On Mon, 29 Aug 2016 23:39:01 +0100 Lisi Reisz sent:
> On Monday 29 August 2016 22:44:52 deloptes wrote:
> > Crazy but fact. IMHO people try to convince themselves it will never
> > happen (to them). I would like to know why and how one could deal
> > with such a line of argumentation.
>
> You
On Monday 29 August 2016 22:44:52 deloptes wrote:
> Crazy but fact. IMHO people try to convince themselves it will never happen
> (to them). I would like to know why and how one could deal with such a line
> of argumentation.
You can't. I live with it! I now just say: please, please, please, if you
Perry E. Metzger wrote:
> I don't get why everyone wants to argue that a problem that is known
> to be bad and is fixed in the kernel versions released by the kernel
> maintainers should be ignored.
I'm asking myself the same, but I'm not a psychotherapist to be able to
answer.
For instance a
On Mon, 29 Aug 2016 19:30:11 +0200 "Thomas Schmitt"
wrote:
> Hi,
>
> Gene Heskett wrote:
> > Normally security things are pushed right on thru particularly
> > when they are a one file changed in the whole kernel source
> > tree. Why not this time?
>
> I guess because it
Hi,
Gene Heskett wrote:
> Normally security things are pushed right on thru particularly
> when they are a one file changed in the whole kernel source tree. Why
> not this time?
I guess because it is easy to work around
https://access.redhat.com/security/vulnerabilities/challengeack
and
On Monday 29 August 2016 12:11:27 Perry E. Metzger wrote:
> On Mon, 29 Aug 2016 11:55:03 +0100 Tixy wrote:
> > On Sun, 2016-08-28 at 15:36 -0400, Perry E. Metzger wrote:
> > > On Sun, 28 Aug 2016 14:35:01 +0200 Frederic Marchal
> >
> > [...]
> >
> > > > Even if the requirements
On Mon, 29 Aug 2016 07:25:42 +0200 Salvatore Bonaccorso
wrote:
> The issue is already been worked on by Ben for all versions in sid,
> jessie (and wheezy lts):
>
> sid:
> https://anonscm.debian.org/cgit/kernel/linux.git/commit/?h=sid=7184d7bfd94443b6403d71da639ec390224af594
>
On Mon, 29 Aug 2016 11:55:03 +0100 Tixy wrote:
> On Sun, 2016-08-28 at 15:36 -0400, Perry E. Metzger wrote:
> > On Sun, 28 Aug 2016 14:35:01 +0200 Frederic Marchal
> [...]
> > >
> > > Even if the requirements are met, the attack fails if the
> > > client is protected by a
On Sun, 2016-08-28 at 15:36 -0400, Perry E. Metzger wrote:
> On Sun, 28 Aug 2016 14:35:01 +0200 Frederic Marchal
[...]
> >
> > Even if the requirements are met, the attack fails if the client is
> > protected by a stateful firewall (either on a NAT router, modem or
> > computer).
>
> So
Hi,
On Mon, Aug 29, 2016 at 01:08:45AM -0400, Neal P. Murphy wrote:
> On Mon, 29 Aug 2016 03:43:15 +
> Mark Fletcher wrote:
>
> > Version 4.7 of the kernel contains a fix, which only required changes to
> > one source file, so I assume it's a question of back porting
On Mon, 29 Aug 2016 03:43:15 +
Mark Fletcher wrote:
> Version 4.7 of the kernel contains a fix, which only required changes to
> one source file, so I assume it's a question of back porting that fix into
> the Jessie version of the kernel. I might take a look at trying
On Mon, 29 Aug 2016 at 10:21, Neal P. Murphy
wrote:
> On Sun, 28 Aug 2016 14:35:01 +0200
> Frederic Marchal wrote:
>
> > The attack is also useless if the attacker can't spoof the source IP
> > address. Routers in corporate
On Sun, 28 Aug 2016 14:35:01 +0200
Frederic Marchal wrote:
> The attack is also useless if the attacker can't spoof the source IP
> address. Routers in corporate environments usually block this by design or
> due to VLAN. For that reason, the attack can't
Perry E. Metzger wrote:
> The hole needs to be fixed.
AMEN
On Sun, 28 Aug 2016 14:35:01 +0200 Frederic Marchal
wrote:
> The requirements are:
>
> * TCP connection,
> * long-lived,
> * unencrypted,
> * long silences.
>
> I'll add that the protocol must allow the server to initiate data
> sending with only one packet
On Friday 26 August 2016 23:11:23 Perry E. Metzger wrote:
> On Fri, 26 Aug 2016 21:06:15 +0200 Frederic Marchal
>
> wrote:
> > On Friday 26 August 2016 11:04:04 Perry E. Metzger wrote:
> > > According to:
> > >
> > >
"John T. Haggerty" writes:
> On Fri, Aug 26, 2016 at 9:11 PM, Perry E. Metzger
> wrote:
>
> On Fri, 26 Aug 2016 21:06:15 +0200 Frederic Marchal
> wrote:
>
> > The download must be long
> > enough (more
On Fri, Aug 26, 2016 at 9:11 PM, Perry E. Metzger
wrote:
> On Fri, 26 Aug 2016 21:06:15 +0200 Frederic Marchal
> wrote:
> > On Friday 26 August 2016 11:04:04 Perry E. Metzger wrote:
> > > According to:
> > >
> > >
On Fri, 26 Aug 2016 21:06:15 +0200 Frederic Marchal
wrote:
> On Friday 26 August 2016 11:04:04 Perry E. Metzger wrote:
> > According to:
> >
> > https://security-tracker.debian.org/tracker/CVE-2016-5696
> >
> > Wheezy and Jessie are still vulnerable. The
On Friday 26 August 2016 11:04:04 Perry E. Metzger wrote:
> According to:
>
> https://security-tracker.debian.org/tracker/CVE-2016-5696
>
> Wheezy and Jessie are still vulnerable. The attack in question is
> kind of bad (it allows blind injection of arbitrary data into
> things like http
On Fri, 26 Aug 2016 17:34:39 +0100 Lisi Reisz
wrote:
> The "fix" seems not to have been dealt with yet, but the list has
> published a workaround at some length in this thread:
Updated kernels have been announced and released by the kernel folks
at this point. (See, for
On Friday 26 August 2016 16:13:09 Mark Fletcher wrote:
> On Sat, Aug 27, 2016 at 12:04 AM Perry E. Metzger
>
> wrote:
> > According to:
> >
> > https://security-tracker.debian.org/tracker/CVE-2016-5696
> >
> > Wheezy and Jessie are still vulnerable. The attack in question is
>
On Sat, Aug 27, 2016 at 12:04 AM Perry E. Metzger
wrote:
> According to:
>
> https://security-tracker.debian.org/tracker/CVE-2016-5696
>
> Wheezy and Jessie are still vulnerable. The attack in question is
> kind of bad (it allows blind injection of arbitrary data into
>
According to:
https://security-tracker.debian.org/tracker/CVE-2016-5696
Wheezy and Jessie are still vulnerable. The attack in question is
kind of bad (it allows blind injection of arbitrary data into
things like http downloads) and has been known for a few weeks now to
the general public.
Any