Re: Bad press again...

2005-08-29 Thread Jan Luehr
Greetings, On Friday, 26 August 2005 01:57, Ralph Katz wrote: On 08/25/2005 06:10 PM, Stefan Fritsch wrote: Do they have some monitoring script? Or some monitoring people? (Might be interesting to know who: [disgruntled users? the competition?]) cron-apt will send you a mail.

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Paul Gear: There certainly have been exceptions to that rule. The maintainer of shorewall has been trying for weeks to get a DSA issued about a vulnerability, and it seems we have to convince Joey that it *is* a vulnerability before he'll issue it. Is this #318946? This one is tagged

Re: Bad press again...

2005-08-29 Thread Alvin Oga
On Mon, 29 Aug 2005, Paul Gear wrote: if it's important... they will post dsa ?? There certainly have been exceptions to that rule. The maintainer of there will always be exceptions ... shorewall has been trying for weeks to get a DSA issued about a vulnerability, and it seems we have

Re: Bad press again...

2005-08-29 Thread Paul Gear
Goswin von Brederlow wrote: ... There certainly have been exceptions to that rule. The maintainer of shorewall has been trying for weeks to get a DSA issued about a vulnerability, and it seems we have to convince Joey that it *is* a vulnerability before he'll issue it. (I don't understand this

Re: Bad press again...

2005-08-29 Thread Paul Gear
Alvin Oga wrote: ... shorewall has been trying for weeks to get a DSA issued about a vulnerability, and it seems we have to convince Joey that it *is* a vulnerability before he'll issue it. (I don't understand this - how can Joey even *try* to understand every security bug?) Repeated attempts

Re: Bad press again...

2005-08-29 Thread Paul Gear
Michael Stone wrote: ... There certainly have been exceptions to that rule. The maintainer of shorewall has been trying for weeks to get a DSA issued about a vulnerability, and it seems we have to convince Joey that it *is* a vulnerability before he'll issue it. ... I disagree that

Re: Bad press again...

2005-08-29 Thread Paul Gear
Florian Weimer wrote: * Paul Gear: There certainly have been exceptions to that rule. The maintainer of shorewall has been trying for weeks to get a DSA issued about a vulnerability, and it seems we have to convince Joey that it *is* a vulnerability before he'll issue it. Is this

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Paul Gear: There certainly have been exceptions to that rule. The maintainer of shorewall has been trying for weeks to get a DSA issued about a vulnerability, and it seems we have to convince Joey that it *is* a vulnerability before he'll issue it. Is this #318946? Correct. There is

Re: Bad press again...

2005-08-29 Thread Michael Stone
On Mon, Aug 29, 2005 at 09:53:15PM +1000, Paul Gear wrote: Michael Stone wrote: I also disagree with the characterization that much effort has been put into describing the bug. I don't know upon what you're basing your characterization I reviewed the security team mail before I responded.

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Paul Gear: I don't know upon what you're basing your characterization, but I'm party to at least 3 emails to Joey describing the nature of the bug in sufficient detail to understand it as a security flaw. Was this pre- or post-disclosure? In the latter case, such discussion should be Cc:ed

Re: Bad press again... decisions

2005-08-29 Thread Alvin Oga
On Mon, 29 Aug 2005, Paul Gear wrote: ... [ prev process/procedure snipped ] What makes you think that this didn't occur? sounds like a normal thing .. good joey and crew can't possibly examine, review, fix, verify all bugs no matter how good of an expert security coder they were My

Re: Bad press again...

2005-08-29 Thread Branden Robinson / Debian Project Leader
On Fri, Aug 26, 2005 at 04:39:04PM +, W. Borgert wrote: On Fri, Aug 26, 2005 at 05:36:26PM +0200, martin f krafft wrote: Heck, we *should* have a responsive and communicative security team. Do we have a security team for stable? I know, that we have a security team for testing

Re: Bad press again...

2005-08-29 Thread Branden Robinson / Debian Project Leader
On Sat, Aug 27, 2005 at 10:40:36PM +0200, martin f krafft wrote: Following the debate around LinuxTag, Branden put a trusted and very active and skilled developer on the task to research the security problems. Unfortunately, he has not been able to get far with this job yet, probably due to

Re: Bad press again...

2005-08-29 Thread Steve Kemp
On Mon, Aug 29, 2005 at 11:46:24AM -0500, Branden Robinson / Debian Project Leader wrote: As far as I know, the stable/oldstable security team was never (recently) down to Joey S. alone. Mike Stone and Steve Kemp have been active members for some time (Steve was, as I understand it, promoted

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Branden Robinson: 2) I bring the Debian Security Team under delegation[2]. Martin Michlmayr has made the security team a delegate by this message: http://lists.debian.org/debian-devel-announce/2003/05/msg5.html Have you withdrawn this delegation in the meantime? AIUI, DPL elections

Re: Bad press again...

2005-08-29 Thread Frans Pop
On Monday 29 August 2005 20:13, Florian Weimer wrote: Martin Michlmayr has made the security team a delegate by this message: http://lists.debian.org/debian-devel-announce/2003/05/msg5.html Huh? I read no formal delegation in that message. It just states that he talked to some people and

Re: Bad press again...

2005-08-29 Thread martin f krafft
thus spoke Florian Weimer [EMAIL PROTECTED] [2005.08.29.2013 +0200]: 2) I bring the Debian Security Team under delegation[2]. Martin Michlmayr has made the security team a delegate by this message: http://lists.debian.org/debian-devel-announce/2003/05/msg5.html Have you withdrawn

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Frans Pop: On Monday 29 August 2005 20:13, Florian Weimer wrote: Martin Michlmayr has made the security team a delegate by this message: http://lists.debian.org/debian-devel-announce/2003/05/msg5.html Huh? I read no formal delegation in that message. There are no formal requirements

Re: Bad press again...

2005-08-29 Thread Frans Pop
On Monday 29 August 2005 21:40, Florian Weimer wrote: I see no "(as DPL) I appoint" or "I delegate" in that mail. This is not necessary. I'm sorry, but I still think you're doing creative reading. There is only an announcement of the addition of a new member to an existing team. There is

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Frans Pop: On Monday 29 August 2005 21:40, Florian Weimer wrote: I see no "(as DPL) I appoint" or "I delegate" in that mail. This is not necessary. I'm sorry, but I still think you're doing creative reading. There is only an announcement of the addition of a new member to an existing team.

Re: Bad press again...

2005-08-29 Thread Michael Stone
Could we move this thread to -project or -curiosa? Mike Stone

Re: Bad press again...

2005-08-29 Thread Paul Gear
Florian Weimer wrote: * Paul Gear: I don't know upon what you're basing your characterization, but I'm party to at least 3 emails to Joey describing the nature of the bug in sufficient detail to understand it as a security flaw. Was this pre- or post-disclosure? There was no

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Paul Gear: In the latter case, such discussion should be Cc:ed to the bug report, IMHO. Is that a policy issue, common convention, or just a suggestion? It's a suggestion (IMHO). I would like to see it as a common convention. I think there are many little things which should be

Re: Bad press again...

2005-08-29 Thread Paul Gear
Michael Stone wrote: ... I also disagree with the characterization that much effort has been put into describing the bug. If we're going to have another crack at it, then, what track should we take? Reopen the bug as Florian suggested, email the security team, just keep pestering Joey? I

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Paul Gear: If we're going to have another crack at it, then, what track should we take? Reopen the bug as Florian suggested, According to a recent discussion on -devel, this bug is still open. The BTS web is a bit confusing. email the security team, just keep pestering Joey? IMHO, the

Re: Bad press again...

2005-08-29 Thread Frans Pop
On Monday 29 August 2005 22:23, Florian Weimer wrote: I've obtained permission from tbm to quote the message reproduced below in public. This should make it clear that the intent was to delegate: Nach [URL] hat debian-admin klar die Authorität -- according to [URL], debian-admin clearly has

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Michael Stone: Contact the security team. Describe the bug in such a way that the security team understands its severity and impact. It is not sufficient to say "just trust me and issue an advisory." From what I've seen so far this is not the obvious buffer overflow sort of bug, it's a

Re: Bad press again...

2005-08-29 Thread Steve Wray
Florian Weimer wrote: * Michael Stone: Contact the security team. Describe the bug in such a way that the security team understands its severity and impact. It is not sufficient to say "just trust me and issue an advisory." From what I've seen so far this is not the obvious buffer overflow sort

Re: Bad press again...

2005-08-29 Thread Michael Stone
On Mon, Aug 29, 2005 at 11:44:59PM +0200, Florian Weimer wrote: IMHO, Debian should publish at least a DSA that explains this discrepancy, especially if the package maintainer also thinks that it's necessary. Thank you for your input. Would anyone else like to register their opinion? BTW, did

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Steve Wray: Another example is fwbuilder which *silently* fails to overwrite its generated script at compile time if the user doesn't have write permissions on the existing script. Most bugs in security tools are security bugs. We have to draw a line somewhere, otherwise stable becomes

Re: Bad press again...

2005-08-29 Thread Florian Weimer
* Michael Stone: On Mon, Aug 29, 2005 at 11:44:59PM +0200, Florian Weimer wrote: IMHO, Debian should publish at least a DSA that explains this discrepancy, especially if the package maintainer also thinks that it's necessary. Thank you for your input. Would anyone else like to register their

Re: Bad press again...

2005-08-29 Thread Steve Wray
Florian Weimer wrote: * Steve Wray: Another example is fwbuilder which *silently* fails to overwrite its generated script at compile time if the user doesn't have write permissions on the existing script. Most bugs in security tools are security bugs. We have to draw a line somewhere,

Re: Bad press again...

2005-08-29 Thread Steve Wray
Florian Weimer wrote: * Steve Wray: I view this as a security problem because what if you *think* you've made changes to your firewall and are now protected only... you aren't and the firewall hasn't been updated? Is that enough of a security problem for the fix to get into stable? [snip]

Re: Bad press again...

2005-08-29 Thread Michael Stone
On Tue, Aug 30, 2005 at 12:17:22AM +0200, Florian Weimer wrote: I think this part of the diff is pretty instructive, together with upstream's explanation: Frankly, no, it's not. if [ -n $MACLIST_TTL ]; then chain1=$(macrecent_target $interface) createchain