Re: Gaps in security coverage?

2018-11-05 Thread John Goerzen
On Tue, Nov 06 2018, Paul Wise wrote: > On Mon, Nov 5, 2018 at 10:29 PM John Goerzen wrote: > >> Hi folks, > > FTR, in case you were trying to contact the Debian Security Team > directly I suggest using secur...@debian.org or > t...@security.debian.org instead, debi

Gaps in security coverage?

2018-11-05 Thread John Goerzen
Hi folks, So I recently started running debsecan on one of my boxes. It's a fairly barebones server install, uses unattended-upgrades and is fully up-to-date. I expected a clean bill of health, but didn't get that. I got pages and pages and pages of output. Some of it (especially kernel relate

Re: Should we be alarmed at our state of security support?

2015-02-20 Thread John Goerzen
On 02/19/2015 05:31 PM, Paul Wise wrote: > On Fri, Feb 20, 2015 at 12:40 AM, John Goerzen wrote: > >> Right now, the security tracker has, apparently, three status for each >> version of Debian: >> >> not vulnerable >> vulnerable >> fixed >> &g

Re: Should we be alarmed at our state of security support?

2015-02-19 Thread John Goerzen
On 02/19/2015 08:24 AM, Michael Stone wrote: > On Thu, Feb 19, 2015 at 07:29:29AM -0600, John Goerzen wrote: >> However, part of what I was trying to figure out here is: do we have a >> lot of unpatched vulnerabilities in our archive? > > Yes. Every system (not just

Re: Should we be alarmed at our state of security support?

2015-02-19 Thread John Goerzen
On 02/19/2015 12:25 AM, Michael Gilbert wrote: > On Wed, Feb 18, 2015 at 9:11 AM, John Goerzen wrote: >> On this machine, it found 472 vulnerabilities. Quite a few of them fit >> into the remotely exploitable, high urgency category. Many date back to >> last year, some as fa

Re: Should we be alarmed at our state of security support?

2015-02-18 Thread John Goerzen
On 02/18/2015 08:44 AM, Thijs Kinkhorst wrote: > Yes, we know about those issues. That's why debsecan reports them to you > in the first place. A good place to learn more about an issue is to > actually follow the links you pasted at the bottom of your email. There > you can e.g. see a motivation f

Re: Missing tiff3 patch in security repo

2015-02-18 Thread John Goerzen
On 02/18/2015 08:53 AM, Thijs Kinkhorst wrote: > Hi John, > > On Wed, February 18, 2015 14:51, John Goerzen wrote: >> CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page... >> <http://security-tracker.debian.org/tracker/CVE-2013-1961> >> - lib

Should we be alarmed at our state of security support?

2015-02-18 Thread John Goerzen
Hi folks, So I recently downloaded and installed debsecan on several of my machines. These are all fully up-to-date machines, running either wheezy or jessie. For now I'll just focus on wheezy since it's where our security focus should go. On this machine, it found 472 vulnerabilities. Quite a

Missing tiff3 patch in security repo

2015-02-18 Thread John Goerzen
Hi folks, I've been going through the output of debsecan on my systems (more on that later). For the moment, I have discovered something odd regarding a tiff advisory. Debsecan noted this on my wheezy machine: CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page...

Re: Debian Live CD - unsecured ssh open by default

2015-02-01 Thread John Goerzen
Great news, thanks! On 01/31/2015 07:01 PM, Evgeny Kapun wrote: > This should be fixed in the latest version. See > https://bugs.debian.org/741678. > > On 01.02.2015 03:09, John Goerzen wrote: >> Hello, >> >> A friend of mine pointed out to me recently that the Deb

Debian Live CD - unsecured ssh open by default

2015-01-31 Thread John Goerzen
Hello, A friend of mine pointed out to me recently that the Debian Live CD has ssh open to the network by default, and the "user" account -- which has passwordless sudo to root privileges -- has a password that is well-known and easily found via Google. This poses some nasty surprises for people

libapache2-mod-fcgid in lenny vulnerable to hole for weeks

2010-12-21 Thread John Goerzen
but AFAICT there are, as yet, no new packages. This is not an attack on any person/team, just a question about whether we have an organizational problem we need to correct. Thanks, -- John Goerzen -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsub

Re: Linux infected ?

2009-01-29 Thread John Goerzen
On Thu, Jan 29, 2009 at 09:04:46AM -0200, Eduardo M KALINOWSKI wrote: > Rodrigo Hashimoto wrote: > > Hi, > > > > I received a file via e-mail and tried to open it, then the iceweasel > > did nothing. I tried again and I realized the iceweasel was trying to > > use the "wine" to open a file ".com".

Re: What's going on with advisory for phpmyadmin?

2005-10-28 Thread John Goerzen
On Fri, Oct 28, 2005 at 04:26:43PM +0100, Steve Kemp wrote: > > This seems to be a very frequent problem going on for awhile now. > > > > Could someone from the security team comment on what the problem is? > > The problem is that we receive a lot of reports, each of which may > involve a sign

Re: What's going on with advisory for phpmyadmin?

2005-10-28 Thread John Goerzen
On Fri, Oct 28, 2005 at 04:42:31PM +0200, Piotr Roszatycki wrote: > Why my report was ignored? I've reported the problem 3 days ago and I had no > reply. This seems to be a very frequent problem going on for awhile now. Could someone from the security team comment on what the problem is? -- T

Re: Please allow drupal 4.5.3-1

2005-06-03 Thread John Goerzen
On Fri, Jun 03, 2005 at 10:56:47AM +0200, Hilko Bengen wrote: > Steve Langasek <[EMAIL PROTECTED]> writes: > > So, you are not accepting my drupal_4.5.3-1 (or -2) package into sarge > because 4.5.3 fixes more than cited security issue? Why are you not using the simple patch available at http://dr

Re: Richtig swappen

2005-01-28 Thread John Goerzen
On Fri, Jan 28, 2005 at 10:46:24AM +0100, martin f krafft wrote: > also sprach Demonen <[EMAIL PROTECTED]> [2005.01.28.1036 +0100]: > > Stop the german. > > Ha! Naturlich! Nodingkt kan stop ze German! I feel a call to "dict blinkenlights" coming on... -- To UNSUBSCRIBE, email to [EMAIL PROTECT

Re: Fwd: Re: [ox-en] Walther

2004-02-25 Thread John Goerzen
On Wed, Feb 25, 2004 at 06:50:50PM +0200, Martin Hardie wrote: > the difference is guys is that Debian and free software professes to be based > upon a community and a community that believes in sharing and respect and > thus must have the guts to move beyond the inane ... no discrimination > sta

Re: Fwd: Re: [ox-en] Walther

2004-02-25 Thread John Goerzen
On Wed, Feb 25, 2004 at 06:02:22PM +0200, Martin Hardie wrote: > so the use of debian products for racist work is ok for debian Yes, it is. Our Debian Free Software Guidelines enforce a mandate of no discrimination. Software included in Debian does not discriminate on people based on their

Re: Which Distro?

2004-02-06 Thread John Goerzen
Hum, this message was also sent to ipv6. It looks like it may be some sort of spammer or something... apparently its HTML part is strange... On Fri, Feb 06, 2004 at 06:08:47AM -, K.K. Senthil Velan wrote: > Hello all, > I am new to Debian & this great community. Now I am working a

Re: More hacked servers?

2003-11-25 Thread John Goerzen
On Sun, Nov 23, 2003 at 01:09:27AM -0500, Jim Hubbard wrote: > After the Linux kernel server got hacked a few weeks ago, and now this > successful attack at Debian, my confidence is shaken. I hope we'll see full I'm curious: why would this serve to shake your confidence? -- John

Re: Firewall Informer

2003-02-23 Thread John Goerzen
On Sun, Feb 23, 2003 at 05:47:18PM -, Matt Foster wrote: > Just to let you know Firewall Informer transmits network traffic between two > network cards on a standard windows PC, this allows So why would you be bothering us with some piece of crap that requires us to install the non-free Windo

Re: Removing stupid HTTP methods from Apache

2002-12-03 Thread John Goerzen
This is what people suggest for Subversion: AuthType Basic AuthName "Subversion repository" AuthUserFile /usr/local/etc/apache2/svn-pass Require valid-user DAV svn SVNPath /var/svn/

Re: Good Day -- RR and rbl

2002-07-02 Thread John Goerzen
Ironically enough, Rafael's server rejected my message for the sole reason that Savvis broke reverse DNS for the colo facility my box is at 2 weeks ago and has been slow to fix it. Shows you right away why these restrictions are bad. -- John Goerzen <[EMAIL P

Re: Good Day -- RR and rbl

2002-07-02 Thread John Goerzen
On Tue, Jul 02, 2002 at 12:13:30PM -0700, Rafael wrote: > > It sure will, but being this the security list, let's say someone > > found a root crack in let's say, the inetd server. And their post > > gets thrown out because no RR. Hmmm, no one gets warned and some > > worm starts going around and

Re: unsubscribe

2002-06-26 Thread John Goerzen
EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > -- John Goerzen <[EMAIL PROTECTED]>GPG: 0x8A1D9A1Fwww.complete.org -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Package/Mirror integrity?

2001-05-07 Thread John Goerzen
oo) debsig-verify: Ben Collins debsigs: John Goerzen dpkg patches: John Goerzen apt-checksigs: Branden Robinson integration testing: Branden Robinson and the Progeny QA team Hope this helps! -- John Goerzen <[EMAIL PROTECTED]> www.complete.org Sr. Software Developer,
