RE: [SECURITY] [DSA 3168-1] ruby-redcloth security update
N/A

Regards,
Paweł Gładysz
anixe technology for travel and tourism
home http://www.anixe.pl/

-----Original Message-----
From: Sébastien Delafond [mailto:sdelaf...@gmail.com] On Behalf Of Sebastien Delafond
Sent: Sunday, February 22, 2015 7:02 PM
To: debian-security-annou...@lists.debian.org
Subject: [SECURITY] [DSA 3168-1] ruby-redcloth security update
Importance: High

-------------------------------------------------------------------------
Debian Security Advisory DSA-3168-1                   secur...@debian.org
http://www.debian.org/security/                        Sebastien Delafond
February 22, 2015                       http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ruby-redcloth
CVE ID         : CVE-2012-6684
Debian Bug     : 774748

Kousuke Ebihara discovered that redcloth, a Ruby module used to convert Textile markup to HTML, did not properly sanitize its input. This allowed a remote attacker to perform a cross-site scripting attack by injecting arbitrary JavaScript code into the generated HTML.

For the stable distribution (wheezy), this problem has been fixed in version 4.2.9-2+deb7u2.

For the unstable distribution (sid), this problem has been fixed in version 4.2.9-4.

We recommend that you upgrade your ruby-redcloth packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-- 
To UNSUBSCRIBE, email to debian-security-announce-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/e1yparg-0004mi...@centurion.befour.org

Archive: https://lists.debian.org/547c7563b70e4831ae1be4fdb417e...@satyr.intra.anixe.pl
RE: [SECURITY] [DSA 3165-1] xdg-utils security update
N/A

Regards,
Paweł Gładysz
anixe technology for travel and tourism
home http://www.anixe.pl/

-----Original Message-----
From: Michael Gilbert [mailto:mgilb...@debian.org]
Sent: Sunday, February 22, 2015 6:01 AM
To: debian-security-annou...@lists.debian.org
Subject: [SECURITY] [DSA 3165-1] xdg-utils security update
Importance: High

-------------------------------------------------------------------------
Debian Security Advisory DSA-3165-1                   secur...@debian.org
http://www.debian.org/security/                            Michael Gilbert
February 21, 2015                       http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : xdg-utils
CVE ID         : CVE-2015-1877
Debian Bug     : 22

Jiri Horner discovered a way to cause xdg-open, a tool that automatically opens URLs in a user's preferred application, to execute arbitrary commands remotely. This problem only affects /bin/sh implementations that don't sanitize local variables. Dash, which is the default /bin/sh in Debian, is affected. Bash as /bin/sh is known to be unaffected.

For the stable distribution (wheezy), this problem has been fixed in version 1.1.0~rc1+git20111210-6+deb7u3.

For the upcoming stable (jessie) and unstable (sid) distributions, this problem will be fixed soon.

We recommend that you upgrade your xdg-utils packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

Archive: https://lists.debian.org/e1ypoed-0007aq...@alpha.psidef.org

Archive: https://lists.debian.org/0ad165f6660f407a873639b94fd3c...@satyr.intra.anixe.pl
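Both advisories above only say which version carries the fix, so the practical question for an admin is whether a host is still below it. The Python below is an added example, not Debian's tooling or the advisories' text: it reimplements dpkg's version ordering (epoch, then alternating non-digit and digit runs, with "~" sorting before the end of a string, which matters for the xdg-utils version) and audits constructed `dpkg-query -W` output against the wheezy fixed versions quoted in DSA-3168-1 and DSA-3165-1. On a real host `dpkg --compare-versions` performs the same comparison.

```python
import re
# Fixed versions quoted in DSA-3168-1 and DSA-3165-1 for stable (wheezy).
FIXED_WHEEZY = {"ruby-redcloth": "4.2.9-2+deb7u2",
                "xdg-utils": "1.1.0~rc1+git20111210-6+deb7u3"}

def _order(c):
    # dpkg weight in a non-digit run: '~' < end of string < letters < others
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg-style: alternate non-digit runs (by weight) and digit runs (numeric)
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            diff = _order(a[i:i + 1]) - _order(b[j:j + 1])
            if diff:
                return diff
            i, j = i + 1, j + 1
        na = re.match(r"\d*", a[i:]).group()
        nb = re.match(r"\d*", b[j:]).group()
        i, j = i + len(na), j + len(nb)
        diff = int(na or "0") - int(nb or "0")  # int() ignores leading zeros
        if diff:
            return diff
    return 0

def compare_versions(a, b):
    """Order two Debian version strings: [epoch:]upstream[-revision]."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def audit(dpkg_output):
    """True per advisory package whose installed version predates the fix."""
    status = {}
    for line in dpkg_output.splitlines():
        pkg, ver = line.split()
        if pkg in FIXED_WHEEZY:
            status[pkg] = compare_versions(ver, FIXED_WHEEZY[pkg]) < 0
    return status
# Constructed sample of `dpkg-query -W` output (not from a real host).
SAMPLE_DPKG = "ruby-redcloth 4.2.9-2+deb7u1\nxdg-utils 1.1.0~rc1+git20111210-6+deb7u3\n"
```

`audit(SAMPLE_DPKG)` flags ruby-redcloth (one revision behind the advisory) and clears xdg-utils, which is already at the fixed version.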
Re: OT: how do You protect an email relay service?
On Sat, 30 May 2009, Sthu Deus wrote:

> Good day.
>
> If You use an email relay service, how do You protect it: VMs, iptables connection rate limit, ...?
>
> Personally, I have a problem with email sending authorization: how can I separate the users that do not have their boxes on our service, so that I can ban their attempts to pick up a password? I can not reduce it even to the local net IPs by iptables, as port 25 is used not only for sending for our own users but also for receiving for the local users, as I understand.

Consider using port 587 for submission. Allow only authenticated sessions on port 587, and use port 25 only for communication with other MTAs. See RFC 2746, 3.1.

-- 
Regards,
Paweł Zuzelski
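The split Paweł recommends, as an added configuration example that is not part of the thread (Postfix is an assumption, since no MTA is named): the "before" service takes passwords on port 25, which is exactly what prevents firewalling the guessing attempts without blocking inbound mail; the "after" services accept no authentication on 25 and put authenticated, TLS-only submission on 587.

```text
# /etc/postfix/master.cf (Postfix assumed; the thread names no MTA)

# Before: one service on port 25 doing both jobs. SASL on 25 means anyone
# on the Internet can try passwords, and you cannot firewall it without
# also blocking inbound mail from other MTAs.
#smtp      inet  n  -  -  -  -  smtpd
#  -o smtpd_sasl_auth_enable=yes

# After: port 25 is MTA-to-MTA only, with no password endpoint at all.
# Relaying on 25 is governed by main.cf, e.g.
#   smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtp       inet  n  -  -  -  -  smtpd
  -o smtpd_sasl_auth_enable=no

# Port 587: own users only, TLS required, must authenticate. A separate
# syslog_name lets you count or ban failed logins on this port alone.
submission inet  n  -  -  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

Port 587 can then be restricted to the address ranges your users connect from with iptables, leaving inbound mail on 25 untouched.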
Re: Can not login as root
On Thursday, 4 September 2008, Murat Ohannes Berin wrote:

Try to log in as a single user and change your root password.

> Hi,
>
> I just installed Debian on my laptop. However, I can not log in as root. It says wrong password. I am quite sure I am typing the right password. I am able to log in as the regular user.
>
> Murat

-- 
Regards
Pawel Krzywicki
Debian GNU/Linux User: PawelatWartandotorg kadu:3735326
Registered Linux User: 406139 | PLUG: 1966491030
Re: Root login
On Thursday, 4 September 2008, [EMAIL PROTECTED] wrote:

> I too noticed a similar thing when I installed etch on my new laptop. The solution was as Cerbelle said: log in as a normal user and do sudo (or you can activate root login from the login menu; but I personally consider it really dangerous!)

I am wondering why this is dangerous? If your password is seen as strong, something like FaG34#fCFD12drtfdg for example, why is this dangerous?

> Kishore Chalakkal

-- 
Regards
Pawel Krzywicki
Debian GNU/Linux User: PawelatWartandotorg kadu:3735326
Registered Linux User: 406139 | PLUG: 1966491030
Re: secure installation
On Wednesday 15 August 2007 21:19, Henri Salo wrote:

> On Wed, 15 Aug 2007 14:23:06 -0500 Pat [EMAIL PROTECTED] wrote:
>
>> There are a few security issues I have noticed about Debian's installation.
>>
>> 1) No firewall setup during the install process. As it would be a simple matter to run lokkit at the end of the install, I fail to see why this is not done.
>>
>> 2) Rpfilter and tcp syncookies are not enabled by default. Again this is a simple correction, and indeed has been mentioned in several open source Linux guides for years.
>>
>> 3) Do we really need portmap, inetd, or nfs running by default on our workstations?
>
> There shouldn't be any ports open to the internal network after installation. Where do you need a firewall after installation when you can make one, i.e. with iptables?

Yes, but not everyone is able to make one... There are a lot of people who are using Debian only as a workstation to create, for example, some OO documents, and they really don't need to know what iptables is or some other packages involved in security issues...

> - Henri 'fgeek' Salo

Regards
Pawel
-- 
Proud Debian GNU/Linux User: PawelatWartandotorg kadu:3735326
Registered Linux User: 406139 | PLUG: 1966491030
Home Page: http://www.wartan.org