Re: IIS 5.0 SEARCH method overflow

2001-03-19 Thread Microsoft Security Response Center
The patch released for Microsoft Security Bulletin MS01-016 resolves this issue. Regards, [EMAIL PROTECTED] -Original Message- From: Georgi Guninski [mailto:[EMAIL PROTECTED]] Sent: Friday, March 16, 2001 12:09 PM To: [EMAIL PROTECTED] Subject:

Re: TCP Timestamping and Remotely gathering uptime information

2001-03-19 Thread Chris Tobkin
The problem with releasing this information is that an attacker can see how long the system has been online and possibly correlate that with what patches are installed on the system telling whether it is likely to be vulnerable to certain exploit(s). 'uname' is a little different in that it only

Re: TCP Timestamping and Remotely gathering uptime information

2001-03-19 Thread Ted U
On Fri, 16 Mar 2001, Emre Yildirim wrote: I might be completely wrong here but what about sysctl -w net.inet.tcp.rfc1323=0 no, that disables timestamps. rfc1323 support is needed (or will be) for high speed networks, where the sequence numbers can roll over. then delayed packets might

Re: TCP Timestamping and Remotely gathering uptime information

2001-03-19 Thread Matt Lewis
Darren Reed said: Why do you think all timestamps should not reveal uptime information ? Well, not to speak on Bret's behalf per se, but personally, I've seen plenty of software (the quality of which may be in question) that uses uptime (or clock-ticks-since-boot, whatever) for a variety of

Re: TCP Timestamping and Remotely gathering uptime information

2001-03-19 Thread arivanov
On 15-Mar-2001 Darren Reed wrote: So when do we change things like "uname" such that they no longer report the system "identity" (OS, OS rev) to anyone but root ? Why do you think all timestamps should not reveal uptime information ? What do you think

Re: TCP Timestamping and Remotely gathering uptime information

2001-03-19 Thread Darren Reed
In some mail from [EMAIL PROTECTED], sie said: Actually, the logic is "This has been up for 300 days. It probably is not being maintained so it likely has that unpatched exploit available". I thought about this before I posted that email but decided against any inclusion of it. Why ? There

Re: TCP Timestamping and Remotely gathering uptime information

2001-03-19 Thread Stephen White
On Wed, Mar, 2001, Bret wrote: either by creating a new 'timestamp clock' for each TCP session (that uses timestamps) You can't do this .. it breaks the use of such timestamps for things like TCP Sequence number wrap-around protection on fast networks (gigabit). or by starting the timestamp

[CLA-2001:384] Conectiva Linux Security Announcement - cups

2001-03-19 Thread secure
CONECTIVA LINUX SECURITY ANNOUNCEMENT PACKAGE : cups SUMMARY : Several vulnerabilities in

nmap and linux 2.4 (was Re: TCP Timestamping ...)

2001-03-19 Thread Bret
I am posting this in the hopes that this thread can die on bugtraq and go where it is most likely more appropriate (nmap-dev perhaps). Anyway, since I have gotten so many different people saying so many different things to me, I in response to my previous comments about nmap and linux 2.4 I

Re: Multiple vendors FTP denial of service

2001-03-19 Thread D. J. Bernstein
The FTP specification doesn't require servers to support .. and *. In fact, it doesn't even mention .. and *. Naturally, publicfile's ftpd treats * as just another character, and converts . to : after slashes. FTP does, however, include an NLST command that lists all files in the current

[CLA-2001:387] Conectiva Linux Security Announcement - icecast

2001-03-19 Thread secure
CONECTIVA LINUX SECURITY ANNOUNCEMENT PACKAGE : icecast SUMMARY : Remote buffer overflow

Re: FW: Vulnerability in Novell Netware

2001-03-19 Thread Krzysztof Halasa
Jeffrey Seaton [EMAIL PROTECTED] writes: Yeah I took a look at this but it is not a problem at all. If a system administrator is worried about someone logging in as a print server just extend the objects attributes and add a simultaneous login attribute. You can set this to 1 and only the

Aspseek Buffer Overflow

2001-03-19 Thread Neil K
Product: Aspseek Search Engine. Vendor URL: www.aspseek.org

Passive Analysis of SSH (Secure Shell) Traffic

2001-03-19 Thread Solar Designer
OW-003-ssh-traffic-analysis, revision 1 March 19, 2001 Passive Analysis of SSH (Secure Shell) Traffic -- This advisory demonstrates several weaknesses in implementations of SSH (Secure Shell) protocols. When

potential vulnerability of mysqld running with root privileges (can be used as good DoS or r00t exploit)

2001-03-19 Thread Pavlov, Lesha
Anybody who gets a login and password to mysql can use it as a DoS or r00t exploit, because mysql accepts '../blah-blah' as a valid database name and each table is represented by 3 files, tablename.ISD, tablename.ISM and tablename.frm. But when mysqld checks whether a table already exists or not, it checks

HPUX Security Bulletin HPSBUX0103-146 - How Bad ?

2001-03-19 Thread Boyce, Nick
Usual question - anyone know how bad this one is ? The words "buffer overflow" scare me :-) === cut === [...] Digest Name: daily security bulletins digest Created: Mon Mar 19 3:00:03 PST 2001 Document ID Title

oops, previous message broken

2001-03-19 Thread Stefan Laudat
oops, fixed version attached... lost myself in details sorry. -- Stefan Laudat - Network Security Engineer CCNA,CCAI RoEduNet - THE Romanian Education Network --- If you're not part of the solution then you're part of the problem. muci.pl

Re: Multiple vendors FTP denial of service

2001-03-19 Thread JT
This does work on FreeBSD 4-stable as well (ftp announces itself as(Version 6.00LS)). This should probably work on any ftp that uses an external ls command, and other than making ftpd friendly for use by login.conf (which would mean what? ftpd dropping privileges to the user once a connection is