> ftp: Login failed.
> ftp> quit
> 221 Goodbye.
> 22:36:39:toxa $
>
> I use vsftpd.user_list with users allowed to access my box; of course there's
> no 'ftp' user in it.
If that's built for FreeBSD then it probably doesn't use PAM. This is
a bug in the Debian PAM configuration.
--
Daniel Jacobowitz
MontaVista Software Debian GNU/Linux Developer
If you're running something in situations that could be "quite a
disaster", I suggest you immediately rethink using the version of
vsftpd from _unstable_.
--
Daniel Jacobowitz
MontaVista Software Debian GNU/Linux Developer
> on his box), this could have been quite a disaster.
>
> 'funny':
> |Description: The Very Secure FTP Daemon
> | A lightweight, efficient FTP server written from the ground up with
> | security in mind.
>
> Ahem.
I'm working on it.
Something is wrong with the PAM config...
--
Daniel Jacobowitz
MontaVista Software Debian GNU/Linux Developer
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
On Tue, Jan 22, 2002 at 01:11:18AM +0100, Christian Jaeger wrote:
> This can be a real security hole, at least when you are not aware of
> it (I have just discovered a working way to exploit it on one of my
> machines).
And isn't that a bug in the package in question? :)
--
Dan
On Mon, Dec 31, 2001 at 09:11:41PM +0100, David Gestel wrote:
> What is this? I don't think anyone got in though, everything seems to be
> fine.
> I'm running woody and rpc.statd version 0.3.3
Yep. The fact that it was logged in this particular case means you're
fine
security is especially important to you, run stable with security
updates, or track unstable daily and hope maintainers are responsive.
We try to see that woody is in coherent shape just before release, but
we can't supply fixes for it on any more urgent basis. It moves too
fast.
--
Daniel Jacobowitz
You're safe. It was fixed before potato; it would not have been logged
if it had succeeded.
--
Daniel Jacobowitz Carnegie Mellon University
MontaVista Software Debian GNU/Linux Developer
> what's really needed is a passwd command that behaves exactly the same
> as passwd, only with alternate passwd files.
Hmm, shouldn't some PAM-aware passwd implementation be able to do this?
--
Daniel Jacobowitz Carnegie Mellon University
MontaVista Software Debian GNU/Linux Developer
--
Daniel Jacobowitz Debian GNU/Linux Developer
Monta Vista Software Debian Security Team
"I am croutons!"
>
> It looks like statd is still running. Is rpc still vulnerable? Is there a
Nope, you're safe if you saw the % signs in your logs.
> way to track down who
> connected to rpc.statd?
Run a tcp logger, like ippl.
--
Daniel Jacobowitz
> - xntp3 w/patch (just keeps CAP_SYS_TIME, drops uid 0)
Vsftpd does, too.
I'm fairly sure there's a lot more - you can access them through PAM
somehow, I think...
--
Daniel Jacobowitz Debian GNU/Linux Developer
Monta Vista Software Debian Security Team
"I am croutons!"
> Segmentation fault (core dumped) joe foo
>
> I wonder what's the best fix for this bug... check ownership of ./.joerc
> file before trying to read it? Not read it at all?
Don't read it at all, please. I guess there's a command line option to
choose an rc file? If so, I'd have no qualms about killing this
behavior.
--
Daniel Jacobowitz Debian GNU/Linux Developer
Monta Vista Software Debian Security Team
n for stable it has no purpose.
It is preparation for becoming stable, but not "on half a moment's
notice". Security fixes go into unstable and trickle into testing.
The principle, I think, is that we can throttle the packages being
allowed into testing for an easier release cycle.
t support that any more; you
should upgrade to potato, which has been out since last August. The
web page does not reference slink any more...
Dan
ing language for this page ?
The web people tell me that this was a bug in the automatic
regeneration of the web pages; it should be fixed.
Dan
tainly accurate, but to my knowledge lprng is the only thing to
slip through the cracks that way in a year. We're often behind with
fixes in general, but when we post a fix the advisory generally goes
out the same day!
Dan
would have crashed well beforehand.
Dan
Daniel Jacobowitz, SCS Class of 2002, Debian GNU/Linux Developer, Carnegie Mellon University
pb/project/openafs/debian packages/
for some preliminary packages.
Dan
es getting all fixes compiled on all architectures for unstable.
That's impractical; we do the best that we can, but it's too time
consuming and too complicated, especially given the quirks of some of
our architectures.
Dan
st - debian-security-announce.
That's what it's for :)
Dan
crash - that's the whole use of it. It shows what files were being
edited when joe was killed.
Dan
t clean Debian installs it is not mode 0700.
There will be a security advisory shortly.
Dan
ly (when possible), yes
> - I should use potato security fixes with woody
Well, it's safe to list it as an apt source, and there will
occasionally be things available there before in unstable. But fixes
also tend to go straight into unstable.
Dan
> fixes for nonus packages (if any)?
I believe it is a matter of trust and of instant distribution; we can
provide uploads to everyone using the security site in a very limited
amount of time.
Dan
> to hit the broken functionality. The PHP folks know about it, and
> hopefully 3.0.18 will be out soon.
Yep, so I've gathered. I'll do a new security upload when this
happens.
Dan
erbenson/
Probably some current trojan. Maybe a sub7 variant? There's a trojan
list on the web somewhere.
Dan
On Wed, Oct 11, 2000 at 08:01:57AM -0700, andy wrote:
> On Wed, 11 Oct 2000, Daniel Jacobowitz wrote:
>
> > On Wed, Oct 11, 2000 at 07:18:23AM -0700, andy wrote:
> > > just ran tiger on a fresh debian (2.2) install, and received the following
> > > warnings:
>
are you installing
from?
I can't reproduce this.
Dan
On Tue, Oct 10, 2000 at 10:28:39PM -0400, Ben Pfaff wrote:
> Daniel Jacobowitz <[EMAIL PROTECTED]> writes:
>
> > This was fixed a month or two before potato was released.
>
> I've seen those too, on up-to-date woody, so I don't think it
> really got fixed.
in advance.
Dan
) (even though that's only a DoS solved easily by disk
> file quotas)
I'll say this for the fifth time this week...
We are backlogged. There aren't very many of us, and we have over half
a dozen half-written advisories. They will be going out soon.
I posted on bugtraq that the vulnerability had been fixed in debian,
informally,
distributions are
generally fairly well looked-over and tested.
Dan