Re: [SECURITY] [DSA 3074-1] php5 security update

2014-11-18 Thread Mark van Walraven
/usr/lib/php5/sessionclean in the update uses the -z option of sed, but 
sed in wheezy doesn't have that option.


In the update, the critical change:

[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" -F0 | sed -zne "s/^n//p" | xargs -0i echo touch -c -h "'{}'"


previous version:

[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" | awk -- '{ if (NR > 1) { print $9; } }' | xargs -i touch -c {}


Regards,

Mark.


--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/546bc1f5.1060...@mega.co.nz



Re: Any Account Logs In With Any Password

2010-10-27 Thread Mark van Walraven
On Wed, Oct 27, 2010 at 05:22:26PM -0400, Brad Tilley wrote:
> I felt the same way. I understand that I removed authentication by
> accidentally commenting out that line, but I thought that would cause
> authentication to fail. Obviously, authentication is not succeeding,
> it's just that authentication is not happening at all and you can type
> anything and get a shell on the remote system (provided you know a user
> name). In short, that behavior surprised me.

I disagree: if authentication was removed from a system (regardless of
whether by accident or not), I would expect the result to be a system
with no authentication.  Not a system in which authentication had become
impossible.

Perhaps a comment above the line, warning that removing that line removes
the requirement of authentication?

Regards,

Mark.

Archive: http://lists.debian.org/20101027220013.go13...@markv.18londonst.co.nz



Re: proftpd amd64 binaries for DSA-1925?

2009-11-12 Thread Mark van Walraven
Hi,

On Fri, Nov 13, 2009 at 10:04:01AM +1100, Steffen Joeris wrote:
> I just installed proftpd-dfsg version 1.3.0-19etch3 for amd64 into the 
> security archive.

Excellent, thank you.

Mark.




Re: proftpd amd64 binaries for DSA-1925?

2009-11-12 Thread Mark van Walraven
On Wed, Nov 11, 2009 at 11:31:46AM +0100, Sven Hoexter wrote:
> On Wed, Nov 11, 2009 at 10:58:58AM +1300, Mark van Walraven wrote:
> > Greetings,
> > 
> > "Binaries for the amd64 architecture will be released once they are 
> > available."
> > 
> > Has this been overlooked, or just taking a while?
> 
> Looks like the links are still missing in the DSA on the website but the
> packages are on security.d.o since Nov. 2.
>   proftpd-basic_1.3.1-17lenny4_amd64.deb  Nov 02 23:40

Ah yes, but no proftpd_1.3.0-19etch3_amd64.deb (nor powerpc).

Mark.




proftpd amd64 binaries for DSA-1925?

2009-11-10 Thread Mark van Walraven
Greetings,

"Binaries for the amd64 architecture will be released once they are available."

Has this been overlooked, or just taking a while?

Mark.




Re: rootkit not found by rkhunter

2009-10-04 Thread Mark van Walraven
> AFAIK, the best way to know if you're running a stale kernel is to
> compare the uptime of the machine against the mtime of the actual kernel
> (using, e.g. "stat /boot/vmlinuz-2.6.26-2-686").  If the uptime of the
> machine places the last reboot sometime before the kernel was updated,
> you're not up to date.  If there's a better way to test this, I'd love
> to know about it.

Comparing the outputs of:

sed -n 's/[^(]*(Debian \([^)]*\)).*/\1/p' /proc/version

and:

dpkg -s $(dpkg -S $(readlink /vmlinuz) | cut -d: -f1) |
awk '/^Version: / {print $2}'

has worked well for me - thanks to the kernel team for including the
version and revision!

Mark.

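As an added example (not from the post, nor a Debian tool), the two commands above combined into a check that reports whether the running kernel is stale. The /proc/version line and the `dpkg -s` output are constructed samples, and a kernel without a "(Debian ...)" tag is reported as unknown rather than stale.

```shell
#!/bin/sh
# Compare the Debian revision baked into the running kernel with the version
# of the package that owns /vmlinuz. Sample inputs are constructed for offline use.
SAMPLE_PROC_VERSION='Linux version 2.6.26-2-686 (Debian 2.6.26-19lenny2) (dannf@debian.org) (gcc version 4.1.3 20080704 (prerelease) (Debian 4.1.2-25)) #1 SMP Wed Nov 4 20:45:04 UTC 2009'
SAMPLE_DPKG_STATUS='Package: linux-image-2.6.26-2-686
Status: install ok installed
Version: 2.6.26-21
Architecture: i386'

running_kernel_revision() {
  # $1: contents of /proc/version; prints the "(Debian X)" revision, or nothing
  printf '%s\n' "$1" | sed -n 's/[^(]*(Debian \([^)]*\)).*/\1/p'
}

installed_kernel_revision() {
  # $1: output of "dpkg -s <package owning the /vmlinuz target>"
  printf '%s\n' "$1" | awk '/^Version: / {print $2}'
}

kernel_status() {
  # $1: /proc/version text, $2: dpkg -s output
  # Prints "stale", "current" or "unknown" (no Debian tag or no package version).
  running=$(running_kernel_revision "$1")
  installed=$(installed_kernel_revision "$2")
  if [ -z "$running" ] || [ -z "$installed" ]; then
    echo unknown
  elif [ "$running" = "$installed" ]; then
    echo current
  else
    echo stale
  fi
}

# On a live Debian system the two inputs would come from:
#   "$(cat /proc/version)"
#   "$(dpkg -s "$(dpkg -S "$(readlink /vmlinuz)" | cut -d: -f1)")"
echo "running:   $(running_kernel_revision "$SAMPLE_PROC_VERSION")"
echo "installed: $(installed_kernel_revision "$SAMPLE_DPKG_STATUS")"
echo "status:    $(kernel_status "$SAMPLE_PROC_VERSION" "$SAMPLE_DPKG_STATUS")"
```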



Re: Bug#311772: Fwd: Password leaks are security holes

2008-08-28 Thread Mark van Walraven
On Thu, Aug 28, 2008 at 02:37:37PM -0700, Steve Langasek wrote:
> On Thu, Aug 28, 2008 at 09:36:41AM +0200, Giacomo A. Catenazzi wrote:
> > auth.log was invented for this reason, and separated to standard log:
> > it should be readable only by root,
> 
> Then there is a bug in another package if this is what "should" be, because
> /var/log/auth.log is readable by group adm on all my systems.

I see the same (and a sarge box I checked also has that).  I'm surprised
enough by it that I think it must have changed at some point in the past.

I don't think 'readable by group adm' is a reasonable default for 
/var/log/auth.log.  It makes the adm group much less useful.

Regards,

Mark.
