Re: Microsoft-IIS/6.0 serves up Debian... WTF!

2008-06-08 Thread Lasse Kliemann
* Message by -Jim Popovitch- from Sun 2008-06-08:
 On Sun, Jun 8, 2008 at 12:30 PM, Bernd Eckenfels [EMAIL PROTECTED] wrote:
  In article [EMAIL PROTECTED] you wrote:
  It's mirrors like that, that make me paranoid about Debian Security.
 
  Why is that? IIS is the second most used web server on the market. And since
  mirrors are not a trusted part of software distribution anyway, I don't see
  an issue here.
 
 Here's my issue, please correct me if I am wrong.  .debs and sigs both
 exist on the same server.  If the Windows box/network is compromised,
 then the sigs and debs can be modified and who would know?

The one who checks the 'sigs' will know that, for an attacker will not be 
able to forge cryptographic signatures for his modified packages. These ARE 
cryptographic signatures, or am I mistaken? If I am, then of course you are 
right, and the rationale behind the 'sigs' would have to be questioned in the 
first place.


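The check Lasse is relying on, as an added illustration that is not part of the thread: apt verifies the OpenPGP signature on the Release file with a key that is never stored on the mirror, and every other file on the mirror is tied to that signed file by a chain of SHA-256 digests (Release names the digest of each Packages index, Packages names the digest of each .deb). The Python below implements that hash chain over a constructed mirror snapshot (paths, package contents and digests are made up; gpg's acceptance of the Release signature is assumed to have happened already) and shows that an attacker who rewrites both the .deb and its Packages index is still caught, because the signed Release no longer matches the index.

```python
import hashlib
def sha256(data):
    return hashlib.sha256(data).hexdigest()

def parse_release_sha256(release):
    """{path: (digest, size)} from the 'SHA256:' section of a Release file."""
    entries, in_section = {}, False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        elif in_section:
            break
    return entries

def parse_packages(packages):
    """{Filename: SHA256} for each stanza of a Packages index."""
    stanzas = [dict(l.split(": ", 1) for l in s.splitlines()) for s in packages.strip().split("\n\n")]
    return {s["Filename"]: s["SHA256"] for s in stanzas}

def verify_mirror(files, signed_release):
    """files: {path: bytes} fetched from the mirror.  signed_release: Release bytes whose
    OpenPGP signature gpg already accepted (the signing key is not on the mirror)."""
    indexes = parse_release_sha256(signed_release.decode())
    for path, (digest, size) in indexes.items():        # step 1: indexes vs signed Release
        data = files.get(path, b"")
        if len(data) != size or sha256(data) != digest:
            return False, "index %s does not match signed Release" % path
    for path in indexes:                                # step 2: .debs vs verified indexes
        for deb, digest in parse_packages(files[path].decode()).items():
            if sha256(files.get(deb, b"")) != digest:
                return False, "%s does not match its Packages entry" % deb
    return True, "ok"
DEB = "pool/main/x/xpdf/xpdf_3.02-1.3_i386.deb"   # constructed paths, not real archive contents
IDX = "main/binary-i386/Packages"

def build_snapshot():
    """Constructed mirror: one .deb, its Packages index, and the Release the archive signed."""
    deb = b"constructed .deb bytes"
    pkgs = ("Package: xpdf\nFilename: %s\nSHA256: %s\n" % (DEB, sha256(deb))).encode()
    rel = ("Suite: unstable\nSHA256:\n %s %d %s\n" % (sha256(pkgs), len(pkgs), IDX)).encode()
    return {DEB: deb, IDX: pkgs}, rel
def tamper(files):
    """Mirror compromise: swap the .deb and rewrite Packages to match it; Release cannot be re-signed."""
    files[DEB] = b"modified .deb bytes"
    files[IDX] = ("Package: xpdf\nFilename: %s\nSHA256: %s\n" % (DEB, sha256(files[DEB]))).encode()
    return files
```

Swapping only the .deb fails at step 2; swapping the .deb and its index entry fails at step 1, and forging a matching Release would require the archive's private key.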


Re: [SECURITY] [DSA 1548-1] New xpdf packages fix arbitrary code execution

2008-05-05 Thread Lasse Kliemann
* Message by -Devin Carraway- from Thu 2008-04-17:

 Package: xpdf
 Vulnerability  : multiple
 Problem type   : local (remote)
 Debian-specific: no
 CVE Id(s)  : CVE-2008-1693
 
[...]
 For the unstable distribution (sid), these problems were fixed in
 version 3.02-1.2.

Is that really the case?

I checked the file[1] and found no traces of the fix[2] in it.

[1] http://ftp.de.debian.org/debian/pool/main/x/xpdf/xpdf_3.02-1.3.diff.gz 
[2] http://ftp.de.debian.org/debian/pool/main/x/xpdf/xpdf_3.01-9.1+etch4.diff.gz
file debian/patches/36_CVE-2008-1693_embedded-font-typesafety.patch

Or maybe 3.02 does not need that fix (in contrast to 3.01)? But then, I found 
that the patch 36_CVE-2008-1693_embedded-font-typesafety.patch can be applied 
cleanly against 3.02 sources.

Thank you for a clarification.

Lasse

