Re: Backport of the integer overflow in the brk system call

2003-12-09 Thread Anthony DeRobertis
On Dec 8, 2003, at 07:14, Julian Mehnle wrote: Apart from that, as soon as the use of IPv6 broadens, dynamically assigned IP addresses will diminish. Stateless autoconfig + privacy extensions means quite the opposite is likely to occur.

Re: Backport of the integer overflow in the brk system call

2003-12-09 Thread Tom
On Tue, Dec 09, 2003 at 01:12:13AM +, Colin Watson wrote: > . Could you please try > to keep debian-devel posts to well-thought-out [1] technical content, Sure. I'd also ask everyone to keep their anti-American, anti-Bush SIGs and random comments out of both lists. I have acted like a jack

Re: Backport of the integer overflow in the brk system call

2003-12-09 Thread Tom
On Tue, Dec 09, 2003 at 11:45:58PM +1100, Russell Coker wrote: > > As for acting like a Jackass, the Johnny Knoxville and his colleagues are > very > talented entertainers who work hard. I wouldn't compare them to you in any > way. Oh, I dunno. I got *your* attention. But chill the hell out

Re: Backport of the integer overflow in the brk system call

2003-12-09 Thread Russell Coker
On Tue, 9 Dec 2003 22:52, Tom <[EMAIL PROTECTED]> wrote: > On Tue, Dec 09, 2003 at 01:12:13AM +, Colin Watson wrote: > > . Could you please try > > to keep debian-devel posts to well-thought-out [1] technical content, > > Sure. I'd also ask everyone to keep their anti-American, anti-Bush SIGs

Re: Backport of the integer overflow in the brk system call

2003-12-08 Thread Colin Watson
On Mon, Dec 08, 2003 at 01:28:20PM +1100, Russell Coker wrote: > Another problem is that host keys require SUID ssh client in the > default configuration. This hasn't been true since OpenSSH 3.3, and therefore since before woody. See ssh-keysign(8). openssh (1:3.3p1-0.0woody1) testing-security; u

Re: Backport of the integer overflow in the brk system call

2003-12-08 Thread Colin Watson
On Thu, Dec 04, 2003 at 03:29:02PM -0800, Tom wrote: > Just rambling... I'm sure there's tons of holes in what I just said. All this rambling is getting pretty damn tedious as I try to read through two weeks' worth of debian-devel backlog. Could you please try to keep debian-devel posts to well-th

RE: Backport of the integer overflow in the brk system call

2003-12-08 Thread Julian Mehnle
Russell Coker wrote: > On Mon, 8 Dec 2003 23:14, "Julian Mehnle" <[EMAIL PROTECTED]> wrote: > > You cannot verify the IP address *exactly*, but you can verify > > whether the IP address lies within a range. Dial-up users could at > > least register a certain address range, so as to vastly mitigate

Re: Backport of the integer overflow in the brk system call

2003-12-08 Thread Russell Coker
On Mon, 8 Dec 2003 23:14, "Julian Mehnle" <[EMAIL PROTECTED]> wrote: > > One problem with this is developer's machines that are on dial-up > > Internet connections. In the case of such machines you can verify the > > host key but not the IP address. > > You cannot verify the IP address *exactly*,

RE: Backport of the integer overflow in the brk system call

2003-12-08 Thread Julian Mehnle
Russell Coker wrote: > On Mon, 8 Dec 2003 13:16, Patrick Ouellette <[EMAIL PROTECTED]> wrote: > > Instead of a smartcard/token/whatever physical device, this incident > > could possibly have been thwarted by requiring developers to > > pre-register their machine with the project (using ssh host key

Re: Backport of the integer overflow in the brk system call

2003-12-08 Thread Steinar H. Gunderson
On Sun, Dec 07, 2003 at 09:16:58PM -0500, Patrick Ouellette wrote: > Instead of a smartcard/token/whatever physical device, this incident > could possibly have been thwarted by requiring developers to pre-register > their machine with the project (using ssh host key for example). The > attacker wo

Authentication enhancements (was Re: Backport of the integer overflow in the brk system call)

2003-12-07 Thread Patrick Ouellette
On Mon, Dec 08, 2003 at 01:28:20PM +1100, Russell Coker wrote: > > But this still leaves the issue of how to deal with dial-up machines. Even > if > we restrict connections to a single ISP as often dial-up machines are not > used with multiple machines, this still isn't necessarily much good,

Re: Backport of the integer overflow in the brk system call

2003-12-07 Thread Russell Coker
On Mon, 8 Dec 2003 13:16, Patrick Ouellette <[EMAIL PROTECTED]> wrote: > On Thu, Dec 04, 2003 at 11:55:26AM -0800, Tom wrote: > > instance is the hacker sniffed the password, and then logged on to > > Debian's servers later at his leisure from a different PC. With a > > Instead of a smartcard/toke

Re: Backport of the integer overflow in the brk system call

2003-12-07 Thread Patrick Ouellette
On Thu, Dec 04, 2003 at 11:55:26AM -0800, Tom wrote: > instance is the hacker sniffed the password, and then logged on to > Debian's servers later at his leisure from a different PC. With a Instead of a smartcard/token/whatever physical device, this incident could possibly have been thwarted by

Re: Backport of the integer overflow in the brk system call

2003-12-04 Thread Tom
On Thu, Dec 04, 2003 at 06:13:49PM -0500, Matt Zimmerman wrote: > > Not really; he just has to set things up ahead of time. This is like > claiming the attacker has to be present in order to sniff your password from > a telnet session (he doesn't; he just has to have been around at any time > bef

Re: Backport of the integer overflow in the brk system call

2003-12-04 Thread Matt Zimmerman
On Thu, Dec 04, 2003 at 11:55:26AM -0800, Tom wrote: > Yes, but the reason it would have been efficacious in this *particular* > instance is the hacker sniffed the password, and then logged on to > Debian's servers later at his leisure from a different PC. With a > smartcard, he would have had t

Re: Backport of the integer overflow in the brk system call

2003-12-04 Thread Tom
On Thu, Dec 04, 2003 at 02:23:54PM -0500, Matt Zimmerman wrote: > On Tue, Dec 02, 2003 at 05:19:22PM -0800, Tom wrote: > You must be joking. If the developer's system is compromised, and he logs > into another system after that time, that system can be easily compromised > also. Yes, but the rea

Re: Backport of the integer overflow in the brk system call

2003-12-04 Thread Matt Zimmerman
On Tue, Dec 02, 2003 at 05:19:22PM -0800, Tom wrote: > Smartcards would have avoided the Debian compromise: merely having a > compromised DD box would have prevented bad guy from getting on the box. > > It's all about layers of defense. > > I think the DD's should seriously think about requirin

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Brian May
On Wed, Dec 03, 2003 at 02:57:11AM +0100, Bernd Eckenfels wrote: > On Wed, Dec 03, 2003 at 10:54:24AM +1000, Andrew Pollock wrote: > > The only way to have avoided this kernel vulnerability from day-0 of > > discovery/fix release would have been to be constantly upgrading to > > pre-release kernels

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Bernd Eckenfels
On Thu, Dec 04, 2003 at 10:18:44AM +1100, Russell Coker wrote: > > > What about RSA tokens? This solution does not require any special > > > hardware to connect on the client side. > > This also means it does not provide any additional security, besides the > > costs. > What makes you think that?

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Artur R. Czechowski
On Wed, Dec 03, 2003 at 11:42:06PM +0100, Bernd Eckenfels wrote: > On Wed, Dec 03, 2003 at 10:34:13AM +0100, Artur R. Czechowski wrote: > > What about RSA tokens? This solution does not require any special hardware > > to connect on the client side. > This also means it does not provide any additio

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Russell Coker
On Thu, 4 Dec 2003 09:42, Bernd Eckenfels <[EMAIL PROTECTED]> wrote: > On Wed, Dec 03, 2003 at 10:34:13AM +0100, Artur R. Czechowski wrote: > > What about RSA tokens? This solution does not require any special > > hardware to connect on the client side. > > This also means it does not provide any a

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Russell Coker
On Thu, 4 Dec 2003 05:02, Andreas Schuldei <[EMAIL PROTECTED]> wrote: > * Russell Coker ([EMAIL PROTECTED]) [031203 04:03]: > > I have sent a message to Werner asking if the GPG smart-card device could > > be re-implemented with a USB interface. I think that a USB dongle with > > GPG technology wo

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Bernd Eckenfels
On Thu, Dec 04, 2003 at 12:03:52AM +1100, Russell Coker wrote: > For an initial order of 1200 units and the potential for other larger orders > they may reconsider this. There are some more tokens, which are based on the open X9.9 DES protocol and not the secret SecureID stuff. Greetings Bernd --

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Bernd Eckenfels
On Wed, Dec 03, 2003 at 10:34:13AM +0100, Artur R. Czechowski wrote: > What about RSA tokens? This solution does not require any special hardware > to connect on the client side. This also means it does not provide any additional security, besides the costs. Greetings Bernd -- (OO) -- [EM

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Manoj Srivastava
On Tue, 2 Dec 2003 23:46:45 +, Geoff Richards <[EMAIL PROTECTED]> said: > On Tue, Dec 02, 2003 at 01:28:28PM -0800, Tom wrote: >> I read all the words but took a completely different meaning :-) >> I'm from the South, we have different speech patterns... > South of where? The Mason-

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Manoj Srivastava
On Wed, 3 Dec 2003 08:30:55 +0100, Bernd Eckenfels <[EMAIL PROTECTED]> said: > Hehe, well I am sorry. I had the impression 2.4.23 was older. Should > have checked my facts. > BTW: I do have checked the kernel version of the major distros, all > ship newer kernels than debian (if you look at the

RE: Backport of the integer overflow in the brk system call

2003-12-03 Thread Julian Mehnle
Andreas Schuldei wrote: > * Russell Coker ([EMAIL PROTECTED]) [031203 04:03]: > > I have sent a message to Werner asking if the GPG smart-card device > > could be re-implemented with a USB interface. I think that a USB > > dongle with GPG technology would be a good option as most developer's > > m

Re: OT: Smartcards and Physical Security [Was: Re: Backport of the integer overflow in the brk system call]

2003-12-03 Thread Darren Salt
I demand that Tom may or may not have written... > On Wed, Dec 03, 2003 at 08:45:49AM -0600, Steve Langasek wrote: >> Share the crack. > In my experience kids in college and right out tend to freak out over the > thought of having to spend a few dollars of disposable income, because they > don't

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Andreas Schuldei
* Russell Coker ([EMAIL PROTECTED]) [031203 04:03]: > I have sent a message to Werner asking if the GPG smart-card device could be > re-implemented with a USB interface. I think that a USB dongle with GPG > technology would be a good option as most developer's machines already have > USB suppor

Re: OT: Smartcards and Physical Security [Was: Re: Backport of the integer overflow in the brk system call]

2003-12-03 Thread Tom
On Wed, Dec 03, 2003 at 09:06:07AM -0600, Graham Wilson wrote: > > So you've aided telemarketers and worked for Microsoft? Is your last > name Darkness, middle name Prince of? Satan fell because he wanted to know. So do I. I'm a contrarian. I believe the opposite of whatever I'm confronted wit

Re: OT: Smartcards and Physical Security [Was: Re: Backport of the integer overflow in the brk system call]

2003-12-03 Thread Graham Wilson
On Wed, Dec 03, 2003 at 05:42:20AM -0800, Tom wrote: > Let me tell you a story about a job I had one time: I worked for a guy > (in his basement -- don't ask) who bought your personal credit card data > and other publicly available information. He would pay about $10,000 or > $15,000 for lists

Re: OT: Smartcards and Physical Security [Was: Re: Backport of the integer overflow in the brk system call]

2003-12-03 Thread Tom
On Wed, Dec 03, 2003 at 08:45:49AM -0600, Steve Langasek wrote: > > Share the crack. In my experience kids in college and right out tend to freak out over the thought of having to spend a few dollars of disposable income, because they don't have any :-) Hey, laugh if you want, most organizatio

Re: OT: Smartcards and Physical Security [Was: Re: Backport of the integer overflow in the brk system call]

2003-12-03 Thread Steve Langasek
On Wed, Dec 03, 2003 at 01:24:50AM -0800, Tom wrote: > On Wed, Dec 03, 2003 at 01:16:39AM -0800, Tom wrote: > > > > If something could have prevented something that actually happened, I > > say go for it. > Oh, one last thing: each DD should pay for the device him/her self and > should be requi

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Marc Haber
On Thu, 4 Dec 2003 00:19:36 +1100, Hamish Moffatt <[EMAIL PROTECTED]> wrote: >On Wed, Dec 03, 2003 at 01:06:08PM +0100, Marc Haber wrote: >> I seriously doubt that the server-side software is DFSG-free. The only >> Linux Agent that is available from rsa.com is for RedHat 7.3, and I >> would be asto

Re: OT: Smartcards and Physical Security [Was: Re: Backport of the integer overflow in the brk system call]

2003-12-03 Thread Tom
On Thu, Dec 04, 2003 at 12:20:57AM +1100, Hamish Moffatt wrote: > > How about including your full name somewhere in your posts too then? > I find it a bit off-putting to discuss security with someone who's > obscuring their identity. Ha Ha Ha what a joke. I don't want to be googled for all etern

Re: OT: Smartcards and Physical Security [Was: Re: Backport of the integer overflow in the brk system call]

2003-12-03 Thread Hamish Moffatt
On Wed, Dec 03, 2003 at 01:16:39AM -0800, Tom wrote: > On Wed, Dec 03, 2003 at 01:03:16AM -0800, Don Armstrong wrote: > > [NB: I wanted to take this OT discussion off [EMAIL PROTECTED] and into > > private > > mail, but your e-mail address was munged in some sort of anti-spam > > measure, and not

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Hamish Moffatt
On Wed, Dec 03, 2003 at 01:06:08PM +0100, Marc Haber wrote: > On Wed, 3 Dec 2003 22:27:39 +1100, Hamish Moffatt <[EMAIL PROTECTED]> > wrote: > >The RSA SecurID tokens are a bit smarter than that; the output for a > >given input changes every minute. My employer uses them for remote > >access to the

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Russell Coker
On Wed, 3 Dec 2003 23:06, Marc Haber <[EMAIL PROTECTED]> wrote: > >I have no idea what they cost. Also the newest ones are not exactly fit > >for carrying around in your wallet. They last 3 years on internal > >batteries. > > I seriously doubt that the server-side software is DFSG-free. The only >

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Marc Haber
On Wed, 3 Dec 2003 22:27:39 +1100, Hamish Moffatt <[EMAIL PROTECTED]> wrote: >The RSA SecurID tokens are a bit smarter than that; the output for a >given input changes every minute. My employer uses them for remote >access to their intranet; you have a fixed pin number which you enter >into the car

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Hamish Moffatt
On Wed, Dec 03, 2003 at 12:06:33PM +0100, Artur R. Czechowski wrote: > > What is a "RSA token"? > Device used in some internet banks. You have a device, which has only > chipset, digital pad with on/off switch and display, all embedded in small > case. Authentication is made using C/R algorithm: yo

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Tom
On Wed, Dec 03, 2003 at 12:10:28PM +0100, Wouter Verhelst wrote: > > Are you going to pay for all those smartcards plus their readers? > Including any smartcards for possible future DD's? > > If not, I suggest we forget about this, as it won't be feasible. I don't think the USB models cost that

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Tom
On Wed, Dec 03, 2003 at 12:06:33PM +0100, Artur R. Czechowski wrote: > > What is a "RSA token"? > Device used in some internet banks. You have a device, which has only > chipset, digital pad with on/off switch and display, all embedded in small > case. Authentication is made using C/R algorithm: yo

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Wouter Verhelst
On Tue, Dec 02, 2003 at 05:19:22PM -0800, Tom wrote: > On Wed, Dec 03, 2003 at 10:54:24AM +1000, Andrew Pollock wrote: > > On Wed, Dec 03, 2003 at 11:17:19AM +1100, Russell Coker wrote: > > > > > The only way to have avoided this kernel vulnerability from day-0 of > > discovery/fix release would

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Artur R. Czechowski
On Wed, Dec 03, 2003 at 09:49:21PM +1100, Russell Coker wrote: > On Wed, 3 Dec 2003 20:34, "Artur R. Czechowski" <[EMAIL PROTECTED]> wrote: > > On Wed, Dec 03, 2003 at 02:00:51PM +1100, Russell Coker wrote: > > > I agree that smartcards would help a lot. However as has been previously > > > sugges

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Russell Coker
On Wed, 3 Dec 2003 20:34, "Artur R. Czechowski" <[EMAIL PROTECTED]> wrote: > On Wed, Dec 03, 2003 at 02:00:51PM +1100, Russell Coker wrote: > > I agree that smartcards would help a lot. However as has been previously > > suggested the cost of 1200+ smart-card readers is probably prohibitive. > > W

Re: OT: Smartcards and Physical Security [Was: Re: Backport of the integer overflow in the brk system call]

2003-12-03 Thread Don Armstrong
On Wed, 03 Dec 2003, Tom wrote: > each DD should pay for the device him/her self and should be required > to fly to meet wherever they can pick them up. Why do you assume > somebody has to pay for everything? What's wrong with bearing some > of the costs yourself? Could it possibly be because eq

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Artur R. Czechowski
On Wed, Dec 03, 2003 at 02:00:51PM +1100, Russell Coker wrote: > I agree that smartcards would help a lot. However as has been previously > suggested the cost of 1200+ smart-card readers is probably prohibitive. What about RSA tokens? This solution does not require any special hardware to connect

Re: OT: Smartcards and Physical Security [Was: Re: Backport of the integer overflow in the brk system call]

2003-12-03 Thread Tom
On Wed, Dec 03, 2003 at 01:16:39AM -0800, Tom wrote: > > If something could have prevented something that actually happened, I > say go for it. Oh, one last thing: each DD should pay for the device him/her self and should be required to fly to meet wherever they can pick them up. Why do you a

Re: OT: Smartcards and Physical Security [Was: Re: Backport of the integer overflow in the brk system call]

2003-12-03 Thread Tom
On Wed, Dec 03, 2003 at 01:03:16AM -0800, Don Armstrong wrote: > [NB: I wanted to take this OT discussion off [EMAIL PROTECTED] and into > private > mail, but your e-mail address was munged in some sort of anti-spam > measure, and not trivially un-mungeable. Please consider providing > information

Re: OT: Smartcards and Physical Security [Was: Re: Backport of the integer overflow in the brk system call]

2003-12-03 Thread Don Armstrong
[NB: I wanted to take this OT discussion off [EMAIL PROTECTED] and into private mail, but your e-mail address was munged in some sort of anti-spam measure, and not trivially un-mungeable. Please consider providing information on how to demunge it in some X- header, or not using munging at all.] On

Re: OT: Smartcards and Physical Security [Was: Re: Backport of the integer overflow in the brk system call]

2003-12-03 Thread Tom
On Wed, Dec 03, 2003 at 12:20:59AM -0800, Don Armstrong wrote: > On Tue, 02 Dec 2003, Tom wrote: > > Yes but the attacker did not "steal" the DD's computer. He rooted it > > remotely. > > So the machine is rooted remotely, the DD logs into a debian box even > using our new fangled smart cards, an

Re: OT: Smartcards and Physical Security [Was: Re: Backport of the integer overflow in the brk system call]

2003-12-03 Thread Don Armstrong
On Tue, 02 Dec 2003, Tom wrote: > Yes but the attacker did not "steal" the DD's computer. He rooted it > remotely. So the machine is rooted remotely, the DD logs into a debian box even using our new fangled smart cards, and the attacker still can control the connection. In this particular intrus

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Graham Wilson
On Wed, Dec 03, 2003 at 02:57:11AM +0100, Bernd Eckenfels wrote: > On Wed, Dec 03, 2003 at 10:54:24AM +1000, Andrew Pollock wrote: > > The only way to have avoided this kernel vulnerability from day-0 of > > discovery/fix release would have been to be constantly upgrading to > > pre-release kernels

Re: OT: Smartcards and Physical Security [Was: Re: Backport of the integer overflow in the brk system call]

2003-12-03 Thread Tom
On Tue, Dec 02, 2003 at 05:34:05PM -0800, Don Armstrong wrote: > On Tue, 02 Dec 2003, Tom wrote: > > I think the DD's should seriously think about requiring smartcards. > > It would have prevented the proximate cause of our recent troubles. > > Smartcards are not a magical panacea either. The prob

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Bernd Eckenfels
On Wed, Dec 03, 2003 at 01:54:22PM +1100, Matthew Palmer wrote: > >Nov 28 22:39 Linux 2.4.23 released > > ^ > > Bernd is correct, though - if the machines had been running 2.4.23, they > wouldn't have been vulnerable. The fact that it was impossible to

Re: Backport of the integer overflow in the brk system call

2003-12-03 Thread Bernd Eckenfels
On Wed, Dec 03, 2003 at 02:11:59PM +1100, Russell Coker wrote: > Every DD needs to have immediate access to servers running each of the > supported architectures. Yes of course. But this does not mean they have to have access to infrastructure of the project. A box for a DD to debug and test the

Re: OT: Smartcards and Physical Security [Was: Re: Backport of the integer overflow in the brk system call]

2003-12-02 Thread Russell Coker
On Wed, 3 Dec 2003 12:34, Don Armstrong <[EMAIL PROTECTED]> wrote: > Smartcards are not a magical panacea either. True. > The problems associated > with them aren't too terribly different from those associated with > keys or other forms of physical security, notably, that they can be > stolen, or

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Matthew Palmer
On Tue, Dec 02, 2003 at 08:47:10PM -0600, Steve Langasek wrote: > On Wed, Dec 03, 2003 at 02:57:11AM +0100, Bernd Eckenfels wrote: > > On Wed, Dec 03, 2003 at 10:54:24AM +1000, Andrew Pollock wrote: > > > The only way to have avoided this kernel vulnerability from day-0 of > > > discovery/fix relea

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Russell Coker
On Wed, 3 Dec 2003 13:02, Bernd Eckenfels <[EMAIL PROTECTED]> wrote: > Even if it is painful to decide: more privileges to DDs on a need-to-have > base. Every DD needs to have immediate access to servers running each of the supported architectures. I use mainly i386. If I have to jump through

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Russell Coker
On Wed, 3 Dec 2003 12:19, Tom <[EMAIL PROTECTED]> wrote: > Smartcards would have avoided the Debian compromise: merely having a > compromised DD box would have prevented bad guy from getting on the box. > > It's all about layers of defense. > > I think the DD's should seriously think about requirin

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Steve Langasek
On Wed, Dec 03, 2003 at 02:57:11AM +0100, Bernd Eckenfels wrote: > On Wed, Dec 03, 2003 at 10:54:24AM +1000, Andrew Pollock wrote: > > The only way to have avoided this kernel vulnerability from day-0 of > > discovery/fix release would have been to be constantly upgrading to > > pre-release kernels

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Bernd Eckenfels
On Tue, Dec 02, 2003 at 05:19:22PM -0800, Tom wrote: > I think the DD's should seriously think about requiring smartcards. It > would have prevented the proximate cause of our recent troubles. No, we have to deal with a large population of untrusted individuals. Even if we can keep outsiders out

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Bernd Eckenfels
On Wed, Dec 03, 2003 at 10:54:24AM +1000, Andrew Pollock wrote: > The only way to have avoided this kernel vulnerability from day-0 of > discovery/fix release would have been to be constantly upgrading to > pre-release kernels. Yes but also the debian servers would not have been vulnerable if they

OT: Smartcards and Physical Security [Was: Re: Backport of the integer overflow in the brk system call]

2003-12-02 Thread Don Armstrong
On Tue, 02 Dec 2003, Tom wrote: > I think the DD's should seriously think about requiring smartcards. > It would have prevented the proximate cause of our recent troubles. Smartcards are not a magical panacea either. The problems associated with them aren't too terribly different from those associ

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Tom
On Wed, Dec 03, 2003 at 10:54:24AM +1000, Andrew Pollock wrote: > On Wed, Dec 03, 2003 at 11:17:19AM +1100, Russell Coker wrote: > > The only way to have avoided this kernel vulnerability from day-0 of > discovery/fix release would have been to be constantly upgrading to > pre-release kernels. >

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Andrew Pollock
On Wed, Dec 03, 2003 at 11:17:19AM +1100, Russell Coker wrote: > Of course someone could look at the MS fixes and do some decompilation for a > similar result. Sure it would be more difficult to analyse the assembler > code produced from decompilation than to analyse C source, but OTOH there is

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Tom
On Tue, Dec 02, 2003 at 11:46:45PM +, Geoff Richards wrote: > > South of where? USA. North Carolina. Not South Carolina. Remember that. Redhat is in North Carolina. I always wonder if those mascara-wearing Cure-listening long-haired Linux skater punks ever get into trouble out in thos

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Russell Coker
On Wed, 3 Dec 2003 10:20, Andrew Pollock <[EMAIL PROTECTED]> wrote: > What bugs the hell out of me is that people with nothing better to do with > their time can sit on the lkml and watch what's getting fixed, and put more > analysis into individual fixes than the kernel maintainers themselves can,

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Geoff Richards
On Tue, Dec 02, 2003 at 01:28:28PM -0800, Tom wrote: > On Tue, Dec 02, 2003 at 08:51:50PM +0100, Andreas Rottmann wrote: > > Tom <[EMAIL PROTECTED]> writes: > > > > > On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote: > > >> rather far from changing anything in the kernel memory. Andreas i

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Andrew Pollock
On Tue, Dec 02, 2003 at 10:08:03AM +0100, Andreas Metzler wrote: > > Apparently nobody knew it was comparable to ptrace, it looked like a > simple bugfix and not like a local root exploit. > What bugs the hell out of me is that people with nothing better to do with their time can sit on the lkml

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Frederik Dannemare
Henning Makholm wrote: Scripsit Tom <[EMAIL PROTECTED]> On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote: rather far from changing anything in the kernel memory. Andreas is definitely right that the hole doesn't look like that it is that dangerous. If it wasn't a big deal we wouldn't be

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Tom
On Tue, Dec 02, 2003 at 08:51:50PM +0100, Andreas Rottmann wrote: > Tom <[EMAIL PROTECTED]> writes: > > > On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote: > >> rather far from changing anything in the kernel memory. Andreas is > >> definitely right that the hole doesn't look like that it

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Andreas Rottmann
Tom <[EMAIL PROTECTED]> writes: > On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote: >> rather far from changing anything in the kernel memory. Andreas is >> definitely right that the hole doesn't look like that it is that dangerous. > [snip] > > If it wasn't a big deal we wouldn't be talk

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Jens Bech Madsen
On Tue, 2003-12-02 at 17:31, Tom wrote: > On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote: > > rather far from changing anything in the kernel memory. Andreas is > > definitely right that the hole doesn't look like that it is that dangerous. > > It messed up your life for a couple weeks.

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Henning Makholm
Scripsit Tom <[EMAIL PROTECTED]> > On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote: > > rather far from changing anything in the kernel memory. Andreas is > > definitely right that the hole doesn't look like that it is that dangerous. > If it wasn't a big deal we wouldn't be talking abo

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Tom
On Tue, Dec 02, 2003 at 11:06:44PM +0800, Isaac To wrote: > rather far from changing anything in the kernel memory. Andreas is > definitely right that the hole doesn't look like that it is that dangerous. It messed up your life for a couple weeks. Jesus, it's not the end of the world, but that's

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Isaac To
> "Jonathan" == Jonathan Dowland <[EMAIL PROTECTED]> writes: Jonathan> On Tue, Dec 02, 2003 at 12:08:17PM +0100, Andreas Metzler Jonathan> wrote: >> Afaik: 2.4.23 contains literally 100s of changes, one of these was a >> small change to do_brk(), which looked like a normal non-

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Jonathan Dowland
On Tue, Dec 02, 2003 at 12:08:17PM +0100, Andreas Metzler wrote: > Afaik: 2.4.23 contains literally 100s of changes, one of these was a > small change to do_brk(), which looked like a normal non-critical > bugfix to everybody involved. Some time later Debian was hacked and > backtracing how the i

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Andreas Metzler
Tom <[EMAIL PROTECTED]> wrote: > On Tue, Dec 02, 2003 at 10:08:03AM +0100, Andreas Metzler wrote: >> Apparently nobody knew it was comparable to ptrace, it looked like a >> simple bugfix and not like a local root exploit. > Well, I just downloaded 2.4.23 from kernel.org and installed it. You cou

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Tom
On Tue, Dec 02, 2003 at 10:08:03AM +0100, Andreas Metzler wrote: > > Apparently nobody knew it was comparable to ptrace, it looked like a > simple bugfix and not like a local root exploit. > Well, I just downloaded 2.4.23 from kernel.org and installed it. [obGrumble] I never got hit by any of t

Re: Backport of the integer overflow in the brk system call

2003-12-02 Thread Andreas Metzler
Frederik Dannemare <[EMAIL PROTECTED]> wrote: > just curious: any particular reason why we didn't see a backport any sooner > of > the integer overflow in the brk system call (see recent announcement by > Wichert Akkerman: > http://lists.debian.org/debian-security-announce/debian-security-annou

Re: Backport of the integer overflow in the brk system call

2003-12-01 Thread Frederik Dannemare
Frederik Dannemare wrote: Hi everybody, just curious: any particular reason why we didn't see a backport any sooner of the integer overflow in the brk system call (see recent announcement by Wichert Akkerman: http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00212