On Mon, Jun 18, 2001 at 01:38:16AM -0300, Peter Cordes wrote:
I like the package signing idea. That would be cool. That way, you
could still load and unload modules. I like being able to do that.
One obvious problem with the scheme is that an attacker could
potentially read the keys from
On Mon, Jun 18, 2001 at 03:46:13PM +1000, Ian Miller wrote:
add the line /sbin/ipchains -A input -i INTERFACE -p TCP -s !
LOCALLAN -d EXTERNAL IP 111 -l -j DENY to block the rpc statd attacks
from your external network
port 111 is portmap, not rpc.statd. all blocking portmap will do is
The new gnupg made it to security.debian.org, but it includes a
conflict with the only available mailcrypt:
Conflicts: gpg-rsa, gpg-rsaref, mailcrypt (= 3.5.5-6)
The changelog.Debian agrees:
gnupg (1.0.6-0potato1) stable; urgency=high
* Upload for stable; fixes several security holes.
*
On Mon, Jun 18, 2001 at 09:14:54AM +0200, Sebastiaan wrote:
Hi...
I have a box with something listening to flickering ports. nmap
reports various random ports open from run to run. I can't telnet to
them and ID w/ netstat, because they're gone the instant nmap finds
them.
Hi,
I have
Hello,
I found out that rlinetd seems like a great replacement for inetd, because
it lets you choose which services may be available for the outside world
and which only for the inner network. So, standard services like echo,
daytime, chargen, ftp, etc. are only available for the LAN, while it
Previously Thomas Bushnell, BSG wrote:
Ok, that's a fine reason. But then the working mailcrypt needs to be
installed, or the security fix has only been half-done.
There is a fixed mailcrypt in proposed-updates.
Wichert.
--
Wichert Akkerman [EMAIL PROTECTED] writes:
Previously Thomas Bushnell, BSG wrote:
Ok, that's a fine reason. But then the working mailcrypt needs to be
installed, or the security fix has only been half-done.
There is a fixed mailcrypt in proposed-updates.
That's great, but it doesn't
Previously Thomas Bushnell, BSG wrote:
The *security* team exists to make security updates to the current
stable release. Currently there is *not* an installable update for
gnupg. The only way (that I can think of right now) for fixing this
is to put the new mailcrypt into
On Mon, Jun 18, 2001 at 08:56:03AM +0200, Philipp Schulte wrote:
On Sun, Jun 17, 2001 at 10:42:17PM -0800, Ethan Benson wrote:
you would need to fix filesystem immutability and block device access
as well. currently lcap CAP_LINUX_IMMUTABLE is useless since there
is no way to deny
On Mon, Jun 18, 2001 at 01:04:51AM -0700, Thomas Bushnell, BSG wrote:
The *security* team exists to make security updates to the current
stable release. Currently there is *not* an installable update for
gnupg. The only way (that I can think of right now) for fixing this
is to put the new
On Mon, Jun 18, 2001 at 09:21:56AM +0200, Sebastiaan wrote:
Hello,
I found out that rlinetd seems like a great replacement for inetd, because
it lets you choose which services may be available for the outside world
and which only for the inner network. So, standard services like echo,
On Mon, 18 Jun 2001, Ethan Benson wrote:
On Mon, Jun 18, 2001 at 09:21:56AM +0200, Sebastiaan wrote:
Hello,
I found out that rlinetd seems like a great replacement for inetd, because
it lets you choose which services may be available for the outside world
and which only for the inner
On Mon, Jun 18, 2001 at 10:53:06AM +0200, Sebastiaan wrote:
Yes, that is a good question. I do not know where most of them are used
for, but because they are always installed, I assumed that these are
needed for correct system operation. But even if I would disable these
ports, I still want
On Mon, Jun 18, 2001 at 12:35:13AM -0800, Ethan Benson wrote:
chattr +i and +a cannot be set or removed if CAP_LINUX_IMMUTABLE is
removed from the bounding set. however that does not prevent root
from messing with /dev/hda* directly, neither does CAP_SYS_RAWIO.
there is no capability
On Mon, Jun 18, 2001 at 12:43:41PM +0200, Philipp Schulte wrote:
On Mon, Jun 18, 2001 at 12:35:13AM -0800, Ethan Benson wrote:
chattr +i and +a cannot be set or removed if CAP_LINUX_IMMUTABLE is
removed from the bounding set. however that does not prevent root
from messing with
On Mon, Jun 18, 2001 at 03:52:46AM -0800, Ethan Benson wrote:
On Mon, Jun 18, 2001 at 12:43:41PM +0200, Philipp Schulte wrote:
Ok, so just to make sure: http://www.lids.org/lids-howto/node53.html
is claiming that CAP_SYS_RAWIO allows access to raw block devices.
they are mistaken.
That makes a lot of assumptions about my (or anyone else) understanding of
the system. For example, I have no clue what discard is used for. So, how
do I know if I have a package installed that will not work properly if I
disable that port. Yes, I should go and research the issue but I only
Pat Moffitt [EMAIL PROTECTED] writes:
That makes a lot of assumptions about my (or anyone else) understanding
of the system. For example, I have no clue what discard is used for. So,
how do I know if I have a package installed that will not work properly
if I disable that port. Yes, I should
At 5:55 Uhr +0200 18.6.2001, Ethan Benson wrote:
On Mon, Jun 18, 2001 at 03:03:06AM +0200, Christian Jaeger wrote:
... install some special binaries to which you
grant many permissions.
the thing is once you make exceptions for the system administrator to
use to maintain the you open the
On 18 Jun 2001, Tim Haynes wrote:
Pat Moffitt [EMAIL PROTECTED] writes:
That makes a lot of assumptions about my (or anyone else) understanding
of the system. For example, I have no clue what discard is used for. So,
how do I know if I have a package installed that will not work
Sebastiaan [EMAIL PROTECTED] writes:
[snip]
Again, if you don't know why you need it, you don't need it.
I know you are right, but I have become curious now: if everyone says
that you do not need them, then where are they used for? And why are they
still installed by default?
Good
On Mon, Jun 18, 2001 at 06:35:03PM +0100, Tim Haynes wrote:
b) they shouldn't be. You'll have to check if they still appear by default
in unstable; I should hope they don't. (There's been discussion of this
before if you trawl some archives somewhere.) It's possible to use them all
Wichert Akkerman [EMAIL PROTECTED] writes:
Installing mailcrypt on security.debian.org would immediately suggest
that mailcrypt itself has a security problem, which is not true.
It's a bit of a catch 22.
Well, this is a general problem then, which the security team should
think about. The
Ethan Benson [EMAIL PROTECTED] writes:
gnupg is installable, if you remove mailcrypt. ;-)
As explained in my previous mail, that is only adequate if the
security team exists to support security in packages, but not the
distribution as a whole.
--
To UNSUBSCRIBE, email to [EMAIL
I'm not adding anything new to this thread, only reiterating for those
who seem to have missed previous reiterations:
'The more ports you leave open, the greater chance you have of being
cracked.'
'If you don't know why you need it, you don't need it.'
It seems reasonable that the default
unsubscribe
Noah Meyerhans [EMAIL PROTECTED] writes:
On Mon, Jun 18, 2001 at 06:35:03PM +0100, Tim Haynes wrote:
b) they shouldn't be. You'll have to check if they still appear by
default
[snip]
Why not? You've not given any reason at all. Do you know of any malicious
behavior that is made possible
On Mon, Jun 18, 2001 at 11:08:49AM -0700, Vineet Kumar wrote:
The argument below is pretty bad. Have you ever heard of anybody
actually getting impaled by holding a sword poised at his belly and
walking into grand central station at 5:00pm going 'scuse me, pardon
me, 'scuse me, pardon
On Mon, Jun 18, 2001 at 07:25:37PM +0100, Tim Haynes wrote:
But that said, I gather leaking one's timestamp is not a good thing
(leaking *anything* is not really any good). I'm no Kerberos user, but I
heard you can do time-dependent auth in that a given ticket is good until
whenever. I
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf
Of Tim Haynes
Sent: Monday, June 18, 2001 10:35 AM
To: Sebastiaan
Cc: Tim Haynes; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: rlinetd security
Sebastiaan [EMAIL PROTECTED] writes:
[snip]
Noah L. Meyerhans [EMAIL PROTECTED] writes:
On Mon, Jun 18, 2001 at 11:08:49AM -0700, Vineet Kumar wrote:
The argument below is pretty bad. Have you ever heard of anybody
actually getting impaled by holding a sword poised at his belly and
walking into grand central station at 5:00pm
Petr Cech [EMAIL PROTECTED] writes:
On Mon, Jun 18, 2001 at 10:55:04AM -0700 , Thomas Bushnell, BSG wrote:
Debian is about a *distribution* and not a random assemblage of
OK, distribution. That's dists/potato/main/binary-arch/Packages
If that's the *only* thing that counts as the Debian
Noah L. Meyerhans [EMAIL PROTECTED] writes:
[snip]
http://www.sans.org/infosecFAQ/malicious/naptha.htm, btw. Why bother
hooking /dev/{zero,null} onto the net with netcat when you can cause a fair
bit of traffic with standard services that do much the same thing?
Yes, but you know what?
[EMAIL PROTECTED] (Thomas Bushnell, BSG) writes:
Debian ought to offer security updates for the stable distribution, but
it doesn't. Instead, it is only offering security updates for the
packages in the stable distribution. That's an understandable oversight,
but it is an oversight, and I
On Mon, Jun 18, 2001 at 08:34:11PM +0100, Tim Haynes wrote:
Well, it depends. You can never tidy up a rooted box; the same mentality
sort of applies all the way down - if you're setting up a box, why worry
about installing this and uninstalling that, when your original
installation shouldn't
On Mon, Jun 18, 2001 at 08:45:12PM +0100, Tim Haynes wrote:
[EMAIL PROTECTED] (Thomas Bushnell, BSG) writes:
Debian ought to offer security updates for the stable distribution, but
it doesn't. Instead, it is only offering security updates for the
packages in the stable distribution. That's
[EMAIL PROTECTED] (Martin Maney) writes:
On Mon, Jun 18, 2001 at 08:34:11PM +0100, Tim Haynes wrote:
Well, it depends. You can never tidy up a rooted box; the same
mentality sort of applies all the way down - if you're setting up a
box, why worry about installing this and uninstalling
On Mon, Jun 18, 2001 at 12:11:39PM -0700 , Thomas Bushnell, BSG wrote:
Petr Cech [EMAIL PROTECTED] writes:
On Mon, Jun 18, 2001 at 10:55:04AM -0700 , Thomas Bushnell, BSG wrote:
Debian is about a *distribution* and not a random assemblage of
OK, distribution. That's
On Mon, Jun 18, 2001 at 03:41:20PM -0500 , Martin Maney wrote:
arose in a proposed-update (non-security related), do you think that package
then it wouldn't (or a fixed conflicting package would be provided). But
because we need this security update, then we need also a proposed-update
would
Petr Cech [EMAIL PROTECTED] writes:
On Mon, Jun 18, 2001 at 12:11:39PM -0700 , Thomas Bushnell, BSG wrote:
Petr Cech [EMAIL PROTECTED] writes:
On Mon, Jun 18, 2001 at 10:55:04AM -0700 , Thomas Bushnell, BSG wrote:
Debian is about a *distribution* and not a random assemblage of
On Mon, Jun 18, 2001 at 10:48:27PM +0200, Petr Cech wrote:
you know, what I've meant. Debian *distribution* is main and non-US/main
Is that policy or your opinion? Last time I looked, there were still those
pesky other sections on the servers, in the bug system, and so forth.
--
You arguably
On Mon, Jun 18, 2001 at 06:41:59PM +0200, Christian Jaeger wrote:
Well, if the 'apt-get update apt-get upgrade' wrapper doesn't take
any input and resets the environment (is there anything else it
should take care of?) then even if called by the cracker it wouldn't
do anything else than
On Mon, Jun 18, 2001 at 09:06:07AM -0700, Pat Moffitt wrote:
That makes a lot of assumptions about my (or anyone else) understanding of
the system. For example, I have no clue what discard is used for. So, how
do I know if I have a package installed that will not work properly if I
disable
On Mon, Jun 18, 2001 at 01:48:50PM -0400, Noah Meyerhans wrote:
Why not? You've not given any reason at all. Do you know of any
malicious behavior that is made possible by leaving the services turned
on? The potential exists to use the chargen feature as a part of a DoS
attack, but I've
On Mon, Jun 18, 2001 at 02:30:19PM -0700, Thomas Bushnell, BSG wrote:
you know, what I've meant. Debian *distribution* is main and non-US/main
Then where are the security releases?
security.debian.org
mailcrypt is not in debian, it's in contrib. neither contrib or
non-free are part of
On Mon, Jun 18, 2001 at 06:37:00PM -0500, Martin Maney wrote:
On Mon, Jun 18, 2001 at 10:48:27PM +0200, Petr Cech wrote:
you know, what I've meant. Debian *distribution* is main and non-US/main
Is that policy or your opinion? Last time I looked, there were still those
pesky other sections
Ethan Benson [EMAIL PROTECTED] writes:
On Mon, Jun 18, 2001 at 02:30:19PM -0700, Thomas Bushnell, BSG wrote:
you know, what I've meant. Debian *distribution* is main and non-US/main
Then where are the security releases?
security.debian.org
mailcrypt is not in debian, it's in
Hello,
In fact, the only reason mailcrypt is in contrib is that it adapts to
the patent-restricted versions of gpg/pgp software. As far as its use
with gpg, it belongs in main.
A reading of the Debian Social Contract (section 5) contains the
following concerning contrib and non-free...
On Mon, Jun 18, 2001 at 06:10:12PM -0700, Thomas Bushnell, BSG wrote:
Ethan Benson [EMAIL PROTECTED] writes:
On Mon, Jun 18, 2001 at 02:30:19PM -0700, Thomas Bushnell, BSG wrote:
you know, what I've meant. Debian *distribution* is main and non-US/main
Then where are the security
On Mon, Jun 18, 2001 at 07:15:55PM +0200, Sebastiaan wrote:
I know you are right, but I have become curious now: if everyone says that
you do not need them, then where are they used for? And why are they still
installed by default?
All those internal services are for testing/debugging,
On Sun, Jun 17, 2001 at 07:55:40PM -0800, Ethan Benson wrote:
a bit. lids makes system administration utterly impossible. unless
you leave enough holes open which an attacker can use to bypass it
all.
well nearly...
at least you can prevent new or unknown process/files from accessing
On Mon, Jun 18, 2001 at 01:27:37AM +, Jim Breton wrote:
On Sun, Jun 17, 2001 at 02:44:48AM -0800, Ethan Benson wrote:
compiling without module support would be mostly the same as just
lcap CAP_SYS_MODULE
Fwiw, I have heard (though not tested myself) that even if you compile
On Mon, Jun 18, 2001 at 03:06:14AM +0200, Christian Jaeger wrote:
Hello,
I run a pc with potato on a cable modem line. Recently I discovered
the following in /var/log/messages:
Jun 10 20:21:16 pflanze -- MARK --
Jun 10 20:33:55 pflanze
Jun 10 20:33:55 pflanze /sbin/rpc.statd[229]:
On Sat, Jun 16, 2001 at 06:25:32AM -0800, Ethan Benson wrote:
On Sat, Jun 16, 2001 at 10:14:52AM -0400, Ehsan (Shawn) Baseri wrote:
Just saw this, thought you guys might be interested. Not sure how
damaging the exploit is though.
you get gid=utmp, which lets you corrupt the utmp
I like the package signing idea. That would be cool. That way, you
could still load and unload modules. I like being able to do that.
One obvious problem with the scheme is that an attacker could
potentially read the keys from /boot/vmlinuz-2.4.5, or whatever, and
sign their own module. This
add the line /sbin/ipchains -A input -i INTERFACE -p TCP -s !
LOCALLAN -d EXTERNAL IP 111 -l -j DENY to block the rpc statd attacks
from your external network
- Original Message -
From: Christian Jaeger [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Sent: Monday, June 18, 2001
unsubscribe
On Mon, Jun 18, 2001 at 01:38:16AM -0300, Peter Cordes wrote:
I like the package signing idea. That would be cool. That way, you
could still load and unload modules. I like being able to do that.
One obvious problem with the scheme is that an attacker could
potentially read the keys from
On Mon, Jun 18, 2001 at 03:46:13PM +1000, Ian Miller wrote:
add the line /sbin/ipchains -A input -i INTERFACE -p TCP -s !
LOCALLAN -d EXTERNAL IP 111 -l -j DENY to block the rpc statd attacks
from your external network
port 111 is portmap, not rpc.statd. all blocking portmap will do is
The new gnupg made it to security.debian.org, but it includes a
conflict with the only available mailcrypt:
Conflicts: gpg-rsa, gpg-rsaref, mailcrypt (= 3.5.5-6)
The changelog.Debian agrees:
gnupg (1.0.6-0potato1) stable; urgency=high
* Upload for stable; fixes several security holes.
*
On Sun, Jun 17, 2001 at 10:42:17PM -0800, Ethan Benson wrote:
you would need to fix filesystem immutability and block device access
as well. currently lcap CAP_LINUX_IMMUTABLE is useless since there
is no way to deny root the ability to write directly to /dev/hda* and
remove the immutable
On Sun, Jun 17, 2001 at 10:42:17PM -0800, Ethan Benson wrote:
On Mon, Jun 18, 2001 at 01:38:16AM -0300, Peter Cordes wrote:
I like the package signing idea. That would be cool. That way, you
could still load and unload modules. I like being able to do that.
One obvious problem with the
Thomas Bushnell BSG writes:
In this case, there needs to be a non-older version of mailcrypt
available for potato. I don't know why conflicts were added to
mailcrypt (nothing I noticed in either the public or private security
lists mentioned it, AFAICT). But assuming the conflicts are
Tim Potter [EMAIL PROTECTED] writes:
Thomas Bushnell BSG writes:
In this case, there needs to be a non-older version of mailcrypt
available for potato. I don't know why conflicts were added to
mailcrypt (nothing I noticed in either the public or private security
lists mentioned it,
Hi...
I have a box with something listening to flickering ports. nmap
reports various random ports open from run to run. I can't telnet to
them and ID w/ netstat, because they're gone the instant nmap finds
them.
Hi,
I have this regularly too. I would like to see this explained, but
perhaps
On Mon, Jun 18, 2001 at 09:14:54AM +0200, Sebastiaan wrote:
Hi...
I have a box with something listening to flickering ports. nmap
reports various random ports open from run to run. I can't telnet to
them and ID w/ netstat, because they're gone the instant nmap finds
them.
Hi,
I have
Hello,
I found out that rlinetd seems like a great replacement for inetd, because
it lets you choose which services may be available for the outside world
and which only for the inner network. So, standard services like echo,
daytime, chargen, ftp, etc. are only available for the LAN, while it is
this stuff can also be controlled using hosts.deny and hosts.allow. so
then any inetd prog will do!
On Mon, Jun 18, 2001 at 09:21:56AM +0200, Sebastiaan wrote:
Hello,
I found out that rlinetd seems like a great replacement for inetd, because
it lets you choose which services may be available
Previously Thomas Bushnell, BSG wrote:
Ok, that's a fine reason. But then the working mailcrypt needs to be
installed, or the security fix has only been half-done.
There is a fixed mailcrypt in proposed-updates.
Wichert.
--
Wichert Akkerman [EMAIL PROTECTED] writes:
Previously Thomas Bushnell, BSG wrote:
Ok, that's a fine reason. But then the working mailcrypt needs to be
installed, or the security fix has only been half-done.
There is a fixed mailcrypt in proposed-updates.
That's great, but it doesn't
Previously Thomas Bushnell, BSG wrote:
The *security* team exists to make security updates to the current
stable release. Currently there is *not* an installable update for
gnupg. The only way (that I can think of right now) for fixing this
is to put the new mailcrypt into
On Mon, Jun 18, 2001 at 08:56:03AM +0200, Philipp Schulte wrote:
On Sun, Jun 17, 2001 at 10:42:17PM -0800, Ethan Benson wrote:
you would need to fix filesystem immutability and block device access
as well. currently lcap CAP_LINUX_IMMUTABLE is useless since there
is no way to deny root
On Mon, Jun 18, 2001 at 04:02:08AM -0300, Peter Cordes wrote:
You need to keep it somewhere if you ever want to build more modules
that that kernel will load. I don't know why I assumed it would be
stored in the kernel image.
it could be a separate file, encrypted (like gpg private keys)
On Mon, Jun 18, 2001 at 01:04:51AM -0700, Thomas Bushnell, BSG wrote:
The *security* team exists to make security updates to the current
stable release. Currently there is *not* an installable update for
gnupg. The only way (that I can think of right now) for fixing this
is to put the new
Jason Thomas [EMAIL PROTECTED] writes upside-down:
this stuff can also be controlled using hosts.deny and hosts.allow. so
then any inetd prog will do!
No it can't. There's a difference between not listening on the interface at
all, and filtering it out by allowing them to connect to the port
On Mon, Jun 18, 2001 at 09:21:56AM +0200, Sebastiaan wrote:
Hello,
I found out that rlinetd seems like a great replacement for inetd, because
it lets you choose which services may be available for the outside world
and which only for the inner network. So, standard services like echo,
On Mon, 18 Jun 2001, Ethan Benson wrote:
On Mon, Jun 18, 2001 at 09:21:56AM +0200, Sebastiaan wrote:
Hello,
I found out that rlinetd seems like a great replacement for inetd, because
it lets you choose which services may be available for the outside world
and which only for the inner
On Mon, Jun 18, 2001 at 10:53:06AM +0200, Sebastiaan wrote:
Yes, that is a good question. I do not know where most of them are used
for, but because they are always installed, I assumed that these are
needed for correct system operation. But even if I would disable these
ports, I still want to
Ethan Benson [EMAIL PROTECTED] writes:
On Mon, Jun 18, 2001 at 10:53:06AM +0200, Sebastiaan wrote:
Yes, that is a good question. I do not know where most of them are used
for, but because they are always installed, I assumed that these are
needed for correct system operation. But even if I
Hi
there are known bugs like this in nmap. But this should only appear
when using nmap local.
Michael Schwarzbach
On Mon, Jun 18, 2001 at 12:35:13AM -0800, Ethan Benson wrote:
chattr +i and +a cannot be set or removed if CAP_LINUX_IMMUTABLE is
removed from the bounding set. however that does not prevent root
from messing with /dev/hda* directly, neither does CAP_SYS_RAWIO.
there is no capability
unsubscribe
On Mon, Jun 18, 2001 at 12:43:41PM +0200, Philipp Schulte wrote:
On Mon, Jun 18, 2001 at 12:35:13AM -0800, Ethan Benson wrote:
chattr +i and +a cannot be set or removed if CAP_LINUX_IMMUTABLE is
removed from the bounding set. however that does not prevent root
from messing with
On Mon, Jun 18, 2001 at 03:52:46AM -0800, Ethan Benson wrote:
On Mon, Jun 18, 2001 at 12:43:41PM +0200, Philipp Schulte wrote:
Ok, so just to make sure: http://www.lids.org/lids-howto/node53.html
is claiming that CAP_SYS_RAWIO allows access to raw block devices.
they are mistaken.
Well,
That makes a lot of assumptions about my (or anyone else) understanding of
the system. For example, I have no clue what discard is used for. So, how
do I know if I have a package installed that will not work properly if I
disable that port. Yes, I should go and research the issue but I only
Pat Moffitt [EMAIL PROTECTED] writes:
That makes a lot of assumptions about my (or anyone else) understanding
of the system. For example, I have no clue what discard is used for. So,
how do I know if I have a package installed that will not work properly
if I disable that port. Yes, I should
At 5:55 Uhr +0200 18.6.2001, Ethan Benson wrote:
On Mon, Jun 18, 2001 at 03:03:06AM +0200, Christian Jaeger wrote:
... install some special binaries to which you
grant many permissions.
the thing is once you make exceptions for the system administrator to
use to maintain the you open the
On 18 Jun 2001, Tim Haynes wrote:
Pat Moffitt [EMAIL PROTECTED] writes:
That makes a lot of assumptions about my (or anyone else) understanding
of the system. For example, I have no clue what discard is used for. So,
how do I know if I have a package installed that will not work properly
Sebastiaan [EMAIL PROTECTED] writes:
[snip]
Again, if you don't know why you need it, you don't need it.
I know you are right, but I have become curious now: if everyone says
that you do not need them, then where are they used for? And why are they
still installed by default?
Good
On Mon, Jun 18, 2001 at 06:35:03PM +0100, Tim Haynes wrote:
b) they shouldn't be. You'll have to check if they still appear by default
in unstable; I should hope they don't. (There's been discussion of this
before if you trawl some archives somewhere.) It's possible to use them all
Wichert Akkerman [EMAIL PROTECTED] writes:
Installing mailcrypt on security.debian.org would immediately suggest
that mailcrypt itself has a security problem, which is not true.
It's a bit of a catch 22.
Well, this is a general problem then, which the security team should
think about. The
Ethan Benson [EMAIL PROTECTED] writes:
gnupg is installable, if you remove mailcrypt. ;-)
As explained in my previous mail, that is only adequate if the
security team exists to support security in packages, but not the
distribution as a whole.
I'm not adding anything new to this thread, only reiterating for those
who seem to have missed previous reiterations:
'The more ports you leave open, the greater chance you have of being
cracked.'
'If you don't know why you need it, you don't need it.'
It seems reasonable that the default
unsubscribe
Noah Meyerhans [EMAIL PROTECTED] writes:
On Mon, Jun 18, 2001 at 06:35:03PM +0100, Tim Haynes wrote:
b) they shouldn't be. You'll have to check if they still appear by
default
[snip]
Why not? You've not given any reason at all. Do you know of any malicious
behavior that is made possible
On Mon, Jun 18, 2001 at 11:08:49AM -0700, Vineet Kumar wrote:
The argument below is pretty bad. Have you ever heard of anybody
actually getting impaled by holding a sword poised at his belly and
walking into grand central station at 5:00pm going 'scuse me, pardon
me, 'scuse me, pardon
On Mon, Jun 18, 2001 at 10:55:04AM -0700 , Thomas Bushnell, BSG wrote:
Debian is about a *distribution* and not a random assemblage of
OK, distribution. That's dists/potato/main/binary-arch/Packages
Petr Cech
--
Debian GNU/Linux maintainer - www.debian.{org,cz}
On Mon, Jun 18, 2001 at 07:25:37PM +0100, Tim Haynes wrote:
But that said, I gather leaking one's timestamp is not a good thing
(leaking *anything* is not really any good). I'm no Kerberos user, but I
heard you can do time-dependent auth in that a given ticket is good until
whenever. I
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf
Of Tim Haynes
Sent: Monday, June 18, 2001 10:35 AM
To: Sebastiaan
Cc: Tim Haynes; [EMAIL PROTECTED]; debian-security@lists.debian.org
Subject: Re: rlinetd security
Sebastiaan [EMAIL PROTECTED] writes:
Noah L. Meyerhans [EMAIL PROTECTED] writes:
On Mon, Jun 18, 2001 at 11:08:49AM -0700, Vineet Kumar wrote:
The argument below is pretty bad. Have you ever heard of anybody
actually getting impaled by holding a sword poised at his belly and
walking into grand central station at 5:00pm going