On 02/09/2017 02:55 PM, John R Pierce wrote:
you realize noone on this email list has anything to do with the
source code for this pkcheck thing? CentOS uses the code exactly as
is that Red Hat releases. You're tilting at windmills in the wrong
country here.
Yes, I do. And I tried
On 2/9/2017 2:40 PM, Gordon Messmer wrote:
My larger concern is that there *does* seem to be a security issue
with pkexec that has at least two very simple fixes, and that issue
isn't being addressed because of the noise involved in arguing about
pkcheck. There's no security problem in pkche
On 02/09/2017 02:27 PM, Warren Young wrote:
I’m with Gordon: someone certainly should fix this problem for its own sake,
but don’t try to strong-arm Red Hat into doing it for you because Security.
Way too many bad things are done Because Security.
My larger concern is that there *does* seem
On Thu, February 9, 2017 3:39 pm, Leonard den Ottolander wrote:
> Hello Warren,
Leonard,
I'm sure, the only way you can make your point so that others will listen
to you is by providing an example of bad thing done through the flaw you
have discovered. Which may be:
1. overwriting portions of m
On Feb 9, 2017, at 2:39 PM, Leonard den Ottolander
wrote:
>
> On Thu, 2017-02-09 at 14:22 -0700, Warren Young wrote:
>> There are two serious problems with this argument:
>>
>> 1. Give me a scenario where this attacker can execute *only* pkcheck
>
> On many systems local users cannot execute
On 02/09/2017 04:51 PM, Gordon Messmer wrote:
On 02/09/2017 01:36 PM, Robert Moskowitz wrote:
So what SELinux magic do I need here
restorecon /etc/named.conf
Thanks
that did the trick.
I have added this to my long list of 'things to check out'
On 02/09/2017 01:03 PM, Leonard den Ottolander wrote:
Not necessarily. Suppose the adversary is aware of a root
exploit/privilege escalation in a random library.
There is no such thing as a root exploit in a library. A "root exploit"
is one that ends with the attacker executing code as root.
Another option is pick the recent source package and run it with "mock"
- The sandbox equipment is "the current release" and binaries in the new
rpm should be "fixed".
This can be done everywhere virtual...
Sincerely
Andy
On Thursday, 09.02.2017, 21:35 +, Styma, Robert (Nok
On 02/09/2017 01:36 PM, Robert Moskowitz wrote:
So what SELinux magic do I need here
restorecon /etc/named.conf
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Hello Warren,
On Thu, 2017-02-09 at 14:22 -0700, Warren Young wrote:
> There are two serious problems with this argument:
>
> 1. Give me a scenario where this attacker can execute *only* pkcheck
> in order to exploit this hypothetical library’s flaw, but where the
> attacker cannot simply provid
Well, actually it is me cp-ing files and SELinux yelling at me later...
I had named working, but detected that I had a couple clean ups to do in
/etc/named.conf and an include file in /etc/named.
I made the changes, scp to my user id from my notebook, 'su' in my ssh
session and cp the named.c
> This is a known issue:
>https://www.centos.org/forums/viewtopic.php?f=13&t=58168
>I would recommend filing a bug with Red Hat to have them fix it.
I am going to see if I can find someone in the organization with a Red Hat
account to open the bug. In the meantime, I came up with a workaround
On Feb 9, 2017, at 2:03 PM, Leonard den Ottolander
wrote:
>
> On Thu, 2017-02-02 at 13:40 -0800, Gordon Messmer wrote:
>> Escalation *requires* attacking a program in a security context other
>> than your own.
>
> Not necessarily. Suppose the adversary is aware of a root
> exploit/privilege es
On 2/9/2017 1:03 PM, Leonard den Ottolander wrote:
Not necessarily. Suppose the adversary is aware of a root
exploit/privilege escalation in a random library. Then the heap spraying
allows this attacker to easily trigger this exploit because he is able
to initialize the entire contents of the hea
On Feb 9, 2017, at 1:26 PM, Leonard den Ottolander
wrote:
>
> On Thu, 2017-02-09 at 14:12 -0600, Johnny Hughes wrote:
>> The patch files are in git as text files, right? Why would you need
>> checksums of those? That is the purpose of git, right?
>
> Checksums are there to make sure that you g
On Thu, 2017-02-02 at 13:40 -0800, Gordon Messmer wrote:
> Escalation *requires* attacking a program in a security context other
> than your own.
Not necessarily. Suppose the adversary is aware of a root
exploit/privilege escalation in a random library. Then the heap spraying
allows this attacker
Hi,
amavisd is adding the following header to my mails :
Authentication-Results: my.example.com (amavisd-new); dkim=neutral
reason="invalid (public key: DNS query timeout for
their._domainkey.example.com)" header.d=example.com
The problem is that this is not quite true !
I have no DNS problems,
Hello Gordon,
On Thu, 2017-02-09 at 12:38 -0800, Gordon Messmer wrote:
> Git already has the protection you're looking for. As part of its core
> design, git uses a hash chain to verify the integrity of its history.
> Every change and every file is thus protected. It's impossible to
> insert
On 02/09/2017 10:50 AM, Leonard den Ottolander wrote:
SRPMS are signed which allows the integrity of the contents to be
checked. Such an integrity check is missing from the git repo.
Git already has the protection you're looking for. As part of its core
design, git uses a hash chain to veri
On Thu, 2017-02-09 at 14:12 -0600, Johnny Hughes wrote:
> The patch files are in git as text files, right? Why would you need
> checksums of those? That is the purpose of git, right?
Checksums are there to make sure that you get what you are supposed to
get. That is also true for text files. (A s
On 02/09/2017 01:11 PM, Leonard den Ottolander wrote:
> On Thu, 2017-02-09 at 12:58 -0600, Johnny Hughes wrote:
>> At the time of extraction, the .metadata file is created (again,
>> not by us, but by the Red Hat team that distributes source), and all the
>> non-text sha1sums are in there as well a
Good day,
I initially posted this issue on CentOS-mirror a week ago but did not
receive any response.
I'm looking for a resolution to a small issue with the cloud image
repository for the latest CentOS-7 image.
As far as I understand, the latest release of the CentOS-7 image should
always be pos
On Thu, 2017-02-09 at 12:58 -0600, Johnny Hughes wrote:
> At the time of extraction, the .metadata file is created (again,
> not by us, but by the Red Hat team that distributes source), and all the
> non-text sha1sums are in there as well as all the text sources.
Aha, .metadata, well, for f.e. bc
On 02/09/2017 12:53 PM, Johnny Hughes wrote:
> On 02/09/2017 12:50 PM, Leonard den Ottolander wrote:
>> Hello John,
>>
>> On Thu, 2017-02-09 at 16:33 +, John Hodrien wrote:
>>> On Thu, 9 Feb 2017, Leonard den Ottolander wrote:
>>>
How about my request for checksums in the git repo?
>>>
>>>
On Thu, 2017-02-09 at 12:53 -0600, Johnny Hughes wrote:
> Red Hat exports the source code to the repo, I don't think they are
> going to change what they put in. It is an extracted SRPM.
It shouldn't be hard to generate a checksum file. Or should this request
be directed at Red Hat?
Regards,
Leon
On 02/09/2017 12:50 PM, Leonard den Ottolander wrote:
> Hello John,
>
> On Thu, 2017-02-09 at 16:33 +, John Hodrien wrote:
>> On Thu, 9 Feb 2017, Leonard den Ottolander wrote:
>>
>>> How about my request for checksums in the git repo?
>>
>> What checksums would you actually want in git?
>
> S
Hello John,
On Thu, 2017-02-09 at 16:33 +, John Hodrien wrote:
> On Thu, 9 Feb 2017, Leonard den Ottolander wrote:
>
> > How about my request for checksums in the git repo?
>
> What checksums would you actually want in git?
SRPMS are signed which allows the integrity of the contents to be
c
On 09/02/17 17:44, Styma, Robert (Nokia - US) wrote:
Styma, Robert (Nokia - US) wrote:
looks like, the driver isn't rebuilt, take the centos 6.8 ISO and look
how it goes.
I downloaded the ISOs and started the reinstall. It went through all
the normal setup up to outputting the message
Styma, Robert (Nokia - US) wrote:
>>
>>> looks like, the driver isn't rebuilt, take the centos 6.8 ISO and look
>>> how it goes.
>> I downloaded the ISOs and started the reinstall. It went through all
>> the normal setup up to outputting the message that it was starting
>> Anaconda. Then t
On Thu, 9 Feb 2017, Leonard den Ottolander wrote:
How about my request for checksums in the git repo?
What checksums would you actually want in git?
jh
Hello Johnny,
On Thu, 2017-02-09 at 09:07 -0600, Johnny Hughes wrote:
> Yes .. that content will be republished. It was an accident.
How about my request for checksums in the git repo?
Regards,
Leonard.
--
mount -t life -o ro /dev/dna /genetic/research
> On 09.02.2017 at 16:10, Johnny Hughes wrote:
>
> On 02/04/2017 06:55 AM, Leon Fauster wrote:
>> I know it's lower prioritized but any signs of the centosplus
>> version of firefox? Just asking because of the severity class.
>>
>
> The CentOS Plus version of Firefox was released because of t
On 02/04/2017 06:55 AM, Leon Fauster wrote:
> I know it's lower prioritized but any signs of the centosplus
> version of firefox? Just asking because of the severity class.
>
The CentOS Plus version of Firefox was released because of the decision
upstream to disable ffmpeg.
The newest upstream
On 02/09/2017 06:30 AM, Leonard den Ottolander wrote:
> Hi all,
>
> Since the vault for 7.3.1611 has been cleared out last sunday (20170207)
> - why is that? - I'm using git to download a "SRPM", or more accurately,
> its contents.
>
> However, using git has one major drawback: It is missing chec
Styma, Robert (Nokia - US) wrote:
>
>> looks like, the driver isn't rebuilt, take the centos 6.8 ISO and look
>> how it goes.
> I downloaded the ISOs and started the reinstall. It went through all
> the normal setup up to outputting the message that it was starting
> Anaconda. Then the scree
> Hello Bob,
> looks like, the driver isn't rebuilt, take the centos 6.8 ISO and look
> how it goes.
> Sincerely
> AndyBe
Hello AndyBe,
I downloaded the ISOs and started the reinstall. It went through all the
normal setup up to outputting the message that it was starting Anaconda. Then
Hi all,
Since the vault for 7.3.1611 has been cleared out last sunday (20170207)
- why is that? - I'm using git to download a "SRPM", or more accurately,
its contents.
However, using git has one major drawback: It is missing checksums for
the files.
Are there any plans to provide checksums for t
Thx, this is very clear and helpful.
My question is, what is needed to build rpms against such scl packages?
Any documentation or examples somewhere?
On 06.02.2017 at 18:38, Paul Heinlein wrote:
On Sun, 5 Feb 2017, Gordon Messmer wrote:
Yes. Use the software collections.
https://www.softwa
> >
> > That's the very problem that Software Collections endeavors to solve. If
> > you install a non-standard package that conflicts with OS defaults,
> > install it as a collection so that end users can choose whether to use
> > the enhancement or the default, on a per-session basis.
>
> Does