Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution
On Tue, Dec 09, 2008 at 11:05:28PM -0500, Jim Popovitch wrote: I am seeing the same thing. The fix is on volatile.d.o as clamav_0.94.dfsg.2-1~volatile1, but apt-get upgrade is not recognizing it. I don't see it in the Releases file either. Looks like it is in the etch-proposed-updates/etch dist, though, if you wanted it. Volatile admins, is there something wrong with this package or has it just been forgotten about? Dominic. -- Dominic Hargreaves | http://www.larted.org.uk/~dom/ PGP key 5178E2A5 from the.earth.li (keyserver,web,email) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Re: [SECURITY] [DSA 1680-1] New clamav packages fix potentialcode execution
Yes that line was already in. (deb http://security.debian.org/ stable/updates main) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution
On Wed, Dec 10, 2008 at 11:51:49AM +0100, Cyril Brulebois wrote: Dominic Hargreaves [EMAIL PROTECTED] (10/12/2008): Looks like it is in the etch-proposed-updates/etch dist, though, if you wanted it. Volatile admins, is there something wrong with this package or has it just been forgotten about? (sorry, I mistyped - I meant etch-proposed-updates/volatile) above. Correct according to: http://release.debian.org/proposed-updates/stable.html I don't think that's relevant to volatile versions though. -- Dominic Hargreaves | http://www.larted.org.uk/~dom/ PGP key 5178E2A5 from the.earth.li (keyserver,web,email) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution
Dominic Hargreaves [EMAIL PROTECTED] (10/12/2008): Looks like it is in the etch-proposed-updates/etch dist, though, if you wanted it. Volatile admins, is there something wrong with this package or has it just been forgotten about? Correct according to: http://release.debian.org/proposed-updates/stable.html Mraw, KiBi. signature.asc Description: Digital signature
Freeze SO Linux, it's possible?
Hi, i would like to freeze my linux in order to freeze the OS, then, when I reboot the computer all changes that i made in the computer dissapears and it returns to the previous OS freezed. In windows there is something similar, called Deep Freeze (it's freeware). Somebody could help me? Thank you very much, I appreciate your help. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential code execution
On Wed, Dec 10, 2008 at 07:27, Dominic Hargreaves [EMAIL PROTECTED] wrote: I don't think that's relevant to volatile versions though. To Volatile or Not to Volatile. That is the question (now).Is volatile a dead thing and security now back to real-time updates? I'm ok with manually downloading, even custom compiling, one or two apps. I'm just looking toward the future to better understand how clam/SA/etc app updates should best be applied to Stable. -Jim P. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Freeze SO Linux, it's possible?
On Wed, Dec 10, 2008 at 6:51 PM, Carlos Carrero Gutierrez [EMAIL PROTECTED] wrote: Hi, i would like to freeze my linux in order to freeze the OS, then, when I reboot the computer all changes that i made in the computer dissapears and it returns to the previous OS freezed. Cross posting is bad netiquette, especially when you are crossing various different distros not to mention debian-security when it is not a security issue. Linux can suspend to disk as long as the hardware plays along. Read this: http://www.linux.com/articles/54610 regards, Izak -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Freeze SO Linux, it's possible?
Izak Burger wrote: On Wed, Dec 10, 2008 at 6:51 PM, Carlos Carrero Gutierrez [EMAIL PROTECTED] wrote: Hi, i would like to freeze my linux in order to freeze the OS, then, when I reboot the computer all changes that i made in the computer dissapears and it returns to the previous OS freezed. Cross posting is bad netiquette, especially when you are crossing various different distros not to mention debian-security when it is not a security issue. Linux can suspend to disk as long as the hardware plays along. Read this: He doesn't mean a suspend to disk, which is what I thought too, first. He wants to make his installation frozen, i.e., changes aren't saved over reboots. I don't know how to do it, but maybe this clears up his original question. Sjors -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Freeze SO Linux, it's possible?
X-TM-IMSS-Message-ID: [EMAIL PROTECTED] Old-Return-Path: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on liszt.debian.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=4.0 tests=GMAIL,LDOSUBSCRIBER, LDO_WHITELIST autolearn=failed version=3.2.3 X-Original-To: [EMAIL PROTECTED] Delivered-To: [EMAIL PROTECTED] X-policyd-weight: DYN_NJABL=ERR NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_EQ_HELO_IP=-2 (check from: .dazjorz. - helo: .mail-ew0-f20.google. - helo-domain: .google.) FROM/MX_MATCHES_NOT_HELO(DOMAIN)=0 client=209.85.219.20 helo=mail-ew0-f20.google.com [EMAIL PROTECTED] [EMAIL PROTECTED], rate: -5 Date: Wed, 10 Dec 2008 18:40:05 +0100 From: Sjors Gielen [EMAIL PROTECTED] User-Agent: Thunderbird 2.0.0.18 (Windows/20081105) MIME-Version: 1.0 To: Izak Burger [EMAIL PROTECTED] CC: Carlos Carrero Gutierrez [EMAIL PROTECTED], debian-security@lists.debian.org Subject: Re: Freeze SO Linux, it's possible? X-Enigmail-Version: 0.95.7 OpenPGP: id=43F437E1; url=http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x63C41921 Content-Transfer-Encoding: 7bit X-Virus-Scanned: at lists.debian.org with policy bank en-ht X-Amavis-Spam-Status: No, score=-4 tagged_above=3.6 required=5.3 tests=[GMAIL=1, LDO_WHITELIST=-5] X-Rc-Virus: 2007-09-13_01 X-Rc-Spam: 2008-11-04_01 Resent-Message-ID: [EMAIL PROTECTED] Resent-From: debian-security@lists.debian.org X-Mailing-List: debian-security@lists.debian.org archive/latest/22737 X-Loop: debian-security@lists.debian.org List-Id: debian-security.lists.debian.org List-Post: mailto:debian-security@lists.debian.org List-Help: mailto:[EMAIL PROTECTED] List-Subscribe: mailto:[EMAIL PROTECTED] List-Unsubscribe: mailto:[EMAIL PROTECTED] Resent-Sender: [EMAIL PROTECTED] Resent-Date: Wed, 10 Dec 2008 17:40:41 + (UTC) X-TM-AS-Product-Ver: IMSS-7.0.0.6126-5.5.0.1027-16330.006 X-TM-AS-Result: No--16.227-5.0-31-1 X-imss-scan-details: No--16.227-5.0-31-1 X-TM-AS-User-Approved-Sender: No X-TM-AS-User-Blocked-Sender: No Izak Burger wrote: On Wed, Dec 10, 2008 at 6:51 PM, Carlos Carrero Gutierrez [EMAIL PROTECTED] wrote: Hi, i would like to freeze my linux in order to freeze the OS, then, when I reboot the computer all changes that i made in the computer dissapears and it returns to the previous OS freezed. Cross posting is bad netiquette, especially when you are crossing various different distros not to mention debian-security when it is not a security issue. Linux can suspend to disk as long as the hardware plays along. Read this: He doesn't mean a suspend to disk, which is what I thought too, first. He wants to make his installation frozen, i.e., changes aren't saved over reboots. I don't know how to do it, but maybe this clears up his original question. Sjors What about unionfs ? Cheers, Phibo -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- System Engineer Unix B | SOURCE Phone +41 44 712 65 14 Mobile +41 79 412 36 40 (for urgent cases) -- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential codeexecution
But the volatile fixed version (0.94.dfsg.2-1~volatile ( http://volatile.debian.org/debian-volatile/pool/volatile/main/c/clamav/clamav-base_0.94.dfsg.2-1%7Evolatile1_all.deb )) is already placed in the volatile archive. Or will it only be updated when it is in the security archive? With kind regards, Tony
Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential codeexecution
On Wed, Dec 10, 2008 at 06:48:59PM +0100, Tony Nederpel wrote: But the volatile fixed version (0.94.dfsg.2-1~volatile ( http://volatile.debian.org/debian-volatile/pool/volatile/main/c/clamav/clamav-base_0.94.dfsg.2-1%7Evolatile1_all.deb )) is already placed in the volatile archive. It's in the archive, yes, but not in the distribution (see eg http://volatile.debian.org/debian-volatile/dists/etch/volatile/main/binary-i386/Packages ) Or will it only be updated when it is in the security archive? I don't really understand your question. There is no separate security archive for volatile, as I understand it. -- Dominic Hargreaves | http://www.larted.org.uk/~dom/ PGP key 5178E2A5 from the.earth.li (keyserver,web,email) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Freeze SO Linux, it's possible?
Hr. Philip Rueegsegger wrote: X-TM-IMSS-Message-ID: [EMAIL PROTECTED] Old-Return-Path: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on liszt.debian.org X-Spam-Level: [..snip..] X-TM-AS-Result: No--16.227-5.0-31-1 X-imss-scan-details: No--16.227-5.0-31-1 X-TM-AS-User-Approved-Sender: No X-TM-AS-User-Blocked-Sender: No Your cloning of my headers scare me! He doesn't mean a suspend to disk, which is what I thought too, first. He wants to make his installation frozen, i.e., changes aren't saved over reboots. I don't know how to do it, but maybe this clears up his original question. Sjors What about unionfs ? My first thought indeed. Only with a tmpfs, which would require enough RAM. Seems like some people have been trying in the past. Or, Carlos, find out how a live CD root filesystem is mounted, I don't know that. Good luck, and please let me know if it worked. Sjors Cheers, Phibo -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 1680-1] New clamav packages fix potentialcode execution
*** posted this one again to get the mail under the correct subject again *** Have you security support activated for your apt? Add the line deb http://security.debian.org/ stable/updates mainto your /etc/apt/sources.list (as described in the security announcement). That line is in the sources list Johannes. With kind regards, Tony -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Freeze SO Linux, it's possible?
Carlos Carrero Gutierrez wrote: Hi, i would like to freeze my linux in order to freeze the OS, then, when I reboot the computer all changes that i made in the computer dissapears and it returns to the previous OS freezed. In windows there is something similar, called Deep Freeze (it's freeware). Somebody could help me? Thank you very much, I appreciate your help. Deep Freeze is also available for Linux signature.asc Description: OpenPGP digital signature
Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential codeexecution
On Wed, Dec 10, 2008 at 13:21, Dominic Hargreaves [EMAIL PROTECTED] wrote: I don't really understand your question. There is no separate security archive for volatile, as I understand it. Oddly enough I understood Tony, yet I don't understand the Volative+ClamAV situation. Can someone definatively state what is the holdup/situation/reasoning for why the latest ClamAV release has been pushed to all the mirrors but not updating via apt. Thank you, -Jim P. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Freeze SO Linux, it's possible?
On Wed, Dec 10, 2008 at 7:40 PM, Sjors Gielen [EMAIL PROTECTED] wrote: He doesn't mean a suspend to disk, which is what I thought too, first. He wants to make his installation frozen, i.e., changes aren't saved over reboots. I don't know how to do it, but maybe this clears up his original question. Aaah ok. Well, then something like what knoppix does, with a read only filesystem containing the original, a second read-write file system for modifications (knoppix uses a tmpfs ie stores it in RAM) and unionfs over the two. Certainly possible. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential codeexecution
On Wed, Dec 10, 2008 at 13:21, Dominic Hargreaves [EMAIL PROTECTED] wrote: I don't really understand your question. There is no separate security archive for volatile, as I understand it. Oddly enough I understood Tony, yet I don't understand the Volative+ClamAV situation. Can someone definatively state what is the holdup/situation/reasoning for why the latest ClamAV release has been pushed to all the mirrors but not updating via apt. From the ClamAV maintainer team's perspective I can only say that we uploaded the packages to the volatile archive (well, you noticed that the packages are there indeed), but for some reason they did not make their way into the Packages/Release files. I guess only the volatile archive maintainers can help out. Best, Michael pgpr5muKAnq4D.pgp Description: PGP signature
Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential codeexecution
On Wed, Dec 10, 2008 at 15:10, Michael Tautschnig [EMAIL PROTECTED] wrote: I guess only the volatile archive maintainers can help out. Yet they have been silent for several days now on this issue. Are they overloaded? Do we need new volatile maintainers? Who's in the know here? -Jim P. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential codeexecution
On Wed, Dec 10, 2008 at 03:26:46PM -0500, Jim Popovitch wrote: On Wed, Dec 10, 2008 at 15:10, Michael Tautschnig [EMAIL PROTECTED] wrote: I guess only the volatile archive maintainers can help out. Yet they have been silent for several days now on this issue. FTR there's been no response to my postgrey upload to volatile, either, for over two weeks now. regards, -- Marcin Owsiany [EMAIL PROTECTED] http://marcin.owsiany.pl/ GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216 signature.asc Description: Digital signature
Re: [VUA 51-1] Updated clamav version
On Thu, Dec 11, 2008 at 00:55, Andreas Barth [EMAIL PROTECTED] wrote: --- Debian Volatile Update Announcement VUA 51-1 http://volatile.debian.org [EMAIL PROTECTED] Stephen Gran Dec 11, 2008 --- Package : clamav Version : 0.94.dfsg.2-1~volatile1 Importance : medium CVE IDs : CVE-2008-5050 CVE-2008-5314 [snip] and install them with dpkg, or add deb http://volatile.debian.org/debian-volatile etch/volatile main deb-src http://volatile.debian.org/debian-volatile etch/volatile main FAIL! -Jim P. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#508314: Please add package subscription/notification support
Hi, On Wed, Dec 10, 2008 at 12:15:27AM +0100, Nico Golde wrote: Thanks for the report. Indeed this would be a nice feature and we discussed this at the security team meeting in Essen. Tracker integration for the PTS is on our todo list. Great. I don't know if the tracker is written in a language that I understand well, but let me know if I can help you, anyway. Regards, Patrick -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]