using it for the generation of random
> session keys, but that would be the conservative assumption. Given that,

Has this been investigated further by you or anyone else? Or should I bother the heimdal guys about this?

-Juha

--
Juha Jäykkä, [EMAIL PROTECTED]
home: http://www.utu.fi/~juolja/
Re: lm-sensors update for sarge
On Tuesday 27 of May 2008, dann frazier wrote:
> On Mon, May 26, 2008 at 03:56:21PM +0200, Vladislav Kurz wrote:
> > Hello all,
> >
> > A few days ago I was surprised that there is an update for lm-sensors
> > (and libsensors3) for sarge. It is available from security.debian.org. I
> > know that sarge does not have any security support any more, and there
> > was no DSA about lm-sensors this year. So I ask - does anyone know what
> > is going on?
>
> lm-sensors was updated recently for compatibility with the 2.4.27
> kernel update which had an ABI change (DSA 1503). Aurelien Jarno
> discovered that this update had a problem (#475164) that resulted in
> missing binary modules. It is true that sarge is no longer security
> supported, but since this was a regression caused by a security update
> we went ahead and released the fix.
>
> --
> dann frazier

Thanks for the explanation.

--
Regards
Vladislav Kurz
Re: lm-sensors update for sarge
On Mon, May 26, 2008 at 03:56:21PM +0200, Vladislav Kurz wrote:
> Hello all,
>
> A few days ago I was surprised that there is an update for lm-sensors (and
> libsensors3) for sarge. It is available from security.debian.org. I know that
> sarge does not have any security support any more, and there was no DSA about
> lm-sensors this year. So I ask - does anyone know what is going on?

lm-sensors was updated recently for compatibility with the 2.4.27 kernel update which had an ABI change (DSA 1503). Aurelien Jarno discovered that this update had a problem (#475164) that resulted in missing binary modules. It is true that sarge is no longer security supported, but since this was a regression caused by a security update we went ahead and released the fix.

--
dann frazier