Yo!
Would it make sense if new packages uploaded as part of handling a DSA
would include the DSA number in the changelog.Debian? When I do an
upgrade after seeing a DSA, it's sometimes not entirely clear to me if
it's already the version mentioned in the DSA or if my mirror did not
pick it up yet.
Hi there,
some of you suggested to remove portmap in order to close some more ports
and thereby increase security. Since I never really understood what the
portmapper was doing, I thought I could do without it. However, once I
tried to uninstall the package with dselect, I got a dependency issue
saying
On Wed, 31 Jul 2002, Dale Amon wrote:
> Since you brought the subject up... :-)
>
> Does anyone have a good way of dealing with daemons that use unpredictable
> port
> numbers? I have particular headaches with NFS, gdomap, and just recently
> SmokePing
> started doing it.
>
> I like to start off
To my knowledge you can safely ignore it. I'm always purging
the package on every server installation I did since I know
my servers don't use rpc at all.
- Markus
On Wed, Jul 31, 2002 at 08:46:38AM +0200, Jens Hafner wrote :
> some of you suggested to remove portmap in order clos
"Jens Hafner" <[EMAIL PROTECTED]> writes:
> some of you suggested to remove portmap in order to close some more ports
> and thereby increase security. Since I never really understood what the
> portmapper was doing, I thought I could do without it. However, once I
> tried to uninstall the package with d
Previously Adrian 'Dagurashibanipal' von Bidder wrote:
> Would it make sense if new packages uploaded as part of handling a DSA
> would include the DSA number in the changelog.Debian?
Half the time we don't know the DSA number when creating the package.
Wichert.
--
___
hello people,
i was talking to a friend, and he was describing the inability of PC
based security devices to have proper pseudo-random number generation.
This sounds to me that i needed some investigation. My general question
is: has someone ever heard about any type of cryptographic attack usi
On Wed, Jul 31, 2002 at 08:24:50AM +0900, [EMAIL PROTECTED] wrote:
> Hi,
>
> From: Rick Moen <[EMAIL PROTECTED]>
> Subject: Re: Some more port closing questions
> Date: Tue, 30 Jul 2002 16:21:18 -0700
>
> > Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):
> >
> > > Kind of off-topic here, but I've
Hi,
From: Mathias Palm <[EMAIL PROTECTED]>
Subject: Re: Some more port closing questions
Date: Wed, 31 Jul 2002 11:23:55 +0200
> On Wed, Jul 31, 2002 at 08:24:50AM +0900, [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > From: Rick Moen <[EMAIL PROTECTED]>
> > Subject: Re: Some more port closing question
On 30 Jul 02 23:24:50 GMT, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Ah, that would be nice too. I know that the first thing I usually do
> when I boot my laptop is to stop a bunch of daemons that started
> up at boot (-;
# update-rc.d -f somedaemon remove
AIUI the reasoning is that if you
On Wed, Jul 31, 2002 at 07:51:03PM +1000, Jean-Francois Dive wrote:
> hello people,
>
> i was talking to a friend, and he was describing the inability of PC
> based security devices to have proper pseudo-random number generation.
> This sounds to me that i needed some investigation. My general qu
On Wed, Jul 31, 2002 at 01:37:30PM +0900, [EMAIL PROTECTED] wrote:
> Hi,
>
> For some time, I've been toying w/ the idea of putting together
> something that would allow me to trigger the starting/stopping of
> various services [1] via a mail message containing some kind of OTP.
Recently I have s
Quoting Jay Kline ([EMAIL PROTECTED]):
> I may be wrong, but don't the SSH clients need that banner to be able to
> identify what version to use?
Yes; the major/minor combination tells the client which protocol versions
can be used. The latest phrack has some interesting information about that
a
On Wed, Jul 31, 2002 at 01:58:59PM +0200, Robert van der Meulen wrote:
>
> Quoting Jay Kline ([EMAIL PROTECTED]):
> > I may be wrong, but don't the SSH clients need that banner to be able to
> > identify what version to use?
>
> Yes; the major/minor combination tells the client which protocol ve
Hi,
From: Frank Copeland <[EMAIL PROTECTED]>
Subject: Re: Some more port closing questions
Date: Wed, 31 Jul 2002 10:33:37 + (UTC)
> On 30 Jul 02 23:24:50 GMT, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> > Ah, that would be nice too. I know that the first thing I usually do
> > when I
On Wed, Jul 31, 2002 at 02:01:14PM +0200, Marcin Owsiany wrote:
> On Wed, Jul 31, 2002 at 01:37:30PM +0900, [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > For some time, I've been toying w/ the idea of putting together
> > something that would allow me to trigger the starting/stopping of
> > various ser
On Wed, Jul 31, 2002 at 07:06:09PM +0900, [EMAIL PROTECTED] imagined:
> On a related note, I just ran dselect and noticed rcconf --
> may be that's what I want (-; I'll have to check that out.
rcconf is simple and works very well for me - FYI.
Cheers,
Raymond
--
"You deserve to be able to coope
On Wed, 31 Jul 2002 [EMAIL PROTECTED] wrote:
> Hi,
>
> From: Frank Copeland <[EMAIL PROTECTED]>
> Subject: Re: Some more port closing questions
> Date: Wed, 31 Jul 2002 10:33:37 + (UTC)
>
> > On 30 Jul 02 23:24:50 GMT, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >
> > > Ah, that would be
On Wed, Jul 31, 2002 at 09:25:40PM +0900, [EMAIL PROTECTED] wrote:
>
> I don't think that's what I want -- I want the software installed,
> just not started by default.
(...)
FYI:
http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html#s3.6
I wonder why I wrote it? :)
On Wed, Jul 24, 2002 at 08:03:44PM -0400, Phillip Hofmeister wrote:
> All,
>
> I am doing a college Honor's project on different distributions. Data on
> Debian and its security fixes would be helpful if it is available. I would
> be looking for anything useful in particular, the following:
>
On Wed, 31 Jul 2002 at 09:25:40PM +0900, [EMAIL PROTECTED] wrote:
> Perhaps update-rc.d or rcconf (as I posted earlier) can be used to get
> the desired behavior -- but I do think that being asked by default at
> installation time whether to start stuff up at boot time is better
> behavior than the
Here's the link to the Phrack article.
http://www.phrack.org/show.php?p=59&a=11
It's a really good read, and what they are
suggesting would affect the entire implementation
of SSH, not just OpenSSH or SSH.com.
It can't be fixed from the config file, as
they are not talking about the protocols 1
On Wednesday 31 July 2002 06:08, Adam Olsen wrote:
> Short answer: Linux mainly uses interrupt timings as an entropy
> source, from devices that are fairly unpredictable. Assuming those
> are secure, the entropy pool is protected by a SHA hash of its state
> when something needs random bits. (a
Jean-Francois Dive <[EMAIL PROTECTED]> wrote:
> i was talking to a friend, and he was describing the inability of PC
> based security devices to have proper pseudo-random number generation.
> This sounds to me that i needed some investigation. My general question
> is: has someone ever heard ab
The most recent CERT advisory is about a vulnerability in OpenSSL. At
the end of the advisory there's a link to RedHat who already has a patch
ready.. Does anyone know what it would take to let the Debian community
in the loop? I suppose this might let information out in the open before
it was inte
This one time, Søren Hansen wrote:
> The most recent CERT advisory is about a vulnerability in OpenSSL. At
> the end of the advisory there's a link to RedHat who already has a patch
> ready.. Does anyone know what it would take to let the Debian community
> in the loop? I suppose this might let inf
Søren, please visit http://www.debian.org/security/
More specifically: http://www.debian.org/security/2002/dsa-136
On 31 Jul 2002, Søren Hansen wrote:
> The most recent CERT advisory is about a vulnerability in OpenSSL. At
> the end of the advisory there's a link to RedHat who already has a pa
On Wed, Jul 31, 2002 at 08:12:00AM -0700, Anne Carasik wrote:
> Here's the link to the Phrack article.
>
> http://www.phrack.org/show.php?p=59&a=11
>
> It's a really good read, and what they are
> suggesting would affect the entire implementation
> of SSH, not just OpenSSH or SSH.com.
>
> It can
## Anne Carasik ([EMAIL PROTECTED]):
> $ openssl version
> OpenSSL 0.9.6e 30 Jul 2002
> $ uname -a
> Linux swamp 2.4.17 #1 Fri Feb 22 11:08:36 PST 2002 i686 unknown unknown
> GNU/Linux
> I'm running Woody on my boxes.
On that box, you are faster than security.debian.org. I have 0.9.6c
(from ope
Hi there,
This one time, Dale Amon wrote:
> Perhaps, but one should always change
>
> Protocol 1,2
>
> to just
>
> Protocol 2
>
> in both ssh_config and sshd_config. If someone
> only speaks P1, you really don't want to talk
> to them at all.
There's no debating that. The article
Søren Hansen <[EMAIL PROTECTED]> writes:
> The most recent CERT advisory is about a vulnerability in OpenSSL. At
> the end of the advisory there's a link to RedHat who already has a patch
> ready.. Does anyone know what it would take to let the Debian community
> in the loop?
There is no update f
Funny. We were just discussing about portmap, and now this:
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823
Is Debian vulnerable?
regards,
Thiemo Nagel
Hi,
From: "Thomas J. Zeeman" <[EMAIL PROTECTED]>
Subject: Re: Some more port closing questions
Date: Wed, 31 Jul 2002 14:55:25 +0200 (CEST)
> On Wed, 31 Jul 2002 [EMAIL PROTECTED] wrote:
>
> > Hi,
> >
> > From: Frank Copeland <[EMAIL PROTECTED]>
> > Subject: Re: Some more port closing questions
Hi,
From: Phillip Hofmeister <[EMAIL PROTECTED]>
Subject: Re: Some more port closing questions
Date: Wed, 31 Jul 2002 10:49:44 -0400
> On Wed, 31 Jul 2002 at 09:25:40PM +0900, [EMAIL PROTECTED] wrote:
> > Perhaps update-rc.d or rcconf (as I posted earlier) can be used to get
> > the desired behav
Hi,
From: Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
Subject: Re: Some more port closing questions
Date: Wed, 31 Jul 2002 15:00:51 +0200
> On Wed, Jul 31, 2002 at 09:25:40PM +0900, [EMAIL PROTECTED] wrote:
> >
> > I don't think that's what I want -- I want the software installed,
> > jus
On Wed, Jul 31, 2002 at 10:26:36AM -0500, Orlando wrote:
> On Wednesday 31 July 2002 06:08, Adam Olsen wrote:
>
> > Short answer: Linux mainly uses interrupt timings as an entropy
> > source, from devices that are fairly unpredictable. Assuming those
> > are secure, the entropy pool is protected
Hi,
From: Raymond Wood <[EMAIL PROTECTED]>
Subject: Re: Some more port closing questions
Date: Wed, 31 Jul 2002 07:43:07 -0400
> On Wed, Jul 31, 2002 at 07:06:09PM +0900, [EMAIL PROTECTED] imagined:
> > On a related note, I just ran dselect and noticed rcconf --
> > may be that's what I want (-;
Hi,
From: "Karl E. Jorgensen" <[EMAIL PROTECTED]>
Subject: Re: service enablement via mail and otp?
Date: Wed, 31 Jul 2002 13:47:16 +0100
> On Wed, Jul 31, 2002 at 02:01:14PM +0200, Marcin Owsiany wrote:
> > On Wed, Jul 31, 2002 at 01:37:30PM +0900, [EMAIL PROTECTED] wrote:
> > > Hi,
> > >
> > >
Hi,
> - Original Message -
> From: "Thiemo Nagel" <[EMAIL PROTECTED]>
> To:
> Sent: Wednesday, July 31, 2002 4:03 PM
> Subject: SunRPC Vulnerability
>
>
> >
> > Funny. We were just discussing about portmap, and now this:
> >
> > http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail
On Thu, Aug 01, 2002 at 08:09:31AM +0900, [EMAIL PROTECTED] wrote:
> Hi,
>
> From: "Karl E. Jorgensen" <[EMAIL PROTECTED]>
> Subject: Re: service enablement via mail and otp?
> Date: Wed, 31 Jul 2002 13:47:16 +0100
>
> > On Wed, Jul 31, 2002 at 02:01:14PM +0200, Marcin Owsiany wrote:
> > > On Wed