testing/Release not signed by the same key as non-US/testing/Release

2003-12-09 Thread Sebastien Chaumat
Hi,

 Can someone explain why testing/Release is signed with the key ID
30B34DD5 (which I can't trust because I can't find any valid/trustable
source for it), whereas non-US/testing/Release is correctly signed with
the ftp-master 2003 key?

 Thanks,
SEb

P.S.: sorry if this was asked there before; I do not have access to my last
24 hours of debian-security archives.


-- 
Sebastien Chaumat <[EMAIL PROTECTED]>





Re: ptrace vulnerability?

2003-03-18 Thread Sebastien Chaumat
On Tue 18/03/2003 at 13:04, Giacomo Mulas wrote:
> On Tue, 18 Mar 2003, Giacomo Mulas wrote:
> 
> > Alan Cox apparently just made public a vulnerability in the stock
> > kernel which would permit a local user to gain root privileges (see e.g.
> > Linux Today, LWN, the LK mailing list...). Is a patched source package in
> > the making already or should we humble users, in the meantime, take the
> > original patch and apply it, while the "official" thing gets worked out?
> 
> Apparently the kernel source debian package maintainer already answered my
> previous question in the best possible way, making available the patched
> package immediately. The responsivity of the Debian community is really
> something to be proud about: thanks Herbert!

Hi, what packages are available *exactly* and where? I don't see any
upgrade in security nor any DSA...

Thanks,

SEb
> 
> Bye
> Giacomo
> 
> -- 
> _
> 
> Giacomo Mulas <[EMAIL PROTECTED]>
> _
> 
> OSSERVATORIO ASTRONOMICO DI CAGLIARI
> Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
> 
> Tel. (OAC): +39 070 71180 248 Fax : +39 070 71180 222
> Tel. (UNICA): +39 070 675 4916
> _
> 
> "When the storms are raging around you, stay right where you are"
>  (Freddie Mercury)
> _
-- 
Sebastien Chaumat <[EMAIL PROTECTED]>





kernel ptrace bug

2003-03-17 Thread Sebastien Chaumat
Hi,

 Are there already Debian-style countermeasures for
http://www.uwsg.iu.edu/hypermail/linux/kernel/0303.2/0226.html

??

SEb
-- 
Sebastien Chaumat <[EMAIL PROTECTED]>





scrollkeeper loading external (online) DTD

2003-01-08 Thread Sebastien Chaumat
Hi,

 This is a real example:

 The xbill package contains: /usr/share/gnome/help/xbill/C/xbill.xml

 In this file the DTD is referred to by an absolute external link:

http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd

 Thus scrollkeeper-update blindly connects to www.oasis-open.org to get
the docbookx.dtd.

 I can trust signed Debian packages but I can't trust
www.oasis-open.org.

More than 18 files in /usr/share/gnome/help/ induce this download.

I am about to make a bug report against scrollkeeper (for acting blindly,
and downloading the same file more than once) and against packages that
provide the XML files (for using an external DTD instead of providing
it)...

Your opinion?

Cheers,

SEb
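
An audit for the situation described in the message above, as an added example that is not part of the original post and is not scrollkeeper code: it walks a help tree and lists every XML file whose DOCTYPE system identifier is a network URL, so the files that would trigger a download can be counted. The sample tree is constructed; only the xbill path and the DocBook DTD URL come from the post.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# <!DOCTYPE root PUBLIC "pubid" "sysid"> or <!DOCTYPE root SYSTEM "sysid">
DOCTYPE_RE = re.compile(
    r'<!DOCTYPE\s+\S+\s+(?:PUBLIC\s+(?:"[^"]*"|\'[^\']*\')\s+|SYSTEM\s+)'
    r'(?:"([^"]*)"|\'([^\']*)\')')
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def remote_dtd(xml_text):
    """Return the DOCTYPE system identifier if it is a network URL, else None."""
    m = DOCTYPE_RE.search(xml_text)
    if not m:
        return None
    system_id = m.group(1) or m.group(2) or ""
    return system_id if REMOTE_RE.match(system_id) else None


def scan_help_tree(root):
    """Map each *.xml file under root to the remote DTD a parser would fetch."""
    findings = {}
    for path in sorted(Path(root).rglob("*.xml")):
        url = remote_dtd(path.read_text(encoding="utf-8", errors="replace"))
        if url:
            findings[str(path.relative_to(root))] = url
    return findings


def demo():
    """Scan a constructed tree: two files with the remote DTD, one local."""
    remote = ('<?xml version="1.0"?>\n<!DOCTYPE article PUBLIC\n'
              ' "-//OASIS//DTD DocBook XML V4.1.2//EN"\n'
              ' "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">\n')
    local = '<?xml version="1.0"?>\n<!DOCTYPE article SYSTEM "docbookx.dtd">\n'
    files = {"xbill/C/xbill.xml": remote, "other/C/other.xml": remote,
             "ok/C/ok.xml": local}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in files.items():
            p = Path(tmp, name)
            p.parent.mkdir(parents=True)
            p.write_text(body, encoding="utf-8")
        findings = scan_help_tree(tmp)
    return findings, Counter(findings.values())


if __name__ == "__main__":
    for path, url in demo()[0].items():
        print(f"{path}: {url}")
```

Pointing `scan_help_tree` at `/usr/share/gnome/help` gives the per-file list, and counting the returned URLs shows how many files share one remote DTD.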











Re: (fwd) OpenSSH trojan!

2002-08-01 Thread Sebastien Chaumat
On Thu 01/08/2002 at 15:16, Paul Hampson wrote:
> On Thu, Aug 01, 2002 at 02:31:07PM +0200, Sebastien Chaumat wrote:
> >  Is there any source signing mechanism available in Debian?
> 
> There is, in that the MD5 sum of the .orig.tar.gz goes into
> the .dsc file.
> 
> Not that it would affect this case, since the trojan would have
> been in the tar.gz which had its MD5 recorded. Although it
> would only affect people who built the package anyway.
> 

 I guess in the future (see the apt-src and co threads on devel) more
and more people will auto-build packages locally. This will become a
serious issue then.

SEb





Re: (fwd) OpenSSH trojan!

2002-08-01 Thread Sebastien Chaumat
Hi,

 Here's the real(tm) question:

 Is there any source signing mechanism available in Debian?

SEb

P.S.: I didn't find the trojan in the source at ftp.de.debian.org.


On Thu 01/08/2002 at 14:23, Dale Amon wrote:
> On Thu, Aug 01, 2002 at 08:06:21AM -0400, Raymond Wood wrote:
> > Hi,
> > 
> > I have no idea if this affects Debian in any way, shape, or form
> > -- but better safe than sorry, so here it is FYI...
> > 
> > Cheers,
> > Raymond
> 
> It's the same version as current sid, but are we talking
> a source coded trojan? It would have to be if it were to
> slip through to Debian I should think. Anyone talk to the
> debian ssh packager?
> 