Re: Broken signature for DSA-2040-1

2010-05-02 Thread Sebastien Delafond
On May/02, Francesco Poli wrote:
> Could it be a Sylpheed bug?

We've narrowed it down to an encoding issue: the original DSA email was
sent as ISO-8859-1, and mutt was able to verify it just fine; however,
on a system using UTF-8, any kind of pasting of the original text will
produce a file that gpg does not verify: that'll teach me to include the
"é" in my first name instead of a plain "e" ;)

Cheers,

--Seb
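
The encoding issue described in the message above, as an added example that is not part of the original thread: it extracts the signed text of a clearsigned message and shows that the bytes fed to the hash differ between ISO-8859-1 and UTF-8 as soon as one non-ASCII character is present. The sample message, its placeholder signature block and all function names are constructed for illustration.

```python
import hashlib

# Constructed sample shaped like the advisory header; "\u00e9" is the "é".
# The signature block is a placeholder, not a real signature.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2040-1
S\u00e9bastien Delafond
- ------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
(placeholder)
-----END PGP SIGNATURE-----
"""

def signed_lines(message):
    """Return the cleartext lines covered by the signature (RFC 4880, 7.1)."""
    lines = message.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    # Skip the armor headers ("Hash: ...") and the blank line after them.
    body = lines[lines.index("", start) + 1:end]
    # Undo dash-escaping and drop trailing spaces/tabs, as a verifier does.
    return [(l[2:] if l.startswith("- ") else l).rstrip(" \t") for l in body]

def hashed_bytes(message, charset):
    """Bytes fed to the hash when the text is stored in `charset`."""
    # Canonical line ending is CRLF; the last line ending is not signed.
    return "\r\n".join(signed_lines(message)).encode(charset)

def digest_by_charset(message, charsets=("iso-8859-1", "utf-8")):
    # Comparison aid only: the real signature hash also covers a trailer
    # from the signature packet, so these are not the signed hash values.
    return {c: hashlib.sha1(hashed_bytes(message, c)).hexdigest()
            for c in charsets}

def non_ascii_lines(message):
    """Signed lines whose byte form depends on the charset."""
    return [l for l in signed_lines(message) if not l.isascii()]

if __name__ == "__main__":
    for charset, digest in digest_by_charset(SAMPLE).items():
        print(charset, digest)
    print("charset-sensitive lines:", non_ascii_lines(SAMPLE))
```

When a clearsigned message fails to verify after copy and paste, listing the charset-sensitive lines this way shows whether re-encoding the saved file to the sender's charset is worth trying before suspecting the mail client.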




Re: [SECURITY] [DSA 2040-1] New squidguard packages fix several vulnerabilities

2010-05-02 Thread Juan Rossi
Hey Bertolini, my dad may get in touch with you; if you have your cell
number, send it over here.

Let me know if you can help me with some papers I need for some paperwork;
not yet, but I am going to need it. I can pay you by bank transfer for
the favor.

Regards

Juan.-

On Mon, May 3, 2010 at 12:56 AM, Sebastien Delafond wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - 
> Debian Security Advisory DSA-2040-1                  secur...@debian.org
> http://www.debian.org/security/                       Sébastien Delafond
> May 02, 2010                          http://www.debian.org/security/faq
> - 
>
> Package        : squidguard
> Vulnerability  : buffer overflow
> Problem type   : remote
> Debian-specific: no
> CVE Ids        : CVE-2009-3700, CVE-2009-3826
> Debian Bug     : 553319
>
> It was discovered that in squidguard, a URL redirector/filter/ACL plugin
> for squid, several problems in src/sgLog.c and src/sgDiv.c allow remote
> users to either:
>
>  * cause a denial of service, by requesting long URLs containing many
>    slashes; this forces the daemon into emergency mode, where it does
>    not process requests anymore.
>
>  * bypass rules by requesting URLs whose length is close to predefined
>    buffer limits, in this case 2048 for squidguard and 4096 or 8192 for
>    squid (depending on its version).
>
> For the stable distribution (lenny), this problem has been fixed in
> version 1.2.0-8.4+lenny1.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 1.2.0-9.
>
> We recommend that you upgrade your squidguard package.
>
> Upgrade instructions
> - 
>
> wget url
>        will fetch the file for you
> dpkg -i file.deb
>        will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>        will update the internal database
> apt-get upgrade
>        will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 5.0 alias lenny
> - 
>
> Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
> mips, mipsel, powerpc, s390 and sparc.

Re: Broken signature for DSA-2040-1

2010-05-02 Thread Martin Schulze
Kurt Roeckx wrote:
> On Sun, May 02, 2010 at 09:06:46PM +0200, Francesco Poli wrote:
> > Hi,
> > I received DSA-2040-1 and verified its GPG signature, as I always do.
> > I found out that I am unable to correctly verify the signature.
> 
> Works for me:
> gpg: Signature made Sun 02 May 2010 02:55:15 PM CEST using DSA key ID 4E2ECA5A
> gpg: Good signature from "Moritz Muehlenhoff "
> gpg: aka "Moritz Muehlenhoff "

Without a working signature the mail wouldn't be transported through
debian-security-announce.  A valid security team member's signature is
required.

Regards,

Joey

-- 
Beware of bugs in the above code; I have only proved it correct,
not tried it.  -- Donald E. Knuth





Re: Broken signature for DSA-2040-1

2010-05-02 Thread Francesco Poli
On Sun, 2 May 2010 21:14:55 +0200 Kurt Roeckx wrote:

> On Sun, May 02, 2010 at 09:06:46PM +0200, Francesco Poli wrote:
> > Hi,
> > I received DSA-2040-1 and verified its GPG signature, as I always do.
> > I found out that I am unable to correctly verify the signature.
> 
> Works for me:
> gpg: Signature made Sun 02 May 2010 02:55:15 PM CEST using DSA key ID 4E2ECA5A
> gpg: Good signature from "Moritz Muehlenhoff "
> gpg: aka "Moritz Muehlenhoff "
> 
> 

Thanks for checking, Kurt.

Could it be a Sylpheed bug?

Is there a way to download the DSA in mbox format (just like I can
download bug reports with "querybts -m"), so that I can report the bug
against package sylpheed?


-- 
 http://www.inventati.org/frx/progs/scripts/pdebuild-hooks.html
 Need some pdebuild hook scripts?
. Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4




Re: Broken signature for DSA-2040-1

2010-05-02 Thread Kurt Roeckx
On Sun, May 02, 2010 at 09:06:46PM +0200, Francesco Poli wrote:
> Hi,
> I received DSA-2040-1 and verified its GPG signature, as I always do.
> I found out that I am unable to correctly verify the signature.

Works for me:
gpg: Signature made Sun 02 May 2010 02:55:15 PM CEST using DSA key ID 4E2ECA5A
gpg: Good signature from "Moritz Muehlenhoff "
gpg: aka "Moritz Muehlenhoff "


Kurt





Broken signature for DSA-2040-1

2010-05-02 Thread Francesco Poli
Hi,
I received DSA-2040-1 and verified its GPG signature, as I always do.
I found out that I am unable to correctly verify the signature.

I got confirmation that I am not the only one who sees this issue with
DSA-2040-1: see the following thread on debian-security-trac...@l.d.o
for further details
http://lists.debian.org/debian-security-tracker/2010/05/msg0.html

What went wrong?
Did the quoted-printable encoding mess up with the signature?


P.S.: please Cc: me on replies, as I am not subscribed to
debian-secur...@l.d.o

-- 
 http://www.inventati.org/frx/progs/scripts/pdebuild-hooks.html
 Need some pdebuild hook scripts?
. Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4

