Re: [SECURITY] [DSA 1222-1] New proftpd packages fix several vulnerabilities

2006-11-30 Thread Santiago Garcia Mantinan
Hi! I've just seen the DSA and I cannot find amd64 on it, furthermore, when I tried to update a sarge amd64 machine it cannot find the update. Is it delayed or has amd64 been forgotten? Regards... -- Manty/BestiaTester -> http://manty.net -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a sub

Re: Mass update deployment strategy

2006-11-30 Thread Javier Fernández-Sanguino Peña
On Mon, Nov 27, 2006 at 08:37:42PM +0100, mario wrote: > Do you have a strategy or anything to automate this task a little more? > The server farm is growing and i might have to look after 20 or 30 > installations soon. I can already see myself updating ubuntu/debian > installations all day long :(

Re: ProFTPD still vulnerable (Sarge)

2006-11-30 Thread Neil McGovern
On Thu, Nov 30, 2006 at 09:05:54PM +, Neil McGovern wrote: > On Thu, Nov 30, 2006 at 12:57:53PM +0100, Stefan Fritsch wrote: > > NOTE: Users of etch/sid should upgrade to 1.3.0-16 *NOW*. > > > > For users of etch, the fixed packages should be going in in two days. If > it doesn't, I'll issue

Re: ProFTPD still vulnerable (Sarge)

2006-11-30 Thread Neil McGovern
On Thu, Nov 30, 2006 at 12:57:53PM +0100, Stefan Fritsch wrote: > NOTE: Users of etch/sid should upgrade to 1.3.0-16 *NOW*. > For users of etch, the fixed packages should be going in in two days. If it doesn't, I'll issue a DTSA. Neil -- [..] But, up to now, this Friday was the best Debconf day

Re: ProFTPD still vulnerable (Sarge)

2006-11-30 Thread Jim Popovitch
On Thu, 2006-11-30 at 15:10 +0100, Francesco P. Lovergine wrote: > This is unfortunately an effect of an issue with the old mod_delay patch. > It's not an exploiting of the known issue. You have to either disable > mod_delay or use > 1.2.10-20sarge1 which is available at > http://people.debian.o

Re: ProFTPD still vulnerable (Sarge)

2006-11-30 Thread Moritz Muehlenhoff
Stefan Fritsch wrote: > yes, there are two open vulnerabilities in proftpd. A DSA should be in the > works, but I don't know the current status. It's been released a few minutes ago. Cheers, Moritz

Re: ProFTPD still vulnerable (Sarge)

2006-11-30 Thread Francesco P. Lovergine
On Thu, Nov 30, 2006 at 07:28:53AM +0100, Lupe Christoph wrote: > Hi! > > On 23. November I updated the proftpd package on a Sarge machine that > regrettably has to have FTP open to the world. Soon after, somebody ran > many attempts to log in as 'Administrator'. These attempts ran again on > the 2

Re: ProFTPD still vulnerable (Sarge)

2006-11-30 Thread Lupe Christoph
On Thursday, 2006-11-30 at 13:49:44 +0100, Stefan Fritsch wrote: > Oh, that's bad. You don't have ftps enabled explicitly either? No, just plain ftp. > This probably means that there is at least some exploit to DoS sarge's 1.2.x. As I said, the FTP access from "outside" is disabled now. So I c

Re: ProFTPD still vulnerable (Sarge)

2006-11-30 Thread Stefan Fritsch
Hi, >> One is CVE-2006-5815 and the other is a mod_tls vulnerability without >> CVE >> id yet. AFAIK there is no exploit for sarge's 1.2.x for CVE-2006-5815 >> yet. >> So I would expect this to be the mod_tls vulnerability. Do you have >> mod_tls enabled? Try connecting to your server with telnet

Re: ProFTPD still vulnerable (Sarge)

2006-11-30 Thread Lupe Christoph
OT: There seems to be something strange with your MUA. Look at this header: Cc: "Lupe Christoph"@murphy.debian.org, " <[EMAIL PROTECTED]>"@murphy.debian.org On Thursday, 2006-11-30 at 12:57:53 +0100, Stefan Fritsch wrote: > > The attacks ceased before I noticed, so I was not able to capt

Re: ProFTPD still vulnerable (Sarge)

2006-11-30 Thread Stefan Fritsch
Hi, > The attacks ceased before I noticed, so I was not able to capture a TCP > stream. I would just like to alert people that there is still some > vulnerability in the ProFTPD code that was not fixed by DSA-1218-1. yes, there are two open vulnerabilities in proftpd. A DSA should be in the works,

Re: ProFTPD still vulnerable (Sarge)

2006-11-30 Thread Sam Morris
On Thu, 30 Nov 2006 07:28:53 +0100, Lupe Christoph wrote: > The attacks ceased before I noticed, so I was not able to capture a TCP > stream. I would just like to alert people that there is still some > vulnerability in the ProFTPD code that was not fixed by DSA-1218-1. Indeed, see