Re: Proposal for update of http://debian.org/CD/faq/#verify

2011-01-26 Thread Naja Melan
I just noticed that in HashTab sha256 is not enabled by default, so I would
further add the following sentence to the windows/mac instructions:

"SHA256 is not enabled by default in HashTab, so you will have to
click *options* and enable it."


Török Edwin  wrote:

> What if you already have an older Debian install, or an older Debian CD
> (that you already verified/trust by other means)?
> There should be a chain of trust from the signing keys used on the old CDs
> all the way to the signing key used on the new CD, right?
>
> Is there an easy way to check the signing key, given an older Debian CD?
> (besides booting from it, and checking the new key with gpg)?
>

I have thought about this, but I don't have a Debian box available here to
test that, and so I don't know which keys are available in the keyring. I
thus cannot write instructions for this. Another option I thought about is
that Debian includes itself as a trusted CA in the browsers it ships. That
might allow someone to download a key through https from
https://db.debian.org.

The reason I have not mentioned this is that, as far as I can tell, the CD
signing key is not on there, so it would be indirect: people would have to
download keys from people signing the Debian CD signing key. This would make
the "chain" already quite a bit longer (thus less safe) and would seriously
complicate the instructions and make them less accessible.

If you can cook up good instructions to do such things though, go ahead. A
safe way of downloading from an older Debian box would probably be
worthwhile, even if the initial Debian box has not been downloaded in a safe
way, because it allows people to minimize the potential for tampering to only
the first time ever they download Debian; if an attacker missed that
chance, they would be fine in the future.

greets


Re: [SECURITY] [DSA 2151-1] New OpenOffice.org packages fix several vulnerabilities

2011-01-26 Thread Rene Engelhard
Hi,

On Wed, Jan 26, 2011 at 09:27:05PM +0100, Kurt Roeckx wrote:
> 1:3.2.1-11+squeeze1 has been on security-master for a few days
> now, but it's not visible yet.

It seems it didn't even end up in t-s but directly propagated to t-p-u.
I at least did get the propagation mails, but yes, it doesn't appear in
squeeze-security.

Grüße/Regards,

René
-- 
 .''`.  René Engelhard -- Debian GNU/Linux Developer
 : :' : http://www.debian.org | http://people.debian.org/~rene/
 `. `'  r...@debian.org | GnuPG-Key ID: D03E3E70
   `-   Fingerprint: E12D EA46 7506 70CF A960 801D 0AA0 4571 D03E 3E70


--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110126210409.gk1...@rene-engelhard.de



Re: [SECURITY] [DSA 2151-1] New OpenOffice.org packages fix several vulnerabilities

2011-01-26 Thread Kurt Roeckx
On Wed, Jan 26, 2011 at 07:49:48PM +, Adam D. Barratt wrote:
> On Wed, 2011-01-26 at 19:06 +0100, Kurt Roeckx wrote:
> > On Wed, Jan 26, 2011 at 05:18:12PM +0100, Martin Schulze wrote:
> > > 
> > > For the upcoming stable distribution (squeeze) these problems have
> > > been fixed in version 3.2.1-11+squeeze1.
> > > 
> > > For the unstable distribution (sid) these problems have been fixed in
> > > version 3.2.1-11+squeeze1.
> > 
> > When will those versions be available?
> > 
> > Squeeze and sid have 1:3.2.1-11
> 
> sid has 1:3.2.1-11+squeeze2, at least on amd64 and pending dinstall and
> a mirror push; it's unblocked already so will be in squeeze by the
> weekend assuming it's built / uploaded everywhere in time.

1:3.2.1-11+squeeze1 has been on security-master for a few days
now, but it's not visible yet.


Kurt


Archive: http://lists.debian.org/20110126202705.ga30...@roeckx.be



Re: [SECURITY] [DSA 2151-1] New OpenOffice.org packages fix several vulnerabilities

2011-01-26 Thread Adam D. Barratt
On Wed, 2011-01-26 at 19:06 +0100, Kurt Roeckx wrote:
> On Wed, Jan 26, 2011 at 05:18:12PM +0100, Martin Schulze wrote:
> > 
> > For the upcoming stable distribution (squeeze) these problems have
> > been fixed in version 3.2.1-11+squeeze1.
> > 
> > For the unstable distribution (sid) these problems have been fixed in
> > version 3.2.1-11+squeeze1.
> 
> When will those versions be available?
> 
> Squeeze and sid have 1:3.2.1-11

sid has 1:3.2.1-11+squeeze2, at least on amd64 and pending dinstall and
a mirror push; it's unblocked already so will be in squeeze by the
weekend assuming it's built / uploaded everywhere in time.

Regards,

Adam


Archive: http://lists.debian.org/1296071388.31957.227.ca...@hathi.jungle.funky-badger.org



Re: Proposal for update of http://debian.org/CD/faq/#verify

2011-01-26 Thread Török Edwin

On 01/26/2011 02:04 AM, Naja Melan wrote:
> 3. Could a malicious attacker that feeds me an altered iso image not
> also feed me an altered SHA256SUMS file? Yes, they could! Http is very
> easy to intercept. This is where SHA256SUMS.sign comes in. This file
> is the pgp signature of the SHA256SUMS file. It is signed with the
> Debian CD signing key which can be obtained from
> hkp://keyring.debian.org/ . The transport
> from the keyserver is not secured, and the only way to verify you
> have not been fed a bogus key is through the web of trust if you
> are connected to enough people to make a path to the Debian CD signing
> key.
>
> What should I do if I am not connected through the web of trust?
> There is no easy answer to this.

What if you already have an older Debian install, or an older Debian CD 
(that you already verified/trust by other means)?
There should be a chain of trust from the signing keys used on the old 
CDs all the way to the signing key used on the new CD, right?


Is there an easy way to check the signing key, given an older Debian CD? 
(besides booting from it, and checking the new key with gpg)?


Best regards,
--Edwinb
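A worked version of the flow in the FAQ text quoted above (verify the signature on SHA256SUMS first, only then trust the hash of the image) and of the keyring question in this reply (a keyring carried over from an older, already trusted install). This is an added example, not code from the original posts or from Debian's own tooling; it assumes `gpg` is on PATH and that the caller supplies a keyring file already holding the CD signing key, and which keyring on an older install actually carries that key is exactly the open question in the thread.

```python
import hashlib
import hmac
import subprocess
import tempfile
from pathlib import Path

def parse_sha256sums(text):
    """Parse sha256sum lines ('<hex>  name' or '<hex> *name') into {name: hex}; malformed lines are dropped, not trusted."""
    sums = {}
    for line in text.splitlines():
        digest, _, rest = line.strip().partition(" ")
        name = rest.lstrip(" ").lstrip("*")   # two spaces = text mode, ' *' = binary mode
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest.lower()) and name:
            sums[name] = digest.lower()
    return sums

def iso_matches(iso_path, sums):
    """True only if the ISO's basename is listed and its streamed SHA-256 matches."""
    expected = sums.get(Path(iso_path).name)
    if expected is None:
        return False
    h = hashlib.sha256()
    with open(iso_path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return hmac.compare_digest(h.hexdigest(), expected)

def verify_iso(iso_path, sums_path, sig_path, keyring):
    """FAQ order: SHA256SUMS is only worth reading once SHA256SUMS.sign checks out against
    `keyring` (assumed to already hold the Debian CD signing key, e.g. from an older trusted
    install). gpg exit 0 = good signature; trust in the key comes from the keyring's origin."""
    gpg = subprocess.run(["gpg", "--batch", "--no-default-keyring", "--keyring",
                          str(Path(keyring).resolve()), "--verify", str(sig_path), str(sums_path)],
                         capture_output=True)
    if gpg.returncode != 0:
        return False
    return iso_matches(iso_path, parse_sha256sums(Path(sums_path).read_text()))

def demo_with_constructed_files():
    """Constructed sample, not a real image: returns (good, tampered, unlisted)."""
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d) / "example.iso"
        iso.write_bytes(b"hello")        # sha256(b"hello") is the well-known digest below
        sums = parse_sha256sums(
            "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  example.iso\n")
        good = iso_matches(iso, sums)
        iso.write_bytes(b"hello!")       # one byte appended: must be rejected
        tampered = iso_matches(iso, sums)
        unlisted = iso_matches(Path(d) / "other.iso", sums)  # name not in the list
    return good, tampered, unlisted
```

`demo_with_constructed_files()` exercises only the hash side; `verify_iso` is the full check and needs a real SHA256SUMS.sign and keyring.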


Archive: http://lists.debian.org/4d406b34.7060...@gmail.com



Re: [SECURITY] [DSA 2151-1] New OpenOffice.org packages fix several vulnerabilities

2011-01-26 Thread Kurt Roeckx
On Wed, Jan 26, 2011 at 05:18:12PM +0100, Martin Schulze wrote:
> 
> For the upcoming stable distribution (squeeze) these problems have
> been fixed in version 3.2.1-11+squeeze1.
> 
> For the unstable distribution (sid) these problems have been fixed in
> version 3.2.1-11+squeeze1.

When will those versions be available?

Squeeze and sid have 1:3.2.1-11
squeeze-security has 1:3.1.1-15+squeeze1


Kurt


Archive: http://lists.debian.org/20110126180655.ga22...@roeckx.be