Re: Wrong checksum on security.debian.org Squeeze source?
On Mon, Apr 25, 2011 at 11:19:25AM +0200, Yves-Alexis Perez wrote:
> W: Failed to fetch
> http://security.debian.org/dists/squeeze/updates/main/binary-amd64/Packages.bz2
> Hash Sum mismatch

Agreed. I see http://security.debian.org/dists/squeeze/updates/Release.new with a timestamp more like Packages.bz2; the Release and Release.gpg files have timestamps eight hours or so earlier. It looks to me as if the archive run was interrupted part-way through, or failed.

CCing ftpmaster.

--
Colin Watson [cjwat...@debian.org]

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110425092704.ga20...@master.debian.org
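As an added illustration, not part of the thread, of what apt is checking when it reports "Hash Sum mismatch": the Release file carries a checksum and size for every index under it, and a Release left over from an earlier, completed archive run will not match a Packages.bz2 published by a later, interrupted one. The Release body and index bytes below are constructed samples, and `INDEX_PATH` mirrors the path quoted above.

```python
import hashlib

# Constructed sample: the bytes of one fetched index file. In the thread the
# file is main/binary-amd64/Packages.bz2 under dists/squeeze/updates/.
INDEX_PATH = "main/binary-amd64/Packages.bz2"
INDEX_DATA = b"constructed stand-in for Packages.bz2 contents\n"

# Release checksum section names mapped to hashlib algorithm names.
SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def make_release(entries, algo="SHA256"):
    """Build a minimal Release body listing the given {path: data} (constructed)."""
    lines = ["Suite: squeeze", "Codename: squeeze", algo + ":"]
    for path, data in entries.items():
        digest = hashlib.new(SECTIONS[algo], data).hexdigest()
        lines.append(" %s %8d %s" % (digest, len(data), path))
    return "\n".join(lines) + "\n"

def parse_release_hashes(text, algo="SHA256"):
    """Return {path: (hexdigest, size)} from one checksum section of a Release file."""
    hashes, in_section = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):          # a new field starts; is it our section?
            in_section = line.rstrip(":") == algo
            continue
        if in_section:
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes

def verify_index(release, path, data, algo="SHA256"):
    """Check a fetched index against Release; the failing case is apt's 'Hash Sum mismatch'."""
    expected = parse_release_hashes(release, algo).get(path)
    if expected is None:
        return "missing from Release"
    digest, size = expected
    actual = hashlib.new(SECTIONS[algo], data).hexdigest()
    return "ok" if (len(data), actual) == (size, digest) else "Hash Sum mismatch"

if __name__ == "__main__":
    # Release from the earlier, completed run still lists the old index, while
    # Release.new (left behind by the interrupted run) matches the new one.
    old_release = make_release({INDEX_PATH: b"previous day's index\n"})
    new_release = make_release({INDEX_PATH: INDEX_DATA})
    print("Release     :", verify_index(old_release, INDEX_PATH, INDEX_DATA))
    print("Release.new :", verify_index(new_release, INDEX_PATH, INDEX_DATA))
```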
Re: zip sarge's package vulnerable to CAN-2004-1010
On Fri, Nov 26, 2004 at 05:21:03PM -0200, Otavio Salvador wrote:
> Current CAN-2004-1010 was fixed on zip 2.30-8 but the current sarge
> version is still vulnerable. This package needs to be included on sarge to
> solve it.

zip 2.30-8 is already in sarge:

  zip | 2.30-8 | testing  | source, alpha, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390, sparc
  zip | 2.30-8 | unstable | source, alpha, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390, sparc

Cheers,

--
Colin Watson [EMAIL PROTECTED]
Re: [d-security] Re: ssh vulnerability in the wild
On Tue, Sep 16, 2003 at 09:51:43PM +0200, Matthias Merz wrote:
> So only one problem remains: The version in woody-proposed-updates is
> 1:3.4p1-1.woody.1 which is "newer" than the patched version. So I had to
> manually "downgrade" my proposed-updates-version to get the fix.
> (apt-get dist-upgrade didn't show any packages to upgrade)
> When will there be a "new" version in proposed-updates for apt-getting
> the fix?

This will be sorted out soon: I believe the next version in security will include the changes in proposed-updates and so will have a higher version number.

--
Colin Watson [EMAIL PROTECTED]
Re: [d-security] Re: ssh vulnerability in the wild
On Tue, Sep 16, 2003 at 01:10:34PM -0400, Dossy wrote:
> On 2003.09.16, Christian Hammers <[EMAIL PROTECTED]> wrote:
> > The new version has already been installed. This was quick. Good work,
> > security team.
> >
> > openssh (1:3.4p1-1.1) stable-security; urgency=high
> >
> >   * NMU by the security team.
> >   * Merge patch from OpenBSD to fix a security problem in buffer handling
> >
> >  -- Wichert Akkerman <[EMAIL PROTECTED]>  Tue, 16 Sep 2003 13:06:31 +0200
>
> Is 3.6.1p2-3 vulnerable? For those of us who want security, must we
> downgrade to 3.4p1-1.1 or build from source after patching by hand? Or
> will this security fix be applied to sarge as well?

It's not routine practice, but assuming glibc doesn't suddenly get fixed in the next couple of days, I expect to upload a fixed openssh to testing-proposed-updates once the dust settles. That should be able to get into testing fairly quickly.

--
Colin Watson [EMAIL PROTECTED]
Re: OpenSSH
On Wed, Sep 03, 2003 at 11:20:45AM +0200, Matthias Faulstich wrote:
> Hello,
>
> does anybody know, whether the chroot-patch will be included in future
> versions of the official ssh package?

Very unlikely unless you get it accepted by upstream. Doing this is the right thing to do anyway.

--
Colin Watson [EMAIL PROTECTED]
Re: sshd, pam and expired passwords
On Fri, Sep 12, 2003 at 03:47:32PM +0300, Juha Jäykkä wrote:
> It seems I have managed to hit the ages-old problem of not being able to
> enforce changing of expired passwords when logging in via ssh.
>
> This problem existed years ago in potato but I cannot seem to find any
> mention of its existence or non-existence in woody. What is the situation
> at the moment?

As far as I know it is not possible to do this in any of stable, testing, and unstable at the moment. OpenSSH 3.7 should fix it.

--
Colin Watson [EMAIL PROTECTED]
Re: Man-db problem
On Fri, Aug 15, 2003 at 07:34:33AM +0200, Per Tenggren wrote:
> I updated my Woody a few days ago and every night I receive the following
> mail from Cron:
>
> Subject:
> Cron <[EMAIL PROTECTED]> test -e /usr/sbin/anacron || run-parts --report /etc/cron.daily
>
> Message:
> run-parts: /etc/cron.daily/man-db exited with return code 3

This was reported a few days ago and is being fixed (second try ...).

By the way, in future please always give the version number of the package in which you're reporting a problem. If I didn't already know that 2.3.20-18.woody.3 still had problems I would have assumed that you were talking about 2.3.20-18.woody.2 and probably discounted your mail. Also, you might want to mail the maintainer rather than a mailing list.

Cheers,

--
Colin Watson (man-db maintainer) [EMAIL PROTECTED]
Re: -changes/PTS -style notification
On Wed, Oct 16, 2002 at 05:07:06PM -0500, Nathan A. Ferch wrote:
> is there a means to receive email notifications of security-related
> packages in the same format as the -changes mailing lists or the emails
> that the PTS sends out? or is this not possible due to the way that the
> security archive is managed?

PTS mails are per-source-package, so that isn't possible unless it's only a few specific packages you're interested in.

-changes ... well, there's debian-changes@lists.debian.org which receives notices of stable uploads, but I don't recall offhand whether security uploads are always pushed into the main proposed-updates archive quickly enough for this to be what you want. Maybe somebody could confirm or deny.

--
Colin Watson [EMAIL PROTECTED]
Re: mutt security update
On Wed, Jan 02, 2002 at 01:38:09PM +0100, Marco d'Itri wrote:
> On Jan 02, Patrick Hsieh <[EMAIL PROTECTED]> wrote:
> > There is a security announcement of mutt at
> > http://marc.theaimsgroup.com/?l=mutt-users&m=100991780311807&w=2
> >
> > Is there new mutt update .deb package available?
>
> Yes.
> Next time please at least look at incoming before bothering hundred of
> developers.

Since non-US incoming isn't readable to non-developers that's rather unfair.

--
Colin Watson [EMAIL PROTECTED]
Re: Does Debian need to enforce a better Security policy for packages?
On Mon, Oct 22, 2001 at 06:46:19PM +0200, Javier Fernández-Sanguino Peña wrote:
> I just made an empty package with dh_make with only a postinst
> having 'rm -rf /'. Lintian says:
>
> $ lintian test-rm*deb
> E: test-rm: description-is-dh_make-template
> E: test-rm: helper-templates-in-copyright
> W: test-rm: readme-debian-is-debmake-template
> W: test-rm: unknown-section unknown

Lintian only checks for mistakes. If you make it try to check for maliciousness, then the malicious packager will just make his/her trojan more obscure to foil it - thus making it harder for the casual observer to tell that there's a trojan there.

This is a social problem. I don't think a purely technical solution is appropriate.

--
Colin Watson [EMAIL PROTECTED]
Re: Questions regarding the Security Secretary Position
On Mon, Oct 22, 2001 at 08:23:24AM -0600, John Galt wrote:
> On Mon, 22 Oct 2001, Colin Phipps wrote:
> > The "barriers" to becoming a developer are mainly commitment to the
> > project and to the social contract, both of which should be
> > requirements for any security secretary. It doesn't imply package
> > maintenance (IIRC).
>
> Actually, it does.

No. *Most* developers maintain packages, sure, but they don't have to.

http://nm.debian.org/newnm.html (I think that's the URL, I'm looking at it in CVS because pandora seems inaccessible):

  If you intend to package software, do you have a Debian package you have
  adopted or created ready to show your AM? And if you intend to do other
  things (e.g. port Debian to other architectures, help with documentation,
  Quality Assurance or Security), do you have experience in those things
  which you can tell your AM about?

--
Colin Watson [EMAIL PROTECTED]