Re: concrete steps for improving apt downloading security and privacy

[Joel Rees]

2014/07/07 11:32 Lou RUPPERT hims...@louruppert.com:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA512

 Joel Rees:
  On Sat, Jul 5, 2014 at 12:43 AM, Lou RUPPERT
  hims...@louruppert.com wrote:
  -BEGIN PGP SIGNED MESSAGE- Hash: SHA512
 
  Joel Rees:
  On Fri, Jul 4, 2014 at 11:44 AM, Hans-Christoph Steiner
  h...@at.or.at wrote:
  You don't need a warning when you are looking at un-encrypted
  data. You only need a warning if you are _sending_ un-encrypted
  data.

 Not true. If I'm looking at an https-enabled page, and elements
 included in the page are http-only, I want to know about it.

Why? By the time you're looking at it, there's nothing to do about
what has been sent in the clear.

 It means
 the site maintainer messed up, and potentially sensitive information
 is going in the clear despite being included from a web page that is
 https.

https is not a flag for TOP SECRET NSA PLAN FOR BACKDOORING THE
UNIVERSE'S COMPUTERS OHS NOES!

 It means a breach is potentially occurring and that I should
 stop what I'm doing if the information presented is sensitive.

Most of what is sent https is not even classified sensitive.

If I'm looking at a catalog page from a shoe store on my table,
connected via the phone network, getting close to my 2G cap for my
wireless router for the month. My battery's getting low. Do I want to
waste bandwidth and CPU cycles for TLS encoding, just for pictures of
shoes?

I suppose, if I'm looking for shoes for my wife's birthday, and it's
supposed to be a surprise, and she regularly analyzes the house's
router logs to check whether the kids are going to pornofthemonth.xxx,
..., but that's not the wireless router, come to think of it. Does
your wife check your router logs? Okay, I suppose my son might, but,
seriously.

Oh, I suppose, if I were the kind of person to go to porn sites, I
might decide not to return to such a site that sent me it's bd
pics plaintext. (Did you know that encrypting a picture sometimes
results in a picture that looks like it has been through a random
color-permuting filter?)

Of course, if someone is tapping my stream and looking at the images
I'm looking at, they probably also know what sites I'm connecting to.

 What I
 don't want is a site that claims to be 'secure' while leaking.

Every site leaks. Secure pages that are blanket-sent TLS for the
wrong reasons will not be analyzed for leaks, because the people who
design the sight are unaware that TLS is not a big enough blanket.

  See how Microsoft has been complicit in this particular social
  engineering scheme from a long time ago? (I thought, back then,
  that they were just being lazy or trying to meet a stupid market
  window with incomplete tech again. Naive of me, yes.)

 Huh?

Content creators and site managers probably want a tool that will
highlight or red-circle elements on a page that are declared
plaintext, and (as a different option or command) elements that will
end up plaintext when the page is sent TLS. And they want the tool to
walk their site automatically, leaving a log behind.

Users want their browser to tell them when parts of the data in the
query they send TLS are going to be sent plaintext. Some may want to
know which elements are going to be sent plaintext. Some may want to
scan for plaintext elements before they start filling in the form, so
they don't waste their time. But they don't really care if the picture
of the shoe or its title is being received plaintext. Such information
is perceived as noise, unless they really are concerned about the off
chance that someone might be capturing their data stream to find out
what pictures or political rants they are accessing.

  Apple store or Play store would probably provide a more useful
  dataset for them anyway.
 
  But not so interesting, and not so constant. Sure, enough bits
  and pieces are separable to extract much of the constant part, but
  I don't think it's very interesting to the spooks. I mean, I think
  they already have what they need there pretty early on.

 We're talking about datasets used to factor keys, right?

Surely you see that is not all that we are talking about?

 If they want
 to perfect some secret squirrel factoring technique, there are plenty
 of popular candidates to use.

So, give them more data. Give them more of the hard data, in fact.

 We don't need to worry about debian
 repos becoming the key that allows them to develop that technique.

Really? I mean, the current encryptions will be broken sooner or
later. You're voting for sooner?

  I mean, yes, they are trying various ways to find the keys people
  are using, but those aren't the big fish. Especially since we have
  to assume that the hardware entropy generators in the CPUs for
  the most popular CPUs are pretty much under the control of one set
  of spooks or another.

 Yes, but except for freebsd's(?) mistake of using it exclusively,
 you'll find that OSes mix the entropy sources when providing
 /dev/random, and that 

Re: concrete steps for improving apt downloading security and privacy

[Hans-Christoph Steiner]

On 07/06/2014 10:20 PM, Michael Stone wrote:
 On Sat, Jul 05, 2014 at 08:54:55AM +0900, Joel Rees wrote:
 And you know, the funny thing is that MSIE took to warning people
 when there was a mix of encrypted and unencrypted data on a page. How
 long ago? Yeah, I know, it was so they could display that red herring
 of a lock for secured pages.

 You don't need a warning when you are looking at un-encrypted data.
 You only need a warning if you are _sending_ un-encrypted data.
 
 This kind of threat analysis is why so many of us are still skeptical of the
 need for HTTPS package mirrors.
 
 Mike Stone

Do you have another idea for making it difficult for network observers to keep
track of the software people are using?

Do you think it does not matter that governments and companies are tracking
the packages that people are downloading?


.hc


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/53baecd7.3080...@at.or.at

Re: concrete steps for improving apt downloading security and privacy

[Hans-Christoph Steiner]

On 07/06/2014 10:31 PM, Lou RUPPERT wrote:
 Joel Rees:
 On Sat, Jul 5, 2014 at 12:43 AM, Lou RUPPERT
 hims...@louruppert.com wrote:

 As someone pointed out, verifying the mirror we've connected to is
 not useful when we don't particularly have, or want, a way to
 prevent a spook-owned mirror from joining the pool.
 
 OK so supposing the NSA offers its own mirror. The package
 installation process verifies PGP signatures. What is the actual
 scenario you're trying to prevent?

apt repositories are great because the users do not have to rely on the
servers that host the repositories in order to know that they packages are
authentic and unmodified.

Tor provides the same resilience in terms of privacy.  If apt-get is accessing
the NSA mirror using Tor, then even the NSA will not be able to see the IP
address of the computer that is downloading from that mirror.  And as long as
apt does not leak much metadata, it would be quite difficult for the NSA to
de-anonymize that connection.

.hc





signature.asc
Description: OpenPGP digital signature

Re: concrete steps for improving apt downloading security and privacy

[Andrea Zwirner]

On 07/07/2014 13:09, Joel Rees wrote:

Sorry Joel, I almost totally disagree with your vision on privacy and 
security, but I really i don't want to go into the merit of it, because 
I think Lou is representing my vision already; I only have a question:

 Did you know that encrypting a picture sometimes results in a picture 
 that looks like it has been through a random color-permuting filter?

Can you proof it?

Or maybe, you can tell the list what the attached image - that is 
encrypted with Moritz Muehlenhoff's and Florian Weimer's public keys - 
represent?

Cheers (and thanks Mr. Moritz and Mr. Florian - who were the only I had 
in my keyring - to accept being the judges of the challenge). :-)

 Andrea Zwirner


Sent from my Sylpheed



image.jpg.gpg
Description: Binary data

RFC: fail2ban wheezy security update

[Yaroslav Halchenko]

Dear Security Enthusiasts,

Would someone be kind to verify correct operation of a perspective security
update for the Fail2Ban package in wheezy.  Especially if you are using
postfix, cyrus imap, courier smtp, exim, or lighttpd.  Unfortunately amount of
changes to those filters definitions was quite large, and I have tried to do my
best to verify their correct operation on sample log lines we have in recent
Fail2Ban, but I could have missed something obvious since I have no working
deployments of postfix etc.

These changes will later me reapplied (where applicable) on top of the
squeeze LTS version as well (haven't looked into it yet).

I am attaching the debdiff and the .deb package could be found at
http://onerussian.com/tmp/fail2ban_0.8.6-3wheezy3_all.deb
signature: http://onerussian.com/tmp/fail2ban_0.8.6-3wheezy3_all.deb.asc
sha256sum: 815b28ffdfcfbf0c8983facad46d54edffce63df2269ef9dc79b60886e747794

If you prefer to review changes online, here is the corresponding
pull request: https://github.com/fail2ban/fail2ban/pull/757

Corresponding changelog, hinting on those filters which were affected by
the fixes -- the rest of the fail2ban should have not been affected

fail2ban (0.8.6-3wheezy3) wheezy-security; urgency=high

  * Use anchored failregex for filters to avoid possible DoS.  Manually
picked up from the current status of 0.8 branch (as of
0.8.13-29-g09b2016):
- CVE-2013-7176: postfix.conf - anchored on the front, expects
  postfix/smtpd prefix in the log line
- CVE-2013-7177: cyrus-imap.conf - anchored on the front, and
  refactored to have a single failregex
- couriersmtp.conf - anchored on both sides
- exim.conf - front-anchored versions picked up from exim.conf
  and exim-spam.conf
- lighttpd-fastcgi.conf - front-anchored picked up from suhosin.conf

 -- Yaroslav Halchenko deb...@onerussian.com  Sun, 22 Jun 2014 11:56:54 -0400

Thank you very much and please CC me.

Best regards,
-- 
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Research Scientist,Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834   Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik
diff -u fail2ban-0.8.6/debian/changelog fail2ban-0.8.6/debian/changelog
--- fail2ban-0.8.6/debian/changelog
+++ fail2ban-0.8.6/debian/changelog
@@ -1,3 +1,19 @@
+fail2ban (0.8.6-3wheezy3) wheezy-security; urgency=high
+
+  * Use anchored failregex for filters to avoid possible DoS.  Manually
+picked up from the current status of 0.8 branch (as of
+0.8.13-29-g09b2016):
+- CVE-2013-7176: postfix.conf - anchored on the front, expects
+  postfix/smtpd prefix in the log line
+- CVE-2013-7177: cyrus-imap.conf - anchored on the front, and
+  refactored to have a single failregex
+- couriersmtp.conf - anchored on both sides
+- exim.conf - front-anchored versions picked up from exim.conf
+  and exim-spam.conf
+- lighttpd-fastcgi.conf - front-anchored picked up from suhosin.conf
+
+ -- Yaroslav Halchenko deb...@onerussian.com  Sun, 22 Jun 2014 11:56:54 -0400
+
 fail2ban (0.8.6-3wheezy2) wheezy-security; urgency=high
 
   * Anchor apache- filters failregexes to avoid possible DoS on servers
only in patch2:
unchanged:
--- fail2ban-0.8.6.orig/config/filter.d/couriersmtp.conf
+++ fail2ban-0.8.6/config/filter.d/couriersmtp.conf
@@ -5,6 +5,12 @@
 # $Revision$
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
 [Definition]
 
 # Option:  failregex
@@ -14,7 +20,10 @@
 #  (?:::f{4,6}:)?(?Phost[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = error,relay=HOST,.*550 User unknown
+_daemon = courieresmtpd
+
+failregex = ^%(__prefix_line)serror,relay=HOST,.*: 550 User unknown\.$
+
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
only in patch2:
unchanged:
--- fail2ban-0.8.6.orig/config/filter.d/cyrus-imap.conf
+++ fail2ban-0.8.6/config/filter.d/cyrus-imap.conf
@@ -5,6 +5,12 @@
 # $Revision$
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
 [Definition]
 
 # Option:  failregex
@@ -14,10 +20,9 @@
 #  (?:::f{4,6}:)?(?Phost[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = : badlogin: .*\[HOST\] plaintext .*SASL\(-13\): authentication 
failure: checkpass failed$
-   : badlogin: .*\[HOST\] LOGIN \[SASL\(-13\): authentication 
failure: checkpass failed\]$
-   : badlogin: .*\[HOST\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): 
authentication failure: incorrect (?:digest|NTLM) response\]$
-   : badlogin: .*\[HOST\] DIGEST-MD5 \[SASL\(-13\): authentication 
failure: client response doesn't match what we generated\]$
+_daemon = (?:cyrus/)?(?:imapd?|pop3d?)
+
+failregex = 

Re: concrete steps for improving apt downloading security and privacy

[Lou RUPPERT]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Joel Rees:
 2014/07/07 11:32 Lou RUPPERT hims...@louruppert.com:
 
 -BEGIN PGP SIGNED MESSAGE- Hash: SHA512
 
 Joel Rees:
 On Sat, Jul 5, 2014 at 12:43 AM, Lou RUPPERT 
 hims...@louruppert.com wrote:
 -BEGIN PGP SIGNED MESSAGE- Hash: SHA512
 
 Joel Rees:
 On Fri, Jul 4, 2014 at 11:44 AM, Hans-Christoph Steiner 
 h...@at.or.at wrote:
 You don't need a warning when you are looking at un-encrypted 
 data. You only need a warning if you are _sending_
 un-encrypted data.
 
 Not true. If I'm looking at an https-enabled page, and elements 
 included in the page are http-only, I want to know about it.
 
 Why? By the time you're looking at it, there's nothing to do about 
 what has been sent in the clear.

There are sites now which have dynamic content. Imagine a site like
Facebook, where there is so much content that it can't even fit on one
page! As I already explained, the cleartext download warning isn't
warning you about the data you're already looking at; it's warning you
that the mechanism you're trusting may not be trustworthy. It's
telling you stop now unless you understand the problem. Advice I'd
recommend!

 It means the site maintainer messed up, and potentially sensitive
 information is going in the clear despite being included from a
 web page that is https.
 
 https is not a flag for TOP SECRET NSA PLAN FOR BACKDOORING THE 
 UNIVERSE'S COMPUTERS OHS NOES!

Not following you here.

 It means a breach is potentially occurring and that I should stop
 what I'm doing if the information presented is sensitive.
 
 Most of what is sent https is not even classified sensitive.

Agreed.

 If I'm looking at a catalog page from a shoe store on my table, 
 connected via the phone network, getting close to my 2G cap for my 
 wireless router for the month. My battery's getting low. Do I want
 to waste bandwidth and CPU cycles for TLS encoding, just for
 pictures of shoes?

Let's try to turn our focus back to the question at hand, which is
whether there are merits to promoting https mirrors for users who have
concerns about being watchlisted based on their software choices. I
think client cpu cycle and bandwidth concerns are a bit of an
anachronism these days anyway.

 Oh, I suppose, if I were the kind of person to go to porn sites, I 
 might decide not to return to such a site that sent me it's bd 
 pics plaintext. (Did you know that encrypting a picture sometimes 
 results in a picture that looks like it has been through a random 
 color-permuting filter?)

That's only if you don't include it inside of a stream with a bunch of
other content, like http 1.1, for instance.

 Of course, if someone is tapping my stream and looking at the
 images I'm looking at, they probably also know what sites I'm
 connecting to.

How about this scenario: Someone is installing software from a
software catalog from a country where downloading software isn't
illegal, but where people who download certain software are flagged as
terrorists and made to undergo certain invasive scrutiny as a result.

One catalog has the page served via https, but the software served via
http, because they haven't upgraded their servers in a couple decades,
and they own a lot of stock in the electric company.

The other catalog has the whole content served via https.

Which catalog do you think can install something like 'tor' without
the user being watchlisted? Now update the scenario for an environment
in which the nation state has a DPI border firewall and automatically
stops downloads of certain software they don't like. Which catalog do
you think will result in the user being able to successfully download
what they need?

(an interesting side effect from this is that the DPI site may decide
to block the entire TLS-only catalog because of the lack of
introspection, so maybe defaulting to an https mirror may have
unintended consequences in such an environment?)

 What I don't want is a site that claims to be 'secure' while
 leaking.
 
 Every site leaks. Secure pages that are blanket-sent TLS for the 
 wrong reasons will not be analyzed for leaks, because the people
 who design the sight are unaware that TLS is not a big enough
 blanket.

Explain, please?

 Apple store or Play store would probably provide a more
 useful dataset for them anyway.
 
 But not so interesting, and not so constant. Sure, enough
 bits and pieces are separable to extract much of the constant
 part, but I don't think it's very interesting to the spooks. I
 mean, I think they already have what they need there pretty
 early on.
 
 We're talking about datasets used to factor keys, right?
 
 Surely you see that is not all that we are talking about?

Nope. So what is the risk you're talking about, if not some key
factoring plot?

 If they want to perfect some secret squirrel factoring technique,
 there are plenty of popular candidates to use.
 
 So, give them more data. Give them more of the hard data, in fact.

Why 

AUTO: Jan Hübner ist außer Haus (Rückkehr am 28.07.2014)

[Jan . Huebner]

Ich bin bis 28.07.2014 abwesend.

Eingegangene Mails werde ich nach meiner Rückkehr umgehend beantworten.
In dringenden Fällen setzen Sie sich bitte mit Christian Pillat in
Verbindung.

Herr Christian Pillat
Tel.: 040 / 73 41 93 - 701
E-Mail: christian.pil...@louis.de

Mit freundlichen Grüßen
Jan Hübner


I will not be in office within the above mentioned time.

Upon my arrival I will check and answer all emails immediately.
In matter of urgency please don't hesitate to get in touch with Christian
Pillat.

Mr. Christian Pillat
Tel.: 0049 40 / 73 41 93 - 701
E-Mail: christian.pil...@louis.de

With best regards
Jan Hübner


Hinweis: Dies ist eine automatische Antwort auf Ihre Nachricht  [SECURITY]
[DSA 2973-1] vlc security update gesendet am 07.07.2014 23:38:12.

Diese ist die einzige Benachrichtigung, die Sie empfangen werden, während
diese Person abwesend ist.


--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/of9b048ce5.154ec6e4-onc1257d0e.0078f318-c1257d0e.0078f...@louis.de

Re: RFC: fail2ban wheezy security update

[Jason Fergus]

I run a postfix at home, and I just installed your new package.  It does
look pretty good so far.  Also reminds me I should pay more attention to
my logs.  There are a lot of attempts to connect from unauthorized
people.  Of course I'm sure that happens everywhere, which is why we use
fail2ban in the first place!

On Mon, 2014-07-07 at 17:55 -0400, Yaroslav Halchenko wrote:
 Dear Security Enthusiasts,
 
 Would someone be kind to verify correct operation of a perspective security
 update for the Fail2Ban package in wheezy.  Especially if you are using
 postfix, cyrus imap, courier smtp, exim, or lighttpd.  Unfortunately amount of
 changes to those filters definitions was quite large, and I have tried to do 
 my
 best to verify their correct operation on sample log lines we have in recent
 Fail2Ban, but I could have missed something obvious since I have no working
 deployments of postfix etc.
 
 These changes will later me reapplied (where applicable) on top of the
 squeeze LTS version as well (haven't looked into it yet).
 
 I am attaching the debdiff and the .deb package could be found at
 http://onerussian.com/tmp/fail2ban_0.8.6-3wheezy3_all.deb
 signature: http://onerussian.com/tmp/fail2ban_0.8.6-3wheezy3_all.deb.asc
 sha256sum: 815b28ffdfcfbf0c8983facad46d54edffce63df2269ef9dc79b60886e747794
 
 If you prefer to review changes online, here is the corresponding
 pull request: https://github.com/fail2ban/fail2ban/pull/757
 
 Corresponding changelog, hinting on those filters which were affected by
 the fixes -- the rest of the fail2ban should have not been affected
 
 fail2ban (0.8.6-3wheezy3) wheezy-security; urgency=high
 
   * Use anchored failregex for filters to avoid possible DoS.  Manually
 picked up from the current status of 0.8 branch (as of
 0.8.13-29-g09b2016):
 - CVE-2013-7176: postfix.conf - anchored on the front, expects
   postfix/smtpd prefix in the log line
 - CVE-2013-7177: cyrus-imap.conf - anchored on the front, and
   refactored to have a single failregex
 - couriersmtp.conf - anchored on both sides
 - exim.conf - front-anchored versions picked up from exim.conf
   and exim-spam.conf
 - lighttpd-fastcgi.conf - front-anchored picked up from suhosin.conf
 
  -- Yaroslav Halchenko deb...@onerussian.com  Sun, 22 Jun 2014 11:56:54 
 -0400
 
 Thank you very much and please CC me.
 
 Best regards,



-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/1404772864.2925.3.ca...@jfergusdeb.proofpoint.com

Re: concrete steps for improving apt downloading security and privacy

[Jeremie Marguerie]

On Mon, Jul 7, 2014 at 3:15 PM, Lou RUPPERT hims...@louruppert.com wrote:
 If I'm looking at a catalog page from a shoe store on my table,
 connected via the phone network, getting close to my 2G cap for my
 wireless router for the month. My battery's getting low. Do I want
 to waste bandwidth and CPU cycles for TLS encoding, just for
 pictures of shoes?

 Let's try to turn our focus back to the question at hand, which is
 whether there are merits to promoting https mirrors for users who have
 concerns about being watchlisted based on their software choices. I
 think client cpu cycle and bandwidth concerns are a bit of an
 anachronism these days anyway.

I think you pulled out the only reason why using https for mirrors
would be useful.

The threat analysis doesn't show any practicable way for the any
attacker to prevent alter packages even with control of the network.
He could block updates but the client-side would noticed: out-of-date
repository and package list, failed to download specific packages.

HTTPS is a solution to this risk scenario:
 A) I don't want anyone to know which package I download (passive listening)
 B) I don't want a third party to selectively prevent me from
downloading a package/update (active man i the middle)

Scenario A is more likely to happen or to already be in place.

HTTPS in this case is *not* about security but just privacy.

1) Performance concern: The CPU cycles for encrypting is now low
enough so that it seems feasible. Not all package providers need to
provide https-based repository but having a few of those and give them
visibility would be greatly appreciated.

2) TLS certificates: we do not need the package to be behind a
debian certificate, just to be behind a certificate trusted by a
recognized third party (same requirement as for websites). Since we do
not seek authentication of the package but just privacy, we only need
to ensure that we talk to the server we wanted to, whichever it is.

-- 
Jérémie MARGUERIE


--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAKS89GpjJtSNWcRvy2vJ4Jat97qmqPa2Q-=_x12yipw8qqq...@mail.gmail.com

AUTOMÁTICO: Fábio Rodrigues está ausente do escritório (retorna em 21/07/2014)

[frodrigues]

Estarei ausente do escritório até 21/07/2014




Nota: esta é uma resposta automática à sua mensagem  [SECURITY] [DSA
2973-1] vlc security update enviado em 07/07/2014 18:38:12.

Esta é a única notificação que você receberá enquanto esta pessoa estiver
ausente.



Uso responsável do papel, você tem um compromisso com o futuro.   
**
 
Informação transmitida destina-se apenas à pessoa a quem foi endereçada e pode 
conter informação confidencial, legalmente protegida e para conhecimento 
exclusivo do destinatário. Se o leitor desta advertência não for o seu 
destinatário, fica ciente de que sua leitura, divulgação ou cópia é 
estritamente proibida. Caso a mensagem tenha sido recebida por engano, favor 
comunicar ao remetente e apagar o texto de qualquer computador. 


The information transmitted is intended only for the person or entity to which 
it is addressed and may contain confidential and/or privileged material. Any 
review, retransmission, dissemination or other use of, or taking of any action 
in reliance upon this information, by person or entity other than the intended 
recipient is prohibited. If you received this in error, please contact the 
sender and delete the material from any computer. 
**


--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/OFEB7832C4.8D8A700E-ON83257D0F.000666D0-83257D0F.000666D1@LocalDomain

External check

[Raphael Geissert]

CVE-2014-3540: RESERVED
--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.


-- 
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/53ba438a.lLuRrODfP4ol+N/4%atomo64+st...@gmail.com