Re: [SECURITY] [DSA 2896-1] openssl security update
On 11.04.2014, at 17:26, daniel wrote:

> We are very concerned about the 'Heartbeat' security problem which has
> been discovered with OpenSSL. Thanks to our out-of-date old-stable
> version of debian, we are using:
>
> openssl 0.9.8o-4squeeze14
>
> This page also claims debian 6 (which we use) is unaffected:
> https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability
>
> as does the text of the DSA below.
>
> However, both of the heartbeat vulnerability checkers we have used have
> told us that they were able to successfully exploit this vulnerability
> against our site:
>
> http://filippo.io/Heartbleed/#noflag.org.uk
> https://www.ssllabs.com/ssltest/analyze.html?d=noflag.org.uk
>
> What could be going on here?

You are not using the squeeze Apache but a newer one compiled with a newer
OpenSSL. If you do a dpkg -l openssl and don't get a higher version than 0.9.8,
you are probably running one of these "all in one" website packages that
provides its own Apache and applications.

Dirk

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/fefc911f-53ca-48b6-8c75-201bee204...@morticah.net
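Dirk's diagnosis is that dpkg's view of OpenSSL and the library the web server actually runs with can differ. The following is an added example (not code from the thread or from Debian) that makes that check explicit: it lists every libssl a process serving TCP/443 has mapped, labels each as the distro copy, a bundled copy that the openssl package does not cover, or a stale mapping of a file that was replaced on disk without a restart. The pure functions work on /proc/<pid>/maps text; the live audit() assumes fuser(1) from psmisc and dpkg -S are available and that it runs as root. SAMPLE_MAPS is a constructed excerpt.

```python
"""Added example (not from the thread): reconcile what dpkg reports about
OpenSSL with the libssl that a process serving TCP/443 has actually mapped.
The pure functions work on /proc/<pid>/maps text; the live audit() uses
fuser(1) from psmisc and dpkg -S, and needs root to read other users' maps.
SAMPLE_MAPS is constructed for the demonstration."""
import subprocess

DISTRO_DIRS = ("/lib/", "/usr/lib/")

# Constructed maps excerpt: a Debian libssl, a bundled one under /opt, and a
# distro libssl whose file was replaced on disk after the process started.
SAMPLE_MAPS = """\
7f3a0000-7f3a4000 r-xp 00000000 08:01 1001 /usr/lib/libssl.so.0.9.8
7f3a4000-7f3a6000 rw-p 00040000 08:01 1001 /usr/lib/libssl.so.0.9.8
7f3b0000-7f3b5000 r-xp 00000000 08:01 2002 /opt/lampp/lib/libssl.so.1.0.0
7f3c0000-7f3c4000 r-xp 00000000 08:01 3003 /usr/lib/libssl.so.0.9.8 (deleted)
7f3d0000-7f3e0000 r-xp 00000000 08:01 4004 /lib/libc.so.6
"""


def ssl_libs_from_maps(maps_text):
    """Distinct libssl entries in /proc/<pid>/maps-style text; the
    ' (deleted)' marker is kept because it is informative."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)      # path is the 6th field and may contain spaces
        if len(parts) == 6 and "/libssl.so" in parts[5]:
            found.add(parts[5])
    return sorted(found)


def is_distro_path(path):
    """Heuristic: does the library live where the distro installs libraries?"""
    return path.startswith(DISTRO_DIRS)


def classify(libs):
    """Label each entry: 'distro' (covered by the openssl DSA), 'bundled'
    (a copy dpkg -l openssl says nothing about) or 'stale' (the on-disk file
    was replaced, e.g. by the upgrade, but the process was never restarted)."""
    labels = {}
    for lib in libs:
        if lib.endswith(" (deleted)"):
            labels[lib] = "stale"
        elif is_distro_path(lib):
            labels[lib] = "distro"
        else:
            labels[lib] = "bundled"
    return labels


def owning_package(path):
    """Package that dpkg records as owning the file, or None."""
    try:
        res = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return res.stdout.split(":", 1)[0].strip() or None


def pids_on_tcp_port(port):
    """PIDs holding the port according to fuser; [] if none or fuser is absent."""
    try:
        res = subprocess.run(["fuser", "-n", "tcp", str(port)], capture_output=True, text=True)
    except OSError:
        return []
    return [int(p) for p in res.stdout.split()]


def audit(port=443):
    """Live check of every process holding the port (root needed for other users' maps)."""
    for pid in pids_on_tcp_port(port):
        try:
            with open(f"/proc/{pid}/maps") as fh:
                libs = ssl_libs_from_maps(fh.read())
        except OSError as exc:
            print(f"pid {pid}: cannot read maps ({exc}); run as root")
            continue
        for lib, label in classify(libs).items():
            pkg = owning_package(lib) if label == "distro" else None
            print(f"pid {pid}: {label:7} {lib}" + (f" (package {pkg})" if pkg else ""))


if __name__ == "__main__":
    print("demo on constructed maps:", classify(ssl_libs_from_maps(SAMPLE_MAPS)))
    audit()
```

A 'bundled' result explains exactly the situation in the thread: the DSA fixed /usr/lib/libssl, but the listener links a private copy. A 'stale' result is the other common false sense of safety after applying the DSA: the package is updated, yet the running daemon still has the old code mapped until it is restarted.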
Re: flashplugin-nonfree : newer Flash Player
Hi Bart,

On Wed, Nov 7, 2012 at 8:39 AM, Bart Martens wrote:

> Maybe I should do announcements like this :
>
> | Users of the Debian package "flashplugin-nonfree" can now run
> | "update-flashplugin-nonfree --install", since I've now updated the download url
> | and checksums to match the newest Flash Player version. See also
> | http://wiki.debian.org/FlashPlayer for more information about the package
> | "flashplugin-nonfree" and http://www.adobe.com/support/security/ for security
> | updates by Adobe.
>
> Should this go on debian-security-announce ? Or is that a no-go because this is
> non-free software, therefore not officially part of Debian ? I could post this
> on debian-user and debian-backports instead.

If it isn't desired on security-announce, I would like to see this at least on security.

Dirk
Re: idea: switch default MTA from exim4 to postfix (wheezy+1)
On 01.11.2012 at 18:40, Oleg wrote:

> On Thu, Nov 01, 2012 at 05:31:07PM +0100, Maurizio Cimaschi wrote:
>
> A usual end user (not an admin) doesn't know anything about MTA. He
> just wants that simple thing to work right without his intervention. He
> has no time and interest to study several MTAs to choose a favourite.
> Or is this actually only for Ubuntu :-)?..

The simple end user gets an MTA installed that only listens on localhost and
doesn't have to bother with any of this.

I think the security ML should not be used to discuss default package
selections. There are others that fit better for this.

Dirk

Archive: http://lists.debian.org/6499173401114983284@unknownmsgid
Grave apache dos possible through byterange requests
Hi,

it is possible to DoS an actual squeeze apache2 with easy to forge range requests:
http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html

Apache devs are working on a solution:
http://www.gossamer-threads.com/lists/apache/dev/401638

But because the situation seems serious I thought I'd give you a heads up.

Running this script against a squeeze machine with 8 cores and 24 GB RAM you only
need 200 threads to kick it out of memory.

Cheers
Dirk
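The heads-up above names the request shape (many forged byte ranges per request) but not how to spot it. As an added example that is not part of Dirk's message or of Apache's own fix, the code below parses Range and Request-Range header values, counts the ranges and how many of them overlap earlier ones, and flags requests over a threshold. RANGE_LIMIT = 5 is an assumption (the figure Apache's mitigation guidance used at the time); the sample header lines are constructed.

```python
"""Added example (not from Dirk's message): detection logic for Range
headers carrying an abnormal number of byte ranges, the request shape behind
the 2011 Apache byterange memory exhaustion. RANGE_LIMIT = 5 is an assumption
(the figure Apache's mitigation guidance used at the time); tune it to what
your clients legitimately send. SAMPLE_HEADERS are constructed."""
import re

RANGE_LIMIT = 5
# Apache honoured the legacy Request-Range header too, so check both.
RANGE_HEADER_RE = re.compile(r"^(Range|Request-Range):\s*(.*)$", re.IGNORECASE)


def parse_ranges(value):
    """Split a Range header value into (start, end) pairs; None marks an
    open end ('500-' or '-500'). Returns [] for an empty value, a non-bytes
    unit, or a value with no parsable ranges."""
    value = value.strip()
    if not value.lower().startswith("bytes="):
        return []
    ranges = []
    for spec in value[len("bytes="):].split(","):
        spec = spec.strip()
        if "-" not in spec:
            continue
        start, end = (s.strip() for s in spec.split("-", 1))
        if not (start.isdigit() or end.isdigit()):
            continue                                   # '-' alone or garbage
        ranges.append((int(start) if start.isdigit() else None,
                       int(end) if end.isdigit() else None))
    return ranges


def overlapping_count(ranges):
    """Number of ranges that overlap an earlier one. Suffix ranges ('-500')
    are skipped; open ends count as unbounded. A resumable download or a
    video player almost never sends overlapping ranges; the DoS traffic did."""
    spans = sorted((s, float("inf") if e is None else e) for s, e in ranges if s is not None)
    overlaps, reach = 0, -1
    for start, end in spans:
        if start <= reach:
            overlaps += 1
        reach = max(reach, end)
    return overlaps


def is_abusive(value, limit=RANGE_LIMIT):
    """True when the header asks for more ranges than the configured limit."""
    return len(parse_ranges(value)) > limit


def scan(header_lines, limit=RANGE_LIMIT):
    """Yield (range_count, overlap_count, header_line) for every Range or
    Request-Range header whose range count exceeds the limit."""
    for line in header_lines:
        m = RANGE_HEADER_RE.match(line.strip())
        if not m:
            continue
        ranges = parse_ranges(m.group(2))
        if len(ranges) > limit:
            yield len(ranges), overlapping_count(ranges), line.strip()


# Constructed header lines: a normal resume, a player fetching two pieces,
# and one request asking for 20 overlapping ranges of the same object.
SAMPLE_HEADERS = [
    "Range: bytes=1000-",
    "Range: bytes=0-999,4000-4999",
    "Range: bytes=0-," + ",".join(f"5-{i}" for i in range(19)),
]

if __name__ == "__main__":
    for count, overlaps, line in scan(SAMPLE_HEADERS):
        print(f"suspect: {count} ranges, {overlaps} overlapping: {line}")
```

Feed scan() raw request headers captured at the edge (a reverse proxy or mod_security audit log); the default Apache access log does not record the Range header, which is why counting at the header level rather than in the access log is the useful place to look.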
Mailing lists and auto replies
Hi,

just two things because it happens too frequently.

1. If you set up an auto reply, please consider these words:
   http://wiki.exim.org/EximAutoReply "How To Do Autoreplies Without The World Hating You".

2. If you receive an auto reply via a mailing list because a member is unable to set up
   his notifications correctly, please complain to him directly if you have to. Please
   don't reply to the whole list.

Thank you for your time.

Dirk
Re: Fwd: Password leaks are security holes
--On Thursday, August 28, 2008 09:03:05 +0200 Johan Walles wrote:

> Let's keep debian-security in the discussion to see what others have to say about this.

You try to solve a non-technical problem in a technical way.

Dirk
Re: Security update of libpng[23]
Hi,

--On Thursday, August 01, 2002 16:50:16 +0200 Martin Hermanowski wrote:

> an apt-get update && apt-get upgrade -dy today brought me new libpng[23] packages
> from security.debian.org for woody/stable, but I can't find an advisory for them.
> What changes were made?

Maybe you should subscribe to debian-security-announce too. Here is the head of the advisory:

------------------------------------------------------------------------
Debian Security Advisory DSA 140-1
http://www.debian.org/security/                             Martin Schulze
August 1st, 2002
------------------------------------------------------------------------

Package        : libpng2, libpng3
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no

Developers of the PNG library have fixed a buffer overflow in the progressive reader
when the PNG datastream contains more IDAT data than indicated by the IHDR chunk. Such
deliberately malformed datastreams would crash applications which could potentially
allow an attacker to execute malicious code. Programs such as Galeon, Konqueror and
various others make use of these libraries.

Dirk

--
Dirk Hartmann, Network Administration                    #PGP-Key available
Verlag Heinz Heise GmbH & Co KG, Helstorferstr. 7, D-30625 Hannover
Tel.: +49 511 5352 494 - FAX: +49 511 5352 479
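The advisory describes the malformed condition precisely: the IDAT chunks inflate to more image data than the IHDR dimensions account for. The following is an added example, not part of the DSA, libpng or the thread, of a stand-alone checker for that condition: it walks the chunks (verifying lengths and CRCs), derives the expected decompressed size from IHDR, inflates the concatenated IDAT payload under a hard ceiling and reports any surplus. build_png() constructs the test images in memory; interlaced images are out of scope for the example.

```python
"""Added example (not part of the DSA or the thread): a stand-alone check for
the malformed-PNG condition the advisory describes, a datastream whose IDAT
chunks inflate to more image data than the IHDR dimensions account for.
build_png() constructs the test images in memory."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Samples per pixel by colour type: 0 gray, 2 RGB, 3 palette, 4 gray+alpha, 6 RGBA.
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def iter_chunks(data):
    """Yield (type, payload) per chunk, verifying lengths and CRCs on the way."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        payload = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[end - 4:end])[0]
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError(f"bad CRC on {ctype!r} chunk")
        yield ctype, payload
        pos = end
        if ctype == b"IEND":
            break


def make_ihdr(width, height, depth=8, ctype=0, interlace=0):
    """IHDR payload: width, height, bit depth, colour type, compression 0, filter 0, interlace."""
    return struct.pack(">IIBBBBB", width, height, depth, ctype, 0, 0, interlace)


def expected_image_bytes(ihdr):
    """Bytes a non-interlaced image must inflate to: height rows, each one
    filter byte plus ceil(width * channels * bitdepth / 8) bytes of pixels."""
    width, height, depth, ctype, _comp, _filt, interlace = struct.unpack(">IIBBBBB", ihdr)
    if interlace:
        raise ValueError("interlaced images are not handled by this example")
    if ctype not in CHANNELS:
        raise ValueError(f"unknown colour type {ctype}")
    row_bytes = (width * CHANNELS[ctype] * depth + 7) // 8
    return height * (row_bytes + 1)


def check_idat_size(data):
    """Return (expected, actual, overlong). `actual` is capped at expected + 1
    so a pathological IDAT stream cannot exhaust memory during the check;
    overlong is the condition that overran the progressive reader's row buffer."""
    ihdr, idat = None, b""
    for ctype, payload in iter_chunks(data):
        if ctype == b"IHDR":
            ihdr = payload
        elif ctype == b"IDAT":
            idat += payload
    if ihdr is None:
        raise ValueError("missing IHDR")
    expected = expected_image_bytes(ihdr)
    actual = len(zlib.decompressobj().decompress(idat, expected + 1))
    return expected, actual, actual > expected


def build_png(width, height, raw_rows):
    """Constructed 8-bit greyscale PNG; raw_rows is the scanline data (one
    filter byte plus `width` pixel bytes per row) and is deliberately not
    checked against the header, so over-long streams can be produced."""
    def chunk(ctype, payload):
        return (struct.pack(">I", len(payload)) + ctype + payload
                + struct.pack(">I", zlib.crc32(ctype + payload)))
    return (PNG_SIG + chunk(b"IHDR", make_ihdr(width, height))
            + chunk(b"IDAT", zlib.compress(raw_rows)) + chunk(b"IEND", b""))


GOOD_PNG = build_png(4, 2, bytes(2 * 5))      # exactly two rows of 1 + 4 bytes
BAD_PNG = build_png(4, 2, bytes(64 * 5))      # 64 rows of data for a 2-row image

if __name__ == "__main__":
    for name, png in (("good", GOOD_PNG), ("bad", BAD_PNG)):
        print(name, check_idat_size(png))
```

The check is the one a decoder has to make for itself: the compressed IDAT length says nothing about how much the stream inflates to, so the row buffer must be bounded by what IHDR declares, not by what the stream delivers. Capping the decompression at expected + 1 bytes keeps the checker itself from being exhausted by the very input it is screening.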