Security status of orphaned woody packages when upgraded to sarge?
What happens with people who upgrade from woody to sarge and have packages in woody that are no longer in the archive, wrt security? EG: libnss-pgsql

The problem I see is that there is no warning that the package no longer exists, and it could potentially have security problems that go unnoticed even if you check Debian security advisories diligently.

-- 
David Stanaway [EMAIL PROTECTED]

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Providing secure file access on a colo-server
On Fri, 2004-10-08 at 07:54 +0200, Sels, Roger wrote:
> Hello Marcus,
> I'd recommend sticking to scp, as you can give your users winscp. Its interface resembles major ftp clients out there and is very intuitive, so they should not have any issues using it.

On Windows, there is a semi-decent free *ftp client called FileZilla which supports sftp. It shouldn't take much to offer that for download with some screen shots etc. DAV access, on the other hand, I am not sure about.

-- 
David Stanaway [EMAIL PROTECTED]
Re: telnetd vulnerability from BUGTRAQ
On Sun, 2004-09-26 at 18:58 -0600, s. keeling wrote:
> No-one should have to apologise for warning against bad security practices. $DEITY knows the Windows crowd doesn't care about it, but we're better than that, right? One unpatched Microsh*t box in your LAN, and one nitwit using IE, and your whole network is owned. It would be irresponsible not to warn others about it. If/when they get in, they can also get a sniffer in. If you're running telnet, you're fooling yourself. If you're using ssh ubiquitously, that's yet another vector closed to them.
>
> I don't have a lot of patience for those who think, "Yes, we know the risks, but we'd rather not change." Evolution in action, indeed.

This kind of attitude is not very productive. Some people still need telnet. So it should be patched; otherwise it should be removed from the archive. End of discussion.

-- 
David Stanaway [EMAIL PROTECTED]
CERT advisory on various mozilla components. Is Debian affected?
Hi,

I just got a CERT alert [1] about a number of issues with mozilla, firefox, and thunderbird.

[1] http://www.us-cert.gov/cas/alerts/SA04-261A.html

Are we affected?

-- 
David Stanaway [EMAIL PROTECTED]
Re: Patches that break stuff
On Fri, 2004-07-09 at 10:55 -0400, Noah Meyerhans wrote:
> On Fri, Jul 09, 2004 at 10:53:01AM -0400, Robert Brockway wrote:
> > Are any hard stats available on how many Debian package upgrades have had to be replaced because they broke something? I'm thinking the total number of broken updates in 2.2 and 3.0 is 0 plus or minus 1 :)
>
> It's definitely greater than 0. In recent memory (earlier this year), we released a kernel image package that didn't contain any modules. Naturally it was fixed quickly, but I'm sure it led to at least a couple of unbootable systems.

Check through the DSA advisories for revisions like -2/-3 etc. Some of the updates did not fix the bug in the initial release, eg: DSA 460-2. I have never had a problem with a broken DSA update though. The problem with 479-1 would have been a problem for some people, however.

-- 
David Stanaway [EMAIL PROTECTED]
Unusual spam recently
Hi,

Has anyone else been receiving unusual spam recently which contains no content? Is this some spam engine checking MTAs to see if the addresses are accepted? Here is an example:

    Return-Path: [EMAIL PROTECTED]
    X-Original-To: [EMAIL PROTECTED]
    Delivered-To: [EMAIL PROTECTED]
    Received: from host-69-145-228-124.client.bresnan.net (unknown [69.145.228.124])
        by david.dialmex.net (Postfix) with SMTP id CF733146132E
        for [EMAIL PROTECTED]; Thu, 3 Jun 2004 09:31:35 -0500 (CDT)
    X-Message-Info: 8+ggs369/bIdvoHulUPnaKEY41Q[1
    Message-Id: [EMAIL PROTECTED]
    Date: Thu, 3 Jun 2004 09:31:35 -0500 (CDT)
    From: [EMAIL PROTECTED]
    To: undisclosed-recipients:;
    X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on dmxnocws13.dialmex.net
    X-Spam-Level:
    X-Spam-Status: No, hits=4.8 required=5.0 tests=BAYES_80,MSGID_FROM_MTA_SHORT,
        NO_REAL_NAME autolearn=no version=2.63
    X-Evolution-Source: imap://[EMAIL PROTECTED]/
    Subject: No Subject
    Mime-Version: 1.0

-- 
David Stanaway [EMAIL PROTECTED]
Re: Unusual spam recently - hummm - postprocess
On Jun 3, 2004, at 3:07 PM, Alvin Oga wrote:
> post processing is for the birds in my limited world of 10,000+ mails per day ... most of which are spam
>
> - the original post's spam assassin didn't reject the incoming spam to undisclosed recipient
> - once they validate the email addy is good, you're promptly added to a new more expensive spam list
> - receiving spam is a bad thing

My mail system has a number of users, and I prefer to let the recipient decide what is spam.

The question was really about the empty spams that are showing up in the last month or so, and what they are intended for. Whether it was a prelude to an MTA-exploiting worm strike, or just spammers assessing the value of their spam lists before using them to deliver their spamloads.

My content filtering mostly works. It catches over 99% of spam and I have only had 1 false positive, and I think I will stick with it.

Some list servers such as yahoogroups (May it rot in pieces) have the annoying behavior of deactivating your subscription on hard bounces from MTAs, so whenever a list I am subscribed to with lax attachment policies gets a worm, and I hard bounce it with mime-header-checks, I get deactivated. So this is just one example of hard bouncing spam not being a great system-wide policy right now (Unless you don't like your users :P).
Re: XFree86 4.2 bug in Debian Testing
On Fri, 2002-11-08 at 11:42, Joseph Pingenot wrote:
> xhost is for working with connections coming over tcp. :0.0 uses a named socket (/tmp/Xsomething), and Debian's X servers don't listen in on a tcp socket by default (security. No chance of someone sniffing your password if nobody can connect remotely!). Thus, xhost won't work.

Try..

    xhost + 'local:*'

-- 
David Stanaway
Re: Permissions Required On hosts.allow ?
On Sun, 2002-09-01 at 21:57, Nick Boyce wrote:
> I'm constantly looking for ways of achieving the same discretionary access control stance in my personal Unix box. Humour me ?

You may like to have a look at the xfs filesystem (And I think ext3 may support it as well, you will need to check) and the extensions that it supports for ACLs (Access Control Lists) to enhance the very simplistic unix {owner,group,everyone,special}+{r,w,x} permissions. Be careful though, as use of this will require you to change your backup/recovery plan if you are using tar/cpio etc.

-- 
David Stanaway
Re: Are current Apache debs affected by new bug?
On Tue, 2002-06-18 at 04:07, Wichert Akkerman wrote:
> Previously Timm Gleason wrote:
> > I looked through the changelogs and the changelog.Debian files, but couldn't conclusively decide if the current vulnerability in Apache has been taken care of or not. Anyone else know?
>
> Yes, it's not fixed yet.

According to Florian Weimer [EMAIL PROTECTED] on bugtraq:

> 3) Casting to unsigned int does not help that much if the variable in question is a long.
>
> The Apache CVS repository now seems to contain a correct patch.

-- 
David Stanaway
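An added example (not from this thread and not Apache's own code) of the cast problem point 3 above describes: a length check that narrows a long to unsigned int, beside the same check done in the variable's own width. It assumes an LP64 platform (64-bit long, 32-bit unsigned int); the length values and the `bufsize` parameter are constructed for illustration.

```c
#include <stdio.h>
#include <limits.h>

/* Length check written the way point 3 warns against: `len` is a long
 * parsed from untrusted input (hypothetically a chunk size), and the cast
 * was meant to turn negative values into huge ones so the comparison
 * rejects them. On LP64 the cast discards the upper 32 bits instead, so a
 * value such as 0x100000010 becomes 16 and is accepted. */
int length_ok_cast(long len, unsigned int bufsize)
{
    return (unsigned int)len <= bufsize;
}

/* The same check in the variable's own width: refuse negatives explicitly,
 * then compare without any narrowing conversion. */
int length_ok_safe(long len, unsigned int bufsize)
{
    if (len < 0)
        return 0;
    return (unsigned long)len <= (unsigned long)bufsize;
}

/* 1 when long is wider than unsigned int, i.e. when the cast can lose bits. */
int long_is_wider_than_uint(void)
{
    return sizeof(long) > sizeof(unsigned int);
}

int main(void)
{
    const unsigned int bufsize = 256;          /* constructed buffer size */
    long probes[4] = { 100L, -1L, 0L, 0L };    /* constructed length values */
    size_t n = 3;
    size_t i;

    /* Only meaningful where the cast truncates: 0x100000010 on LP64. */
    if (long_is_wider_than_uint())
        probes[n++] = (long)UINT_MAX + 17;

    for (i = 0; i < n; i++)
        printf("len=%ld  cast check: %s  safe check: %s\n", probes[i],
               length_ok_cast(probes[i], bufsize) ? "accept" : "reject",
               length_ok_safe(probes[i], bufsize) ? "accept" : "reject");
    return 0;
}
```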
Re: Fixing file system privileges
On Sat, 2002-05-11 at 01:16, martin f krafft wrote:
> also sprach Peter Cordes [EMAIL PROTECTED] [2002.05.11.0155 +0200]:
> > nope, purge is a possible status too.
>
> since when?

Since the last time you hit _ in dselect maybe.

    dstanawa@ciderbox:~$ dpkg --get-selections |grep purge
    aptitude        purge
    dstanawa@ciderbox:~$ sudo dpkg --purge aptitude
    (Reading database ... 98668 files and directories currently installed.)
    Removing aptitude ...
    Purging configuration files for aptitude ...
    dstanawa@ciderbox:~$ dpkg --get-selections |grep purge
    dstanawa@ciderbox:~$

So it is purges that are pending (Hence: dpkg --pending --purge, which is run by dselect).

-- 
David Stanaway
Re: how to use -j DROPLOG in iptables?
On Wed, 2002-05-08 at 22:25, Patrick Hsieh wrote:
> Hello,
>
> When I use -j DROPLOG in iptables, my woody complains:
>
>     iptables v1.2.6a: Couldn't load target `DROPLOG':/lib/iptables/libipt_DROPLOG.so: cannot open shared object file: No such file or directory
>     Try `iptables -h' or 'iptables --help' for more information.

The Quick'n Dirty way:

    iptables -N DROPLOG
    iptables -A DROPLOG -j LOG
    iptables -A DROPLOG -j DROP

You may want to consider:

    iptables -N DROPLOG
    iptables -A DROPLOG -j LOG
    iptables -A DROPLOG -p tcp -j REJECT --reject-with tcp-reset
    iptables -A DROPLOG -p udp -j REJECT --reject-with icmp-port-unreachable
    iptables -A DROPLOG -p udp -j DROP

-- 
David Stanaway
Re: possible hole in mozilla et al
On Thu, 2002-05-09 at 01:22, Tim Uckun wrote:
> I am not arguing for any change in the policies for determining what is stable and what is not. My feeling is (and I admit I haven't done any studies) that stable gets delayed sometimes due to obscure packages having bugs or obscure platform-specific bugs. It seems to me that most commonly used packages like apache, php, postgres etc have a pretty good track record and could be considered stable a few months after they are released. Using the same criteria used by the debian folks now you could have more frequent updates if you simply selected a small set of carefully chosen packages. Kind of a debian sub distro.

For those that need some of the new versions of packages (EG: Being stuck with the `stable' version of postgresql would be silly if you used it heavily) it is not that difficult to get around it by having a deb-src line that points at testing.

    apt-get build-dep apache
    apt-get -b source apache

It is not going to work all the time. Sometimes the build depends have to be built from testing as well...

Having lots of different stable branches as suggested by someone else would make the security team's job pretty difficult, and it is already hard enough from what I gather.

On another note... I imagine that some of the security updates for stable have caused some frustration to the security team, as the flaw is sometimes something that has been fixed in a later version, and applying that fix to the older (Read: Old version not maintained any more upstream) version could be non-trivial and seem a little futile when upgrading to a new version fixes the problem.

-- 
David Stanaway
Windows ftp clients for ftpd-ssl (OpenBSD)
Hi,

I was wondering if anyone could recommend freeish Windows clients that support ssl ( in.ftpd -z secure ). I have tried FileZilla (Which is GPL'ed but a little flaky, at least on Win98) but it seems to have problems establishing the data socket in either normal or passive mode.

Cheers...

-- 
David Stanaway