potato libssl09 package vulnerable?

2002-08-02 Thread Paul Baker
So I see that the openssl, libssl-dev, libssl0.9.6 packages in potato 
have been fixed for DSA-136-1. I'm wondering if the libssl09 packages 
are also vulnerable to this exploit? If it is, is a fixed package going 
to be out soon, or should I be expending the effort to back port woody's 
openssl094 package myself?



--
Paul Baker

"They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety."

 -- Benjamin Franklin, 1759

GPG Key: http://homepage.mac.com/pauljbaker/public.asc



PGP

2002-08-02 Thread Daniel Rychlik
Hello,

I have recently set up PGP on my Debian server at home.  I have set up Exim for 
relay of 3 hosts.  I would like to be able to include pgp signature signing for 
the three hosts.  My wife uses Outlook for her email and I was wondering if 
there was a way to automatically sign her email messages as they leave the 
mailbox.  I've read the documentation by Phillip Zimmerman, but it doesn't really 
have any info on setting up pgp keys for mail clients.  Any information would 
be great!  

Daniel J. Rychlik
http://daniel.rychlik.ws






Re: Question on the safety sharing NFS with untrusted machines.

2002-08-02 Thread Michelle Konzack
Hello, 

there is a Debian package ssl-nfs (or secure-nfs) in the mirror...
It is much safer than all the other tricks with your networks.

Michelle

At 13:07 25/07/02 -0500, Dast wrote:
>
>Hello all,

>So my question is, is it safer to host the NFS from the DMZ and mount
>remotely on machines in the internal network, or host the NFS from a
>machine on the internal network and remotely mount in the DMZ?  Or
>does it matter?  Any suggestions or pointers to relevant docs would be
>greatly appreciated.  Also, does anyone know what traffic, at minimum,
>I need to allow to share NFS?
>
> ##  Get the Power of Debian/GNU-Linux  ##



Re: (fwd) OpenSSH trojan!

2002-08-02 Thread Vincent Hanquez
On Fri, Aug 02, 2002 at 05:10:11PM +0300, Halil Demirezen wrote:
> I wanna make it clear.
> 
> We are using OpenSSH_3.4p1 Debian 1:3.4p1-1, SSH protocols 1.5/2.0,
> OpenSSL 0x0090603f
> 
> 
> and we installed the ssh from the deb packages using
> apt-get install utility.
> 
> I wonder if there is any risk on this stable version of OpenSSH (Debian)
> independent from openbsd's source tarball?

no, there's no (known) problem on the ssh Debian package.
ONLY the ftp site of openbsd was trojaned!

-- 
Tab



Re: (fwd) OpenSSH trojan!

2002-08-02 Thread Florian Weimer
Halil Demirezen <[EMAIL PROTECTED]> writes:

> and we installed the ssh from the deb packages using
> apt-get install utility.
>
> I wonder if there is any risk on this stable version of OpenSSH
> (Debian) independent from openbsd's source tarball?

There isn't an easy way to determine whether a Debian package is
authentic or not.  I'm not even sure what "authentic" means in this
context.

The package you are referring to is probably not affected by the
OpenBSD incident, but you cannot be sure that it hasn't been
manipulated by some other means.

-- 
Florian Weimer                       [EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  fax +49-711-685-5898



Re: (fwd) OpenSSH trojan!

2002-08-02 Thread Halil Demirezen
I wanna make it clear.

We are using OpenSSH_3.4p1 Debian 1:3.4p1-1, SSH protocols 1.5/2.0,
OpenSSL 0x0090603f


and we installed the ssh from the deb packages using
apt-get install utility.

I wonder if there is any risk on this stable version of OpenSSH (Debian)
independent from openbsd's source tarball?

if there is, how can i fix it with the real stable one?

sincerely.




On Fri, 2 Aug 2002, Vincent Hanquez wrote:

> On Fri, Aug 02, 2002 at 03:36:53PM +0200, Florian Weimer wrote:
> > Vincent Hanquez <[EMAIL PROTECTED]> writes:
> > 
> > > as the others said, no.
> > > only Openbsd source package has been trojaned
> > 
> > No, both 3.4p1 and 3.2.2p1 (portable versions) have been changed, too.
> 
> sorry, I've forgotten a word. I was speaking of Openbsd's ftp.
> 
> -- 
> Tab
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 



Re: (fwd) OpenSSH trojan!

2002-08-02 Thread Vincent Hanquez
On Fri, Aug 02, 2002 at 03:36:53PM +0200, Florian Weimer wrote:
> Vincent Hanquez <[EMAIL PROTECTED]> writes:
> 
> > as the others said, no.
> > only Openbsd source package has been trojaned
> 
> No, both 3.4p1 and 3.2.2p1 (portable versions) have been changed, too.

sorry, I've forgotten a word. I was speaking of Openbsd's ftp.

-- 
Tab



Re: (fwd) OpenSSH trojan!

2002-08-02 Thread Florian Weimer
Vincent Hanquez <[EMAIL PROTECTED]> writes:

> as the others said, no.
> only Openbsd source package has been trojaned

No, both 3.4p1 and 3.2.2p1 (portable versions) have been changed, too.

-- 
Florian Weimer                       [EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  fax +49-711-685-5898



Re: (fwd) OpenSSH trojan!

2002-08-02 Thread Vincent Hanquez
On Fri, Aug 02, 2002 at 02:27:11PM +0300, Halil Demirezen wrote:
> I installed my Debian system on 29th July, and I get the packets from
> mirror security.debian... as anyone can say, should I be worried?

as the others said, no.
only Openbsd source package has been trojaned

-- 
Tab



Re: (fwd) OpenSSH trojan!

2002-08-02 Thread Halil Demirezen
I installed my Debian system on 29th July, and I get the packets from
mirror security.debian... as anyone can say, should I be worried?



On Thu, 1 Aug 2002, Dale Amon wrote:

> On Thu, Aug 01, 2002 at 03:06:47PM -0500, Daniel J. Rychlik wrote:
> > Should debian users be worried if they only install the pre built .deb
> > package or should we evaluate the source and install the ssh from
> > source?
> > 
> > I guess the next question is Do I Have it?
> 
> I think the answer from earlier today was: No.
> 
>  
> 
> 



Re: openssh-3.4p1.tar.gz on ftp.openbsd.org trojaned

2002-08-02 Thread Roberto Gordo Saez
See also:

http://online.securityfocus.com/archive/75/285547/2002-07-30/2002-08-05/0/


-- 
Roberto Gordo - Free Software Engineer
Linalco "Especialistas Linux y en Software Libre"
Tel: +34-91-5970074 Fax: +34-91-5970083