** Please hold with approving this one before Monday, if possible.
** This is a forced release.
Author: Michal Zalewski [EMAIL PROTECTED]
Topic:
Insufficient parameter validation and unsafe default configuration
make numerous systems running samba SMB file sharing daemon vulnerable
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --
PACKAGE : samba
SUMMARY : Remote root vulnerability
All current secure-mail standards specify, as their
high-security option, a weak use of the public-key
sign and encrypt operations. ...
i've received permission from usenix to release the
paper on saturday (6/23):
http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.ps
On Tue, Jun 19, 2001 at 03:11:02AM +0200, Christian Kraemer wrote:
This is espacially anoying if you
use pam_limits.so to set rlimits. Every user could
cirrcumvent them easily by calling ssh in this way:
ssh user@server /bin/sh
The same problem was present in SSH 1.2.x some time ago and
Don Davis [EMAIL PROTECTED] writes:
Suppose Alice and Bob are business partners, and are setting
up a deal together. Suppose Alice decides to call off the
deal, so she sends Bob a secure-mail message: The deal is off.
Then Bob can get even with Alice:
* Bob waits until Alice has a new
Lyal Collins [EMAIL PROTECTED] wrote:
To: David Howe [EMAIL PROTECTED]; [EMAIL PROTECTED]
One significant issue is that an expert witness can cast doubt, not
only on the digital signature in question, but upon _every_ digitally
signed document each party received.
Yes - An expert witness
Does anybody know why openssh (openssh-2.9p1) on a linux system does not call
pam_open_session if no pty is used? In this way the session modules (in
/etc/pam.d) are not activated.
There are other problems with the interaction between openssh and PAM as
well. For instance, if you have users
On Tue, Jun 19, 2001 at 03:11:02AM +0200, Christian Kraemer wrote:
This is espacially anoying if you
use pam_limits.so to set rlimits. Every user could
cirrcumvent them easily by calling ssh in this way:
ssh user@server /bin/sh
True. Fwiw you can work around this by putting ulimit calls in
John Percival wrote:
I'm going to try and throw another issue into this discussion now too:
denial of service. We have discussed it for attacking remote servers, but
not for the client viewing the image. It's something else that I spotted
while I was playing around with this issue just now.
Thank you for bringing this to our attention. Unfortunately, due to the
complexity that is javascript, it took us a few days to fix our
interpreter and test it enough to satisfy us. A new build of safeweb.com
was put up today that fixes the problem described below. Undoubtably, the
astute
I really noticed many people (not only small servers, also some realyl big
ones who should know better) are still running vulnerable verions of Apache
and noticed some things I disliked when testing this exploit, so I rewrote
a
lot of it's code. Now it will also work if executed from a Windows
-BEGIN PGP SIGNED MESSAGE-
-
Debian Security Advisory DSA-065-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Wichert Akkerman
June 23, 2001
-
this is Jun-ichiro Hagino from KAME project (*BSD IPv6 impementer).
there are some issues with some of the IPv6 specifications:
- RFC2553 (IPv6 API), section 4.2
AF_INET6 socket receives IPv4 traffic as IPv4 mapped address
(like
Derek Atkins [EMAIL PROTECTED] wrote:
The problem is not at all with the crypto. The problem is with the
integration of the crypto with applications like e-mail.
In this spirit, I have produced a patch for Mutt that adds an option
to include the To:, From:, CC:, and Subject: headers at the
14 matches
Mail list logo