Use apt-get -u upgrade to show what packages are being upgraded, then
apt-get install them to fetch the dependencies as well, or just use
apt-get dist-upgrade, which gets additional dependencies (And removed
conflicting packages), automatically.
On Thu, 2002-06-27 at 19:14, Howland, Curtis wrote:
On Fri, 28 Jun 2002, Howland, Curtis wrote:
> Too bad you didn't copy all the other lists with this one.
>
> At this point, I'm out of ideas. Time for someone else to take you further.
>
> However, I can point out something: You're using ssh 3.4, which is very new.
> Make sure that it has worked
On Thu, Jun 27, 2002 at 10:10:27PM +0700, [EMAIL PROTECTED] wrote:
> On Fri, 28 Jun 2002, Howland, Curtis wrote:
>
> > Try connecting in verbose mode for debugging, I think it's "ssh -v" or even
> > "-v -v" as I saw someone suggest recently.
>
> I try using ssh -v and get a message :
>
> ~$ ssh
On Fri, 28 Jun 2002, Howland, Curtis wrote:
> Try connecting in verbose mode for debugging, I think it's "ssh -v" or even
> "-v -v" as I saw someone suggest recently.
I try using ssh -v and get a message :
~$ ssh -v yans xxx.xxx.xxx.xxx
OpenSSH_3.4p1 Debian 1:3.4p1-0.0potato1, SSH protocols 1.5
Try connecting in verbose mode for debugging, I think it's "ssh -v" or even "-v
-v" as I saw someone suggest recently.
Something changed. The goal is to find out what.
Also try "ssh -1 ..." to force version 1 access and see if that works.
Curt-
> > First question:
> >
> > Has it worked before
On Fri, 28 Jun 2002, Howland, Curtis wrote:
> First question:
>
> Has it worked before now?
Yes.
>
> Second question:
>
> What did you change between then and now?
no, i did not change anything with my configuration (ssh client or
ssh server)
-Ryansimon aku
>
> Curt-
>
> > Dear All,
> >
> > I
On Thu, 27 Jun 2002 21:25:52 +0700 (JAVT)
<[EMAIL PROTECTED]> wrote:
> Dear All,
>
> I have a problem with my ssh, when i try to connect to our server
> using ssh have an error like this :
>
> ssh -l [EMAIL PROTECTED]
> 2f65 7463 2f73 7368
> Disconnecting: Bad packet length 795178083.
>
>
> Wh
First question:
Has it worked before now?
Second question:
What did you change between then and now?
Curt-
> Dear All,
>
> I have a problem with my ssh, when i try to connect to our
> server using
> ssh have an error like this :
>
> ssh -l [EMAIL PROTECTED]
> 2f65 7463 2f73 7368
> Disconnec
Dear All,
I have a problem with my ssh, when i try to connect to our server using
ssh have an error like this :
ssh -l [EMAIL PROTECTED]
2f65 7463 2f73 7368
Disconnecting: Bad packet length 795178083.
What's Wrong with my server or my ssh client. And how to solve them.
Thank's
Ryansimon Aku
* Howland, Curtis ([EMAIL PROTECTED]) [020627 17:15]:
> I noticed the same thing when doing the 3.3 thing two days ago that I
> commented on on this list.
>
> The security server is in my apt.sources list, but when I executed
> "apt-get upgrade", it said "0 new, 0 to be removed, 1 package(s) not
Not "security updates" as such, but since the software has been changed,
doesn't testing have its package replaced with the new version?
I can't imagine that a known hole would be deliberately left in a
package when an update has already been compiled. This is "testing", not
Hamm".
> Testing does
On Thu, Jun 27, 2002 at 04:55:31PM -0700, Tom Dominico wrote:
> When woody goes stable, though, I want to move on to whatever "testing"
> is at that point. That's why I had been using "testing" in my
> sources.list rather than explicitly saying "woody"; I thought it would
> make it easier to stay
I noticed the same thing when doing the 3.3 thing two days ago that I commented
on on this list.
The security server is in my apt.sources list, but when I executed "apt-get
upgrade", it said "0 new, 0 to be removed, 1 package(s) not updated".
Dselect showed the ssh package as ready to be update
When woody goes stable, though, I want to move on to whatever "testing"
is at that point. That's why I had been using "testing" in my
sources.list rather than explicitly saying "woody"; I thought it would
make it easier to stay current. Is it better to explicitly state
"woody" in your sources.lis
On Thu, Jun 27, 2002 at 07:35:21PM -0400, Moti Levy wrote:
> this line in /etc/apt/sources.list did it for me ...
> deb http://security.debian.org testing/updates main contrib non-free
You should probably use 'woody', not 'testing'. After all, testing
doesn't normally get security updates. Once
Thanks for all the rapid replies folks, apparently I was mixed up there.
Adding the security line for "testing" did the trick.
Tom
-Original Message-
From: A.J. Rossini [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 27, 2002 4:29 PM
To: Tom Dominico
Cc: debian-security@lists.debian.org
S
you need something like:
deb http://security.debian.org stable/updates main contrib non-free
or
deb http://security.debian.org woody/updates main contrib non-free
(I think "testing/updates" ought to work, but am not sure).
> "tom" == Tom Dominico <[EMAIL PROTECTED]> writes:
tom> H
Tom Dominico wrote:
Hello,
I am on testing, and when I do an apt-get update/apt-get upgrade, I do
not seem to be getting the "new and improved" ssh. I checked ssh -v,
and I'm not on 3.4 yet. I've done the "workarounds", so I shouldn't be
vulnerable, but I can't figure out why I'm not getting
* Tom Dominico ([EMAIL PROTECTED]) [020627 16:23]:
> Hello,
>
> I am on testing, and when I do an apt-get update/apt-get upgrade, I do
> not seem to be getting the "new and improved" ssh. I checked ssh -v,
> and I'm not on 3.4 yet. I've done the "workarounds", so I shouldn't be
> vulnerable, but
Hello,
I am on testing, and when I do an apt-get update/apt-get upgrade, I do
not seem to be getting the "new and improved" ssh. I checked ssh -v,
and I'm not on 3.4 yet. I've done the "workarounds", so I shouldn't be
vulnerable, but I can't figure out why I'm not getting the new version.
Has it
On Thu, Jun 27, 2002 at 07:35:49PM +0200, Rolf Kutz wrote:
> * Quoting Robert Brown ([EMAIL PROTECTED]):
> It works here, with kernel-2.4 on i386. You can
It works here, with kernel-2.2 on i386.
> - Rolf
Jacques
--
0CBE 3F8A 5A77 A35C 27C7 2D42 3EC5 806B 91
* Quoting Robert Brown ([EMAIL PROTECTED]):
> Sorry if this has been answered elsewhere, but there did not seem to be a
> mention of whether compression works with this latest release of OpenSSH
> 3.4, particularly on the server side. I depend upon compression in
> various scripts and would like
Sorry if this has been answered elsewhere, but there did not seem to be a
mention of whether compression works with this latest release of OpenSSH
3.4, particularly on the server side. I depend upon compression in
various scripts and would like to know whether those must be changed or
not.
Thanks
Dear Michael Stone and the rest of the Debian security team,
I'm very impressed at your successful demonstration of how well the new
security infrastructure can work. Getting out a response this quick for
OpenSSH 3.4 for all 11 Woody architectures is remarkable.
The chaos surrounding these unknow
On Thu, Jun 27, 2002 at 02:50:54PM +0200, Michael Stone remarked:
> -BEGIN PGP SIGNED MESSAGE-
>
> -
> Debian Security Advisory DSA-134-4 [EMAIL PROTECTED]
> http://www.debian.org/security/
On Thu, Jun 27, 2002 at 02:50:54PM +0200, Michael Stone wrote:
> Debian 2.2 (potato) shipped with an ssh package based on OpenSSH
> 1.2.3, and is not vulnerable to the vulnerabilities covered by this
> advisory. Users still running a version 1.2.3 ssh package do not have
> an immediate need to upgr
On Thu, Jun 27, 2002 at 09:12:41AM +0100, Tim Haynes wrote:
> I'm trying not to think how many Debian policies have been bent because of
> "oh no! it's ssh!"-factor - porting a protocol-2-enabled *new feature* down
> to Stable with the resultant paragraphs on `create a proto-2 keypair' and
> `these
On Wed, 2002-06-26 at 14:59, Lupe Christoph wrote:
> I've spent several hours updating left and right, and now this?
> How shall I justify this to my client? I can't really charge for
> falling for Theo. Seems I took a firm stand and bent over for him.
See Wichert's message: <[EMAIL PROTECTED]>
Previously Wim Fournier wrote:
> I just read this over at iss, it seems that the vuln only exists for
> default installations of BSD and only for S-KEY and BSD authentication.
That advisory sucks :). Keyboard-interactive authentication is
vulnerable, and we use that for PAM as well by default (tha
Note that Potato users actually BECAME vulnerable by installing this
"security fix".
On Thu, 27 Jun 2002, Florian Weimer wrote:
>Paul Baker <[EMAIL PROTECTED]> writes:
>
>> So as it turns out, AFAIK, none of the versions of OpenSSH in Debian
>> were actually vulnerable to the exploit found by I
Paul Baker <[EMAIL PROTECTED]> writes:
> So as it turns out, AFAIK, none of the versions of OpenSSH in Debian
> were actually vulnerable to the exploit found by ISS and reported in
> DSA-134
The 3.3p1 packages are vulnerable in some configurations. :-(
--
Florian Weimer[EMAI
On Thu, Jun 27, 2002 at 10:38:44AM +0200, Wim Fournier wrote:
>http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584
>
>I just read this over at iss, it seems that the vuln only exists for
>default installations of BSD and only for S-KEY and BSD authentication.
>
>So need to upgra
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584
I just read this over at iss, it seems that the vuln only exists for
default installations of BSD and only for S-KEY and BSD authentication.
So need to upgrade at all.. its just a way to get everyone over to 3.x i
guess...
Wichert Akkerman <[EMAIL PROTECTED]> writes:
> Previously Christian Hammers wrote:
>
> > Don't be too hard to him, if he'd pointed out that only default BSD is
> > vulnerable it would not have been too hard to find the exploit before
> > everybody had updated.
>
> He could have mentioned ssh prot
John Galt <[EMAIL PROTECTED]> writes:
> that's what happened--the EPIC hole gave user. monkey.org (Dug Song) was
> using standard security practice at that point, it's just for
> convenience's sake, the user had a few things screened, including a
> rootshell, probably because of the traditional Co
> Head over to OpenSSH.com
>
> They have just released version 3.4, which should fix some overflow
> problems and adds lot's of new checks against dubious input.
>
> Advisories and updates on the various pages there.
How about the compression support and PAM? is that already fixed?
Cuz without th
Previously Christian Hammers wrote:
> Don't be too hard to him, if he'd pointed out that only default BSD is
> vulnerable it would not have been too hard to find the exploit before
> everybody had updated.
He could have mentioned ssh protocol 1 wasn't vulnerable..
Wichert.
--
_
37 matches
Mail list logo