php4 vulnerability - is potato affected?

2003-07-17 Thread Robert Varga

Hello All,

Are potato php4 packages (4.0.3pl1-0potato4) affected by the sechole 
warned about in the recent DSA-351-1?

If they are, will there be fixes for potato as well, or should we upgrade
to woody?

Regards,

Robert Varga




Re: 288-1: openssl and stunnel

2003-04-23 Thread Robert Varga


On Thu, 17 Apr 2003, Arthur van Dorp wrote:

> Today's security advisory about openssl speaks about possibly breaking
> existing applications:
> 
> > Unfortunately, RSA blinding is not thread-safe and will cause failures
> > for programs that use threads and OpenSSL such as stunnel.  However,
> > since the proposed fix would change the binary interface (ABI),
> > programs that are dynamically linked against OpenSSL won't run
> > anymore.  This is a dilemma we can't solve.
> 
> As I use stunnel I wonder what these problems might be. I've updated my
> testing machine which is set up similar to my production server and
> didn't find a problem yet. But my testing possibilities are limited on
> this machine.

I guess you won't get these problems when you are running stunnel in
pipe or pipe-client mode. It is supposed to run in multi-threaded mode
only when it is listening on a port.

Just my guess.

Regards,

Robert Varga



Re: Kernel 2.2.15 hole ?

2001-03-12 Thread Robert Varga

There were some other security holes in the kernel which were corrected in
2.2.19pre9 or somewhere around that pre-release concerning the
signed/unsigned usage of some int variables.
   
I think this is a sufficient reason for upgrading.

Regards,

Robert Varga

On Mon, 5 Mar 2001, David Wright wrote:

> Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):
> > On Mon, Mar 05, 2001 at 03:31:07AM -0900, Ethan Benson wrote:
> > > On Thu, Mar 01, 2001 at 03:34:21AM +, Stephen Walton wrote:
> 
> > > > Has anyone seen the announcement about a root exploit
> > > > in the 2.2.15 and earlier kernel versions as posted
> >  
> > > yes ages ago.  
> >  
> > > > Does this apply to the debian kernels?
> > > 
> > > depends what debian kernel, i think some of them had backported
> > > patches, but really there is no reason to be running anything that
> > > old.  upgrade to 2.2.18. 
> > 
> > I purposely have a policy of not upgrading software (including the
> > kernel) unless there is a good reason to do so, either with new
> > functionality that is required, or for security reasons. I have
> > no objections to upgrading in this instance, but I was more
> > concerned that a search on Debian's archives did not show this
> > as a security issue.
> 
> Perhaps it's at http://www.uk.debian.org/security/2000/2612 ?
> i.e. 2.2.15-3 is patched.
> 
> Cheers,
> 
> -- 
> Email:  [EMAIL PROTECTED]   Tel: +44 1908 653 739  Fax: +44 1908 655 151
> Snail:  David Wright, Earth Science Dept., Milton Keynes, England, MK7 6AA
> Disclaimer:   These addresses are only for reaching me, and do not signify
> official stationery. Views expressed here are either my own or plagiarised.
> 
> 




buffer overflow in pine <= 4.21

2000-11-03 Thread Robert Varga

Is the debianized pine4.21 vulnerable to the long From address buffer
overflow vulnerability, which is corrected in 4.30 upstream?

Regards,

Robert Varga




Re: I want to try something for freedom.

2000-11-02 Thread Robert Varga

Yes, but it is in every aspect similar to what the person who wrote the
first letter in this thread wants to do or is advised to do, namely to
reverse-engineer the operation of a working system which is developed only
for win* and based on proprietary algorithms. That's exactly the same as what
the person writing the DeCSS has done. Hence the company creating the
authentication software would probably sue the person writing the first
letter and could expect that the result would be the same as the DeCSS
lawsuit, and it is currently lost. If this happens before the DeCSS
lawsuit is finished in the Supreme Court, then the result will be likely
the same as the first stages of the DeCSS lawsuit, meaning probably lost.

This is only my two-pence of course, but I could not stand not to point
out the similarities between the two situations.

Regards,

Robert Varga


On Thu, 2 Nov 2000, Alexander Hvostov wrote:

> Robert,
> 
> Keep in mind that case is in appeal, and is quite likely to wind up in the
> Supreme Court. It is, in every way I can imagine, a Constitutional case,
> and has every reason to be heard by the Supreme Court. I hope the Supreme
> Court Justices agree...
> 
> Regards,
> 
> Alex.
> 
> ---
> PGP/GPG Fingerprint:
>   EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9
> 
> -BEGIN GEEK CODE BLOCK-
> Version: 3.12
> GCS/CM>CC/IT d- s:+ a16 C++()>$ UL>$ P--- L++>++$ E+ W+(-) N+ o? K? w---() 
> !O !M !V PS+(++)>+ PE-(--) Y+>+ PGP t+>++ !5 X-- R>++ tv(+) b+(++) DI(+) D++ 
> G>+++ e--> h! !r y>+++ 
> --END GEEK CODE BLOCK--
> 
> On Thu, 2 Nov 2000, Robert Varga wrote:
> 
> > 
> > 
> > On Wed, 1 Nov 2000, Patrick Maheral wrote:
> > 
> > > On Wed, 1 Nov 2000, Alexander Hvostov wrote:
> > > > Penguin,
> > > > 
> > > > Because the patents and IP on your radio expired a long time ago. The ones
> > > > on the algorithms haven't. :)
> > > > 
> > > > Regards,
> > > 
> > > Isn't there a provision in American (or Canadian) law that allows reverse
> > > engineering (not disassembling code) for interoperability purposes?
> > > 
> > > Patrick
> > 
> > In the DeCSS (2600.org vs. MPAA) lawsuit this law did not protect the
> > author of DeCSS and 2600.org from losing the suit, no matter that they
> > tried to defend referring to this law.
> > 
> > Regards,
> > 
> > Robert Varga 
> > 
> > 
> 
> 



Re: I want to try something for freedom.

2000-11-02 Thread Robert Varga


On Wed, 1 Nov 2000, Patrick Maheral wrote:

> On Wed, 1 Nov 2000, Alexander Hvostov wrote:
> > Penguin,
> > 
> > Because the patents and IP on your radio expired a long time ago. The ones
> > on the algorithms haven't. :)
> > 
> > Regards,
> 
> Isn't there a provision in American (or Canadian) law that allows reverse
> engineering (not disassembling code) for interoperability purposes?
> 
> Patrick

In the DeCSS (2600.org vs. MPAA) lawsuit this law did not protect the
author of DeCSS and 2600.org from losing the suit, no matter that they
tried to defend referring to this law.

Regards,

Robert Varga 




Re: I want to try something for freedom.

2000-11-01 Thread Robert Varga



On Wed, 1 Nov 2000, Patrick Maheral wrote:

> On Wed, 1 Nov 2000, Alexander Hvostov wrote:
> > Penguin,
> > 
> > Because the patents and IP on your radio expired a long time ago. The ones
> > on the algorithms haven't. :)
> > 
> > Regards,
> 
> Isn't there a provision in American (or Canadian) law that allows reverse
> engineering (not disassembling code) for interoperability purposes?
> 
> Patrick

In the DeCSS (2600.org vs. MPAA) lawsuit this law did not protect the
author of DeCSS and 2600.org from losing the suit, no matter that they
tried to defend referring to this law.

Regards,

Robert Varga 



su vulnerability

2000-10-09 Thread Robert Varga

There is a su exploit discussed at SecurityPortal which is working on
RedHat 6.2
(http://www.securityportal.com/research/exploits/linux/20001003-linux-su.txt)

Is Debian vulnerable to it?

And there is another regarding ssh.

Regards,

Robert Varga


