Re: [SECURITY] [DSA 1981-1] New maildrop packages fix privilege escalation

2010-01-28 Thread Steffen Joeris
On Thu, 28 Jan 2010 10:40:06 pm Willi Mann wrote:
> Hi!
> 
> Did anybody check whether courier-maildrop is also affected by this
> issue? This should be the same codebase (same author), except maybe some
> different compile time options / different version.
courier-maildrop is not vulnerable to this issue as it sets certain variables 
that trigger the right code.

Cheers
Steffen




Re: On publishing/announcing end of security support

2010-01-28 Thread Hideki Yamane
On Wed, 20 Jan 2010 23:22:04 +0100
Alexander Reichle-Schmehl  wrote:
> >> Security Support for Debian GNU/Linux 4.0 to be discontinued on
> >> February 15th
> > The website doesn't support publishing package-less DSA (or it will
> > looks *very* ugly).
> > 
> > Though such announce could be sent to both debian-announce and
> > -security-announce, I guess it doesn't need a DSA number since it's not
> > related to any vuln.
> 
> Yes it should be announced on -announce, too.  This was originally
> scheduled to be done this weekend.  Don't know why it has already been
> sent out...
> 
> I'll send it to -announce tomorrow and will add it to the webpage.

So, DSA-1975 web page will not appear? Anyway, it should be there, I think.


-- 
Regards,

 Hideki Yamane henrich @ debian.or.jp/iijmio-mail.jp
 http://wiki.debian.org/HidekiYamane


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Re: [SECURITY] [DSA 1981-1] New maildrop packages fix privilege escalation

2010-01-28 Thread Willi Mann
Hi!

Did anybody check whether courier-maildrop is also affected by this
issue? This should be the same codebase (same author), except maybe some
different compile time options / different version.

WM





RFH: ia32-libs security update

2010-01-28 Thread Goswin von Brederlow
Hi,

I've prepared an ia32-libs update [1] meant for the pending Lenny point
release but was too slow and missed the cut. Given the number of
security fixes

   * Includes security fixes for:
 CVE-2008-3529 CVE-2008-3639 CVE-2008-3640 CVE-2008-3641 CVE-2008-3834
 CVE-2008-3964 CVE-2008-4225 CVE-2008-4226 CVE-2008-4311 CVE-2008-4311
 CVE-2008-4989 CVE-2008-5077 CVE-2008-5286 CVE-2008-5824 CVE-2008-5907
 CVE-2009-0040 CVE-2009-0163 CVE-2009-0581 CVE-2009-0590 CVE-2009-0688
 CVE-2009-0723 CVE-2009-0733 CVE-2009-0844 CVE-2009-0845 CVE-2009-0846
 CVE-2009-0847 CVE-2009-0887 CVE-2009-0946 CVE-2009-1189 CVE-2009-1364
 CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-1386 CVE-2009-1894
 CVE-2009-2285 CVE-2009-2347 CVE-2009-2347 CVE-2009-2409 CVE-2009-2414
 CVE-2009-2625 CVE-2009-2730 CVE-2009-2820 CVE-2009-3560 CVE-2009-3560
 CVE-2009-3720 CVE-2009-3736 CVE-2009-4212 CVE-2009-4355 CVE-2010-0015
 STR #2911 STR #2974 STR #2918 STR #2919 STR #2966
 GNUTLS-SA-2008-3 GNUTLS-SA-2009-4
 MIT-KRB5-SA-2009-004 MITKRB5-SA-2009-0001 MITKRB5-SA-2009-002

I wanted to let you know about it. It might be a good idea to add this
to security.debian.org. The package has been uploaded (src + amd64 +
ia64) to stable-proposed-updates and source is always available on
mentors.d.n[2].

MfG
Goswin

[1] http://lists.debian.org/debian-release/2010/01/msg00271.html
[2] http://mentors.debian.net/debian/pool/main/i/ia32-libs/





Re: [SECURITY] [DSA 1981-1] New maildrop packages fix privilege escalation

2010-01-28 Thread Steffen Joeris
On Thu, 28 Jan 2010 02:27:38 pm Konstantin Filtschew wrote:
> The behavior of the etch package changed too. Do not install the package
> on production systems yet.
> 
> 
> The limit in /etc/postfix/main.cf stopped working:
> maildrop_destination_recipient_limit= 1
> 
> Almost all E-Mails are rejected and senders get errors like this:
> 
> : user unknown. Command output: ERR: authdaemon:
> s_connect() failed: Permission denied Invalid user specified.
> 
> I've tried to change the permission for common files, but this won't fix
> the problem. Something is wrong with the behavior compared to the previous
> version.
I can't really see the problem so far, are you sure that downgrading to
2.0.2-11 fixes the issue? To downgrade just use:
'apt-get install --reinstall maildrop=2.0.2-11'

I've checked the differences between the versions again and there aren't any
build-time breakages. As already suggested via private mail, please feel free
to ping me on IRC or answer in private for debugging.

Cheers
Steffen




Re: [SECURITY] [DSA 1981-1] New maildrop packages fix privilege escalation

2010-01-28 Thread Steffen Joeris
On Thu, 28 Jan 2010 01:10:19 pm Antti-Juhani Kaijanaho wrote:
> On Thu, Jan 28, 2010 at 12:37:52PM +0100, Steffen Joeris wrote:
> > For the stable distribution (lenny), this problem has been fixed in
> > version 2.0.4-3+lenny1.
> 
> This update appears to have dropped the hard dependency on courier-authlib.
>   As a result, mail starts bouncing.
Discussed with Antti-Juhani and the issue is caused by #554788.
New packages that add the dependency are in preparation.

Cheers
Steffen




Re: [SECURITY] [DSA 1981-1] New maildrop packages fix privilege escalation

2010-01-28 Thread Konstantin Filtschew

The behavior of the etch package changed too. Do not install the package
on production systems yet.


The limit in /etc/postfix/main.cf stopped working:
maildrop_destination_recipient_limit= 1

Almost all E-Mails are rejected and senders get errors like this:

: user unknown. Command output: ERR: authdaemon:
s_connect() failed: Permission denied Invalid user specified.

I've tried to change the permission for common files, but this won't fix
the problem. Something is wrong with the behavior compared to the previous
version.



On Thu, 2010-01-28 at 14:10 +0200, Antti-Juhani Kaijanaho wrote:
> On Thu, Jan 28, 2010 at 12:37:52PM +0100, Steffen Joeris wrote:
> > For the stable distribution (lenny), this problem has been fixed in
> > version 2.0.4-3+lenny1.
> 
> This update appears to have dropped the hard dependency on courier-authlib.
> As a result, mail starts bouncing.
> 


-- 
Building an operation system without source code,
is like buying a self assemble space shuttle
without instructions.




Re: [SECURITY] [DSA 1981-1] New maildrop packages fix privilege escalation

2010-01-28 Thread Antti-Juhani Kaijanaho
On Thu, Jan 28, 2010 at 12:37:52PM +0100, Steffen Joeris wrote:
> For the stable distribution (lenny), this problem has been fixed in
> version 2.0.4-3+lenny1.

This update appears to have dropped the hard dependency on courier-authlib.  As
a result, mail starts bouncing.

-- 
Antti-Juhani Kaijanaho, Jyväskylä, Finland
http://antti-juhani.kaijanaho.fi/newblog/
http://www.flickr.com/photos/antti-juhani/

