Re: [SECURITY] [DSA 3074-1] php5 security update
/usr/lib/php5/sessionclean in the update uses the -z option of sed, but sed in wheezy doesn't have that option.

In the update, the critical change:

    [ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" -F0 | sed -zne "s/^n//p" | xargs -0i echo touch -c -h "'{}'"

previous version:

    [ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" | awk -- '{ if (NR > 1) { print $9; } }' | xargs -i touch -c {}

Regards,

Mark.

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/546bc1f5.1060...@mega.co.nz
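An added example, not from the DSA and not Debian's sessionclean script: the same NUL-delimited `lsof -F0` parsing done with bash's `read -d ''` instead of `sed -z`, so it runs on a wheezy sed (4.2.1; `-z` arrived in GNU sed 4.2.2). The lsof output below is constructed, the function names are mine, and the final `touch` is echoed rather than executed so the script can be run anywhere. It requires bash, not dash.

```bash
#!/bin/bash
# Added example (not the Debian sessionclean script): parse `lsof -F0`
# NUL-terminated field records without `sed -z`.
#
# lsof -F0 emits each field as <tag><value>NUL and ends every process or
# file set with a newline, so a record read up to the next NUL may start
# with the newline that closed the previous set. The loop strips that one
# newline before testing for the 'n' (file name) tag. Because names are
# kept NUL-terminated end to end, a name containing a newline survives.

# Read NUL-delimited lsof -F0 records on stdin; print each file name
# NUL-terminated on stdout, ready for `xargs -0`.
lsof_f0_names() {
    local rec
    while IFS= read -r -d '' rec; do
        rec=${rec#$'\n'}            # newline that terminated the previous set
        case $rec in
            n*) printf '%s\0' "${rec#n}" ;;
        esac
    done
}

# Constructed sample of what `lsof -w -l +d DIR -F0` prints for one process
# holding three session files open (made up for this example, not real
# lsof output). The third name deliberately contains a newline.
sample_f0_output() {
    printf 'p1234\0\nf3\0a r\0n/var/lib/php5/sess_abc\0\nf4\0a r\0n/var/lib/php5/sess with space\0\nf5\0a r\0n/var/lib/php5/sess_x\ny\0\n'
}

# Number of names recovered (counts NUL terminators, so a newline inside
# a name does not inflate the count).
count_names() {
    sample_f0_output | lsof_f0_names | tr -dc '\000' | wc -c
}

# Names one per line, for eyeballing; note the newline-bearing name is
# split across two lines here, which is exactly why the real pipeline
# stays NUL-delimited.
names_as_lines() {
    sample_f0_output | lsof_f0_names | tr '\0' '\n'
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    # Dry run of what sessionclean would do: echo instead of touch.
    sample_f0_output | lsof_f0_names | xargs -0 -I{} echo touch -c -h "{}"
fi
```

On a real host the `sample_f0_output` stage is replaced by `/usr/bin/lsof -w -l +d "$dir" -F0`, and the `echo` is dropped once the output looks right.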
Re: Any Account Logs In With Any Password
On Wed, Oct 27, 2010 at 05:22:26PM -0400, Brad Tilley wrote:
> I felt the same way. I understand that I removed authentication by
> accidentally commenting out that line, but I thought that would cause
> authentication to fail. Obviously, authentication is not succeeding,
> it's just that authentication is not happening at all and you can type
> anything and get a shell on the remote system (provided you know a user
> name). In short, that behavior surprised me.

I disagree: if authentication was removed from a system (regardless of whether by accident or not), I would expect the result to be a system with no authentication. Not a system in which authentication had become impossible.

Perhaps a comment above the line, warning that removing that line removes the requirement of authentication?

Regards,

Mark.

Archive: http://lists.debian.org/20101027220013.go13...@markv.18londonst.co.nz
Re: proftpd amd64 binaries for DSA-1925?
Hi,

On Fri, Nov 13, 2009 at 10:04:01AM +1100, Steffen Joeris wrote:
> I just installed proftpd-dfsg version 1.3.0-19etch3 for amd64 into the
> security archive.

Excellent, thank you.

Mark.
Re: proftpd amd64 binaries for DSA-1925?
On Wed, Nov 11, 2009 at 11:31:46AM +0100, Sven Hoexter wrote:
> On Wed, Nov 11, 2009 at 10:58:58AM +1300, Mark van Walraven wrote:
> > Greetings,
> >
> > "Binaries for the amd64 architecture will be released once they are
> > available."
> >
> > Has this been overlooked, or just taking a while?
>
> Looks like the links are still missing in the DSA on the website but the
> packages are on security.d.o since Nov. 2.
> proftpd-basic_1.3.1-17lenny4_amd64.deb Nov 02 23:40

Ah yes, but no proftpd_1.3.0-19etch3_amd64.deb (nor powerpc).

Mark.
proftpd amd64 binaries for DSA-1925?
Greetings,

"Binaries for the amd64 architecture will be released once they are available."

Has this been overlooked, or just taking a while?

Mark.
Re: rootkit not found by rkhunter
> AFAIK, the best way to know if you're running a stale kernel is to
> compare the uptime of the machine against the mtime of the actual kernel
> (using, e.g. "stat /boot/vmlinuz-2.6.26-2-686"). If the uptime of the
> machine places the last reboot sometime before the kernel was updated,
> you're not up to date. If there's a better way to test this, I'd love
> to know about it.

Comparing the outputs of:

    sed -n 's/[^(]*(Debian \([^)]*\)).*/\1/p' /proc/version

and:

    dpkg -s $(dpkg -S $(readlink /vmlinuz) | cut -d: -f1) | awk '/^Version: / {print $2}'

has worked well for me - thanks to the kernel team for including the version and revision!

Mark.
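An added example, not from the post: the two commands above wrapped as bash functions, with a constructed /proc/version line so the parsing and the comparison can be exercised without a Debian host. The function names and the sample string are mine; the live check only makes sense on a Debian system with a /vmlinuz symlink.

```bash
#!/bin/bash
# Added example (not from the list post): running-vs-installed Debian
# kernel version check, built from the two commands in the post.

# Pull "upstream-revision" (e.g. 2.6.26-26lenny1) out of one /proc/version
# line. Debian's kernel build puts it in parentheses after "Debian"; for a
# kernel that Debian did not build this prints nothing, which is itself
# worth knowing when hunting for stale or foreign kernels.
running_version_from() {            # arg: one /proc/version line
    printf '%s\n' "$1" | sed -n 's/[^(]*(Debian \([^)]*\)).*/\1/p'
}

debian_running_version() {
    running_version_from "$(cat /proc/version)"
}

# Version of the package that owns the image /vmlinuz points at
# (readlink gives "boot/vmlinuz-..." on Debian, which dpkg -S matches).
debian_installed_version() {
    dpkg -s "$(dpkg -S "$(readlink /vmlinuz)" | cut -d: -f1)" \
        | awk '/^Version: / {print $2}'
}

# 0 when the running kernel matches the installed package exactly,
# 1 when they differ or either side could not be determined.
kernel_versions_match() {           # args: running installed
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Human-readable verdict; same exit status as kernel_versions_match.
kernel_verdict() {                  # args: running installed
    if kernel_versions_match "$1" "$2"; then
        printf 'running %s == installed %s: up to date\n' "$1" "$2"
    else
        printf 'running "%s" != installed "%s": reboot needed, or not a Debian kernel\n' "$1" "$2"
        return 1
    fi
}

# Constructed /proc/version line in the lenny-era format (made up for this
# example; not copied from any real machine).
SAMPLE_PROC_VERSION='Linux version 2.6.26-2-686 (Debian 2.6.26-26lenny1) (builder@example.invalid) (gcc version 4.1.3) #1 SMP Thu Jan 1 00:00:00 UTC 2009'

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    # Demo on the constructed line. On a Debian host run instead:
    #   kernel_verdict "$(debian_running_version)" "$(debian_installed_version)"
    kernel_verdict "$(running_version_from "$SAMPLE_PROC_VERSION")" 2.6.26-26lenny1
fi
```

The empty-string guard in `kernel_versions_match` matters: without it a non-Debian kernel (sed prints nothing) compared against a missing package (awk prints nothing) would report a match.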
Re: Bug#311772: Fwd: Password leaks are security holes
On Thu, Aug 28, 2008 at 02:37:37PM -0700, Steve Langasek wrote:
> On Thu, Aug 28, 2008 at 09:36:41AM +0200, Giacomo A. Catenazzi wrote:
> > auth.log was invented for this reason, and separated to standard log:
> > it should be readable only by root,
>
> Then there is a bug in another package if this is what "should" be, because
> /var/log/auth.log is readable by group adm on all my systems.

I see the same (and a sarge box I checked also has that). I'm surprised enough by it that I think it must have changed at some point in the past.

I don't think 'readable by group adm' is a reasonable default for /var/log/auth.log. It makes the adm group much less useful.

Regards,

Mark.