Re: Sendmail vulnerability : is Debian falling behind?
Rich Puhek wrote:
> Jeremy T. Bouse wrote:
>> It's been discussed plenty on the Debian mailing lists as well as having the package maintainer give an update on the status of the packages that are being prepared/ready at this time... Might suggest checking a bit further before making such a rash judgement on issues already being dealt with... RedHat and SuSe have commercial money to throw at it... Debian is run by volunteers... As well RedHat and SuSe do not support nearly as many platforms as Debian, so it sometimes takes a bit to get all the packages compiled on all the platforms prior to making an announcement so they are all available...
>>
>> Jeremy
>>
>> On Mon, Mar 03, 2003 at 03:17:16PM -0600, Jor-el wrote:
>
> Woah... easy on Jor-el, everyone. He wasn't slamming Debian's schedule on security updates so much as being concerned about whether Debian was being given the same early notification of vulnerabilities as RedHat, SuSe, and other vendors. As mentioned in another thread, Debian didn't appear to be on the list of vendors notified by CERT (see http://www.cert.org/advisories/CA-2003-07.html).
>
> -- Rich

Hmm, I don't think so. Debian WAS notified by CERT (see http://www.kb.cert.org/vuls/id/JPLA-5K6Q3L).

Cya
Arnd
Re: Sendmail vulnerability : is Debian falling behind?
It's been discussed plenty on the Debian mailing lists as well as having the package maintainer give an update on the status of the packages that are being prepared/ready at this time... Might suggest checking a bit further before making such a rash judgement on issues already being dealt with... RedHat and SuSe have commercial money to throw at it... Debian is run by volunteers... As well RedHat and SuSe do not support nearly as many platforms as Debian, so it sometimes takes a bit to get all the packages compiled on all the platforms prior to making an announcement so they are all available...

Jeremy

On Mon, Mar 03, 2003 at 03:17:16PM -0600, Jor-el wrote:
> Hi,
>
> In case no one noticed, news of a Sendmail vulnerability appeared on Slashdot. The really interesting piece of the story for me was the portion of the blurb which said ...RedHat and OpenBSD have already issued patches.links to an update from SuSE, too. What about Debian? I just looked at http://security.debian.org and see no mention of this vulnerability.
>
> I don't use Sendmail myself. Nevertheless I am still concerned that the people who notify vendors are not notifying Debian ahead of time before vulnerabilities are publicly announced. Is that the case? Can someone in the know comment?
>
> Thanks,
> Jor-el
Re: Sendmail vulnerability : is Debian falling behind?
On Monday 03 March 2003 23:06, Jeremy T. Bouse wrote:
> In case no one noticed, news of a Sendmail vulnerability appeared on Slashdot. The really interesting piece of the story for me was the portion of the blurb which said ...RedHat and OpenBSD have already issued patches.links to an update from SuSE, too.

Mandrake released patched versions for all of their versions a few hours ago too...

--
(°-   Bernard Lheureux, manager of the ML, TechML, LinuxML mailing lists
//\   http://www.bbsoft4.org/Mailinglists.htm ** MailTo:[EMAIL PROTECTED]
v_/_  http://www.bbsoft4.org/ * http://www.portalinux.org/
Re: Sendmail vulnerability : is Debian falling behind?
Quoting Bernard Lheureux [EMAIL PROTECTED]:
> On Monday 03 March 2003 23:06, Jeremy T. Bouse wrote:
>> In case no one noticed, news of a Sendmail vulnerability appeared on Slashdot. The really interesting piece of the story for me was the portion of the blurb which said ...RedHat and OpenBSD have already issued patches.links to an update from SuSE, too.
>
> Mandrake released patched versions for all of their versions a few hours ago too...

Put a little faith in Debian developers. I have no reason to believe they would leave this vulnerability unpatched.

Cheers,
Joost.

--
(2*b) || !(2*b) == 1
- Support open source software like - Linux - Apache - PHP - MySQL - Horde and many others
RE: Sendmail vulnerability : is Debian falling behind?
Debian co-ordinates between quite a few hardware types, that takes time.

If at the end of the day you believe Mandrake is better go install Mandrake. Before you do take a look at how many bugs/patches Mandrake has announced v Debian over say the last year. I wouldn't be surprised if 1) Debian is on average quicker, 2) the packaging system and pre-work the developers do means some of these bugs are already ironed out so are never exploitable, so Debian never needs to release an advisory.

regards

Thing

-----Original Message-----
From: Bernard Lheureux [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 4 March 2003 12:35
To: debian-security@lists.debian.org
Cc: Jeremy T. Bouse
Subject: Re: Sendmail vulnerability : is Debian falling behind?

On Monday 03 March 2003 23:06, Jeremy T. Bouse wrote:
> In case no one noticed, news of a Sendmail vulnerability appeared on Slashdot. The really interesting piece of the story for me was the portion of the blurb which said ...RedHat and OpenBSD have already issued patches.links to an update from SuSE, too.

Mandrake released patched versions for all of their versions a few hours ago too...

--
(°-   Bernard Lheureux, manager of the ML, TechML, LinuxML mailing lists
//\   http://www.bbsoft4.org/Mailinglists.htm ** MailTo:[EMAIL PROTECTED]
v_/_  http://www.bbsoft4.org/ * http://www.portalinux.org/
Re: Sendmail vulnerability : is Debian falling behind?
Jeremy T. Bouse wrote:
> It's been discussed plenty on the Debian mailing lists as well as having the package maintainer give an update on the status of the packages that are being prepared/ready at this time... Might suggest checking a bit further before making such a rash judgement on issues already being dealt with... RedHat and SuSe have commercial money to throw at it... Debian is run by volunteers... As well RedHat and SuSe do not support nearly as many platforms as Debian, so it sometimes takes a bit to get all the packages compiled on all the platforms prior to making an announcement so they are all available...
>
> Jeremy
>
> On Mon, Mar 03, 2003 at 03:17:16PM -0600, Jor-el wrote:

Woah... easy on Jor-el, everyone. He wasn't slamming Debian's schedule on security updates so much as being concerned about whether Debian was being given the same early notification of vulnerabilities as RedHat, SuSe, and other vendors. As mentioned in another thread, Debian didn't appear to be on the list of vendors notified by CERT (see http://www.cert.org/advisories/CA-2003-07.html).

-- Rich

_
Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746
tel: 218.262.1130
email: [EMAIL PROTECTED]
_