Re: Changing the "Reply-To:" for debian-security-announce

2016-03-02 Thread Florent Rougon
Andrew Vaughan wrote: > I'm wondering why the body of the email doesn't include instructions on how > to unsubscribe? Most modern email clients [...] > Just adding "To unsubscribe email:debian-security-requ...@lists.debian.org > with the subject unsubscribe" at

Re: Changing the "Reply-To:" for debian-security-announce

2016-03-02 Thread Florent Rougon
Alexander Wirt wrote: > Because people expect that they can answer a DSA. Okay, but what's the point? If someone has something valuable to say in response to a DSA: 1) he can find the debian-security list; 2) if he replies to the -announce list and gets a bounce

Re: [SECURITY] [DSA 3500-1] openssl security update

2016-03-02 Thread Florent Rougon
Carsten Aulbert wrote: > Would it make sense to add that to the DSA 3500-1 page, like for > DSA-3481[1]? Probably (if not already the case---didn't check). But frankly, *every* library with a security update falls in this case AFAICT, so if you're going to do that,

Re: [SECURITY] [DSA 3501-1] perl security update

2016-03-01 Thread Florent Rougon
Noah Meyerhans wrote: > He replied to a post to debian-security-annou...@lists.debian.org yet > everybody who replied to him how to unsubscribe from > debian-security@lists.debian.org. Amazing how he's still on the list, > isn't it? Yup. Wouldn't it be possible to set the

Re: About GPG-signing the public RSA keys of Debian machines

2006-10-11 Thread Florent Rougon
Hi, I appreciate your help (Joerg, David and Kurt), but there is still a problem to solve before I can trust my connection to db.debian.org via HTTPS. Kurt Roeckx [EMAIL PROTECTED] wrote: So Joerg just replaced them with the new ones: http://www.spi-inc.org/secretary/spi-ca.crt

Re: About GPG-signing the public RSA keys of Debian machines

2006-10-11 Thread Florent Rougon
Kurt Roeckx [EMAIL PROTECTED] wrote: The certificate for db.debian.org is still signed by the old key. Mmmm. They're both part of the ca-certificates package in testing and unstable: new: /etc/ssl/certs/SPI_CA_2006-cacert.pem old: /etc/ssl/certs/spi-ca.pem It appears that

Re: About GPG-signing the public RSA keys of Debian machines

2006-10-10 Thread Florent Rougon
Hi, Joerg Jaspert [EMAIL PROTECTED] wrote: 1. There is also: * Entry created: /00/00 00:00:00 UTC * Entry modified: /00/00 00:00:00 UTC Those fields could be removed and not shown, that would fix this. It's just that in the past we had those filled in, now we

Re: About GPG-signing the public RSA keys of Debian machines

2006-10-10 Thread Florent Rougon
Hi, David Clymer [EMAIL PROTECTED] wrote: With a signature, he just has to trust that signer f00's key has not been compromised, thus the published host key info is trustworthy and a MITM is not happening. To be honest, I believe the MITM attack problem could be mitigated by the certificate

Re: About GPG-signing the public RSA keys of Debian machines

2006-10-10 Thread Florent Rougon
[ I think debian-admin have read enough about my request by now, so if you reply about verifying certificates and such, please consider dropping the CC. Thanks. ] Kurt Roeckx [EMAIL PROTECTED] wrote: See: http://lists.debian.org/debian-project/2006/07/msg00056.html Which has the key in

About GPG-signing the public RSA keys of Debian machines

2006-10-09 Thread Florent Rougon
Hi, I wanted to login on gluck today and stumbled on that: @@@ @WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING

Re: su - and su - what is the real difference?

2006-08-11 Thread Florent Rougon
Goswin von Brederlow [EMAIL PROTECTED] wrote: if (isatty (0) (cp = ttyname (0))) { For this to succeed the stdin must be a terminal. But nothing stops you from using a pseudo terminal (pty). You're right, that works. Thanks. My conclusion is that whether using su or su - from a

Re: su - and su - what is the real difference?

2006-08-10 Thread Florent Rougon
Florent Rougon [EMAIL PROTECTED] wrote: Is it possible for a malicious su wrapper to: 1. record root's password (of course, yes); 2. *and then* feed this password to the real su. I suspect the real su empties the stdin buffer (or something like that) to avoid such attacks, but would

Re: su - and su - what is the real difference?

2006-07-28 Thread Florent Rougon
Michael Marsh [EMAIL PROTECTED] wrote: What this means is that if you just run su, you'll be left with the environment of the user from whose account you entered root's. In particular, $PATH, $LD_PRELOAD, and $LD_LIBRARY_PATH won't be unset. If the user is malicious, he can get you to run

Re: su - and su - what is the real difference?

2006-07-28 Thread Florent Rougon
LeVA [EMAIL PROTECTED] wrote: And can you tell me why the $USER and the $LOGNAME variables gets resetted by su, no matter if I've invoked it with or without the '-' option? Which suite are you testing this on? Here, on sarge, using su with the - sets USER to root but doesn't modify

Re: su - and su - what is the real difference?

2006-07-28 Thread Florent Rougon
Oops! Florent Rougon [EMAIL PROTECTED] wrote: Here, on sarge, using su with the - sets USER to root but doesn't without modify LOGNAME. Sorry for the confusion. (of course, with su -, LOGNAME is set to 'root') -- Florent

Re: .desktop arbitrary program execution

2005-01-19 Thread Florent Rougon
Florian Weimer [EMAIL PROTECTED] wrote: mutt and Gnus are, in typical configurations. Most distributions kindly add all these helpful mailcap entries. Could you point out a mailcap entry that causes the file to be *executed*? Because running gqview $file.jpg is very different from running

Re: Security FAQ

2004-03-07 Thread Florent Rougon
[ I'm not subscribed to debian-www ] Johan Haggi [EMAIL PROTECTED] wrote: Maybe you want to add this at security faq: === Question === To use sarge's security updates I write this line in sources.list: deb http://security.debian.org/ sarge/updates main contrib non-free Why they don't say

Re: apt-get upgrade and kernel images

2004-02-27 Thread Florent Rougon
Andris Kalnozols [EMAIL PROTECTED] wrote: lpans1# dpkg -l | grep kernel-image ii kernel-image-2 2.4.23-1 Linux kernel image for version 2.4.23 on PPr ii kernel-image-2 2.4.24-2 Linux kernel image for version 2.4.24 on PPr ^^ Note that the package name is

Re: Mail processing tool

2004-01-25 Thread Florent Rougon
Jonas J Linde [EMAIL PROTECTED] wrote: Procmail is a big tool, I need something different: small, reliable, secure. Big? The gzipped source tar ball is 227kB. If you want something that processes mail in a fully customizable way I'm pretty sure you won't find anything much smaller than

Re: secure FTP clients [was: recommendations for FTP server]

2003-06-21 Thread Florent Rougon
Nick Boyce [EMAIL PROTECTED] wrote: Don't forget FileZilla http://filezilla.sourceforge.net/ GUI Win32 client that does FTP, FTP over SSL, and SFTP. Apparently has some integration with PuTTY, though I can't currently figure out how to get FileZilla to use my PuTTY keystore. The way I

Re: AW: export problems on security updates?

2002-10-10 Thread Florent Rougon
Marcel Weber [EMAIL PROTECTED] wrote: I think he meant France with the limitation of 56 bit encryption. It doesn't exist any more. It used to be 128 bits for some time (I think it's still 128 bits for undeclared secret-key crypto-systems, but IANAL), and since the 15th of July 2002, the key

Re: Bug#149714: libfam0 Does not depend on fam

2002-08-23 Thread Florent Rougon
Hi, Anthony DeRobertis [EMAIL PROTECTED] wrote: There is a package for doing that (setting up those pseudo-packages) but I don't remember the name. Sorry :-( I think you mean equivs. -- Florent

Re: NEWS RELEASE

2002-07-02 Thread Florent Rougon
Christoph Moench-Tegeder [EMAIL PROTECTED] wrote: It's your fault if you don't filter on X-Spam-Status. FYI (sorry for the long line), it was: X-Spam-Status: No, hits=4.3 required=4.7

ssh and password authentication

2002-06-25 Thread Florent Rougon
Hi, I have read several times, including on this list, that password authentication with ssh does not send the password in clear text (it is sent in the encrypted tunnel). This is confirmed by the ssh(1) man page: If other authentication methods fail, ssh prompts the user for a