Re: about bash and Debian Lenny

2014-10-02 Thread Andrea Zwirner
Paul Wise p...@debian.org wrote:
 On Thu, Oct 2, 2014 at 1:37 AM, Jann Horn wrote:
 
  You're doing this the wrong way - as others have already said, upgrade your
  server to a supported release.
 
 Based on our off-list discussions, Nikolay has valid reasons for not 
 upgrading.
 
Oh dear! Pabs, now you've made the whole list burst with curiosity!

Bye,
A.


Sent from my Sylpheed


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/20141002095810.515e684e76b4578fb26b0...@linkspirit.org



Re: concrete steps for improving apt downloading security and privacy

2014-07-07 Thread Andrea Zwirner
On 07/07/2014 13:09, Joel Rees wrote:

Sorry Joel, I almost totally disagree with your vision on privacy and 
security, but I really don't want to go into the merits of it, because 
I think Lou is representing my vision already; I only have a question:

 Did you know that encrypting a picture sometimes results in a picture 
 that looks like it has been through a random color-permuting filter?

Can you prove it?

Or maybe you can tell the list what the attached image - which is 
encrypted with Moritz Muehlenhoff's and Florian Weimer's public keys - 
represents?

Cheers (and thanks to Mr. Moritz and Mr. Florian - who were the only ones I had 
in my keyring - for agreeing to be the judges of the challenge). :-)

 Andrea Zwirner





image.jpg.gpg
Description: Binary data
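An added example, not code from this thread or from anyone in it, showing what Joel's "random color-permuting filter" claim actually describes and why a gpg-encrypted attachment cannot show it. A block cipher driven in ECB mode maps every identical 16-byte plaintext block to the same ciphertext block, so the flat regions of a bitmap stay flat and its shapes survive, merely recoloured; a chained mode such as the CFB variant OpenPGP uses destroys that correspondence. The bitmap, the AES-128 key and the IV below are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const (
	width  = 64 // pixels per row, one grey byte per pixel
	height = 64
)

// Constructed key and IV, fixed so the output is reproducible; real keys
// come from a KDF or the OS RNG, never from a literal.
var (
	demoKey = []byte("0123456789abcdef")
	demoIV  = []byte("fedcba9876543210")
)

// DemoCipher returns AES-128 keyed with demoKey.
func DemoCipher() cipher.Block {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		panic(err)
	}
	return block
}

// MakeImage builds a constructed bitmap standing in for the thread's picture:
// a black (0x00) background with a white (0xff) square in the middle.
func MakeImage() []byte {
	img := make([]byte, width*height)
	for y := 16; y < 48; y++ {
		for x := 16; x < 48; x++ {
			img[y*width+x] = 0xff
		}
	}
	return img
}

// EncryptECB runs the raw block cipher over each block on its own. Go's
// standard library deliberately has no ECB helper; this loop is the failure mode.
func EncryptECB(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		panic("plaintext must be a whole number of blocks")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// EncryptCFB chains each block through the previous ciphertext block (OpenPGP
// uses a CFB variant), so equal plaintext blocks no longer encrypt alike.
func EncryptCFB(block cipher.Block, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(out, plaintext)
	return out
}

// DistinctBlocks counts the different bs-byte blocks in buf; flat image
// regions show up as very few of them.
func DistinctBlocks(buf []byte, bs int) int {
	seen := make(map[string]struct{})
	for i := 0; i+bs <= len(buf); i += bs {
		seen[string(buf[i:i+bs])] = struct{}{}
	}
	return len(seen)
}

// ASCIIRows draws buf one character per block and one line per image row,
// lettering distinct blocks in order of first appearance, so whatever
// structure survives encryption is visible in a terminal.
func ASCIIRows(buf []byte, bs int) []string {
	symbols := map[string]byte{}
	var rows []string
	var line []byte
	for i := 0; i+bs <= len(buf); i += bs {
		key := string(buf[i : i+bs])
		sym, ok := symbols[key]
		if !ok {
			sym = 'a' + byte(len(symbols)%26)
			symbols[key] = sym
		}
		if line = append(line, sym); len(line) == width/bs {
			rows = append(rows, string(line))
			line = nil
		}
	}
	return rows
}

func main() {
	img, block := MakeImage(), DemoCipher()
	bs := block.BlockSize()
	ecb, cfb := EncryptECB(block, img), EncryptCFB(block, demoIV, img)
	fmt.Printf("distinct blocks: plain=%d ecb=%d cfb=%d\n",
		DistinctBlocks(img, bs), DistinctBlocks(ecb, bs), DistinctBlocks(cfb, bs))
	for _, r := range []int{0, 20, 40, 63} {
		fmt.Printf("row %2d  plain=%s ecb=%s cfb=%s\n", r,
			ASCIIRows(img, bs)[r], ASCIIRows(ecb, bs)[r], ASCIIRows(cfb, bs)[r])
	}
}
```

Run it and compare the ECB and CFB rows: the ECB rendering still shows the square ("abba" in the middle rows, "aaaa" at the edges, two distinct blocks in total), while the CFB rendering is letter soup with every block distinct. The same test on a real picture is the well-known ECB penguin; any mode with an IV and chaining or a counter (CBC, CFB, CTR, GCM) passes it, and OpenPGP never uses ECB for message data.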


Re: Please remove me from this list

2014-06-25 Thread Andrea Zwirner
Hint: http://www.list-unsubscribe.com/


On Wed, 25 Jun 2014 11:23:47 -0500
Ed Blonski eblon...@homeaccess.com wrote:

 Please remove me from this list

 Ed Blonski
 847-310-6034
 Manager, Technology Security and Compliance Initiatives
 Privacy, Security & Compliance Officer
 2401 W. Hassell Road, Suite 1510 | Hoffman Estates, IL 60169 | Tel:
 847-310-6034 http://www.homeaccess.com/





Re: Debian owned by the NSA

2014-06-19 Thread Andrea Zwirner
Chapeau Anton, this is the way in which I would be able to answer any question.

Andrea


On Thu, 19 Jun 2014 14:25:17 +0200
an.to_n...@riseup.net wrote:

 Hello everybody!
 
 I think that the linked blog entry of IgnorantGuru is just another
 conspiracy theory.
 In addition, the author really seems to be afraid of being watched by
 them. Just read the paragraph in another post (1), starting with
 "The other event also left an indelible memory". No dates, names or
 details, just the unproven tale of being contacted by strange people.
 So I guess that the claim "Debian Is Owned By The NSA" is wrong; also,
 it was a false quote ...
 
 Anyway, surveillance agencies surely try to put backdoors into
 software (open and closed source) and encryption standards
 (2)(3)(4)(5)(6).
 In 8/2013 and 1/2014 serious discussions took place on this mailing
 list, how adversaries could compromise Debian or at least some
 packages by default (7)(8). To sum up: Yes, they can!
 To my mind it is not necessary to own a whole OS to spy on persons
 of interest (although it would be very practical :-) ... ). The
 surveillants just need a possibility to enter the victim's server, PC,
 tablet or smartphone. Professional players have many such options in
 terms of zero day exploits. They just search themselves or buy them
 with their huge budget (9). The US officially committed to store
 0-days for serious cases (10). /Every/ professional cracker
 organisation, governmental or criminal, does this!
 
 = I am sure that some of the security flaws discussed on this and
 other lists were known to the Chinese / Russians / Americans /
 Europeans and exploited before, to enter Debian systems. You can't do
 much against this. Just think of a Quantum attack with their shadow
 servers on your browser (11).
 So don't use connected computers for really important stuff! And don't
 use browsers outside VMs. I am only a hypocrite, because I do both
 things.
 
 But have a look at the Chinese official OS Kylin (12). Their
 computers are surely monitored by the NSA. In 2002 they started with a
 FreeBSD-based system (13) for governmental use. This year they switch
 to Ubuntu Kylin (14)(15), which is based on Linux+Debian. Now one can
 surely ask for Guoanbu's standard backdoor in Kylin, but that is
 another topic :-).
 
 *= To conclude: A country, which is surely monitored by the NSA, runs
 a Linux/Debian-based operating system.*
 
 I think, there can't be a better advertisement!
 
 Best regards, and stay wiretapped!
 
 Anton
 
 1)
 http://igurublog.wordpress.com/2014/02/17/biography-of-a-cypherpunk-and-how-cryptography-affects-your-life
 2)
 http://www.aftenposten.no/nyheter/uriks/Sources-We-were-pressured-to-weaken-the-mobile-security-in-the-80s-7413285.html
 3) http://www.heise.de/tp/artikel/2/2898/1.html
 4) http://mashable.com/2013/09/11/fbi-microsoft-bitlocker-backdoor
 5) Torvalds was also asked if he had ever been approached by the U.S.
 government to insert a backdoor into Linux. Torvalds responded 'no'
 while nodding his head 'yes', as the audience broke into spontaneous
 laughter.
 http://www.eweek.com/print/developer/linus-torvalds-talks-linux-development-at-linuxcon.html
 6)
 http://securitywatch.pcmag.com/security/319544-what-it-s-like-when-the-fbi-asks-you-to-backdoor-your-software
 7) https://lists.debian.org/debian-security/2013/08/msg0.html
 8) https://lists.debian.org/debian-security/2014/01/msg00021.html
 9)
 http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees
 10)
 http://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities
 11)
 http://www.spiegel.de/fotostrecke/nsa-dokumente-so-uebernimmt-der-geheimdienst-fremde-rechner-fotostrecke-105329.html
 12) https://en.wikipedia.org/wiki/Kylin_%28operating_system%29
 13)
 http://web.archive.org/web/20070729215013/http://2006.eurobsdcon.org/talks-wu.php
 14) http://www.ubuntukylin.com/index.php?lang=en
 15)
 http://www.zdnet.com/china-switches-on-to-ubuntu-in-hunt-for-windows-xp-successor-726355
 
 
 - -- 
 an.to_n-73 at riseup dot net , PGP:
 0B4C DF2C CB22 5DF4 25EA F212 49D1 ABF2 A2A9 7D7D
 Bitmessage: BM-2cTY8fuXGGXmh3fVgfQMaRCqTpgqp479ux
 
 
 
 On 19/06/14 04:36, Niklas Lemcke - 林樂寬 wrote:
  What's the deal with this?
  
  http://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa
 

Re: [SECURITY] [DSA 2954-1] dovecot security update

2014-06-09 Thread Andrea Zwirner
Dovecot 1.2.15 seems to be affected [1]

Will the update be available for squeeze-lts?

Thanks,

Andrea Zwirner



[1] 
http://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe:/a:dovecot:dovecot:1.2.15


On Mon, 09 Jun 2014 18:02:29 +
Salvatore Bonaccorso car...@debian.org wrote:

 - -
 Debian Security Advisory DSA-2954-1   secur...@debian.org
 http://www.debian.org/security/  Salvatore Bonaccorso
 June 09, 2014  http://www.debian.org/security/faq
 - -
 
 Package: dovecot
 CVE ID : CVE-2014-3430
 Debian Bug : 747549
 
 It was discovered that the Dovecot email server is vulnerable to a
 denial of service attack against imap/pop3-login processes due to
 incorrect handling of the closure of inactive SSL/TLS connections.
 
 For the stable distribution (wheezy), this problem has been fixed in
 version 1:2.1.7-7+deb7u1.
 
 For the testing distribution (jessie), this problem has been fixed in
 version 1:2.2.13~rc1-1.
 
 For the unstable distribution (sid), this problem has been fixed in
 version 1:2.2.13~rc1-1.
 
 We recommend that you upgrade your dovecot packages.
 
 Further information about Debian Security Advisories, how to apply
 these updates to your system and frequently asked questions can be
 found at: http://www.debian.org/security/
 
 Mailing list: debian-security-annou...@lists.debian.org

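An added example, not code from the thread or from dpkg, for the check the advisory invites: compare the version dpkg reports for your dovecot packages with the version the DSA names as fixed, using dpkg's own ordering rules. Those rules are: epoch first, then upstream version, then Debian revision; within each part, digit runs compare numerically and a `~` sorts before anything else, even the end of the string, which is what makes 2.2.13~rc1-1 older than 2.2.13-1. The squeeze revision 1:1.2.15-7 used in the last call is an assumption for illustration; it compares lower than wheezy's fix, which says nothing about whether squeeze-lts gets a 1.2.x update of its own. On a Debian system `dpkg --compare-versions` does this natively; the reimplementation below runs anywhere.

```go
package main

import (
	"fmt"
	"strings"
)

// splitVersion breaks "[epoch:]upstream[-revision]" apart as dpkg does: epoch before the first ':', revision after the last '-'.
func splitVersion(v string) (epoch, upstream, revision string) {
	epoch = "0"
	if i := strings.IndexByte(v, ':'); i >= 0 {
		epoch, v = v[:i], v[i+1:]
	}
	if i := strings.LastIndexByte(v, '-'); i >= 0 {
		return epoch, v[:i], v[i+1:]
	}
	return epoch, v, ""
}

// at returns byte k of s, or 0 past the end (C's NUL terminator).
func at(s string, k int) byte {
	if k < len(s) {
		return s[k]
	}
	return 0
}
func isDigit(c byte) bool { return c >= '0' && c <= '9' }

// order is dpkg's weight for a byte in a non-digit run: '~' sorts before
// everything, even the end of the string; letters before other symbols.
func order(c byte) int {
	switch {
	case c == 0 || isDigit(c):
		return 0
	case c == '~':
		return -1
	case (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'):
		return int(c)
	}
	return int(c) + 256
}

// verrevcmp compares one component the way dpkg does: alternately a non-digit run (byte-wise, by order) and a digit run (numerically).
func verrevcmp(a, b string) int {
	i, j := 0, 0
	for i < len(a) || j < len(b) {
		for (at(a, i) != 0 && !isDigit(at(a, i))) || (at(b, j) != 0 && !isDigit(at(b, j))) {
			if d := order(at(a, i)) - order(at(b, j)); d != 0 {
				return d
			}
			i++
			j++
		}
		for at(a, i) == '0' { // leading zeros carry no weight
			i++
		}
		for at(b, j) == '0' {
			j++
		}
		firstDiff := 0
		for isDigit(at(a, i)) && isDigit(at(b, j)) {
			if firstDiff == 0 {
				firstDiff = int(at(a, i)) - int(at(b, j))
			}
			i++
			j++
		}
		if isDigit(at(a, i)) { // a's number has more digits, so it is larger
			return 1
		}
		if isDigit(at(b, j)) {
			return -1
		}
		if firstDiff != 0 {
			return firstDiff
		}
	}
	return 0
}

// Compare returns -1, 0 or 1 for a < b, a == b, a > b.
func Compare(a, b string) int {
	ea, ua, ra := splitVersion(a)
	eb, ub, rb := splitVersion(b)
	for _, p := range [][2]string{{ea, eb}, {ua, ub}, {ra, rb}} {
		if d := verrevcmp(p[0], p[1]); d < 0 {
			return -1
		} else if d > 0 {
			return 1
		}
	}
	return 0
}

// Fixed reports whether installed is at or above the version a DSA names as fixed.
func Fixed(installed, fixed string) bool { return Compare(installed, fixed) >= 0 }

func main() {
	fmt.Println(Compare("1:2.1.7-7", "1:2.1.7-7+deb7u1")) // -1: wheezy before DSA-2954-1
	fmt.Println(Compare("1:2.2.13~rc1-1", "1:2.2.13-1"))  // -1: "~rc1" precedes the release
	fmt.Println(Fixed("1:1.2.15-7", "1:2.1.7-7+deb7u1"))  // false; 1:1.2.15-7 assumed for squeeze
}
```

The epoch is the part people trip over: 1:1.2.15-7 is newer than 2.2.13-1 by dpkg's rules, because the epoch is compared before anything else, so a bare upstream number is never enough to decide whether a package is at the fixed version.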


Re: CVE-2011-1521 - python update for squeeze?

2012-04-23 Thread Andrea Zwirner
I would be glad to make this one my first contribution to Debian; can you 
just point me to the right manuals to do it?


Thanks,

Andrea Zwirner

On 23/04/2012 01:20, Michael Gilbert wrote:

 On Sun, Apr 22, 2012 at 1:13 PM, Arne Wichmann wrote:

  Hi...

  Is there an intention or interest to create a python update which fixes
  CVE-2011-1521 for squeeze?

 From what I'm aware, there is currently no plan for that; although
 anyone interested in the problem can take the initiative to prepare a
 stable-proposed-update.

 Best wishes,
 Mike



--
*Andrea Zwirner*
*email:* and...@linkspirit.org
*cell:* +39 366 1872016

*Linkspirit Sistemi Informatici*
/Applicazioni raffinate della scienza informatica/
Via Delle Industrie 5 - 33050 Ronchis UD
*tel:* +39 0432 1845030 - *fax:* +39 0432 309903
*web:* www.linkspirit.it - *email:* i...@linkspirit.it

*P* Please consider the environment before printing this email



Re: Bug#645881: critical update 29 available

2011-12-02 Thread Andrea Zwirner

On 01/12/2011 21:47, Florian Weimer wrote:

 * Moritz Mühlenhoff:

  Florian, what's the status of openjdk6 for stable/oldstable?

 I've released the pending update for squeeze.  lenny will eventually
 follow, and so will the pending updates for squeeze, but judging by my
 past performance, it will take a while.

 If someone else wants to work on these updates, I'll gladly share what
 I've learnt about the packaging.

I would also be very happy to help, if possible.

I'm not a Debian expert, but I'm quite smart with Linux (I've used 
Slackware and Gentoo until this year) and since I feel sooo comfortable 
with Debian I really would like to delve into the distribution internals 
and, why not, help the security team! :-)


So, if you think I can help you, just let me know how.

Andrea



Re: Grave apache dos possible through byterange requests

2011-08-24 Thread Andrea Zwirner
2011/8/24 Carlos Alberto Lopez Perez clo...@igalia.com

 On 24/08/11 08:53, Dirk Hartmann wrote:
  Hi,
 
  it is possible to DoS a current squeeze apache2 with easy-to-forge
  range-requests:
 
 
 http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html
 
  Apache-devs are working on a solution:
 
  http://www.gossamer-threads.com/lists/apache/dev/401638
 
  But because the situation seems serious I thought I give you a heads up.
 
  Running this script against a squeeze machine with 8 cores and 24GB RAM
  you only need 200 threads to kick it out of memory.
 
  Cheers
  Dirk
 

 You can use the following redirect as a temporary workaround:

 # a2enmod rewrite

 RewriteEngine On
 RewriteCond %{HTTP:Range} bytes=0-.* [NC]
 RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]


I'm not an Apache expert; could you please explain in broad terms what
the workaround does?

Thanks a lot,

   Andrea



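An added example, not from the thread or from Apache, that answers the question above in running form. Two assumptions: Apache's RewriteCond matches its pattern as an unanchored, case-insensitive regular expression (that is what the missing anchors and the [NC] flag mean), and the header sent by the script linked earlier is taken to be of the shape bytes=0-,5-0,5-1,... (constructed here, not copied from it). The rule then fires on any Range value containing the substring bytes=0- and answers with a 302 to the site root instead of serving the ranges, so Apache never reaches the code that processes them. The example also shows the two edges a practitioner should know: a legitimate client resuming a download from byte 0 is redirected as well, and a flood whose specs do not include 0- passes the regex untouched; counting the specs and rejecting repeats and overlaps catches both. The cap of 32 specs is an assumed figure.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// The RewriteCond pattern from the thread; Apache's [NC] becomes Go's (?i).
// Like RewriteCond, it is an unanchored search anywhere in the header value.
var workaroundCond = regexp.MustCompile(`(?i)bytes=0-.*`)

// WorkaroundRedirects reports whether the posted rule fires (302 to /).
func WorkaroundRedirects(rangeHeader string) bool {
	return workaroundCond.MatchString(rangeHeader)
}

// byteRange is one range-spec; start == -1 is a suffix range ("-500") and
// end == -1 means "to end of file" ("500-").
type byteRange struct{ start, end int64 }

// ParseRange splits "bytes=a-b,c-,-d" into specs, checking only the syntax.
func ParseRange(v string) ([]byteRange, error) {
	v = strings.TrimSpace(v)
	if !strings.HasPrefix(strings.ToLower(v), "bytes=") {
		return nil, fmt.Errorf("unsupported range unit in %q", v)
	}
	var specs []byteRange
	for _, part := range strings.Split(v[len("bytes="):], ",") {
		part = strings.TrimSpace(part)
		dash := strings.IndexByte(part, '-')
		if dash < 0 {
			return nil, fmt.Errorf("malformed range-spec %q", part)
		}
		r, err := byteRange{start: -1, end: -1}, error(nil)
		if s := part[:dash]; s != "" {
			if r.start, err = strconv.ParseInt(s, 10, 64); err != nil {
				return nil, fmt.Errorf("bad start in %q", part)
			}
		}
		if e := part[dash+1:]; e != "" {
			if r.end, err = strconv.ParseInt(e, 10, 64); err != nil || r.end < 0 {
				return nil, fmt.Errorf("bad end in %q", part)
			}
		}
		if r.start < 0 && r.end < 0 {
			return nil, fmt.Errorf("empty range-spec %q", part)
		}
		specs = append(specs, r)
	}
	return specs, nil
}

// overlaps reports whether two absolute ranges share a byte; suffix ranges need the file size and are skipped.
func overlaps(a, b byteRange) bool {
	if a.start < 0 || b.start < 0 {
		return false
	}
	return (b.end < 0 || a.start <= b.end) && (a.end < 0 || b.start <= a.end)
}

// maxRanges is an assumed cap for the example; real clients need far fewer.
const maxRanges = 32

// LooksAbusive is the check a front end could apply instead of the regex:
// too many specs, or specs that repeat or overlap, mark the request.
func LooksAbusive(v string) (bool, string) {
	specs, err := ParseRange(v)
	if err != nil {
		return true, err.Error()
	}
	if len(specs) > maxRanges {
		return true, fmt.Sprintf("%d range-specs (limit %d)", len(specs), maxRanges)
	}
	for i := range specs {
		for j := i + 1; j < len(specs); j++ {
			if specs[i] == specs[j] || overlaps(specs[i], specs[j]) {
				return true, "repeated or overlapping range-specs"
			}
		}
	}
	return false, ""
}

// AttackHeader builds a constructed header in the shape the circulated script
// is assumed to have sent, "bytes=0-,5-0,5-1,...,5-(n-1)"; with leading0 false
// the "0-" spec is dropped so the substring "bytes=0-" never appears.
func AttackHeader(n int, leading0 bool) string {
	var parts []string
	if leading0 {
		parts = append(parts, "0-")
	}
	for i := 0; i < n; i++ {
		parts = append(parts, "5-"+strconv.Itoa(i))
	}
	return "bytes=" + strings.Join(parts, ",")
}

func main() {
	for _, h := range []string{AttackHeader(1300, true), "bytes=0-", AttackHeader(1300, false)} {
		abusive, why := LooksAbusive(h)
		fmt.Printf("redirect=%-5t abusive=%-5t %s\n", WorkaroundRedirects(h), abusive, why)
	}
}
```

The printed table makes the trade-off visible: the regex catches the flood only because the constructed header happens to start with 0-, it also catches the harmless `Range: bytes=0-`, and it misses the same flood with that one spec removed, while the spec count and overlap test react to the request's actual shape.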