Lee,

Is the certificate for the entire server or just one site?

Bill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, August 17, 2002 12:00 PM
To: [EMAIL PROTECTED]
Subject: cobalt-security digest, Vol 1 #882 - 10 msgs

Today's Topics:

   1. Re: OT: SSL Certs (Up The Blues)
   2. RE: OT: SSL Certs (Bradley Caricofe)
   3. RE: OT: SSL Certs (craig)
   4. RE: OT: SSL Certs (njd76)
   5. Re: Security Hardening Update 2.0.1 MAJOR FLAW!!!!!! ACTION REQUIRED! (Zeffie)
   6. Re: Security Hardening Update 2.0.1 MAJOR FLAW!!!!!! ACTION REQUIRED! (Zeffie)
   7. Re: Security Hardening Update 2.0.1 MAJOR FLAW!!!!!! ACTION REQUIRED! (Mailing Lists)
   8. Re: Security Hardening Update 2.0.1 MAJOR FLAW!!!!!! ACTION REQUIRED! (Zeffie)
   9. Re: Security Hardening Update 2.0.1 MAJOR FLAW!!!!!! ACTION REQUIRED! (Michael Stauber)

--__--__--

Message: 1
From: "Up The Blues" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Re: [cobalt-security] OT: SSL Certs
Date: Fri, 16 Aug 2002 20:11:44 +0100
Reply-To: [EMAIL PROTECTED]

Try Geotrust. Cheap and works well.

regards
Lee

----- Original Message -----
From: "Chris Burchell" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 16, 2002 3:55 PM
Subject: [cobalt-security] OT: SSL Certs

> I'm looking for an inexpensive option for obtaining an SSL certificate.
>
> So far, I see:
>
> Thawte - 1 year: $200
> VeriSign - 1 year: $400
> IPSCA - 2 years: $69
>
> I'm inclined to go with a name like Thawte, but has anyone had experience
> with certs from IPSCA?
>
> Are there any other relatively inexpensive places to buy SSL certs?
>
> Regards,
> Chris

--__--__--

Message: 2
Date: Fri, 16 Aug 2002 16:59:03 -0400
From: Bradley Caricofe <[EMAIL PROTECTED]>
Subject: RE: [cobalt-security] OT: SSL Certs
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

> I'm looking for an inexpensive option for obtaining an SSL certificate.
>
> So far, I see:
>
> Thawte - 1 year: $200
> VeriSign - 1 year: $400
> IPSCA - 2 years: $69

I've tried a couple from RackShack.net for $50 and they work great.

-Brad

--__--__--

Message: 3
Date: Sat, 17 Aug 2002 09:27:24 +1200 (NZST)
From: craig <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: RE: [cobalt-security] OT: SSL Certs
Reply-To: [EMAIL PROTECTED]

> > I'm looking for an inexpensive option for obtaining an SSL certificate.
> >
> > So far, I see:
> >
> > Thawte - 1 year: $200
> > VeriSign - 1 year: $400
> > IPSCA - 2 years: $69
>
> I've tried a couple from RackShack.net for $50 and they work great.

There is also instantssl.com and freessl.com. Most of the cheaper ones only
work with IE 5.01x and above and NE 4.7 and above.

--__--__--

Message: 4
From: "njd76" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: RE: [cobalt-security] OT: SSL Certs
Date: Fri, 16 Aug 2002 17:51:48 -0400
Reply-To: [EMAIL PROTECTED]

Great site I found that compares them all for you: www.whichssl.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of craig
Sent: Friday, August 16, 2002 5:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [cobalt-security] OT: SSL Certs

> There is also instantssl.com and freessl.com. Most of the cheaper ones only
> work with IE 5.01x and above and NE 4.7 and above.

--__--__--

Message: 5
From: "Zeffie" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Re: [cobalt-security] Security Hardening Update 2.0.1 MAJOR FLAW!!!!!! ACTION REQUIRED!
Date: Sat, 17 Aug 2002 03:17:47 -0400
Reply-To: [EMAIL PROTECTED]

> Like the man says, just disable logging/emails
>
> I am sure it will just be a remotely exploitable filelimit / email ddos,
>
> Each scan will result in an admin email, do enough scans from enough
> simulated hosts in such a short period, and the box will die due to
> number of concurrent open emails / drain on resources sending them..

you are incorrect sir...

> I could be wrong tho.. :)

you are :)

Zeffie
http://www.zeffie.com/

--__--__--

Message: 6
From: "Zeffie" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Re: [cobalt-security] Security Hardening Update 2.0.1 MAJOR FLAW!!!!!! ACTION REQUIRED!
Date: Sat, 17 Aug 2002 05:15:49 -0400
Reply-To: [EMAIL PROTECTED]

> > The recent RaQ4-en-Security-2.0.1-SHP.pkg allows a remote attacker to
> > cause system crashes. To avoid this I suggest you disable the Scan
> > Detection in Parameters by selecting "do nothing". Else you might not be
> > happy...
> >
> > I have written a small script that can reproduce the problem consistently.
> >
> > I don't seem to be able to find any way to contact Sun cobalt about this.
> > what to do? maybe a whitepaper advert??
> >
> > Sun Cobalt Please Call or contact me
>
> Email Shaun White ([EMAIL PROTECTED]) - he's in charge of security
> stuff, and runs cobalt-security list as well...
>
> Bruce Timberlake
> Cobalt/Linux Technology Engineer
> Communications Market Area
> Sun Microsystems, Inc. - San Diego

done. I have asked Shaun to let me know that he has received it.

Zeffie
http://www.zeffie.com/

--__--__--

Message: 7
Date: Sat, 17 Aug 2002 07:38:30 -0500
Subject: Re: [cobalt-security] Security Hardening Update 2.0.1 MAJOR FLAW!!!!!! ACTION REQUIRED!
From: Mailing Lists <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]

on 8/17/02 2:17 AM, Zeffie stated:

>> Like the man says, just disable logging/emails
>>
>> I am sure it will just be a remotely exploitable filelimit / email ddos,
>>
>> Each scan will result in an admin email, do enough scans from enough
>> simulated hosts in such a short period, and the box will die due to
>> number of concurrent open emails / drain on resources sending them..
>
> you are incorrect sir...
>
>> I could be wrong tho.. :)
>
> you are :)
>
> Zeffie
> http://www.zeffie.com/

What is the issue with SHP installed on the Raq4's???

Dave

--__--__--

Message: 8
From: "Zeffie" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Re: [cobalt-security] Security Hardening Update 2.0.1 MAJOR FLAW!!!!!! ACTION REQUIRED!
Date: Sat, 17 Aug 2002 13:06:16 -0400
Reply-To: [EMAIL PROTECTED]

> > Well, theoretically it is not impossible to save all replaced files in a
> > safe place (== directory unique to this package), together with
> > checksums of _replacing_ files. Then the uninstaller could restore the
> > files from backup, and do it only if they were not replaced by yet
>
> The underlying OS on the Cobalt's is an RPM based Linux distribution. You
> install and uninstall RPM packages at leisure - as often as you want.
>
> Ok, let's say we install the package Neomail-1.20-1.PKG which contains the
> file neomail-1.2.5-1.noarch.rpm. When you install a PKG file (which contains
> one or more RPMs), then the RPMs are deleted after installation as they are
> no longer needed. That's a standard procedure of the PKG installation.
> With "rpm -ql neomail-1.2.5-1" you can query which files it brought aboard and
> where they are on the system. However, you cannot (reasonably) recreate
> neomail-1.2.5-1.noarch.rpm and tuck it away as backup. The PKG file with
> which we installed it is gone and also the RPM which it contained has been
> erased automatically after or during the installation.

Actually you could... and in some cases it's good to back up your configs
depending on who and how the rpms were built.

> Let's spin this thought further

Oh my head!

> Now we install a newer PKG file of the same software: Neomail-1.20-2.PKG
> It contains neomail-1.2.5-2.noarch.rpm and upon installation it replaces
> files which the older neomail-1.2.5-1.noarch.rpm brought aboard.
>
> Let's assume we don't like the new Neomail and want to go back to the old one.
> But even if we backed up all files of the old neomail-1.2.5-1.noarch.rpm and
> copy 'em back to where they belong: The RPM database still will claim that
> the newer RPM neomail-1.2.5-1.noarch.rpm is installed.

that's because we don't do things like that. We would just reinstall the old
rpm. If for some reason we can't move forward. which doesn't happen often
because of the ways we build things. (me anyway)

> So although the original functionality could be restored by a smart and
> automated uninstaller, it wouldn't restore the server to the same exact
> condition, as the RPM database still claims otherwise. Unfortunately the RPM
> database is usually the authority which an installer queries to find out whether
> it's OK to go ahead with an installation or not.
>
> For unimportant stuff like Nemail this is of no consequence, but for critical
> stuff like Apache, Sendmail, Qpopper, IMAP and so on it's a different story.

there is no difference. you should still manage all files on a system.

> The resolution would be:
> If an installer replaced an existing (older) RPM, then a proper and complete
> uninstall has to reinstall the old RPM which previously was aboard. But where
> do you get it from when RPMs are always deleted after PKG installation?

well that's what we have ftp sites for. :) Granted that Sun.Cobalt does not
have a location where we can get current rpms and srpms. grrrrrr ak

> It could be remotely downloaded from the internet and then installed.
> ftp.cobalt.com contains the RPMs which a stock and unpatched RaQ usually has
> aboard. That would be one possibility in cases where third party software
> installs RPMs which replace system services. Or an uninstaller could download
> and (partially or completely) re-install the official Sun Cobalt PKG which
> contains the replaced RPM file in such a case.

not really because there are scripts inside of rpms and like a program there
is an order to these things..

<snip>

> FWIW: Windows 2000 Service Pack 3 can't be uninstalled either. ;o)
>
> Michael Stauber
> Unix/Linux Support Engineer

Ok I'm starting to see the problem. But I knew it the first time I saw your
work. :) This is not windows. Things work much different here.. In the
development of rpms we have the ability to verify how things are building
through simple testing before installing on production machines and then we
are installing the same exact thing. We don't do ./configure make make
install all over. There is rarely a need at all to uninstall things...
Unlike MS we build things correctly and maintain various versions. Which
sometimes can make it into production... but only after development on devel
boxes. There are reasons for all this rpm fun.

Zeffie
http://www.zeffie.com/
"Windows 2000 Support Engineer" (not)

--__--__--

Message: 9
From: Michael Stauber <[EMAIL PROTECTED]>
Organization: SOLARSPEED.NET
To: [EMAIL PROTECTED]
Subject: Re: [cobalt-security] Security Hardening Update 2.0.1 MAJOR FLAW!!!!!! ACTION REQUIRED!
Date: Sat, 17 Aug 2002 19:35:51 +0200
Reply-To: [EMAIL PROTECTED]

Hi Zeffie,

> that's because we don't do things like that. We would just reinstall the
> old rpm.

EXACTLY. ;o) That's how you do it properly. That's how you and I and a few
others would do it. The whole point I was trying to make with my previous
message was about that. You can't reasonably put that much logic in an
installer that it in all cases allows you to go back all the way if something
fails. In some cases you can do it, but not in all.

> If for some reason we can't move forward. which doesn't happen
> often because of the ways we build things. (me anyway)

Same here.

> Granted that Sun.Cobalt does not have a location where we can get current
> rpms and srpms. grrrrrr

Yeah, I also agree that this would make life a whole deal easier if it were
otherwise. :o(

> > Or an uninstaller could download
> > and (partially or completely) re-install the official Sun Cobalt PKG which
> > contains the replaced RPM file in such a case.
>
> not really because there are scripts inside of rpms and like a program
> there is an order to these things..

If you'd do an uninstaller that way, then you'd have to take that into
account, of course. But in most cases the scripts in the RPM are very well
needed, so that's not a problem. If it is, then there is always the
--noscripts parameter of the RPM command.

> > FWIW: Windows 2000 Service Pack 3 can't be uninstalled either. ;o)
>
> Ok I'm starting to see the problem. But I knew it the first time I saw
> your work. :) This is not windows.

You don't know anything about me, dear colleague. I'm a Linux man through and
through. The only thing I use Windows for is for accounting and for web- and
image design.

> In the development of rpms we have the ability to verify how things are
> building through simple testing before installing on production machines and
> then we are installing the same exact thing.

You're preaching to the choir, so please turn around if you want to continue
your lecture. ;o) I was using that analogy just to show that even in the
Windows world (which so many others are used to) a clean uninstall is
sometimes not possible. "Clean" and Windows are contradicting terms anyway
<shrug>.

> There are reasons for all this rpm fun.

I wouldn't exactly call it fun, especially not after porting 20 RPMs from the
Qube3 to the RaQ550, which is what I did the last two days.

--
With best regards,

Michael Stauber
[EMAIL PROTECTED]
Unix/Linux Support Engineer

--__--__--

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security

End of cobalt-security Digest
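Added example, not part of the thread: Michael's point is that copying old files back by hand leaves the disk disagreeing with the RPM database, and the database is what installers trust, so a periodic "rpm -Va" is how a RaQ admin would spot that drift. The POSIX shell check below reads verify output and reports the entries worth a look; it assumes rpm's verify-line layout (flag columns S M 5 D L U G T, an optional "c" config marker, "missing" for absent files) and uses a constructed sample rather than a real box's output.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed input layout, from rpm's own
# verify output: a flag string whose columns are S M 5 D L U G T (size, mode,
# MD5, device, link, user, group, mtime), an optional attribute letter such
# as "c" for config files, then the path. Absent files show as "missing".

# Reads verify lines on stdin; prints "<reason> <path>" for each entry that
# deserves investigation. Config files ("c") are skipped unless missing:
# local edits to them are expected, their disappearance is not.
rpm_drift() {
    while read -r flags marker path; do
        # Two-field lines carry no attribute letter; the path is field two.
        if [ -z "$path" ]; then
            path=$marker
            marker=""
        fi
        if [ "$flags" = "missing" ]; then
            echo "missing $path"
            continue
        fi
        if [ "$marker" = "c" ]; then
            continue
        fi
        reason=""
        case "$flags" in ??5*) reason="checksum" ;; esac
        case "$flags" in ?M*) reason="${reason:+$reason,}mode" ;; esac
        case "$flags" in ?????U*|??????G*) reason="${reason:+$reason,}owner" ;; esac
        if [ -n "$reason" ]; then
            echo "$reason $path"
        fi
    done
    return 0
}

# Constructed sample of "rpm -Va" output; not taken from any real system.
sample_rpm_verify() {
    printf '%s\n' \
        'S.5....T.    /usr/sbin/sendmail' \
        '.M.......    /usr/bin/passwd' \
        'S.5....T.  c /etc/mail/sendmail.cf' \
        'missing      /usr/lib/neomail/neomail.pl' \
        '.....U...    /var/spool/mail' \
        '.......T.    /usr/share/doc/README'
}

# On a live box the pipeline would be:  rpm -Va | rpm_drift
sample_rpm_verify | rpm_drift
```

An mtime-only change (the README line) is deliberately ignored, since rpm records it whenever a file is touched without its contents changing.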
