Re: harbian-audit v0.2 for Debian "Stretch" 9 is released

2018-12-26 Thread Jim Popovitch
On Thu, 2018-12-27 at 09:32 +0800, Shawn wrote:
> Hi Jim,
> 
> On Thu, Dec 27, 2018 at 1:06 AM Jim Popovitch  wrote:
> > 
> > On Wed, 2018-12-26 at 23:57 +0800, Samson wrote:
> > > https://github.com/hardenedlinux/harbian-audit/blob/master/docs/CIS_Debian_Linux_8_Benchmark_v1.0.0.pdf
> > 
> > I'm curious,
> > 
> > Does CIS know that you are distributing their published work?
> > 
> 
> Maybe not. We neither notified them nor are we CIS supporters
> according to the definition:
> 
> https://www.cisecurity.org/cis-controls-supporters/
> 
> Maybe we should remove it from the repo. Do you have any suggestions?

IANAL, but I think the best course of action would be to contact the CIS
legal counsel and explain the situation and ask for their advice.  I'm
sure they will want to work with you to come to a mutually beneficial
agreement.

https://www.cisecurity.org/about-us/leadership/deirdre-ocallaghan/


-Jim P.



Re: harbian-audit v0.2 for Debian "Stretch" 9 is released

2018-12-26 Thread Jim Popovitch
On Wed, 2018-12-26 at 23:57 +0800, Samson wrote:
> https://github.com/hardenedlinux/harbian-audit/blob/master/docs/CIS_Debian_Linux_8_Benchmark_v1.0.0.pdf

I'm curious,

Does CIS know that you are distributing their published work?


-Jim P.



Re: AUTO: Steve Bownas is out of the office. (returning 06/09/2011)

2011-06-04 Thread Jim Popovitch
On Sat, Jun 4, 2011 at 23:08, Steven Bownas  wrote:
>
> I am out of the office until 06/09/2011.


X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on liszt.debian.org
X-Spam-Level: *
X-Spam-Status: No, score=1.1 required=4.0 tests=AUTOGENERATE,AUTOREBOD,FOURLA,
LDO_WHITELIST,OUTOFOFFICE,RCVD_IN_DNSWL_MED autolearn=no version=3.2.5


Somebody has some work to do tweaking the rules.  I volunteer if
nobody else steps forward.

-Jim P.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/BANLkTi=oygwecrqxqgkgjqksa2zmm8y...@mail.gmail.com



Re: AUTO: Breyer, Mark is out of the office. (returning 21.02.2011)

2011-01-27 Thread Jim Popovitch
Auto-Submitted: auto-generated.  EOM

-Jim P.

2011/1/27  :
>
> I am away until 21.02.2011.
>
> Note: This is an automatic reply to your message "[SECURITY]
> [DSA 2152-1] hplip security update", sent on 27.01.2011 23:35:07.
>
> This is the only notification you will receive while this
> person is away.
>
> ---
> CreditPlus Bank AG is a company of Credit Agricole Consumer Finance.
> ---
>
> CreditPlus Bank AG | Registered office: Stuttgart | Amtsgericht Stuttgart HRB 15624 |
> Management board: Jan W. Wagner (chairman), Michael Euler, Heinz Tschernisch
> Chairman of the supervisory board: Alain Breuils
>
> Please note that the content of this e-mail is confidential. If you are not
> the intended recipient, or if this e-mail was sent to you in error, please
> notify the sender by replying or by telephone on 0711 6606-60, and then
> delete the e-mail. Thank you. The security of transmission by e-mail is not
> guaranteed, so the sender accepts no liability!
>





Re: Bind security announce

2010-12-30 Thread Jim Popovitch
On Thu, Dec 30, 2010 at 14:07, Jim Popovitch  wrote:
> On Thu, Dec 30, 2010 at 13:57, Adam D. Barratt wrote:
>> On Tue, 2010-12-28 at 18:34 -0800, Account for Debian group mail wrote:
>>>
>>> Well I waited to see if someone came out with a solution to this problem,
>>> none seen. So I'm updating another machine, here is what "dselect" is
>>> showing me:
>>
>> What that output doesn't include, which it should, is that there should
>> be two *new* packages to install - namely libdns58 and libisc50; were
>> those mentioned at any point in the process of selecting the updated
>> bind9 packages for installation?
>
> I used dselect to do the bind libs updates.   The dependency mismatch
> was handled by dselect, and I had to approve what appeared a downgrade
> to libisc/dns.  I really don't remember why, but my thought at the
> time was that I needed to find a way to purge all libdns and libisc
> packages because I don't run bind and only need dig/host/nslookup
> functionality on those boxes.
>
> Seriously though, dnsutils needs some overhaul and cleanup

Further, it's worth pointing out that after the bind libs update, the
libbind9-40* libdns45* libisc45* libisccc40* libisccfg40* liblwres40*
libs were not removed by a simple apt-get autoremove.


-Jim P.


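Jim's observation above (the old libbind9-40, libdns45, libisc45, libisccc40, libisccfg40 and liblwres40 packages surviving apt-get autoremove) has a likely cause he hints at himself: he selected the updates in dselect, and packages chosen that way are recorded as manually installed, which is exactly what autoremove leaves alone. The following is an added example, not from the thread or from Debian's tooling. It parses the text that dpkg-query -W (package name, TAB, status per line) and apt-mark showmanual print, finds versioned library packages that have a newer SONAME sibling installed, and emits the apt-mark auto commands that hand those leftovers back to autoremove. The two samples are constructed, not captured from Jim's systems.

```python
r"""Find installed library packages superseded by a newer SONAME of the same
library (libdns45 next to libdns58) and whether apt considers them manual.

Added example, not part of the thread or of Debian's tooling.  Input is the
text printed by  dpkg-query -W -f='${Package}\t${Status}\n'  and by
apt-mark showmanual; the samples below are constructed.
"""
import re
from collections import defaultdict

# lib<name>[-]<soname digits>: libdns58 -> ("libdns", 58), libbind9-40 -> ("libbind9-", 40)
SONAME_RE = re.compile(r"^(lib[a-z][a-z0-9]*?-?)(\d+)$")

# Constructed dpkg-query output (package TAB status), not a real capture.
DPKG_SAMPLE = """\
libbind9-40\tinstall ok installed
libdns45\tinstall ok installed
libdns58\tinstall ok installed
libisc45\tinstall ok installed
libisc50\tinstall ok installed
libisccc40\tinstall ok installed
libisccfg40\tinstall ok installed
liblwres40\tinstall ok installed
dnsutils\tinstall ok installed
libc6\tinstall ok installed
"""

# Constructed `apt-mark showmanual` output: dselect recorded the old libs as manual.
MANUAL_SAMPLE = """\
dnsutils
libc6
libdns45
libisc45
"""


def installed_packages(dpkg_output: str) -> list[str]:
    """Names of packages whose dpkg status is fully installed."""
    pkgs = []
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        name, _, status = line.partition("\t")
        if status.strip() == "install ok installed":
            pkgs.append(name.strip())
    return pkgs


def superseded_sonames(dpkg_output: str, manual_output: str) -> list[tuple[str, bool]]:
    """Return (package, is_manual) for every versioned library package that has
    a higher-numbered sibling installed.  is_manual=True is the case Jim hit:
    `apt-get autoremove` never touches a package that is not marked auto."""
    manual = set(manual_output.split())
    by_stem: dict[str, list[tuple[int, str]]] = defaultdict(list)
    for pkg in installed_packages(dpkg_output):
        m = SONAME_RE.match(pkg)
        if m:
            by_stem[m.group(1)].append((int(m.group(2)), pkg))
    stale = []
    for versions in by_stem.values():
        versions.sort()
        for _, pkg in versions[:-1]:          # everything but the newest SONAME
            stale.append((pkg, pkg in manual))
    return sorted(stale)


def apt_mark_commands(stale: list[tuple[str, bool]]) -> list[str]:
    """Commands that hand manually-marked leftovers back to autoremove."""
    return [f"apt-mark auto {pkg}" for pkg, is_manual in stale if is_manual]


if __name__ == "__main__":
    for pkg, is_manual in superseded_sonames(DPKG_SAMPLE, MANUAL_SAMPLE):
        print(f"{pkg}: superseded, {'manual' if is_manual else 'auto'}")
    print("\n".join(apt_mark_commands(superseded_sonames(DPKG_SAMPLE, MANUAL_SAMPLE))))
```

The heuristic only catches superseded SONAMEs. Packages with no newer sibling in the sample (libbind9-40, libisccc40, libisccfg40, liblwres40) are not flagged; check them with apt-cache rdepends --installed or deborphan before removing them. To run against a live system, feed the two commands' real output in via subprocess.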



Re: Bind security announce

2010-12-30 Thread Jim Popovitch
On Thu, Dec 30, 2010 at 13:57, Adam D. Barratt  wrote:
> On Tue, 2010-12-28 at 18:34 -0800, Account for Debian group mail wrote:
>>
>> Well I waited to see if someone came out with a solution to this problem,
>> none seen. So I'm updating another machine, here is what "dselect" is
>> showing me:
>
> What that output doesn't include, which it should, is that there should
> be two *new* packages to install - namely libdns58 and libisc50; were
> those mentioned at any point in the process of selecting the updated
> bind9 packages for installation?

I used dselect to do the bind libs updates.   The dependency mismatch
was handled by dselect, and I had to approve what appeared a downgrade
to libisc/dns.  I really don't remember why, but my thought at the
time was that I needed to find a way to purge all libdns and libisc
packages because I don't run bind and only need dig/host/nslookup
functionality on those boxes.

Seriously though, dnsutils needs some overhaul and cleanup

-Jim P.





Re: Lenny version info

2010-12-15 Thread Jim Popovitch
On Wed, Dec 15, 2010 at 07:00, John Keimel  wrote:
> On Wed, Dec 15, 2010 at 6:49 AM, Ashley Taylor  wrote:
>> Hi,
>>
>> Does anyone have any decent filter rules for Gmail so I can stop receiving
>> this nonsense without unsubscribing?
>> Thanks.
>
> http://tinyurl.com/2b3g2l4
>
> Also, since you need it:
>
> http://tinyurl.com/ybpctcz
>
> Please particularly note items on "jeopardy reply" or "Top posting"
> and "trimming".

+1

-Jim P.





Re: Lenny version info

2010-12-13 Thread Jim Popovitch
On Mon, Dec 13, 2010 at 23:33, Andrew McGlashan wrote:
> Chris Wadge wrote:
>>>
>>> PS: I've solved my problem. Thanks to those that actually helped.
>
> Besides all the noise, the "version of Lenny" can be directly relevant to
> the security of the installation ... and therefore it could technically and
> possibly correctly (don't care for the debate on this though) be sent to
> debian-security list

Well, if that's the case, then so could "how do I logon and logoff my
debian system".

To each his/her own.  I'm still on the side of keeping Debian security
issues on debian-security@, and Debian user questions on
debian-us...@.   ymmv.

-Jim P.





Re: Lenny version info

2010-12-13 Thread Jim Popovitch
On Mon, Dec 13, 2010 at 22:50, Mike Mestnik  wrote:
> From what I can tell debian-security is listed under [2]User and not under
> [3]Developer lists, so it stands to reason that users should be encouraged
> to seek assistance from this list's members.
>
> 2. http://lists.debian.org/users.html

From that page:

debian-security: Security in Debian


What part of "which version am I running" falls under "Security in Debian" ?

-Jim P.





Re: Lenny version info

2010-12-13 Thread Jim Popovitch
On Mon, Dec 13, 2010 at 20:12, Ash Narayanan  wrote:
> Can you imagine stepping in to a pet *security* store with a question about
> your pets *health* symptoms to be abused by the store attendant for not going
> to a vet instead?

^ There, I fixed it for you.

-Jim P.





Re: Lenny version info

2010-12-13 Thread Jim Popovitch
On Mon, Dec 13, 2010 at 02:18, Andrew McGlashan wrote:
> Hi,
>
> Chris Bannister wrote:
>> Naturally, I assume you would do a google first!!! Just think, in a few
>> years time if someone googles your name, will they think you
>> ignorant/lazy and not able to use a search engine?
>
> I don't understand why everyone thinks a personal attack is in order
> here???

I don't see that as a personal attack, it was a question not a
statement.  Consider that some people actually believe the best course
of education is to teach a person to fish for themselves.

-Jim P.





Re: Lenny version info

2010-12-12 Thread Jim Popovitch
On Sun, Dec 12, 2010 at 21:38, Michael Cassano  wrote:
> No, this is not the right place to ask.  A better place is Google, for
> instance.
>
> http://www.google.com/search?hl=en&q=how%20do%20I%20tell%20what%20version%20of%20debian%20I%20am%20running&btnG=Search

Oh, come on.  We can do better than that.

http://tinyurl.com/2vbtw7b


:-)

-Jim P.





Re: AUTO: Breyer, Mark is out of the office. (returning 29.11.2010)

2010-11-22 Thread Jim Popovitch
2010/11/22  :
>
> I am away until 29.11.2010.

Header "Auto-Submitted: auto-generated" existed.  Why can't the
Debian lists simply discard these?

-Jim P.





Re: Michael Baumgartner/bam/SFS is out of the office.

2010-10-08 Thread Jim Popovitch
When is Debian going to learn how to filter out OoO messages?   I'm
willing to train/educate for free.  Who's willing to listen and learn?

-Jim P.

2010/10/8 Michael Baumgartner :
> I will be out of the office from 07.10.2010. I will return on 11.10.2010.
>
> I will answer your message after my return.
> In urgent cases, please contact Markus Spirig m...@sfsintec.biz





Re: Spam fighting

2010-07-05 Thread Jim Popovitch
On Mon, Jul 5, 2010 at 17:38, Arthur Machlas  wrote:
> Forward all mail to a gmail account, then forward back to Debian's
> list-servs. Spam problem solved.

except Debian pushes hard for their outbound mail host to be
whitelisted...  which is also a reason the default Spamassassin will
generally not block spam that comes via Debian.

-Jim P.





Re: Spam fighting

2010-07-05 Thread Jim Popovitch
On Mon, Jul 5, 2010 at 09:49, Roger Hanna  wrote:
> Ok Folks, really, your mails about the spam are starting to actually spam!
>
> Wait, this email is then also considered a spam about spamming.
>
> You just can't win.

Good thing the FOSS ppl don't think like that.

-Jim P.





Re: ...

2010-07-04 Thread Jim Popovitch
On Sun, Jul 4, 2010 at 20:08, Russ Allbery  wrote:
> Jim Popovitch  writes:
>> On Sun, Jul 4, 2010 at 19:31, Stephen Gran  wrote:
>
>>> No, Russ implied that reality occasionally intrudes on fantasies of
>>> spam-free inboxes.
>
>> Russ stated:
>
>>     It's unlikely to get substantially better than it is (I believe
>>     we're already rejecting something like 95% of the incoming mail), so
>>     if it's still not good enough for you, you should probably consider
>>     unsubscribing.
>
>> I believe that 99% is achievable, and I believe his final
>> "unsubscribe" sentence is akin to walking away from the problem.
>
> Rejecting 99% of the incoming mail would be very bad if 5% of the incoming
> mail were legitimate.  I meant exactly what I said: Debian rejects
> something like 95% of the incoming mail to the mailing lists according to
> the latest message from the listmasters.  If I'd meant that we reject 95%
> of the *spam*, I would have said that.

Well, there are two ways to read what you originally wrote, and since
the thread discussion was on rejecting spam I took your 95% statement
to mean d.o was blocking 95% of spam.  I believe d.o can (and should)
attempt to block 100% of spam.

You did say the part about "unsubscribe".

-Jim P.





Re: ...

2010-07-04 Thread Jim Popovitch
On Sun, Jul 4, 2010 at 19:31, Stephen Gran  wrote:
>
> No, Russ implied that reality occasionally intrudes on fantasies of
> spam-free inboxes.

Russ stated:
    It's unlikely to get substantially better than it is (I believe
    we're already rejecting something like 95% of the incoming mail), so
    if it's still not good enough for you, you should probably consider
    unsubscribing.

I believe that 99% is achievable, and I believe his final
"unsubscribe" sentence is akin to walking away from the problem.

> If, as you imply, you're a professional mail admin familiar with environments
> of vastly divergent requirements in a single ruleset, catering to users who
> speak every language on Earth, submitting legitimate mail from every corner
> of the globe, you will understand some of the challenges.

I am exactly that person, and I have 10+ years experience doing exactly that.

> If you couple that with prizing getting good bug reports and user feedback
> over eliminating every single spam, you might begin to get an idea of the
> difficulty of the task.

Just like there are different roles in the *...@l.d.o lists, there can
(and should) be different inbound policies.  In the past I've personally
unsubscribed from several l.d.o lists due to spam on lists not even
associated with bug/user feedback.

> It's not as if we can just ditch mail based on presence in a DNSBL or
> non-ascii character sets, or even a wildly misconfigured mail server
> (that may be what the bug report is about, after all).

If corporations, governments, policy bodies, heck even the U.N can do it, so
can Debian.   Again, different policies for different list addresses (just like
abuse@ and postmaster@ are generally handled differently than support@)

> Don't get me wrong, I would welcome new blood to contribute fresh ideas
> and energy.  It's just that very frequently the spam issue seems to be
> one of those where people are very interested in telling you about what
> works for them in a very different environment to what there is in Debian,

While there is no such thing as one-solution-fits-all, Debian is not so unique.

> and it is energy draining to keep having the same discussions over and
> over about something that seems to be both a hot button issue and largely
> irrelevant.

Perhaps it's time to look into addressing the hot button issue and not just
ignoring it.  I'll remind you that this thread started due to an easily
identifiable spam slipping through.

> I think that, at present, Debian accepts something like
> less than 1% of all mail offered to it across our various mail servers.
> Yes, it is possible to do better, but probably not significantly better,
> mathematically speaking.  I think that that may be a pretty good place
> to strike a bargain between openness and spam fighting.

-Jim P.





Re: ...

2010-07-04 Thread Jim Popovitch
On Sun, Jul 4, 2010 at 15:13, Stephen Frost  wrote:
> * Jim Popovitch (jim...@gmail.com) wrote:
>> How about I volunteer to tackle that remaining 5% rather than giving
>> up so easily?
>
> Erm, seriously?

Yes.  Especially based on the last 2 paragraphs on this page:
http://www.debian.org/MailingLists/disclaimer

> I don't think any of the mail team has "given up easily"

That's not the point.  Russ implied that 95% was good enough, and if
anyone wanted better than it was best to unsubscribe.  I disagree.

> and dealing with spam is something which requires constant time
> and attention.  Also, pretty sure the 5% above was inclusive of
> legitimate mail.  And, last but not least, if you don't have any clue
> how spam is being handled today, you probably have a long learning
> period to go through before you would be able to constructively help.

I think I have the background and experience to handle the task, and
don't easily assume that I don't know what I am talking about.

> If you really want to help, start learning about what's being done
> already.

I would very much like to.  Looking at
http://lists.debian.org/misc.html I don't see a mailinglist devoted to
spam/mail issues (other than debian-ad...@d.o).   What communication
method is used for that "constant time and attention" ?

-Jim P.





Re: ...

2010-07-04 Thread Jim Popovitch
On Sun, Jul 4, 2010 at 13:48, Russ Allbery  wrote:
> Multiple people already spend lots of time working on the spam filtering
> for this list, and it's about as good as it can get given the requirements
> the Debian project has for openness for its mailing lists.  It's unlikely
> to get substantially better than it is (I believe we're already rejecting
> something like 95% of the incoming mail), so if it's still not good enough
> for you, you should probably consider unsubscribing.

How about I volunteer to tackle that remaining 5% rather than giving
up so easily?

-Jim P.





Re: ...

2010-07-04 Thread Jim Popovitch
On Sun, Jul 4, 2010 at 04:17, Yves-Alexis Perez  wrote:
> On sam., 2010-07-03 at 23:37 -0400, Jim Popovitch wrote:
>> WTF?  Come on folks. who's running this list?
>
> Please don't reply to spam, especially not quoting them.

Please quit allowing your systems to send me spam for Microsoft
applications  :-)

-Jim P.





Re: New Version of Adobe PDF for all Windows platforms

2010-07-03 Thread Jim Popovitch
WTF?  Come on folks. who's running this list?

-Jim P.


On Sat, Jul 3, 2010 at 22:14, Adobe PDF  wrote:
>
> New Version of Adobe PDF Reader for all Windows platforms
> Dear valued customers,
>
> 50%-60% of your daily office works requires document handling.
> 70% of your documents requires extra editing.
> 80% of your documents requires exchanging with your peers, customers or 
> partners.
> 20%-30% of these documents are in PDF formats with different version, created 
> by various engines.
>
> We are proud to introduce the new and proved Adobe Acrobat Reader, version 
> 2010 with enhanced features for viewing, creating, editing, printing and 
> internet-sharing PDF documents.
>
> To learn more about new features and how to install this best-of-breed 
> application, you can:
>
> + Go to Adobe Acrobat Reader or copy and paste this link to your web 
> browser: http://wl3.peer360.com/b/Z1Z28nqE7qcKMZ0dm4Z1/mle.asp?hl=11991430&CID=141820
> + Get your options, download and boost your works productivity.
>
> A full version of Office suite is also available for your download.
>
> DOWNLOAD ADOBE ACROBAT READER 2010 TODAY
>
> Thanks and best regards,
>
> John Draks
>
> Adobe Acrobat Reader
>
> 54 Pestersam | CA 96745 | USA | Hotline 1800 845 845|
> website: http://www.adobe-v2010.com/
> [Send to a Friend]
>
> This message is powered by Peer360°.
>
> This email was sent to debian-secur...@lists.debian.org.
> This email was sent from 54 Pestersam | CA 96745 | USA | Hotline 1800 845 
> 845| USA
>
> Unsubscribe from this publication. Manage your subscriptions.





Re: Debian and CVE-2010-0624

2010-03-10 Thread Jim Popovitch
On Wed, Mar 10, 2010 at 08:32, Nico Golde  wrote:
> No and as this is no serious issue we also decided to not release a DSA for
> this. We will encourage the maintainer to provide updated packages through
> stable-proposed-updates.

I, for one, thank you for decisions like that.  There doesn't need to
be a DSA for every buggy app IMHO.

-Jim P.





Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-08 Thread Jim Popovitch
On Wed, Jul 8, 2009 at 09:33, Roger Bumgarner wrote:
> ALLOW rules and SSH-keys.

Is there a way to force keys AND passwd verification?

-Jim P.


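Jim's question above gets no answer on this page. As an added note that is not part of the thread: since OpenSSH 6.2 (released in 2013, after this 2009 exchange) sshd can be told to require more than one authentication method with the AuthenticationMethods directive, so a valid key and the account password both have to succeed. The fragment below is an example sshd_config, not a configuration from the thread or from Debian; the group name in the Match block is an assumption.

```text
# sshd_config: require a valid public key AND the account password.
# Methods in one comma-separated list must all succeed, in order;
# space-separated lists would be alternatives.
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password

# If passwords are handled by PAM (UsePAM yes), use keyboard-interactive
# instead, with KbdInteractiveAuthentication yes on current releases:
#AuthenticationMethods publickey,keyboard-interactive

# Narrower variant (group name "ssh-admins" is an assumption): key-only
# login for everyone, both factors for the admin group.
#AuthenticationMethods publickey
#Match Group ssh-admins
#    AuthenticationMethods publickey,password
```

Check the file with sshd -t before reloading and keep an existing session open while you test, because a client that lacks either factor is locked out immediately. sshd -T prints the effective settings, which is the quickest way to confirm which Match block a given user falls under. None of this was available on the Etch/Lenny OpenSSH of 2009, where the firewall ALLOW rules and key-only login quoted above were the practical options.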



Re: Out of office replies

2009-01-17 Thread Jim Popovitch
On Sat, Jan 17, 2009 at 08:14, Dusty Wilson  wrote:
> Sometimes you have a situation where the recipient is
> f...@someplace.com, but that is forwarded to f...@someotherplace.com.

Ahhh, but that is the recipient's problem (user generated) and
therefore not the realm of Sender: or ML.  Let those people, with
those convoluted setups, solve their own problems as opposed to
inflicting spam on the rest of the world (and yes, mis-guided OoO
replies are spam, IMHO).

> I believe that the easiest thing is to say is "Precedence: bulk" in

What about fred's man-in-the-middle Exchange that might clean up
"extra" headers?   Honestly, if fred is forwarding email from Exchange
box to Exchange box it's easily possible that fred is removing
headers.

-Jim P.





Re: Out of office replies

2009-01-17 Thread Jim Popovitch
On Sat, Jan 17, 2009 at 07:29, Frank Lanitz  wrote:
> On Sat, 17 Jan 2009 07:15:30 -0500 "Jim Popovitch"  wrote:
>> Bah!!   Headers change over time.   The simple and easy way to solve
>> OoO problems is for vacation responders to only reply to From:/Sender:
>> if (and only if) To: == $recipient.
>
> This will not work since you got e.g. in Exchange virtual recipients

Virtual recipients shouldn't be a problem.   The vacation responder
(no matter where it exist in the process) shouldn't respond if To: !=
$recipient (virtual recipient or not).

> and I know people that really likes to register on ML etc. with these
> addresses on the one hand and setting these messages on the other side.

I fail to see how that figures into the OoO equation.  MLs *don't*
want OoO replies. ;-)

> To avoid such things the first step needs to be done on user side e.g.
> forcing them to create folders for lists and setting such rules only
> folder wide.

Huh!?!?!?

-Jim P.





Re: Out of office replies

2009-01-17 Thread Jim Popovitch
On Sat, Jan 17, 2009 at 12:50 AM, Izak Burger  wrote:
> our own auto-reply exim router (as requested by clients) checks for about 16
> different headers

On Sat, Jan 17, 2009 at 06:44, Dusty Wilson  wrote:
[snip]
> I understand that it takes both sides to fix the problem:  mailing
> list software to send the headers to be obvious that there shouldn't
> be an auto-reply, mailserver software to read the headers and
> therefore not auto-reply.

Bah!!   Headers change over time.   The simple and easy way to solve
OoO problems is for vacation responders to only reply to From:/Sender:
if (and only if) To: == $recipient.

-Jim P.





Re: AUTO: Ross Willman is out of the office (returning 29/09/2008)

2009-01-15 Thread Jim Popovitch
On Thu, Jan 15, 2009 at 19:10, Stephen Vaughan  wrote:
>
> When will people learn not to set auto replies

all people?  never.   You can only do so much education before you
have to give up.   The real solution is to fix bad email clients.   A
proper email client, or vacation subsystem, should never send an OoO
response to an email that doesn't contain the users address in To: or
Cc:.   It's all really pretty simple, yet getting email vendors to
implement this is just as futile as trying to get everyone to properly
set auto replies.

-Jim P.


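The rule Jim states here and in his 2009-01-17 replies (a responder answers only when the recipient's own address is in To: or Cc:), his 2010-11-22 remark that an out-of-office message carried Auto-Submitted: auto-generated, and the SpamAssassin tests (OUTOFOFFICE, AUTOGENERATE) in his 2011-06-04 reply describe two sides of one problem: a vacation responder deciding whether to reply at all, and a list server deciding whether to drop a reply it received. The following is an added example, not code from the thread or from Debian's list software. The header names are the real ones (Auto-Submitted from RFC 3834, List-Id from RFC 2919, the common Precedence: bulk/list convention); the three sample messages and the addresses in them are constructed.

```python
"""Out-of-office handling on both ends: the vacation responder that should stay
quiet, and the list server that should drop auto-replies it receives.

Added example, not code from the thread or from Debian's list software.
Header names are real (Auto-Submitted, RFC 3834; List-Id, RFC 2919; the
Precedence: bulk/list convention); the sample messages are constructed.
"""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Headers whose presence tells a responder "do not auto-reply to this message".
SUPPRESS_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "X-Auto-Response-Suppress")
# Non-standard headers that mark a message as itself being an automatic reply.
AUTOREPLY_MARKERS = ("X-Autoreply", "X-Autorespond")
BULK_PRECEDENCE = {"bulk", "list", "junk"}


def auto_submitted(msg: Message) -> str:
    """Normalised Auto-Submitted value ('no' when the header is absent)."""
    return msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()


def recipient_addresses(msg: Message) -> set[str]:
    """Every address in To: and Cc:, lower-cased.  Bcc and the envelope
    recipient are deliberately ignored: this is Jim's To: == $recipient rule."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def should_autoreply(raw: str, my_addresses: set[str]) -> bool:
    """Vacation-responder side.  True only for mail addressed to one of my
    addresses directly that is neither automated nor list traffic."""
    msg = message_from_string(raw)
    mine = {a.lower() for a in my_addresses}
    if not recipient_addresses(msg) & mine:
        return False                        # list mail, Bcc, or a forwarding alias
    if auto_submitted(msg) != "no":
        return False                        # auto-generated / auto-replied mail
    if msg.get("Precedence", "").strip().lower() in BULK_PRECEDENCE:
        return False
    if any(msg.get(h) for h in SUPPRESS_HEADERS):
        return False
    return True


def is_autoreply(raw: str) -> bool:
    """List-server side.  Recognise an incoming out-of-office reply so it can
    be discarded before distribution instead of reaching every subscriber."""
    msg = message_from_string(raw)
    if auto_submitted(msg) in ("auto-replied", "auto-generated"):
        return True
    if any(msg.get(h) for h in AUTOREPLY_MARKERS):
        return True
    subject = msg.get("Subject", "").lower()
    return subject.startswith("auto:") or "out of office" in subject or "out of the office" in subject


# Constructed sample messages (not messages from the thread).
LIST_MAIL = """\
From: security@example.org
To: debian-security@lists.example.org
List-Id: <debian-security.lists.example.org>
Precedence: list
Subject: [SECURITY] [DSA 0000-0] example update

body
"""

DIRECT_MAIL = """\
From: alice@example.com
To: fred@example.com
Cc: Bob <bob@example.com>
Subject: lunch?

body
"""

OOO_REPLY = """\
From: fred@example.com
To: debian-security@lists.example.org
Auto-Submitted: auto-replied
Subject: AUTO: Fred is out of the office (returning 06/09/2011)

I am out of the office until 06/09/2011.
"""

if __name__ == "__main__":
    me = {"fred@example.com"}
    print(should_autoreply(LIST_MAIL, me))    # list mail: stay quiet
    print(should_autoreply(DIRECT_MAIL, me))  # addressed to me: reply
    print(is_autoreply(OOO_REPLY))            # the list should drop this
```

The responder check is the strict one: a message that reaches fred through an alias or Bcc gets no reply, which is the trade-off Jim argues for in the exchange about forwarded addresses. The list-side check is a heuristic (header first, subject as a fallback) and will miss responders that strip all markers; SpamAssassin's OUTOFOFFICE rule from the quoted headers does the same kind of matching.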



Re: [VUA 51-1] Updated clamav version

2008-12-10 Thread Jim Popovitch
On Thu, Dec 11, 2008 at 00:55, Andreas Barth <[EMAIL PROTECTED]> wrote:
> ---
> Debian Volatile Update Announcement VUA 51-1 http://volatile.debian.org
> [EMAIL PROTECTED]   Stephen Gran
> Dec 11, 2008
> ---
>
> Package  : clamav
> Version  : 0.94.dfsg.2-1~volatile1
> Importance   : medium
> CVE IDs  : CVE-2008-5050 CVE-2008-5314

[snip]

> and install them with dpkg, or add
>
>  deb http://volatile.debian.org/debian-volatile etch/volatile main
>  deb-src http://volatile.debian.org/debian-volatile etch/volatile main
>

FAIL!

-Jim P.





Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential codeexecution

2008-12-10 Thread Jim Popovitch
On Wed, Dec 10, 2008 at 15:10, Michael Tautschnig <[EMAIL PROTECTED]> wrote:
> I guess only the volatile archive maintainers can help out.

Yet they have been silent for several days now on this issue.  Are
they overloaded?  Do we need new volatile maintainers?   Who's in the
know here?

-Jim P.





Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential codeexecution

2008-12-10 Thread Jim Popovitch
On Wed, Dec 10, 2008 at 13:21, Dominic Hargreaves <[EMAIL PROTECTED]> wrote:
> I don't really understand your question. There is no separate security
> archive for volatile, as I understand it.

Oddly enough I understood Tony, yet I don't understand the
Volatile+ClamAV situation.  Can someone definitively state what is the
holdup/situation/reasoning for why the latest ClamAV release has been
pushed to all the mirrors but is not updating via apt.

Thank you,

-Jim P.





Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution

2008-12-10 Thread Jim Popovitch
On Wed, Dec 10, 2008 at 07:27, Dominic Hargreaves <[EMAIL PROTECTED]> wrote:
> I don't think that's relevant to volatile versions though.

To Volatile or Not to Volatile.  That is the question (now).  Is
volatile a dead thing and security now back to real-time updates?

I'm ok with manually downloading, even custom compiling, one or two
apps.  I'm just looking toward the future to better understand how
clam/SA/etc app updates should best be applied to Stable.

-Jim P.





Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution

2008-12-09 Thread Jim Popovitch
On Tue, Dec 9, 2008 at 17:44, Mapper ict department <[EMAIL PROTECTED]> wrote:
> We have Debian Etch with the volatile clamav installed. This is
> the version:
>
> 0.94.dfsg.1-1~volatile1
>
> That is the one affected if I am not mistaken.
>
> We have the volatile archive in the apt-get sources list:
>
> http://volatile.debian.org/debian-volatile etch/volatile main contrib non-free
>
> But the fix is neither queued nor downloaded.

I am seeing the same thing.  The fix is on volatile.d.o as
clamav_0.94.dfsg.2-1~volatile1, but apt-get upgrade is not recognizing
it.  I don't see it in the Releases file either.

-Jim P.





moin 1.5.3-1.2etch1 and CVE-2006-0658

2008-11-22 Thread Jim Popovitch
I'm seeing some inconsistencies floating around and reaching out here
for some clarification ;-)

According to this source
http://idssi.enyo.de/tracker/CVE-2006-0658
Etch "package moin is vulnerable".

However there is no mention of it here:
http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=moin.

Further, apt reports:

  Package moin is not available, but is referred to by another package.
  This may mean that the package is missing, has been obsoleted, or
  is only available from another source
  However the following packages replace it:
  moinmoin-common

Is there a vulnerable bug or not?

-Jim P.





Re: Misunderstanding about normal (stable) and security channels

2008-07-28 Thread Jim Popovitch
On Mon, Jul 28, 2008 at 12:19 PM, Riku Valli <[EMAIL PROTECTED]> wrote:
> May be debsecan is suitable for you?

Holy crap, Batman!  That's a lot of "low urgency" issues open in Etch.

-Jim P.





17 updates for Etch?!?!

2008-07-26 Thread Jim Popovitch
Ok, this is the weekend for DNS strangeness... so my suspicions are
easily raised by the following:

~$ apt-get update
..
~$ apt-get upgrade
Reading package lists... Done
Building dependency tree... Done
The following packages will be upgraded:
  apache2-mpm-worker apache2-utils apache2.2-common debconf debconf-i18n
  debconf-utils grub initramfs-tools initscripts libc6 libc6-dev libkrb53
  linux-image-2.6.18-6-686 locales sysv-rc sysvinit sysvinit-utils
17 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.


WTF?!?!?  Were all those apps + kernel updated today?

-Jim P.





Re: [SECURITY] [DSA 1615-1] New xulrunner packages fix several vulnerabilities

2008-07-23 Thread Jim Popovitch
On Wed, Jul 23, 2008 at 7:36 PM, Michael Gilbert
<[EMAIL PROTECTED]> wrote:
> wouldn't it be better to send this person a warning?  i'm sure it was
> just an honest mistake.  it seems rather harsh to purge them from the
> mailing list without giving them a fair chance to remedy their
> mistake.

Honest or not, they can re-sub when they get back to important things.

Also, IMHO (since this post will possibly generate more)  un-subs
should also occur for people who use reply-all to a list, such as this
one, that almost guarantees the poster being replied to will receive
two copies. ;-)

-Jim P.





Re: Study: Attacks on package managers (inclusing apt)

2008-07-17 Thread Jim Popovitch
On Thu, Jul 17, 2008 at 3:43 PM, Goswin von Brederlow <[EMAIL PROTECTED]> wrote:
> The simple solution would be to create a Timestamp.gpg file that is
> signed daily (as opposed to Release.gpg being signed only on updates)
> and have apt-get warn if it gets old.

But as long as Release.gpg/Timestamp.gpg are local to the mirror(s),
and not only on a master, the various .gpg files and packages can,
even though difficult, be modified on the single mirror.   IMHO,
verification needs to have an alternate channel than the downloads.

-Jim P.





Re: Find installed contrib and non-free packages

2008-06-12 Thread Jim Popovitch
On Thu, Jun 12, 2008 at 5:58 PM, Jim Popovitch <[EMAIL PROTECTED]> wrote:
> grep -v '^Filename: pool\/main\/'   will get everything not in main,
> which is the OP's intention, IIRC.

Just to be clear, this cmd shows me all pkgs not in main:

# Only lines whose status column starts with "ii" are installed packages;
# a bare "grep ii" would also match any package name containing "ii".
for pkg in `dpkg -l | grep '^ii' | awk '{print $2}'` ; do
  if [ `apt-cache show $pkg | grep '^Filename: pool/main/' | wc -l` -eq 0 ]; then
    echo $pkg
  fi
done

-Jim P.
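An added example, not code from the list thread, that turns the same check into a small script: it classifies each package by the component in the Filename field of its apt-cache show record and separately reports packages that have no Filename at all (the dpkg -i case the thread mentions), which a plain contrib|non-free grep never sees. The sample records, their package names and versions are constructed so the script runs offline; only real_show relies on the real apt-cache command.

```shell
#!/bin/sh
# Added example (not from the list thread): inventory installed packages by
# archive component using the "Filename:" field of "apt-cache show", and flag
# packages with no Filename at all (installed with "dpkg -i" or from a source
# no longer in sources.list), which a plain contrib|non-free grep misses.

# classify_record: read one apt-cache-show-style record from stdin and print
# the component from its Filename (pool/<component>/...), "unknown" if the
# path is not under pool/, or "no-filename" when the record has no Filename.
classify_record() {
    awk '
        /^Filename: / {
            n = split($2, p, "/")
            if (p[1] == "pool" && n >= 2) print p[2]; else print "unknown"
            found = 1
            exit          # END still runs, but found is already set
        }
        END { if (!found) print "no-filename" }
    '
}

# list_non_main SHOW_CMD PKG...: print "<pkg> <component>" for every package
# whose first Filename is not under pool/main (what the thread is after).
# SHOW_CMD is a function or command that prints the apt-cache show record
# for one package name, so the check can be exercised without apt.
list_non_main() {
    show_cmd=$1
    shift
    for pkg in "$@"; do
        comp=$("$show_cmd" "$pkg" | classify_record)
        [ "$comp" = "main" ] || printf '%s %s\n' "$pkg" "$comp"
    done
}

# real_show: what you would pass as SHOW_CMD on an actual Debian host.
real_show() {
    apt-cache show "$1"
}

# sample_show: constructed records (package names other than coreutils, and
# all versions, are made up) standing in for apt-cache show, so the example
# runs offline.
sample_show() {
    case "$1" in
        coreutils)
            printf 'Package: coreutils\nVersion: 1.0-1\n'
            printf 'Filename: pool/main/c/coreutils/coreutils_1.0-1_i386.deb\n' ;;
        example-contrib)
            printf 'Package: example-contrib\nSection: contrib/misc\n'
            printf 'Filename: pool/contrib/e/example-contrib/example-contrib_1.0-1_all.deb\n' ;;
        example-nonfree)
            printf 'Package: example-nonfree\nSection: non-free/misc\n'
            printf 'Filename: pool/non-free/e/example-nonfree/example-nonfree_1.0-1_all.deb\n' ;;
        localpkg)
            # installed with "dpkg -i": only the dpkg status record, no Filename
            printf 'Package: localpkg\nStatus: install ok installed\nVersion: 1.0\n' ;;
    esac
}

# Offline demonstration over the constructed records.
list_non_main sample_show coreutils example-contrib example-nonfree localpkg
# On a real host, over every installed package:
#   list_non_main real_show $(dpkg-query -W -f='${Package}\n')
```

With several apt sources configured, the first Filename printed wins, so a package whose installed version came from a different source than its candidate is still reported by the component of that first record.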





Re: Find installed contrib and non-free packages

2008-06-12 Thread Jim Popovitch
On Thu, Jun 12, 2008 at 4:06 PM, W. Martin Borgert <[EMAIL PROTECTED]> wrote:
> On Thu, Jun 12, 2008 at 11:38:33AM +0200, Filip Husak wrote:
>> I think the following command resolves your problem:
>>
>> for pkg in `dpkg -l | grep ii | awk '{print $2}'` ; do if [ `apt-cache
>> show $pkg | grep 'contrib\|non-free' | wc -l` -ne 0 ]; then echo $pkg;
>> fi; done
>
> You should grep for "^Filename: pool/\(contrib\|non-free\)/" to
> prevent false positives. And: Packages that have been installed
> from non-Debian apt sources or via dpkg --install are missed.

grep -v '^Filename: pool\/main\/'   will get everything not in main,
which is the OP's intention, IIRC.

(unless backports is supported by Debian security)

-Jim P.





Re: Find installed contrib and non-free packages

2008-06-12 Thread Jim Popovitch
On Thu, Jun 12, 2008 at 11:23 AM, Martin Bartenberger
<[EMAIL PROTECTED]> wrote:
> Thanks a lot guys, I like all of your suggestions (the "virtual RMS" made me
> laugh, never heard of this before).
> Seems like TIMTOWTDI, reminds me of PERL ;-)
>
> I will play around with all of them and find out which one I'll use in
> future.

Keep in mind that only looking for nonfree|contrib will not reveal
pkgs that were manually installed via dpkg -i.

-Jim P.





Re: Microsoft-IIS/6.0 serves up Debian... WTF!

2008-06-08 Thread Jim Popovitch
On Sun, Jun 8, 2008 at 7:00 PM, Jacob Appelbaum <[EMAIL PROTECTED]> wrote:
> Your thoughts on this subject are really fascinating. Because while I
> agree that the idea of "security by obscurity" as the only line of
> defense is flawed, you're making assumptions and value judgments that
> seem beyond your abilities. I question your security knowledge and
> capabilities.

Yeah, yeah.  Whatever dude.

> [snip, snip]

> Have you found some actual security issue with the mirror? Are the
> packages tampered with? Are the signatures invalid?

No, I haven't found an actual security issue with the mirror.  And I
don't believe in waiting for someone to raise a security issue to
determine the actual security of a system.  Surely you would agree
that there are acceptable minimums.  I do think that it would be
prudent for the Debian Security and Mirror teams to know the specifics
about their mirror ops.  And I say that as former v.d.o mirror op,
where my experience revealed little concern over mirror operators.

The mirror in this instance seems to fall into one of two cases:
   1)  Security by Obscurity plus possible unknown foo.
   2)  Bored opers having fun.

I would think that neither of those cases immediately passes muster
with concerned security minded folks.  And, just because you are OK
with it, it doesn't mean I have to be. ;-)

-Jim P.





Re: Microsoft-IIS/6.0 serves up Debian... WTF!

2008-06-08 Thread Jim Popovitch
On Sun, Jun 8, 2008 at 5:30 PM, Simon Valiquette <[EMAIL PROTECTED]> wrote:
> Jim Popovitch one day wrote:
>>
>> If they want to do this, fine.  But should they continue to be in
>> rotation for ftp.us.debian.org?
>
>  Personally, I would have chosen to impersonate another web server than
> IIS, but except for that I see no problem with what they have done.
>
>
>  I don't see why you want them to be removed from ftp.us.debian.org,
> except that you don't like to see them lying about the server application
> and version they use, which is something done by a lot of people on
> production systems that directly face the Internet.

The reason is this:  *if* they are using "security by obscurity", then
that raises the bigger question of their security knowledge and
capabilities.   That would be enough for me to remove them from
distributing software to others from my domain (ftp.us.debian.org).

-Jim P.





Re: Microsoft-IIS/6.0 serves up Debian... WTF!

2008-06-08 Thread Jim Popovitch
On Sun, Jun 8, 2008 at 7:02 AM, Nico Golde <[EMAIL PROTECTED]> wrote:
> Yep this is lighttpd and it's mod_status.

OK (if true), I still question the need for posing as IIS, and
therefore I question the mirror operator's
intent/reasons/capabilities/interests/ as well as security
capabilities.   Are they playing around by posing as IIS?  Is it meant
to deflect interest in a Linux box being on their network?  What is
the reason behind masquerading as something they aren't?

If they want to do this, fine.  But should they continue to be in
rotation for ftp.us.debian.org?

-Jim P.





Re: Microsoft-IIS/6.0 serves up Debian... WTF!

2008-06-08 Thread Jim Popovitch
On Sun, Jun 8, 2008 at 12:30 PM, Bernd Eckenfels <[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]> you wrote:
>> It's mirrors like that that make me paranoid about Debian Security.
>
> Why is that? IIS is the second most used web server on the market. And since
> mirrors are not a trusted part of software distribution anyway, I don't see
> an issue here.

Here's my issue, please correct me if I am wrong.  .debs and sigs both
exist on the same server.  If the Windows box/network is compromised,
then the sigs and debs can be modified and who would know?

-Jim P.





Re: Microsoft-IIS/6.0 serves up Debian... WTF!

2008-06-07 Thread Jim Popovitch
On Sun, Jun 8, 2008 at 2:05 AM,  <[EMAIL PROTECTED]> wrote:
> this is weird. but, somehow it is hard to believe. it is possible to change
> the identification string to anything right? maybe it is apache but trying
> to be IIS???

That would be nice if true... but I seriously doubt that to be the case.

From: http://ike.egr.msu.edu/debian/pool/main/3/3ddesktop/
  3ddesktop_0.2.8-1.diff.gz     2005-Apr-08 05:32:08     7.1K   application/x-gzip
  3ddesktop_0.2.8-1.dsc         2005-Apr-08 05:32:08     0.7K   application/octet-stream
  3ddesktop_0.2.8-1_alpha.deb   2005-Apr-09 14:02:02    78.8K   application/octet-stream

Everything other than .gz is type "application/octet-stream", I bet if
we could see permissions they'd be 0777.

And then there is this:  http://ike.egr.msu.edu/server-status

It's mirrors like that that make me paranoid about Debian Security.

-Jim P.





Microsoft-IIS/6.0 serves up Debian... WTF!

2008-06-07 Thread Jim Popovitch
Well, I thought I had seen it all... but this takes the cake.

http://ike.egr.msu.edu/debian/pool/


-Jim P.





Re: clamav.* package versions (etch)

2008-05-29 Thread Jim Popovitch
NOTE: adding debian-security to the mix...

On Thu, May 29, 2008 at 6:04 PM, Mike Dornberger <[EMAIL PROTECTED]> wrote:
> maybe there are build issues. If you count the binary versions, you'll see
> there are 7 archs on which e. g. clamav-daemon 0.93 got built, but 10 for
> 0.92-something.

Perhaps one of the master servers has been hacked again, perhaps
blah, perhaps foo, etc.   The real issue is that the Debian build team
has a broken process, and that needs some highly visible attention, as
who knows what is behind this, or what else is broken.

NOTE: To be clear, I would not be saying the above if the missing
update were for bash or ctags.   But since this missing update is for
critical, public facing, applications... it needs proper attention.

My experience, from when I ran a volatile mirror, was that the
team/person responsible had too many other priorities (hey, that's
life).   If Debian needs some assistance in pushing releases to
mirrors, then please please let someone know.

-Jim P.





Re: openssh remote upgrade procedure?

2008-05-20 Thread Jim Popovitch
On Tue, May 20, 2008 at 6:38 PM, Kim N. Lesmer <[EMAIL PROTECTED]> wrote:
> On Tue, 20 May 2008 20:45:20 +0100
> "Alexandros Papadopoulos" <[EMAIL PROTECTED]> wrote:
>
>> 3. Testing to see if you can still get on to a server is exactly what
>> I would have done, if my connection had not been killed by the server
>> itself a few seconds after upgrading the packages. This happened on
>> two servers running different versions of debian (etch & lenny).
>
> This is not normal. I have upgraded two of my servers where I have also
> only SSH access, and I didn't experience any breakage of the
> connection. Since you have experienced this on both an etch and a lenny
> machine, something points in the direction that you have done
> something wrong, perhaps with your initial setup.

I too have not experienced any problems (on Etch) with the update.
Sshd restarted fine.

You might want to check your startup script to be sure it is only
shutting down the PID it started, instead of doing a
killall/pkill/etc.

-Jim P.





Re: Is oldstable security support duration something to be proud of?

2008-03-10 Thread Jim Popovitch
On Mon, Mar 10, 2008 at 4:13 PM, Filipus Klutiero <[EMAIL PROTECTED]> wrote:
>  Debian is somewhat better than openSUSE, equal or slightly worse than Ubuntu
>  and definitely worse than RHEL and derivatives. So on average, Debian is
>  somewhat worse than its main alternatives in this aspect.

On what data do you base the above claims?

-Jim P.





Re: Is oldstable security support duration something to be proud of?

2008-03-10 Thread Jim Popovitch
On Mon, Mar 10, 2008 at 4:14 PM, Filipus Klutiero <[EMAIL PROTECTED]> wrote:
> On March 10, 2008 03:15:04 pm Jim Popovitch, you wrote:
> > On Mon, Mar 10, 2008 at 3:01 PM, Filipus Klutiero <[EMAIL PROTECTED]> wrote:
> > > On March 10, 2008 02:57:56 pm Jim Popovitch, you wrote:
> > > > On Mon, Mar 10, 2008 at 2:36 PM, Filipus Klutiero <[EMAIL PROTECTED]> wrote:
> > > > > This statement is in a security announcement. Martin Schulze
> > > > > confirmed that he wrote the statement. Does the security team think
> > > > > that oldstable security support duration is something to be proud
> > > > > of?
> > > >
> > > > Yes.
> > >
> > > If you don't mind, how did you get the opinion of the security team on
> > > this?
> >
> > I read their text.
> Which one?

Their public one, the one you referenced.   Why do you perceive that
they shouldn't be proud?  Where is your basis that they don't deserve
to be proud?

-Jim P.



Re: Is oldstable security support duration something to be proud of?

2008-03-10 Thread Jim Popovitch
On Mon, Mar 10, 2008 at 3:01 PM, Filipus Klutiero <[EMAIL PROTECTED]> wrote:
> On March 10, 2008 02:57:56 pm Jim Popovitch, you wrote:
> > On Mon, Mar 10, 2008 at 2:36 PM, Filipus Klutiero <[EMAIL PROTECTED]> wrote:
> > > This statement is in a security announcement. Martin Schulze confirmed
> > > that he wrote the statement. Does the security team think that oldstable
> > > security support duration is something to be proud of?
> >
> > Yes.
> If you don't mind, how did you get the opinion of the security team on this?

I read their text.  Additionally, I was keen enough not to read too
much into their text.

-Jim P.



Re: Is oldstable security support duration something to be proud of?

2008-03-10 Thread Jim Popovitch
On Mon, Mar 10, 2008 at 2:36 PM, Filipus Klutiero <[EMAIL PROTECTED]> wrote:
> This statement is in a security announcement. Martin Schulze confirmed that
> he wrote the statement. Does the security team think that oldstable security
> support duration is something to be proud of?

Yes.  This issue can now be put to rest.

-Jim P.





Re: Recent updates

2008-02-17 Thread Jim Popovitch
On Feb 17, 2008 3:48 PM, Alexander Schmehl <[EMAIL PROTECTED]> wrote:
> Yes, as the last couple of announcements did.  The problem is that if we
> announce a new release before it is sent to the mirrors, mirrors are hit
> very hard, hindering the sync of our mirror network.
>
> So in general we first push upgrades to the mirrors, and then send out
> announcements.

That does make good sense, for the masses (of which I am one) I suppose.

> Well, a rogue hacker would need to be quite skilled to add some kind of
> "bad" package.
>
> Let's assume he has created a bad package and got control over a mirror
> (since he can't upload the package himself that's the only way to
> include it).  Of course he could add his package to the Debian archive
> he has on that mirror, but since packages and releases are signed with
> gpg he couldn't benefit from that, since as soon as someone tries to
> install his bad package, package management would detect the wrong
> signature.

Thanks for the explanation Alexander,

-Jim P.





Re: Recent updates

2008-02-17 Thread Jim Popovitch
On Feb 17, 2008 3:17 PM, Noah Meyerhans <[EMAIL PROTECTED]> wrote:
>glibc   Fix sunrpc memory leak

Ahhh, glibc and libc6 are the same thing.  I forgot about that.  (why is that?)

Thx,

-Jim P.





Re: Recent updates

2008-02-17 Thread Jim Popovitch
On Feb 17, 2008 8:18 AM, Alexander Schmehl <[EMAIL PROTECTED]> wrote:
> http://lists.debian.org/debian-announce/debian-announce-2008/msg0.html

One additional thing that is not clear to me is that I see pending
updates for libc6 and libc6-dev that are NOT mentioned in that
announcement.

-Jim P.





Re: Recent updates

2008-02-17 Thread Jim Popovitch
On Feb 17, 2008 8:18 AM, Alexander Schmehl <[EMAIL PROTECTED]> wrote:
> * Jim Popovitch <[EMAIL PROTECTED]> [080217 06:46]:
> > I haven't seen any other news about this, I show 7 pending updates for
> > which no DSA or notices have gone out.  Given that d.o servers have
> > been hacked in the past, are these updates valid and where can I find
> > official info about them?
>
> Subscribe to debian-announce:
> http://lists.debian.org/debian-announce/debian-announce-2008/msg0.html

I hope you are teasing, or perhaps you didn't see my first sentence
where I stated that I had not seen any other news about this.  I have
been subscribed to d-a, as well as d-s, and d-i, and d-v.  The
problem was the updates hit the mirrors before the announcement hit
the wire.  Normally this wouldn't be much of an issue, but the formal
signed announcement is the only way for most of us to know that the
updates are legit and not a nefarious action by some rogue hacker.

-Jim P.





Recent updates

2008-02-16 Thread Jim Popovitch
I haven't seen any other news about this, I show 7 pending updates for
which no DSA or notices have gone out.  Given that d.o servers have
been hacked in the past, are these updates valid and where can I find
official info about them?

apache2-mpm-worker:
  Installed: 2.2.3-4+etch3
  Candidate: 2.2.3-4+etch4
  Version table:
     2.2.3-4+etch4 0
        500 http://ftp.us.debian.org stable/main Packages
 *** 2.2.3-4+etch3 0
        100 /var/lib/dpkg/status
apache2-utils:
  Installed: 2.2.3-4+etch3
  Candidate: 2.2.3-4+etch4
  Version table:
     2.2.3-4+etch4 0
        500 http://ftp.us.debian.org stable/main Packages
 *** 2.2.3-4+etch3 0
        100 /var/lib/dpkg/status
apache2.2-common:
  Installed: 2.2.3-4+etch3
  Candidate: 2.2.3-4+etch4
  Version table:
     2.2.3-4+etch4 0
        500 http://ftp.us.debian.org stable/main Packages
 *** 2.2.3-4+etch3 0
        100 /var/lib/dpkg/status
cpio:
  Installed: 2.6-17
  Candidate: 2.6-18
  Version table:
     2.6-18 0
        500 http://ftp.us.debian.org stable/main Packages
 *** 2.6-17 0
        100 /var/lib/dpkg/status
libc6:
  Installed: 2.3.6.ds1-13etch4
  Candidate: 2.3.6.ds1-13etch5
  Version table:
     2.3.6.ds1-13etch5 0
        500 http://ftp.us.debian.org stable/main Packages
 *** 2.3.6.ds1-13etch4 0
        100 /var/lib/dpkg/status
libc6-dev:
  Installed: 2.3.6.ds1-13etch4
  Candidate: 2.3.6.ds1-13etch5
  Version table:
     2.3.6.ds1-13etch5 0
        500 http://ftp.us.debian.org stable/main Packages
 *** 2.3.6.ds1-13etch4 0
        100 /var/lib/dpkg/status
locales:
  Installed: 2.3.6.ds1-13etch4
  Candidate: 2.3.6.ds1-13etch5
  Version table:
     2.3.6.ds1-13etch5 0
        500 http://ftp.us.debian.org stable/main Packages
 *** 2.3.6.ds1-13etch4 0
        100 /var/lib/dpkg/status


Thx,

-Jim P.





Re: help

2008-02-15 Thread Jim Popovitch
On Tue, Feb 12, 2008 at 6:10 PM, Robert Shadowen
<[EMAIL PROTECTED]> wrote:
> help
>
>  ==
>  Robert Shadowen
>  Simulation/Verification Tools  [EMAIL PROTECTED]
>  IBM Austin  (512) 838-7603

Help is available.  Press 1 to continue, 2 to disconnect.  ;-)

-Jim P.





Re: www.juniorguide.com

2007-12-31 Thread Jim Popovitch
On Mon, 2007-12-31 at 16:38 -0500, Pls check this new site wrote:
> Please see this site in Subject


SO... is someone at d.o doing something constructive about all these
The risk is that d.o might eventually start getting blocked elsewhere.
For instance, if people tell gmail/yahoo/aol/elink/att/comcast/etc
that this is spam... they will eventually block d.o (the spam relay),
not the spam origin.

-Jim P.





Re: [SECURITY] [DSA 1438-1] New tar packages fix several vulnerabilities

2007-12-28 Thread Jim Popovitch
On Fri, 2007-12-28 at 22:36 +0100, Martin Zobel-Helas wrote:
> On Fri Dec 28, 2007 at 22:10:08 +0100, Wolfgang Jeltsch wrote:
> > However, I cannot see any security announcement for most of these.  Were
> > they updated because of the security fix for tar?  If yes, why doesn’t the
> > security announcement mention that updated versions are available also for
> > those packages?
> 
> see http://lists.debian.org/debian-announce/debian-announce-2007/msg4.html

Martin,

First, I (and many others) appreciate your and everyone else's work on
Debian.   That said, I too am confused by the latest Debian 4.0 release.
It seems to me that, in the past, all Debian patches were released with
DSAs (why patch w/o a DSA?), and that further updates to the core
release (Potato, Sid, Sarge, Etch, etc) were only a roll-up of
previously issued DSAs.   I don't recall new functionality ever being
added in a core release update bundle (although I could be wrong).  

Consider that some people, such as myself, only update servers based on
review of public DSA statements.  Yet now we find ourselves with
multiple days of updates to multiple pkgs, but no corresponding DSA
announcements to cross reference for validity (which can easily make one
suspect a mirror has been hacked).  

Since I'm not the only one confused by the recent updates, can we get
some clarification on this process please?  Specifically, is it
currently Debian policy to release non-critical pkg updates, i.e.
releases without DSAs, in periodic core release rollups? (is this new or
has it been so in the past?)  Could Debian be better served by calling
the rollup (including new non-critical updates) a new release (i.e. 4.1)?

Thank you for helping to clarify.

-Jim P.





Re: new updates, no recent DSAs.... Hmmmm

2007-12-27 Thread Jim Popovitch
On Thu, 2007-12-27 at 17:55 -0500, Jim Popovitch wrote:
> On Thu, 2007-12-27 at 22:42 +, Alexander Wirt wrote:
> > Yes
> 
> :-)
> 
> > http://www.us.debian.org/News/2007/20071227
> 
> Actually I didn't miss that, or rather I did get that email today
> but in the past I seem to recall the process was individual DSAs and
> releases, followed by a bundled new release rollup.  Perhaps I am wrong.

Oh, and thank you Alex for connecting the dots for me.

-Jim P.





Re: new updates, no recent DSAs.... Hmmmm

2007-12-27 Thread Jim Popovitch
On Thu, 2007-12-27 at 22:42 +, Alexander Wirt wrote:
> Yes

:-)

> http://www.us.debian.org/News/2007/20071227

Actually I didn't miss that, or rather I did get that email today
but in the past I seem to recall the process was individual DSAs and
releases, followed by a bundled new release rollup.  Perhaps I am wrong.

-Jim P.





new updates, no recent DSAs.... Hmmmm

2007-12-27 Thread Jim Popovitch
I've got one etch box complaining, for 18 hours now, about new pending
updates. Specifically:

apache2-mpm-worker
apache2-utils
apache2.2-common
debconf
debconf-i18n
findutils
klibc-utils
libc6
libc6-i686
libklibc
libpam-modules
libpam-runtime
libpam0g
libpq4
linux-image-2.6.18-5-686
locales
lvm2

Did I miss something?  Why now, why no DSAs? (apt-get update/upgrade
didn't indicate any packages last weekend, and sources.list hasn't
changed).  The notification of new packages was triggered 23:15 EST.

Sources:

deb http://ftp.us.debian.org/debian/ etch main
deb http://security.debian.org/ etch/updates main
deb http://volatile.debian.org/debian-volatile/ etch/volatile main
deb http://volatile.debian.org/debian-volatile/ etch/volatile-sloppy main


Hiccup on a mirror in the rotation?

-Jim P.







Re: [SECURITY] [DSA 1435-1] New clamav packages fix several vulnerabilities

2007-12-20 Thread Jim Popovitch
On Thu, 2007-12-20 at 20:07 +, J. Santos wrote:
> So, I would like to thank all those who took the time to clarify this
> matter.
> Thank you all.

I would also like to add my Thanks to everyone involved.

Thank you,

-Jim P.





Re: [SECURITY] [DSA 1435-1] New clamav packages fix several vulnerabilities

2007-12-19 Thread Jim Popovitch
On Thu, 2007-12-20 at 01:12 +, Stephen Gran wrote:
> This one time, at band camp, Dominic Hargreaves said:
> > 
> > Are there any updates planned for sarge in volatile.debian.org?
> 
> Yes, and they're uploaded.

Where?

-Jim P.





On Distro to rule them all (was: secure installation)

2007-08-16 Thread Jim Popovitch
Why not add 3 deb packages (deb-user, deb-workstation, deb-server) and
prompt the user during install for which "style" box they are setting
up.  Then the selected package could have (or not have) necessary
dependencies for the system "style".   For instance, deb-user could
depend on lokkit as well as disable inetd boot scripts.  This would make
it easier for lusers while still not pushing stuff onto experienced
Debiani.

-Jim P.





Re: security idea - bootable CD to check your system

2007-06-24 Thread Jim Popovitch
On Sun, 2007-06-24 at 16:50 +0100, andy baxter wrote:
> The difference is that:
> 
> a) These all run on the live system they are trying to protect, 

Unless you configure them to only write to an offline mount point that
is normally ro and only rw through external effort, which is in
Tripwire's best practices.

-Jim P.






Re: [SECURITY] [DSA 1304-1] New Linux kernel 2.6.8 packages fix several vulnerabilities

2007-06-17 Thread Jim Popovitch
On Sun, 2007-06-17 at 03:43 -0600, dann frazier wrote:
> On Sat, Jun 16, 2007 at 03:49:16PM -0400, Jim Popovitch wrote:
> > On Sat, 2007-06-16 at 10:26 -0700, Thomas Bushnell BSG wrote:
> > > This release was quite confusing, because it applies only to sarge,
> > 
> > I'm still not seeing this release on security.debian.org using 
> > 
> > deb http://security.debian.org/ sarge/updates main
> > 
> > Any ideas why?
> 
> Looks fine to me, what problem are you seeing?
> Are you sure you have the proper meta packages installed to deal with
> ABI changing updates (e.g., kernel-image-2.6-686)?

Yep, figured that out yesterday.  I had removed kernel-image-2.6-686
last week after the craziness that I can only describe as it being
pushed to the mirrors before the new kernel images... yet having a
dependency on the new kernel.  (at least those were the symptoms at the
time).

Thanks,

-Jim P.





Re: [SECURITY] [DSA 1304-1] New Linux kernel 2.6.8 packages fix several vulnerabilities

2007-06-16 Thread Jim Popovitch
On Sat, 2007-06-16 at 10:26 -0700, Thomas Bushnell BSG wrote:
> This release was quite confusing, because it applies only to sarge,

I'm still not seeing this release on security.debian.org using 

deb http://security.debian.org/ sarge/updates main

Any ideas why?

-Jim P.






Re: kernel-image-2.6.8-4-386 (2.6.8-16sarge7)

2007-06-15 Thread Jim Popovitch
On Fri, 2007-06-15 at 18:08 +0200, Willi Mann wrote:
> Hi!
> 
> Since yesterday, a new kernel for sarge seems to be available. However,
> the kernel-image meta package 101sarge2 was only available yesterday.
> Today, it's no longer available.
> 
> What has happened here?

Something strange is certainly afoot.  I noticed this a few days ago
too.  No official word or FD notice, so I say wait until the package
maintainers have issued their notices.

-Jim P.





Re: where'd security.debian.org go?

2007-06-13 Thread Jim Popovitch
On Thu, 2007-06-14 at 00:32 -0400, Jim Popovitch wrote:
> What's up with security.debian.org?   Apt is missing it. ;-)

Of course, as soon as I sent the email...

Disregard the previous email, apologies.

-Jim P.





where'd security.debian.org go?

2007-06-13 Thread Jim Popovitch
What's up with security.debian.org?   Apt is missing it. ;-)

-Jim P.





Re: PERSONAL LOAN - KTA

2007-06-02 Thread Jim Popovitch
On Sun, 2007-06-03 at 03:41 +, Pascal Hakim wrote:
> The spam email you're complaining about was sent by a subscriber. Does 
> that mean it's not spam?

No, it still is spam.  It's not requested by any other list members.
The solution is to auto-mod new subscribers.  Do that and all this mess
every month won't be delivered to any legit subscribers who use the
lists to offer and receive help. 

-Jim P.





Re: PERSONAL LOAN - KTA

2007-06-02 Thread Jim Popovitch
On Sat, 2007-06-02 at 11:23 -0400, Roberto C. Sánchez wrote:
> In any case, I really would be interested in hearing from people who
> have managed to get a spam filtering setup going that allows only a
> 0.66% false negative rate.

I think you will have better success discussing that over on SPAM-L.

Back to the Debian lists: who can implement posts by subscribers
only?

-Jim P.





Re: security mirror out of date: 128.101.240.212

2007-05-14 Thread Jim Popovitch
On Tue, 2007-05-15 at 00:14 +0300, Tomas Nykung wrote:
> What I don't understand is why I always got the bad mirror, regardless
> how many times I tried to rerun aptitude/apt-get update both yesterday
> and today (and on two computers while the first one I upgraded did get
> the upgrade without any problem).
> 
> The only way I could get the upgraded kernel version was to wget it
> and install it by hand.
> 
> Not that I will lose any sleep because of this ;) but if someone has
> time to shed some light on this I would be grateful.

it's pre-defined in /etc/hosts?

local (or upstream) cache is stale?

random luck?

-Jim P.





Re: Security Debian Questions

2007-04-23 Thread Jim Popovitch
On Mon, 2007-04-23 at 19:15 +1100, Russell Coker wrote:
> On Sunday 22 April 2007 01:58, Jim Popovitch <[EMAIL PROTECTED]> wrote:
> > On Fri, 2007-04-20 at 20:30 -0500, George P Boutwell wrote:
> > > I don't remember the exact details, but the problem I think revolved
> > > around not being able to properly boot-up since the /tmp and/or the
> > > /var/tmp where needed during the boot, but not being mounted yet.
> >
> > Actually in order for /tmp to even be mounted there needs to be a /tmp
> > directory on the root filesystem.  Chances are, that it's not the lack
> > of mounting /tmp, but rather the permissions of /tmp (mounted and/or
> > unmounted).
> 
> The permissions of the mount point don't matter.  Mount runs as root with 
> capability DAC_OVERRIDE so a mode 0 mount point will do fine.
> 
> If the mount-point doesn't exist or is not a directory then the mount 
> operation will fail.

If you say so.  ;-)  (please re-read what I wrote and the comment I was
replying to.)

-Jim P.





Re: Undelivered Mail Returned to Sender

2007-04-22 Thread Jim Popovitch
On Mon, 2007-04-23 at 00:42 +0200, David Martínez Moreno wrote:
> This is getting slightly annoying...
> 
> This time murphy.debian.org said NO to relaying.
> 
> Best regards,


Even worse... murphy is still passing on spam.  The latest one I got has
a received header of:

  Received: from localhost.localdomain (unknown [201.240.185.92]) by
murphy.debian.org (Postfix) with SMTP id 1D0AF2E031 for
; Sun, 22 Apr 2007 22:01:14 

This means that postfix on murphy is MIS-CONFIGURED.  It accepted an
email from 201.240.185.92  (which is listed in dnsbl.sorbs.net) and also
allowed that it said it was from localhost.localdomain.  

Postfix on murphy needs some reject statements like these:

smtpd_recipient_restrictions = permit_mynetworks,
 reject_invalid_hostname,
 reject_non_fqdn_hostname,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unknown_sender_domain,
 reject_unknown_recipient_domain,
 reject_unauth_destination,

Ahh, the simple things..

-Jim P.
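
An added example, not code from Jim's message or from Postfix itself: a small Python triage script that applies client checks of the kind the restriction list above names to Received headers, so a list admin can see which restrictions a relayed message would have tripped. The sample headers are constructed (the first copies the shape of the header quoted above, with a placeholder recipient and time zone, the other two are made up), the blocklist is a local stand-in for a DNSBL lookup so the script runs offline, and the mapping from header fields to restriction names is an approximation of what Postfix evaluates at SMTP time, not Postfix's own logic.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample headers (not taken from the list archive). The first one
# copies the shape of the header quoted in the message above; recipient and
# time zone are placeholders, the other two headers are invented.
SAMPLE_RECEIVED = [
    "Received: from localhost.localdomain (unknown [201.240.185.92]) by "
    "murphy.debian.org (Postfix) with SMTP id 1D0AF2E031 for <list@example.org>; "
    "Sun, 22 Apr 2007 22:01:14 +0000",
    "Received: from mail.example.net (mail.example.net [192.0.2.25]) by "
    "murphy.debian.org (Postfix) with ESMTP id 2A7C52E032 for <list@example.org>; "
    "Sun, 22 Apr 2007 22:05:00 +0000",
    "Received: from pc1 (unknown [198.51.100.7]) by murphy.debian.org (Postfix) "
    "with SMTP id 3B8D62E033 for <list@example.org>; Sun, 22 Apr 2007 22:06:00 +0000",
]

# Hypothetical stand-in for a DNSBL answer so the script runs offline; a real
# reject_rbl_client issues a DNS query instead of consulting a local list.
LOCAL_BLOCKLIST = [ip_network("201.240.185.0/24")]

# "from HELO (RDNS [IP])" as Postfix writes it; RDNS reads "unknown" when the
# client address has no usable PTR record.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)"
)
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_received(header):
    """Return {'helo', 'rdns', 'ip'} for one Received header, or None."""
    m = RECEIVED_RE.match(header)
    return m.groupdict() if m else None


def is_valid_hostname(name):
    """Syntactic check in the spirit of reject_invalid_hostname."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def is_fqdn(name):
    """reject_non_fqdn_hostname: the HELO name must contain at least one dot."""
    return is_valid_hostname(name) and "." in name.rstrip(".")


def evaluate(rec):
    """Names of the Postfix-style restrictions this client would trip."""
    hits = []
    if not is_valid_hostname(rec["helo"]):
        hits.append("reject_invalid_hostname")
    elif not is_fqdn(rec["helo"]):
        hits.append("reject_non_fqdn_hostname")
    if rec["rdns"] == "unknown":
        hits.append("reject_unknown_reverse_client_hostname")
    client = ip_address(rec["ip"])
    if any(client in net for net in LOCAL_BLOCKLIST):
        hits.append("reject_rbl_client")
    return hits


def triage(headers):
    """Map each client IP to the list of restrictions it would have tripped."""
    report = {}
    for header in headers:
        rec = parse_received(header)
        if rec:
            report[rec["ip"]] = evaluate(rec)
    return report


if __name__ == "__main__":
    for ip, hits in triage(SAMPLE_RECEIVED).items():
        print(ip, "would be rejected by: " + ", ".join(hits) if hits else "passes")
```

The HELO checks are purely syntactic, so a name like localhost.localdomain passes them; in the sample run that client is flagged by the reverse-DNS and blocklist checks instead, which is worth keeping in mind when deciding which restrictions to rely on.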









Re: Security Debian Questions

2007-04-21 Thread Jim Popovitch
On Fri, 2007-04-20 at 20:30 -0500, George P Boutwell wrote:
> I don't remember the exact details, but the problem I think revolved 
> around not being able to properly boot-up since the /tmp and/or the 
> /var/tmp where needed during the boot, but not being mounted yet.  

Actually in order for /tmp to even be mounted there needs to be a /tmp
directory on the root filesystem.  Chances are, that it's not the lack
of mounting /tmp, but rather the permissions of /tmp (mounted and/or
unmounted).

-Jim P.







Re: tripwire's default policy

2007-03-04 Thread Jim Popovitch
On Sun, 2007-03-04 at 21:56 -0300, Felipe Figueiredo wrote:
> Hello all,
> 
> tripwire's default policy includes /proc. Why, what's the point? At least in 
> my systems, its files change more often than my logs rotate (which despite my 
> efforts insist on rotating on a daily basis). 
> 
> So, is it safe to just remove /proc from the policy? 

I have on all my public systems.  I did this quite some time ago.  No
problems, no worries.

> If so, why is it included by default?

There are probably a host of reasons; I point the finger at the package
maintainer leaning more towards the side of security than insecurity.

-Jim P.




Re: ProFTPD still vulnerable (Sarge)

2007-01-07 Thread Jim Popovitch
On Thu, 2006-12-07 at 10:26 +0100, Francesco P. Lovergine wrote:
> On Wed, Dec 06, 2006 at 09:21:34PM -0500, Jim Popovitch wrote:
> > On Thu, 2006-11-30 at 12:28 -0500, Jim Popovitch wrote:
> > > On Thu, 2006-11-30 at 15:10 +0100, Francesco P. Lovergine wrote:
> > > > This is unfortunately an effect of an issue with the old mod_delay 
> > > > patch.
> > > > It's not an exploiting of the known issue. You have to either disable 
> > > > mod_delay or use 
> > > > 1.2.10-20sarge1 which is available at 
> > > > http://people.debian.org/~frankie/debian/sarge
> > > > That is in use successfully since ages on high-load server like alioth.
> > > > The sarge1 version also manages the 3 recent security issues.
> > > 
> > > So, should we use 1.2.10-20sarge1 or the just released 1.2.10-15sarge3? 
> > 
> 
> My suggestion is using the not-official 1.2.10-20sarge1 iff you are
> experiencing segfaults on high-load servers and you wouldn't
> to set mod_delay use off for security concerns.

Now that official proftpd_1.2.10-15sarge4 has been released, should we
continue to use 1.2.10-20sarge1?

Thanks,

-Jim P.




Re: ProFTPD still vulnerable (Sarge)

2006-12-06 Thread Jim Popovitch
On Thu, 2006-11-30 at 12:28 -0500, Jim Popovitch wrote:
> On Thu, 2006-11-30 at 15:10 +0100, Francesco P. Lovergine wrote:
> > This is unfortunately an effect of an issue with the old mod_delay patch.
> > It's not an exploiting of the known issue. You have to either disable 
> > mod_delay or use 
> > 1.2.10-20sarge1 which is available at 
> > http://people.debian.org/~frankie/debian/sarge
> > That is in use successfully since ages on high-load server like alioth.
> > The sarge1 version also manages the 3 recent security issues.
> 
> So, should we use 1.2.10-20sarge1 or the just released 1.2.10-15sarge3? 

??

-Jim P.





Re: ProFTPD still vulnerable (Sarge)

2006-11-30 Thread Jim Popovitch
On Thu, 2006-11-30 at 15:10 +0100, Francesco P. Lovergine wrote:
> This is unfortunately an effect of an issue with the old mod_delay patch.
> It's not an exploiting of the known issue. You have to either disable 
> mod_delay or use 
> 1.2.10-20sarge1 which is available at 
> http://people.debian.org/~frankie/debian/sarge
> That is in use successfully since ages on high-load server like alioth.
> The sarge1 version also manages the 3 recent security issues.

So, should we use 1.2.10-20sarge1 or the just released 1.2.10-15sarge3? 

-Jim P.





kernel.panic (was: Re: DD machine mysterious reboot)

2006-10-29 Thread Jim Popovitch
On Sun, 2006-10-29 at 23:54 +0100, martin f krafft wrote:
> Do you set kernel.panic in /etc/sysctl.conf?

I'm curious, what does that do?

Tia,

-Jim P.





Re: GPG errors from apt update

2006-09-01 Thread Jim Popovitch

Robert Dobbs wrote:
> I'm surprised more people haven't reported these problems.  Maybe they
> were ignored because they did resemble the older problem with the
> signing key so closely.

I do recall seeing something similar to what you describe, but it was
only once and it was some time ago.   Have you tried sniffing the
network traffic to see what is occurring?

-Jim P.





Re: Why is portmap installed by default?

2006-08-20 Thread Jim Popovitch

kevin bailey wrote:
> Why is portmap installed by default on a vanilla basic Debian Sarge install?

Because someone thinks that *every* Debian uses NFS.  Granted, it's not
worth going back to change Sarge's installer, however if Sid or Etch
have this same "anomaly"..

-Jim P.







RE: execute permissions in /tmp

2003-07-13 Thread Jim Popovitch
> -Original Message-
> From: Matt Zimmerman
> Sent: Sunday, 13 July, 2003 23:56
>
> If the user can read files in /tmp, they can execute the code in
> them.  What problem is noexec /tmp supposed to solve?

Microsoft did a related thing a few years ago, they moved the TEMP directory
to the users home directory in Win2K, etc.  Is it time for Debian to do
this?

Note: I am not in any way implying that Debian is behind Microsoft.  ;)

-Jim P.







RE: execute permissions in /tmp

2003-07-12 Thread Jim Popovitch
Well now, that is interesting.  You are absolutely correct about the sticky
bit.  It is the noexec flag that this is happening with, and I agree that it
alone is not a total security solution.  However, it is a piece of a much
bigger pie and really should be enforced.

-Jim P.

> -Original Message-
> From: Noah L. Meyerhans [mailto:[EMAIL PROTECTED] Behalf Of Noah L.
> Meyerhans
> Sent: Saturday, 12 July, 2003 21:34
> To: debian-security@lists.debian.org
> Subject: Re: execute permissions in /tmp
>
>
> On Sat, Jul 12, 2003 at 09:22:45PM -0400, Jim Popovitch wrote:
> > I have a complaint/opinion/statement to express.  It seems that
> every now
> > and then when I run 'apt-get upgrade' i get a lot of errors about "Can't
> > exec "/tmp/config.x": Permission denied at...".  I like to keep my
> > Debian boxen nice and secure, so I 'chmod +t /tmp' to prevent temp files
> > from being executed.  It seems to me that some package
> maintainers aren't
> > aware of issues such as these and are assuming that anything
> can be done in
> > temp.
>
> Couple of things in response to this.  First of all, the +t flag on
> /tmp/ has nothing to do with whether you can execute files there.  From
> chmod(1):
> STICKY DIRECTORIES
>When the sticky bit is set on a directory, files  in  that
>directory may only be unlinked or renamed by root or their
>owner.  (Without the sticky bit, anyone able to  write  to
>the  directory can delete or rename files.) The sticky bit
>is commonly found on directories, such as /tmp, which  are
>world-writable.
>
> Note that +t is the default on /tmp.
>
> Second of all, mounting a filesystem with the noexec flag (assuming
> /tmp is a separate filesystem on your system and this is, in fact, what
> you're doing) has been shown many many times to not provide any level of
> protection.  Try this on your noexec mounted /tmp:
> # cp /bin/ls /tmp/
> # /lib/ld-linux.so.2 /bin/ls
>
> Basically, what it comes down to is that you *can not* prevent files
> from being executed.  Even if you remove the execute bits from /tmp/ls
> in the above example, you'll still be able to run it.
>
> So, save yourself the headache and just remove noexec from /tmp/
>
> noah
>
> --
>  ___
> | Web: http://web.morgul.net/~frodo/
> | PGP Public Key: http://web.morgul.net/~frodo/mail.html
>



execute permissions in /tmp

2003-07-12 Thread Jim Popovitch
I have a complaint/opinion/statement to express.  It seems that every now
and then when I run 'apt-get upgrade' i get a lot of errors about "Can't
exec "/tmp/config.x": Permission denied at...".  I like to keep my
Debian boxen nice and secure, so I 'chmod +t /tmp' to prevent temp files
from being executed.  It seems to me that some package maintainers aren't
aware of issues such as these and are assuming that anything can be done in
temp.

Note these errors from a recent 'apt-get upgrade'

Preconfiguring packages ...
Can't exec "/tmp/config.39341": Permission denied at
/usr/share/perl/5.8.0/IPC/Open3.pm line 159.
open2: exec of /tmp/config.39341 configure 1.64 failed at
/usr/share/perl5/Debconf/ConfModule.pm line 44
base-config failed to preconfigure, with exit status 255
Can't exec "/tmp/config.39343": Permission denied at
/usr/share/perl/5.8.0/IPC/Open3.pm line 159.
open2: exec of /tmp/config.39343 configure 2.2.3a-12 failed at
/usr/share/perl5/Debconf/ConfModule.pm line 44
samba failed to preconfigure, with exit status 255
Can't exec "/tmp/config.39345": Permission denied at
/usr/share/perl/5.8.0/IPC/Open3.pm line 159.
open2: exec of /tmp/config.39345 configure 2.2.3a-12 failed at
/usr/share/perl5/Debconf/ConfModule.pm line 44
samba-common failed to preconfigure, with exit status 255
(Reading database ... 24169 files and directories currently installed.)
Preparing to replace base-passwd 3.5.3 (using
.../base-passwd_3.5.4_i386.deb) ...
Unpacking replacement base-passwd ...
Setting up base-passwd (3.5.4) ...


-Jim P.






RE: Peace is not off topic

2003-03-10 Thread Jim Popovitch
> -Original Message-
> From: Steve Hagerman [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 10, 2003 10:43 PM
>
> These people and their treasonist attitudes make me wish
> that our nation would Enforce the laws against treason.

Right now I would settle for the Debian.org admins to enforce the
mailinglist "laws".  :-/

-Jim P.







RE: Peace is not off topic

2003-03-10 Thread Jim Popovitch
Can we bring some peace to this list?  Please?

-Jim P.





