Re: thank *you*, team@security.d.o!

2021-11-02 Thread Emmanuel Halbwachs
Hello Security Team,

Holger Levsen (Tue 2021-11-02 00:07:36 +) :
> that's *something* to *celebrate*!!

Indeed! There are so many teams and people to thank and celebrate in
FLOSS, but this time it is you, Debian Security Team.

A big sincere thank you!

-- 
Emmanuel Halbwachs, Observatoire de Paris, ✆ +33 1 45 07 75 54
DIO / CASTORS [1] / PANDA [2]
[1] CAlcul, STOckage, Réseau, Système
[2] Pool of Awesome Network Devices Administrators



Re: fun with mailinglists (was Re: Is chromium updated?)

2020-11-13 Thread Emmanuel Halbwachs
John Runyon (Fri 2020-11-13 05:26:56 -0500) :
> Why do we have such messages on the security mailing list? Is there a way to
> get actual security team announcements without all this spam?

Yes, there is such a list [1]. This list [2] is for (quote):

Discussion about security issues, including cryptographic issues,
that are of interest to all parts of the Debian community.

Please note that this is NOT an announcement mailing list. If
you're looking for security advisories from Debian, subscribe to
debian-security-announce instead.

This list is not moderated; posting is allowed by anyone.

[1] https://lists.debian.org/debian-security-announce/
[2] https://lists.debian.org/debian-security/

-- 
Emmanuel



Re: Is chromium updated?

2020-11-13 Thread Emmanuel Halbwachs
Hello,

Pavlos Ponos (Fri 2020-11-13 10:20:36 +0200) :
> BUT we should not forget to say a THANK YOU to these guys

and gals

> which give their best in order all of us to use this OS for free ;-)

I was about to write the same thing: a big thank you to all
volunteers.

-- 
Emmanuel



Re: mysql-dfsg-5.0 CVE-2007-6303

2008-09-29 Thread Emmanuel Halbwachs
Hello,

Jan Christoph Ebersbach wrote (Mon, Sep 29, 2008 at 03:08:10PM +0200):
> Hello Security Team,
>
> I was looking at the security issues regarding the mysql-server and I'm
> wondering why CVE-2007-6303 does not seem to be fixed in Debian but in all
> other major distributions.

According to http://security-tracker.debian.net/tracker/CVE-2007-6303,
it is fixed.

Cheers,

-- 
Emmanuel Halbwachs
Network/Security Manager    Observatoire de Paris-Meudon
tel  : (+33)1 45 07 75 54   5 Place Jules Janssen
fax  : (+33)1 45 07 76 13   F 92195 MEUDON CEDEX


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Squirrelmail archive compromission and version 1.4.9a-2 (in etch)

2007-12-17 Thread Emmanuel Halbwachs
Hello everybody,

We run squirrelmail as our production webmail for ~ 1k users.

Now we can see that the squirrelmail team has discovered that 1.4.11
has also been compromised.

A colleague on another list points out the fact that they have removed
from the download archive all versions from 1.4.9 to 1.4.12.

If there is suspicion on 1.4.9, I guess we can suspect the version
currently in etch.

Can somebody (maybe Thijs Kinkhorst who is a Debian Developer and
apparently member of the squirrelmail team) enlighten us on this subject,
please?

TIA,


-- 
Emmanuel Halbwachs
Network/Security Manager    Observatoire de Paris-Meudon
tel  : (+33)1 45 07 75 54   5 Place Jules Janssen
fax  : (+33)1 45 07 76 13   F 92195 MEUDON CEDEX





Re: Problems after sendmail security upgrade

2006-04-04 Thread Emmanuel Halbwachs
Hello,

Richard A Nelson wrote (Mon, Apr 03, 2006 at 09:53:43AM -0700):
> > - is it mandatory to use /etc/mail/sendmail.conf?
>
> No, not at all
>
> > - is there a way to manually configure sendmail the classical way
>
> set this variable in /etc/mail/sendmail.conf
> HANDS_OFF=Yes;
>
> After setting that, the scripts become non-functional; any and all
> changes must be done manually

Thank you very much for this information.

Sorry to all subscribers for the noise on this topic that was finally
not security-related.

Cheers,

-- 
Emmanuel Halbwachs





Re: Problems after sendmail security upgrade

2006-04-03 Thread Emmanuel Halbwachs
Hello,

Sorry for the delay, I was abroad and off-line for a week.

So I just talked with the sysadmin in charge of the mailhost (he is in
cc:).

We're going slightly off topic for debian-security but I keep it
there for the record.

> A file in /etc that was overwritten silently is a bug.  Please file one
> with the bug tracking system if this is the case.
>
> But please make sure first you didn't actually answer Yes to dpkg
> asking whether to overwrite the file, and that you don't have
> --force-confnew or similar in /etc/dpkg/dpkg.cfg.

No interactive question was asked during the upgrade.

Richard A Nelson wrote (Sun, Mar 26, 2006 at 11:47:29AM -0800):
> Can you mail me more details... there is support in
> /etc/mail/sendmail.conf to automagically support the type of queue aging
> that you are doing...

After a look in the preinst scripts, there is something like :

mesiog /var/lib/dpkg/info# grep cron.d/sendmail sendmail*preinst
sendmail-base.preinst:  if [ -f /etc/cron.d/sendmail ]; then
sendmail-base.preinst:  echo #preinst  /etc/cron.d/sendmail;
sendmail-bin.preinst:   if [ -f /etc/cron.d/sendmail ]; then
sendmail-bin.preinst:   echo #preinst  /etc/cron.d/sendmail;

Indeed, in our configuration, the /etc/cron.d/sendmail has been hand
edited in spite of the warning :

  # This file is automagically generated -- edit at your own risk

For some reason, the admins didn't configure sendmail the Debian
way and didn't use the queue aging feature in
/etc/mail/sendmail.conf.

- is it mandatory to use /etc/mail/sendmail.conf?

- is it OK to say "A file in /etc that was overwritten silently is a
  bug" as this was the case here?

- is there a way to manually configure sendmail the classical way
  without using the Debian configuration wrappers but cleanly against
  the package upgrade? (no offense, just for people accustomed to
  other OS like *BSD)

Cheers,

-- 
Emmanuel Halbwachs
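
The checks raised in this message (a force-conf option in /etc/dpkg/dpkg.cfg, and maintainer scripts that reference the overwritten file), as an added shell example that is not part of the original message or of the sendmail package. It goes one step further by also checking conffile registration; the function names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; the sample tree built by demo_setup is constructed.

# Print force-conf* options that are active (not commented out) in a dpkg.cfg.
force_conf_opts() {
    grep -E '^[[:space:]]*(--)?force-conf(new|old|def|miss|ask)[[:space:]]*$' "$1" \
        | sed -e 's/^[[:space:]]*//' -e 's/^--//' -e 's/[[:space:]]*$//'
}

# Succeed if file $2 is registered as a conffile by a package in info dir $1.
# dpkg only asks its keep/replace question for registered conffiles.
is_conffile() {
    cat "$1"/*.conffiles 2>/dev/null | grep -Fxq -- "$2"
}

# List maintainer scripts in info dir $1 that mention file $2.
scripts_touching() {
    grep -lF -- "$2" "$1"/*.preinst "$1"/*.postinst 2>/dev/null \
        | sed 's|.*/||' | sort
}

# One-line summary: audit_path INFODIR DPKG_CFG FILE
audit_path() {
    opts=$(force_conf_opts "$2" | paste -sd' ' -)
    if is_conffile "$1" "$3"; then kind=conffile; else kind=not-a-conffile; fi
    scripts=$(scripts_touching "$1" "$3" | paste -sd' ' -)
    printf '%s: %s; force options: %s; scripts: %s\n' \
        "$3" "$kind" "${opts:-none}" "${scripts:-none}"
}

# Build a constructed dpkg.cfg and info directory; print the temp dir path.
demo_setup() {
    d=$(mktemp -d)
    mkdir "$d/info"
    printf '# constructed sample\n#force-confnew\nno-debsig\n' > "$d/dpkg.cfg"
    printf '/etc/mail/example.cf\n' > "$d/info/sendmail-base.conffiles"
    printf 'if [ -f /etc/cron.d/sendmail ]; then\n  :\nfi\n' \
        > "$d/info/sendmail-base.preinst"
    printf 'exit 0\n' > "$d/info/sendmail-base.postinst"
    echo "$d"
}

demo=$(demo_setup)
audit_path "$demo/info" "$demo/dpkg.cfg" /etc/cron.d/sendmail
rm -rf "$demo"
```

On a real system the same read-only check is `audit_path /var/lib/dpkg/info /etc/dpkg/dpkg.cfg /etc/cron.d/sendmail`.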





Re: [SECURITY] [DSA 1018-1] New Linux kernel 2.4.27 packages fix several vulnerabilities

2006-03-24 Thread Emmanuel Halbwachs
Hello,

dann frazier wrote (Fri, Mar 24, 2006 at 09:18:19AM -0700):
> The Packages file looks fine to me..
>
> Do you have kernel-image-2.6-k7 installed?  The updated version
> of this package should pull in the kernel-image-2.6.8-3-k7 update.

I am in this configuration.

> Try explicitly running:
>   apt-get install kernel-image-2.6-k7

I did it with aptitude (interactive): the package was candidate for
upgrade. It went fine. I just had the scary "you are replacing a
kernel with the same version, do it only if you know what you are
doing".

Everything seems fine till there.

HTH,

-- 
Emmanuel Halbwachs





Problems after sendmail security upgrade

2006-03-24 Thread Emmanuel Halbwachs
Hello,

We are experiencing problems after the sendmail security upgrade on
our mailhost.

- are some other people out there experiencing trouble after
  this upgrade?

- is there a way to downgrade the sendmail packages to the previous
  version before the security fix? (i.e. something with apt-pinning)

Thanks in advance,

-- 
Emmanuel Halbwachs






Re: Problems after sendmail security upgrade

2006-03-24 Thread Emmanuel Halbwachs
Hans wrote (Fri, Mar 24, 2006 at 12:38:01PM -0500):
> Can you be more specific about the problems you are having?

I am not the guy who administers the mailhost, but I just talked to my
fellow postmaster. I'll try:

- the sendmail config uses 6 queues: in, out, in.hourly, out.hourly,
  in.daily, out.daily

- after the upgrade : in some cases (more on this below), incoming
  mail goes to /var/spool/mqueue/daily and is stuck there

- this happens for:
  - mail inside - inside (95 % of the time)
  - mail from outside (sometimes)

- the config has not changed, and is still the same after the upgrade

- only the binary has changed (of course)


We will try dpkg -i to go back to the previous version.

Thanks to all.

-- 
Emmanuel Halbwachs





Re: Problems after sendmail security upgrade

2006-03-24 Thread Emmanuel Halbwachs
Hello again,

Emmanuel Halbwachs wrote (Fri, Mar 24, 2006 at 06:57:43PM +0100):
> - after the upgrade : in some cases (more on this below), incoming
>   mail goes to /var/spool/mqueue/daily and is stuck there

OK, the problem was on our side:

/etc/cron.d/sendmail has been tailored to our needs and has been
reverted to a standard Debian one by the upgrade.

Very sorry for the noise and thanks for your collaboration.

-- 
Emmanuel Halbwachs

