Re: Microsoft-IIS/6.0 serves up Debian... WTF!
* Message by -Jim Popovitch- from Sun 2008-06-08:
> On Sun, Jun 8, 2008 at 12:30 PM, Bernd Eckenfels [EMAIL PROTECTED] wrote:
> > In article [EMAIL PROTECTED] you wrote:
> > > It's mirrors like that that make me paranoid about Debian Security.
> > Why is that? IIS is the second most used web server on the market. And since
> > mirrors are not a trusted part of software distribution anyway, I don't see
> > an issue here.
>
> Here's my issue, please correct me if I am wrong. .debs and sigs both exist on
> the same server. If the Windows box/network is compromised, then the sigs and
> debs can be modified and who would know?

The one who checks the 'sigs' will know that, for an attacker will not be able to forge cryptographic signatures for his modified packages. These ARE cryptographic signatures, or am I mistaken? If I am, then of course you are right, and the rationale behind the 'sigs' would have to be questioned in the first place.
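Whether a compromised mirror could swap .debs unnoticed comes down to the chain apt checks: the archive key signs the Release file, Release lists the hash and size of each Packages index, and Packages lists the hash of each .deb, so the mirror holds nothing the client has to trust. The block below is an added example, not part of the thread or of apt, that walks that hash chain over a constructed sample (made-up package, paths and contents); the signature check on Release itself (gpgv against the archive keyring) is assumed to have been done first and is not shown.

```python
import hashlib
import re

# Constructed sample standing in for what a mirror serves: a fake .deb plus the
# Packages index and Release file an archive would publish for it. Paths are made up.
DEB_PATH = "pool/main/e/example/example_1.0-1_amd64.deb"
DEB_BYTES = b"constructed stand-in for the contents of a .deb"
PACKAGES_PATH = "main/binary-amd64/Packages"
PACKAGES_BYTES = ("Package: example\nVersion: 1.0-1\nFilename: %s\nSHA256: %s\n"
                  % (DEB_PATH, hashlib.sha256(DEB_BYTES).hexdigest())).encode()
RELEASE_TEXT = "Suite: stable\nSHA256:\n %s %d %s\n" % (
    hashlib.sha256(PACKAGES_BYTES).hexdigest(), len(PACKAGES_BYTES), PACKAGES_PATH)


def parse_release_sha256(release_text):
    """Map path -> (sha256, size) from the SHA256 block of a Release file."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_block = False  # any other field ends the hash block
    return entries


def parse_packages(packages_text):
    """Map Filename -> SHA256 for every stanza of a Packages index."""
    result = {}
    for stanza in re.split(r"\n\s*\n", packages_text.strip()):
        fields = dict(ln.split(": ", 1) for ln in stanza.splitlines() if ": " in ln)
        result[fields["Filename"]] = fields["SHA256"]
    return result


def verify_deb(release_text, packages_path, packages_bytes, deb_path, deb_bytes):
    """True only if Release vouches for Packages and Packages vouches for the .deb.
    Assumes the signature over Release (Release.gpg / InRelease) was already
    checked against the archive keyring; that, not the mirror, anchors the chain."""
    digest, size = parse_release_sha256(release_text).get(packages_path, (None, -1))
    if len(packages_bytes) != size or hashlib.sha256(packages_bytes).hexdigest() != digest:
        return False  # index missing from, or not matching, the signed Release
    expected = parse_packages(packages_bytes.decode()).get(deb_path)
    return expected is not None and hashlib.sha256(deb_bytes).hexdigest() == expected


if __name__ == "__main__":
    print(verify_deb(RELEASE_TEXT, PACKAGES_PATH, PACKAGES_BYTES, DEB_PATH, DEB_BYTES))  # True
    print(verify_deb(RELEASE_TEXT, PACKAGES_PATH, PACKAGES_BYTES, DEB_PATH, DEB_BYTES + b"!"))  # False
```

A modified .deb, a modified Packages index, or an index the signed Release never listed all fail the check; the only way past it is a forged signature over Release, which is the point made in the reply above.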
Re: [SECURITY] [DSA 1548-1] New xpdf packages fix arbitrary code execution
* Message by -Devin Carraway- from Thu 2008-04-17:
> Package: xpdf
> Vulnerability : multiple
> Problem type : local (remote)
> Debian-specific: no
> CVE Id(s) : CVE-2008-1693
> [...]
> For the unstable distribution (sid), these problems were fixed in version 3.02-1.2.

Is that really the case? I checked the file[1] and found no traces from the fix[2] in it.

[1] http://ftp.de.debian.org/debian/pool/main/x/xpdf/xpdf_3.02-1.3.diff.gz
[2] http://ftp.de.debian.org/debian/pool/main/x/xpdf/xpdf_3.01-9.1+etch4.diff.gz
    file debian/patches/36_CVE-2008-1693_embedded-font-typesafety.patch

Or maybe 3.02 does not need that fix (in contrast to 3.01)? But then, I found that the patch 36_CVE-2008-1693_embedded-font-typesafety.patch can be applied cleanly against 3.02 sources. Thank you for a clarification.

Lasse