Re: Reintroducing openjdk-8 for Bullseye?

2020-04-09 Thread Florian Weimer
* Graham Inggs: > As of nvidia-cuda-toolkit 10.1.243, upstream stopped shipping the > bundle JRE, and expect users to download it directly from Oracle. We > are considering our options, and one which is very attractive for us > is for openjdk-8 to be reintroduced for Bullseye, but the question is

Re: package for security advice

2020-03-07 Thread Florian Weimer
* Russell Coker: > I think it would be good to have a package for improving system > security. It could depend on packages like spectre-meltdown-checker > and also contain scripts that look for ways of improving system > security. For example recommend SE Linux or Apparmor (if you don't > have o

Re: new hash algorithim for git and maybe a goal for Bullseye ?

2020-02-07 Thread Florian Weimer
* shirish शिरीष: > I was shared this [1] and while it's important, it is equally > important to point out that the work isn't complete atm. From what > little I know, almost all Debian's work is now using git (there may be > some subversion, some mercurial repos) but most of the work has now > be

Re: Why no security support for binutils? What to do about it?

2020-01-01 Thread Florian Weimer
* Paul Wise: > On Wed, Jan 1, 2020 at 1:00 PM Florian Weimer wrote: > >> Doesn't lintian on ftp-master use disposable VMs? > > No mention of qemu/kvm in dak.git nor any qemu processes running on > ftp-master.d.o, so I don't think so. Uh-oh. >> Some of its

Re: Why no security support for binutils? What to do about it?

2020-01-01 Thread Florian Weimer
* Daniel Reichelt: >> Some of its checks look inherently dangerous, e.g. the bash -n >> check for shell syntax. > > Why would bash -n be dangerous? In the past, the bash parser was not very successful at inhibiting command execution. I doubt that this has changed, although some corner cases have

Re: Why no security support for binutils? What to do about it?

2020-01-01 Thread Florian Weimer
* Paul Wise: > On Tue, Dec 31, 2019 at 9:47 AM Florian Weimer wrote: > >> BFD and binutils have not been designed to process untrusted data. >> Usually, this does not matter at all. For example, no security >> boundary is crossed when linking object files that have be

Re: Why no security support for binutils? What to do about it?

2019-12-31 Thread Florian Weimer
* Andreas: > there is no security support for binutils in debian stable > (buster). Given the importance of binutils this seems to me to be a real > problem. BFD and binutils have not been designed to process untrusted data. Usually, this does not matter at all. For example, no security boundary

Re: "-fstack-clash-protection" option

2019-01-15 Thread Florian Weimer
* Hideki Yamane: > I've read systemd's vulnerability article [1] and then I have > a question, do we have any plan to enable "-fstack-clash-protection" > by default? I cannot find any discussion about it. There's a bug report requesting a build flags change:

Re: [release-notes/stretch] Release notes sign-off from the security team

2017-05-01 Thread Florian Weimer
* Julien Cristau: > On Mon, Apr 3, 2017 at 20:43:08 +0200, Florian Weimer wrote: > >> * Niels Thykier: >> >> > There is a security team related item in the release checklist where we >> > need input from the you[1]: >> > >> > Items are:

Re: [release-notes/stretch] Release notes sign-off from the security team

2017-04-03 Thread Florian Weimer
* Niels Thykier: > There is a security team related item in the release checklist where we > need input from the you[1]: > > Items are: > * release-notes: Security Team signoff for lower supported packages > > Please review the release notes and file bugs for the missing items (if > any) and let

Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?

2016-10-18 Thread Florian Weimer
* Michael Stone: > On Thu, Oct 13, 2016 at 02:45:29PM -, te3...@sigaint.org wrote: >>As you asked me for a specific case, may I bring up CVE-2016-5696. >> >>A fix to the medium-risk vulnerability was uploaded on July 10, 2016 by >>Eric Dumazet (cf. >>https://github.com/torvalds/linux/commit/75

Re: Bug#839607: Robustify manager_dispatch_notify_fd()

2016-10-03 Thread Florian Weimer
* Salvatore Bonaccorso: > There were two CVE assignments for systemd recently, CVE-2016-7795 and > CVE-2016-7796, and assigned here: > https://marc.info/?l=oss-security&m=147521835218986&w=2 > > CVE-2016-7795 is for > > https://github.com/systemd/systemd/issues/4234 > https://www.agwa.name/blog/po

Re: Bug#839607: Robustify manager_dispatch_notify_fd()

2016-10-03 Thread Florian Weimer
* Michael Biebl: > Dear security team, I'd appreciate your input on bug #839607 It's a bug, and it should be fixed in stable, probably in a point update. Does this affect other distributions? In this case, it's best to request a CVE ID on the oss-security list.

Re: [SECURITY] [DSA 3372-1] linux security update

2015-10-27 Thread Florian Weimer
* Denny Bortfeldt: > Hello everyone, > > does anyone know why there aren't any changelogs for deb7u4 and dev7u5 ?! Hi Denny, I checked, and there are changelog entries in the package. > It would be really nice to know what have been changed. > > ~# apt-get changelog linux-headers-3.2.0-4-amd64

Re: curl security issue? - [SECURITY NOTICE] libidn with bad UTF8 input

2015-07-18 Thread Florian Weimer
* Patrick Schleizer: > Are you aware of this already? > > [SECURITY NOTICE] libidn with bad UTF8 input > > http://curl.haxx.se/mail/lib-2015-06/0143.html > > Haven’t found anything related on debian.org mailing lists and/or curl's > changelog. We are aware of it. This will be fixed in libidn bec

Re: openjdk-7 security updates after JDK 7 End of Public Updates

2015-03-28 Thread Florian Weimer
* Francis Devereux: > Thanks Moritz, that's good news. I can't find any details of > icedtea's security support lifecycle on their website so I might > email their mailing list. What I'm trying to do is get an > understanding of how long the Debian openjdk-7 packages are likely > to be supported f

Re: [SECURITY] [DSA 3171-1] samba security update

2015-02-23 Thread Florian Weimer
* Jernej Korinšek: > Za Debian ne vem, za RH: > Lastly the version of Samba 4.0 shipped with Red Hat Enterprise Linux > 6.2 EUS is based on an alpha release of Samba 4, which lacked the > password change functionality and thus the vulnerability. The same is > true for the version of Samba 3.0 ship

Re: Should we be alarmed at our state of security support?

2015-02-18 Thread Florian Weimer
* John Goerzen: > Regarding the python2.6 one you were saying wasn't a big deal -- there's > a proof of concept exploit for it > https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/ > . Why would the tracker say that such a thing wasn't important enough > to

Re: [SECURITY] [DSA 3148-1] chromium-browser end of life

2015-02-04 Thread Florian Weimer
* Russell Coker: > On Sun, 1 Feb 2015 11:18:43 PM Paul Wise wrote: >> chromium was already being backported to wheezy for security updates, >> the latest versions need newer compilers so we can't backport any >> more. > > Why can't we backport the compilers too? You'd have to replace the system l

Re: [SECURITY] [DSA 3121-1] file security update

2015-01-19 Thread Florian Weimer
* Henrique de Moraes Holschuh: > However, it would be best if we could somehow get you permission to upload > backports of "file". Looks like it's being worked on: (I don't know what's blocking this, Christoph really shouldn't have any trouble pas

Re: NSA software in Debian

2014-01-22 Thread Florian Weimer
* Marco Saller: > i am not sure if this question has been asked or answered yet, > please do not mind if i would ask it again. > Is it possible that the NSA or other services included investigative > software in some Debian packages? We don't reject contributions just because they come from a go

Re: Check for revocation certificates before running apt-get?

2013-12-30 Thread Florian Weimer
* Kurt Roeckx: > On Sun, Dec 15, 2013 at 03:15:03AM +, adrelanos wrote: >> > When you implement this, please ensure it isn't vulnerable to any >> > duplicate-keyid problems: >> > >> > http://debian-administration.org/users/dkg/weblog/105 >> >> Damn, I wasn't aware of the latest news that lon

Re: MIT discovered issue with gcc

2013-11-26 Thread Florian Weimer
* Bob Proulx: > In those systems the zero page is initially bit-zero and reading from > the zero point will return zero values from the contents there. If > the program writes to the zero page then subsequent reads will return > whatever was written there. This is bad behavior that was the defau

Re: process to include upstream jar sig in Debian-generated jar

2013-09-01 Thread Florian Weimer
* Michael Stone: > On Thu, Aug 29, 2013 at 11:35:47AM +0200, Sébastien Le Ray wrote: >>Yes but the whole thing looks weird, on one hand OP wants to include a >>signed jar in the package, on the other hand he says "signature could be >>omitted if quick update is needed"… What's the point having sig

Re: process to include upstream jar sig in Debian-generated jar

2013-08-29 Thread Florian Weimer
* Hans-Christoph Steiner: > That should then result in a debian-generated jar that has the > martus signature on it. If Debian Security needed to update the > package to fix an urgent issue, then they could still do so. The > package build process would only include the upstream signature from >

Re: About adding security.debian.org ipv6 to iptables, which range should we add?

2013-05-06 Thread Florian Weimer
* Stefan Eriksson: > Hi now and again we get a timeout when looking up security.debian.org > while running apt-get update. We have traced it to the ipv6's we > get. It seems like they change (and as ipv6 have prio over ipv4 we are > affected) Which ipv6 range should we open for in iptables to have

Re: [SECURITY] [DSA 2563-1] viewvc security update

2012-10-23 Thread Florian Weimer
* Jon Dowland: > This DSA was signed with key 0x401DAC04, which is not in any debian-keyring > package I can find, nor on pgp.mit.edu. Is this a mistake? Thanks! It's a signing subkey of E1C21845, some software might have problems with that. The entire key is available from the developer LDAP.

Re: pre-screening new package: SQLCipher, based on SQLite3

2012-10-01 Thread Florian Weimer
* Stephen Lombardo: > I agree that implementing SQLCipher using a VFS plugin would work, and > we've considered it in the past. However, we've decided to stick with the > codec approach for now, given that some functionality could prove more > complex to implement and a major shift / rewrite could

Re: pre-screening new package: SQLCipher, based on SQLite3

2012-09-28 Thread Florian Weimer
* Hans-Christoph Steiner: > The tricky part is that it is a modified version of SQLite3, and lintian > properly gives an error about that. But because of the features that > SQLCipher provides, it must modify the core of SQLite to work, therefore > it cannot be made into a plugin. Why isn't it im

Re: sun-java6-plugin outdated and vulnerable to an actively exploited security issue

2012-08-17 Thread Florian Weimer
* Jason Fergus: > Is it plausible to get openjdk7 backported to squeeze as a security > measure in this regard? It sure seems to be more closely based to what > oracle is now putting out. Well there are some programs that apparently > refuse to work with Java7 altogether, but I'd say that's the

Re: [SECURITY] [DSA 2491-1] postgresql-8.4 security update

2012-06-09 Thread Florian Weimer
* Florian Weimer: > CVE-2012-2143 > The crypt(text, text) function in the pgcrypto contrib module > did not handle certain passwords correctly, ignoring > characters after the first character which does not fall into > the ASCII range. It's been po

[DSA 2442-1] openarena security update

2012-03-26 Thread Florian Weimer
Debian Security Advisory DSA-2442-1 secur...@debian.org http://www.debian.org/security/ Florian Weimer March 26, 2012

Re: AW: Vulnerable PHP version according to nessus

2011-12-28 Thread Florian Weimer
* Jordon Bedwell: > New upstream version is used pretty loosely here. I would hardly > consider a bug fix release a new version. You guys treat versions as > if they're a matter of national security, because 5.3.7 vs 5.3.8 is > obviously gonna have some major major API changes and some way new >

Re: Bug#645881: critical update 29 available

2011-12-11 Thread Florian Weimer
* Matthias Klose: > On 12/11/2011 01:07 PM, Holger Levsen wrote: >> Hi, >> >> On Sonntag, 11. Dezember 2011, Philipp Kern wrote: >>> sorry, but I'd rather like to have an announcement that it has a bug, >> >> me too, for all the reasons Philipp noted. >> >> It's also trivial to download the fix

Re: Bug#645881: critical update 29 available

2011-12-11 Thread Florian Weimer
* Philipp Kern: > sun-java6 is sadly still a very high profile package. I won't go and > break all those installations which force sun-java6 over openjdk-6 > locally, either in unattended installations or through other means. It's really unfortunate that most of those installations seem to need

Re: Bug#645881: critical update 29 available

2011-12-01 Thread Florian Weimer
* Moritz Mühlenhoff: > Florian, what's the status of openjdk6 for stable/oldstable? I've released the pending update for squeeze. lenny will eventually follow, and so will the pending updates for squeeze, but judging by my past performance, it will take a while. If someone else wants to work on

Re: RSA/DSA

2011-11-25 Thread Florian Weimer
* Wim Bertels: > So why isn't it possible to choose one the longer keylengths for DSA? The original DSA standard explicitly required that key lengths did not exceed 1024 bits. Older OpenSSH versions implemented that standard. -- Florian Weimer BFK edv-consult

Re: Bug#645881: critical update 29 available

2011-10-21 Thread Florian Weimer
* Moritz Muehlenhoff: > As for stable/oldstable: I noticed that Red Hat provided packages for > update 29 for RHEL 4 (RHEL 5 onwards use OpenJDK): > http://lwn.net/Articles/463919/ If anyone remembers the rationale behind the DLJ, perhaps they can check if the current BCL matches our needs, too?

Re: Debian LTS?

2011-10-06 Thread Florian Weimer
> LTS doesn't mean to back-port everything like RedHat does. Just to > allow for the System to be more up to date with special feature or > have to be intime Software. So that you have a supported Database all > the time and so that it keep being supported. One person's essential features is anoth

Re: [SECURITY] [DSA 2311-1] openjdk-6 security update

2011-09-28 Thread Florian Weimer
* Simon McVittie: > Would it be possible to provide some sort of empty transitional package for > those Hotspot variants in order to get rid of them? I don't think we use transitional packages for this purpose. I think adding a Replaces: icedtea-6-jre-cacao to openjdk-6-jre-headless (on i386 and

Re: [SECURITY] [DSA 2260-1] rails security update

2011-06-14 Thread Florian Weimer
* Florian Weimer: > Subject: Re: [SECURITY] [DSA 2260-1] rails security update Sorry, this is the correct subject line. -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: [SECURITY] [DSA 2233-1] postfix security update

2011-05-10 Thread Florian Weimer
* Florian Weimer: > Package: postfix > Vulnerability : several > Problem type : remote > Debian-specific: no > CVE ID : CVE-2009-2939 CVE-2011-0411 CVE-2011-1720 > > For the unstable distribution (sid), this problem has been fixed in > version 2.8.0-1.

Re: [SECURITY] [DSA 2208-1] bind9 security update

2011-03-30 Thread Florian Weimer
* Florian Weimer: > For the oldstable distribution (lenny), the DS record issue will be > fixed soon. (CVE-2011-0414 does not affect the lenny version.) We ran into trouble with the archive software, so only amd64 and i386 packages are available at this time. Hopefully, this will be rec

Re: [SECURITY] [DSA 2162-1] openssl security update

2011-02-14 Thread Florian Weimer
* Nick Boyce: > On 14/02/2011 16:28, Nico Golde wrote: > >>> We recommend that you upgrade your invalid memory access packages. >> >> This has been a mistake during the auto-generation of the DSA template. Of >> course thsi should say "your openssl packages". > Erm ... missing .. [cough] .. exi

Re: how to apply DSA-2157-1

2011-02-08 Thread Florian Weimer
* Edoardo Panfili: > Reading DSA-2157-1 I can see that I must upgrade to 8.4.7-0squeeze1 > but I can't find that package using > http://www.debian.org/distrib/packages or apt. 8.4.7-0squeeze2 packages are now available on security.debian.org for most architectures. The remaining architectures w

Re: [SECURITY] [DSA-2157-1] PostgreSQL security update

2011-02-04 Thread Florian Weimer
* Denis Feklushkin: > After upgrading postgresql 9.0 it is started to appear error > 'ERROR: XX000: cannot extract system attribute from virtual tuple' > in executing request in a trigger: Please file a bug in the BTS (especially as it affects sid only). I'm not sure if this is related to the s

Re: [SECURITY] [DSA 2122-2] New glibc packages fix privilege escalation

2011-01-14 Thread Florian Weimer
* Cyril Brulebois: >> Colin Watson discovered that the update for stable relased in >> DSA-2122-1 did not complete address the underlying security issue in > ↑ +ly > > I obeyed the Reply-To, but maybe one should mail another address to > get typos fixed in the web versi

Re: Bind security announce

2010-12-13 Thread Florian Weimer
* Account for Debian group mail: > On Fri, 10 Dec 2010, Florian Weimer wrote: > >> * Debian security: >> >>> Is there any plan to upgrade the bind version in debian to 9.6-ESV-R3 >>> which correct the bugs? >> >> There was a technical issue with th

Re: Bind security announce

2010-12-10 Thread Florian Weimer
* Debian security: > Is there any plan to upgrade the bind version in debian to 9.6-ESV-R3 > which correct the bugs? There was a technical issue with the update process, which has been resolved now. Updates will be released in due course.

Re: [SECURITY] [DSA 2122-1] New glibc packages fix local privilege escalation

2010-10-22 Thread Florian Weimer
* Florian Weimer: > For the stable distribution (lenny), this problem has been fixed in > version 2.7-18lenny6. > > For the upcoming stable distribution (squeeze), this problem has been > fixed in version 2.11.2-6+squeeze1 of the eglibc package. > > For the unstable dis

Re: CVE-2009-3555 not addressed in OpenSSL

2010-10-21 Thread Florian Weimer
* Simon Josefsson: > FWIW, the latest stable GnuTLS version with RFC 5746 support is not > even in testing, so it won't be part of even the next stable. What would be required to get a backport of RFC 5746 support into the current stable (considering that we do not want to incorporate too many un

Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities

2010-10-12 Thread Florian Weimer
* Michael Gilbert: > The problem here appears to be the jump to the new upstream version > (1.8.2 to 1.8.13), which has a different dependency set. The actual problem was that the dependency set was initially different (it included additional, incorrect dependencies). This was corrected, and upg

Re: [SECURITY] [DSA 2076-1] New gnupg2 packages fix potential code execution

2010-07-27 Thread Florian Weimer
* Florian Weimer: > For the stable distribution (lenny), this problem has been fixed in > version 2.0.9-3.1+lenny1. Hi, we're investigating an issue with the dissemination of the gnupg2 security update (and the recent DSA-2075-1 update for xulrunner) through the security

Re: [SECURITY] [DSA 2054-1] New bind9 packages fix cache poisoning

2010-06-08 Thread Florian Weimer
Two more issues with the update have been identified: Unexpected permissions on /etc/ssl/openssl.cnf causes OpenSSL and named to exit: (We can only try to detect this situation in BIND and print something to the log, it is not correctable i

Re: [SECURITY] [DSA 2054-1] New bind9 packages fix cache poisoning

2010-06-05 Thread Florian Weimer
* Florian Weimer: > This update is based on a new upstream version of BIND 9, 9.6-ESV-R1. > Because of the scope of changes, extra care is recommended when > installing the update. Due to ABI changes, new Debian packages are > included, and the update has to be installed using &qu

Re: jedit_4.3.1+dfsg-1_amd64.changes REJECTED

2010-04-03 Thread Florian Weimer
* Gabriele Giacone: > For example openjdk-6-source: source code is in both orig tarball and > openjdk-6-source binary package. This is a duplication, isn't it? First, the duplication refers to source packages. Second, openjdk-6-source is like the emacs*-el packages, it provides IDE navigation su

Re: Rails XSS hole

2010-01-31 Thread Florian Weimer
* Adam Majer: > I have prepared a package with the changes. The patch is attached > (patch1 - 1 line fix). One of the unit tests added in the security > patch exposes another bug in rails in stable. This bug can be easily > fixed via the 2nd patch (patch2, attached - 6 line fix). Is it > possible

Re: squirrelmail SA34627

2010-01-25 Thread Florian Weimer
* Adrian Minta: > Hi, > Does squirrelmail 1.4.15-4+lenny2 has fixes for SA34627 ? According to , it's still vulnerable.

Re: Xpdf Integer overflow

2009-10-17 Thread Florian Weimer
* Michael Gilbert: > On Fri, 16 Oct 2009 20:15:50 +0300, Henri Salo wrote: >> Is update for Xpdf-vulnerability coming soon for this issue: >> >> > > this issue was not disclosed responsibly Huh? Why do you think so? As far as I can see, a reasonab

Re: rootkit not found by rkhunter

2009-10-05 Thread Florian Weimer
* Noah Meyerhans: > AFAIK, the best way to know if you're running a stale kernel is to > compare the uptime of the machine against the mtime of the actual kernel > (using, e.g. "stat /boot/vmlinuz-2.6.26-2-686"). If the uptime of the > machine places the last reboot sometime before the kernel was

Re: [SECURITY] [DSA 1888-1] New openssl packages deprecate MD2 hash signatures

2009-09-15 Thread Florian Weimer
* Philipp Kern: > Those are Root CAs with MD2 signatures on them. This does not mean that they > use MD2 to sign others, of course. Are those an attack vector and ought those > to be dropped from the package? The attack vector requires a complete break of MD2. You'd take that published RSA-bas

Re: Debian and recent TCP vulnerability

2009-09-14 Thread Florian Weimer
* Mlor Apac: > What's the status of debian (and linux kernel in general) regarding this > recent TCP vulnerability? I have been unable to find any precise > information. Let's imagine a server that has publicly accessible tcp service > enabled (e.g. http). The actual set of issues impacting Linux

Re: Version Numbers in DSAs

2009-08-14 Thread Florian Weimer
* Alex Page: > I'm having a bit of trouble with version numbers reported in DSAs. We keep > our stable systems patched by updating against security.debian.org but > have an external audit process, which compares the versions of installed > packages with the versions reported as fixed in each DS

Re: Screensaver in KDE 4.2

2009-06-13 Thread Florian Weimer
* Boyd Stephen Smith, Jr.: > In <200906101232.13509.zarl...@gmx.at>, Johannes Zarl wrote: >>4) Screensaver/screen lock: >>For some reason, the screen lock doesn't activate the screensaver. I.e. >> when my screen is locked (either via Ctrl-Alt-L or via time-delay in the >> screensaver itself), once

Re: firewall critique

2009-05-07 Thread Florian Weimer
* Zachary Uram: > iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT You should restrict RELATED to ICMP. For TCP and UDP, RELATED can open up your internal network to the outside world (depending on what firewall helpers you have loaded).

Re: [DSA 1788-1] New quagga packages fix denial of service

2009-05-04 Thread Florian Weimer
* Florian Weimer: > Subject: Re: [DSA 1788-1] New quagga packages fix denial of service > > Debian Security Advisory DSA-1788-1 secur...@debian.org > http://www.debian.

Re: [SECURITY] [DSA 1772-1] New udev packages fix privilege escalation

2009-04-16 Thread Florian Weimer
* Dimitar Dobrev: > is the reboot mandatory after updating the udev package? No, the daemon is automatically restarted. In general, it's a good idea to reboot as soon as possible if you upgrade a package so deeply involved in the system boot process, so that if there is some regression, you noti

Re: [Secure-testing-team] Security support for volatile?

2009-03-13 Thread Florian Weimer
* Tom Furie: > On Fri, Mar 13, 2009 at 12:37:35PM +0100, Michael Tautschnig wrote: > >> I'm right now in the process of preparing an upload of clamav 0.95rc1; as >> such, >> the question is: where to upload to? unstable? volatile? Any of the other >> queues? > > Maybe I'm not quite clear on the c

Re: [Secure-testing-team] Security support for volatile?

2009-02-27 Thread Florian Weimer
* Kurt Roeckx: >> For ClamAV and ClamAV-derived packages, I'd prefer to see uploads of >> new upstream versions to stable-security or stable-proposed-updates >> (that is, remove it from volatile). > > I think one the reason why clamav is in volatile is that the engine > might need updating to dete

Re: [Secure-testing-team] Security support for volatile?

2009-02-22 Thread Florian Weimer
* Luk Claes: > Currently the security support for the volatile archive is supposed > to be taken care of by the uploaders of the respective packages. > > I think it would make sense to have someone or a team tracking > security issues for volatile. > > What do you think? Is anyone up to providing

Re: [SECURITY] [DSA 1719-1] New gnutls13 packages fix certificate validation

2009-02-16 Thread Florian Weimer
* Nicolas Boullis: >> You could try if recompiling gnutls13 with this patch >> >> >> >> enables your setup to work. > > I just built it; it seems to work fine. Thanks. >> However, it is unlikely that we will >> apply a similar ch

Re: [SECURITY] [DSA 1719-1] New gnutls13 packages fix certificate validation

2009-02-14 Thread Florian Weimer
* Thijs Kinkhorst: > On sneon 14 Febrewaris 2009, Florian Weimer wrote: >> > Our servers use commercial certificates, with "GTE CyberTrust Global >> > Root" as the root certificate. It apparently is a v1 x509 certificate... >> >> It's uses 1024

Re: [SECURITY] [DSA 1719-1] New gnutls13 packages fix certificate validation

2009-02-14 Thread Florian Weimer
* Nicolas Boullis: >> In addition, this update tightens the checks for X.509v1 certificates >> which causes GNUTLS to reject certain certificate chains it accepted >> before. (In certificate chain processing, GNUTLS does not recognize >> X.509v1 certificates as valid unless explicitly requested b

Re: Paper on potential security issues with the linux kernel PRNG

2009-02-14 Thread Florian Weimer
* Michael S. Gilbert: > I just came across a reference [1] on potential flaws in the linux ([1] is based on Linux 2.6.10.) > kernel PRNG (Pseudo-Random Number Generator). Does anyone know if > CVE's have been issued for these problems and/or whether they have been > fixed either upstream or in

Re: [SECURITY] [DSA 1708-1] New Git packages fix remote code execution

2009-01-19 Thread Florian Weimer
* Florian Weimer: > For the unstable distribution (sid) and testing distribution (lenny), > the remote shell command injection issue (CVE-2008-5516) has been fixed > in version 1.5.6-1. The other issue will be fixed soon. It turns out that both issues are fixed as of 1.5.6.5-2 (part

Re: Yet another list statistics for debian-security

2009-01-18 Thread Florian Weimer
* Andreas Tille: > Ups, the graph becomes quite sparse in the last years. I can > not really imagine that the reason should be that our software > became more secure. Is anybody out there who has an explanation > which does not come to the conclusion that we immediately should > try to strengthe

Preliminary statement on OpenSSL signature verification API misuse (CVE-2008-5077)

2009-01-08 Thread Florian Weimer
We are delaying the OpenSSL update because we want to make sure that we only have to release one update, and not two or more. There are some open questions surrounding the various advisories. As you might have noticed, the published information is somewhat inconsistent. Regarding the impact, not

Re: [SECURITY] [DSA 1694-1] New xterm packages fix remote code execution

2009-01-02 Thread Florian Weimer
* Peter Palfrader: > On Fri, 02 Jan 2009, Florian Weimer wrote: > >> As an additional precaution, this security update also disables font >> changing > > Is this really necessary? I use that feature a lot and I rely on it for > most of my desktop setup. What are

Re: "Certification Authorities are recommended to stop using MD5 altogether"

2008-12-31 Thread Florian Weimer
* Cristian Ionescu-Idbohrn: > I noticed around 20 certificates distributed with the package > ca-certificates have "Signature Algorithm: md5WithRSAEncryption". > Reason to worry? These are self-signatures and typically not checked anyway. When these CA certificates are used to issue other certif

Re: Currently no security updates for arm (hppa available again)

2008-12-21 Thread Florian Weimer
* Florian Weimer: > There is a temporary configuration issue on the hppa security build > daemon, which means that we cannot provide security updates for the > hppa architecture. We are working on a solution. > > I will post a follow-up once security support has been restored. h

Currently no security updates for hppa

2008-12-03 Thread Florian Weimer
There is a temporary configuration issue on the hppa security build daemon, which means that we cannot provide security updates for the hppa architecture. We are working on a solution. I will post a follow-up once security support has been restored.

Re: secure execution of drivers

2008-11-20 Thread Florian Weimer
* Michael Iatrou: > When the date was Wednesday 19 November 2008, Dani d wrote: > >> hello everybody. >>I recently had a problem with drivers of my pc. The driver of the wifi >> sometimes it hung and the last time it broke my entire reiserfs file >> system and badly I've been able to recover.

Re: md5 hashes used in security announcements

2008-10-25 Thread Florian Weimer
* Sjors Gielen: > Kees Cook wrote: >> Additionally, it doesn't matter -- it's just the md5 in the email >> announcement. The Release and Packages files for the archive have SHA1 >> and SHA256. The md5 from the announcement is almost not important, >> IMO -- no one should download files individua

Re: md5 hashes used in security announcements

2008-10-24 Thread Florian Weimer
* Raphael Geissert: > Yeah, but remember that the "bad" version must also be a valid .deb file with > something inside that does work; otherwise you may just be able to get some > random stuff with the same file size and md5 sum but without any use. These days, you can generate meaningful collisi

Re: md5 hashes used in security announcements

2008-10-24 Thread Florian Weimer
* Bas Steendijk: > i have sent an email a while ago about the security implications of > using MD5 hashes in the security announcements (DSA), but i didn't get > any reply at all from this. has it been overlooked? I don't know to which address you sent the address, so I don't know if it's been ov

Re: [SECURITY] [DSA 1659-1] New libspf2 packages fix potential remote code execution

2008-10-23 Thread Florian Weimer
* Florian Weimer: > Package: libspf2 > Vulnerability : buffer overflow > Problem type : remote > Debian-specific: no > CVE Id(s) : CVE-2008-2469 The missing update for the mips architecture will be provided as soon as it's ready.

Re: [SECURITY] [DSA 1638-1] New openssh packages fix denial of service

2008-09-16 Thread Florian Weimer
* Florian Weimer: > Debian-specific: no > It has been discovered that the signal handler implementing the login > timeout in Debian's version of the OpenSSH server uses functions which > are not async-signal-safe, leading to a denial of service > vulnerability (CVE-2008-41

Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

2008-08-11 Thread Florian Weimer
* Hideki Yamane: > On Sun, 10 Aug 2008 22:11:05 +0200 > Florian Weimer <[EMAIL PROTECTED]> wrote: >> The 2.6.24 >> kernel available since the last etch point release offers some >> protection as well. > > Umm? This is NEW information for me. Could you give m

Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

2008-08-10 Thread Florian Weimer
* Hideki Yamane: > On Wed, 09 Jul 2008 03:55:27 + > Nick Boyce <[EMAIL PROTECTED]> wrote: >> Also, which Debian systems would otherwise use the libc stub resolver ? >> All systems which *don't* have BIND installed ? > > I want to know that, too. > Should ALL systems (servers or desktops/l

Re: [CORRECTION] [SECURITY] [DSA 1628-1] New PowerDNS packages reduce DNS spoofing risk

2008-08-10 Thread Florian Weimer
* Florian Weimer: > Debian Security Advisory DSA-1628-1 [EMAIL PROTECTED] The subject line should read: Subject: [SECURITY] [DSA 1628-1] New PowerDNS packages reduce DNS spoofing risk Sorry about that.

Re: Tinydns - cache poisoning?

2008-07-29 Thread Florian Weimer
* Stephen Vaughan: > Does anyone know if TinyDNS is vulnerable to the dns cache poisoning > exploit? I run tinydns servers, I ran the test below and it came back as > POOR. tinydns as in djbdns? dnscache (the iterative resolver component of djbdns) uses source port randomization, so no code chan

Re: DNS Cache poisoning and pdnsd

2008-07-25 Thread Florian Weimer
* Kapil Hari Paranjape: > According to the following URL Dan Kaminsky's cat's whiskers may already > be out of the bag[*] and source port randomisation may not be enough. Most announcements indicated that source port randomization is only a band-aid, hopefully deployable in the short, and not a l

Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning

2008-07-22 Thread Florian Weimer
* Carlos Carvalho: > >Note that using --random with a patched resolver (one that uses stronger > >random numbers for source ports) makes it vulnerable again. By default, > >Netfilter tries to preserve source ports, so its NAT does not destroy > >the effort put into BIND et al. > > Really? Thi

Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning

2008-07-20 Thread Florian Weimer
* Vincent Deffontaines: > One solution is to let another device do the port randomization, to > protect your DNS clients. This is correct, but the device needs to know about the DNS protocol, so that it ties QNAME/QCLASS/QTYPE and transaction ID and source port to a particular request. > If you

Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning

2008-07-20 Thread Florian Weimer
* John Elliot: > Hi, We have a couple of Sarge servers running bind9 (9.2.4-1sarge3) > that appear to be vulnerable to the DNS cache poisoning issue (Looks > like port randomization was only introduced in bind9.3?) - As the > servers cannot be upgraded at this time to etch, what is the > recommended

Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

2008-07-11 Thread Florian Weimer
* Joey Hess: > IIRC Dan Kaminsky has been suggesting using opendns, which has fixed > servers, if your ISPs server is not fixed. Won't using a third-party DNS > server defeat any filtering your ISP does on their network, and allow the > stub resolver to be spoofed? I disagree with this recommenda

Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

2008-07-10 Thread Florian Weimer
* Noah Meyerhans: > On Wed, Jul 09, 2008 at 06:10:51PM +0200, Wolfgang Jeltsch wrote: >> > At this time, it is not possible to implement the recommended >> > countermeasures in the GNU libc stub resolver. >> >> I don't have bind9 installed. Am I affected by the libc stub resolver bug? > > Yes.

Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

2008-07-10 Thread Florian Weimer
* Henrique de Moraes Holschuh: > 3. Install lwresd from an updated BIND9, install libnss-lwres, and replace > "dns" with "lwres" in /etc/nsswitch.conf. Make sure to restart lwres when > /etc/resolv.conf changes. lwresd is far less tested than BIND, and tweaking the NSS configuration is somethin

Re: DNS Cache poisoning and pdnsd

2008-07-09 Thread Florian Weimer
* Pierre Habouzit: > And the code matches the documentation. And yes a new socket is used for each > request if that matters. But it seems to use a weak PRNG (random from libc).

Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

2008-07-08 Thread Florian Weimer
* Mert Dirik: >> PowerDNS is not available on all architectures, and Unbound and tinydns >> are not part of etch. >> >> So it's lack of alternatives, more or less. > I don't really know much about these things but can't maradns MaraDNS could be used, I think. However, I'm not familiar with tha
