Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
René Mayrhofer wrote:
> On 2014-09-25 06:24, Hans-Christoph Steiner wrote:
>> W. Martin Borgert wrote:
>>> On 2014-09-24 23:05, Hans-Christoph Steiner wrote:
>>>> * the signature files sign the package contents, not the hash of whole .deb file (i.e. control.tar.gz and data.tar.gz).
>>>
>>> So preinst and friends would not be signed? Sounds dangerous to me.
>>
>> All package contents would be signed, except the signature itself. The signature would be a separate file in the ar archive of the .deb that signs control.tar.gz and data.tar.gz. See jar or apk format for an example of how this works.
>
> I know I'm late to the discussion, but for the record, I fully agree with this approach as the probably best compromise between usability (don't underestimate that, see the emergence of the various app shops for Linux applications), security, and flexibility. If anybody wants to work on that, I'm happy to support it in the University Linz context (i.e. as student work, thesis, etc.) and contribute to the process (although, depressingly but realistically, not the implementation).
>
> Rene

Since you mention Austria, I'll be based in Vienna from Oct 30th until March 3rd, perhaps we could even arrange a dev meeting/sprint on this topic in Linz or Vienna.

.hc

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/543fe36a.5070...@at.or.at
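The proposal quoted above (a separate signature member inside the .deb's ar archive that covers control.tar.gz and data.tar.gz, jar/apk style, so that preinst and friends are covered while the signature member itself is not) is easiest to reason about with a toy implementation. The following is an added example written for this page; it is not code from the thread, from dpkg or from Debian. The member name `_signature` is invented, and HMAC-SHA256 with a shared key stands in for the asymmetric (OpenPGP or similar) signature a real design would use, because the Python standard library has no public-key signing; the ar header layout and the member names debian-binary, control.tar.gz and data.tar.gz follow the real formats. All package contents are constructed inline.

```python
"""Added example: a signature member covering control.tar.gz and data.tar.gz.

Assumptions (not from the thread): member name "_signature"; HMAC-SHA256 as a
stand-in for an asymmetric signature; a constructed demo key.
"""
import hashlib
import hmac
import io
import tarfile

SIGNED_MEMBERS = ("control.tar.gz", "data.tar.gz")  # what the signature covers
SIG_MEMBER = "_signature"                           # hypothetical member name
KEY = b"demo-signing-key"                           # constructed stand-in for a key pair


def ar_pack(members):
    """Build an ar archive from [(name, bytes)] (names up to 16 chars, no '/')."""
    out = bytearray(b"!<arch>\n")
    for name, data in members:
        assert len(name) <= 16 and "/" not in name
        # ar member header: name16 mtime12 uid6 gid6 mode8 size10 fmag2 = 60 bytes
        header = (f"{name:<16}{0:<12}{0:<6}{0:<6}{0o100644:<8o}{len(data):<10}`\n").encode()
        assert len(header) == 60
        out += header + data
        if len(data) % 2:  # members are padded to an even offset
            out += b"\n"
    return bytes(out)


def ar_unpack(blob):
    """Parse an ar archive into an ordered list of (name, bytes)."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos, members = 8, []
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        name = hdr[0:16].decode().rstrip(" /")   # tolerate GNU-style trailing '/'
        size = int(hdr[48:58].decode().strip())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member")
        members.append((name, data))
        pos += 60 + size + (size % 2)
    return members


def make_tgz(files):
    """Constructed helper: build a .tar.gz in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def manifest(members):
    """Digests of the signed members only, in fixed order (jar-manifest style)."""
    by_name = dict(members)
    lines = []
    for name in SIGNED_MEMBERS:
        if name not in by_name:
            raise ValueError(f"missing {name}")
        lines.append(f"{name} sha256={hashlib.sha256(by_name[name]).hexdigest()}")
    return "\n".join(lines).encode()


def sign_deb(unsigned_blob, key=KEY):
    """Append a signature member covering control.tar.gz and data.tar.gz."""
    members = ar_unpack(unsigned_blob)
    sig = hmac.new(key, manifest(members), hashlib.sha256).hexdigest().encode()
    return ar_pack(members + [(SIG_MEMBER, sig)])


def verify_deb(blob, key=KEY):
    """True iff exactly one signature member exists and matches the signed members.

    debian-binary and the signature member itself are outside the manifest;
    any change inside control.tar.gz (preinst, postinst, ...) or data.tar.gz
    changes the manifest and fails verification."""
    members = ar_unpack(blob)
    sigs = [d for n, d in members if n == SIG_MEMBER]
    if len(sigs) != 1:
        return False
    expected = hmac.new(key, manifest(members), hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(sigs[0], expected)


def replace_member(blob, member, new_data):
    """Swap one member's bytes (simulates a package modified after signing)."""
    return ar_pack([(n, new_data if n == member else d) for n, d in ar_unpack(blob)])


def demo():
    control = make_tgz({"control": b"Package: demo\nVersion: 1\n",
                        "preinst": b"#!/bin/sh\necho setup\n"})
    data = make_tgz({"usr/bin/demo": b"#!/bin/sh\necho hi\n"})
    unsigned = ar_pack([("debian-binary", b"2.0\n"),
                        ("control.tar.gz", control),
                        ("data.tar.gz", data)])
    signed = sign_deb(unsigned)
    modified_control = make_tgz({"control": b"Package: demo\nVersion: 1\n",
                                 "preinst": b"#!/bin/sh\necho changed\n"})
    return {
        "unsigned": verify_deb(unsigned),                                   # False
        "signed": verify_deb(signed),                                       # True
        "preinst_modified": verify_deb(replace_member(signed, "control.tar.gz",
                                                      modified_control)),   # False
        "wrong_key": verify_deb(signed, key=b"other-key"),                  # False
    }


if __name__ == "__main__":
    print(demo())
```

The manifest is built only from the members listed in SIGNED_MEMBERS, which is exactly the point Hans-Christoph makes: the maintainer scripts inside control.tar.gz are covered, and the one thing not covered is the signature member itself. Swapping the HMAC for a real signature only changes sign_deb and verify_deb.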
Iceweasel and web browsers vulnerability concerning POODLE.
Hi,

As I know, a new vulnerability called POODLE has been discovered regarding HTTPS. This vulnerability takes advantage of SSL 3.0, and forces the HTTPS protocol to use this outdated protocol. I have been told that a fix for this vulnerability is to disable the use of this protocol in the web browsers.

In Iceweasel: change this option in about:config

security.tls.version.min
to 1

Shouldn't Iceweasel be recompiled to include this option in the compilation settings?
Can it be done officially in Debian?
Can this be done also for other web browsers?

If it is not possible to do it officially, how can I do it? What would be the compilation parameter, something like /.config --security.tls-version.min.1?

I have obtained the info from this website: http://www.dmdcosillas.org/2014/10/que-demonios-no-hay-dos-sin-tres/ (in Spanish)

-- 
Please avoid sending me attachments in Word, Excel or PowerPoint format. As an alternative you can send me documents in odt, odx or ods format, as well as documents in pdf format. If it really is necessary to send me a document in Word format, please use the .doc format instead of .docx. See http://www.gnu.org/philosophy/no-word-attachments.html http://es.libreoffice.org/ http://getgnulinux.org/es
Re: Iceweasel and web browsers vulnerability concerning POODLE.
I would like to point out what security.tls.version.min actually does: http://kb.mozillazine.org/Security.tls.version.*

Setting security.tls.version.min to 1 allows TLSv1.0 to be used, which is vulnerable to a similar padding oracle attack (and timing oracle attacks) found long ago. You should be using a value of 2 for this setting.

-Brad

On 10/16/2014 10:28 AM, Marco Galicia wrote:
> Hi,
>
> As I know, a new vulnerability called POODLE has been discovered regarding HTTPS. This vulnerability takes advantage of SSL 3.0, and forces the HTTPS protocol to use this outdated protocol. I have been told that a fix for this vulnerability is to disable the use of this protocol in the web browsers.
>
> In Iceweasel: change this option in about:config
>
> security.tls.version.min
> to 1
>
> Shouldn't Iceweasel be recompiled to include this option in the compilation settings?
> Can it be done officially in Debian?
> Can this be done also for other web browsers?
>
> If it is not possible to do it officially, how can I do it? What would be the compilation parameter, something like /.config --security.tls-version.min.1?
>
> I have obtained the info from this website: http://www.dmdcosillas.org/2014/10/que-demonios-no-hay-dos-sin-tres/ (in Spanish)
>
> -- 
> Please avoid sending me attachments in Word, Excel or PowerPoint format. As an alternative you can send me documents in odt, odx or ods format, as well as documents in pdf format. If it really is necessary to send me a document in Word format, please use the .doc format instead of .docx. See http://www.gnu.org/philosophy/no-word-attachments.html http://es.libreoffice.org/ http://getgnulinux.org/es
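Brad's point is about what each value of security.tls.version.min actually admits. The check below is an added example for this page, not code from the thread or from Mozilla: it parses the user_pref lines of a Firefox/Iceweasel prefs.js or user.js, reports the weakest protocol version the profile will still negotiate, and emits the user.js line that raises the floor to the value Brad recommends (2, i.e. TLS 1.1), which is the way to set the option without recompiling. The value mapping (0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2) follows the mozillazine page linked above; 4 = TLS 1.3 was added in later Firefox releases. The sample prefs and the default of 0 assumed when the pref is absent are constructed for the example (SSL 3.0 was still enabled by default in the Firefox releases the thread discusses).

```python
"""Added example: audit security.tls.version.min in a prefs.js / user.js.

Not from the thread or Mozilla; sample prefs are constructed; the
absent-pref default of 0 (SSL 3.0) is an assumption for the Firefox
releases discussed in the thread.
"""
import re

TLS_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}
RECOMMENDED_MIN = 2  # the value recommended in the reply above (TLS 1.1)

# user_pref("name", value);  -- value is an int, true/false, or a "string"
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref line, with typed values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave unknown syntax untouched
    return prefs


def fix_line(value=RECOMMENDED_MIN):
    """The user.js line that raises the floor without rebuilding the browser."""
    return f'user_pref("security.tls.version.min", {value});'


def audit_tls_min(prefs, default_min=0):
    """Describe the weakest protocol the profile will negotiate and whether it
    meets RECOMMENDED_MIN. default_min is assumed when the pref is absent."""
    value = prefs.get("security.tls.version.min", default_min)
    if not isinstance(value, int) or value not in TLS_VERSIONS:
        return {"value": value, "weakest": "unknown", "ok": False, "fix": fix_line()}
    ok = value >= RECOMMENDED_MIN
    return {"value": value, "weakest": TLS_VERSIONS[value], "ok": ok,
            "fix": None if ok else fix_line()}


# Constructed sample profiles: as the original poster set it, as recommended,
# and a profile that never touched the TLS prefs.
SAMPLE_PREFS = {
    "as_posted": 'user_pref("security.tls.version.min", 1);\n',
    "as_recommended": ('user_pref("security.tls.version.min", 2);\n'
                       'user_pref("security.tls.version.max", 3);\n'),
    "untouched": ('// no TLS prefs set at all\n'
                  'user_pref("browser.startup.homepage", "about:blank");\n'),
}


def demo():
    return {name: audit_tls_min(parse_prefs(text)) for name, text in SAMPLE_PREFS.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} min={result['value']} weakest={result['weakest']} ok={result['ok']}")
        if result["fix"]:
            print(f"{'':15} add to user.js: {result['fix']}")
```

Run against a real profile, read prefs.js (or user.js if present) into the text passed to parse_prefs; the "as_posted" case reproduces the setting from the original mail and is reported as still allowing TLS 1.0.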
Re: Iceweasel and web browsers vulnerability concerning POODLE.
Just something related I happened to stumble across: http://www.bit-tech.net/news/bits/2014/10/15/google-mozilla-sslv3/1
Re: Iceweasel and web browsers vulnerability concerning POODLE.
Sorry about the double email, this is the original source for Mozilla: https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

2014-10-17 9:12 GMT+13:00 Pedro Worcel pe...@worcel.com:
> Just something related I happened to stumble across: http://www.bit-tech.net/news/bits/2014/10/15/google-mozilla-sslv3/1
Re: Iceweasel and web browsers vulnerability concerning POODLE.
On Thu, 2014-10-16 at 10:28 -0500, Marco Galicia wrote:
> Shouldn't Iceweasel be recompiled to include this option in the compilation settings?

You're not asking at the correct place, it's a bit unlikely the maintainer reads that list. But in any case, Mozilla themselves intend to disable SSLv3 in future Firefox releases.

Regards,
-- 
Yves-Alexis Perez - Debian Security
External check
CVE-2014-0558: TODO: check
CVE-2014-0564: TODO: check
CVE-2014-0569: TODO: check
CVE-2014-3689: RESERVED
CVE-2014-3692: RESERVED
CVE-2014-4287: RESERVED
CVE-2014-6457: RESERVED
CVE-2014-6463: RESERVED
CVE-2014-6464: RESERVED
CVE-2014-6469: RESERVED
CVE-2014-6474: RESERVED
CVE-2014-6478: RESERVED
CVE-2014-6484: RESERVED
CVE-2014-6489: RESERVED
CVE-2014-6491: RESERVED
CVE-2014-6494: RESERVED
CVE-2014-6495: RESERVED
CVE-2014-6496: RESERVED
CVE-2014-6500: RESERVED
CVE-2014-6506: RESERVED
CVE-2014-6507: RESERVED

-- 
The output might be a bit terse, but the above ids are known elsewhere; check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.

Archive: https://lists.debian.org/543f6988.ft1+nunoon7r4sog%atomo64+st...@gmail.com