-----BEGIN PGP SIGNED MESSAGE-----
--------------------------------------------------------------------------
Debian Security Advisory DSA-138-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Wichert Akkerman
August 1, 2002
--------------------------------------------------------------------------
Hi,
For some time, I've been toying w/ the idea of putting together
something that would allow me to trigger the starting/stopping of
various services [1] via a mail message containing some kind of OTP.
It seems like a fairly straightforward thing to implement but I'm not
itching to maintain any
Yo!
Would it make sense if new packages uploaded as part of handling a DSA
would include the DSA number in the changelog.Debian? When I do an
upgrade after seeing a DSA, it's sometimes not entirely clear to me if
it's already the version mentioned in the DSA or if my mirror did not
pick it up yet.
Hi there,
some of you suggested to remove portmap in order to close some more ports
and thereby increase security. Since I never really understood what the
portmapper was doing, I thought I could do without it. However, once I
tried to uninstall the package with dselect, I got a dependency issue
saying
On Wed, 31 Jul 2002, Dale Amon wrote:
Since you brought the subject up... :-)
Does anyone have a good way of dealing with daemons that use unpredictable
port numbers? I have particular headaches with NFS, gdomap, and just
recently SmokePing started doing it.
I like to start off with a
To my knowledge you can safely ignore it. I'm always purging
the package on every server installation I did since I know
my servers don't use rpc at all.
- Markus
On Wed, Jul 31, 2002 at 08:46:38AM +0200, Jens Hafner wrote :
some of you suggested to remove portmap in order
Jens Hafner [EMAIL PROTECTED] writes:
some of you suggested to remove portmap in order to close some more ports
and thereby increase security. Since I never really understood what the
portmapper was doing, I thought I could do without it. However, once I
tried to uninstall the package with dselect,
Previously Adrian 'Dagurashibanipal' von Bidder wrote:
Would it make sense if new packages uploaded as part of handling a DSA
would include the DSA number in the changelog.Debian?
Half the time we don't know the DSA number when creating the package.
Wichert.
--
hello people,
I was talking to a friend, and he was describing the inability of PC
based security devices to have proper pseudo-random number generation.
This sounded to me like it needed some investigation. My general question
is: has anyone ever heard about any type of cryptographic attack
On Wed, Jul 31, 2002 at 08:24:50AM +0900, [EMAIL PROTECTED] wrote:
Hi,
From: Rick Moen [EMAIL PROTECTED]
Subject: Re: Some more port closing questions
Date: Tue, 30 Jul 2002 16:21:18 -0700
Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):
Kind of off-topic here, but I've been
Hi,
From: Mathias Palm [EMAIL PROTECTED]
Subject: Re: Some more port closing questions
Date: Wed, 31 Jul 2002 11:23:55 +0200
On Wed, Jul 31, 2002 at 08:24:50AM +0900, [EMAIL PROTECTED] wrote:
Hi,
From: Rick Moen [EMAIL PROTECTED]
Subject: Re: Some more port closing questions
Date:
On 30 Jul 02 23:24:50 GMT, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Ah, that would be nice too. I know that the first thing I usually do
when I boot my laptop is to stop a bunch of daemons that started
up at boot (-;
# update-rc.d -f somedaemon remove
AIUI the reasoning is that if you
On Wed, Jul 31, 2002 at 07:51:03PM +1000, Jean-Francois Dive wrote:
hello people,
I was talking to a friend, and he was describing the inability of PC
based security devices to have proper pseudo-random number generation.
This sounded to me like it needed some investigation. My general
Quoting Jay Kline ([EMAIL PROTECTED]):
I may be wrong, but don't the SSH clients need that banner to be able to
identify what version to use?
Yes; the major/minor combination tells the client which protocol versions
can be used. The latest phrack has some interesting information about that
as
On Wed, Jul 31, 2002 at 01:58:59PM +0200, Robert van der Meulen wrote:
Quoting Jay Kline ([EMAIL PROTECTED]):
I may be wrong, but don't the SSH clients need that banner to be able to
identify what version to use?
Yes; the major/minor combination tells the client which protocol versions
Hi,
From: Frank Copeland [EMAIL PROTECTED]
Subject: Re: Some more port closing questions
Date: Wed, 31 Jul 2002 10:33:37 + (UTC)
On 30 Jul 02 23:24:50 GMT, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Ah, that would be nice too. I know that the first thing I usually do
when I boot my
On Wed, Jul 31, 2002 at 02:01:14PM +0200, Marcin Owsiany wrote:
On Wed, Jul 31, 2002 at 01:37:30PM +0900, [EMAIL PROTECTED] wrote:
Hi,
For some time, I've been toying w/ the idea of putting together
something that would allow me to trigger the starting/stopping of
various services [1]
On Wed, Jul 31, 2002 at 07:06:09PM +0900, [EMAIL PROTECTED] imagined:
On a related note, I just ran dselect and noticed rcconf --
may be that's what I want (-; I'll have to check that out.
rcconf is simple and works very well for me - FYI.
Cheers,
Raymond
--
You deserve to be able to
On Wed, 31 Jul 2002 [EMAIL PROTECTED] wrote:
Hi,
From: Frank Copeland [EMAIL PROTECTED]
Subject: Re: Some more port closing questions
Date: Wed, 31 Jul 2002 10:33:37 + (UTC)
On 30 Jul 02 23:24:50 GMT, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Ah, that would be nice too. I
On Wed, Jul 31, 2002 at 09:25:40PM +0900, [EMAIL PROTECTED] wrote:
I don't think that's what I want -- I want the software installed,
just not started by default.
(...)
FYI:
http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html#s3.6
I wonder why I wrote it? :)
On Wed, Jul 24, 2002 at 08:03:44PM -0400, Phillip Hofmeister wrote:
All,
I am doing a college Honor's project on different distributions. Data on
Debian and its security fixes would be helpful if it is available. I would
be looking for anything useful, in particular the following:
How
On Wed, 31 Jul 2002 at 09:25:40PM +0900, [EMAIL PROTECTED] wrote:
Perhaps update-rc.d or rcconf (as I posted earlier) can be used to get
the desired behavior -- but I do think that being asked by default at
installation time whether to start stuff up at boot time is better
behavior than the
Here's the link to the Phrack article.
http://www.phrack.org/show.php?p=59&a=11
It's a really good read, and what they are
suggesting would affect the entire implementation
of SSH, not just OpenSSH or SSH.com.
It can't be fixed from the config file, as
they are not talking about the protocols 1
On Wednesday 31 July 2002 06:08, Adam Olsen wrote:
Short answer: Linux mainly uses interrupt timings as an entropy
source, from devices that are fairly unpredictable. Assuming those
are secure, the entropy pool is protected by a SHA hash of its state
when something needs random bits.
Jean-Francois Dive [EMAIL PROTECTED] wrote:
I was talking to a friend, and he was describing the inability of PC
based security devices to have proper pseudo-random number generation.
This sounded to me like it needed some investigation. My general question
is: has anyone ever heard about
The most recent CERT advisory is about a vulnerability in OpenSSL. At
the end of the advisory there's a link to RedHat who already has a patch
ready. Does anyone know what it would take to let the Debian community
in the loop? I suppose this might let information out in the open before
it was
This one time, Søren Hansen wrote:
The most recent CERT advisory is about a vulnerability in OpenSSL. At
the end of the advisory there's a link to RedHat who already has a patch
ready. Does anyone know what it would take to let the Debian community
in the loop? I suppose this might let
Søren, please visit http://www.debian.org/security/
More specifically: http://www.debian.org/security/2002/dsa-136
On 31 Jul 2002, Søren Hansen wrote:
The most recent CERT advisory is about a vulnerability in OpenSSL. At
the end of the advisory there's a link to RedHat who already has a
On Wed, Jul 31, 2002 at 08:12:00AM -0700, Anne Carasik wrote:
Here's the link to the Phrack article.
http://www.phrack.org/show.php?p=59&a=11
It's a really good read, and what they are
suggesting would affect the entire implementation
of SSH, not just OpenSSH or SSH.com.
It can't be
## Anne Carasik ([EMAIL PROTECTED]):
$ openssl version
OpenSSL 0.9.6e 30 Jul 2002
$ uname -a
Linux swamp 2.4.17 #1 Fri Feb 22 11:08:36 PST 2002 i686 unknown unknown
GNU/Linux
I'm running Woody on my boxes.
On that box, you are faster than security.debian.org. I have 0.9.6c
(from
Hi there,
This one time, Dale Amon wrote:
Perhaps, but one should always change
Protocol 1,2
to just
Protocol 2
in both ssh_config and sshd_config. If someone
only speaks P1, you really don't want to talk
to them at all.
There's no debating that. The article doesn't
Søren Hansen [EMAIL PROTECTED] writes:
The most recent CERT advisory is about a vulnerability in OpenSSL. At
the end of the advisory there's a link to RedHat who already has a patch
ready. Does anyone know what it would take to let the Debian community
in the loop?
There is no update from
Funny. We were just discussing portmap, and now this:
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823
Is Debian vulnerable?
regards,
Thiemo Nagel
Hi,
From: Thomas J. Zeeman [EMAIL PROTECTED]
Subject: Re: Some more port closing questions
Date: Wed, 31 Jul 2002 14:55:25 +0200 (CEST)
On Wed, 31 Jul 2002 [EMAIL PROTECTED] wrote:
Hi,
From: Frank Copeland [EMAIL PROTECTED]
Subject: Re: Some more port closing questions
Date: Wed, 31
Hi,
From: Phillip Hofmeister [EMAIL PROTECTED]
Subject: Re: Some more port closing questions
Date: Wed, 31 Jul 2002 10:49:44 -0400
On Wed, 31 Jul 2002 at 09:25:40PM +0900, [EMAIL PROTECTED] wrote:
Perhaps update-rc.d or rcconf (as I posted earlier) can be used to get
the desired behavior --
Hi,
From: Javier Fernández-Sanguino Peña [EMAIL PROTECTED]
Subject: Re: Some more port closing questions
Date: Wed, 31 Jul 2002 15:00:51 +0200
On Wed, Jul 31, 2002 at 09:25:40PM +0900, [EMAIL PROTECTED] wrote:
I don't think that's what I want -- I want the software installed,
just not
On Wed, Jul 31, 2002 at 10:26:36AM -0500, Orlando wrote:
On Wednesday 31 July 2002 06:08, Adam Olsen wrote:
Short answer: Linux mainly uses interrupt timings as an entropy
source, from devices that are fairly unpredictable. Assuming those
are secure, the entropy pool is protected by a
Hi,
From: Karl E. Jorgensen [EMAIL PROTECTED]
Subject: Re: service enablement via mail and otp?
Date: Wed, 31 Jul 2002 13:47:16 +0100
On Wed, Jul 31, 2002 at 02:01:14PM +0200, Marcin Owsiany wrote:
On Wed, Jul 31, 2002 at 01:37:30PM +0900, [EMAIL PROTECTED] wrote:
Hi,
For some time,
Hi,
- Original Message -
From: Thiemo Nagel [EMAIL PROTECTED]
To: Debian-security@lists.debian.org
Sent: Wednesday, July 31, 2002 4:03 PM
Subject: SunRPC Vulnerability
Funny. We were just discussing portmap, and now this:
On Thu, Aug 01, 2002 at 08:09:31AM +0900, [EMAIL PROTECTED] wrote:
Hi,
From: Karl E. Jorgensen [EMAIL PROTECTED]
Subject: Re: service enablement via mail and otp?
Date: Wed, 31 Jul 2002 13:47:16 +0100
On Wed, Jul 31, 2002 at 02:01:14PM +0200, Marcin Owsiany wrote:
On Wed, Jul 31, 2002