Re: How to securely verify that package-installed files match originals?

2021-01-14 Thread Georgi Guninski
On Thu, Jan 14, 2021 at 12:57 PM Erik Poupaert wrote:
>
> So, I mount the disk of this computer as folder /mnt/audit in my second
> computer, which I still trust. Now, I want to audit the installation
> footprint of dpkg in /mnt/audit from this second computer.
>
As pointed by others, integrit

Merry Christmas and please fix the bugs in 2021!

2020-12-24 Thread Georgi Guninski
Merry Christmas and all the best in 2021! Please fix the chromium and other vulnerabilities in 2021.

Re: fun with mailinglists (was Re: Is chromium updated?)

2020-11-13 Thread Georgi Guninski
On Fri, Nov 13, 2020 at 12:27 PM John Runyon wrote:
>
> Imagine calling yourself a “Debian contributor” because you... reported a few
> bugs? Guess I’m a Debian contributor too.
>
I was wrong about being _contributor_, sorry (misunderstood the definition).

Re: Is chromium updated?

2020-11-13 Thread Georgi Guninski
On Fri, Nov 13, 2020 at 10:21 AM Pavlos Ponos wrote:
> BUT we should not forget to say a THANK YOU to these guys which give their
> best in order all of us to use this OS for free ;-)

I believe I am a debian contributor too, search in google for: "georgi guninski" site:debian

Re: Is chromium updated?

2020-11-12 Thread Georgi Guninski
So debian have been distributing vulnerable Chromium for nearly a month? There is an exploit (not sure about which OSes) in the wild. Debian are not commenting on this on this mailing list. Right?

Re: /home/loser is with permissions 755, default umask 0022

2020-11-12 Thread Georgi Guninski
Some more exploit vectors from the FD list: https://seclists.org/fulldisclosure/2020/Nov/13

Partial results:
1. mutt (text email client) exposes ~/.mutt/muttrc, which might contain the imap password in plaintext.
2. Some time ago on a multiuser debian mirror we found a lot of data, including the

Re: Is chromium updated?

2020-11-11 Thread Georgi Guninski
On Wed, Nov 11, 2020 at 9:46 PM wrote:
>
> Regarding CVE-2020-16009, it
> seems that some distros like Arch [1] have already updated their chromium
> packages but no Debian yet. Right?
>
Right.
> Is it just a matter of extracting the security fi

Re: Is chromium updated?

2020-11-11 Thread Georgi Guninski
On Thu, Nov 12, 2020 at 2:15 AM Lou Poppler wrote:
>
> You can follow debian's progress on this here:
>
> https://security-tracker.debian.org/tracker/CVE-2020-16009
>
Hi, thanks for the link. I think your advice is incomplete and we should monitor the union of all vulnerabilities and CVEs, not ju

Re: Is chromium updated?

2020-11-11 Thread Georgi Guninski
On Mon, Nov 9, 2020 at 6:31 PM Georgi Naplatanov wrote:
> Chromium project doesn't provide
> binaries for any OS.
>
Aren't these trustworthy daily builds?: https://download-chromium.appspot.com/

FYI: Ransomware trojan targets gnu/linux

2020-11-10 Thread Georgi Guninski
https://www.theregister.com/2020/11/09/linux_ransomware_kaspersky/
RansomEXX trojan variant is being deployed against Linux systems, warns Kaspersky, Mon 9 Nov 2020

Comments: gnu/linux has enough userbase to be targeted by malware. Probably it will work in the cloud too. Consider contracting me

Re: Is chromium updated?

2020-11-08 Thread Georgi Guninski
https://www.theregister.com/2020/11/04/google_chrome_critical_updates/
Wed 4 Nov 2020
If you're an update laggard, buck up: Chrome zero-days are being exploited in the wild
Desktop and Android versions both at risk

On Sat, Oct 17, 2020 at 9:31 PM wrote:
>
> Hi,
>
> 17 oct. 2020 à 14:28 de gguni

Is chromium updated?

2020-10-17 Thread Georgi Guninski
On Debian stable, I have chromium Version: 83.0.4103.116-1~deb10u3

From Arch advisory on 2020-10-10: The package chromium before version 86.0.4240.75-1 is vulnerable to multiple issues including arbitrary code execution, access restriction bypass, information disclosure and insufficient validatio

/home/loser is with permissions 755, default umask 0022

2020-10-07 Thread Georgi Guninski
/home/loser is with permissions 755, default umask 0022. On multiuser machines this sucks much. On a multiuser debian mirror we found a lot of data, including the wordpress password of the admin.

Some potential security bugs in djbdns 1.05

2020-06-04 Thread Georgi Guninski
Some potential security bugs in djbdns 1.05, we didn't test them on hardware. djbdns [1] is an "ancient" dns server. It still has a $1K bounty for an exploit [2]. Are these bugs vulnerabilities?

in cdb_make.c: cdb_make_finish:
100 memsize += c->numentries; /* no overflow possible up to

Mitigating malicious packages in gnu/linux

2019-11-19 Thread Georgi Guninski
As end user and contributor of gnu/linux, I am concerned about malicious packages (either hostile developers or hacked developers or another reason) and have two questions:
* What do linux vendors do to avoid malicious packages?
* As end user what can I do to mitigate malicious packages?

Some thoug

Does net install cryptographically verify downloaded data?

2018-07-05 Thread Georgi Guninski
Does net install cryptographically verify downloaded data? Searching the iso for gpg/keyrings didn't return any results for me.