Re: about bash and Debian Lenny
Paul Wise p...@debian.org wrote:
> On Thu, Oct 2, 2014 at 1:37 AM, Jann Horn wrote:
> > You're doing this the wrong way - as others have already said, upgrade your server to a supported release.
>
> Based on our off-list discussions, Nikolay has valid reasons for not upgrading.

Oh dear! Pabs, now you've made the whole list burst with curiosity!

Bye,
A.

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20141002095810.515e684e76b4578fb26b0...@linkspirit.org
Re: concrete steps for improving apt downloading security and privacy
On 07/07/2014 13:09, Joel Rees wrote:

Sorry Joel, I almost totally disagree with your vision on privacy and security, but I really don't want to go into the merits of it, because I think Lou is already representing my vision; I only have a question:

> Did you know that encrypting a picture sometimes results in a picture that looks like it has been through a random color-permuting filter?

Can you prove it? Or maybe you can tell the list what the attached image - which is encrypted with Moritz Muehlenhoff's and Florian Weimer's public keys - represents?

Cheers (and thanks Mr. Moritz and Mr. Florian - who were the only ones I had in my keyring - for accepting to be the judges of the challenge). :-)

Andrea Zwirner

[Attachment: image.jpg.gpg (binary data)]
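The "random color-permuting filter" effect that Joel describes is what a block cipher in ECB mode produces: every identical plaintext block becomes the same ciphertext block, so the outline of the picture survives with its colours replaced. A chained or counter mode hides it. The following is an added example, not part of the list thread and not code from any of the posters: it encrypts a small constructed bitmap in ECB and in CTR mode and counts how much structure survives. Only the encrypting direction of the cipher is exercised, so HMAC-SHA256 keyed and truncated to 16 bytes stands in for the block-cipher permutation; that stand-in, the key, the nonce and the image are assumptions made for the example. OpenPGP (the format of the attached image.jpg.gpg) uses a CFB-style chained mode, not ECB, so the ECB behaviour shown here does not apply to it.

```python
"""ECB versus CTR on a constructed bitmap: which mode leaks the picture."""
import hashlib
import hmac
from typing import List, Tuple

BLOCK = 16                      # block size in bytes
KEY = b"constructed-demo-key"   # constructed for the example, not a real key
NONCE = b"\x00" * 8             # 8-byte CTR nonce; an 8-byte counter fills the rest


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_k(block): keyed PRF, 16 bytes in, 16 bytes out.
    Not AES; it is only the encrypting direction that ECB and CTR need."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly %d bytes" % BLOCK)
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def make_image(width: int = 32, height: int = 32) -> bytes:
    """Constructed 1-byte-per-pixel bitmap: a filled square on a flat background."""
    rows = []
    for y in range(height):
        row = bytearray(width)                      # zero-filled background
        if height // 4 <= y < 3 * height // 4:
            for x in range(width // 4, 3 * width // 4):
                row[x] = 0xFF                       # the square
        rows.append(bytes(row))
    return b"".join(rows)


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: each block is encrypted on its own, so equal plaintext blocks
    give equal ciphertext blocks. Input length must be a multiple of BLOCK."""
    return b"".join(block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: XOR with a keystream derived from (nonce, block index), so two
    equal plaintext blocks at different positions get different keystream."""
    out = bytearray()
    for n, i in enumerate(range(0, len(data), BLOCK)):
        keystream = block_encrypt(key, nonce + n.to_bytes(8, "big"))
        out += bytes(p ^ k for p, k in zip(data[i:i + BLOCK], keystream))
    return bytes(out)


def distinct_blocks(data: bytes) -> int:
    """Number of different 16-byte blocks in the data."""
    return len({data[i:i + BLOCK] for i in range(0, len(data), BLOCK)})


def silhouette(data: bytes, width: int = 32) -> List[Tuple[int, ...]]:
    """Render the data as rows of block 'colours': each distinct block gets the
    next palette index in order of first appearance. The pixel values are
    gone, but if identical blocks still line up, the shape is visible with
    its colours permuted, which is exactly the ECB leak."""
    palette = {}
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    indices = [palette.setdefault(b, len(palette)) for b in blocks]
    per_row = width // BLOCK
    return [tuple(indices[r:r + per_row]) for r in range(0, len(indices), per_row)]


if __name__ == "__main__":
    image = make_image()
    for name, ct in (("plaintext", image),
                     ("ECB", ecb_encrypt(KEY, image)),
                     ("CTR", ctr_encrypt(KEY, NONCE, image))):
        print("%-9s distinct blocks: %2d" % (name, distinct_blocks(ct)))
        for row in silhouette(ct):
            print("   ", "".join(str(c % 10) for c in row))
```

With the 32x32 image there are only three distinct plaintext blocks (background, left edge of the square, right edge of the square); under ECB there are still three, and the silhouette is identical to the plaintext's, while under CTR all 64 blocks differ and the shape is gone.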
Re: Please remove me from this list
Hint: http://www.list-unsubscribe.com/

On Wed, 25 Jun 2014 11:23:47 -0500 Ed Blonski eblon...@homeaccess.com wrote:
> Please remove me from this list
>
> Ed Blonski
> Manager, Technology Security and Compliance Initiatives
> Privacy, Security Compliance Officer
> 2401 W. Hassell Road, Suite 1510 | Hoffman Estates, IL 60169 | Tel: 847-310-6034
> http://www.homeaccess.com

Archive: https://lists.debian.org/20140625195009.ce9f17c6dd3bba76828ae...@linkspirit.org
Re: Debian owned by the NSA
Chapeau Anton, this is the way in which I would be able to answer any question.

Andrea

On Thu, 19 Jun 2014 14:25:17 +0200 an.to_n...@riseup.net wrote:
> Hello everybody!
>
> I think that the linked blog entry of IgnorantGuru is just another conspiracy theory. In addition, the author really seems to be afraid of being watched by them. Just read the paragraph in another post (1), starting with "The other event also left an indelible memory". No dates, names or details, just the unproven tale of being contacted by strange people. So I guess that the claim "Debian Is Owned By The NSA" is wrong; also, it was a false quote ...
>
> Anyway, surveillance agencies surely try to put backdoors into software (open and closed source) and encryption standards (2)(3)(4)(5)(6). In 8/2013 and 1/2014 serious discussions took place on this mailing list about how adversaries could compromise Debian or at least some packages by default (7)(8). To sum up: Yes, they can!
>
> To my mind it is not necessary to own a whole OS to spy on persons of interest (although it would be very practical :-) ...). The surveillants just need a possibility to enter the victim's server, PC, tablet or smartphone. Professional players have many such options in terms of zero-day exploits. They just search themselves or buy them with their huge budget (9). The US officially committed to storing 0-days for serious cases (10). /Every/ professional cracker organisation, governmental or criminal, does this!
>
> => I am sure that some of the security flaws discussed on this and other lists were known to the Chinese / Russians / Americans / Europeans and exploited before, to enter Debian systems. You can't do much against this. Just think of a Quantum attack with their shadow servers on your browser (11). So don't use connected computers for really important stuff! And don't use browsers outside VMs. I am only a hypocrite, because I do both things.
>
> But have a look at the Chinese official OS Kylin (12). Their computers are surely monitored by the NSA. In 2002 they started with a FreeBSD-based system (13) for governmental use. This year they switch to Ubuntu Kylin (14)(15), which is based on Linux+Debian. Now one can surely ask for Guoanbu's standard backdoor in Kylin, but that is another topic :-).
>
> *=> To conclude: A country which is surely monitored by the NSA runs a Linux/Debian-based operating system.* I think there can't be a better advertisement!
>
> Best regards, and stay wiretapped!
> Anton
>
> 1) http://igurublog.wordpress.com/2014/02/17/biography-of-a-cypherpunk-and-how-cryptography-affects-your-life
> 2) http://www.aftenposten.no/nyheter/uriks/Sources-We-were-pressured-to-weaken-the-mobile-security-in-the-80s-7413285.html
> 3) http://www.heise.de/tp/artikel/2/2898/1.html
> 4) http://mashable.com/2013/09/11/fbi-microsoft-bitlocker-backdoor
> 5) "Torvalds was also asked if he had ever been approached by the U.S. government to insert a backdoor into Linux. Torvalds responded 'no' while nodding his head 'yes', as the audience broke into spontaneous laughter." http://www.eweek.com/print/developer/linus-torvalds-talks-linux-development-at-linuxcon.html
> 6) http://securitywatch.pcmag.com/security/319544-what-it-s-like-when-the-fbi-asks-you-to-backdoor-your-software
> 7) https://lists.debian.org/debian-security/2013/08/msg0.html
> 8) https://lists.debian.org/debian-security/2014/01/msg00021.html
> 9) http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees
> 10) http://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities
> 11) http://www.spiegel.de/fotostrecke/nsa-dokumente-so-uebernimmt-der-geheimdienst-fremde-rechner-fotostrecke-105329.html
> 12) https://en.wikipedia.org/wiki/Kylin_%28operating_system%29
> 13) http://web.archive.org/web/20070729215013/http://2006.eurobsdcon.org/talks-wu.php
> 14) http://www.ubuntukylin.com/index.php?lang=en
> 15) http://www.zdnet.com/china-switches-on-to-ubuntu-in-hunt-for-windows-xp-successor-726355
>
> --
> an.to_n-73 at riseup dot net, PGP: 0B4C DF2C CB22 5DF4 25EA F212 49D1 ABF2 A2A9 7D7D
> Bitmessage: BM-2cTY8fuXGGXmh3fVgfQMaRCqTpgqp479ux
>
> On 19/06/14 04:36, Niklas Lemcke - 林樂寬 wrote:
> > What's the deal with this? http://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa
Re: [SECURITY] [DSA 2954-1] dovecot security update
Dovecot 1.2.15 seems to be affected [1]. Will the update be available for squeeze-lts?

Thanks,
Andrea Zwirner

[1] http://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe:/a:dovecot:dovecot:1.2.15

On Mon, 09 Jun 2014 18:02:29 +0000 Salvatore Bonaccorso car...@debian.org wrote:
> Debian Security Advisory DSA-2954-1                   secur...@debian.org
> http://www.debian.org/security/                       Salvatore Bonaccorso
> June 09, 2014                                         http://www.debian.org/security/faq
>
> Package    : dovecot
> CVE ID     : CVE-2014-3430
> Debian Bug : 747549
>
> It was discovered that the Dovecot email server is vulnerable to a denial of service attack against imap/pop3-login processes due to incorrect handling of the closure of inactive SSL/TLS connections.
>
> For the stable distribution (wheezy), this problem has been fixed in version 1:2.1.7-7+deb7u1.
>
> For the testing distribution (jessie), this problem has been fixed in version 1:2.2.13~rc1-1.
>
> For the unstable distribution (sid), this problem has been fixed in version 1:2.2.13~rc1-1.
>
> We recommend that you upgrade your dovecot packages.
>
> Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org
>
> Archive: https://lists.debian.org/e1wu3tt-0002f6...@master.debian.org

Archive: https://lists.debian.org/20140609223005.a20c306b607666d6a82a7...@linkspirit.org
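The advisory names a fixed version per suite, and the practical question for an administrator is whether the installed package sorts at or above it, which is not plain string comparison in Debian's scheme (epochs, the "~" that sorts before everything, digit runs compared numerically). The following is an added example, not part of the thread and not Debian's own tooling: a Python port of dpkg's version-ordering rules (Debian Policy 5.6.12) applied to the fixed versions quoted in DSA-2954-1. The installed versions in the tests are constructed; the suite table only contains what the advisory lists, so squeeze, which Andrea asks about, is deliberately absent.

```python
"""Debian version ordering, used to check a DSA's "fixed in" versions."""
from typing import Tuple


def _order(s: str, i: int) -> int:
    """Sort weight of s[i] inside a non-digit run, dpkg style:
    '~' sorts before the end of the string, which sorts before letters,
    which sort before every other character. Digits and end-of-string
    both weigh 0 so that the alternating runs stay aligned."""
    if i >= len(s) or s[i].isdigit():
        return 0
    c = s[i]
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare an upstream-version or revision string the dpkg way:
    alternate non-digit runs (lexical, weights above) and digit runs
    (numeric, leading zeros ignored). Returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a, i), _order(b, j)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: drop leading zeros, compare left-aligned, longer run wins
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-")
    if not upstream:                 # no '-' at all: the whole string is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """<0 if a is older than b, 0 if equal, >0 if newer (like dpkg --compare-versions)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    if r:
        return r
    return _verrevcmp(ra, rb)


# Fixed versions exactly as named in DSA-2954-1.
DSA_2954_FIXED = {
    "wheezy": "1:2.1.7-7+deb7u1",
    "jessie": "1:2.2.13~rc1-1",
    "sid": "1:2.2.13~rc1-1",
}


def is_fixed(installed: str, suite: str) -> bool:
    """True if `installed` is at or above the suite's fixed version.
    For a suite the advisory does not mention (squeeze, for instance) there
    is no fixed version to compare against, so the answer is False."""
    fixed = DSA_2954_FIXED.get(suite)
    if fixed is None:
        return False
    return compare_versions(installed, fixed) >= 0
```

On a live system the installed version comes from `dpkg-query -W -f='${Version}' dovecot-core`; the point of the port is the "~" rule and the epoch, which a naive string comparison gets wrong in both directions (1:2.2.13~rc1-1 is older than 1:2.2.13-1, and 2.1.7-7 without epoch is older than any 1:... version).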
Re: CVE-2011-1521 - python update for squeeze?
I would be glad to make this one my first contribution to Debian; can you just route me to the right manuals to do it?

Thanks,
Andrea Zwirner

On 23/04/2012 01:20, Michael Gilbert wrote:
> On Sun, Apr 22, 2012 at 1:13 PM, Arne Wichmann wrote:
> > Hi... Is there an intention or interest to create a python update which fixes CVE-2011-1521 for squeeze?
>
> From what I'm aware, there is currently no plan for that; although anyone interested in the problem can take the initiative to prepare a stable-proposed-update.
>
> Best wishes,
> Mike

--
Andrea Zwirner
email: and...@linkspirit.org
cell: +39 366 1872016
Linkspirit Sistemi Informatici
Refined applications of computer science
Via Delle Industrie 5 - 33050 Ronchis UD
tel: +39 0432 1845030 - fax: +39 0432 309903
web: www.linkspirit.it - email: i...@linkspirit.it
Please consider the environment before printing this email
Re: Bug#645881: critical update 29 available
On 01/12/2011 21:47, Florian Weimer wrote:
> * Moritz Mühlenhoff:
> > Florian, what's the status of openjdk6 for stable/oldstable?
>
> I've released the pending update for squeeze. lenny will eventually follow, and so will the pending updates for squeeze, but judging by my past performance, it will take a while. If someone else wants to work on these updates, I'll gladly share what I've learnt about the packaging.

I would also be very happy to help, if possible. I'm not a Debian expert, but I'm quite smart with Linux (I used Slackware and Gentoo until this year), and since I feel so comfortable with Debian I really would like to delve into the distribution internals and, why not, help the security team! :-)

So, if you think I can help you, just let me know how.

Andrea
Re: Grave apache dos possible through byterange requests
2011/8/24 Carlos Alberto Lopez Perez clo...@igalia.com:
> On 24/08/11 08:53, Dirk Hartmann wrote:
> > Hi,
> > it is possible to DoS a current squeeze apache2 with easy-to-forge range requests:
> > http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html
> > Apache devs are working on a solution: http://www.gossamer-threads.com/lists/apache/dev/401638
> > But because the situation seems serious I thought I'd give you a heads up. Running this script against a squeeze machine with 8 cores and 24 GB RAM you only need 200 threads to kick it out of memory.
> > Cheers
> > Dirk
>
> You can use the following redirect as a temporary workaround:
>
>     # a2enmod rewrite
>
>     RewriteEngine On
>     RewriteCond %{HTTP:Range} bytes=0-.* [NC]
>     RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]

I'm not an Apache expert; could you please explain in broad terms what the workaround does?

Thanks a lot,
Andrea
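What the posted rule does, mechanically: the RewriteCond runs a case-insensitive, unanchored regex search for `bytes=0-` over the request's Range header, and any request that matches is answered with a 302 to the site root instead of being served, so the many-range request never reaches the byterange filter. The following is an added example, not from the thread and not Apache code: it applies that exact pattern to constructed Range headers and puts a stricter range-counting check beside it, to make both the collateral damage (a legitimate `bytes=0-499` resume is redirected too) and the gap (a many-range header that does not start at offset 0 is not matched) visible. The exploit-style header is constructed in the shape of a many-range request; the limit of five ranges is an assumption for the example, not an Apache setting.

```python
"""Evaluate the posted mod_rewrite workaround against sample Range headers."""
import re
from typing import List, Optional, Tuple

# RewriteCond %{HTTP:Range} bytes=0-.* [NC]
# mod_rewrite conditions are regex searches (unanchored); [NC] makes them case-insensitive.
WORKAROUND_PATTERN = re.compile(r"bytes=0-.*", re.IGNORECASE)

# one byte-range-spec: "first-last", "first-" or "-suffix"
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def workaround_redirects(range_header: Optional[str]) -> bool:
    """True when the posted RewriteCond would fire and the request be redirected."""
    if range_header is None:
        return False
    return WORKAROUND_PATTERN.search(range_header) is not None


def parse_ranges(range_header: Optional[str]) -> Optional[List[Tuple[Optional[int], Optional[int]]]]:
    """Split 'bytes=a-b,c-d,...' into (start, end) tuples; None marks an open end.
    Returns None when the header is not a syntactically valid byte-range set,
    and [] when there is no Range header at all."""
    if range_header is None:
        return []
    unit, sep, spec = range_header.partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        return None
    ranges = []
    for part in spec.split(","):
        m = _RANGE_SPEC.match(part.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        ranges.append((start, end))
    return ranges


def too_many_ranges(range_header: Optional[str], limit: int = 5) -> bool:
    """Stricter check (assumed limit): reject a request that carries more than
    `limit` ranges, or a malformed Range header, wherever the first range starts."""
    ranges = parse_ranges(range_header)
    if ranges is None:
        return True
    return len(ranges) > limit


# Constructed sample headers (values only, without the "Range:" field name).
EXPLOIT_STYLE = "bytes=0-" + "".join(",5-%d" % k for k in range(1300))   # 1301 ranges
SHIFTED_ATTACK = "bytes=5-" + "".join(",5-%d" % k for k in range(1300))  # same, not from 0
RESUME_DOWNLOAD = "bytes=0-499"                                          # legitimate
TAIL_REQUEST = "bytes=500-999"                                           # legitimate


def classify(range_header: Optional[str]) -> Tuple[bool, bool]:
    """(redirected by the posted workaround, rejected by the range-count check)."""
    return workaround_redirects(range_header), too_many_ranges(range_header)


if __name__ == "__main__":
    for name, hdr in (("exploit-style", EXPLOIT_STYLE), ("shifted attack", SHIFTED_ATTACK),
                      ("resume download", RESUME_DOWNLOAD), ("tail request", TAIL_REQUEST)):
        redirected, rejected = classify(hdr)
        print("%-16s workaround redirects: %-5s  range-count rejects: %s"
              % (name, redirected, rejected))
```

The posted rule is a stop-gap that keys on one feature of the published request shape; a check that counts ranges (or limits overlap) is what a longer-term mitigation would look like, and it does not break single-range resumes.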