Bug#344029: [EMAIL PROTECTED]: Bug#350954: DSA-960-1 security update breaks libmail-audit-perl when $ENV{HOME} is not set]

2006-02-04 Thread Martin Schulze
Niko Tyni wrote: Hi security team, I'm very sorry that you have to hear from me again :( There's a regression in the patch for DSA-960-1, for both woody and sarge. When $HOME is not set, Mail::Audit is now creating logfiles in cwd and dying if it's not writable. This happens even if

Bug#342943: [Secure-testing-team] Re: Bug#342943: only kronolith2 fixed

2006-01-28 Thread Martin Schulze
Neil McGovern wrote: On Sun, Jan 22, 2006 at 11:35:15AM +0100, Martin Schulze wrote: Lionel Elie Mamane wrote: I've tried to backport the upstream patch for kronolith 2, but most files touched don't actually exist in kronolith 1, as well as a sizeable part of the code touched

Bug#345238: Shell command injection in delegate code (via file names)

2006-01-28 Thread Martin Schulze
Daniel Kobras wrote: On Fri, Jan 27, 2006 at 10:59:34PM +0100, Martin Schulze wrote: Daniel Kobras wrote: Gnah. You are correct. I'm extending the list of forbidden characters by $(). Upstream has reverted the blacklist and instead went for an improved version of the symlink

Bug#318123: Security bug in xlockmore

2006-01-27 Thread Martin Schulze
Alexander Wirt wrote: Hi Michael, this security bug in xlockmore is still present in all xlockmore versions in the archive and is open for now 190 days. In the meantime we organized a CVE number and a patch that fixes that problem. But still no reaction from you. I know that you aren't MIA at

Bug#345238: Shell command injection in delegate code (via file names)

2006-01-27 Thread Martin Schulze
Daniel Kobras wrote: found 345238 4:5.4.4.5-1woody7 found 345238 6:6.0.6.2-2.5 thanks On Thu, Jan 05, 2006 at 01:49:11PM +0100, Daniel Kobras wrote: On Fri, Dec 30, 2005 at 02:19:27PM +0100, Florian Weimer wrote: With some user interaction, this is exploitable through Gnus and

Bug#345238: Shell command injection in delegate code (via file names)

2006-01-27 Thread Martin Schulze
Daniel Kobras wrote: Gnah. You are correct. I'm extending the list of forbidden characters by $(). Upstream has reverted the blacklist and instead went for an improved version of the symlink fix I added to ImageMagick in unstable. The patch is more involved, but also more robust and

Bug#349303: lsh-server: lshd leaks fd:s to user shells

2006-01-22 Thread Martin Schulze
Stefan Pfetzing wrote: Package: lsh-server Version: 2.0.1cdbs-3 Severity: grave Tags: security Tags: sarge Tags: confirmed Tags: pending Justification: denial of service As reported by Niels Möller, the author of lsh-utils, a user is able to access fd:s used by lsh. When logging in

Bug#342943: only kronolith2 fixed

2006-01-22 Thread Martin Schulze
vulnerabilities [templates/edit/edit.inc, +templates/view/view.inc, templates/delete/one.inc, +templates/delete/delete.inc, CVE-2005-4189, Bug#342943, Bug#349261] + + -- Martin Schulze [EMAIL PROTECTED] Sun, 22 Jan 2006 11:30:50 +0100 + kronolith (1.1.4-2) unstable; urgency=low * Fixed

Bug#348811: drupal: sarge version affected by CVE-2005-3973 and CVE-2005-3975

2006-01-22 Thread Martin Schulze
Hilko Bengen wrote: Micah Anderson [EMAIL PROTECTED] writes: The Drupal package is vulnerable to the following to CVE advisories: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3973 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3975 Do you intend to have these fixed

Bug#349303: lsh-server: lshd leaks fd:s to user shells

2006-01-22 Thread Martin Schulze
Stefan Pfetzing wrote: Please let us know which version in sid will fix the problem. I've requested a CVE name and will provide it asap. lsh-utils 2.0.1cdbs-4 includes a dpatch file in debian/patches which fixes the problem. Please use CVE-2006-0353 for this vulnerability. Regards,

Bug#335997: flyspray: Multiple XSS vulnerabilities

2006-01-22 Thread Martin Schulze
Thijs Kinkhorst wrote: On Mon, 2005-12-19 at 13:41 +0100, Thijs Kinkhorst wrote: For stable: I've extracted the right patch from the unstable version (which has been present without any bugreports since the end of October), and that is attached. I've also prepared updated packages here:

Bug#344029: Insecure /tmp file handling in libmail-audit-perl in Sarge (+patch)

2006-01-15 Thread Martin Schulze
Gunnar Wolf wrote: Martin Schulze said [Sat, Jan 14, 2006 at 08:43:57AM +0100]: Gunnar Wolf wrote: Hi, The bug is indeed important, even if it is not easily exploitable, and the fix is trivial. I am pushing it to the security team so they can apply it to the version in Sarge

Bug#344029: Insecure /tmp file handling in libmail-audit-perl in Sarge (+patch)

2006-01-13 Thread Martin Schulze
Gunnar Wolf wrote: Hi, The bug is indeed important, even if it is not easily exploitable, and the fix is trivial. I am pushing it to the security team so they can apply it to the version in Sarge as well. Please use CVE-2005-4536 for this problem. Are you in contact with upstream?

Bug#342948: CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars

2006-01-11 Thread Martin Schulze
Martin Pitt wrote: I still think that the current sid version is broken: it does nothing to fix this vulnerability for similar cases (JAVA_TOOL_OPTIONS, PYTHONHOME, RUBYLIB, etc. pp) in existing installations and upgrades from stable, and for new installations it disables environment passing

Bug#329387: bugzilla security update for sarge (2.16.7-7sarge2)

2006-01-11 Thread Martin Schulze
Hi Alexis! Alexis Sukrieh wrote: * Martin Schulze ([EMAIL PROTECTED]) said: Do you happen to know about the package in woody? Well, I don't know. Where can I grab woody's source packages? a) what about woody As soon as I know where to fetch woody's sources, I will tell you. I

Bug#329387: bugzilla security update for sarge (2.16.7-7sarge2)

2006-01-11 Thread Martin Schulze
Martin Schulze wrote: Alexis Sukrieh wrote: * Martin Schulze ([EMAIL PROTECTED]) said: Do you happen to know about the package in woody? Btw. this issue has been assigned CVE-2005-4534, so please add it to the changelog if you prepare a fixed package for woody as well. Regards

Bug#342292: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy

2006-01-11 Thread Martin Schulze
/JBIG2Stream.cc, debian/patches/patch-CVE-2005-3191] + + -- Martin Schulze [EMAIL PROTECTED] Thu, 15 Dec 2005 17:02:52 +0100 + +tetex-bin (2.0.2-30sarge3) stable-security; urgency=high + + * Non-maintainer upload by the Security Team + * Added more precautionary checks by Martin Pitt + + -- Martin Schulze

Bug#338484: www.debian.org: Still a missing locale

2006-01-09 Thread Martin Schulze
Jutta Wrage wrote: On 09.01.2006 at 15:09, Eduardo Trapani wrote: The attached list of locales was not right. Even though eo_EO is not supported by glibc, it was being used by the esperanto pages. looks like adding a line eo_EO.UTF-8 UTF-8 Generating now. Regards, Joey

Bug#345503: gifsicle: Description improvement

2006-01-01 Thread Martin Schulze
Package: gifsicle Version: current Severity: minor - Description: Tool for manipulationg GIF images + Description: Tool for manipulating GIF images Regards, Joey -- It's time to close the windows. Please always Cc to me when replying to me on the lists.

Bug#342948: CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars

2005-12-29 Thread Martin Schulze
Bdale Garbee wrote: On Thu, 2005-12-22 at 09:15 +0100, Martin Schulze wrote: It's a box of pandora. You can hardly hit all variables. Bdale, what's your opinion? One of the workarounds suggested by upstream in the p12 release announcement is: Alternately, the administrator

Bug#342911: CVE-2005-3651: Buffer overflow in OSPF dissector

2005-12-25 Thread Martin Schulze
Moritz Muehlenhoff wrote: Martin Schulze wrote: Moritz Muehlenhoff wrote: Package: ethereal Version: 0.10.13-1 Severity: important Tags: security Justification: user security hole Another security problem has been discovered in Ethereal. This time it's a buffer overflow

Bug#342911: CVE-2005-3651: Buffer overflow in OSPF dissector

2005-12-23 Thread Martin Schulze
/dissectors/packet-ospf.c, CVE-2005-3651] + + -- Martin Schulze [EMAIL PROTECTED] Sat, 10 Dec 2005 15:03:54 +0100 + ethereal (0.10.10-2sarge3) stable-security; urgency=high * Security fixes for sarge: only in patch2: unchanged: --- ethereal-0.10.10.orig/epan/dissectors/packet-ospf.c +++ ethereal

Bug#329387: bugzilla security update for sarge (2.16.7-7sarge2)

2005-12-23 Thread Martin Schulze
Alexis Sukrieh wrote: Hi, I'm the maintainer of the backup manager package. There is currently one security issue in our sarge package (0.5.7-7sarge1). I made a package with the patch submitted against the bug #329387 which closes the issue. Umh... I don't have a CVE name to share

Bug#342948: CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars

2005-12-22 Thread Martin Schulze
Moritz Muehlenhoff wrote: Martin Schulze wrote: The attached patch only uses the variables listed in env_check to be passed to the setuid environment. This will preserve language settings by default, but nothing more. What do people think about this? The patch itself looks fine

Bug#343836: Security: DoS attack possible - crashes on empty message

2005-12-21 Thread Martin Schulze
Matthias Andree wrote: are you using multidrop mode? If so, please test if the attached patch fixes the bug. It is an untested backport from 6.3.1-rc1. If you are not using multidrop mode, please provide your configuration details (passwords masked!) and a stack backtrace. Thanks a lot

Bug#336582: phpbb2 -6sarge2 ready for Security release (Was: Re: Bug#336582: phpbb2: New round of security issues)

2005-12-21 Thread Martin Schulze
Jeroen van Wolffelaar wrote: On Tue, Dec 20, 2005 at 06:54:18AM +0100, Martin Schulze wrote: Thijs Kinkhorst wrote: On Mon, 2005-12-19 at 06:53 +0100, Martin Schulze wrote: Thanks. Could somebody explain the issues that were fixed which have no security relevance? From

Bug#343836: Security: DoS attack possible - crashes on empty message

2005-12-21 Thread Martin Schulze
Matthias Andree wrote: Martin Schulze wrote: The patch does not apply though, since xfree() is unknown in version 6.2.5. I assume that the xfree only frees the memory when it is not NULL and sets the variable to NULL again, so the attached patch should do the same and apply

Bug#336582: phpbb2: New round of security issues

2005-12-19 Thread Martin Schulze
You didn't mention CVE-2005-3417. Is the version in sarge not vulnerable to it? Or did you miss it? Or did you just not document this? Regards, Joey -- Open source is important from a technical angle. -- Linus Torvalds

Bug#336582: phpbb2: New round of security issues

2005-12-19 Thread Martin Schulze
Thijs Kinkhorst wrote: On Mon, 2005-12-19 at 08:49 +0100, Martin Schulze wrote: You didn't mention CVE-2005-3417. Is the version in sarge not vulnerable to it? Or did you miss it? Or did you just not document this? This has been fixed but indeed isn't documented in the changelog

Bug#308397: gethostbyname(3)

2005-12-13 Thread Martin Schulze
Hi Michael, now that /etc/host.conf is obsoleted it may be worth to add a reference to /etc/nsswitch.conf to gethostbyname(3). This is Debian Bug#308397. Index: man3/gethostbyname.3 === RCS file:

Bug#251122: resolver(2)

2005-12-13 Thread Martin Schulze
Hi Michael, you may also want to add a reference to resolver(5) in resolver(3). Index: man3/resolver.3 === RCS file: /var/cvs/debian/manpages/man3/resolver.3,v retrieving revision 1.2 diff -u -p -r1.2 resolver.3 --- man3/resolver.3

Bug#341063: posix

2005-12-13 Thread Martin Schulze
Justin Pryzby wrote: Is there anything I can do to convince you to add the reference? Yes, free the files. Regards, Joey -- We all know Linux is great... it does infinite loops in 5 seconds. -- Linus Torvalds Please always Cc to me when replying to me on the lists.

Bug#342292: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy

2005-12-12 Thread Martin Schulze
Hi Frank! Frank Küster wrote: I looked at both, and it seems that Martin's does more. I'm speaking of the patch attached to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=342292;msg=136 It introduces limits.h and does the same we did for the xpdf patches at the beginning of the year,

Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?

2005-12-12 Thread Martin Schulze
Martin Pitt wrote: After discovering that the same flawed multiplication is also present in upstream's other two patches, I decided to completely rework the patch. I attach the debdiff with separated out changelog. Florian, maybe you can peer-review the patch? Martin and

Bug#342948: CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars

2005-12-12 Thread Martin Schulze
Moritz Muehlenhoff wrote: Package: sudo Severity: important Tags: security Quoting from http://www.sudo.ws/sudo/alerts/perl_env.html : | The PERL5LIB and PERLLIB environment variables can be used to provide a list of | directories in which to look for perl library files before the system

Bug#342948: CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars

2005-12-12 Thread Martin Schulze
Martin Schulze wrote: It's been fixed upstream in 1.6.8p12. This is true, but it becomes ridiculous. Finally allocated some time to develop a minimal patch. The attached patch only uses the variables listed in env_check to be passed to the setuid environment. This will preserve language

Bug#342948: CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars

2005-12-12 Thread Martin Schulze
Martin Schulze wrote: Martin Schulze wrote: It's been fixed upstream in 1.6.8p12. This is true, but it becomes ridiculous. Finally allocated some time to develop a minimal patch. The attached patch only uses the variables listed in env_check to be passed to the setuid environment

Bug#342911: CVE-2005-3651: Buffer overflow in OSPF dissector

2005-12-11 Thread Martin Schulze
Moritz Muehlenhoff wrote: Package: ethereal Version: 0.10.13-1 Severity: important Tags: security Justification: user security hole Another security problem has been discovered in Ethereal. This time it's a buffer overflow in the OSPF dissector. Please see

Bug#342696: CVE-2005-4077: off-by-one errors in libcurl

2005-12-10 Thread Martin Schulze
Domenico Andreoli wrote: http://www.hardened-php.net/advisory_242005.109.html Stefan Esser discovered several off-by-one errors in libcurl, a multi-protocol file transfer library, that allows local users to trigger a buffer overflow and cause a denial of service or bypass PHP security

Bug#342292: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy

2005-12-09 Thread Martin Schulze
; urgency=high + + * Non-maintainer upload by the Security Team + * Adjusted the former patch + * Applied missing bits found by Ludwig Nussel + + -- Martin Schulze [EMAIL PROTECTED] Fri, 9 Dec 2005 11:25:16 +0100 + +tetex-bin (2.0.2-30sarge1) stable-security; urgency=high + + * Non-maintainer upload

Bug#342696: CVE-2005-4077: off-by-one errors in libcurl

2005-12-09 Thread Martin Schulze
Package: curl Severity: important Tags: security woody sarge etch sid Found: 7.9.5-1 found: 7.13.2-2 found: 7.15.1-1 http://www.hardened-php.net/advisory_242005.109.html Stefan Esser discovered several off-by-one errors in libcurl, a multi-protocol file transfer library, that allows local users

Bug#342292: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy

2005-12-09 Thread Martin Schulze
Frank Küster wrote: Hi Joey, Martin Schulze [EMAIL PROTECTED] wrote: The original patch was not sufficient. I'm attaching the entire and the incremental patch. Please apply the incremental patch to the version in sid as well. Did you see Martin Pitt's enhanced patch - do both

Bug#342210: Grammatic error

2005-12-06 Thread Martin Schulze
Package: mpd Version: 0.11.5-5.1 I'm asked: on boot. Note that is not necessary to run mpd as a system service I assume that this should read that it's not necessary. Regards, Joey -- Life is too short to run proprietary software. -- Bdale Garbee

Bug#341764: Dokumentation missing / wrong

2005-12-02 Thread Martin Schulze
Package: hypermail Version: 2.1.8-1 hmrc(4) says: antispam_at = string Set this to 1 make hypermail use something like _at_ instead of the RFC 2822 @ address separator. However, this option needs to be set to the string that should be used instead of the @

Bug#341506: dpkg-source and file permissions

2005-12-01 Thread Martin Schulze
Mikko Rapeli wrote: On Thu, Dec 01, 2005 at 03:32:45AM +0200, Mikko Rapeli wrote: fakeroot combined with dpkg-source uses original source package permissions. If the original source has insecure permissions on files and/or directories dpkg-source -x should override them with umask, but:

Bug#340981: debian-installer and world writable directories

2005-11-30 Thread Martin Schulze
Joey Hess wrote: Mikko Rapeli wrote: Joey Hess wrote: Yes, the installation-report package owns the logs post sarge. In sarge, purging base-config will remove the logs, but users may not want to do that. Great, but may I propose that base-config adopts installation logs in sarge?

Bug#341243: 2 of 3 security.debian.org mirrors are missing /debian-non-US/

2005-11-29 Thread Martin Schulze
Adam D. Barratt wrote: On Tuesday, November 29, 2005 2:27 PM, Wolfram Schlich [EMAIL PROTECTED] wrote: Package: security.debian.org /debian-non-US/ can only be found on one of the three security.debian.org mirror servers: [...] Is that by design?! There's no reason at all why any

Bug#341298: knemo: Description improvement

2005-11-29 Thread Martin Schulze
Package: knemo Version: current Severity: minor - Description: Network interfaces monitor for KDEs systray + Description: Network interfaces monitor for KDE's systray or + Description: Network interfaces monitor for the KDE systray A genitive 's' in English requires an apostrophe Regards,

Bug#341241: RM: partimage-doc -- RoM; please remove from sarge

2005-11-29 Thread Martin Schulze
Jeroen van Wolffelaar wrote: retitle 341241 RM: partimage-doc/sarge -- RoM; Useless without partimage itself tags 341241 sarge thanks No reason for a removal, there are other packages that some people consider useless as well, and we don't remove them either. On Tue, Nov 29, 2005 at

Bug#222213: rsync access and security.debian.org

2005-11-29 Thread Martin Schulze
Adam D. Barratt wrote: On Wed, 2003-11-26 at 10:08 +0200, Oskar Pearson wrote: Package: security.debian.org Hi there I used to mirror security.debian.org via rsync, but since the recent security compromise, the config appears to have changed. It seems that rsync is no longer

Bug#340323: horde3: horde 3.0.7 fixes cross site scripting

2005-11-22 Thread Martin Schulze
Ola Lundqvist wrote: Is there any CVE number or similar that I can refer this to? Please use == Name: CVE-2005-3759 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3759 Reference: MLIST:[horde-announce] 20051122

Bug#339431: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code

2005-11-21 Thread Martin Schulze
Loic Minier wrote: On Mon, Nov 21, 2005, Martin Schulze wrote: I found the vulnerability matrix by Moritz Muehlenhoff useful: Woody gtk2 Woody gdk-pixbuf Sarge gtk2 Sarge gdk-pixbuf CVE-2005-29751170 2841170 284 CVE-2005

Bug#338983: horde2: New upstream version with security fix

2005-11-20 Thread Martin Schulze
Ola Lundqvist wrote: I assume that this applies to the sarge version as well. It seems so. I'm not sure this should be considered grave as this only can occur when a fatal error occurs. Better be safe than sorry, also error pages can be referenced. I'm not even sure that this is possible to

Bug#211920: courier-imap-ssl: allow login after pam_tally counter exceeded defined threshold

2005-11-20 Thread Martin Schulze
Stefan Hornburg wrote: pam_tally allow logins even after the pre-defined threshold is exceeded; and pam_tally counter continues to increase upon successful login following a failed login How is this a bug in courier-imap-ssl? It is, courier-authdaemon didn't call pam_acct_mgmt. Does

Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability

2005-11-20 Thread Martin Schulze
Thijs Kinkhorst wrote: On Thu, 2005-10-27 at 15:49 +0200, Moritz Muehlenhoff wrote: All affect Sarge. I've prepared updated packages for sarge. My updated package for sid is still pending with my sponsor Luk Claes. The updated packages for sarge are available here:

Bug#211920: Security bug (courier ignores pam failures) still present in sarge

2005-11-20 Thread Martin Schulze
David Härdeman wrote: I am still seeing this problem in the version of courier included in sarge. Courier seems to happily ignore the result of the pam check and continue anyway (when using the pam_tally module). I would suggest that this warrants the security tag and a security update

Bug#336180: heartbeat: preinst calls adduser without --system

2005-11-20 Thread Martin Schulze
Horms wrote: On Fri, Oct 28, 2005 at 01:56:19PM +0200, Dagfinn Ilmari Mannsaaker wrote: Package: heartbeat Version: 1.2.3-9sarge3 Severity: normal The 'hacluster' system user is added without the --system flag, thus placing it in the normal user range. Policy 9.2.2. says:

Bug#339431: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code

2005-11-20 Thread Martin Schulze
Loic Minier wrote: Sorry for the delay. You can grab the proposed fixes in: http://people.dooz.org/~lool/debian/gtk-gdk-cves.tgz (87M) MD5: 56148df50af6e28beaca57e4fa3bf6cc Thanks a lot! Packages are building already. I found the vulnerability matrix by Moritz Muehlenhoff

Bug#334089: remotely segfaultable, DOS

2005-11-19 Thread Martin Schulze
Hi! Steve Langasek wrote: I've tracked this bug in centericq down to a failure to deal with short packets (or packets declaring their own length to be zero). The attached patch fixes this segfault, by stopping without further processing of the packet when its length is determined to be zero.

Bug#339437: PMASA-2005-6 when register_globals = on

2005-11-17 Thread Martin Schulze
Piotr Roszatycki wrote: On Wednesday 16 of November 2005 13:17, Martin Schulze wrote: Vuln 1: Full Path Disclosures in the following files: Vuln 2: Http Response Splitting in libraries/header_http.inc.php Do you know if this is the same vulnerability as the first one above

Bug#338934: parrot - FTBFS on s390: Segmentation fault

2005-11-15 Thread Martin Schulze
Florian Ragwitz wrote: On Tue, Nov 15, 2005 at 11:24:32AM +0100, Bastian Blank wrote: On Tue, Nov 15, 2005 at 01:45:54AM +0100, Florian Ragwitz wrote: I'm aware of the unportability of parrot and working on it. Unfortunately I don't have a s390 machine where I can log into currently.

Bug#336096: bug followup CVE-2005-3088

2005-11-14 Thread Martin Schulze
Nico Golde wrote: Hi, * Loic Minier [EMAIL PROTECTED] [2005-11-14 17:28]: tags 336096 + patch pending thanks Hi, On Sat, Oct 29, 2005, Nico Golde wrote: i will provide a security update asap. It has been two weeks, unless you object, and if the security team

Bug#338886: [EMAIL PROTECTED]: Bug#338886: leafnode security bug SA-2005:02 (CVE-2005-1911)]

2005-11-13 Thread Martin Schulze
Mark Brown wrote: The enclosed bug was filed by Leafnode upstream. I believe this patch contains the relevant fix: Err, could you explain the security implication? Regards, Joey -- No question is too silly to ask, but, of course, some are too silly to answer. -- Perl book

Bug#153036: [EMAIL PROTECTED]: Re: Bug#153036: reintroduced by last security update]

2005-11-10 Thread Martin Schulze
Thomas Zeitlhofer wrote: It seems that this bug has been reintroduced with the last security update for sarge (cpio 2.5-1.3 on i386). You might have to take that up with the security team. It has never been fixed for cpio 2.5-1 according to the changelog, so the bug cannot be

Bug#334833: awstats 6.4-1.1 security fix

2005-11-09 Thread Martin Schulze
Jonas Smedegaard wrote: Jonas Smedegaard wrote: A package has now been uploaded to ftp://security.debian.org/pub/SecurityUploadQueue Hope it is correctly understood that when a first-timer on security-debian-org source needs to be included. In general this was correct...

Bug#338312: osh: Environment Variable Input Validation Bug

2005-11-09 Thread Martin Schulze
Steve Kemp wrote: On Wed, Nov 09, 2005 at 04:42:08AM -0800, Charles Stevenson wrote: Due to a bug in the environment variable substitution code it is possible to inject environment variables such as LD_PRELOAD and gain a root shell. Confirmed. Joey we'll need an ID for it.

Bug#334833: awstats 6.4-1.1 security fix

2005-11-09 Thread Martin Schulze
Jonas Smedegaard wrote: A package has now been uploaded to ftp://security.debian.org/pub/SecurityUploadQueue Hope it is correctly understood that when a first-timer on security-debian-org source needs to be included. In general this was correct... However, what's this part in the diff: only

Bug#153036: [EMAIL PROTECTED]: Re: Bug#153036: reintroduced by last security update]

2005-11-09 Thread Martin Schulze
Thomas Zeitlhofer wrote: - Forwarded message from Clint Adams [EMAIL PROTECTED] - From: Clint Adams [EMAIL PROTECTED] Subject: Re: Bug#153036: reintroduced by last security update To: Thomas Zeitlhofer [EMAIL PROTECTED], [EMAIL PROTECTED] Date: Mon, 31 Oct 2005 13:21:28 -0500 It

Bug#338312: osh: Environment Variable Input Validation Bug

2005-11-09 Thread Martin Schulze
Steve Kemp wrote: Due to a bug in the environment variable substitution code it is possible to inject environment variables such as LD_PRELOAD and gain a root shell. Charles Stevenson discovered that osh, the operator's shell for executing defined programs in a privileged environment, does

Bug#338312: osh: Environment Variable Input Validation Bug

2005-11-09 Thread Martin Schulze
Moritz Muehlenhoff wrote: Martin Schulze wrote: Due to a bug in the environment variable substitution code it is possible to inject environment variables such as LD_PRELOAD and gain a root shell. Confirmed. Joey we'll need an ID for it. Please use CVE-2005-3344

Bug#334833: awstats 6.4-1.1 security fix

2005-11-08 Thread Martin Schulze
Steve Langasek wrote: On Tue, Nov 08, 2005 at 10:15:26PM -0500, Charles Fry wrote: Version 6.4-1.1 of awstats was uploaded to unstable in response to CVE-2005-1527. However, it was never uploaded to stable-security, even though version 6.4.1 is the current stable version of awstats.

Bug#336751: openvpn: Format string vulnerability in config parsing code

2005-11-03 Thread Martin Schulze
Moritz Muehlenhoff wrote: Package: openvpn Severity: grave Tags: security Justification: user security hole A format string vulnerability has been found in openvpn's option parsing code, which indirectly may be exploited remotely as well. Please see

Bug#334450: Review of proposed stable changes

2005-11-02 Thread Martin Schulze
Loic Minier wrote: On Wed, Oct 26, 2005, Martin Schulze wrote: Indeed, they're missing. Your source package is in the archive, though, and looks good. There's something wrong, still no buildd logs appear for libgnomeprint. Would you please have a look at wanna-build? Hmm, that's

Bug#335843: Error on upgrade

2005-11-01 Thread Martin Schulze
found 335843 1.58-2 thanks There seems to be a bug in the prerm script: Preparing to replace libxml-libxml-perl 1.58-1 (using .../libxml-libxml-perl_1.58-2_i386.deb) ... /var/lib/dpkg/info/libxml-libxml-perl.prerm: line 10: [: missing `]' /var/lib/dpkg/info/libxml-libxml-perl.prerm: line 10:

Bug#336425: irssi feature requests

2005-10-30 Thread Martin Schulze
Package: irssi-text Version: 8.9-3.1 Severity: wishlist Tags: upstream Moin, I'd like to issue two feature requests. With all the comfort irssi provides, I even found two items that would make me even more comfortable with this irc client. 1. Configure colors per channel/window Currently

Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability

2005-10-27 Thread Martin Schulze
Moritz Muehlenhoff wrote: Thijs Kinkhorst wrote: Another security problem has been found in mantis. Insufficient input sanitising of the t_core_path parameter may be exploited to perform arbitrary file inclusion. Please see http://secunia.com/secunia_research/2005-46/advisory/ for

Bug#334450: Review of proposed stable changes

2005-10-26 Thread Martin Schulze
Loic Minier wrote: On Wed, Oct 26, 2005, Martin Schulze wrote: That looks a lot better. There's one more thing, though, you'll have to do before you can upload: bump up the version number since you had already uploaded the other package with the large diff. After that, it should be fine

Bug#334450: Review of proposed stable changes

2005-10-25 Thread Martin Schulze
Loic Minier wrote: Hi, I'm willing to do a stable-proposed-updates upload of libgnomeprint2.2-0 to address #334450. It is an important usability bug, but I know that important bugs can not always be addressed in stable. Joey: please check the severity of #334450 and the length

Bug#334450: Review of proposed stable changes

2005-10-25 Thread Martin Schulze
Loic Minier wrote: Hi, On Tue, Oct 25, 2005, Martin Schulze wrote: If I understand the problem correctly, for some reason libgnomeprint does not use the proper lpr command. However, the patch does not implicate the execution location. Actually, the problem is not the PATH

Bug#334450: Review of proposed stable changes

2005-10-25 Thread Martin Schulze
Loic Minier wrote: On Tue, Oct 25, 2005, Martin Schulze wrote: Please upload a fixed package based on the patch you attached. Uploaded. Attached are the relevant interdiff and debdiff. I'm afraid the huge debdiff exposes that: - the Uploaders were updated with the latest version

Bug#334450: Review of proposed stable changes

2005-10-25 Thread Martin Schulze
Loic Minier wrote: On Tue, Oct 25, 2005, Martin Schulze wrote: BOTH PARTS ARE VERY EASY TO AVOID. cp patch foo/debian/patches dch -i / emacs debian/changelog fine. I'm sorry, but please reupload with only the patch you provided in the last mail, the one-liner. That should be followed

Bug#334450: Review of proposed stable changes

2005-10-25 Thread Martin Schulze
Loic Minier wrote: Hi, On Tue, Oct 25, 2005, Martin Schulze wrote: That should be followed by dpkg-source -b, of course. Ok, I didn't know about that, and it offered a shorter debdiff at the end indeed. I did: That looks a lot better. There's one more thing, though, you'll

Bug#334113: CAN-2005-3257 assigned

2005-10-19 Thread Martin Schulze
This one is CAN-2005-3257. Regards, Joey -- Never trust an operating system you don't have source for! Please always Cc to me when replying to me on the lists.

Bug#334378: gspot: Description improvement

2005-10-17 Thread Martin Schulze
Package: gspot Version: current Severity: minor - Description: gspot: A GNOME applet to query the Net + Description: A GNOME applet to query the network No need to repeat the package name in the short description of said package. Regards, Joey -- Life is too short to run proprietary

Bug#318286: FTP USER buffer overflow (CAN-2005-2239)

2005-10-09 Thread Martin Schulze
Jeroen van Wolffelaar wrote: tags 318286 sarge thanks On Thu, Jul 14, 2005 at 05:36:34PM +0300, Joey Hess wrote: oftpd is vulnerable to another security hole. This time a crafted FTP USER command can cause a crash. Since a buffer overflow is involved, it's possible that this can be

Bug#332290: horde3: Application is in a severely insecure state during configuration

2005-10-09 Thread Martin Schulze
Ola Lundqvist wrote: Hello On Wed, Oct 05, 2005 at 01:17:37PM -0400, Mike O'Connor wrote: Package: horde3 Version: 3.0.5-1 Severity: critical Tags: security Justification: root security hole As part of the installation procedure in README.Debian, you are told to configure

Bug#332290: horde3: Application is in a severely insecure state during configuration

2005-10-09 Thread Martin Schulze
Ola Lundqvist wrote: I also would recommend that a password be required to use the Administration interface. The administration thing will be kept there as it does not have any write permission to any of the configuration files. Or do you have a good suggestion on how to

Bug#332259: spampd fails with 'Error in process_request': Modification of read-only variable in Syslog.pm

2005-10-09 Thread Martin Schulze
Sven Mueller wrote: Hence, it's rather one mail falls through or something. Doesn't sound security-relevant to me. Well, it's more of an indirect DoS. The mails are rejected with an SMTP temporary failure code according to my quick test. This means that those mails fill up the sending

Bug#332524: CVE name

2005-10-08 Thread Martin Schulze
== Candidate: CAN-2005-3178 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3178 Reference: BUGTRAQ:20051005 xloadimage buffer overflow. Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112862493918840&w=2 Buffer overflow in

Bug#329156: gnome-pty-helper foo

2005-10-07 Thread Martin Schulze
Could somebody explain the security implication for me? being able to write arbitrary strings into valid records without overwriting any other data in utmp/wtmp can hardly be classified as a security vulnerability. (Apart from that, I'm only slightly annoyed as I had to learn about this via

Bug#332434: storebackup: Several security problems (already fixed in sid/testing)

2005-10-07 Thread Martin Schulze
Arthur Korn wrote: Hi 1.19-1 source and binary packages work on stable, and the differences to 1.18.4-2 are all local bugfixes, so I figure it doesn't make any sense to separate bugfixes from bugfixes for a special security fix for stable. Well, we could split out Since the diff between

Bug#332434: storebackup: Several security problems (already fixed in sid/testing)

2005-10-07 Thread Martin Schulze
Moritz Muehlenhoff wrote: 1.19-1 source and binary packages work on stable, and the differences to 1.18.4-2 are all local bugfixes, so I figure it doesn't make any sense to separate bugfixes from bugfixes for a special security fix for stable. Well, we could split out storeBackupSync,

Bug#329156: gnome-pty-helper foo

2005-10-07 Thread Martin Schulze
severity 329156 normal thanks dude Loïc Minier wrote: Hi, On Fri, Oct 07, 2005, Martin Schulze wrote: Could somebody explain the security implication for me? You can record in the utmp/wtmp logs something which is wrong, for example that a user is currently connected

Bug#332434: storebackup: Several security problems (already fixed in sid/testing)

2005-10-07 Thread Martin Schulze
Moritz Muehlenhoff wrote: Sounds correct, my manpage says: -h, --no-dereference affect each symbolic link instead of any referenced file (useful only on systems that can change the ownership of a symlink) However, I think that this hunk is missing for CAN-2005-3148: diff -Naur

Bug#329156: gnome-pty-helper foo

2005-10-07 Thread Martin Schulze
Loïc Minier wrote: Hi, On Fri, Oct 07, 2005, Martin Schulze wrote: severity 329156 normal thanks dude You didn't Cc: control, I've bounced it to control. I usually use Bcc for that, so that group replies don't annoy our control dude. :) Ok, so unless somebody proves us

Bug#332259: spampd fails with 'Error in process_request': Modification of read-only variable in Syslog.pm

2005-10-06 Thread Martin Schulze
Sven Mueller wrote: I created a fixed package (actually two: one for sid/etch and one for sarge), available at https://mail.incase.de/spampd/sarge-security/ respectively at https://mail.incase.de/spampd/sid/ (until my sponsor finds the time to upload the latter to sid). Personally, I'm

Bug#321927: Ubuntu patch for unzip CAN-2005-2475 (fwd)

2005-10-02 Thread Martin Schulze
Santiago Vila wrote: Christian, I received this patch from Ubuntu, so if I'm not mistaken, there are now three different ways to fix this bug (two of them from discussions that were not cc:ed to the Debian BTS), but so far none of these patches have been blessed by upstream (i.e. you). Is

Bug#318420: Ubuntu patch for net-snmp CAN-2005-2177

2005-10-02 Thread Martin Schulze
Martin Pitt wrote: The bug description is quite vague, but I believe it aims at this bug: http://sourceforge.net/tracker/index.php?func=detail&aid=1207023&group_id=12694&atid=112694 which is fixed in

Bug#328458: heartbeat-1.2.3-9sarge4 for 3.1r1

2005-10-01 Thread Martin Schulze
Steve Feehan wrote: On Wed, Sep 28, 2005 at 03:34:22PM +0900, Horms wrote: Hi Martin, I have prepared packages that include this fix, from upstream, and no other changes, and you can find them at http://packages.vergenet.net/sarge-proposed-updates/heartbeat/ Steve, can you please

Bug#327722: Patch for Gopher bug CAN-2005-2772

2005-09-28 Thread Martin Schulze
Steve Kemp wrote: On Mon, Sep 26, 2005 at 09:23:16AM -0500, John Goerzen wrote: Attached are the patches that Joey (Schulze) approved. Can you (or Joey) comment: did you use a different patch because you believe mine to be insecure, or for a different reason? (That's an important
