* Paul Gear:
It makes perfect sense to me... All it's saying is that IP-to-MAC
mappings are cached in the 'Recent' set for each interface for
$MACLIST_TTL seconds without requiring them to be passed through the MAC
filter for every packet.
The problem is this sentence: Subsequent connection
* Michael Stone:
On Tue, Aug 30, 2005 at 12:17:22AM +0200, Florian Weimer wrote:
I think this part of the diff is pretty instructive, together with
upstream's explanation:
Frankly, no, it's not.
if [ -n $MACLIST_TTL ]; then
chain1=$(macrecent_target $interface)
Florian Weimer wrote:
...
# When a new connection arrives from a 'maclist' interface, the packet passes
# through the list of entries for that interface in /etc/shorewall/maclist. If
# there is a match then the source IP address is added to the 'Recent' set for
# that interface. Subsequent
Frans Pop wrote:
On Monday 29 August 2005 22:23, Florian Weimer wrote:
I've obtained permission from tbm to quote the message reproduced
below in public. This should make it clear that the intent was to
delegate: According to [URL], debian-admin clearly has the authority --
according to [URL],
[Frans Pop]
IMO the status of the security team is not changed by that mail: if
it was delegated before that time, it still is, and similar if it
was not.
Personally, I only find it reasonable that all groups in Debian with
special privileges within the Debian community are delegates. It
On Tuesday 30 August 2005 10:34, Antti-Juhani Kaijanaho wrote:
Frans Pop wrote:
On Monday 29 August 2005 22:23, Florian Weimer wrote:
I've obtained permission from tbm to quote the message reproduced
below in public. This should make it clear that the intent was to
delegate: Nach [URL] hat
Florian Weimer wrote:
...
If we're going to have another crack at it, then, what track should we
take? Reopen the bug as Florian suggested,
...
email the security team, just keep pestering Joey?
IMHO, the first step would be to convince the shorewall maintainer
that a security update for
Florian Weimer wrote:
...
It seems that shorewall generates an ACL that ACCEPTs all traffic once
a MAC rule matches. Further rules are not considered. The
explanations in version 2.2.3 seem to indicate that this was the
intended behavior, but its implications surprised upstream, and a
* Paul Gear:
The maintainer is not the problem. Lorenzo has prepared 2.2.3-2 for
sarge [1] and has tested the before and after situations and found that
the bug is fixed. The problem is no response from Martin Schulze.
[1] http://idea.sec.dico.unimi.it/~lorenzo/tmp/
This information
* Paul Gear:
Florian Weimer wrote:
...
It seems that shorewall generates an ACL that ACCEPTs all traffic once
a MAC rule matches. Further rules are not considered. The
explanations in version 2.2.3 seem to indicate that this was the
intended behavior, but its implications surprised
Greetings,
On Friday, 26 August 2005 01:57, Ralph Katz wrote:
On 08/25/2005 06:10 PM, Stefan Fritsch wrote:
Do they have some monitoring script? Or some monitoring people?
(Might be interesting to know who: [disgruntled users? the
competition?])
cron-apt will send you a mail.
* Paul Gear:
There certainly have been exceptions to that rule. The maintainer of
shorewall has been trying for weeks to get a DSA issued about a
vulnerability, and it seems we have to convince Joey that it *is* a
vulnerability before he'll issue it.
Is this #318946? This one is tagged
On Mon, 29 Aug 2005, Paul Gear wrote:
if it's important... they will post dsa ??
There certainly have been exceptions to that rule. The maintainer of
there will always be exceptions ...
shorewall has been trying for weeks to get a DSA issued about a
vulnerability, and it seems we have
Goswin von Brederlow wrote:
...
There certainly have been exceptions to that rule. The maintainer of
shorewall has been trying for weeks to get a DSA issued about a
vulnerability, and it seems we have to convince Joey that it *is* a
vulnerability before he'll issue it. (I don't understand this
Alvin Oga wrote:
...
shorewall has been trying for weeks to get a DSA issued about a
vulnerability, and it seems we have to convince Joey that it *is* a
vulnerability before he'll issue it. (I don't understand this - how can
Joey even *try* to understand every security bug?) Repeated attempts
Michael Stone wrote:
...
There certainly have been exceptions to that rule. The maintainer of
shorewall has been trying for weeks to get a DSA issued about a
vulnerability, and it seems we have to convince Joey that it *is* a
vulnerability before he'll issue it.
...
I disagree that
Florian Weimer wrote:
* Paul Gear:
There certainly have been exceptions to that rule. The maintainer of
shorewall has been trying for weeks to get a DSA issued about a
vulnerability, and it seems we have to convince Joey that it *is* a
vulnerability before he'll issue it.
Is this
* Paul Gear:
There certainly have been exceptions to that rule. The maintainer of
shorewall has been trying for weeks to get a DSA issued about a
vulnerability, and it seems we have to convince Joey that it *is* a
vulnerability before he'll issue it.
Is this #318946?
Correct.
There is
On Mon, Aug 29, 2005 at 09:53:15PM +1000, Paul Gear wrote:
Michael Stone wrote:
I also disagree with the characterization that much effort
has been put into describing the bug.
I don't know upon what you're basing your characterization
I reviewed the security team mail before I responded.
* Paul Gear:
I don't know upon what you're basing your characterization, but I'm
party to at least 3 emails to Joey describing the nature of the bug
in sufficient detail to understand it as a security flaw.
Was this pre- or post-disclosure? In the latter case, such discussion
should be Cc:ed
On Mon, 29 Aug 2005, Paul Gear wrote:
... [ prev process/procedure snipped ]
What makes you think that this didn't occur?
sounds like a normal thing .. good
joey and crew can't possibly examine, review, fix, verify all bugs
no matter how good of an expert security coder they were
My
On Fri, Aug 26, 2005 at 04:39:04PM +, W. Borgert wrote:
On Fri, Aug 26, 2005 at 05:36:26PM +0200, martin f krafft wrote:
Heck, we *should* have a responsive and communicative security team.
Do we have a security team for stable? I know, that we have a
security team for testing
On Sat, Aug 27, 2005 at 10:40:36PM +0200, martin f krafft wrote:
Following the debate around LinuxTag, Branden put a trusted and very
active and skilled developer on the task to research the security
problems. Unfortunately, he has not been able to get far with this
job yet, probably due to
On Mon, Aug 29, 2005 at 11:46:24AM -0500, Branden Robinson / Debian Project Leader wrote:
As far as I know, the stable/oldstable security team was never (recently)
down to Joey S. alone. Mike Stone and Steve Kemp have been active members
for some time (Steve was, as I understand it, promoted
* Branden Robinson:
2) I bring the Debian Security Team under delegation[2].
Martin Michlmayr has made the security team a delegate by this
message:
http://lists.debian.org/debian-devel-announce/2003/05/msg5.html
Have you withdrawn this delegation in the meantime? AIUI, DPL
elections
On Monday 29 August 2005 20:13, Florian Weimer wrote:
Martin Michlmayr has made the security team a delegate by this
message:
http://lists.debian.org/debian-devel-announce/2003/05/msg5.html
Huh? I read no formal delegation in that message.
It just states that he talked to some people and
thus spoke Florian Weimer [EMAIL PROTECTED] [2005.08.29.2013 +0200]:
2) I bring the Debian Security Team under delegation[2].
Martin Michlmayr has made the security team a delegate by this
message:
http://lists.debian.org/debian-devel-announce/2003/05/msg5.html
Have you withdrawn
* Frans Pop:
On Monday 29 August 2005 20:13, Florian Weimer wrote:
Martin Michlmayr has made the security team a delegate by this
message:
http://lists.debian.org/debian-devel-announce/2003/05/msg5.html
Huh? I read no formal delegation in that message.
There are no formal requirements
On Monday 29 August 2005 21:40, Florian Weimer wrote:
I see no (as DPL) I appoint or I delegate in that mail.
This is not necessary.
I'm sorry, but I still think you're doing creative reading. There is only
an announcement of the addition of a new member to an existing team.
There is
* Frans Pop:
On Monday 29 August 2005 21:40, Florian Weimer wrote:
I see no (as DPL) I appoint or I delegate in that mail.
This is not necessary.
I'm sorry, but I still think you're doing creative reading. There is only
an announcement of the addition of a new member to an existing team.
Could we move this thread to -project or -curiosa?
Mike Stone
Florian Weimer wrote:
* Paul Gear:
I don't know upon what you're basing your characterization, but I'm
party to at least 3 emails to Joey describing the nature of the bug
in sufficient detail to understand it as a security flaw.
Was this pre- or post-disclosure?
There was no
* Paul Gear:
In the latter case, such discussion should be Cc:ed to the bug
report, IMHO.
Is that a policy issue, common convention, or just a suggestion?
It's a suggestion (IMHO). I would like to see it as a common
convention.
I think there are many little things which should be
Michael Stone wrote:
...
I also disagree with the characterization that much effort
has been put into describing the bug.
If we're going to have another crack at it, then, what track should we
take? Reopen the bug as Florian suggested, email the security team,
just keep pestering Joey?
I
* Paul Gear:
If we're going to have another crack at it, then, what track should we
take? Reopen the bug as Florian suggested,
According to a recent discussion on -devel, this bug is still open.
The BTS web is a bit confusing.
email the security team, just keep pestering Joey?
IMHO, the
On Monday 29 August 2005 22:23, Florian Weimer wrote:
I've obtained permission from tbm to quote the message reproduced
below in public. This should make it clear that the intent was to
delegate: According to [URL], debian-admin clearly has the authority --
according to [URL], debian-admin clearly has
* Michael Stone:
Contact the security team. Describe the bug in such a way that the
security team understands its severity and impact. It is not sufficient
to say just trust me and issue an advisory. From what I've seen so far
this is not the obvious buffer overflow sort of bug, it's a
Florian Weimer wrote:
* Michael Stone:
Contact the security team. Describe the bug in such a way that the
security team understands its severity and impact. It is not sufficient
to say just trust me and issue an advisory. From what I've seen so far
this is not the obvious buffer overflow sort
On Mon, Aug 29, 2005 at 11:44:59PM +0200, Florian Weimer wrote:
IMHO, Debian should publish at least a DSA that explains this
discrepancy, especially if the package maintainer also thinks that
it's necessary.
Thank you for your input. Would anyone else like to register their
opinion? BTW, did
* Steve Wray:
Another example is fwbuilder which *silently* fails to overwrite its
generated script at compile time if the user doesn't have write
permissions on the existing script.
Most bugs in security tools are security bugs. We have to draw a line
somewhere, otherwise stable becomes
* Michael Stone:
On Mon, Aug 29, 2005 at 11:44:59PM +0200, Florian Weimer wrote:
IMHO, Debian should publish at least a DSA that explains this
discrepancy, especially if the package maintainer also thinks that
it's necessary.
Thank you for your input. Would anyone else like to register their
Florian Weimer wrote:
* Steve Wray:
Another example is fwbuilder which *silently* fails to overwrite its
generated script at compile time if the user doesn't have write
permissions on the existing script.
Most bugs in security tools are security bugs. We have to draw a line
somewhere,
Florian Weimer wrote:
* Steve Wray:
I view this as a security problem because what if you *think* you've
made changes to your firewall and are now protected only... you aren't
and the firewall hasn't been updated?
Is that enough of a security problem for the fix to get into stable?
[snip]
On Tue, Aug 30, 2005 at 12:17:22AM +0200, Florian Weimer wrote:
I think this part of the diff is pretty instructive, together with
upstream's explanation:
Frankly, no, it's not.
if [ -n $MACLIST_TTL ]; then
chain1=$(macrecent_target $interface)
createchain
* Petter Reinholdtsen:
[Florian Weimer]
Correct me if I'm wrong, but the current team doesn't seem to want
new members.
I've been told that the current stable security team consists of one
person doing the work, Martin Schulze. If this team does not want new
members, something strange is
thus spoke Florian Weimer [EMAIL PROTECTED] [2005.08.28.1154 +0200]:
Or are there many packages with backported security patches, ready
for upload, and the security team does not act on them? I don't
think so.
This was the case throughout June.
Maybe that's because it was a non-issue which
* martin f. krafft:
thus spoke Florian Weimer [EMAIL PROTECTED] [2005.08.28.1154 +0200]:
Or are there many packages with backported security patches, ready
for upload, and the security team does not act on them? I don't
think so.
This was the case throughout June.
AFAIK, you can only
On Sun, 28 Aug 2005, Florian Weimer wrote:
AFAIK, you can only blame the security team for lack of communication.
nah ... they're doing fine .. to the extent is needed ??
if it's important... they will post dsa ??
They were ready to upload the packages, but the infrastructure to
process
thus spoke Alvin Oga [EMAIL PROTECTED] [2005.08.28.1328 +0200]:
nah ... they're doing fine .. to the extent is needed ??
if it's important... they will post dsa ??
Where have you been?
what i think is needed is an automated script that checks
debian against known exploits or a way to verify
Alvin Oga wrote:
On Sun, 28 Aug 2005, Florian Weimer wrote:
AFAIK, you can only blame the security team for lack of communication.
nah ... they're doing fine .. to the extent is needed ??
if it's important... they will post dsa ??
There certainly have been exceptions to that rule.
On Mon, Aug 29, 2005 at 07:40:23AM +1000, Paul Gear wrote:
There certainly have been exceptions to that rule. The maintainer of
shorewall has been trying for weeks to get a DSA issued about a
vulnerability, and it seems we have to convince Joey that it *is* a
vulnerability before he'll issue
Paul Gear [EMAIL PROTECTED] writes:
Alvin Oga wrote:
On Sun, 28 Aug 2005, Florian Weimer wrote:
AFAIK, you can only blame the security team for lack of communication.
nah ... they're doing fine .. to the extent is needed ??
if it's important... they will post dsa ??
There
* martin f. krafft:
I think Alvin was alluding to how it *should* be solved. As in: we
should have more than one security server, globally spaced.
security.debian.org already is a Single Point of Ownership. I don't
think we need multiple ones, so this is definitely a post-etch thing.
* W. Borgert:
Do we have a security team for stable? I know, that we have a
security team for testing consisting of nine DDs and ten
non-DDs, but it seems to me, that stable is handled by Joey
alone. Has this changed since the havoc a few months ago?
I don't think so. Joey seems to be
[Florian Weimer]
I don't think so. Joey seems to be satisfied with this situation,
and apart from unanswered email messages to [EMAIL PROTECTED],
there are few complaints, AFAIK.
I'm not sure if the satisfaction of Martin Schulze is a good measuring
stick to judge the quality of the stable
On Sat, 27 Aug 2005, Florian Weimer wrote:
* martin f. krafft:
I think Alvin was alluding to how it *should* be solved. As in: we
should have more than one security server, globally spaced.
security.debian.org already is a Single Point of Ownership. I don't
think we need multiple ones,
On Sat, 27 Aug 2005, Florian Weimer wrote:
I don't think so. Joey seems to be satisfied with this situation, and
apart from unanswered email messages to [EMAIL PROTECTED], there
are few complaints, AFAIK. The email part is very unfortunate indeed,
but it probably doesn't warrant drastic
thus spoke Henrique de Moraes Holschuh [EMAIL PROTECTED] [2005.08.27.1540 +0200]:
security.debian.org already is a Single Point of Ownership. I don't
think we need multiple ones, so this is definitely a post-etch thing.
Irrelevant if secure apt is deployed correctly.
No. Imagine exim
On Sat, Aug 27, 2005 at 11:07:21AM +0200, Florian Weimer wrote:
apart from unanswered email messages to [EMAIL PROTECTED], there
are few complaints, AFAIK. The email part is very unfortunate indeed,
I'm not entirely happy with the lack of redundancy.
Given the (not only commercial)
* Henrique de Moraes Holschuh:
On Sat, 27 Aug 2005, Florian Weimer wrote:
I don't think so. Joey seems to be satisfied with this situation, and
apart from unanswered email messages to [EMAIL PROTECTED], there
are few complaints, AFAIK. The email part is very unfortunate indeed,
but it
On Saturday, 27 August 2005 15:44, martin f krafft wrote:
No. Imagine exim gets a root exploit and I spoof the DNS to some
mirror of s.d.o. That mirror will be consistent wrt secure APT, but
it won't get updates, so admins who don't follow DSAs and run
apt-get upgrade consciously and
thus spoke Rudolf Lohner [EMAIL PROTECTED] [2005.08.27.1651 +0200]:
This scenario could be avoided if s.d.o would authenticate itself.
Is authentication of the server something which has been considered
with secure apt?
I've suggested this before but never had the time to implement it.
Patches
* Petter Reinholdtsen:
The count of open security issues in stable and oldstable is probably
a better measuring meter, and it does not look too good.
Security support is a task for Debian as a whole, not just the
security team. IMHO, the main role of the security team is
information sharing,
* Henrique de Moraes Holschuh:
On Sat, 27 Aug 2005, Florian Weimer wrote:
* martin f. krafft:
I think Alvin was alluding to how it *should* be solved. As in: we
should have more than one security server, globally spaced.
security.debian.org already is a Single Point of Ownership. I
Hi martin!
On Sat, 27 Aug 2005, martin f krafft wrote:
thus spoke Henrique de Moraes Holschuh [EMAIL PROTECTED] [2005.08.27.1540 +0200]:
security.debian.org already is a Single Point of Ownership. I don't
think we need multiple ones, so this is definitely a post-etch thing.
thus spoke Florian Weimer [EMAIL PROTECTED] [2005.08.27.1648 +0200]:
Correct me if I'm wrong, but the current team doesn't seem to want
new members. If you nevertheless force new members upon them, you
are in fact looking for a complete replacement. This is what
I call drastic.
When a
* martin f. krafft:
FWIW, Florian sent me this interesting link:
http://www.cs.berkeley.edu/~nweaver/0wn2.html
This is was only intended as an explanation of the term single point
of ownership. I don't agree with Nicholas Weaver's analysis.
On Sat, 27 Aug 2005, Henrique de Moraes Holschuh wrote:
For this to work, you need a master s.d.o mirror, and automatic signing (so
that you can keep the timestamping as low as a few hours). This gives you a
mirror network, with the same single owning point of failure we have right
now.
Add
On Sat, 27 Aug 2005, Florian Weimer wrote:
* Henrique de Moraes Holschuh:
On Sat, 27 Aug 2005, Florian Weimer wrote:
I don't think so. Joey seems to be satisfied with this situation, and
apart from unanswered email messages to [EMAIL PROTECTED], there
are few complaints, AFAIK. The
* martin f. krafft:
thus spoke Henrique de Moraes Holschuh [EMAIL PROTECTED] [2005.08.27.1540 +0200]:
security.debian.org already is a Single Point of Ownership. I don't
think we need multiple ones, so this is definitely a post-etch thing.
Irrelevant if secure apt is deployed
thus spoke Henrique de Moraes Holschuh [EMAIL PROTECTED] [2005.08.27.1720 +0200]:
Huh? They probably do, for all I know. Whether they have people
they trust for the job right now is something else, though. We
can probably expect
It's hard to tell for the requirements are not publicly
On Sat, 27 Aug 2005, martin f krafft wrote:
security; every additional day hurts the project reputation severely,
at least here in Germany and Switzerland. I have clients (one of
which is a major German bank) voicing their concerns and considering
switching away from Debian to Solaris because
thus spoke Henrique de Moraes Holschuh [EMAIL PROTECTED] [2005.08.27.2019 +0200]:
Show how much they know about Solaris security. Still, why don't you drop
by IRC and try to talk to Branden and Joey?
Branden is offline, and Joey can't be bothered to talk about this
stuff with me, it seems.
thus spoke Florian Weimer [EMAIL PROTECTED] [2005.08.27.1107 +0200]:
Do we have a security team for stable? I know, that we have a
security team for testing consisting of nine DDs and ten
non-DDs, but it seems to me, that stable is handled by Joey
alone. Has this changed since the havoc
[Florian Weimer]
Correct me if I'm wrong, but the current team doesn't seem to want
new members.
I've been told that the current stable security team consists of one
person doing the work, Martin Schulze. If this team does not want new
members, something strange is afoot.
And prospective
thus spoke Petter Reinholdtsen [EMAIL PROTECTED] [2005.08.27.2255 +0200]:
I've been told that the current stable security team consists of one
person doing the work, Martin Schulze. If this team does not want new
members, something strange is afoot.
At least one other member is working
[Martin F Krafft]
And prospective security team members should start working in the
testing security team. There is no need to keep secrets (all is done
in public),
Which doesn't address the problem that embargoed bugs are possibly
handled suboptimally in Debian.
And it does not address
thus spoke Petter Reinholdtsen [EMAIL PROTECTED] [2005.08.28.0025 +0200]:
In short, I see no downsides to helping out the testing security team
while we at the same time try to address the issues with stable
security work.
I was not trying to suggest so. The testing security team is a true
Alvin Oga wrote:
either case can be solved by: security1.debian.org in LA
and security2.debian.org in NYC and security3.debian.org in berlin :-)
This is interesting, but:
Reading Package Lists... Done
Building Dependency Tree
Reading extended state information
Initializing package
Yep, that is bad, even here from LA.
[EMAIL PROTECTED] ~]$ dig security1.debian.org @samosa.debian.org.
; <<>> DiG 9.2.5 <<>> security1.debian.org @samosa.debian.org.
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14151
;; flags: qr aa rd;
thus spoke Timo Veith [EMAIL PROTECTED] [2005.08.26.1726 +0200]:
either case can be solved by: security1.debian.org in LA
and security2.debian.org in NYC and security3.debian.org in berlin :-)
Reading Package Lists... Done
Building Dependency Tree
Reading extended state information
perhaps instead of security2.d.o securyN.d.o it should be done like
the ftp aliases:
security.us.d.o (or better by location like: security.us.ny.d.o)
security.de.d.o, etc...
I guess once GPG signed packages (now in Sid) become a reality, these
things can be done more safely.
thus spoke Luis M [EMAIL PROTECTED] [2005.08.26.1750 +0200]:
perhaps instead of security2.d.o securyN.d.o it should be done like
the ftp aliases:
security.us.d.o (or better by location like: security.us.ny.d.o)
security.de.d.o, etc...
No matter what they are called, it should be possible
martin f krafft wrote:
thus spoke Timo Veith [EMAIL PROTECTED] [2005.08.26.1726 +0200]:
either case can be solved by: security1.debian.org in LA
and security2.debian.org in NYC and security3.debian.org in berlin :-)
Reading Package Lists... Done
Building Dependency Tree
Reading extended
On Fri, Aug 26, 2005 at 05:36:26PM +0200, martin f krafft wrote:
Heck, we *should* have a responsive and communicative security team.
Do we have a security team for stable? I know, that we have a
security team for testing consisting of nine DDs and ten
non-DDs, but it seems to me, that stable
thus spoke tomasz abramowicz [EMAIL PROTECTED] [2005.08.26.1836 +0200]:
why aren't all redundant security servers included in the sources.list,
or why doesn't it ask at install time to include all backup security servers?
as well as security.debian.org?
security.debian.org is not a server, it's
thus spoke martin f krafft [EMAIL PROTECTED] [2005.08.26.1907 +0200]:
security.debian.org is not a server, it's a DNS A record. It's
a whole lot easier to point that elsewhere in case of problems than
expecting users to make sense of the errors they get when some
servers can't be reached.
On Thu, 25 Aug 2005, Jan Luehr wrote:
Again the debian security infrastructure has proved to be accident-sensitive.
This night, power supply broke down,
taking security.debian.org being
responsible for delivering updates offline. The power cut off happened in the
data center rack the
On Thu, 25 Aug 2005, Jan Luehr wrote:
again the debian security infrastructure has proved to be accident-sensitive.
[...]
Sometimes it just bothers me to read this news on heise.de first.
Nothing on deb-ann dev-ann or sec-ann.
What's wrong here?
Maybe you can plug into the same
On Thursday 25 August 2005 23:33, Peer Janssen wrote:
Do they have some monitoring script? Or some monitoring people?
(Might be interesting to know who: [disgruntled users? the
competition?])
cron-apt will send you a mail.
Aug 25 05:16:31 xxx cron-apt: Failed to fetch
On 08/25/2005 06:10 PM, Stefan Fritsch wrote:
Do they have some monitoring script? Or some monitoring people?
(Might be interesting to know who: [disgruntled users? the
competition?])
cron-apt will send you a mail.
Aug 25 05:16:31 xxx cron-apt: Failed to fetch