On Sun, 4 Oct 2009 10:15:35 -0400 Thomas Krichel wrote:
kric...@fricka:~/a$ chmod 777 a
kric...@fricka:~/a$ ./a
r...@fricka:~/a#
...
kric...@chichek:~/a$ chmod 777 a
kric...@chichek:~/a$ ./a
mmap: Permission denied
this looks like a standard privilege escalation (not a rootkit). it appears
On Sun, 4 Oct 2009 11:44:52 -0400 Thomas Krichel wrote:
It looks like the affected machines run older kernels, so
I will follow your advice and upgrade.
i forgot to mention that 'uname -r' won't actually tell you whether you
are running the most up-to-date debian kernel. to do that, look
On Sun, 4 Oct 2009 12:10:04 -0400 Thomas Krichel wrote:
Michael S Gilbert writes
'apt-get update && apt-get upgrade' followed by a reboot into the new
kernel should bring you up to date.
Since I just downloaded the kernel last week I did not really
believe your advice but I have
On Sun, 13 Sep 2009 21:06:59 +0200 Pascal Stumpf wrote:
Hi,
In the recently published Firefox update (3.0.14), several security
vulnerabilities have been fixed. Now, since obviously Debian doesn’t include
new upstream releases in stable (3.0.14 was accepted in unstable though), I was
On Thu, 20 Aug 2009 15:24:59 +0200, Francesco Poli wrote:
Hi everyone!
There seems to be no tracker page for DSA-1870-1 [1].
Please add it by hand, if the automatic mechanism failed.
done.
--
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org
with a subject of
On 18 Aug 2009 10:54:04 GMT, Harald Weidner wrote:
Hello,
Michael S. Gilbert michael.s.gilb...@gmail.com:
Will there also be a fix for etch's 2.6.18 kernel?
yes, dsa-1865 was issued for etch's 2.6.18 yesterday.
Thank you.
I was confused because the 2.6.18 fix was not mentioned
On 17 Aug 2009 14:20:24 GMT, Harald Weidner wrote:
Hello,
dann frazier da...@dannf.org:
The previous fix was for lenny's 2.6.26 kernel. This fix is for etch's
2.6.24 kernel.
Will there also be a fix for etch's 2.6.18 kernel?
yes, dsa-1865 was issued for etch's 2.6.18 yesterday.
mike
On Mon, 17 Aug 2009 15:36:57 +0200, Jan de Groot wrote:
On Fri, 2009-08-14 at 13:31 -0600, dann frazier wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --
Debian Security Advisory DSA-1862-1
On Fri, Aug 14, 2009 at 4:02 PM, Florian Weimerf...@deneb.enyo.de wrote:
* Michael S. Gilbert:
On Fri, 14 Aug 2009 00:58:46 +0200 Francesco Poli wrote:
Hi all!
I cannot yet find any tracker page for DSA-1861-1 [1].
Please add it by hand, if the automatic mechanism failed somehow.
done
On Fri, 14 Aug 2009 00:58:46 +0200 Francesco Poli wrote:
Hi all!
I cannot yet find any tracker page for DSA-1861-1 [1].
Please add it by hand, if the automatic mechanism failed somehow.
done.
On Mon, 10 Aug 2009 20:24:10 +0200, Nico Golde wrote:
Hi,
* Michael S. Gilbert michael.s.gilb...@gmail.com [2009-08-10 20:18]:
On Mon, 10 Aug 2009 18:09:16 +, Nico Golde wrote:
[...]
-CVE-2009-2414
+CVE-2009-2414 [libxml2 stack recursion]
RESERVED
+ - libxml2 unfixed
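Review bot: the added entry carries only the "[libxml2 stack recursion]" description and the "- libxml2 unfixed" package line, with no NOTE or bug reference saying where the description comes from; since the CVE is still shown as RESERVED in the context line, a NOTE with the upstream report or bug link would let later triagers verify the issue and track the fix.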
On Wed, 29 Jul 2009 22:00:46 +0200, Francesco Poli wrote:
Hi all!
I found another vulnerability in the tracker that shows up as fixed in
lenny, and as unfixed in squeeze, despite the package version is the
*same* in the two branches.
On Tue, 7 Jul 2009 19:51:16 +0200, Francesco Poli wrote:
Well, if I see correctly, by plenty you mean 5:
http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=linux-2.6&archive=no&pend-exc=pending-fixed&pend-exc=fixed&pend-exc=done&sev-inc=critical&sev-inc=grave&sev-inc=serious&repeatmerged=no
Moreover,
On 7/5/09, Francesco Poli wrote:
http://security-tracker.debian.net/tracker/CVE-2009-0834
commit 8776fc989b070d4a323793502365acae6851d936
applied to upstream version 2.6.28.8
see http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.8
fix present in upstream version 2.6.30: yes
On 7/5/09, Francesco Poli wrote:
http://security-tracker.debian.net/tracker/CVE-2007-6514
commit ???
applied to upstream version ???
see ???
fix present in upstream version 2.6.30: I don't know
help! the CVE mitre page does not link to any fix, it seems
the attack vector for this one is
On Sat, 4 Jul 2009 17:33:08 +0200 Francesco Poli wrote:
I was going to file an RC bug against linux-2.6 for the following 7
vulnerabilities that are fixed in testing, but not in unstable,
according to the security tracker:
http://security-tracker.debian.net/tracker/CVE-2009-1758
On Sat, 4 Jul 2009 16:34:56 +0200 Francesco Poli wrote:
I think I found another little inconsistency between a DSA and the
security tracker.
DSA-1825-1 [1] claims that CVE-2009-2288 is fixed in old stable by
nagios2/2.6-2+etch3, the DSA tracker page [2] agrees, but the CVE
tracker page [3]
On Fri, 3 Jul 2009 22:52:35 +0200 Francesco Poli wrote:
the issue is not necessarily manpower itself, but rather the value of
volunteers' time. it makes little sense to duplicate work for testing
and unstable when unstable will eventually overwrite testing.
The same reasoning (on a larger
On Tue, 30 Jun 2009 01:12:44 +0200, Francesco Poli wrote:
How can we make sure that those Debian patches, as long as they are
still needed, are retained for new upstream versions, when they are
packaged?
this is mostly a matter of trusting the maintainer to do the requisite
background work
On Thu, 02 Jul 2009 19:11:24 +0200, Laurent Bonnaud wrote:
Hi,
I was looking at this security issue:
http://security-tracker.debian.net/tracker/CVE-2009-1192
and noticed that linux 2.6.30 is marked as vulnerable, whereas a patch
exists:
On 6/28/09, Francesco Poli wrote:
BTW, since a point release was issued yesterday, I've just seen the
stable-update -- testing,unstable migration happen for a number of
packages (including linux-2.6).
This caused a number of new same versions, different status
inconsistencies in the tracker:
On Mon, 29 Jun 2009 20:14:59 +0200, Francesco Poli wrote:
Great!
Only
http://security-tracker.debian.net/tracker/CVE-2009-1392
http://security-tracker.debian.net/tracker/CVE-2009-0146
seem to be unfixed, now.
should be fixed now.
As far as sid is concerned, I think vulnerabilities
On Sat, 20 Jun 2009 00:35:28 +0200 Francesco Poli wrote:
You seem to say: since testing is not officially supported, there's no
reason to do *anything* that would improve its security.
What's next step, then? Intentionally introduce vulnerabilities into
testing, since it's not officially
On Fri, 19 Jun 2009 20:17:18 +0200, Francesco Poli wrote:
I am aware of this distinction, I just considered the start of (more or
less) regular DTSA publishing as a sign of Debian Testing Security team
activity on the testing suite.
Having a (more or less regular) DTSA flow is certainly not
On Wed, 10 Jun 2009 00:47:08 +0200, Francesco Poli wrote:
this would be nice, but it is usually a short timeframe for which there
exist testing and stable versions that match. i think it will
always have to be a manual process involving DTSAs.
Short time frame?
I still see cases where
On Mon, 8 Jun 2009 08:36:35 -0700, john wrote:
Hi all,
Is there an announce list for the updates to the Main repository or
are packages just added there and end-users find out when they do
apt-get update? For example I see that there's an update to libsasl2
and libsasl2-2. I can't find any
On Tue, 12 May 2009 13:54:10 +0100, Dominic Hargreaves wrote:
Hi,
I wondered if any fix is likely to be available for CVE-2008-5519
(information disclosure, looks potentially quite severe) any time
soon or if any more help is needed?
hi,
no one has claimed this (that i've seen), and the
On Sat, 9 May 2009 17:31:11 +0200 Francesco Poli wrote:
Hi everyone!
DSA-1789-1 [1] claims that all the mentioned CVEs are fixed in
php5/5.2.9.dfsg.1-1 for sid.
All tracker pages for the mentioned CVEs seem to be consistent, except
for the one for CVE-2008-5814 [2], which claims that sid is
On Wed, 06 May 2009 20:36:24 +0200, Florian Weimer wrote:
* Michael S. Gilbert:
is there any way to do a better job of tracking these non-CVEified
issues? for example, there is currently no tracking information for
unstable in the CVE list for either of these issues; and no way to link
hello all,
what is the correct way to track not-affected issues so that they stay
connected to the bug number in the security tracker? once i changed the
ntop issue to not-affected, it got disconnected from the bug number.
see [1].
thanks,
mike
[1]
On Sun, 19 Apr 2009 17:05:14 -0400 Michael S. Gilbert wrote:
hence, i think the following would be a good process for ubuntu
security triagers:
1. triage issue in ubuntu
2. check status of CVE in debian (debsecan could be used for this)
3. submit bug report to launchpad (with link
On Sat, 18 Apr 2009 17:01:36 +0200 Nico Golde wrote:
* Kees Cook [2009-04-17 18:38]:
On Fri, Apr 17, 2009 at 10:57:38AM -0400, Michael S. Gilbert wrote:
On Fri, 17 Apr 2009 11:30:19 +0200, Nico Golde wrote:
* Kees Cook [2009-04-17 09:59]:
Author: kees
Date: 2009-04-17 01:25:52
On Fri, 17 Apr 2009 08:43:27 -0700 Kees Cook wrote:
On Fri, Apr 17, 2009 at 09:48:47AM -0400, Michael S. Gilbert wrote:
i have one request to improve the process: please submit a 'NOTE' with
a link to the ubuntu patch whenever you issue a fix that hasn't been
issued by debian yet
On Fri, 17 Apr 2009 22:14:24 +0200 Francesco Poli wrote:
Hi everyone,
DSA-1771-1 [1] was issued back on Wednesday, and the corresponding
tracker page [2] was created.
I think there are a few inconsistencies, though.
The DSA refers to two CVEs [3][4] and to one further vulnerability with
On Thu, 16 Apr 2009 23:40:00 -0700, Kees Cook wrote:
Hi Michael,
On Thu, Apr 16, 2009 at 11:10:38PM -0400, Michael S. Gilbert wrote:
would it make sense to integrate ubuntu's security tracker with
debian's, especially since the two distros are so closely related?
for example, [intrepid
would it make sense to integrate ubuntu's security tracker with
debian's, especially since the two distros are so closely related?
for example, [intrepid]/[jaunty] tags could be used to track
ubuntu-specific issues within the debian tracker.
this would greatly reduce duplication of effort and
On Fri, 10 Apr 2009 18:15:06 +0200 sean finney sean...@debian.org wrote:
hi guys,
On Fri, Apr 10, 2009 at 02:27:46PM +0200, Nico Golde wrote:
I ask because I recently submitted a bug on php5 and got pushback from
the maintainer saying that I should not have submitted multiple
Hello,
What is the modus operandi for submitting multiple CVEs in the same bug
report?
I ask because I recently submitted a bug on php5 and got pushback from
the maintainer saying that I should not have submitted multiple
vulnerabilities in one report [1].
From my perspective, being able to
On Thu, 2 Apr 2009 10:59:10 +0200, Thijs Kinkhorst wrote:
On Wed, April 1, 2009 22:00, Michael S. Gilbert wrote:
Even though it's not always daily, this is still a significant
improvement over previous years, in which updates would occur once a week
or less. For the CVE data updates, our
On Wed, 1 Apr 2009 20:03:18 +0200, Francesco Poli wrote:
I can confirm that DSA-1755-1 now seems to be correctly tracked (except
for etch status: the DSA claims that etch is not affected, but the
tracker says that etch is vulnerable...).
fixed.
On the other hand, DSA-1758-1 refers to a CVE
On Wed, 1 Apr 2009, Michael S. Gilbert wrote:
like i said, this gets pulled in automatically from the Mitre database,
and there really isn't anything debian can do about their tardiness.
fyi, i asked the following question to Mitre:
The CVE pages and feeds on Mitre's site are very tardy
On Mon, 30 Mar 2009 19:04:10 +0200, Thijs Kinkhorst wrote:
there are a couple DSAs missing from the security tracker. DSA-1753 is
the end of life for iceweasel, should any kind of note be made for
that in the tracker?
I don't think so, as there are no issues that entry would mark as
On Mon, 30 Mar 2009 20:07:08 +0200, Thijs Kinkhorst wrote:
I don't think we've encountered this misimpression in past occurrences, so I
don't think such a solution would solve a real problem.
from what i can gather, this is the first time (ever) that a DSA has
been issued without including a
On Mon, 30 Mar 2009 15:10:07 -0400, Michael S. Gilbert wrote:
from what i can gather, this is the first time (ever) that a DSA has
been issued without including a set of fixed packages, so there is no
precedent...yet.
i did a little more work and found that dsa-1529, dsa-1604, and dsa-1605
On Mon, 30 Mar 2009 23:46:10 +0200, Francesco Poli wrote:
Hi.
DSA-1756-1 and DSA-1757-1 have been recently issued, but no
corresponding tracker page is present yet.
What happened to the automatic creation of DSA tracker pages?
this is a good question. what triggers generation of these
I submitted the recent application launcher issues into the tracker with
medium urgency, and the severity was subsequently reduced to low. I
had followed the categorization guidelines [1], and medium seemed like
a better fit since malicious code execution is possible with user
interaction:
I just came across a reference [1] on potential flaws in the linux
kernel PRNG (Pseudo-Random Number Generator). Does anyone know if
CVEs have been issued for these problems and/or whether they have been
fixed either upstream or in debian? If not, someone should issue
requests for CVEs.
A lot of you have probably seen some of the recent coverage about the
potential avenue for exploits via kde and gnome application launchers
(it looks like xfce is safe, for now) [1],[2],[3]. Is there any plan
within debian to begin addressing these concerns? Where do I even
start reporting bugs