[SECURITY] [DSA 412-1] New nd packages fix buffer overflows
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Debian Security Advisory DSA 412-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                         Matt Zimmerman
January 5th, 2004                       http://www.debian.org/security/faq

Package        : nd
Vulnerability  : buffer overflows
Problem-Type   : remote
Debian-specific: no
CVE Ids        : CAN-2004-0014

Multiple vulnerabilities were discovered in nd, a command-line WebDAV interface, whereby long strings received from the remote server could overflow fixed-length buffers. This vulnerability could be exploited by a remote attacker in control of a malicious WebDAV server to execute arbitrary code if the server was accessed by a vulnerable version of nd.

For the current stable distribution (woody) this problem has been fixed in version 0.5.0-1woody1.

For the unstable distribution (sid) this problem has been fixed in version 0.8.2-1.

We recommend that you update your nd package.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody

Source archives and binary packages for each supported architecture: URL and Size/MD5 checksum list omitted.

These files will probably be moved into the stable distribution on its next revision.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQE/+m4NArxCt0PiXR4RAvZMAJ4jUgn+mVxT3hJuX4rUP0za5gPuBACgvY62
O+FlgwAMRnktJdDH5h5Q3Ac=
=mQ79
-----END PGP SIGNATURE-----

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
[SECURITY] [DSA 413-1] New Linux 2.4.18 packages fix locate root exploit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Debian Security Advisory DSA 413-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                         Martin Schulze
January 6th, 2004                       http://www.debian.org/security/faq

Package        : kernel-source-2.4.18, kernel-image-2.4.18-1-i386
Vulnerability  : missing boundary check
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2003-0985

Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.2.x, 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges.

For the stable distribution (woody) this problem has been fixed in kernel-source version 2.4.18-14.1 and kernel-images versions 2.4.18-12.1 and 2.4.18-5woody6 (bf) for the i386 architecture.

For the unstable distribution (sid) this problem will be fixed soon with newly uploaded packages.

We recommend that you upgrade your kernel packages. This problem has been fixed in the upstream version 2.4.24 as well.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody

Source archives, architecture-independent components and Intel IA-32 packages: URL and Size/MD5 checksum list omitted.
Re: [SECURITY] [DSA 411-1] New mpg321 packages fix ... - PGP key? [solved]
Incoming from ZsoL:
> Hash: SHA1
>
> On Tuesday 06 January 2004 06.37, s. keeling wrote:
> > Incoming from Matt Zimmerman:
> > > Debian Security Advisory DSA 411-1                   [EMAIL PROTECTED]
> > > http://www.debian.org/security/                       Matt Zimmerman
> > > January 5th, 2004                     http://www.debian.org/security/faq
> > >
> > > Package        : mpg321
> >
> > Were any of you able to verify the PGP signatures on the latest
> > debian-security-announce messages? I can't:
> >
> > [-- PGP output follows (current time: Mon 05 Jan 2004 10:30:43 PM MST) --]
> > gpg: Signature made Mon 05 Jan 2004 07:51:35 PM MST using DSA key ID 43E25D1E
> > gpg: Can't check signature: public key not found
> > [-- End of PGP output --]
>
> maybe you have to import [EMAIL PROTECTED]'s public key.

I've tried. GPA import key fails quietly. So I used w3m to go to the URL he supplied:

(2) keeling /home/keeling/dox_ gpg --verify matt_zimmerman.txt
gpg: verify signatures failed: unexpected data
(2) keeling /home/keeling/dox_ gpg --verify matt_zimmerman.txt
gpg: verify signatures failed: unexpected data

So, I tried wget:

(0) keeling /home/keeling/dox_ gpg --verify lookup\?op\=get\search\=0x440202C3137B1CB4
gpg: verify signatures failed: unexpected data
(2) keeling /home/keeling/dox_ gpg --verify lookup\?op\=get\search\=0x440202C3137B1CB4
gpg: verify signatures failed: unexpected data

So, I copied the mail to a file, then:

(0) keeling /home/keeling/dox_ gpg --verify-files matt_zimmerman.msg
gpg: Signature made Mon 05 Jan 2004 07:51:35 PM MST using DSA key ID 43E25D1E
gpg: Can't check signature: public key not found

Then I tried --import:

(2) keeling /home/keeling/dox_ gpg --import matt_zimmerman.msg
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Ah! Finally:

(2) keeling /home/keeling/dox_ gpg --recv-keys 43E25D1E
gpg: key 43E25D1E: removed multiple subkey binding
gpg: key 43E25D1E: public key Matt Zimmerman [EMAIL PROTECTED] imported
gpg: Total number processed: 1
gpg:               imported: 1

Now why was that so difficult?!? Every other time, just reading mail from someone grabs their key from the keyserver and checks the signature.

-- 
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling
Re: [SECURITY] [DSA 411-1] New mpg321 packages fix format string vulnerability - PGP key?
On Mon, Jan 05, 2004 at 10:37:49PM -0700, s. keeling wrote:

> Incoming from Matt Zimmerman:
> > Debian Security Advisory DSA 411-1                   [EMAIL PROTECTED]
> > http://www.debian.org/security/                       Matt Zimmerman
> > January 5th, 2004                     http://www.debian.org/security/faq
> >
> > Package        : mpg321
> > Vulnerability  : format string
> > Problem-Type   : remote
> > Debian-specific: no
> > CVE Ids        : CAN-2003-0969
>
> Were any of you able to verify the PGP signatures on the latest
> debian-security-announce messages? I can't:
>
> [-- PGP output follows (current time: Mon 05 Jan 2004 10:30:43 PM MST) --]
> gpg: Signature made Mon 05 Jan 2004 07:51:35 PM MST using DSA key ID 43E25D1E
> gpg: Can't check signature: public key not found
> [-- End of PGP output --]

wget -O- http://www.debian.org/security/keys.txt | gpg --import

-- 
 - mdz
Content-Type in DSAs
Hi!

When I recently read about problems with verifying the PGP signature of DSAs, I realized that for most DSAs mutt does not automatically check the signature. Comparing the DSAs and reading how mutt recognizes a PGP signed message, I found that only some DSAs from Martin Schulze have a Content-Type as mutt wants it:

Content-Type: application/pgp; format=text; x-action=sign

Newer ones from him and all others have this:

Content-Type: text/plain; charset=us-ascii

Mutt *can* verify these, but only when told with (default) ESC P. And this does not change the message; mutt will lose the info when it leaves the mailbox.

I'm wondering if there is a *technical* reason for not using application/pgp in DSAs. If there isn't, I would like to ask the security group to use that in order to make MUAs like mutt verify their signatures automatically.

Yes, I know about the procmail hack. And I will set it up now. But for the sake of people like me before I started to investigate this, I still wanted to ask this question.

Thank you for your patience,
Lupe Christoph

-- 
| [EMAIL PROTECTED]                     | http://www.lupe-christoph.de/ |
| Violence is the resort of the violent                          Lu Tze |
| Thief of Time, Terry Pratchett                                        |
Re: Content-Type in DSAs
* Lupe Christoph [Tue, 06 Jan 2004 11:25:27 +0100]:

> When I recently read about problems with verifying the PGP signature of DSAs, I realized that for most DSAs mutt does not automatically check the signature. Comparing the DSAs and reading how mutt recognizes a PGP signed message, I found that only some DSAs from Martin Schulze have a Content-Type as mutt wants it:
>
> Content-Type: application/pgp; format=text; x-action=sign

I think this format is obsolete. A correct PGP/MIME message would read something similar to (correct me if I'm wrong):

Content-Type: multipart/signed; micalg=pgp-sha1; protocol=application/pgp-signature; boundary=tKW2IUtsqtDRztdT

> Newer ones from him and all others have this:
>
> Content-Type: text/plain; charset=us-ascii
>
> Mutt *can* verify these, but only when told with (default) ESC P. And this does not change the message; mutt will lose the info when it leaves the mailbox.

> Yes, I know about the procmail hack. And I will set it up now. But for the sake of people like me before I started to investigate this, I still wanted to ask this question.

I know about the procmail hack too, and it miserably fails when the message is a multipart one. Of course the long term solution is to get everybody to use the new not-obsolete PGP/MIME format, but in the meanwhile I would recommend to mutt users to try this little mutt hook:

message-hook '!(~g|~G) ~b^-----BEGIN\ PGP\ (SIGNED\ )?MESSAGE' exec check-traditional-pgp

Personally, I found it quite useful, as I've now completely forgotten about headaches brought by inline-signed mail. (The hook, obviously, simulates pressing ESC P *each* time the message is viewed.)

HTH.

-- 
Adeodato Simó (a.k.a. thibaut)
EM: asp16 [ykwim] alu.ua.es | IM: my_dato [jabber.org] | PK: DA6AE621

If there is a sin against life, it consists perhaps not so much in despairing of life as in hoping for another life and in eluding the implacable grandeur of this life.
    -- Albert Camus
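To make the three Content-Types discussed in this thread concrete, here is an added Python example (not code from the thread, from mutt or from Debian): it classifies a message as PGP/MIME, obsolete application/pgp, inline-signed or unsigned by walking the MIME parts, and reproduces why a procmail-style rewrite of the top-level Content-Type, of the kind the thread mentions, breaks a multipart message. The sample messages are constructed and carry no real signatures.

```python
"""Distinguish PGP/MIME, the obsolete application/pgp type and inline
("traditional") signing, and show the multipart failure mode of the
procmail Content-Type rewrite.  Constructed samples, no real signatures."""
import email
from email import policy

INLINE_MARKER = "-----BEGIN PGP SIGNED MESSAGE-----"
OBSOLETE_CTYPE = b"Content-Type: application/pgp; format=text; x-action=sign"


def classify_signing(raw: bytes) -> str:
    """Return 'pgp-mime', 'application/pgp', 'inline' or 'none'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if (ctype == "multipart/signed"
            and msg.get_param("protocol") == "application/pgp-signature"):
        return "pgp-mime"
    if ctype == "application/pgp":
        return "application/pgp"
    # Walk every leaf part so an inline-signed text part nested inside a
    # multipart/mixed message (text plus attachment) is still detected.
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            if part.get_content().lstrip().startswith(INLINE_MARKER):
                return "inline"
    return "none"


def leaf_parts(raw: bytes) -> list:
    """Content types of the non-multipart parts a MIME parser can see."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_content_type() for p in msg.walk() if not p.is_multipart()]


def procmail_style_rewrite(raw: bytes) -> bytes:
    """Mimic the usual procmail recipe: if the body carries the inline
    marker, overwrite the top-level Content-Type with application/pgp.
    On a multipart message this discards the boundary parameter, so the
    MIME structure (and any attachment) is no longer visible to the MUA."""
    head, sep, body = raw.partition(b"\n\n")
    if INLINE_MARKER.encode() not in body:
        return raw
    lines = [OBSOLETE_CTYPE if ln.lower().startswith(b"content-type:") else ln
             for ln in head.split(b"\n")]
    return b"\n".join(lines) + sep + body


# Constructed sample messages (not real list traffic).
PGP_MIME = b"""\
From: announce@example.invalid
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Advisory text goes here.
--b1
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
(detached signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
--b1--
"""

INLINE = b"""\
From: announce@example.invalid
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory text goes here.
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

MIXED_INLINE = b"""\
From: announce@example.invalid
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory text goes here.
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
--b2
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="patch.txt"

(attachment omitted in this constructed sample)
--b2--
"""

if __name__ == "__main__":
    for name, raw in (("PGP_MIME", PGP_MIME), ("INLINE", INLINE),
                      ("MIXED_INLINE", MIXED_INLINE)):
        print(name, classify_signing(raw), leaf_parts(raw))
    print("after rewrite:", leaf_parts(procmail_style_rewrite(MIXED_INLINE)))
```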
Re: Content-Type in DSAs
Hi Lupe,

* Lupe Christoph [EMAIL PROTECTED] wrote:
> Comparing the DSAs and reading how mutt recognizes a PGP signed message, I found that only some DSAs from Martin Schulze have a Content-Type as mutt wants it:
>
> Content-Type: application/pgp; format=text; x-action=sign

- PGP/MIME

> Newer ones from him and all others have this:
>
> Content-Type: text/plain; charset=us-ascii

- old, deprecated format

> Mutt *can* verify these, but only when told with (default) ESC P. And this does not change the message; mutt will lose the info when it leaves the mailbox.

Right. mutt doesn't change the mail but just verifies the message.

> I'm wondering if there is a *technical* reason for not using application/pgp in DSAs. If there isn't, I would like to ask the security group to use that in order to make MUAs like mutt verify their signatures automatically.

There is a reason: broken MUAs which still do not support PGP/MIME.

> Yes, I know about the procmail hack. And I will set it up now. But for the sake of people like me before I started to investigate this, I still wanted to ask this question.

This is a workaround, not a solution. The solution would be either to fix broken MUAs or to not use such broken MUAs.

- Alexander
Re: 2.4.18-bf2.4 version confusion, patches?
On Mon, 2004-01-05 at 16:57, Matt Zimmerman wrote:
> On Mon, Jan 05, 2004 at 02:26:12PM +0100, kuene wrote:
> [snip]
> You are still wrong. What you do not understand is, when you install Debian, you do not have the package kernel-image-2.4.18-bf2.4 installed. You have a copy of some of the files in that package, but the package itself is not installed, and so will never be automatically upgraded.
> [snip]

I know that the kernel is not installed. But if you install it (apt-get install kernel-image-2.4.18-bf2.4) it will be an old one, with security holes! Is this true?

greets
kuene
Re: suspicious files in /tmp
On Monday January 5 2004 18:43, Marcel Weber wrote:
> Whatever, I guess during the initial setup of LFS I made a mistake and compiled these files statically... This probably explains the size. I do not think that they're belonging to a rootkit, as I have the same files on my initial install backup. Anyways, if someone is interested in them, I could send them, but I think 1.3 MB of files is too much for this mailing list...

It is easy to check if an executable is linked statically or dynamically:

c++ -o hello.dyn hello.cc
c++ -o hello.stat -static hello.cc

ls -l hello.*
-rw-r--r--    1 rz37     users          91 Sep 20  2002 hello.cc
-rwxr-xr-x    1 rz37     users       14269 Jan  6 15:43 hello.dyn
-rwxr-xr-x    1 rz37     users     1619690 Jan  6 15:43 hello.stat

file hello.dyn
hello.dyn: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped

file hello.stat
hello.stat: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, not stripped

ldd hello.dyn
        libstdc++-libc6.2-2.so.3 => /usr/lib/libstdc++-libc6.2-2.so.3 (0x4003)
        libm.so.6 => /lib/libm.so.6 (0x4007d000)
        libc.so.6 => /lib/libc.so.6 (0x4009f000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)

ldd hello.stat
        not a dynamic executable

Greetings,
Rudolf

-- 
Rudolf Lohner --- Universitaet Karlsruhe (TH) --- Rechenzentrum
Zirkel 2, D-76128 Karlsruhe, phone/fax: +49 721 {608-6958 | 32550}
www: http://www.uni-karlsruhe.de/~Rudolf.Lohner  email: [EMAIL PROTECTED]
Re: suspicious files in /tmp
Rudolf Lohner wrote:
> [snip]
> file hello.dyn
> hello.dyn: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
>
> file hello.stat
> hello.stat: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, not stripped
> [snip]
> Greetings,
> Rudolf

Great, thanks! So here it comes:

www:~/chkrootkit/bin # file netstat
netstat: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), not stripped

www:~/chkrootkit/usr/bin # file env
env: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped

So everything's clear now: one was statically linked, the other dynamically, and I guess that the meaning of "stripped" is whether there is debugging information in the file or not (?), which would make the file even bigger...

Greetings
Marcel
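Rudolf's check relies on `file` and `ldd`; `ldd` may execute the binary's own dynamic loader, which is unwise on a suspect file from /tmp. Here is an added Python example (not from the thread, nor from `file` or chkrootkit) that reads the same answer directly from the ELF program headers: PT_INTERP means dynamically linked, PT_DYNAMIC alone means static-pie, neither means statically linked. The `build_elf` helper is an assumption of this example: it constructs minimal, non-runnable ELF images so the parser can be exercised offline.

```python
"""Classify an ELF executable as dynamically, statically or static-pie
linked by reading its program headers, without running anything in it."""
import struct
import sys

ELFMAG = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
PT_DYNAMIC, PT_INTERP = 2, 3


def program_headers(data: bytes):
    """Yield (p_type, p_offset, p_filesz) for each program header entry,
    for ELF32 and ELF64 in either byte order."""
    if data[:4] != ELFMAG:
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"            # EI_DATA: 1 = little endian
    if data[4] == ELFCLASS32:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        fmt, idx = end + "IIIIIIII", (0, 1, 4)    # p_type, p_offset, p_filesz
    elif data[4] == ELFCLASS64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        fmt, idx = end + "IIQQQQQQ", (0, 2, 5)    # p_flags sits before p_offset
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        fields = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        yield tuple(fields[j] for j in idx)


def classify_linking(data: bytes) -> str:
    """Same verdict `file` prints, derived from PT_INTERP / PT_DYNAMIC."""
    interp, has_dynamic = None, False
    for p_type, p_offset, p_filesz in program_headers(data):
        if p_type == PT_INTERP:
            raw = data[p_offset:p_offset + p_filesz].rstrip(b"\0")
            interp = raw.decode("ascii", "replace")
        elif p_type == PT_DYNAMIC:
            has_dynamic = True
    if interp:
        return f"dynamically linked (interpreter {interp})"
    if has_dynamic:            # PT_DYNAMIC without PT_INTERP: static-pie
        return "static-pie linked"
    return "statically linked"


def build_elf(interp=None, dynamic=False, bits=32) -> bytes:
    """Hypothetical helper: construct a minimal ELF image (header, program
    headers, segment bytes) that is parseable but not executable."""
    segs = []
    if interp is not None:
        segs.append((PT_INTERP, interp + b"\0"))
    if dynamic:
        segs.append((PT_DYNAMIC, b"\0" * 8))
    ehsize, phentsize = (52, 32) if bits == 32 else (64, 56)
    data_off = ehsize + phentsize * len(segs)
    phdrs, blob = b"", b""
    for p_type, payload in segs:
        off, n = data_off + len(blob), len(payload)
        if bits == 32:
            phdrs += struct.pack("<IIIIIIII", p_type, off, 0, 0, n, n, 4, 1)
        else:
            phdrs += struct.pack("<IIQQQQQQ", p_type, 4, off, 0, 0, n, n, 1)
        blob += payload
    ident = ELFMAG + bytes([1 if bits == 32 else 2, 1, 1, 0]) + b"\0" * 8
    if bits == 32:   # e_type=EXEC, e_machine=EM_386
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, ehsize, 0, 0,
                                   ehsize, phentsize, len(segs), 0, 0, 0)
    else:            # e_machine=EM_X86_64
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, ehsize, 0, 0,
                                   ehsize, phentsize, len(segs), 0, 0, 0)
    return ehdr + phdrs + blob


def inspect_file(path: str) -> str:
    with open(path, "rb") as fh:
        return classify_linking(fh.read())


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path + ":", inspect_file(path))
```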
Re: another kernel vulnerability
On Monday, 05 January 2004, at 17:21:52 +0100, Teófilo Ruiz Suárez wrote:
> What about 2.6? Is it fixed anyhow?

It seems to be fixed in 2.6.1-rc2, as Linus said. But the fix seems to be temporary while kernel gurus and the people in charge of libc agree on a better solution.

http://marc.theaimsgroup.com/?l=linux-kernelm=107332772321771w=2

From patch-2.6.1-rc2.bz2:

diff -Nru a/mm/mremap.c b/mm/mremap.c --- a/mm/mremap.c Mon Jan 5 22:49:37 2004 +++ b/mm/mremap.c Mon Jan 5 22:49:37 2004 @@ -315,6 +315,10 @@ old_len = PAGE_ALIGN(old_len); new_len = PAGE_ALIGN(new_len); + /* Don't allow the degenerate cases */ + if (!(old_len | new_len)) + goto out; + /* new_addr is only valid if MREMAP_FIXED is specified */ if (flags MREMAP_FIXED) { if (new_addr ~PAGE_MASK)

Greetings.

-- 
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.6.1-rc1)
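Review bot: the added check `if (!(old_len | new_len)) goto out;` refuses the request only when both lengths are zero after PAGE_ALIGN; a zero old_len with a non-zero new_len, or a zero new_len with a non-zero old_len, still falls through to the MREMAP_FIXED handling in the following context lines, so the comment "Don't allow the degenerate cases" promises more than the condition enforces. Either tighten it to `if (!old_len || !new_len)` if every zero-length request is to be rejected, or narrow the comment to the both-zero case so the next reader does not assume the single-zero cases are covered; since the message itself calls this a temporary fix pending agreement with the libc side, the intended semantics should at least be stated in the comment.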
Re: 2.4.18-bf2.4 version confusion, patches?
On Tue, Jan 06, 2004 at 12:29:41PM +0100, kuene wrote:

> On Mon, 2004-01-05 at 16:57, Matt Zimmerman wrote:
> > On Mon, Jan 05, 2004 at 02:26:12PM +0100, kuene wrote:
> > [snip]
> > You are still wrong. What you do not understand is, when you install Debian, you do not have the package kernel-image-2.4.18-bf2.4 installed. You have a copy of some of the files in that package, but the package itself is not installed, and so will never be automatically upgraded.
> > [snip]
>
> I know that the kernel is not installed. but if you install it (apt-get install kernel-image-2.4.18-bf2.4) it will be an old one, with security holes! is this true?

No, that is completely false.

-- 
 - mdz
GnuPG can not read some pgp signatures
Hello!

I installed KMail a few days ago, and with it I installed the GnuPG program too. But some of the signatures can not be read by gpg. There are some messages which have a signature.asc attached, but KMail writes this in the message window:

The message is signed, but the validity of the signature can't be verified. Reason: No appropriate crypto plug-in was found.

And when I save the attached signature and run

cat signature.asc | gpg --import

I get these messages:

gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

But sometimes I get messages which also have a signature file attached, and they can be verified by KMail, and the signatures can be imported with gpg. For example these keys:

http://www.debian.org/security/keys.txt

I can import those keys, and KMail can verify these keys when I'm getting emails from those guys. What could be the problem with the other signature files? If it helps, I can send you a signature which is not working.

Thanks for the help!

Daniel

-- 
LeVA
Re: GnuPG can not read some pgp signatures
LeVA [EMAIL PROTECTED] [2004-01-06 18:22]:
> Hello!
>
> I have installed KMail a few days ago, and with it I've installed the GnuPG program too. But some of the signatures can not be read by gpg. There are some messages, which has a signature.asc attached, but KMail writes this in the messages window:
>
> The message is signed, but the validity of the signature can't be verified. Reason: No appropriate crypto plug-in was found.
>
> And when I Save the attached signature, and run cat signature.asc | gpg --import, I get this messages:
>
> gpg: no valid OpenPGP data found.
> gpg: Total number processed: 0

I assume the keys you try to make use of are for PGP 2.x -- thus they require idea. As far as I found on the web, the gpg-idea package somehow vanished. See my question I posted five minutes ago.

wbr,
Lukas

-- 
Lukas Ruf           | Wanna know anything about raw
http://www.lpr.ch   | IP? - http://www.rawip.org
eMail Style Guide: http://www.rawip.org/style.html
Re: GnuPG can not read some pgp signatures
On 2004 January 06 18:26, Lukas Ruf wrote:
> I assume the keys you try to make use of are for PGP 2.x -- thus they require idea. As far as I found on the web, the gpg-idea package somehow vanished. See my question I posted five minutes ago.

But there are not any gpg-idea packages anywhere. I mean, isn't there a hp for that idea plugin? On the www.gnupg.org site, there isn't any info about this plugin. Where can I download the sources of this idea plugin?

Daniel

> wbr,
> Lukas
>
> -- 
> Lukas Ruf           | Wanna know anything about raw
> http://www.lpr.ch   | IP? - http://www.rawip.org
> eMail Style Guide: http://www.rawip.org/style.html

-- 
LeVA
Re: GnuPG can not read some pgp signatures
On Tue, Jan 06, 2004 at 19:06:50 +0100, LeVA wrote:
> But there are not any gpg-idea packages anywhere.

IDEA is patent encumbered in much of Europe, including The Netherlands where non-us.debian.org is hosted and apparently Germany where ftp.gnupg.org is hosted (AFAIK).

> On the www.gnupg.org site, there aren't any info about this plugin.

ftp://ftp.gnupg.org/gcrypt/contrib/README.idea leads you to ftp://ftp.gnupg.dk/pub/contrib-dk/idea.c.gz and ftp://ftp.gnupg.dk/pub/contrib-dk/idea.c.gz.sig

Comments in the .c file explain how to build/use it.

HTH,
Ray

-- 
Text processing doesn't matter. Fortran.
    Larry Wall on common fallacies of language design
Re: GnuPG can not read some pgp signatures
On 2004 January 06 19:17, J.H.M. Dassen (Ray) wrote:
> On Tue, Jan 06, 2004 at 19:06:50 +0100, LeVA wrote:
> > But there are not any gpg-idea packages anywhere.
>
> IDEA is patent encumbered in much of Europe, including The Netherlands where non-us.debian.org is hosted and apparently Germany where ftp.gnupg.org is hosted (AFAIK).
>
> > On the www.gnupg.org site, there aren't any info about this plugin.
>
> ftp://ftp.gnupg.org/gcrypt/contrib/README.idea leads you to ftp://ftp.gnupg.dk/pub/contrib-dk/idea.c.gz

A quote from that .c file:

however we suggest to avoid this algorithm entirely due to interoperability problems.

Then it is not about my wrong configuration, or my problem if I can not use those signatures, right? This is the other partner's problem, that he/she uses an algorithm which is not international? Am I right?

Daniel

> and ftp://ftp.gnupg.dk/pub/contrib-dk/idea.c.gz.sig
>
> Comments in the .c file explain how to build/use it.
>
> HTH,
> Ray
>
> -- 
> Text processing doesn't matter. Fortran.
>     Larry Wall on common fallacies of language design

-- 
LeVA
Re: GnuPG can not read some pgp signatures
Quoting Lukas Ruf ([EMAIL PROTECTED]):
> I assume the keys you try to make use of are for PGP 2.x -- thus they require idea. As far as I found on the web, the gpg-idea package somehow vanished. See my question I posted five minutes ago.

You probably already realise this, but idea.c is still available at ftp://ftp.gnupg.dk/pub/contrib-dk/ for anyone who really needs it -- though it's been dropped from the upstream tarball.

-- 
Cheers,                  * Contributing Editor, Linux Gazette *
Rick Moen                -*- See the Linux Gazette in its new home: -*-
[EMAIL PROTECTED]        http://linuxgazette.net/
Re: [SECURITY] [DSA 411-1] New mpg321 packages fix format string vulnerability - PGP key?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 06 January 2004 06.37, s. keeling wrote:
> Incoming from Matt Zimmerman:
> > Debian Security Advisory DSA 411-1                   [EMAIL PROTECTED]
> > http://www.debian.org/security/                       Matt Zimmerman
> > January 5th, 2004                     http://www.debian.org/security/faq
> >
> > Package        : mpg321
> > Vulnerability  : format string
> > Problem-Type   : remote
> > Debian-specific: no
> > CVE Ids        : CAN-2003-0969
>
> Were any of you able to verify the PGP signatures on the latest
> debian-security-announce messages? I can't:
>
> [-- PGP output follows (current time: Mon 05 Jan 2004 10:30:43 PM MST) --]
> gpg: Signature made Mon 05 Jan 2004 07:51:35 PM MST using DSA key ID 43E25D1E
> gpg: Can't check signature: public key not found
> [-- End of PGP output --]
>
> I'm using mutt, and ESC-P usually works checking traditional PGP signatures, but not with these three (bind, libnids, mpg321).
>
> -- 
> Any technology distinguishable from magic is insufficiently advanced.
> (*) http://www.spots.ab.ca/~keeling

maybe you have to import [EMAIL PROTECTED]'s public key.

ZsoL

- -- 
ICQ#: 66782170
PGP key: http://pks.gpg.cz:11371/pks/lookup?op=getsearch=0x440202C3137B1CB4
I love deadlines. I like the whooshing sound they make as they fly by.
    - Douglas Adams
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQE/+lHZRAICwxN7HLQRAmk9AKC9NYqT7GOgOw9ClKkwV+2KskLq3QCfTtcX
TypB/rTlckTUvsO1U/ZYEus=
=G2Rd
-----END PGP SIGNATURE-----
Re: [SECURITY] [DSA 411-1] New mpg321 packages fix ... - PGP key? [solved]
Incoming from ZsoL: Hash: SHA1 On Tuesday 06 January 2004 06.37, s. keeling wrote: Incoming from Matt Zimmerman: Debian Security Advisory DSA 411-1 [EMAIL PROTECTED] http://www.debian.org/security/ Matt Zimmerman January 5th, 2004 http://www.debian.org/security/faq Package: mpg321 Were any of you able to verify the PGP signatures on the latest debian-security-announce messages? I can't: [-- PGP output follows (current time: Mon 05 Jan 2004 10:30:43 PM MST) 43E25D1E gpg: Can't check signature: public key not found [-- End of PGP output --] maybe you have to import [EMAIL PROTECTED]'s public key. I've tried. GPA import key fails quietly. So I used w3m to go to the URL he supplied: (2) keeling /home/keeling/dox_ gpg --verify matt_zimmerman.txt gpg: verify signatures failed: unexpected data (2) keeling /home/keeling/dox_ gpg --verify matt_zimmerman.txt gpg: verify signatures failed: unexpected data So, I tried wget: (0) keeling /home/keeling/dox_ gpg --verify lookup\?op\=get\search\=0x440202C3137B1CB4 gpg: verify signatures failed: unexpected data (2) keeling /home/keeling/dox_ gpg --verify lookup\?op\=get\search\=0x440202C3137B1CB4 gpg: verify signatures failed: unexpected data So, I Copied the mail to a file, then: (0) keeling /home/keeling/dox_ gpg --verify-files matt_zimmerman.msg gpg: Signature made Mon 05 Jan 2004 07:51:35 PM MST using DSA key ID 43E25D1E gpg: Can't check signature: public key not found Then I tried --import: (2) keeling /home/keeling/dox_ gpg --import matt_zimmerman.msg gpg: no valid OpenPGP data found. gpg: Total number processed: 0 Ah! Finally: (2) keeling /home/keeling/dox_ gpg --recv-keys 43E25D1E gpg: key 43E25D1E: removed multiple subkey binding gpg: key 43E25D1E: public key Matt Zimmerman [EMAIL PROTECTED] imported gpg: Total number processed: 1 gpg: imported: 1 Now why was that so difficult?!? Every other time just reading mail from someone grabs their key from the keyserver and checks the signature. 
-- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling - -
Re: [SECURITY] [DSA 411-1] New mpg321 packages fix format string vulnerability - PGP key?
On Mon, Jan 05, 2004 at 10:37:49PM -0700, s. keeling wrote: Incoming from Matt Zimmerman: Debian Security Advisory DSA 411-1 [EMAIL PROTECTED] http://www.debian.org/security/ Matt Zimmerman January 5th, 2004 http://www.debian.org/security/faq Package: mpg321 Vulnerability : format string Problem-Type : remote Debian-specific: no CVE Ids: CAN-2003-0969 Were any of you able to verify the PGP signatures on the latest debian-security-announce messages? I can't: [-- PGP output follows (current time: Mon 05 Jan 2004 10:30:43 PM MST) --] gpg: Signature made Mon 05 Jan 2004 07:51:35 PM MST using DSA key ID 43E25D1E gpg: Can't check signature: public key not found [-- End of PGP output --] wget -O- http://www.debian.org/security/keys.txt | gpg --import -- - mdz
Content-Type in DSAs
Hi!

When I recently read about problems with verifying the PGP signature of DSAs, I realized that for most DSAs mutt does not automatically check the signature. Comparing the DSAs and reading how mutt recognizes a PGP signed message, I found that only some DSAs from Martin Schulze have a Content-Type as mutt wants it:

  Content-Type: application/pgp; format=text; x-action=sign

Newer ones from him and all others have this:

  Content-Type: text/plain; charset=us-ascii

Mutt *can* verify these, but only when told with (default) ESC P. And this does not change the message, mutt will lose the info when it leaves the mailbox.

I'm wondering if there is a *technical* reason for not using application/pgp in DSAs. If there isn't, I would like to ask the security group to use that in order to make MUAs like mutt verify their signatures automatically.

Yes, I know about the procmail hack. And I will set it up now. But for the sake of people like me before I started to investigate this, I still wanted to ask this question.

Thank you for your patience,
Lupe Christoph

-- 
| [EMAIL PROTECTED] | http://www.lupe-christoph.de/ |
| Violence is the resort of the violent  Lu Tze |
| Thief of Time, Terry Pratchett |
Re: Content-Type in DSAs
* Lupe Christoph [Tue, 06 Jan 2004 11:25:27 +0100]:

> When I recently read about problems with verifying the PGP signature of DSAs, I realized that for most DSAs mutt does not automatically check the signature. Comparing the DSAs and reading how mutt recognizes a PGP signed message, I found that only some DSAs from Martin Schulze have a Content-Type as mutt wants it:
>
> Content-Type: application/pgp; format=text; x-action=sign

I think this format is obsolete. A correct PGP/MIME message would read something similar to (correct me if I'm wrong):

  Content-Type: multipart/signed; micalg=pgp-sha1; protocol=application/pgp-signature; boundary=tKW2IUtsqtDRztdT

> Newer ones from him and all others have this:
>
> Content-Type: text/plain; charset=us-ascii
>
> Mutt *can* verify these, but only when told with (default) ESC P. And this does not change the message, mutt will lose the info when it leaves the mailbox.

> Yes, I know about the procmail hack. And I will set it up now. But for the sake of people like me before I started to investigate this, I still wanted to ask this question.

I know about the procmail hack too, and it miserably fails when the message is a multipart one. Of course the long term solution is to get everybody to use the new not-obsolete PGP/MIME format, but in the meanwhile I would recommend to mutt users to try this little mutt hook:

  message-hook '!(~g|~G) ~b^-----BEGIN\ PGP\ (SIGNED\ )?MESSAGE' exec check-traditional-pgp

Personally, I found it quite useful, as I've now completely forgotten about headaches brought by inline-signed mail. (The hook, obviously, simulates pressing ESC P *each* time the message is viewed.)

HTH.

-- 
Adeodato Simó (a.k.a. thibaut)
EM: asp16 [ykwim] alu.ua.es | IM: my_dato [jabber.org] | PK: DA6AE621

If there is a sin against life, it consists perhaps not so much in despairing of life as in hoping for another life and in eluding the implacable grandeur of this life.
  -- Albert Camus
Re: 2.4.18-bf2.4 version confusion, patches?
On Mon, 2004-01-05 at 16:57, Matt Zimmerman wrote:
> On Mon, Jan 05, 2004 at 02:26:12PM +0100, kuene wrote:
> [snip]
> You are still wrong. What you do not understand is, when you install Debian, you do not have the package kernel-image-2.4.18-bf2.4 installed. You have a copy of some of the files in that package, but the package itself is not installed, and so will never be automatically upgraded.
> [snip]

I know that the kernel is not installed. But if you install it (apt-get install kernel-image-2.4.18-bf2.4) it will be an old one, with security holes! Is this true?

greets
kuene
Re: Content-Type in DSAs
Hi Lupe,

* Lupe Christoph [EMAIL PROTECTED] wrote:
> Comparing the DSAs and reading how mutt recognizes a PGP signed message, I found that only some DSAs from Martin Schulze have a Content-Type as mutt wants it:
>
> Content-Type: application/pgp; format=text; x-action=sign

<- PGP/MIME

> Newer ones from him and all others have this:
>
> Content-Type: text/plain; charset=us-ascii

<- old, deprecated format

> Mutt *can* verify these, but only when told with (default) ESC P. And this does not change the message, mutt will lose the info when it leaves the mailbox.

right. mutt doesn't change the mail but just verifies the message.

> I'm wondering if there is a *technical* reason for not using application/pgp in DSAs. If there isn't, I would like to ask the security group to use that in order to make MUAs like mutt verify their signatures automatically.

There is a reason: Broken MUAs which still do not support PGP/MIME.

> Yes, I know about the procmail hack. And I will set it up now. But for the sake of people like me before I started to investigate this, I still wanted to ask this question.

This is a workaround, not a solution. The solution would be either to fix broken MUAs or to not use such broken MUAs.

- Alexander
Re: another kernel vulnerability
On Monday, 05 January 2004, at 17:21:52 +0100, Teófilo Ruiz Suárez wrote:
> What about 2.6? Is it fixed anyhow?

It seems to be fixed in 2.6.1-rc2, as Linus said. But the fix seems to be temporary while kernel gurus and the people in charge of libc agree on a better solution.

http://marc.theaimsgroup.com/?l=linux-kernel&m=107332772321771&w=2

From patch-2.6.1-rc2.bz2:

diff -Nru a/mm/mremap.c b/mm/mremap.c --- a/mm/mremap.c Mon Jan 5 22:49:37 2004 +++ b/mm/mremap.c Mon Jan 5 22:49:37 2004 @@ -315,6 +315,10 @@ old_len = PAGE_ALIGN(old_len); new_len = PAGE_ALIGN(new_len); + /* Don't allow the degenerate cases */ + if (!(old_len | new_len)) + goto out; + /* new_addr is only valid if MREMAP_FIXED is specified */ if (flags MREMAP_FIXED) { if (new_addr ~PAGE_MASK)

Greetings.

-- 
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.6.1-rc1)
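Review bot: the new guard `if (!(old_len | new_len)) goto out;` rejects only the case where both lengths are zero, since the OR of two unsigned values is zero only when each of them is; a zero old_len paired with a non-zero new_len, or the reverse, passes this check and is left to the code that follows, so the comment should say "both lengths zero" rather than the vaguer "degenerate cases". The hunk also sets no return value before jumping to `out`; the value returned through that label is not visible here, so confirm it already holds an error code at this point, otherwise the early exit reports success for a request that did nothing.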
GnuPG can not read some pgp signatures
Hello!

I have installed KMail a few days ago, and with it I've installed the GnuPG program too. But some of the signatures can not be read by gpg. There are some messages which have a signature.asc attached, but KMail writes this in the message window:

  The message is signed, but the validity of the signature can't be verified.
  Reason: No appropriate crypto plug-in was found.

And when I save the attached signature and run

  cat signature.asc | gpg --import

I get these messages:

  gpg: no valid OpenPGP data found.
  gpg: Total number processed: 0

But sometimes I get messages which also have a signature file attached, and it can be verified by KMail, and the signatures can be imported with gpg. For example these keys: http://www.debian.org/security/keys.txt
I can import those keys, and KMail can verify these keys when I'm getting emails from those guys.

What could be the problem with the other signature files? If it helps, I can send you a signature which is not working.

Thanks for the help!

Daniel
-- 
LeVA
Re: 2.4.18-bf2.4 version confusion, patches?
On Tue, Jan 06, 2004 at 12:29:41PM +0100, kuene wrote:
> On Mon, 2004-01-05 at 16:57, Matt Zimmerman wrote:
> > On Mon, Jan 05, 2004 at 02:26:12PM +0100, kuene wrote:
> > [snip]
> > You are still wrong. What you do not understand is, when you install Debian, you do not have the package kernel-image-2.4.18-bf2.4 installed. You have a copy of some of the files in that package, but the package itself is not installed, and so will never be automatically upgraded.
> > [snip]
>
> I know that the kernel is not installed. But if you install it (apt-get install kernel-image-2.4.18-bf2.4) it will be an old one, with security holes! Is this true?

No, that is completely false.

-- 
 - mdz
Re: GnuPG can not read some pgp signatures
On Tue, Jan 06, 2004 at 19:06:50 +0100, LeVA wrote:
> But there are not any gpg-idea packages anywhere.

IDEA is patent encumbered in much of Europe, including The Netherlands where non-us.debian.org is hosted and apparently Germany where ftp.gnupg.org is hosted (AFAIK).

> On the www.gnupg.org site, there aren't any info about this plugin.

ftp://ftp.gnupg.org/gcrypt/contrib/README.idea leads you to ftp://ftp.gnupg.dk/pub/contrib-dk/idea.c.gz and ftp://ftp.gnupg.dk/pub/contrib-dk/idea.c.gz.sig
Comments in the .c file explain how to build/use it.

HTH,
Ray
-- 
Text processing doesn't matter. Fortran.
  Larry Wall on common fallacies of language design
Re: GnuPG can not read some pgp signatures
On 6 January 2004 19:17, J.H.M. Dassen (Ray) wrote:
> On Tue, Jan 06, 2004 at 19:06:50 +0100, LeVA wrote:
> > But there are not any gpg-idea packages anywhere.
>
> IDEA is patent encumbered in much of Europe, including The Netherlands where non-us.debian.org is hosted and apparently Germany where ftp.gnupg.org is hosted (AFAIK).
>
> > On the www.gnupg.org site, there aren't any info about this plugin.
>
> ftp://ftp.gnupg.org/gcrypt/contrib/README.idea leads you to ftp://ftp.gnupg.dk/pub/contrib-dk/idea.c.gz

A quote from that .c file:

  however we suggest to avoid this algorithm entirely due to interoperability problems.

Then it is not about my wrong configuration, or my problem if I can not use those signatures, right? This is the other partner's problem, that he/she uses an algorithm which is not international? Am I right?

Daniel

> and ftp://ftp.gnupg.dk/pub/contrib-dk/idea.c.gz.sig
> Comments in the .c file explain how to build/use it.
>
> HTH,
> Ray
> -- 
> Text processing doesn't matter. Fortran.
>   Larry Wall on common fallacies of language design

-- 
LeVA
Re: GnuPG can not read some pgp signatures
On 6 January 2004 18:26, Lukas Ruf wrote:
> I assume the keys you try to make use of are for PGP 2.x -- thus they require idea. As far as I found on the web, the gpg-idea package somehow vanished. See my question I posted five minutes ago.

But there are not any gpg-idea packages anywhere. I mean, isn't there a hp for that idea plugin? On the www.gnupg.org site, there aren't any info about this plugin. Where can I download the sources of this idea plugin?

Daniel

> wbr,
> Lukas
> -- 
> Lukas Ruf | Wanna know anything about raw | http://www.lpr.ch | IP? - http://www.rawip.org | eMail Style Guide: http://www.rawip.org/style.html

-- 
LeVA
Re: GnuPG can not read some pgp signatures
Quoting Lukas Ruf ([EMAIL PROTECTED]):
> I assume the keys you try to make use of are for PGP 2.x -- thus they require idea. As far as I found on the web, the gpg-idea package somehow vanished. See my question I posted five minutes ago.

You probably already realise this, but idea.c is still available at ftp://ftp.gnupg.dk/pub/contrib-dk/ for anyone who really needs it -- though it's been dropped from the upstream tarball.

-- 
Cheers,            * Contributing Editor, Linux Gazette *
Rick Moen          -*- See the Linux Gazette in its new home: -*-
[EMAIL PROTECTED]  http://linuxgazette.net/
Re: GnuPG can not read some pgp signatures
LeVA [EMAIL PROTECTED] [2004-01-06 18:22]:
> Hello!
>
> I have installed KMail a few days ago, and with it I've installed the GnuPG program too. But some of the signatures can not be read by gpg. There are some messages which have a signature.asc attached, but KMail writes this in the message window:
>
> The message is signed, but the validity of the signature can't be verified.
> Reason: No appropriate crypto plug-in was found.
>
> And when I save the attached signature and run cat signature.asc | gpg --import, I get these messages:
>
> gpg: no valid OpenPGP data found.
> gpg: Total number processed: 0

I assume the keys you try to make use of are for PGP 2.x -- thus they require idea. As far as I found on the web, the gpg-idea package somehow vanished. See my question I posted five minutes ago.

wbr,
Lukas
-- 
Lukas Ruf | Wanna know anything about raw | http://www.lpr.ch | IP? - http://www.rawip.org | eMail Style Guide: http://www.rawip.org/style.html
Re: Content-Type in DSAs
Clinging to sanity, Alexander Neumann mumbled in his beard:
> Hi Lupe,
>
> * Lupe Christoph [EMAIL PROTECTED] wrote:
> > Comparing the DSAs and reading how mutt recognizes a PGP signed message, I found that only some DSAs from Martin Schulze have a Content-Type as mutt wants it:
> >
> > Content-Type: application/pgp; format=text; x-action=sign
>
> <- PGP/MIME

No. PGP/MIME is multipart/signed on the top level, whatever the mime type of the message is in the first MIME part, and application/pgp-signature in the second MIME part. application/pgp is a never standardized text/plain variant of an inline signed message, with the main problem that some Mailers do not render it correctly (since they assume that unknown application/... is binary, not text).

cheers
-- vbi

-- 
Protect your privacy - encrypt your email: http://fortytwo.ch/gpg/intro
get my key from http://fortytwo.ch/gpg/92082481
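The three layouts this thread argues about can be told apart mechanically from the message headers and body, which is what the mutt hook posted earlier in the thread does with its `~b^-----BEGIN\ PGP\ (SIGNED\ )?MESSAGE` body match. The following classifier is an added example written for this page; it is not code posted by any participant and not part of mutt or GnuPG. It distinguishes PGP/MIME (multipart/signed with protocol=application/pgp-signature, which a MUA verifies on its own), the legacy application/pgp type, and a text/plain body that merely contains an inline armored block. The sample messages are constructed here and carry placeholder signature data, so nothing is cryptographically verified; the point is the structural check that decides whether automatic verification can happen at all.

```python
"""Classify how an e-mail carries its OpenPGP signature (added example)."""
import email
import re
from email.message import Message

# Same body pattern the mutt hook keys on: an inline armored header line.
INLINE_RE = re.compile(r"^-----BEGIN PGP (SIGNED )?MESSAGE-----", re.MULTILINE)


def classify_signature(msg: Message) -> str:
    """Return 'pgp-mime', 'application/pgp', 'inline', 'other-signed' or 'none'."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        # RFC 3156 layout: two parts, the protocol parameter names the
        # second part's type, and that part is the detached signature.
        protocol = (msg.get_param("protocol") or "").lower()
        parts = msg.get_payload()
        if (protocol == "application/pgp-signature"
                and isinstance(parts, list) and len(parts) == 2
                and parts[1].get_content_type() == "application/pgp-signature"):
            return "pgp-mime"
        return "other-signed"  # S/MIME, or a malformed PGP/MIME message
    if ctype == "application/pgp":
        return "application/pgp"  # never-standardized inline variant
    # Otherwise scan the text parts for an armored inline signature,
    # which is the case a MUA only verifies when told to.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "us-ascii", "replace")
        if INLINE_RE.search(text):
            return "inline"
    return "none"


def classify_raw(raw_message: str) -> str:
    """Parse an RFC 822 message from a string and classify it."""
    return classify_signature(email.message_from_string(raw_message))


# Constructed samples; the armored blocks are placeholders, not real signatures.
PGP_MIME_SAMPLE = """\
From: announce@example.invalid
Subject: constructed PGP/MIME sample
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature"; boundary="tKW2IUtsqtDRztdT"

--tKW2IUtsqtDRztdT
Content-Type: text/plain; charset=us-ascii

Advisory text goes here.
--tKW2IUtsqtDRztdT
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
(placeholder)
-----END PGP SIGNATURE-----
--tKW2IUtsqtDRztdT--
"""

INLINE_SAMPLE = """\
From: announce@example.invalid
Subject: constructed inline-signed sample
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory text goes here.
-----BEGIN PGP SIGNATURE-----
(placeholder)
-----END PGP SIGNATURE-----
"""

# Same body, but with the legacy Content-Type discussed in the thread.
LEGACY_SAMPLE = INLINE_SAMPLE.replace(
    "Content-Type: text/plain; charset=us-ascii",
    "Content-Type: application/pgp; format=text; x-action=sign")

UNSIGNED_SAMPLE = """\
From: someone@example.invalid
Subject: constructed unsigned sample
Content-Type: text/plain; charset=us-ascii

Nothing to verify here.
"""

if __name__ == "__main__":
    for name, sample in [("pgp/mime", PGP_MIME_SAMPLE), ("inline", INLINE_SAMPLE),
                         ("legacy", LEGACY_SAMPLE), ("unsigned", UNSIGNED_SAMPLE)]:
        print(f"{name:9s} -> {classify_raw(sample)}")
```

Only the first result means the MUA can verify without user action; the other two signed layouts are what the procmail hack and the mutt hook exist to work around, and a filter built on `classify_raw` could flag list mail that still arrives in them.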
Re: [SECURITY] [DSA 407-1] New ethereal packages fix several vulnerabilities
On Mon, Jan 05, 2004 at 10:36:28AM -0700, s. keeling wrote:
> Incoming from Martin Schulze:
> > Debian Security Advisory DSA 407-1 [EMAIL PROTECTED] http://www.debian.org/security/
> > Martin Schulze January 5th, 2004 http://www.debian.org/security/faq
> > Package: ethereal
>
> This showed up this morning with a couple of others (lftp, screen), so I did apt-get update ; apt-get upgrade. That picked up the others but not ethereal. Why is that? I had ethereal installed, though I've never used it. It was easily sorted out with apt-get install ethereal; I just wonder why it didn't come along with the other two updates.

Perhaps you installed ethereal from testing or unstable at one point, and so your version is newer than the provided security update.

-- 
 - mdz
Re: unsubscribe
Hi Listreaders,

I just found exim's (3) config file in woody is installed with 0644 file permission by default. This might be okay for a standard installation, but might that not raise a security bug as soon as you use either
- client side authentication and have to insert the password there somewhere?
- another backend than /etc/passwd or similar? For example getting eMail addresses from ldap or any other database needs some password to connect to it.

Might it not be more secure installing /etc/exim/exim.conf 0640 with root:mail file permission?

I am not sure about that, so I did not open a bug at the BTS yet. Please give me advice.

-- 
Regards, Martin Helas
mailto:[EMAIL PROTECTED] | Debian GNU/Linux, because reboots are for hardware upgrades.
PGP-Fingerprint: 1474 4CAC EF5C ECFA E29E 2CB1 7929 AB90 F7AC 3AF
exim.conf file permission
Hi Listreaders,

sorry for the double-post, but after accidentally writing my prior email with the wrong subject, and someone noted (PM) that some of you might drop mails with 'unsubscribe' subject, I do a repost of my message. Here is what I wrote:

I just found exim's (3) config file in woody is installed with 0644 file permission by default. This might be okay for a standard installation, but might that not raise a security bug as soon as you use either
- client side authentication and have to insert the password there somewhere?
- another backend than /etc/passwd or similar? For example getting eMail addresses from ldap or any other database needs some password to connect to it.

Might it not be more secure installing /etc/exim/exim.conf 0640 with root:mail file permission?

I am not sure about that, so I did not open a bug at the BTS yet. Please give me advice.

-- 
Regards, Martin Helas
mailto:[EMAIL PROTECTED] | Debian GNU/Linux, because reboots are for hardware upgrades.
PGP-Fingerprint: 1474 4CAC EF5C ECFA E29E 2CB1 7929 AB90 F7AC 3AF
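The question above reduces to two observable facts about one file: is it readable by every local user, and does it hold a credential. The audit below is an added example written for this page, not code from the thread or from exim; it reports mode, owner and group, flags the world-readable bit, and greps the file for directive fragments that typically carry a password or a lookup back-end connection string. The sample configuration is constructed here and its directive names are illustrative rather than checked against real exim 3 syntax; RECOMMENDED_MODE and RECOMMENDED_GROUP encode the 0640 root:mail setting the poster proposes.

```python
"""Audit a mail-server configuration file for credentials readable by all (added example)."""
import grp
import os
import pwd
import re
import stat
import tempfile

# The tightened setting proposed in the thread: 0640, owned root:mail.
RECOMMENDED_MODE = 0o640
RECOMMENDED_GROUP = "mail"

# Directive fragments that usually carry a secret: SMTP AUTH client passwords
# and the connection strings of LDAP/SQL lookup back-ends (illustrative list).
SECRET_RE = re.compile(r"pass(word)?|secret|ldap://|mysql_servers|pgsql_servers",
                       re.IGNORECASE)

# Constructed sample; the syntax is illustrative, not real exim 3 configuration.
SAMPLE_CONF = """\
# exim configuration (constructed sample)
primary_hostname = mail.example.invalid
mysql_servers = localhost/exim/eximuser/s3cret-db-password
ldap_default_servers = ldap.example.invalid
client_send = : exim : smtp-relay-password
"""


def _name(lookup, ident):
    """Resolve a uid/gid to a name, falling back to the bare number."""
    try:
        return lookup(ident)
    except KeyError:
        return str(ident)


def audit_config(path):
    """Return a report dict describing who can read the file and what it leaks."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    owner = _name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid)
    group = _name(lambda g: grp.getgrgid(g).gr_name, st.st_gid)
    with open(path, encoding="utf-8", errors="replace") as fh:
        secret_lines = [n for n, line in enumerate(fh, 1) if SECRET_RE.search(line)]
    world_readable = bool(mode & stat.S_IROTH)
    return {
        "mode": mode,
        "owner": owner,
        "group": group,
        "world_readable": world_readable,
        "secret_lines": secret_lines,
        # Worth a bug report only when both hold: anyone can read it, and it
        # holds something that looks like a credential.
        "needs_tightening": world_readable and bool(secret_lines),
        "recommended": (RECOMMENDED_MODE, "root", RECOMMENDED_GROUP),
    }


def demo(mode):
    """Write the constructed sample with the given mode, audit it, clean up."""
    fd, path = tempfile.mkstemp(prefix="exim.conf.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(path, mode)
        return audit_config(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for mode in (0o644, 0o640):
        report = demo(mode)
        print(f"mode {report['mode']:o} {report['owner']}:{report['group']} "
              f"world_readable={report['world_readable']} "
              f"secret_lines={report['secret_lines']} "
              f"needs_tightening={report['needs_tightening']}")
```

Run against a real path, `audit_config("/etc/exim/exim.conf")` gives the evidence a bug report would need: the current mode and ownership alongside the line numbers that hold credentials. The default 0644 install is harmless until one of those lines appears, which is why the check couples the two conditions rather than flagging every world-readable config.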