Re: Vulnerable PHP version according to nessus

2011-12-28 Thread Ashley Taylor
Depending on your aim with your www-serv, check out suhosin.org. Some
patches that harden PHP when used in multi-user envs.

Sent from my iPhone

On 28 Dec 2011, at 13:45, Dave Henley  wrote:

 thanks

Dave

> Date: Wed, 28 Dec 2011 15:31:53 +0200
> From: he...@nerv.fi
> To: dhenl...@live.com
> CC: j.andra...@gmail.com; j...@debian.org; debian-security@lists.debian.org
> Subject: Re: Vulnerable PHP version according to nessus
>
> On Wed, Dec 28, 2011 at 12:53:13PM +, Dave Henley wrote:
> > Thanks, I checked the CVEs against the changelogs and approx. 50% is
> > covered.
> > Is there a website of some sort to check what kind of CVEs have been
> > patched?
> > If nessus does not provide a reliable report, what is the best next
> > step to take here?
> > Are there any howtos or tutorials on how to secure a php installation
> > on a debian system?
> > Any suggestions would be very helpful.
>
> Update all software in your www-server. Some useful links:
>
> http://security-tracker.debian.org/tracker/
> http://www.debian.org/doc/manuals/securing-debian-howto/
>
> - Henri Salo


Re: tonight

2011-11-29 Thread Ashley Taylor
On Tue, Nov 29, 2011 at 9:02 PM, Joe Bouchard  wrote:

> I'm going to give Jim Drake a ride to Biddeford to pick up his Jeep which
> is getting a new windshield.  I expect to be home by 6.  It it looks like
> we are running late I will call.
>
> Thank you,
>
> Joe Bouchard
> Factory Automation Engineer
> and Unix Support
> CSC/P&W North Berwick, Maine
> Phone: (207)676-4100 x2255
>



Hi Joe,

Thanks for letting us know. I will sit by the phone just in case you call.

Drive carefully tonight and if you get hungry make sure you stop for a KFC
or something else that's quick and easy with high protein.

Thanks,

Ash


Re: crappy mouse patch from security perspective

2011-01-09 Thread Ashley Taylor
Hi,

If you are too paranoid to accept someone's help after you've submitted a
bug, then perhaps buying a new mouse might be the easiest option for you,
considering you're already aware of the hardware you're using as being
pretty sub-par.

Mice are cheap these days, unless you want an all-singing and all-dancing
one with 6000dpi and flashing lights etc.

The code he has submitted doesn't contain any "rm -f /" or try to make
connections to the Internet, so it's pretty safe. It may not be the most
fantastic code ever written, but if it fixes your problem then what's the
issue?

Ashley

2011/1/9 shirish शिरीष 

> Hi all,
> I'm no programmer and nor technically too advanced. Hence
> looking for people's guidance.
>
>   I have a mouse which is crappy and for which I had filed a bug
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607242
>
> A gentleman, Mr. Jim Hill pursued the bug and posted a patch for the
> same which he seems to also have put up upstream.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607242#107
>
> He has asked me to try a new kernel and patch it with the above patch.
>
> While I'm quite sure that Mr. Jim Hill has the noblest of intentions
> otherwise he wouldn't have put the code in public domain on a bug.
>
> But as I'm not a programmer, I would like the debian community to
> take a look at that, see if there are any inadvertent goof-ups or
> anything before I take the plunge of applying the patch.
>
> Looking forward to guidance.
> --
>   Regards,
>   Shirish Agarwal  शिरीष अग्रवाल
>   My quotes in this email licensed under CC 3.0
> http://creativecommons.org/licenses/by-nc/3.0/
> http://flossexperiences.wordpress.com
> 065C 6D79 A68C E7EA 52B3  8D70 950D 53FB 729A 8B17
>
>
> --
> To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmas...@lists.debian.org
> Archive:
> http://lists.debian.org/aanlktikcuj8lazkg0s25wyporanjvae7bh9o2v6o...@mail.gmail.com
>
>


Re: Lenny version info

2010-12-15 Thread Ashley Taylor
tl;dr

stfu and stop replying to this chain. This is debian-security, not
debian-childish-trolling.

My email earlier was to give a hint on where this was heading, and yet it
continues. If you have a problem with the way I handle my email, I'd rather
you'd reply personally to me rather than dragging the whole mailing list
into it.

On Wed, Dec 15, 2010 at 3:52 PM, John Keimel  wrote:

> On Wed, Dec 15, 2010 at 7:10 AM, Ashley Taylor 
> wrote:
> > Sorry, this is the way Gmail handles replies.
> >
>
> No, it's the way YOU handle replies. Gmail happens to place the cursor
> at the top of the email, setting you up for a jeopardy reply. It's
> trivial to scroll down a little and type within the message in the
> proper location and avoid top-posting.
>
> I know this is the case because I'm doing it right now. And I even
> managed to delete the extraneous text that doesn't pertain to the
> conversation. Don't blame gmail for your laziness.
>
> > I hope it's annoying for you like these pointless e-peen stroking bitch
> > replies are agitating me (and yes, this is one of those replies).
>
> I don't do it because it's annoying to you, that's just an added bonus.
>
> Since the thread has already devolved and because anyone with a decent
> email client who doesn't want to see the thread continue has marked it
> dead, I thought that it wouldn't matter too much to reply and add to
> it. Match on a bonfire, as it were.
>
> I'd much rather see security discussions on this list, rather than
> having to educate people in the ways of how the intarwebs works, how
> to google and how to write a proper reply on a technical mailing list.
>
> Cheers!
>
> j
>


Re: Lenny version info

2010-12-15 Thread Ashley Taylor
Sorry, this is the way Gmail handles replies.

I hope it's annoying for you like these pointless e-peen stroking bitch
replies are agitating me (and yes, this is one of those replies).

On Wed, Dec 15, 2010 at 12:00 PM, John Keimel  wrote:

> On Wed, Dec 15, 2010 at 6:49 AM, Ashley Taylor 
> wrote:
> > Hi,
> >
> > Does anyone have any decent filter rules for Gmail so I can stop
> receiving
> > this nonsense without unsubscribing?
> > Thanks.
>
> http://tinyurl.com/2b3g2l4
>
> Also, since you need it:
>
> http://tinyurl.com/ybpctcz
>
> Please particularly note items on "jeopardy reply" or "Top posting"
> and "trimming".
>
>
> j
>


Re: Lenny version info

2010-12-15 Thread Ashley Taylor
Hi,

Does anyone have any decent filter rules for Gmail so I can stop receiving
this nonsense without unsubscribing?

Thanks.

On Wed, Dec 15, 2010 at 9:13 AM, Davide Mirtillo  wrote:

> Il 15/12/2010 08:46, Dörfler Andreas ha scritto:
> >
> >
> > To the rest of you, what is wrong with you?
> > If you don't want to help, don't. Stop wasting time. Did it ever occur to
> you that not everyone out there likes using a search engine? I was directed
> to debian-security by an ex-colleague since one of our servers uses debian.
> So I used it to ask a question that wasn't exactly related to security
> (although if you must know, it stemmed from another discussion on
> debian-security that did relate to security and one of my concerns was the
> version number of my system). So what? The responses I've received from you
> make me feel like I've committed a crime against humanity!
> > 
> >
> > dear ash,
> >
> > well, isn't that a basic problem inside the web community?
> > i see it nearly every day:
> >
> > "use google"
> > "use the search function"
> > "my parents failed at breeding, and my education stopped since
> kindergarten"
> >
> > ppl out there so damn bored about their daily life, they have nothing
> better to do than to troll and flame others because of a "stupid question"
> (there are no stupid questions (mostly), only stupid answers) - that way
> they can prove their supreme intelligence (<- that's sarcasm, google wiki for
> it ... ).
> >
> > i tell my "real life" friends to google for problems from time to time
> too, but that's because they are just too lazy (mostly windows users ;-)).
> >
> > i think it's ok to tell ppl to use google, but at the same time: tell
> them the answer to their questions too.
> > search engines are based on search tags, when someone searches with the
> "wrong" words, it can take hours to find an answer.
> >
> > maybe i will ask a "stupid apache question" this week, be ready for
> impact!
>
> Please, stop crying about it. I hate people who do that. They're either
> fundamentally lazy or just 13 years old kids who like to troll on the
> internet.
>
> I'll go ahead and explain to you why giving you an answer to such a
> simple question has generated some harsh responses, by quoting one of
> the most useful how-to that i've come across:
> >
> > Before asking a technical question by e-mail, or in a newsgroup, or on a
> website chat board, do the following:
> >
> > 1. Try to find an answer by searching the archives of the forum you
> plan to post to.
> > 2. Try to find an answer by searching the Web.
> > 3. Try to find an answer by reading the manual.
> > 4. Try to find an answer by reading a FAQ.
> > 5. Try to find an answer by inspection or experimentation.
> > 6. Try to find an answer by asking a skilled friend.
> > 7. If you're a programmer, try to find an answer by reading the source
> code.
> >
> > When you ask your question, display the fact that you have done these
> things first; this will help establish that you're not being a lazy sponge
> and wasting people's time. Better yet, display what you have learned from
> doing these things. We like answering questions for people who have
> demonstrated they can learn from the answers.
> >
> > Use tactics like doing a Google search on the text of whatever error
> message you get (searching Google groups as well as Web pages). This might
> well take you straight to fix documentation or a mailing list thread
> answering your question. Even if it doesn't, saying “I googled on the
> following phrase but didn't get anything that looked promising” is a good
> thing to do in e-mail or news postings requesting help, if only because it
> records what searches won't help. It will also help to direct other people
> with similar problems to your thread by linking the search terms to what
> will hopefully be your problem and resolution thread.
> >
> > Take your time. Do not expect to be able to solve a complicated problem
> with a few seconds of Googling. Read and understand the FAQs, sit back,
> relax and give the problem some thought before approaching experts. Trust
> us, they will be able to tell from your questions how much reading and
> thinking you did, and will be more willing to help if you come prepared.
> Don't instantly fire your whole arsenal of questions just because your first
> search turned up no answers (or too many).
> >
> > Prepare your question. Think it through. Hasty-sounding questions get
> hasty answers, or none at all. The more you do to demonstrate that having
> put thought and effort into solving your problem before seeking help, the
> more likely you are to actually get help.
> >
> > Beware of asking the wrong question. If you ask one that is based on
> faulty assumptions, J. Random Hacker is quite likely to reply with a
> uselessly literal answer while thinking “Stupid question...”, and hoping the
> experience of getting what you asked for rather than what you needed will
> teach you a

Re: scans in my hosts. (Debian 5.0 and Apache 2.2.9)

2010-07-29 Thread Ashley Taylor
If your phpMyAdmin installations are safe and protected and you wish to
remove these from your log files for vanity reasons, please see this guide
with a cool fail2ban config that should help you:
http://foosel.org/blog/2008/04/banning_phpmyadmin_bots_using_fail2ban

Ash.

On Thu, Jul 29, 2010 at 3:49 PM, Sjors Gielen wrote:

>
> Op 29 jul 2010, om 16:34 heeft OLCESE, Marcelo Oscar. het volgende
> geschreven:
>
> > Estimated:
> > I am taking these scans in my hosts. (Debian 5.0 and Apache 2.2.9)
> > This has been repeating since a  weeks.
> > Know what can be? What can I do to eliminate?
> >
> > Thanks.
> >
> > Marcelo Olcese.
>
> Someone is scanning your system for vulnerable PHPMyAdmin installations,
> and other possibly vulnerable stuff. As long as you watch your PHPMyAdmin
> installations if you have any and make sure nobody can abuse them, nothing's
> wrong. Try, for example, requiring http authentication to access the
> directories, or turning off your webserver if you didn't need it anyway.
>
> Sjors
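The fail2ban approach Ash points to, as an added illustration that is not the linked guide's config nor anything from the thread: a phpMyAdmin-probe filter with fail2ban's maxretry/findtime semantics, run over constructed Apache log lines. The probe paths, the 404-only rule (so a real admin behind HTTP auth, who gets 401/200, is never banned) and the thresholds are my assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache combined-log sample (not real traffic from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jul/2010:15:01:02 +0200] "GET /phpmyadmin/ HTTP/1.1" 404 289 "-" "-"
203.0.113.7 - - [29/Jul/2010:15:01:03 +0200] "GET /phpMyAdmin-2.11.9/ HTTP/1.1" 404 289 "-" "-"
203.0.113.7 - - [29/Jul/2010:15:01:04 +0200] "GET /pma/ HTTP/1.1" 404 281 "-" "-"
198.51.100.2 - - [29/Jul/2010:15:02:10 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "-"
198.51.100.2 - - [29/Jul/2010:15:02:11 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 512 "-" "-"
203.0.113.7 - - [29/Jul/2010:16:30:00 +0200] "GET /myadmin/ HTTP/1.1" 404 281 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Directory names a phpMyAdmin scanner typically probes (assumed list);
# versioned dirs such as /phpMyAdmin-2.11.9/ match as well.
PROBE_PATH = re.compile(r'/(?:phpmyadmin|pma|myadmin|mysqladmin)[^/]*(?:/|$)', re.IGNORECASE)

def is_probe(line):
    """Return (ip, timestamp) for a 404 hit on a phpMyAdmin-style path, else None.
    Only 404s count: a legitimate admin behind HTTP auth produces 401/200, never 404."""
    m = LOG_RE.match(line)
    if not m or m.group('status') != '404' or not PROBE_PATH.search(m.group('path')):
        return None
    return m.group('ip'), datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')

def ips_to_ban(log_text, maxretry=3, findtime=600):
    """fail2ban-style sliding window: an IP is banned once it produces `maxretry`
    probes within `findtime` seconds. Returns {ip: timestamp at which the threshold was hit}."""
    recent = defaultdict(deque)   # ip -> timestamps of probes still inside the window
    bans = {}
    for line in log_text.splitlines():
        hit = is_probe(line)
        if hit is None:
            continue
        ip, ts = hit
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:   # drop probes older than findtime
            window.popleft()
        if len(window) >= maxretry and ip not in bans:
            bans[ip] = ts
    return bans

if __name__ == '__main__':
    for ip, when in ips_to_ban(SAMPLE_LOG).items():
        print(f'ban {ip} (threshold reached at {when:%H:%M:%S})')
```

The lone 16:30 probe from the same host falls outside the 600 s window, so it does not by itself trigger a second ban; in a real jail the earlier ban would already be in effect.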


Re: ... FLAME WAR... invalid: BADSIG 9AA38DCD55BE302B Debian Archive

2010-07-05 Thread Ashley Taylor
Why isn't all this nonsense being treated as spam?

On 5 Jul 2010, at 01:23, Don Gould  wrote:

> Man what a load of crap on this list this morning!
>
> aa.  I never get spam in my debian folder because I run two spam filters of 
> my own.  Come on, we have to give some of the job to the user as well as the 
> server.
>
> bb.  A week ago I asked about a real problem that I'm having and got nothing 
> on two lists and the forum.
>
> How about putting some effort into stuff that helps users truck on rather 
> than a flame about stupid spam?!
>
> Cheers Don
>
> On 5/07/2010 12:13 p.m., Jim Popovitch wrote:
>> On Sun, Jul 4, 2010 at 20:08, Russ Allbery  wrote:
>>> Jim Popovitch  writes:
>>>> On Sun, Jul 4, 2010 at 19:31, Stephen Gran  wrote:
>>>
>>>>> No, Russ implied that reality occasionally intrudes on fantasies of
>>>>> spam-free inboxes.
>>>
>>>> Russ stated:
>>>
>>>>> It's unlikely to get substantially better than it is (I believe
>>>>> we're already rejecting something like 95% of the incoming mail), so
>>>>> if it's still not good enough for you, you should probably consider
>>>>> unsubscribing.
>>>
>>>> I believe that 99% is achievable, and I believe his final
>>>> "unsubscribe" sentence is akin to walking away from the problem.
>>>
>>> Rejecting 99% of the incoming mail would be very bad if 5% of the incoming
>>> mail were legitimate.  I meant exactly what I said: Debian rejects
>>> something like 95% of the incoming mail to the mailing lists according to
>>> the latest message from the listmasters.  If I'd meant that we reject 95%
>>> of the *spam*, I would have said that.
>>
>> Well, there are two ways to read what you originally wrote, and since
>> the thread discussion was on rejecting spam I took your 95% statement
>> to mean d.o was blocking 95% of spam.  I believe d.o can (and should)
>> attempt to block 100% of spam.
>>
>> You did say the part about "unsubscribe".
>>
>> -Jim P.
>>
>>
>
>

