-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 293-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
April 23rd, 2003
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 294-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
April 23rd, 2003
Greetings list,
On Mon, Apr 14, 2003 at 20:01:57 -0500, Greg Norris wrote:
On Tue, Apr 15, 2003 at 12:46:38AM +0100, Nick Boyce wrote:
The fix is in vanilla kernel 2.4.20 as I understand it, and it sounds
like some people here are downloading that source for their Woody i386
systems.
On Wed, Apr 23, 2003 at 01:07:22AM +0200, Alexander Schmehl wrote:
* Konstantin [EMAIL PROTECTED] [030422 23:03]:
can anyone post the patch for the 2.4.20-kernel (from kernel.org) or give me
an address I can leech it from.
http://www.ussg.iu.edu/hypermail/linux/kernel/0303.2/0226.html
On Tue, Apr 22, 2003 at 08:03:45PM +0100, Hobbs, Richard wrote:
Hello,
Thanks for the reply... So does this mean it will become available in
woody when it is deemed stable enough?
theoretically, proposed-updates will be put in next release of woody (r2).
Any ideas when this might be?
On Wed, Apr 23, 2003 at 09:35:32AM +0200, Alexander Schmehl wrote:
* Adam ENDRODI [EMAIL PROTECTED] [030423 07:59]:
http://www.ussg.iu.edu/hypermail/linux/kernel/0303.2/0226.html
http://sinuspl.net/ptrace/
Can you tell me whether these patches are the ones which were
known to break
On Tue, 22 Apr 2003 at 10:32:01PM +0200, Javier Fernández-Sanguino Peña wrote:
There are several, already mentioned, and also httperf (available as a
Debian package)
This message was reported to razor by someone. Just a reminder all,
please do not use other spam filters to automatically
Have a look at the coroner toolkit from Dan Farmer and Wietse Venema.
Debian packaged : tct
It is advised *not* to turn off your box, maybe you can unplug its
network...
not sure it's a good idea even.
http://www.fish.com/tct/help-when-broken-into
Chosen extract :
What to do
---
The
On 2003/04/23 04:20:16AM +, Wed, simon raven wrote:
btw, anyone know if PPC kernels have had the grsec patch apply cleanly
to mainline kernel.org source? as i use xfs fs, the patching is rather
extensive, and i haven't had much luck with it. i spent more than a week
trying to compile a
On Thu, 17 Apr 2003, Arthur van Dorp wrote:
Today's security advisory about openssl speaks about possibly breaking
existing applications:
Unfortunately, RSA blinding is not thread-safe and will cause failures
for programs that use threads and OpenSSL such as stunnel. However,
since
Hi,
I'm building a 'secure' server.
I downloaded the 2.4.20 kernel source from kernel.org and patched with
grsecurity (latest patch).
I also disabled loadable modules or any module support in the kernel for
added security - So everything is compiled in to the kernel.
However, iptables won't
On Wed, 23 Apr 2003, DEFFONTAINES Vincent wrote:
What to do
---
The first 3 basic steps to handling a situation (roughly taken from
the wonderful Criminalistics, An Introduction to Forensic Science, by
Saferstein (see the bibliography file) are:
o Secure and isolate
If so, can anyone explain how recompiling an application can help?
(There are no differences in the library interface between
openssl-0.9.6c-2.woody.2 and openssl-0.9.6c-2.woody.3)
My testing machine doesn't show any problems with stunnel and the
updated openssl. I'm not sure what the advisory
The trick is in the kernel build. When you do a make menuconfig (or your
favorite config), you need to go under network options, and enable
network packet filtering, socket filtering, and any options you want
under Netfilter Configuration (iptables support for example). Then save
and
On Wed, Apr 23, 2003 at 03:17:03PM +0100, David Ramsden wrote:
However, iptables won't work, saying it can't initialise iptables table
'filter' and saying do you need to insmod?.
So does iptables require module support? I don't want to use modules
though! :-)
Surely the Netfilter people would
I guess you won't get these problems when you are running stunnel in
pipe or pipe-client mode. It is supposed to run in multi-threaded mode
only when it is listening on a port.
This seems to be a very good explanation to me as I run stunnel for
pop3s via inetd.
Thanks, Arthur.
On Wed, Apr 23, 2003 at 12:22:40PM -0400, Stephen Walker wrote:
David,
You do not need modules to run netfilter, just compile the required
modules into the kernel. I have a 2.4.20 server that is iptables
enabled without loadable modules so I know it works.
Thanks for that Steve.
Works
I've been asked to post the patch below. Karsten Merker supplied
me with a patch to link woody stunnel statically against openssl.
Regards,
Joey
--
It's practically impossible to look at a penguin and feel angry.
Please always Cc to me when replying to me on the lists.
diff -Nur
On Wednesday 23 April 2003 07:17 am, David Ramsden wrote:
I'm building a 'secure' server.
I downloaded the 2.4.20 kernel source from kernel.org and patched with
grsecurity (latest patch).
I also disabled loadable modules or any module support in the kernel for
added security - So everything
Hi,
what is the best way to remotely syslog? In
RE: HELP, my Debian Server was hacked! by James Duncan he wrote to
use syslog to log locally AND remotely. This is a good idea. But I
wonder how to make it safe. Let's say I have two servers. Each could
keep a second, separate log as backup-log
On Wed, 23 Apr 2003 15:17:03 +0100
David Ramsden [EMAIL PROTECTED] wrote:
I'm building a 'secure' server.
I downloaded the 2.4.20 kernel source from kernel.org and patched with
grsecurity (latest patch).
I also disabled loadable modules or any module support in the kernel for
added
Sorry for the duplicate. I seem to be about 3 hours behind on email delivery.
- Keegan
* Robert Varga ([EMAIL PROTECTED]) [030423 18:05]:
On Thu, 17 Apr 2003, Arthur van Dorp wrote:
As I use stunnel I wonder what these problems might be. I've updated my
testing machine which is set up similar to my production server and
didn't find a problem yet. But my testing possibilities
On Wednesday 23 April 2003 13:43, Stefan Neufeind wrote:
what is the best way to remotely syslog?
If the business situation warrants the expense, then I advise my clients to
run an admin network on critical servers, with one hardened syslog server to
receive event logs from the servers. Keep
But what if you can't deploy a separate network just for syslog?
Encrypt it somehow? Or just use ip-based-security? I guess that's the
worse idea if you might be on a switch with several other machines,
right?
And do I really need a real syslog on the other machine? Or is there
any daemon so
On Wednesday 23 April 2003 17:48, Stefan Neufeind wrote:
But what if you can't deploy a separate network just for syslog?
Encrypt it somehow?
There's at least a couple options:
1) Encrypt the syslog stream.
2) Keep the syslog stream plaintext, but really harden the syslog server as
much as
this one worked fine for me:
http://sinuspl.net/ptrace/
I had no problems.
Greetz
Konstantin Filtschew
- Original Message -
From: Adam ENDRODI [EMAIL PROTECTED]
To: debian-security debian-security@lists.debian.org
Sent: Wednesday, April 23, 2003 7:59 AM
Subject: Re: ptrace patch for
Hi!
On Wednesday 23 April 2003 22:37, Kenneth R. van Wyk wrote:
If the business situation warrants the expense, then I advise my clients to
run an admin network on critical servers, with one hardened syslog server
What do you mean on admin network? Simply add plus network interfaces to each
or, if using syslog-ng, do this for each logfile type in your config file:
destination syslog { file("/var/log/serverlogs/$HOST/syslog" owner(root)
group(adm) perm(0640)); };
that way, each server will have unique files in their own directories.
I'm assuming you mean maintaining a
unsubscribe
On Wednesday 23 April 2003 19:12, Litzler Mihaly wrote:
What do you mean on admin network? Simply add plus network interfaces to
each server and separate all the traffic at lower layers?
Yes, a separate, isolated, network segment that is _only_ used for
administrative/management data. A
Hi!
On Thursday 24 April 2003 02:04, Kenneth R. van Wyk wrote:
Yes, a separate, isolated, network segment that is _only_ used for
administrative/management data. A separate NIC and hub for each cluster of
How do you think switching a separate VLAN for this would be also secure
enough? Is it
On Thu, 24 Apr 2003, Litzler Mihaly wrote:
How do you think switching a separate VLAN for this would be also secure
enough? Is it a must to use a dedicated device?
Depends on your switch. A dedicated device is a MUCH better idea.
--
One disk to rule them all, One disk to find them. One
Litzler Mihaly wrote:
How do you think switching a separate VLAN for this would be also secure
enough? Is it a must to use a dedicated device?
Switching is done for speed, not security.
Hello!
On Thursday 24 April 2003 03:09, Henrique de Moraes Holschuh wrote:
Depends on your switch. A dedicated device is a MUCH better idea.
Okay. I understand, really thanks for the advice.
However I'm also interested in that how secure is to create VLANs with for
example a Cisco29xx and
On Wed, Apr 23, 2003 at 10:09:27PM -0300, Henrique de Moraes Holschuh wrote:
How do you think switching a separate VLAN for this would be also secure
enough? Is it a must to use a dedicated device?
Depends on your switch. A dedicated device is a MUCH better idea.
Yes, there are a number
On Wednesday 23 April 2003 21:26, Jamie Heilman wrote:
Litzler Mihaly wrote:
How do you think switching a separate VLAN for this would be also secure
enough? Is it a must to use a dedicated device?
Switching is done for speed, not security.
Agreed. For a dedicated logging server, though,