On Wed, Apr 05, 2006 at 09:58:56PM -0400, Justin Pryzby wrote:
For the record, I like the intent of this patch, but I think it is a
little too long for inclusion in the Developers reference. Perhaps a
reference to the Securing Debian section where it will be included
will be sufficient?
It's
On Fri, Apr 07, 2006 at 03:01:28PM +0200, Wolfgang Lonien wrote:
* Package name: zenoss
Version : x.y.z
Version?
Description : Zenoss is a powerful, integrated, easy-to-use IT
infrastructure monitoring software product.
That's too long for a short description
On Wed, Nov 02, 2005 at 05:07:34PM +0100, Andreas Barth wrote:
Hi,
* Javier Fernández-Sanguino Peña ([EMAIL PROTECTED]) [051102 17:04]:
Attached is a patch that provides a list of best practices for security
review and design. If there is no intention to add this to the Developer
Package: installation-reports
Boot method: RARP/TFTP
Image version:
http://http.us.debian.org/debian/dists/sarge/main/installer-sparc/current/images/sparc64/netboot/2.6/
07-Mar-2005 01:32 5.3M boot.img
Date: 2nd April 2006
Machine: Sun Netra X1
Processor:
# cat /proc/cpuinfo
cpu
On Tue, Apr 04, 2006 at 01:13:12PM +0200, Frans Pop wrote:
Thanks for your extensive, well researched and well written report
The merit is not mine, I translated (and edited) the report from a co-worker
:-)
That said, this won't be fixed for Sarge anymore and the installer for
Etch no
On Sat, Apr 01, 2006 at 09:00:45AM -0500, Jay Berkenbilt wrote:
At this point, diff1 is still under development and depends upon the
utm (Universal Truth Machine) and dwim (Do What I Mean) libraries.
The eventual goal is that diff1 should be self-hosting -- the final,
bug-free version of diff1
On Tue, Mar 28, 2006 at 07:20:24PM -0500, Justin Pryzby wrote:
Your cheops NMU ftbfs.
What's this? Where's the patch?
Javier
signature.asc
Description: Digital signature
On Tue, Mar 28, 2006 at 08:02:18AM +0200, Christian Perrier wrote:
Thanks for taking care of warning translators before uploading a new
version with string changes. It's highly appreciated.
...which is not true, you didn't..:-). But I didn't want to send you
my standard BR template which
Package: nmap
Version: 4.00
Priority: wishlist
Tags: l10n
With the new reference Guide being made available in Nmap, a huge translation
effort has been done by translation teams all over the world. As a
consequence it is now translated to ten different languages:
Chinese, Croatian, French,
Lichtmaier [EMAIL PROTECTED], 1999.
# Tinguaro Barreno Delgado [EMAIL PROTECTED], 1999.
# Tomás Bautista [EMAIL PROTECTED], 2000.
# Javier Fernández-Sanguino Peña [EMAIL PROTECTED], 2000.
# Santiago Vila [EMAIL PROTECTED], 2000, 2001, 2004.
#
msgid
msgstr
Project-Id-Version: Debian dpkg 1.10.18\n
Package: alexandria
Version: 0.6.1-0.2
Severity: wishlist
Tags: l10n patch
Please use the attached PO file for the Spanish translation of Alexandria, I
reviewed it recently (January 21st) and provided it to the Spanish translator,
who committed it to CVS [1] a few months ago.
Since a new release of
I forgot to attach the translation, here it is.
Javier
# Alexandria en Español.
# This file is distributed under the same license as Alexandria.
# Miguel Ángel García [EMAIL PROTECTED], 2004
#
# Revisión: Javier Fernández-Sanguino [EMAIL PROTECTED], 2006
#
msgid
msgstr
Project-Id-Version:
merge 356651 356807
thanks
On Tue, Mar 14, 2006 at 09:20:36AM +0100, Bastian Blank wrote:
There was an error while trying to autobuild your package:
Already reported, see 356651
Regards
Javier
(Note: I missed Kurt's reply since he mailed the BTS but did not mail me
directly a copy...)
Hi, just a short message to let you guys know that the Nessus server -
client communication is working perfectly fine with OpenSSL version 0.9.8a-7.
Thanks!
Javier
On Thu, Mar 09, 2006 at 07:18:43AM +0100, Ola Lundqvist wrote:
- don't reload if the daemon is down
Do it start instead then?
No, reload should just reload the daemon. If it's down it should do nothing
(i.e. it does not make sense to 'reload' a daemon which is not active.
After reporting lots of SPAM in the debian-lsb mailing list I've found these
which I cannot report due to the lack of a button:
http://lists.debian.org/debian-lsb/2005/07/msg0.html
http://lists.debian.org/debian-lsb/2005/07/msg2.html
On Wed, Mar 08, 2006 at 10:21:25PM +0100, Ola Lundqvist wrote:
Thanks a lot for the patch.
You are welcome.
An even better solution would be to set the interface configured as default
value if eth0 can not be found.
But there is no way you can know which interface the user might want to use.
On Wed, Mar 08, 2006 at 10:25:11PM +0100, Ola Lundqvist wrote:
Hi
Hi.
- don't reload if the daemon is down
Do it start instead then?
No, reload should just reload the daemon. If it's down it should do nothing
(i.e. it does not make sense to 'reload' a daemon which is not active.
- I've
Package: ntop
Version: 3:3.2-1
Priority: normal
Tags: patch
Ntop package default answer to the 'Which interface do you want to use?'
debconf question is eth0 and set to 'medium' priority. This is usually OK.
However, in a system which does not have 'eth0' (either because the default
interface is
Package: ntop
Version: 3:3.2-1
Priority: wishlist
Tags: patch
I find the init.d script provided for ntop somewhat lacking proper checks, so
I have included some sanity checks:
- check if the interfaces defined are UP, if they are not, abort with an error.
Rationale: ntop will fail to start if
On Mon, Mar 06, 2006 at 04:12:06AM +1100, David Murn wrote:
Package: initscripts
Version: 2.86.ds1-12
Severity: important
Like many others, I'm sure, I use my /tmp partition for storing files that I
don't necessarily want to keep forever, but may for a short period of
time. As such, I
On Sat, Mar 04, 2006 at 11:07:25AM +0100, Loïc Minier wrote:
I'm doing my final pass on the deb-sec part of this discussion, I don't
intend to participate much further, no new arguments are popping up.
Quite sincerely, this discussion is getting nowhere. There are sufficient
arguments in this
Package: rhythmbox
Version: 0.9.3.1-1
Severity: normal
Rhythmbox maintainer said [1] that one of the important features of
rhythmbox, and the reason why it tries to pull in avahi-daemon through
Recommends:, is that the music sharing feature is very important in this
software.
However:
- there
Package: rhythmbox
Version: 0.9.3.1-1
When a user that has installed rhythmbox (through apt-get, which does not
pull in Recommends:) starts up the application he gets a warning in STDERR:
(rhythmbox:25826): Rhythmbox-WARNING **: Unable to start mDNS browsing
If the user goes to
Package: rhythmbox
Version: 0.9.3.1-1
Package: wishlist
To a 'standard' user of rhythmbox [1], that just wants to play music, there is
really no need to share music services on a LAN. Based on #355234 this does
not seem to be even a documented or required feature but the fact that the
package
On Sat, Mar 04, 2006 at 12:29:18PM +0100, Loïc Minier wrote:
On Sat, Mar 04, 2006, Javier Fernández-Sanguino Peña wrote:
The application should, when that option is enabled, show a popup window
stating that it cannot do music sharing and (in Debian) state that you need
to have 'avahi-daemon
On Sat, Mar 04, 2006 at 01:41:14PM -0500, Joey Hess wrote:
- a default GNOME install should *not* install a network service, even if
that
enabled new features to the users. Consequently, if rhythmbox is part of
the GNOME task, it should not pull in avahi-daemon automatically
(a
On Sun, Mar 05, 2006 at 02:06:45AM +0100, Nicolas François wrote:
Javier Fernandez-Sanguino Pen~a [EMAIL PROTECTED]
samhain-2.0.10a/init/samhain.start.in
That (upstream) code is not used in the Debian package (the init script used
is samhain-2.0.10a/debian/samhain.init
Regards
Javier
On Tue, Feb 28, 2006 at 10:45:10PM +0100, Robert Millan wrote:
Hi!
Could you please add !kfreebsd-amd64 as well?
Weird, didn't know that arch. Ok. I will.
Javier
Package: grip
Version: 3.3.1-4
Priority: wishlist
Tags: l10n
After starting to use Grip on Debian I've found some typos in the Spanish
translation. As I'm the coordinator for the Spanish translation group there,
I've taken the latest sources (from Debian: 3.3.1-4) and reviewed the es.po
file
On Sat, Feb 25, 2006 at 08:53:41PM +0100, Manolo Díaz wrote:
Hi,
After installing the new package, mozilla-thunderbird is still in English,
even after removing the .mozilla-thunderbird dir. Afterward, I've tried to remove
or reinstall the package with no success.
Yes, the prerm script is not correct, but
On Tue, Feb 21, 2006 at 04:11:40PM -0800, Sebastien Delafond wrote:
Should the similarities between PADS and lanmap prevent the latter
from being packaged for Debian ? I understand they both rely on
Of course not!
passive network monitoring to produce info, but I still don't see that
as an
After two months of no response I wonder if anybody is working on this. I have
just reported loads of spam in the debian-doc mailing list and implementing
this could cut back somewhat the spam I've seen there...
Regards
Javier
Package: lists.debian.org
Version: N/A reported 2006-02-22
Priority: wishlist
Please, make the debian-devel-spanish mailing list open only to subscribers.
The load of spam there, vs. posting from regular users, is very high. For
example, July last year had 4 valid e-mails out of 34 postings to
Package: lists.debian.org
Version: N/A reported 2006-02-22
Priority: wishlist
Please, make the debian-doc mailing list open only to subscribers.
The amount of spam there vs. posting from regular users, is very high. For
example, January this year, there were 23 spam emails and 45 valid:
I also would like to note that the following (spam) mails don't have
the Report spam button either:
http://lists.debian.org/debian-devel-spanish/2005/07/msg1.html
http://lists.debian.org/debian-devel-spanish/2005/07/msg2.html
On Tue, Feb 21, 2006 at 01:22:57PM -0800, Sebastien Delafond wrote:
* Package name: lanmap
Version : 0.1
Upstream Author : Ryan Flynn [EMAIL PROTECTED]
* URL : http://parseerror.com/lanmap/
* License : GPL
Description : lanmap sits quietly on a
Package: gthumb
Version: 3:2.6.6-1
Severity: normal
For some reason, gthumb stopped displaying thumbnails for any of the files in
the directory where I hold pictures (actually, for any directory). I first
suspected a bug in the ~/.thumbnails/ directory and renamed it to have it be
recreated. To
severity 353108 wishlist
merge 353151 353108
thanks
On Thu, Feb 16, 2006 at 10:20:40AM +0100, Robert Lemmen wrote:
hi,
just wanted to let you know (you probably already do) that a new upstream
version is available
We are aware of this, and, actually, it is now available in the
On Fri, Feb 17, 2006 at 04:20:02PM +0100, Daniel Rodriguez Garcia wrote:
I have built a package that fixes the problem.
I include attached the source and binary files for the package.
It would have been best if you provided a patch against the current Debian
sources. The BTS should not be used
On Sat, Feb 18, 2006 at 02:47:33PM +1300, Matt Brown wrote:
I did however discover one minor bug that occurred when the stop target
of the init script was run twice in a row and resulted in some ugly
error output from trying to read the nonexistent pidfile. The
functionality was still
On Thu, Feb 16, 2006 at 09:52:24PM +1300, Matt Brown wrote:
On Wed, 2006-02-15 at 15:14 +0100, Javier Fernández-Sanguino Peña wrote:
The patch is now back down to the size/scope that I consider appropriate
for a NMU, I agree that the previous patch was getting a little unwieldy
and rough, my
Package: john
Version: 1.6-39
Priority: wishlist
This is just a reminder that Solar Designer has released a new version of
John the Ripper (1.7).
From http://www.openwall.com/john/doc/CHANGES.shtml :
* Bitslice DES code for x86 with MMX: more than twice faster than older
* non-bitslice MMX
On Thu, Feb 16, 2006 at 01:22:20AM +1300, Matt Brown wrote:
Hi Javier,
Hi there. I hope you don't mind me being a little bit picky, but I think it
helps you hone your skills :-)
* there's a buffer overflow if 'fname' is longer than 512 chars. buf should
*not* be of a static size
severity 353064 normal
thanks
On Wed, Feb 15, 2006 at 11:46:45PM +0100, Moritz Muehlenhoff wrote:
Package: honeyd
Severity: important
Tags: security
Quoting from http://www.honeyd.org/adv.2006-01:
| A bug in the IP reassembly codes causes Honeyd to reply to illegal
| fragments that other
On Wed, Feb 15, 2006 at 12:09:43AM +1300, Matt Brown wrote:
Hi,
I have prepared a NMU patch to fix this bug as a part of the T S
portion of my NM application.
Thanks for doing this.
Additionally the running function never succeeded because portreserve
doesn't create a pid file. This is
The latest OpenSSL version (0.9.8-6) does not seem to fix the problem with
Nessus, actually, it makes it work since now the workaround of using a
restricted set of ciphers no longer works either:
If you try to connect the Nessus client with the server you get this:
[26753] SSL_connect:
On Wed, Feb 01, 2006 at 05:14:26PM +0100, Ruben Porras wrote:
That is correct, but nobody else did anything until today; sorry, if you
sent me an email, it got lost, so last week I sent an update and now we
have two different up to date translations.
:-(
I'm also doing the general aptitude's
merge 347947 197898
tags 197898 help
severity 197898 serious
thanks
On Wed, Jun 18, 2003 at 02:47:03PM +0200, Cristian Ionescu-Idbohrn wrote:
Package: smb-nat
Version: 1.0-3woody.0-1
Severity: important
This is the latest unstable version built on a woody box.
Here is the backtrace from
On Tue, Jan 24, 2006 at 09:46:27PM +0100, Nicolas François wrote:
Package: bastille
Version: 1:2.1.1-12
Severity: minor
Tags: patch
Hi,
The attached patch recodes the manpages in ascii.
Thanks for the patch. I'll review it and apply it.
Javier
On Thu, Jan 19, 2006 at 12:11:55PM +0100, Wolfram Quester wrote:
Package: openuniverse
Version: 1.0beta3.1-2
Severity: grave
Justification: renders package unusable
Hi,
during the last update I got:
Preparing to replace openuniverse 1.0beta3.1-2 (using
tags 348841 pending
thanks
On Thu, Jan 19, 2006 at 12:11:55PM +0100, Wolfram Quester wrote:
Package: openuniverse
Version: 1.0beta3.1-2
That is not correct, the package you are installing is 1.0beta3.1-3
during the last update I got:
Preparing to replace
On Wed, Jan 18, 2006 at 06:50:42AM +, Keith Edmunds wrote:
Package: tiger
Version: 1:3.2.1-24
Severity: wishlist
Currently lines in templates have to exactly match those reported by Tiger
to be suppressed. This leads to multiple similar lines, for example to cause
Tiger not to
Based on the comment made by Jim Paris to bug #338006 I've found that adding
the following line to nessusd.conf makes the client able to talk with the
server:
ssl_cipher_list = SSLv2:-LOW:-EXPORT:RC4+RSA
I'm going to add this to the default nessusd.conf to implement a workaround
fix for
On Sat, Jan 14, 2006 at 11:48:44AM -0500, Justin Pryzby wrote:
I intend to NMU a fix for this bug sponsored by Thomas Viehmann; the
attached patch simply drops the dependency on xlibs-dev, because there
is no actual direct dependency.
Please don't, I already uploaded an updated package.
Package: chrkootkit
Version: 0.46a-2
Priority: normal
Tags: security
I have started noticing some errors generated by Tiger which were emailed to
me every 8 hours and included this:
usr/bin/strings: 'write': No such file
/bin/ls: write: No such file or directory
Digging into it, this turns out
Package: kdelibs-data
Version: 4:3.4.3-2
Priority: important
The latest version of kdelibs includes a file
(/usr/share/mimelnk/image/x-djvu.desktop) which is also present in the
libdjvulibre1 package, making it impossible to install both. This just caused
a breakage in my unstable system
Package: samba
Version: 3.0.21a-1
Priority: wishlist
Currently samba's postinst does this if the user says 'yes' to generate
automatically the smbpasswd file:
getent passwd | /usr/sbin/mksmbpasswd /etc/samba/smbpasswd
pdbedit -i smbpasswd -e tdbsam
rm
FWIW, this bug causes the Nessus client to be unable to contact the server
(since they use server side certificates with OpenSSL) and is the root cause
of #343487. Please fix this bug as soon as possible or, otherwise, Nessus
users will not be able to use Nessus at all in sid/testing.
Thanks
On Thu, Dec 29, 2005 at 11:17:41AM +0100, Marc Haber wrote:
The resulting packages naturally only depend on libssl0.9.7, and seem
to work fine. This might be a workaround.
Great, yes, this is a workaround. Unfortunately it's a *local* workaround.
Even if I can generate i386 packages compiled
On Wed, Dec 28, 2005 at 02:16:26AM -0800, Steve Langasek wrote:
The issue should be fixed by recompiling the client against a set of the
libraries, and should affect only the 2.2.5-3 version under i386. Notice,
also that the package has an undeclared dependency on libssl0.9.7 (the
binary
On Wed, Dec 28, 2005 at 11:31:11AM +0100, Javier Fernández-Sanguino Peña wrote:
* nessusd 2.2.5-3, the server, is linked against both 0.9.7 and
0.9.8
Just found out why this happened. The Nessus server gets compiled against
both versions since libnasl depends on 0.9.7, I did not notice
On Wed, Dec 28, 2005 at 03:12:44AM -0800, Steve Langasek wrote:
Since there is no libssl097-dev any longer I guess I'll have to recompile
all
packages.
It should actually be possible to fix this with binNMUs on the autobuilders,
I think. I'll go ahead and queue those now.
Please
On Wed, Dec 28, 2005 at 02:54:17AM -0800, Steve Langasek wrote:
* nessusd 2.2.5-3, the server, is linked against both 0.9.7 and
0.9.8
Ok, I don't see this either:
$ ldd /tmp/nessus/usr/sbin/nessusd|grep ssl
libssl.so.0.9.8 = not found
$
Funny, it seems that ldd output varies
Package: listarchives
Severity: wishlist
(Note: CC'ing listmasters as this might make sense to be applied as a
global rule for mailing lists from now on too)
I have been reporting for a while e-mail in the mailing list archives which
is spam sent in a foreign language (to the list, that is,
On Sun, Dec 18, 2005 at 03:09:18PM +, Stuart Langridge wrote:
At the time that this message appears, there is no
/usr/share/doc/snort-mysql and therefore running the commands is
impossible (presumably it will be there once package installation is
complete). However, package installation
reassign 344057 ftp.debian.org
thanks
On Mon, Dec 19, 2005 at 08:04:21PM +0100, Martin Zobel-Helas wrote:
Package: snare
Hi,
is this package still needed? It FTBFS, had only one upload (to
experimental) nearly 3years ago and according to popcon about 5 users.
No, as far as I know, it is
On Mon, Dec 19, 2005 at 11:53:40PM -0700, dann frazier wrote:
user [EMAIL PROTECTED]
usertag 322264 + intend-to-nmu
stop
As this bug has had a patch filed for over 30 days without a response
from the maintainer, I intend to NMU it in 1 week (or earlier, at the
maintainer's request).
On Tue, Dec 20, 2005 at 09:27:53AM -0700, dann frazier wrote:
No real rush - I just hadn't seen any response since I filed it want
to make sure it doesn't slip through the cracks.
Understood.
Would it help if I file this bug at http://bugs.nessus.org/ (and tag it
as forwarded)?
Yes,
On Thu, Dec 15, 2005 at 05:17:36PM +0100, Marc Haber wrote:
Package: nessusd
Version: 2.2.5-3
Severity: important
When I try to connect to a 2.2.5-3 server from a 2.2.5-2 or 2.2.5-3
client, the client says after hitting the Login button SSL Error
and says on stdout [8157] SSL_connect:
On Thu, Dec 15, 2005 at 06:44:18PM +0100, Marc Haber wrote:
libssl.so.0.9.8 = /usr/lib/i686/cmov/libssl.so.0.9.8 (0x40115000)
libssl.so.0.9.7 = /usr/lib/i686/cmov/libssl.so.0.9.7 (0x403b4000)
NACK.
Err... Is this i386 or some other arch?
Those are *not* the binaries I
On Thu, Dec 15, 2005 at 07:18:04PM +0100, Marc Haber wrote:
[2/[EMAIL PROTECTED] sid]:~$ md5sum nessusd_2.2.5-3_i386.deb
5540b1f4dfd81c4ba3c71ac4e2dbecfa nessusd_2.2.5-3_i386.deb
[3/[EMAIL PROTECTED] sid]:~$
That is correct, however, with that one, as I said:
$ ldd /usr/sbin/nessusd |grep
On Sat, Apr 09, 2005 at 03:43:56AM -0400, Filipus Klutiero wrote:
Package: wordtrans
Severity: normal
This error appears when i2e is not installed. When started from CLI,
kwordtrans and others warn with File /usr/share/wordtrans/Engtospa.dic
doesn't exist but this is not visible when
On Sat, Dec 03, 2005 at 01:52:30PM +0100, Friedrich Delgado Friedrichs wrote:
Hiho!
As I suspected the bug occurred again after I updated my system with aptitude.
Strange..
At 13:45:01 cron tried to start the cronjob and the child process received
a segmentation fault.
The segmentation
Package: openssh-server
Version: 1:4.2p1-5
Severity: minor
Tags: l10n patch
(Note: Last-Translator on CC:)
The Spanish translation of OpenSSH has a typo; a patch is attached, please
apply.
Regards
Javier
PS: I'm wondering how Santiago got to update this translation without having
it peer
On Tue, Nov 29, 2005 at 10:54:41PM -0500, Chris Lawrence wrote:
I am confused as to why you have rated this bug as important. As
you point out, there is no real way to make this determination in
software without breaking the automated sid-etch migration process;
the best that can be hoped for
On Wed, Nov 30, 2005 at 09:05:54AM +0100, Friedrich Delgado Friedrichs wrote:
Package: cron
Version: 3.0pl1-93
Followup-For: Bug #260789
Hi!
I see very similar phenomena to what the OP reported. Cronjobs from
personal crontabs are not executed.
(...)
Cronjobs do not run, although cron
On Wed, Nov 30, 2005 at 09:20:36AM -0500, Chris Lawrence wrote:
More importantly, there is no real heuristic for figuring out whether
or not a system is testing or unstable. Even if
/etc/debian_version was modified in etch, that's no guarantee the
system is actually etch - and no guarantee
Package: lsb-release
Version: 3.11
Priority: important
The lsb_release is currently useless in 'etch' because it will always return
'sid' as the codename for the distribution when it's not. This is because it
depends on the /etc/debian_version to determine if it's etch or not, and
because the
On Sat, Nov 19, 2005 at 06:03:13PM -0500, Filipus Klutiero wrote:
Hi Javier,
I'd like to be sure about which claim you refer to. The current claim is
the one that says that Debian *does* issue fixes for most problems under
48 hours, right? I'm asking since if I understand right the
On Sat, Nov 19, 2005 at 03:46:23PM +, MJ Ray wrote:
I think the statistic is questionable, so there should be
verification/substantiation of the statistic, but I don't know
whether it's right or wrong. I think it's prejudging things to
delete the first paragraph as suggested.
I don't know
On Sat, Nov 19, 2005 at 01:17:04PM +0100, Joost van Baal wrote:
Hi,
The list of iptables frontends in the Securing Debian Manual is getting
out of date fast. I guess it's better to maintain such a list on a
wiki. (See also
http://lists.debian.org/debian-firewall/2005/10/msg00045.html .)
On Tue, Nov 15, 2005 at 01:10:55AM -0800, Karl Chen wrote:
Package: tiger
Version: 1:3.2.1-28
Followup-For: Bug #148274
Hi, any progress on this? It seems very simple to change to a
/etc/cron.daily script. The only difference for non-anacron users
It's not that simple (package-wise).
Package: console-data
Version: 2002.12.04dbs-50
Priority: wishlist
Tags: l10n patch
Attached is an updated translation of console-data's po to Spanish as
requested by Christian Perrier.
Regards
Javier
#
# console-data translation to Spanish
# Copyright (C) 2004 Software in the Public Interest
On Wed, Aug 24, 2005 at 01:56:51PM -0700, jeremy avnet wrote:
Package: cron
Version: 3.0pl1-87
Severity: normal
If you place a file in /etc/cron.d whose name contains a dot ('.'),
the file will not be run. E.g., some.name.
That's expected behaviour. Notice that configuration files, when
Package: note
Version: 1.3.1-2
Priority: important
Tag: security
The 'note' program sets up temporary files in an unsafe way which leads to
race conditions since it first generates a temporary filename (but does not
create the file), removes it (twice, first race condition) and then tries to
Package: developers-reference
Version: 3.3.6
Tags: patch
Attached is a patch that provides a list of best practices for security
review and design. If there is no intention to add this to the Developer
Reference please say so, if that is the case, I will simply create a new
section in the
Package: gnupg
Version: 1.4.2-2
Priority: wishlist
There are some MUAs (like mutt) that do not encrypt mails you send with your
own key, which makes them unreadable to you once stored in a folder. Since
this issue can be prevented by the use of the 'encrypt-to' option in GnuPG it
would be nice if
Package: mutt
Version: 1.5.11-2
Priority: wishlist
(This bug has been reported upstream as bug #2122, I'm sending this to the
Debian maintainer in case he thinks it would be reasonable to include this
into sid to get wider testing)
Currently, GPG only encrypts messages to the To:, CC: or Bcc:
On Fri, Oct 28, 2005 at 01:39:17PM -0500, Kyle Wheeler wrote:
Why not simply add yourself to the pgp_encrypt_sign_command and
pgp_encrypt_command? For example, I use:
Because that needs to be done on a per-user basis.
This seems like something to be handled in the muttrc, not something to
Package: mgdiff
Version: 1.0-27
Priority: minor
Tags: security
While doing a source code audit looking for security bugs I've found that the
viewpatch script (distributed by mgdiff in /usr/share/doc/mgdiff/ and thus,
not provided as a binary) does not use /tmp safely and can, consequently,
be
Package: mgdiff
Version: 1.0-27
Severity: normal
Tags: patch
Mgdiff will happily allow users to set '-' as both files which will not work
(since stdin is only read once) and makes it generate two temporary files
(although only the last one will be removed on exit).
The attached patch fixes this
On Wed, Oct 19, 2005 at 11:09:58AM +0200, Moritz Muehlenhoff wrote:
Hi,
as the attack is based on overflowing buf1[] through crafted len values
taken from the packet header in BoGetDirection() and this function isn't
present in 2.3 Debian doesn't seem to be vulnerable.
Yes, based on the source
On Fri, Oct 21, 2005 at 11:44:58AM +0200, Moritz Muehlenhoff wrote:
Hi,
while I agree that running yiff with lesser privileges is desirable
I can't see a RC security problem in this case. You can't crash
a system by reading from /dev, /proc or /sys, even reading from raw
hard disk devices
reassign 335099 net-tools
merge 145004 186208 180367 122792 87784 335099
tags upstream patch
thanks
On Fri, Oct 21, 2005 at 11:35:04PM +0100, Carlos Rodrigues wrote:
Let me extend this a bit:
This Debian machine has other interfaces configured statically. These
interfaces have private
On Wed, Oct 19, 2005 at 08:48:49AM +0100, Phil Brooke wrote:
The yiff server, by default, will run as the root user, even though it
only requires privileges to access the audio devices (/dev/dsp and
/dev/mixer), no effort is made by the package to create a specific user
and run the server
Package: snort
Severity: critical
Version: 2.3.3-2
Justification: remote compromise
Well, I have just read both an X-force and a CERT alert related to Snort,
it seems that it is possible to make a preprocessor (bo) crash and run code
remotely through a single UDP traffic.
I'm still
On Sun, Oct 16, 2005 at 01:33:15AM -0500, Adam Porter wrote:
Package: tiger
Version: 1:3.2.1-28
Severity: minor
Tiger's cron scripts don't run with a nice value, so they run at normal
priority. This can cause the system to really slow down, especially
when checking md5sums. It would seem
severity 333837 wishlist
thanks
On Fri, Oct 14, 2005 at 12:51:30AM +0200, Erich Schubert wrote:
Package: cron
Version: 3.0pl1-91
Severity: normal
Cron tries to backup shadow and gshadow, but cron doesn't have read
access to these files. On SELinux, this backup should be handled by a
On Sun, Aug 28, 2005 at 08:06:08AM -0700, Sean Champ wrote:
Package: cron
Version: 3.0pl1-91
Severity: important
Hello,
I've been running a command like the following from within my user crontab.
/sbin/ifconfig ppp0 /dev/null fetchmail --slient
It worked fine, until I