Re: [expert] Security Lists
On Thu Jan 18, 2001 at 05:35:50PM -0500, b5dave wrote:

> Okay, well the Security Announce is working for me again; just got the
> glibc advisory. Thanks for the work Vincent, and sorry if I was overly
> critical.

I understand the concern, Dave, believe me! Especially in light of this worm (talk about timing, eh?). No worries, and I'm just happy the list is back in working order.

For those who are concerned about any missed advisories, please visit www.linux-mandrake.com/en/security and select the distribution you are using. Or you can view the mdk-security archive at www.freezer-burn.org/lists/mdk-security/ which also contains the missed advisories. Or you can fire up MandrakeUpdate and update everything that needs to be updated.

-- 
[EMAIL PROTECTED], OpenPGP key available on www.keyserver.net
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
- Danen Consulting Services www.danen.net, www.freezer-burn.org
- MandrakeSoft, Inc. Security www.linux-mandrake.com
Current Linux uptime: 2 days 3 hours 50 minutes.

Re: [expert] Security Lists
On Wed Jan 17, 2001 at 01:47:49PM -0600, duane voth wrote:

> My intention is not to criticize but to offer an idea and
> help balance the sense of urgency.

I understand.

> >> One expects to be the first notified
> >> of Mandrake security issues when one is subscribed to
> >> Mandrake's security-announce. There's an implied if not explicit
> >> expectancy that the list should be sufficient for being alerted to
> >> Mandrake security issues. ... It is analogous to some virus or
> >> trojan disabling my system's local security warnings.
>
> > While I think your comparison is ridiculous, I do agree that the list
> > needs to be fixed.
>
> Extreme maybe but not ridiculous. With mass mailing of security
> problems the game becomes a race to see who can a) exploit the weakness
> or b) fix the weakness first. I fully support the idea of posting
> security problems because this gives sysadmins at least a fighting
> chance. But the information IS timely and communication lines must
> be "fast" and reliable.

Well, it is ridiculous. It's a silly comparison. A broken mailing list similar to a virus? I don't think so. It's not like that mailing list is the *only* avenue for becoming aware of updates. There are other means just as easy, convenient, and simple as the mailing list (which, FYI, is fixed now).

> > However, I became aware of this problem two days
> > ago. If this has been going on for a month, then someone should have
> > said something.
>
> Agreed - except people on the receiving end of the list don't know
> when they have not received a message. Perhaps for those who need
> up-to-the-minute reports, there could be a version of the list that
> sends out a "deadman" message once per day. Folks who need this info,
> and check their email constantly, would feel more secure about receiving
> up-to-date reports, and thus then could also provide feedback sooner.

I don't think that's necessary. If people want that kind of redundancy, they can subscribe to mdk-security (a mailing list I run from my Freezer Burn website) or bugtraq (securityfocus) or linuxlist (securityportal). I cc the advisories to those three lists in addition to security-announce.

If anyone is interested in subscribing to mdk-security, you can do so by emailing [EMAIL PROTECTED] For the others, visit www.securityfocus.com or www.securityportal.com for instructions on how to subscribe to those lists.

Your best bet is either the securityportal list or mdk-security... messages to mdk-security go out about 10 seconds after I post to the list since the server is 2 feet from me. Messages to linuxlist (from securityportal) are received in my mailbox within 10 minutes (more often than not).

> Many users might not want this much traffic, but I think it is desirable
> for sysadmins with a lot of responsibility.

I think the above idea (redundancy in mailing lists by subscribing to another of the three previously mentioned) is a better idea than creating a new "security-announce-deadman" list.

> > At this point the going is slow to find a fix because that individual
> > is gone for the week, but rest assured we are trying to get this fixed
> > ASAP.
>
> Great, thanks for the extra effort.

You're welcome. And it's fixed now (thanks to jloup for that!)

-- 
[EMAIL PROTECTED], OpenPGP key available on www.keyserver.net
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
- Danen Consulting Services www.danen.net, www.freezer-burn.org
- MandrakeSoft, Inc. Security www.linux-mandrake.com
Current Linux uptime: 2 days 3 hours 43 minutes.

Re: [expert] Security Lists
Okay, well the Security Announce is working for me again; just got the glibc advisory. Thanks for the work Vincent, and sorry if I was overly critical.

Dave.

Vincent wrote:

> At this point the going is slow to find a fix because that individual
> is gone for the week, but rest assured we are trying to get this fixed
> ASAP.

Re: [expert] Security Lists
My intention is not to criticize but to offer an idea and help balance the sense of urgency.

Vincent Danen wrote:

> On Tue Jan 16, 2001 at 04:23:15PM -0500, b5dave wrote:
>> One expects to be the first notified
>> of Mandrake security issues when one is subscribed to
>> Mandrake's security-announce. There's an implied if not explicit
>> expectancy that the list should be sufficient for being alerted to
>> Mandrake security issues. ... It is analogous to some virus or
>> trojan disabling my system's local security warnings.

> While I think your comparison is ridiculous, I do agree that the list
> needs to be fixed.

Extreme maybe but not ridiculous. With mass mailing of security problems the game becomes a race to see who can a) exploit the weakness or b) fix the weakness first. I fully support the idea of posting security problems because this gives sysadmins at least a fighting chance. But the information IS timely and communication lines must be "fast" and reliable.

> However, I became aware of this problem two days
> ago. If this has been going on for a month, then someone should have
> said something.

Agreed - except people on the receiving end of the list don't know when they have not received a message. Perhaps for those who need up-to-the-minute reports, there could be a version of the list that sends out a "deadman" message once per day. Folks who need this info, and check their email constantly, would feel more secure about receiving up-to-date reports, and thus then could also provide feedback sooner.

Many users might not want this much traffic, but I think it is desirable for sysadmins with a lot of responsibility.

> At this point the going is slow to find a fix because that individual
> is gone for the week, but rest assured we are trying to get this fixed
> ASAP.

Great, thanks for the extra effort.

duane

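The "deadman" idea in the message above and the redundancy Vincent proposes in his reply (subscribing to a second list that is cc'd the same advisories) can both be checked on the subscriber side. This is an added example, not code from the thread or from Mandrake; the function names, the 36-hour threshold, the sample messages and the assumption that a cc'd advisory keeps one Message-ID on every list are illustrative.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime


def index_by_message_id(raw_messages):
    """Map Message-ID -> Date for raw RFC 822 messages that carry both headers."""
    seen = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        mid, date = msg.get("Message-ID"), msg.get("Date")
        if mid and date:
            seen[mid.strip()] = parsedate_to_datetime(date)
    return seen


def check_feed(primary, backup, now, max_silence=timedelta(hours=36)):
    """Deadman check on the primary list plus a cross-check against a backup list."""
    p, b = index_by_message_id(primary), index_by_message_id(backup)
    last_seen = max(p.values(), default=None)
    stale = last_seen is None or now - last_seen > max_silence
    # Assumption: a cc'd advisory keeps one Message-ID on every list it reaches.
    missing = sorted(mid for mid in b if mid not in p)
    return {"last_seen": last_seen, "stale": stale, "missing": missing}


def make(mid, date, subject):
    """Build a constructed sample message (not real list traffic)."""
    return f"Message-ID: {mid}\nDate: {date}\nSubject: {subject}\n\n(body)\n"


# Constructed sample: the primary list goes quiet after 18 Dec 2000 while the
# backup list keeps delivering; hosts and IDs are placeholders.
A = make("<adv-a@example.invalid>", "Mon, 18 Dec 2000 12:00:00 +0000", "advisory A")
B = make("<adv-b@example.invalid>", "Wed, 10 Jan 2001 09:00:00 +0000", "advisory B")
C = make("<adv-c@example.invalid>", "Wed, 10 Jan 2001 09:05:00 +0000", "advisory C")
HEARTBEAT = make("<hb-0116@example.invalid>", "Tue, 16 Jan 2001 06:00:00 +0000",
                 "deadman heartbeat")
PRIMARY, BACKUP = [A], [A, B, C]
NOW = datetime(2001, 1, 16, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    quiet = check_feed(PRIMARY, BACKUP, NOW)
    print("stale:", quiet["stale"], "missing:", quiet["missing"])
    # A heartbeat proves the list is alive but does not recover lost advisories.
    alive = check_feed(PRIMARY + [HEARTBEAT], BACKUP, NOW)
    print("stale:", alive["stale"], "missing:", alive["missing"])
```
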
Re: [expert] Security Lists
Vincent,

Vincent Danen wrote:

> ago. If this has been going on for a month, then someone should have
> said something. However, on the same token, two individuals now have
> indicated that they did in fact receive messages, so it makes it even
> more unclear. Unfortunately, the timing is very bad as our "mailing
> list guru" is gone for the week and I don't know anything about sympa
> nor have access to fix anything if it is indeed broken.

Some have already noted that the last security message was Dec 18th... interestingly, it was on Dec 19th that I posted my analysis of message replication. Denis responded privately and we exchanged some ideas; though I'm not sure if he made any changes at that time.

Also coincidentally, on Jan 10, he sent me this:

> I added something really nasty to .procmailrc:
>
> :0 Wh: dupes.lock
> | formail -D 8192 dupes.cache
>
> No cross posting of any kind can get through this anymore ;->

The exchanges match the dates others have mentioned...

HTH,
Pierre

Re: [expert] Security Lists
On Tue Jan 16, 2001 at 04:23:15PM -0500, b5dave wrote:

> > No, that is not the case at all. It's not useless and it's not
> > dangerous. We're just having some difficulty with it.
>
> Sorry, but I must disagree. One expects to be the first notified
> of Mandrake security issues when one is subscribed to
> Mandrake's security-announce. There's an implied if not explicit
> expectancy that the list should be sufficient for being alerted to
> Mandrake security issues. I'm not saying the list has always been
> useless and dangerous, and I'm not saying the list will always be
> such. But the list has been down for just about a month, and as far as I
> can tell, is still down. So at present, assuming the list is still
> down, it is indeed useless and dangerous simply because people expect
> it to be both functional and current. It is analogous to some virus or
> trojan disabling my system's local security warnings.

While I think your comparison is ridiculous, I do agree that the list needs to be fixed. However, I became aware of this problem two days ago. If this has been going on for a month, then someone should have said something. However, on the same token, two individuals now have indicated that they did in fact receive messages, so it makes it even more unclear. Unfortunately, the timing is very bad as our "mailing list guru" is gone for the week and I don't know anything about sympa nor have access to fix anything if it is indeed broken.

At this point the going is slow to find a fix because that individual is gone for the week, but rest assured we are trying to get this fixed ASAP.

But comparing the list being down to a virus or trojan is probably the worst analogy I've ever heard.

-- 
[EMAIL PROTECTED], OpenPGP key available on www.keyserver.net
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
- Danen Consulting Services www.danen.net, www.freezer-burn.org
- MandrakeSoft, Inc. Security www.linux-mandrake.com
Current Linux uptime: 5 hours 17 minutes.

Re: [expert] Security Lists
Vincent,

> No, that is not the case at all. It's not useless and it's not
> dangerous. We're just having some difficulty with it.

Sorry, but I must disagree. One expects to be the first notified of Mandrake security issues when one is subscribed to Mandrake's security-announce. There's an implied if not explicit expectancy that the list should be sufficient for being alerted to Mandrake security issues. I'm not saying the list has always been useless and dangerous, and I'm not saying the list will always be such. But the list has been down for just about a month, and as far as I can tell, is still down. So at present, assuming the list is still down, it is indeed useless and dangerous simply because people expect it to be both functional and current. It is analogous to some virus or trojan disabling my system's local security warnings.

peace,
dave.

Re: [expert] Security Lists
On Tue Jan 16, 2001 at 06:52:58PM +, bascule wrote:

> fwiw i had a whole load on jan11th plus one today and others previous, does
> this mean that may be some i have missed or are only some folk not seeming to
> get them?

You got a whole bunch? Do you recall what they were for? I posted a number on the 10th that may have been sent out on the 11th if there was a significant delay. Do you know what advisory numbers you received?

-- 
[EMAIL PROTECTED], OpenPGP key available on www.keyserver.net
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
- Danen Consulting Services www.danen.net, www.freezer-burn.org
- MandrakeSoft, Inc. Security www.linux-mandrake.com
Current Linux uptime: 6 days 1 hour 14 minutes.

Re: [expert] Security Lists
fwiw i had a whole load on jan11th plus one today and others previous, does this mean that may be some i have missed or are only some folk not seeming to get them?

bascule

On Tuesday 16 January 2001 4:45 pm, you wrote:

> On Tue Jan 16, 2001 at 11:01:45AM -0500, Matthew Micene wrote:
> > Has anyone else been seeing traffic on the Security lists? I have seen
> > several posts on Bugtraq from Mandrake Security about updates but nothing
> > on the Mandrake lists. Anyone have any ideas?
>
> We're looking into it. I have my suspicions that something has
> changed with sympa and it is rejecting the mails silently so this
> didn't actually come to my attention until about two days ago. We
> hope to have it fixed ASAP.

Re: [expert] Security Lists
On Tue Jan 16, 2001 at 11:32:02AM -0500, b5dave wrote:

> > Has anyone else been seeing traffic on the Security lists?
>
> I joined both the Mandrake security announce and security discuss lists
> just before the new year, and there was some brief traffic. Since then,
> however, nothing. Last week linuxtoday (http://www.linuxtoday.com/) was
> full of Mandrake security updates, and there has yet to be a peep about
> these on the Mandrake security lists. It seems that these lists are
> pretty useless, if not dangerous.

No, that is not the case at all. It's not useless and it's not dangerous. We're just having some difficulty with it. security-discuss works fine, but security-announce is causing us some problems that we hope to resolve ASAP. Unfortunately, Denis (our main mailing-list man) is on holidays for a week which kinda limits what I can do, but I will attempt to fix this ASAP.

In the meantime, MandrakeUpdate will tell you if there are new packages to update, and if you visit the website at www.linux-mandrake.com/en/security you will also see the advisories posted. You will also see them on the forum website as well.

-- 
[EMAIL PROTECTED], OpenPGP key available on www.keyserver.net
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
- Danen Consulting Services www.danen.net, www.freezer-burn.org
- MandrakeSoft, Inc. Security www.linux-mandrake.com
Current Linux uptime: 5 days 23 hours 29 minutes.

Re: [expert] Security Lists
On Tue Jan 16, 2001 at 12:10:49PM -0500, b5dave wrote:

> if it's any help, the last advisory I got was the "slocate" one of
> Dec 18/2000.

Yeah, that's what I've been told. I think it's sympa rejecting mail based on "no-no" words like un_subsc_ribe (underscores are there to prevent this message from being rejected). The problem seems to be that the announcements contain information on how (un)sub_scri_be from the security mailing lists and sympa is silently rejecting them (which is why I didn't notice this earlier).

If you want to see what advisories were posted, I always cc the messages to my mandrake security list at [EMAIL PROTECTED], and you can view the archive at www.freezer-burn.org/lists/mdk-security.php. I will probably set up an archive for security and security-discuss mailing lists there as well in the very near future.

-- 
[EMAIL PROTECTED], OpenPGP key available on www.keyserver.net
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
- Danen Consulting Services www.danen.net, www.freezer-burn.org
- MandrakeSoft, Inc. Security www.linux-mandrake.com
Current Linux uptime: 5 days 23 hours 31 minutes.

Re: [expert] Security Lists
if it's any help, the last advisory I got was the "slocate" one of Dec 18/2000.

dave.

> We're looking into it. I have my suspicions that something has
> changed with sympa and it is rejecting the mails silently so this
> didn't actually come to my attention until about two days ago. We
> hope to have it fixed ASAP.

Re: [expert] Security Lists
On Tue Jan 16, 2001 at 11:01:45AM -0500, Matthew Micene wrote:

> Has anyone else been seeing traffic on the Security lists? I have seen
> several posts on Bugtraq from Mandrake Security about updates but nothing
> on the Mandrake lists. Anyone have any ideas?

We're looking into it. I have my suspicions that something has changed with sympa and it is rejecting the mails silently so this didn't actually come to my attention until about two days ago. We hope to have it fixed ASAP.

-- 
[EMAIL PROTECTED], OpenPGP key available on www.keyserver.net
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
- Danen Consulting Services www.danen.net, www.freezer-burn.org
- MandrakeSoft, Inc. Security www.linux-mandrake.com
Current Linux uptime: 5 days 22 hours 1 minutes.

RE: [expert] Security Lists
Matthew,

> Has anyone else been seeing traffic on the Security lists?

I joined both the Mandrake security announce and security discuss lists just before the new year, and there was some brief traffic. Since then, however, nothing. Last week linuxtoday (http://www.linuxtoday.com/) was full of Mandrake security updates, and there has yet to be a peep about these on the Mandrake security lists. It seems that these lists are pretty useless, if not dangerous.

dave.