Geoff Crompton wrote:
CAN-2003-0020 is a vulnerability in apache that mentions how apache
allows escape sequences into the error logs, which might exploit a
terminal program viewing them.
More detail is at http://www.securityfocus.com/bid/9930. The
securityfocus page lists Debian as being vulnerable, and I can't
Geoff Crompton wrote:
I can't find a
DSA that corresponds to CAN-2003-0020.
Woody isn't affected[1]:
CAN-2003-0020: Apache:
Missing filter for terminal escape sequences from error logs
Ch.
[1] Non-Vulnerability Security Information for woody
http://www.nl.debian.org/security/nonvulns-woody
On Mon, 19 Apr 2004, Jan Minar wrote:
On Mon, Apr 19, 2004 at 11:18:41AM -0700, Matt Zimmerman wrote:
On Mon, Apr 19, 2004 at 07:51:27PM +0200, Jan Minar wrote:
Come on, Matt: Virtually all terminal emulators are vulnerable, and the
vulnerability is common knowledge. The
On Sun, Apr 18, 2004 at 11:58:21AM -0700, Matt Zimmerman wrote:
untrusted source. This is a fundamental Unix feature (or flaw). Terminal
control sequences may be contained in the data.
I've read this [1]analysis by H D Moore. No matter how convenient
the escape sequences that allow
On Mon, Apr 19, 2004 at 06:08:51PM +0200, Jan Minar wrote:
On Sun, Apr 18, 2004 at 11:58:21AM -0700, Matt Zimmerman wrote:
untrusted source. This is a fundamental Unix feature (or flaw). Terminal
control sequences may be contained in the data.
I've read this [1]analysis by H D Moore.
On Mon, Apr 19, 2004 at 09:32:47AM -0700, Matt Zimmerman wrote:
On Mon, Apr 19, 2004 at 06:08:51PM +0200, Jan Minar wrote:
On Sun, Apr 18, 2004 at 11:58:21AM -0700, Matt Zimmerman wrote:
untrusted source. This is a fundamental Unix feature (or flaw). Terminal
control sequences may be
On Mon, Apr 19, 2004 at 07:51:27PM +0200, Jan Minar wrote:
Come on, Matt: Virtually all terminal emulators are vulnerable, and the
vulnerability is common knowledge. The abovementioned paper was on
Bugtraq 2003-02-24 21:02:52... Is the Security Team going to do
something about it
On Mon, Apr 19, 2004 at 11:18:41AM -0700, Matt Zimmerman wrote:
On Mon, Apr 19, 2004 at 07:51:27PM +0200, Jan Minar wrote:
Come on, Matt: Virtually all terminal emulators are vulnerable, and the
vulnerability is common knowledge. The abovementioned paper was on
Bugtraq 2003-02-24
On Mon, Apr 19, 2004 at 09:31:27PM +0200, Jan Minar wrote:
And as a part of this community, I am...
[doing more pointing and whining]
Did you miss the bit where I said that didn't help?
Haha, I can feel the free spirit of the computer labs of the late
sixties:
This one time, at band camp, Matt Zimmerman said:
On Mon, Apr 19, 2004 at 09:31:27PM +0200, Jan Minar wrote:
% ssh kh
[EMAIL PROTECTED]'s password:
Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown
% echo 'Morning, Mister root, welcome to a jail 8-)' > /dev/tty63
I believe that the permissions are changed to allow a logged in user to
access that terminal. The permissions are handled and reset by the
appropriate log in service.
[EMAIL PROTECTED]:~$ ls -lh /dev/pts/3
crw---1 plhofmei tty 136, 3 Apr 19 16:47 /dev/pts/3
[EMAIL PROTECTED]:~$
On Mon, Apr 19, 2004 at 01:07:59PM -0700, Matt Zimmerman wrote:
On Mon, Apr 19, 2004 at 09:31:27PM +0200, Jan Minar wrote:
And as a part of this community, I am...
[doing more pointing and whining]
We are going astray. Maybe a time to rephrase...
We have security issues in Debian stable
On Mon, Apr 19, 2004 at 11:18:51PM +0200, Jan Minar wrote:
It's not about Eterm, or the console.c in Linux, or the tty permissions,
it's about the bigger picture.
The bigger picture is that there are security problems and there are
security problems. The only specific problem you pointed out
On Sat, Apr 17, 2004 at 10:16:11PM +0200, Jan L??hr wrote:
what about http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020 ?
Is debian finally going to fix it?
Current consensus between the security team and the Apache maintainers is
that it is not necessary to fix this in woody
Greetings,
On Sunday, 18 April 2004 18:56, Matt Zimmerman wrote:
On Sat, Apr 17, 2004 at 10:16:11PM +0200, Jan L??hr wrote:
what about
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020 ? Is
debian finally going to fix it?
Current consensus between the security team
On Sun, Apr 18, 2004 at 08:47:16PM +0200, Jan L?hr wrote:
On Sunday, 18 April 2004 18:56, Matt Zimmerman wrote:
On Sat, Apr 17, 2004 at 10:16:11PM +0200, Jan L??hr wrote:
what about
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020 ? Is
debian finally going to fix
Greetings,
what about http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020 ?
Is debian finally going to fix it?
keep smiling
yanosz