Re: security updates?

2001-01-15 Thread ktb
On Mon, Jan 15, 2001 at 12:13:13PM -0300, Felipe Alvarez Harnecker wrote: Hi, doing an apt-get -u dist-upgrade appears libc6*, locales as new packages in security.debian.org but no advice was mailed nor published in security.debian.org. So are they real or someone has hacked

Re: security updates?

2001-01-15 Thread Ruben Leote Mendes
Hello Felipe, On Mon, Jan 15, 2001 at 12:13:13PM -0300, Felipe Alvarez Harnecker wrote: doing an apt-get -u dist-upgrade appears libc6*, locales as new packages in security.debian.org but no advice was mailed nor published in security.debian.org. So are they real or someone has hacked

Re: security updates?

2001-01-15 Thread Ethan Benson
On Mon, Jan 15, 2001 at 11:08:19PM +, Ruben Leote Mendes wrote: I think the new packages solve the problems mentioned in a recent thread in debian-security: http://lists.debian.org/debian-security-0101/msg00011.html Anyone confirms this? no, that is a glibc 2.2 specific problem, a

RE: security issues

2001-01-10 Thread Jason Mogavero
Glenn, Yes, Maximum Linux Security is a very good compilation of Linux network security info. I read that book after being in the network security biz for a couple years and still learned quite a bit. www.linuxsecurity.com is also a very good online resource. They have some fantastic

Re: security issues

2001-01-10 Thread Noah L. Meyerhans
Well, you could always subscribe to debian-security and debian-security-announce@lists.debian.org, if you haven't already. Just lurking on those lists will keep you up to date on current security trends. The people there are generally pretty good about answering on-topic questions as well. noah

Re: security question: running a public ftp server

2000-12-16 Thread Henry House
On Sat, Dec 16, 2000 at 12:09:22AM -0800, Peter Jay Salzman wrote: can someone point me to documentation specifically aimed at beefing up security of ftp and apache? everything is behind an LRP (linux router project) firewall, so i'm pretty secure otherwise. i let hardly anything in or out,

Re: Security

2000-11-08 Thread kmself
on Tue, Nov 07, 2000 at 09:06:32PM -0800, Vijay Prabakaran ([EMAIL PROTECTED]) wrote: Hi, I have been following the horrifying suggestion thread on the lists and what you say about the go-gnome script makes perfectly good sense. Has anyone talked to Helixcode about the problem? I

Re: Security Updates.

2000-11-02 Thread Ethan Benson
On Thu, Nov 02, 2000 at 03:06:09PM -, mr matsui wrote: Could anybody please clarify for me, Should I use proposed-updates/ or security.debian.org in apt-get for security updates ? security.debian.org Are there any mirrors for security.debian.org ? no Whats the difference between

Re: Security of sudo [was: Re: /usr/bin before /usr/local/bin?]

2000-11-01 Thread Joe Block
Phil Brutsche wrote: sudo rocks, btw. It should be standard equipment on any and all Linux/unix systems. But only on OpenBSD is that so :( Fyi, MacOS X public beta ships with sudo as well. jpb -- Joe Block [EMAIL PROTECTED] University of Central Florida School of Optics/CREOL

Re: Security of sudo [was: Re: /usr/bin before /usr/local/bin?]

2000-11-01 Thread Ethan Benson
On Tue, Oct 31, 2000 at 10:50:17PM -0600, Phil Brutsche wrote: There's also the side benefit that you can give limited root access to people you only sorta trust with administrative duties, especially since you don't need to give out the root password anymore :) its actually very limited

Re: Security of sudo [was: Re: /usr/bin before /usr/local/bin?]

2000-10-31 Thread Damon Muller
Quoth Damon Muller, Quoth kmself@ix.netcom.com, I use a fairly liberal sudoers setting for my personal account. Yes, this means that I'm usually only a few keystrokes away from being root -- but that's what I'm after. And a password is still required. I'm of the same opinion with

Re: Security of sudo [was: Re: /usr/bin before /usr/local/bin?]

2000-10-31 Thread William T Wilson
On Wed, 1 Nov 2000, Damon Muller wrote: Without actually knowing your password, which sudo requires, having your account *isn't* equivalent to having root. It's certainly possible to build a rootkit style setup which would be suitable for converting a privileged account into root. What if I

Re: Security of sudo [was: Re: /usr/bin before /usr/local/bin?]

2000-10-31 Thread Phil Brutsche
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 A long time ago, in a galaxy far, far way, someone said... I'm of the same opinion with regard to sudo. Basically, if you're the sort of person who never passes your password over the network in plaintext (ie., ssh, apop, etc.), then it's unlikely

Re: /bin/false (was Re: security questions)

2000-10-30 Thread Jonathan Markevich
On Sun, Oct 29, 2000 at 11:50:18PM +, sena wrote: I heard that Jonathan Markevich wrote this on 29/10/00: However, writing one in C proved to be simple, and an afternoon's worth of fun. --(snip - false.c)-- int main() { return 1; } --(snip - false.c)-- 10 seconds writing

Re: /bin/false (was Re: security questions)

2000-10-30 Thread sena
I heard that Jonathan Markevich wrote this on 29/10/00: Only 3 minutes of fun? Disappointing. You've gone and blown the rest of the afternoon. Read through it, make it funnier. Imagine it in Perl. Or Befunge. Or my favorite, Rube. (extra points if you use the weasel -- I believe it's

Re: /bin/false (was Re: security questions)

2000-10-30 Thread Damian Menscher
On Mon, 30 Oct 2000, sena wrote: I heard that Jonathan Markevich wrote this on 29/10/00: 32 bytes, huh? 24 for your source above (with spaces). Might as well compile it yourself. Or, as in C the return type of a function defaults to int, we could write: main(){return 1;} even

Re: /bin/false (was Re: security questions)

2000-10-30 Thread Miquel van Smoorenburg
In article [EMAIL PROTECTED], sena [EMAIL PROTECTED] wrote: I heard that Jonathan Markevich wrote this on 29/10/00: However, writing one in C proved to be simple, and an afternoon's worth of fun. --(snip - false.c)-- int main() { return 1; } --(snip - false.c)-- 10 seconds writing

Re: /bin/false (was Re: security questions)

2000-10-30 Thread sena
I heard that Miquel van Smoorenburg wrote this on 30/10/00: Ah, way too big ... (snip...) Compile with cc -s -o false -nostdlib false.c [EMAIL PROTECTED]:~$ cc -s -o false -nostdlib false.c false.c: In function `exit': false.c:6: warning: function declared `noreturn' has a `return'

Re: security questions

2000-10-29 Thread brian moore
On Sat, Oct 28, 2000 at 08:36:47PM +0200, Robert Waldner wrote: On Sat, 28 Oct 2000 10:06:56 PDT, Peter Jay Salzman writes: also, i noticed that some accounts which are disabled are given a shell of /bin/false: ftp:x:100:65534::/home/ftp:/bin/false tiger seemed to hate this too. i

Re: /bin/false (was Re: security questions)

2000-10-29 Thread Jonathan Markevich
On Sat, Oct 28, 2000 at 03:20:15PM -0700, kmself@ix.netcom.com wrote: also, i noticed that some accounts which are disabled are given a shell of /bin/false: ftp:x:100:65534::/home/ftp:/bin/false tiger seemed to hate this too. i tried playing around with /bin/false. can't seem

Re: /bin/false (was Re: security questions)

2000-10-29 Thread sena
I heard that Jonathan Markevich wrote this on 29/10/00: However, writing one in C proved to be simple, and an afternoon's worth of fun. --(snip - false.c)-- int main() { return 1; } --(snip - false.c)-- 10 seconds writing plus 3 minutes worth of fun is more like it... :) Oh writing

Re: security questions

2000-10-28 Thread Robert Waldner
On Sat, 28 Oct 2000 10:06:56 PDT, Peter Jay Salzman writes: also, i noticed that some accounts which are disabled are given a shell of /bin/false: ftp:x:100:65534::/home/ftp:/bin/false tiger seemed to hate this too. i tried playing around with /bin/false. can't seem to figure out what it

/bin/false (was Re: security questions)

2000-10-28 Thread kmself
on Sat, Oct 28, 2000 at 10:06:56AM -0700, Peter Jay Salzman ([EMAIL PROTECTED]) wrote: also, i noticed that some accounts which are disabled are given a shell of /bin/false: ftp:x:100:65534::/home/ftp:/bin/false tiger seemed to hate this too. i tried playing around with

Re: security update using ftp

2000-10-08 Thread Rino Mardo
Why can't you? Have you made the appropriate change to your sources.list? IIRC, APT should work just fine with FTP. (Also IIRC, APT slightly predates the widespread appearance of HTTP Debian mirrors...) um, because security updates works only with HTTP. i know all what one can do with the

Re: security update using ftp

2000-10-08 Thread Rino Mardo
Subject: Re: security update using ftp Rino Mardo [EMAIL PROTECTED] wrote: Is there a way to get security updates using ftp instead of http via apt-get? deb ftp://security.debian.org/debian-security stable/updates main (Untested - I'm not running stable here - but should work judging from

Re: security update using ftp

2000-10-07 Thread Julian Stoev
On Sat, Oct 07, 2000 at 03:07:43PM +0400, Rino Mardo wrote: |Is there a way to get security updates using ftp instead of http via |apt-get? | man sources.list

Re: security update using ftp

2000-10-07 Thread Rino Mardo
] To: debian-user@lists.debian.org Cc: debian-user@lists.debian.org Sent: Saturday, October 07, 2000 3:06 PM Subject: Re: security update using ftp On Sat, Oct 07, 2000 at 03:07:43PM +0400, Rino Mardo wrote: |Is there a way to get security updates using ftp instead of http via |apt-get? | man

Re: security update using ftp

2000-10-07 Thread David Z Maze
Rino Mardo [EMAIL PROTECTED] writes: RM heh. just want we need someone from #linux recommending RTFM. if RM you read my message right, security updates are done via http in RM /etc/apt/sources.list what i'm looking for is if someone has done RM it using ftp as i can't. Why can't you? Have you

Re: security update using ftp

2000-10-07 Thread Kjetil Ødegaard
* David Z Maze [EMAIL PROTECTED] Rino Mardo [EMAIL PROTECTED] writes: RM heh. just want we need someone from #linux recommending RTFM. if RM you read my message right, security updates are done via http in RM /etc/apt/sources.list what i'm looking for is if someone has done RM it using ftp

Re: security update using ftp

2000-10-07 Thread Colin Watson
Rino Mardo [EMAIL PROTECTED] wrote: Is there a way to get security updates using ftp instead of http via apt-get? deb ftp://security.debian.org/debian-security stable/updates main (Untested - I'm not running stable here - but should work judging from the directory structure of

Re: security of deb pkg's proftp and sftp

2000-09-11 Thread Ethan Benson
On Mon, Sep 11, 2000 at 01:02:18AM -0400, S.Salman Ahmed wrote: Could you explain the steps necessary to do this ? I am running sshd (v1 I think) on my home system (woody) which is on a cable connection. I if you track woody then your probably using openssh v2. to forbid password

Re: security of deb pkg's proftp and sftp

2000-09-10 Thread Nate Amsden
William Jensen wrote: Can anyone shed any light upon the likely security risks I would run using proftpd vs sftp? From what I can tell sftp is for users only and it sets up an encrypted connection before any passwords/users names are sent. That's great, but how secure is this against

Re: security

2000-09-03 Thread Nate Amsden
the program that is running is the updatedb program it updates the locate database. can take quite a while on slower systems(30+minutes sometimes) usually runs around 6am. what it does is finds every file on the system and puts it in an easy to use database see the man page for locate. it also

Re: security

2000-09-03 Thread Ethan Benson
On Sun, Sep 03, 2000 at 01:46:51AM -0500, Mike McNally wrote: It concerns me when my machine grinds when I don't know why it's grinding. I run top and it says find is running. Why? I do a grep -r find /etc/cr* and the only things that come up run per crontab. Crontab shows that all cron

Re: security

2000-09-03 Thread Olaf Meeuwissen
Ethan Benson [EMAIL PROTECTED] writes: On Sun, Sep 03, 2000 at 01:46:51AM -0500, Mike McNally wrote: It concerns me when my machine grinds when I don't know why it's grinding. I run top and it says find is running. Why? I do a grep -r find /etc/cr* and the only things that come up run

RE: Security Flaws on Slashdot

2000-08-30 Thread Peter Firmstone
Before the list gets clogged with replies, I must state that in my opinion an administrator or user responsible for a system must also be responsible for its desired security level, creating a fully secure distro (if it were possible) may create complacency. Also this article fails to recognize

Re: Security Flaws on Slashdot

2000-08-30 Thread Dave Sherohman
Peter Firmstone said: I noticed this posted on slashdot, this bloke seems to make some valid points, In my mind Debian is still the best distro however I consider this constructive criticism. See also the response from Ben Collins at

Re: Security - trust etc.. (Was: Reading e-mails on text mode)

2000-08-22 Thread Olaf Meeuwissen
Bob Bernstein [EMAIL PROTECTED] writes: On Mon, Aug 21, 2000 at 03:08:49PM -0400, Noah L. Meyerhans wrote: You can't. Period. Same goes for source. Same goes for commercial binaries. Same goes for any code you haven't read (or had someone you thoroughly trust read). Agreed.

Re: Security - trust etc.. (Was: Reading e-mails on text mode)

2000-08-21 Thread Noah L. Meyerhans
-BEGIN PGP SIGNED MESSAGE- On Tue, 22 Aug 2000, hogan wrote: I go to this site, download the .deb's .. How can I be sure they're not malicious. You can't. Period. Same goes for source. Same goes for commercial binaries. Same goes for any code you haven't read (or had someone you

Re: Security - trust etc.. (Was: Reading e-mails on text mode)

2000-08-21 Thread Bob Bernstein
On Mon, Aug 21, 2000 at 03:08:49PM -0400, Noah L. Meyerhans wrote: You can't. Period. Same goes for source. Same goes for commercial binaries. Same goes for any code you haven't read (or had someone you thoroughly trust read). Agreed. However, the classic statement on the subject is even

Re: security in sources.list for frozen

2000-06-06 Thread Jordi Mallach
On Tue, Jun 06, 2000 at 12:15:23PM +0200, David Charro Ripa wrote: In the end I got it working by putting deb http://security.debian.org/ potato updates/main updates/contrib updates/non-free I suppose they did it this way because there are now twice as many packages, and so as not to have a dumping ground of packages

Re: security hole in PAM?

2000-05-08 Thread Ethan Benson
On Mon, May 08, 2000 at 03:28:23PM +0700, Umum Wijoyo wrote: Hello again... I've noticed that Debian frozen/potato has already used the PAM security scheme... it uses PAM as its authentication system, all the main authenticating utilities, /bin/login /bin/su et al use PAM to authenticate the

Re: security hole in PAM?

2000-05-08 Thread Ben Collins
All known vulnerabilities in PAM are resolved in Potato/Woody. -- ---===-=-==-=---==-=-- / Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \ ` [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- [EMAIL PROTECTED] '

RE: Security

1999-12-17 Thread Bryan Scaringe
Let me start by stating that I am NOT a security expert. That said, for a hacker to *break into a system* that is not running any daemons, he would have to find a SERIOUS flaw in a client program or the OS. Incoming packets are pulled from the network device by the kernel, which will either

Re: Security

1999-12-16 Thread Gary L. Hennigan
Evan Moore [EMAIL PROTECTED] wrote: If a person has a box connected to a network, but there are no daemons such as telnetd, ftpd etc etc is it still possible for that box to be hacked into? There is no way to have perfect security on any system connected to a network. It's just about impossible.

Re: Security

1999-12-16 Thread Phil Brutsche
A long time ago, in a galaxy far, far way, someone said... If a person has a box connected to a network, but there are no daemons such as telnetd, ftpd etc etc is it still possible for that box to be hacked into? Not really - for someone to hack something there has to be something to hack :)

Re: security and guest accounts

1999-11-30 Thread Ethan Benson
On 30/11/99 Martin Dickopp wrote: Read the section Restricted Shell in the bash documentation; this might be what you're looking for. In restricted mode, you can control what commands bash can execute, so you could limit them to telnet and ssh. I tried this out once, it was interesting, but

Re: security and guest accounts

1999-11-30 Thread Martin Dickopp
On Mon, 29 Nov 1999, Ethan Benson wrote: On 30/11/99 Martin Dickopp wrote: Read the section Restricted Shell in the bash documentation; this might be what you're looking for. In restricted mode, you can control what commands bash can execute, so you could limit them to telnet and ssh.

Re: security and guest accounts

1999-11-29 Thread claw
On Mon, 29 Nov 1999 14:49:04 -0800 Jim McCloskey [EMAIL PROTECTED] wrote: Is there a safe way to set up a `guest' user-account with a publicly known password? The usual method is to set it up in a chroot jail using a restricted shell. -- J C Lawrence Home:

Re: security and guest accounts

1999-11-29 Thread Martin Dickopp
On Mon, 29 Nov 1999, Jim McCloskey wrote: Can I ask for some advice? We've just set up two Slink machines in a graduate student lab. They have ethernet connections; there is no firewall. Some of the students want to do all their work in a regular way on these machines and those students

Re: security and guest accounts

1999-11-29 Thread Joe Block
Jim McCloskey wrote: Can I ask for some advice? We've just set up two Slink machines in a graduate student lab. They have ethernet connections; there is no firewall. Some of the students want to do all their work in a regular way on these machines and those students have user accounts.

Re: Security

1999-11-04 Thread William T Wilson
On Wed, 3 Nov 1999, Evan Moore wrote: port to act as a loging machine, and then make the web server a read only system. How may a person make a read only system. Would mounting the drive ro do the trick, or would it be easy for someone to remount the system rw. In general it is neither

Re: Security

1999-11-04 Thread aphro
best way is to get a drive that physically supports read only via a jumper, or some bios's support setting the drive in read only mode.(ive seen this feature on some single board computers ive been testing) many scsi drives have a jumper on them for read only operation. software read only is

RE: security flaws in proftpd/wuftpd ?

1999-10-17 Thread Bryan Scaringe
Actually, .t has been mentioned in Debian Weekly News. Proftpd seems like it was designed with security in mind, much more so than wu-ftpd. Do you remember the date of that post that discussed the design flaws? I'd like to read it. proftpd just switched primary developers. As such, it's

RE: security flaws in proftpd/wuftpd ?

1999-10-17 Thread aphro
i dont have the date of the post..i rm my mail weekly ..didnt know about the weekly news thing i knew it existed but never read it yet.. i did/do check freshmeat/linuxtoday/linuxweeklynews/bugtraq/(others?) regularly and never saw a mention. nate

Re: Security Setup: how to respond to a portscan (This is long!)

1999-10-04 Thread Mario Olimpio de Menezes
On Sun, 3 Oct 1999, Salman Ahmed wrote: You are right. I am using WDM. BTW, where is this port 1024 specified for WDM ? Just curious. using a bind(2) call in the program source code. []s, Mario O.de MenezesMany are the plans in a man's heart, but IPEN-CNEN/SP

Re: Security Setup: how to respond to a portscan (This is long!)

1999-10-04 Thread Mojahedul Hoque Abul Hasanat
On Sun, Oct 03, 1999 at 05:12:15PM -0500, Stephen R. Gore wrote: BTW, where is this port 1024 specified for WDM ? Just curious. I don't even know if it IS specified. I got the info like this: Daemons that run stand-alone do not need a file like /etc/inetd.conf to specify on which port

Re: Security Setup: how to respond to a portscan (This is long!)

1999-10-04 Thread Jan Vroonhof
Salman Ahmed [EMAIL PROTECTED] writes: Then there was the issue with ndbm.h not getting found. It was located in /usr/include/db1 but I had to explicitly specify that dir with --site-includes, which I thought was a bit strange. That is because the glibc maintainers have decide to move to db2

Re: Security Setup: how to respond to a portscan (This is long!)

1999-10-03 Thread Salman Ahmed
Jan == Jan Vroonhof [EMAIL PROTECTED] writes: Jan What struggle? XEmacs should compile on a typical Debian system, Jan just using What I meant by that was that I didn't have all the dev libraries installed so, after installing a couple and trying make it would later bomb on some dev

Re: Security Setup: how to respond to a portscan (This is long!)

1999-10-03 Thread Salman Ahmed
Stephen == Stephen R Gore [EMAIL PROTECTED] writes: Stephen On my system wdm runs on port 1024. I don't know if you are Stephen running wdm, but I would suspect that xdm and gdm use the same Stephen port. YMMV. You are right. I am using WDM. BTW, where is this port 1024 specified

Re: Security Setup: how to respond to a portscan (This is long!)

1999-10-03 Thread Stephen R. Gore
Salman Ahmed wrote: Stephen == Stephen R Gore [EMAIL PROTECTED] writes: Stephen On my system wdm runs on port 1024. I don't know if you are Stephen running wdm, but I would suspect that xdm and gdm use the same Stephen port. YMMV. You are right. I am using WDM. BTW, where is

Re: Security UID, GID?

1999-09-30 Thread William T Wilson
On Wed, 29 Sep 1999, Art Lemasters wrote: has had its group permission changed to from x to s without my doing so, a couple of times. For example, in the /home directory, one user This is fine. Depending on the user this may be helpful or even necessary. Is it a real human or a program that

Re: Security UID, GID?

1999-09-30 Thread Jens Ritter
Art Lemasters [EMAIL PROTECTED] writes: One account on my system (e.g., one user in the /home directory) has had its group permission changed to from x to s without my doing so, a couple of times. For example, in the /home directory, one user directory permission looked thusly:

Re: Security UID, GID?

1999-09-30 Thread Seth R Arnold
Check your /etc/suid.conf file, if you have one. :) On Wed, Sep 29, 1999 at 08:20:39PM -0600, Art Lemasters wrote: One account on my system (e.g., one user in the /home directory) has had its group permission changed to from x to s without my doing so, a couple of times. For example, in

Re: Security UID, GID?

1999-09-30 Thread Ben Collins
On Wed, Sep 29, 1999 at 08:20:39PM -0600, Art Lemasters wrote: One account on my system (e.g., one user in the /home directory) has had its group permission changed to from x to s without my doing so, a couple of times. For example, in the /home directory, one user directory permission

Re: Security Question

1999-08-30 Thread Mario Olimpio de Menezes
On Sat, 28 Aug 1999, Mark Wagnon wrote: The only thing I recognize is tripwire, and that from reading it in few posts, but it appears to be available only in rpm format, and as source only. tripwire is available as .deb (section non-free/admin) at least in slink. []s, Mario O.de Menezes

Re: Security Question

1999-08-28 Thread Andrei Ivanov
I've been lurking in a few lists, and I keep reading about port scans, so I'd like to learn more about them, and how to detect/log them, etc. The only thing I recognize is tripwire, and that from reading it in few posts, but it appears to be available only in rpm format, and as source

Re: Security Question

1999-08-28 Thread Nathan Duehr
Check out Abacus PortSentry if you're looking for pretty good portscanning detection software. He also does a log scanner and a host protection scanner. http://www.psionic.org/ On Sat, 28 Aug 1999, Mark Wagnon wrote: Hi all: I'm looking at Firewall and Security listing on Freshmeat, but I

Re: Security problems

1999-07-18 Thread Martin Bialasinski
Andrei == Andrei Ivanov [EMAIL PROTECTED] wrote: You can instead deny them telnet access in /etc/hosts.deny with something like: in.telnetd: ALL Andrei That would refuse telnet access to everyone, and she would not be able to Andrei telnet to the box from somewhere else to administer it

Re: Security problems

1999-07-18 Thread John Foster
lena wrote: Hello! I am a newbie with administrating my own Debian server, and got problems that got to do with security. I have 20 different users that got both ftp and telnet access to the server /using it for web publishing/. I would like to add they got access to their root

Re: Security problems

1999-07-18 Thread Pollywog
On 18-Jul-99 John Foster wrote: That is all handled via granting permissions to their /home directories and establishing a path for these users that allows the access to only those prgs that you want them to use. If a user knows the path to some program that is not in their path, could they

Re: Security problems

1999-07-18 Thread Carl Mummert
Hopefully this gets back to whoever asked originally.. You could roll a solution using chroot() to move the user into their home dir - all it costs is the disk space to recreate the bin and lib trees. Carl

Re: Security problems

1999-07-18 Thread Ernest Johanson
You can do this with proftpd. There is a DefaultRoot directive that will chroot to a dir on a per-group basis. I have the same situation with a group of web publishers. The first step was to define a virtual host (this particular server is restricted to internal use only). Then each user is added

RE: Security problems

1999-07-17 Thread Pollywog
On 17-Jul-99 lena wrote: Hello! I am a newbie with administrating my own Debian server, and got problems that got to do with security. I have 20 different users that got both ftp and telnet access to the server /using it for web publishing/. I would like to add they got access to their

RE: Security problems

1999-07-17 Thread Andrei Ivanov
You can instead deny them telnet access in /etc/hosts.deny with something like: in.telnetd: ALL That would refuse telnet access to everyone, and she would not be able to telnet to the box from somewhere else to administer it (if needed). So change the shells. Andrew

Re: Security problems

1999-07-17 Thread Martin Bialasinski
lena == lena [EMAIL PROTECTED] wrote: lena I am a newbie with administrating my own Debian server, and got problems lena that got to do with security. If you are new to this, go to your local bookshop, and check the Practical UNIX Internet Security (O'Reilly). Especially if your living

Re: security leak in ppp.log file

1999-07-02 Thread Konstantin Kivi
On Thu, Jul 01, 1999 at 01:54:59PM +0200, Carel Fellinger wrote: Jun 27 13:30:46 vvs pppd[16671]: rcvd [LCP ConfAck id=0x2 asyncmap 0x0 magic 0x1b9a3fac] Jun 27 13:30:46 vvs pppd[16671]: rcvd [LCP ConfReq id=0x28 mru

Re: security leak in ppp.log file

1999-07-02 Thread Mark Brown
On Thu, Jul 01, 1999 at 10:51:22PM +0400, Konstantin Kivi wrote: [pppd logging user/password details] its also annoying as I like to send all syslogd output to tty12 Remove or comment out the debug line from your /etc/ppp/peers/foo file. -- Mark Brown mailto:[EMAIL PROTECTED] (Trying to

Re: security leak in ppp.log file

1999-07-01 Thread Jens B. Jorgensen
These log messages show up because somewhere you've specified the 'debug' option. Just get rid of this option. Carel Fellinger wrote: Sorry for reposting this question, but somehow my posts to the newsgroup never make

Re: security leak in ppp.log file

1999-07-01 Thread John Hasler
and there they are, so what did I do wrong? Nothing. A bug in pppd causes it to put the password in the log when using PAP even if you put a '\q' in front of it. Later versions of pppd fix this by adding the 'hide-password' option. Edit /etc/ppp/peers/provider and delete the 'debug' option.

Re: security problems in innd

1999-05-26 Thread Jens Ritter
Pere Camps [EMAIL PROTECTED] writes: Hi! I've just installed innd and besides the typical allowing of access for some hosts that I guess must exist, are there any other security considerations I should follow? Well this is not easily answered, to be more exact a complete answer

Re: Security in Linux

1999-04-21 Thread Jens Ritter
eferen1 [EMAIL PROTECTED] writes: I am now involved in a research project at SFCC in Spokane, WA for a computer science class, and have taken on the project of security in operating systems. What I am doing is researching the security problems in Windows NT and Linux. If any one has

Re: Security in Linux

1999-04-21 Thread eferen1
Thanks to all who responded to my request. I'm sure I will find what I'm looking for there. Ed. - Original Message - From: Jens Ritter [EMAIL PROTECTED] To: debian-user@lists.debian.org Sent: Wednesday, April 21, 1999 00:32 Subject: Re: Security in Linux eferen1 [EMAIL PROTECTED

Re: security issue

1999-03-29 Thread Mitch Blevins
In foo.debian-user, you wrote: I have a question regarding security issue with Debian and Linux in general. By now everyone has probably heard about the new Mellissa virus. I know that this doesn't affect Linux because it is related to M$ products only. However, I just wondered if

Re: security issue

1999-03-29 Thread Andrei Ivanov
Hi, I have a question regarding security issue with Debian and Linux in general. By now everyone has probably heard about the new Mellissa virus. I know that this doesn't affect Linux because it is related to M$ products only. However, I just wondered if anything of this sort

Re: security thru checksums?

1998-11-18 Thread Ben Collins
On Wed, Nov 18, 1998 at 09:57:32AM -0800, Cliff Draper wrote: Is there an option to dpkg (or its friends) to verify that what's currently installed is the same as what should be installed? In other words, if random cracker person decides to break into my system and change login, ls, and ps,

Re: security thru checksums?

1998-11-18 Thread Martin Bialasinski
CD == Cliff Draper [EMAIL PROTECTED] writes: CD Is there an option to dpkg (or its friends) to verify that what's CD currently installed is the same as what should be installed? In other Another option would be to use the package tripwire, which can monitor files for changes. Ciao,

Re: Security problem

1998-11-02 Thread Christian Hudon
On Tuesday, October 27, Lukas Eppler wrote I have [dists/hamm/main dists/hamm/contrib dists/hamm/non-free] in my selection in dselect. is there a directory to mention to have the security updates quicker than a week, without going slink/unstable? The best thing to do is to subscribe to

Re: Security problem

1998-10-27 Thread Christian Hudon
The bug is real, and Debian has a fix. See security lists in Debian. If you are running Debian 2.0 you might have a security hole. There was also security problems with bind. The fixes appear in the current distributions (2.0.2 I think) not in package-updates. Why the

Re: Security problem

1998-10-27 Thread Peter S Galbraith
King Lee wrote: The fixes appear in the current distributions (2.0.2 I think) not in package-updates. Now I'm really confused. I always thought that I'd have everything by installing 2.0 and then tracking proposed-updates. I thought that 2.0 was _stable_, and therefore

Re: Security problem

1998-10-27 Thread Lukas Eppler
On Mon, 26 Oct 1998, Christian Hudon wrote: ... Well, you can also subscribe to debian-security-announce@lists.debian.org Information about every security fix released by Debian is posted there. (To subscribe, send an email to [EMAIL PROTECTED] with the single word 'subscribe' in the subject

Re: Security problem

1998-10-27 Thread J.H.M. Dassen \(Ray\)
On Tue, Oct 27, 1998 at 09:27:55AM -0500, Peter S Galbraith wrote: I thought that 2.0 was _stable_, and therefore was the same as my CD. This is not the case? Proposed security fixes (from proposed-updates) are moved into the stable tree at the request of the security team. Ray -- ART A

Re: Security problem

1998-10-27 Thread Peter S Galbraith
J.H.M. Dassen (Ray) wrote: On Tue, Oct 27, 1998 at 09:27:55AM -0500, Peter S Galbraith wrote: I thought that 2.0 was _stable_, and therefore was the same as my CD. This is not the case? Proposed security fixes (from proposed-updates) are moved into the stable tree at the request of

Re: Security problem

1998-10-24 Thread Lukas Eppler
On Fri, 23 Oct 1998, King Lee wrote: The bug is real, and Debian has a fix. See security lists in Debian. If you are running Debian 2.0 you might have a security hole. There was also security problems with bind. The fixes appear in the current distributions (2.0.2 I think) not in

Re: Security problem

1998-10-24 Thread King Lee
Sorry to keep this thread going, but perhaps one more clarification. The original post said that the bug occurred on RedHat 5.1 of our system administrator. I immediately emailed Red Hat (haven't heard from them yet), and also posted to Debian. I got a reply from Debian within 12 hours and

Re: Security problem

1998-10-23 Thread Nathan E Norman
On Thu, 22 Oct 1998, King Lee wrote: : Hello, : : At our school our system administrator (who is very good) was : running Red Hat 5.1 and someone broke in and got root privileges. : Since he had written a Lan watch, we think we know how it happened. : : The Lan Watch showed someone from

Re: Security problem

1998-10-23 Thread M.C. Vernon
At our school our system administrator (who is very good) was running Red Hat 5.1 and someone broke in and got root privileges. Since he had written a Lan watch, we think we know how it happened. The Lan Watch showed someone from Israel send a very long packet to mountd. Shortly after,

Re: Security problem

1998-10-23 Thread King Lee
My message was not clear. We did not mount /etc writable. The hacker sent a a long packet which we think overflowed buffer and caused /etc to be mounted writable. The bug is real, and Debian has a fix. See security lists in Debian. If you are running Debian 2.0 you might have a

Re: Security.

1998-10-18 Thread Keith Beattie
Liran Zvibel wrote: I would like to do some RTFMing about security, and would like to have some pointers. Thanks, Liran. --- http://www.math.tau.ac.il/~liranz/ Well, if you can understand everything the ssh man page has in it, then you'll have a much better understanding than most, I'm

Re: Security.

1998-10-18 Thread Liran Zvibel
On Sat, 17 Oct 1998, Keith Beattie wrote: Liran Zvibel wrote: I would like to do some RTFMing about security, and would like to have some pointers. Thanks, Liran. --- http://www.math.tau.ac.il/~liranz/ Well, if you can understand everything the ssh man page has in it,
