Request for help with Kernel, Ethereal and Lesstif
Lesstif -- We have a bunch of patches for libxpm, which is also part of lesstif1-1 in woody, that need to be applied and tested. It needs to be investigated whether the version in sarge needs patches as well. This refers to only a single bug (CAN-2004-0914) but results in quite a large patch that does not cleanly apply. A good C coder with a lesstif test environment is required.

Ethereal -- The test program, Red Hat and iDEFENSE discovered several (read 24) flaws in various dissectors of Ethereal. The patches need to be reviewed and applied to the versions in woody, sarge and sid. For sid the maintainer could use some help, hence, I've mentioned it above. The advisory text should be proposed as well.

Kernel -- I have prepared an updated kernel package for woody's 2.4.18 kernel for a number of vulnerabilities (some 40). This work needs to be reviewed and ported to 2.4.16, 2.4.17 and 2.4.19 including testing. The 2.4.18 kernel is running on a test machine and under a real environment during LinuxTag and from time to time afterwards without problems.

For all sets of packages it needs to be documented which bugs exist in which version.

All three issues have escaped the time frame of the security team in the past, hence, I'm now calling for help. The volunteer is required to be a registered Debian developer. If you are interested and sure that you can work on one of these issues, please get in touch with me. If you are not 100% sure that your skills are sufficient, please don't contact me, since I would probably only waste time needed for other stuff.

Regards,

Joey

--
Long noun chains don't automatically imply security. -- Bruce Schneier

Please always Cc to me when replying to me on the lists.
Re: [SECURITY] [DSA 794-1] New polygen packages fix denial of service
* Martin Schulze:

> Debian-specific: no

Shouldn't this be "yes"?
Re: [SECURITY] [DSA 794-1] New polygen packages fix denial of service
I will be out of the office from Thursday, September 1st through Monday September 5th. If you have an urgent need, please call me on my cell phone. Also, please note that Cingular, my cellular provider, is experiencing unusually high outages due to the aftermath of hurricane Katrina.

Russell Harvey
(318) 426-5921
Re: anonftpsync (was: security archive defective!?)
Andreas Barth wrote:

> That all the necessary directories and symlinks are mirrored, including
> project/trace. Also, AFAIUI debmirror creates a much higher load on the
> server you're pulling from than anonftpsync (as debmirror opens lots of
> rsync-connections, whereas anonftpsync just does two).

debmirror handles trace files properly and can use a single ftp connection. Or at least it did when I wrote it.

--
see shy jo
Re: AW: [SECURITY] [DSA 779-2] New Mozilla Firefox packages fix several vulnerabilities
On Thu, 1 Sep 2005 16:36:54 +0200 "Felix Schrader" <[EMAIL PROTECTED]> wrote:

> Hello,

Hi,

> I don't know why, but I receive e-mails like this
> from you several times a day.
> Perhaps you could solve the problem.

I know why. Your e-mail address is subscribed to the debian-security-announce mailing list. How to unsubscribe is stated in the mail itself. So where is the problem?

> Thanks!
>
> Felix Schrader

You're welcome,
Evgeni Golov
AW: [SECURITY] [DSA 779-2] New Mozilla Firefox packages fix several vulnerabilities
Hello,

I don't know why, but I receive e-mails like this from you several times a day. Perhaps you could solve the problem.

Thanks!

Felix Schrader

-----Original Message-----
From: Martin Schulze [mailto:[EMAIL PROTECTED]
Sent: Thursday, 1 September 2005 16:07
To: Debian Security Announcements
Subject: [SECURITY] [DSA 779-2] New Mozilla Firefox packages fix several vulnerabilities

Debian Security Advisory DSA 779-2 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
September 1st, 2005 http://www.debian.org/security/faq

Package : mozilla-firefox
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-2260 CAN-2005-2261 CAN-2005-2262 CAN-2005-2263 CAN-2005-2264 CAN-2005-2265 CAN-2005-2266 CAN-2005-2267 CAN-2005-2268 CAN-2005-2269 CAN-2005-2270
BugTraq ID : 14242
Debian Bug : 318061

We experienced that the update for Mozilla Firefox from DSA 779-1 unfortunately was a regression in several cases. Since the usual praxis of backporting apparently does not work, this update is basically version 1.0.6 with the version number rolled back, and hence still named 1.0.4-*. For completeness below is the original advisory text:

Several problems have been discovered in Mozilla Firefox, a lightweight web browser based on Mozilla. The Common Vulnerabilities and Exposures project identifies the following problems:

CAN-2005-2260
The browser user interface does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user.

CAN-2005-2261
XML scripts ran even when Javascript disabled.

CAN-2005-2262
The user can be tricked to executing arbitrary JavaScript code by using a JavaScript URL as wallpaper.

CAN-2005-2263
It is possible for a remote attacker to execute a callback function in the context of another domain (i.e. frame).

CAN-2005-2264
By opening a malicious link in the sidebar it is possible for remote attackers to steal sensitive information.

CAN-2005-2265
Missing input sanitising of InstallVersion.compareTo() can cause the application to crash.

CAN-2005-2266
Remote attackers could steal sensitive information such as cookies and passwords from web sites by accessing data in alien frames.

CAN-2005-2267
By using standalone applications such as Flash and QuickTime to open a javascript: URL, it is possible for a remote attacker to steal sensitive information and possibly execute arbitrary code.

CAN-2005-2268
It is possible for a Javascript dialog box to spoof a dialog box from a trusted site and facilitates phishing attacks.

CAN-2005-2269
Remote attackers could modify certain tag properties of DOM nodes that could lead to the execution of arbitrary script or code.

CAN-2005-2270
The Mozilla browser family does not properly clone base objects, which allows remote attackers to execute arbitrary code.

The old stable distribution (woody) is not affected by these problems.

For the stable distribution (sarge) these problems have been fixed in version 1.0.4-2sarge3.

For the unstable distribution (sid) these problems have been fixed in version 1.0.6-1.

We recommend that you upgrade your Mozilla Firefox packages.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge - Source archives:
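A check worth placing between the advisory's wget and dpkg -i steps, as an added example that is not part of the advisory or of Debian's tooling: verify the downloaded package against the Size/MD5 pair the DSA publishes before installing it. It assumes GNU coreutils (md5sum, wc) and wget; the function names are the example's own.

```shell
#!/bin/sh
# Added example: verify a downloaded .deb against the Size/MD5 pair
# printed in a Debian Security Advisory before handing it to dpkg -i.
# verify_deb FILE EXPECTED_SIZE EXPECTED_MD5 -> returns 0 only if both match.
verify_deb() {
    file=$1; want_size=$2; want_md5=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # wc -c on stdin prints only the byte count (tr strips BSD padding)
    have_size=$(wc -c < "$file" | tr -d ' ')
    have_md5=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$have_size" != "$want_size" ]; then
        echo "size mismatch for $file: got $have_size, want $want_size" >&2
        return 1
    fi
    if [ "$have_md5" != "$want_md5" ]; then
        echo "md5 mismatch for $file: got $have_md5, want $want_md5" >&2
        return 1
    fi
    echo "ok: $file"
    return 0
}

# fetch_and_install URL SIZE MD5: the advisory's wget / dpkg -i steps with
# the verification in between. SIZE and MD5 are copied from the DSA text.
fetch_and_install() {
    url=$1; deb=$(basename "$url")
    wget -q "$url" || return 1
    verify_deb "$deb" "$2" "$3" || return 1
    dpkg -i "$deb"
}
```

The checksums are only as trustworthy as the advisory they were copied from, so the advisory's PGP signature is what anchors this check.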
unsubscribe....asynchronous error...10060
please am having problems with this (asynchronous socket error 10060)... i will be very grateful if it would be taken off my system.. it keeps popping up any time my pc is on..

Thanks
Re: anonftpsync (was: security archive defective!?)
* martin f krafft ([EMAIL PROTECTED]) [050901 09:58]:
> also sprach Andreas Barth <[EMAIL PROTECTED]> [2005.09.01.0858 +0200]:
> > I strongly recommend to use anonftpsync for mirroring any of the debian
> > archives
> What's the advantage over debmirror?

That it "just works"? :)

That all the necessary directories and symlinks are mirrored, including project/trace. Also, AFAIUI debmirror creates a much higher load on the server you're pulling from than anonftpsync (as debmirror opens lots of rsync-connections, whereas anonftpsync just does two).

I have seen lots of "interesting" issues with debmirror, but none with anonftpsync till now (and I'm working on the debian mirrors, so I've seen lots of different mirrors all over the world, with lots of "interesting" failures).

Cheers,
Andi
anonftpsync (was: security archive defective!?)
also sprach Andreas Barth <[EMAIL PROTECTED]> [2005.09.01.0858 +0200]:
> I strongly recommend to use anonftpsync for mirroring any of the debian
> archives

What's the advantage over debmirror?

--
Please do not send copies of list mail to me; I read the list!
martin f. krafft <[EMAIL PROTECTED]>
proud Debian developer and author: http://debiansystem.info
Re: Bad press again...
* Paul Gear:

> It makes perfect sense to me... All it's saying is that IP-to-MAC
> mappings are cached in the 'Recent' set for each interface for
> $MACLIST_TTL seconds without requiring them to be passed through the MAC
> filter for every packet.

The problem is this sentence: "Subsequent connection attempts from that IP address occurring within $MACLIST_TTL seconds will be accepted without having to scan all of the entries."

What does "accepted" mean in this context? Accepted without further checks? Of course, the intent was that only MAC list checks are skipped. But the same developer who implemented the maclist feature probably wrote that documentation, and missed the crucial RETURN/ACCEPT distinction.

> "Not documented at all" is not a phrase i've *ever* heard used about
> Shorewall.

The syntax is documented, but not the semantics. 8-)

> What you do in your lab is up to you, but isn't that a bit of a waste of
> time when Lorenzo has already done it?

The guidelines in the Developer's Reference suggest that the communication with the security team is not archived in the relevant bug report, even if the bug itself is public. So I didn't know about his activities.

> He just told me that he sent the results of his testing to the
> security team in his original request for a DSA.

Yes, in the meantime, I've been told that, too.