-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
--
Debian Security Advisory DSA 264-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
March 19th, 2003
His announcement is Slashdotted, and I'm seeing no notice of which versions
are affected! I'm running 2.4.18 on all my Debian servers, please tell me
what's going on.
same here...:(
Why? Most of what this patch does is change kernel_thread into arch_kernel_thread;
the only useful thing I see is
On Wednesday, 19 March 2003 00:15, Timm Gleason wrote:
I have not seen any mention of this on this list. Is the current version
(0.9.6c-2.woody.2) vulnerable to this current RSA issue?
I've mentioned that one yesterday, too.
This raised no reaction, probably because the subject Fwd: [ADVISORY]
Networks needing a greater degree of privacy and authentication can try
AFS/Kerberos (entailing non-free server-end software). Substituting
LDAP-SSL for NIS is arguably a step forward, but then NFS remains a
problem (No Friggin' Security).
Doesn't NFS v4 answer some of these problems? Does
Rick Moen [EMAIL PROTECTED] writes:
Networks needing a greater degree of privacy and authentication can try
AFS/Kerberos (entailing non-free server-end software).
depends what you mean by free. Are you aware of openafs? http://www.openafs.org
seph
Quoting seph ([EMAIL PROTECTED]):
depends what you mean by free. Are you aware of openafs?
http://www.openafs.org
That is of course derived from the IBM Transarc software. Hmmm. Some
while back, I'd been led to believe that only client-end software was
available in open source. A quick
On Wed, Mar 19, 2003 at 02:35:53PM +0100, Ralf Dreibrodt wrote:
Paul Hampson wrote:
You can effectively chroot php files with:
php_admin_value open_basedir /directory/where/files/are
in the Apache virtual host config. Then:
a) php4 won't let files outside that directory be accessed;
What is OpenAFS vs CODA?
[EMAIL PROTECTED] wrote:
On Wed, Mar 19, 2003 at 02:09:51AM -0800, Rick Moen wrote:
Quoting seph ([EMAIL PROTECTED]):
depends what you mean by free. Are you aware of openafs?
http://www.openafs.org
That is of course derived from the IBM Transarc software. Hmmm. Some
The Grsecurity patch can limit ordinary users' use of ptrace. Can it help avoid the
ptrace exploit?
Martynas
As I understand it, OpenAFS is IBM software that was opensourced. Coda
was a wholly opensource project to implement AFS. Please feel free to
correct me if I'm wrong.
David.
On Wed, 19 Mar 2003, Hanasaki JiJi wrote:
What is OpenAFS vs CODA?
[EMAIL PROTECTED] wrote:
On Wed, Mar 19, 2003
On Wed, Mar 19, 2003 at 09:40:00AM -0600, David Ehle wrote:
As I understand it, OpenAFS is IBM software that was opensourced. Coda
was a wholly opensource project to implement AFS. Please feel free to
correct me if I'm wrong.
No, CODA is not simply an AFS implementation. It is based on
On Wed, Mar 19, 2003 at 09:40:00AM -0600, David Ehle wrote:
As I understand it, OpenAFS is IBM software that was opensourced. Coda
was a wholly opensource project to implement AFS. Please feel free to
correct me if I'm wrong.
Coda is another CMU SCS project (as was AFS, which
btw stands
On Wed, 19 Mar 2003 at 05:18:05PM +0200, Martynas Domarkas wrote:
The Grsecurity patch can limit ordinary users' use of ptrace. Can it help avoid the
ptrace exploit?
But if you are running a development system this pretty much breaks GDB
(the way I understand it).
--
Phil
PGP/GPG Key:
On Tue, 2003-03-18 at 08:04, Giacomo Mulas wrote:
Alan Cox apparently just made public a vulnerability in the stock
kernel which would permit a local user to gain root privileges (see e.g.
Linux Today, LWN, the LK mailing list...). Is a patched source package in
the making already or
I am planning to replace a (dead) Windows 2000 computer that was used
as a web server and email server with a Debian Linux solution. This
machine is connected to the net via DSL and would run apache and
exim/qpopper and sshd. Everything else would be turned off. It is a
small church and
On Wed, Mar 19, 2003 at 01:44:13PM -0600, Jones remarked:
I am planning to replace a (dead) Windows 2000 computer that
was used as a web server and email server with a Debian Linux
solution. This machine is connected to the net via DSL and
would run apache and exim/qpopper and sshd.
Hi!
On Wednesday 19 March 2003 20:44, Jones wrote:
Am I right in assuming that iptables is enough as a firewall solution
and that I would not need to buy any additional software.
Well, I'm primarily responding to your second question, but the way I
would do it, if I had the resources, would
On Wed, 2003-03-19 at 20:44, Jones wrote:
On a less related note, what hardware config would you recommend for
such a system? She has a number of machines that I could choose
from. Most of them are 1.x Ghz Pentium systems with 256MB RAM and 10
GB IDE hard drives. After increasing the RAM
Hello,
On Wednesday 19 March 2003 11:44 am, Jones wrote:
I am planning to replace a (dead) Windows 2000 computer that was used
as a web server and email server with a Debian Linux solution. This
machine is connected to the net via DSL and would run apache and
exim/qpopper and sshd.
IMO iptables is a reasonably good stateful firewall and is fine in most
cases. However, a very wise person once said that the ideal setup is to
layer more than one implementation of packet filter and firewall between
the wild and a host/network you wish to protect. Ideally implementations
on
On Wed, Mar 19, 2003 at 09:45:48PM +0100, Janus N. Tøndering wrote:
This should be more than enough. I have been running a mailserver on a
Pentium 133MHz 96 RAM + SCSI for a few years. It can handle quite a lot
of mail --- never had a problem.
Hah! Is nothing! I run a cablemodem firewall,
Quoting Kjetil Kjernsmo ([EMAIL PROTECTED]):
Well, I'm primarily responding to your second question, but the way I
would do it, if I had the resources, would be to get a small Pentium
133 MHz box, booting from a floppy and use it as a router and firewall.
No harddrive, a complete
What I find astonishing: Let's say you are running a webserver, maybe
mailserver and a DNS on a server. What rules do you want to apply to
the packets etc.?
I would suggest keeping the open ports restricted, checking for all
current updates regularly (subscribe to several mailinglists etc.)
and
On Wednesday 19 March 2003 22:58, Rick Moen wrote:
You could do that with Linux Router Project floppy images -- but
booting from floppy is really cramped. Through some miracle of
economising on space, they finally migrated to libc6 and kernel
2.2.x, but God only knows how.
Hehe...
Using a
On Wednesday 19 March 2003 09:18, Martynas Domarkas wrote:
The Grsecurity patch can limit ordinary users' use of ptrace. Can it help avoid the
ptrace exploit?
Martynas
yes for the most part limiting access to /proc/self/exe breaks the exploit.
I run 2 cronjobs to apt update each machine every night and email me the
updates, if I'm happy I login and do the upgrade.
For protecting a single machine I have difficulty justifying a separate
firewall machine; I cannot see it achieving much unless the port forwarded
ports are proxied, i.e. no
rest of the secure distros or floppy-based distros for a
firewall-grade OS -- or a hardened Debian box..
http://www.Linux-Sec.net/Distro/
- but from the look of the security advisories from some
distros, it's just like any other Linux distro .. with
more or less
On Tue, Feb 25, 2003 at 10:15:15AM +0100, debian-isp wrote:
I am just asking myself how to secure our webserver with a couple of virtual hosts.
Currently we have a large installation of typo3 running. It has a feature called
fileadmin with which you can easily upload files. As it is thereby
Paul Hampson wrote:
You can effectively chroot php files with:
php_admin_value open_basedir /directory/where/files/are
in the Apache virtual host config. Then:
a) php4 won't let files outside that directory be accessed;
No:
- Hard links
- Commands executed with system can access files
Rick Moen [EMAIL PROTECTED] writes:
Quoting seph ([EMAIL PROTECTED]):
depends what you mean by free. Are you aware of openafs?
http://www.openafs.org
That is of course derived from the IBM Transarc software. Hmmm. Some
while back, I'd been led to believe that only client-end software
Quoting seph ([EMAIL PROTECTED]):
you might be thinking of Arla, which is a completely independent
opensource afs client. http://www.stacken.kth.se/projekt/arla/
Nope.
Last I heard, Arla was going nowhere, on account of lost mindshare when
IBM/Transarc put OpenAFS under the IBM PL. Has that
Yes, but no programmer may access production servers :-)
M.
On Wed, 2003-03-19 18:26, Phillip Hofmeister wrote:
On Wed, 19 Mar 2003 at 05:18:05PM +0200, Martynas Domarkas wrote:
The Grsecurity patch can limit ordinary users' use of ptrace. Can it help avoid the
ptrace exploit?
But if you are running a
been trying to get the following to work for some time; input is most
appreciated
internet =25= firewall iptablerule =port#x= internalSMTPhost
how can the firewall be told to:
take all incoming tcp port 25 traffic and send it to
smtp host on port X
take all outgoing
Hi There!
Sorry about making a racket, but I am posting this for the edification
of all, as there is a work around without breaking your server for this
one.
As you can read below, I have found that the patch on 2.4.x also BREAKS
kill(2) when executed for signal 0 on a process ID that the user
I am eating my own shorts here
kill(2) does actually behave the way it is supposed to.
BUT these are correct:
- Debian netsaint does definitely have problems with its Web front end
NOT being able to see the netsaint process running as the netsaint user
from the Web server running as
Apparently Apache2 has a module to do user per virtual host...
Hmm. :-) If it does group per virtual host, I might look at
upgrading...
Yep, the perchild MPM. http://httpd.apache.org/docs-2.0/mod/perchild.html
I tried that one, but the child processes died immediately. As it says, work is
ongoing
Hanasaki JiJi wrote:
What is OpenAFS vs CODA?
IIRC CODA has the limitation of needing 4% of the volume size in RAM. And
performance is very bad (IIRC like 150 kbytes/sec max on a Pentium 400).
On second thought: this was in a fully redundant setup - probably it
has better performance in other
On Wed, 2003-03-19 at 22:43, Matthew Grant wrote:
I have been just digging harder, and the vulnerability is only
exploitable if you are using the kernel auto module loader, so compile
Not the case in some situations
Could I please say this to the kernel developers, please fix it
properly!
I