On Sun, Jul 03, 2022 at 03:49:12PM +, Ben Hutchings wrote:
>
> For the oldstable distribution (buster), these problems have been
> fixed in version 4.19.249-2.
It seems that linux-image-amd64 does not depend on
linux-image-4.19.0-21-amd64 but still on linux-image-4.19.0-20-amd64,
so the
On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> On Sat, Dec 2, 2017 at 7:15 PM, Davide Prina wrote:
>
> > If I'm not mistaken, the automatic package build system doesn't require that the
> > source signature is verified correctly.
>
> To clarify what Adam said; there are two times where
On Fri, Nov 03, 2017 at 07:51:34PM +, Salvatore Bonaccorso wrote:
> CVE-2017-15721
>
> Joseph Bisch discovered that Irssi does not properly handle
> incorrectly formatted DCC CTCP messages. A malicious IRC server can
> take advantage of this flaw to cause Irssi to crash, resulting
On Sun, Mar 06, 2016 at 03:33:16PM +1100, Brian May wrote:
> Hello,
>
> Just wondering if there is some other way we can track security issues
> for when CVEs are not available.
>
> Thinking of imagemagick here, it has a lot of security issues, and
> requests for CVEs are not getting any
On Sat, Jun 20, 2015 at 07:35:14PM -0400, Bryan L. Gay wrote:
Your email for CVE-2015-1851 does not verify against your GPG signature:
Wrong signature of Sebastien Delafond
It worked perfectly for me. On the other hand, for your message I get:
gpg: no valid OpenPGP data found.
gpg:
On Mon, Jun 08, 2015 at 10:00:00AM +, Thorsten Glaser wrote:
Stefan Fritsch sf at sfritsch.de writes:
And custom DH groups are not that easy to handle in an automated way.
Right. I'm currently suggesting that each site generate one and
roll that out for the whole site (e.g. company,
On Fri, Jun 05, 2015 at 01:56:18PM +0200, Thorsten Glaser wrote:
OpenSSL upstream is said (citation needed) to wish to require a
1024 bit minimum in some later version but require 768 bits now.
http://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
I cannot find this in
On Fri, Dec 26, 2014 at 02:02:31PM +0100, Luciano Bello wrote:
BTW, the situation with elfutils is somewhat similar, the bug report is
here:
https://bugzilla.redhat.com/show_bug.cgi?id=1170810
I'm reporting this issue to our elfutils maintainer to keep track of it.
Do
you know if
On Mon, Dec 08, 2014 at 09:16:45AM +0100, Daniel Pocock wrote:
Hi all,
I've made some changes to TLS code in reSIProcate
- setting OpenSSL's SSL_OP_NO_SSLv3 by default when using SSLv23_method()
This has no effect in jessie. SSLv2 and SSLv3 are disabled if you
use the SSLv23_* methods.
On Mon, Dec 08, 2014 at 01:20:39PM +0100, Daniel Pocock wrote:
Just one other point: if somebody is trying to send the client hello
using SSL v2 record layer but indicating support for TLS v1.0, should
TLSv1_method or SSLv23_method accept that?
I would expect that both should support that.
On Mon, Dec 08, 2014 at 02:35:00PM +0100, Daniel Pocock wrote:
I have no idea what technology is in use in the remote/client system.
If my server socket is using TLSv1_method it is rejecting the connection
and logging those errors on my server:
error:1408F10B:SSL
On Mon, Dec 08, 2014 at 07:22:33PM +0100, Daniel Pocock wrote:
Will the TLSv1 method be removed in jessie or while jessie is still
supported?
This is something post jessie.
Kurt
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble?
On Mon, Dec 08, 2014 at 07:42:54PM +0100, Daniel Pocock wrote:
Is it something that is going to happen with Ubuntu releases next year
(e.g. April 2015)?
If so, it means that the repro package in jessie won't talk to a repro
package in Ubuntu.
I think there is some misunderstanding.
On Mon, Dec 08, 2014 at 08:17:53PM +0100, Daniel Pocock wrote:
If I understand your reply correctly, the version in Ubuntu and Fedora
will still talk TLS 1.0 with the version now waiting in jessie?
Yes.
Do you believe it would be reasonable for me to request a smaller
unblock that just
On Thu, Jun 05, 2014 at 05:13:33PM +0100, Adam D. Barratt wrote:
On 2014-06-05 15:46, Florian Zumbiehl wrote:
Hi,
Package: openssl
CVE ID : CVE-2014-0195 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470
is it intentional that you didn't fix CVE-2014-0198
That was fixed last
On Sat, May 31, 2014 at 10:25:28AM -0400, Michael Gilbert wrote:
On Sat, May 31, 2014 at 5:27 AM, Georgi Naplatanov wrote:
When I choose the About Chromium menu item it says:
Version 35.0.1916.114 Built on Debian 7.1, running on Debian 7.5 (270117)
Is it true that the package for AMD64 is
On Sat, May 31, 2014 at 11:53:23AM -0400, Michael Gilbert wrote:
On Sat, May 31, 2014 at 11:28 AM, Kurt Roeckx wrote:
It could be nice if the stable buildds were kept more up to date.
I've CC'd am...@buildd.debian.org to get their opinion on that.
I've just updated the chroots
On Sat, May 31, 2014 at 12:26:45PM -0400, Michael Gilbert wrote:
On Sat, May 31, 2014 at 12:19 PM, Kurt Roeckx wrote:
This is a manual, I currently see no need to automate it.
Does buildd.debian.org provide any information about the up-to-dateness
of its chroots? If this kind
On Sun, Jun 01, 2014 at 03:46:35AM +1000, Andrew McGlashan wrote:
We may see certificate stapling as an answer, but that won't be enough
if it cannot be certified to /require/ stapling in the cert itself.
I've mailed the TLS workgroup about this very issue but didn't get
any reply.
Kurt
--
On Sat, May 31, 2014 at 05:28:59PM +0200, Kurt Roeckx wrote:
I've just updated the chroots. But there is reason to be
concerned that it was built against when there were some
older packages installed.
That should have said no reason.
Kurt
--
On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote:
On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
The public Debian mirrors seem like an obvious target for governments to
MITM. I know that the MD5s are also
On Tue, May 06, 2014 at 11:39:48PM +0200, Cyril Brulebois wrote:
https://security-tracker.debian.org/tracker/CVE-2014-0198
I'm waiting for upstream to ACK the patch, not sure which one
Ubuntu used.
Kurt
--
On Mon, Dec 30, 2013 at 06:45:48PM +0100, Florian Weimer wrote:
* Kurt Roeckx:
On Sun, Dec 15, 2013 at 03:15:03AM +, adrelanos wrote:
When you implement this, please ensure it isn't vulnerable to any
duplicate-keyid problems:
http://debian-administration.org/users/dkg/weblog
On Sun, Dec 15, 2013 at 03:15:03AM +, adrelanos wrote:
When you implement this, please ensure it isn't vulnerable to any
duplicate-keyid problems:
http://debian-administration.org/users/dkg/weblog/105
Damn, I wasn't aware of the latest news that long key ids are now also
insecure.
On Sun, Dec 01, 2013 at 11:18:47PM +0900, Joel Rees wrote:
optimizer's excuse to silently kill undefined behavior code.
As far as I know, in all examples I have seen this is not what
happens. What happens is that the compiler assumes you write code
that has defined behavior and optimises based on
On Wed, Jun 19, 2013 at 08:44:02AM +0200, Roland Karch wrote:
Hi,
I have noticed that my wheezy install has this package installed which was
not updated by the packages in this advisory:
ii  libtiff4:armel  3.9.6-11  armel  Tag Image File Format (TIFF) library
On Wed, Jun 19, 2013 at 06:55:57PM +, Roland Karch wrote:
Indeed I am. And I got it from wheezy:
http://packages.debian.org/wheezy/libtiff4
And me running the version just between those was, well... part of why I
asked my original question.
So it seems we have those source
Hi,
I just found this paper:
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
Does anybody know if all the problems mentioned in that document
are tracked somewhere?
Kurt
--
On Thu, Jul 28, 2011 at 06:23:46PM +0200, Luciano Bello wrote:
For the oldstable distribution (lenny), this problem has been fixed in
version 1.2.27-2+lenny5. Due to a technical limitation in the Debian
archive processing scripts, the updated packages cannot be released
in parallel with the
On Sun, Apr 10, 2011 at 11:55:28PM +0200, Nico Golde wrote:
We recommend that you upgrade your isc-dhcp packages.
I'm guessing that for the update to be active we need to bring
down any interface that is using the client? (Or reboot.)
The server seems to be restarted on upgrade.
Kurt
--
On Wed, Jan 26, 2011 at 05:18:12PM +0100, Martin Schulze wrote:
For the upcoming stable distribution (squeeze) these problems have
been fixed in version 3.2.1-11+squeeze1.
For the unstable distribution (sid) these problems have been fixed in
version 3.2.1-11+squeeze1.
When will those
On Wed, Jan 26, 2011 at 07:49:48PM +, Adam D. Barratt wrote:
On Wed, 2011-01-26 at 19:06 +0100, Kurt Roeckx wrote:
On Wed, Jan 26, 2011 at 05:18:12PM +0100, Martin Schulze wrote:
For the upcoming stable distribution (squeeze) these problems have
been fixed in version 3.2.1-11
On Mon, Jan 03, 2011 at 03:42:42AM +0100, Naja Melan wrote:
You've downloaded a bunch of certificates that came with your web browser.
Why do you trust them?
As I pointed out above there are many problems associated with https.
Trusting the root certificates is one of those. Still the
On Mon, Jan 03, 2011 at 12:24:16AM +0100, Naja Melan wrote:
Arto Artinian artin...@fastmail.fm :
Hi Naja,
I am not sure what your point is here? You don't trust pgp webs of trust,
nor https, nor md5 checksums of debian sources. I mean, at some point if
you want to use software
On Fri, Oct 01, 2010 at 12:26:31AM +0200, Kurt Roeckx wrote:
On Wed, Sep 29, 2010 at 02:13:37PM -0700, Kyle Bader wrote:
Debian, being a volunteer organization, has its upsides and
downsides. The downside here being without an active volunteer
interested in this problem, nothing has
On Wed, Sep 29, 2010 at 02:13:37PM -0700, Kyle Bader wrote:
Debian, being a volunteer organization, has its upsides and
downsides. The downside here being without an active volunteer
interested in this problem, nothing has happened.
What is needed here is someone to step up to the
On Thu, Sep 09, 2010 at 10:36:58AM -0700, Kyle Bader wrote:
I saw the security tag on bug #555829, I meant that the package page
should reflect the current security situation:
http://packages.debian.org/lenny/openssl
Shouldn't it show a [security] tag similar to:
On Wed, Sep 08, 2010 at 10:20:11AM -0700, Kyle Bader wrote:
Hello Deb-sec!
I'd like to bring to the attention of the developers and the Debian
community that CVE-2009-3555 has not been completely addressed in
Debian/stable as we are meant to believe here:
On Sun, May 02, 2010 at 09:06:46PM +0200, Francesco Poli wrote:
Hi,
I received DSA-2040-1 and verified its GPG signature, as I always do.
I found out that I am unable to correctly verify the signature.
Works for me:
gpg: Signature made Sun 02 May 2010 02:55:15 PM CEST using DSA key ID 4E2ECA5A
On Wed, Apr 14, 2010 at 10:35:41PM +0100, Adam D. Barratt wrote:
The clamav project have announced that they will be publishing a
specially formed virus signature which disables older versions of the
software, including the version in lenny. If you have not yet migrated
to using the
On Thu, Apr 15, 2010 at 12:52:47PM -0700, Jason Self wrote:
Kurt Roeckx k...@roeckx.be wrote ..
What does this mean exactly?
It means that versions older than 0.95 will be remotely disabled by the
ClamAV
folks once your copy of ClamAV gets the CVD update that includes what I like
On Sun, Sep 06, 2009 at 08:45:12PM +0200, Moritz Muehlenhoff wrote:
Please test the openssl packages from
http://people.debian.org/~kroeckx/openssl
and report success/failure briefly to j...@debian.org. This update deprecates
MD-2 (CVE-2009-2409) and we'd like to hear about affected
There seems to be some confusion going around about the effect of the
openssl issue on dsa keys.
From what I understand, when using a DSA key and the random number used
to generate a signature is known, predictable, or used twice the private
key can be calculated.
So it seems to me that if a DSA
On Thu, Nov 02, 2006 at 11:33:49PM -0700, Scott Edwards wrote:
Does this affect sarge?
bind9 in sarge is dynamically linked to libssl0.9.7. Sarge has a fixed
version of openssl. You only need to restart your daemon.
The fixed version of libssl0.9.7 is 0.9.7e-3sarge4.
Kurt
--
On Wed, Oct 11, 2006 at 09:22:49PM +0200, Florent Rougon wrote:
Hi,
I appreciate your help (Joerg, David and Kurt), but there is still a
problem to solve before I can trust my connection to db.debian.org via
HTTPS.
Kurt Roeckx [EMAIL PROTECTED] wrote:
So Joerg just replaced them
On Mon, Oct 09, 2006 at 08:19:33PM +0200, Florent Rougon wrote:
2. I have to trust the integrity of db.debian.org.
I think it would be much better if someone from debian-admin would be so
kind to GPG-sign the public RSA keys of Debian hosts. This way, I'd only
have to trust that James
On Tue, Oct 10, 2006 at 06:37:16PM +0200, Florent Rougon wrote:
Hi,
David Clymer [EMAIL PROTECTED] wrote:
With a signature, he just has to trust that signer f00's key has not
been compromised, thus the published host key info is trustworthy and a
MITM is not happening.
To be honest,
On Tue, Oct 10, 2006 at 09:57:33PM +0200, Florent Rougon wrote:
For those that don't know those files:
http://www.spi-inc.org/secretary/spi-ca.crt
http://www.spi-inc.org/secretary/spi-ca-fingerprint.txt
So Joerg just replaced them with the new ones:
On Mon, Feb 20, 2006 at 06:25:47PM -0800, Michael Sabala wrote:
host -t a security.debian.org
security.debian.org has address 82.94.249.158 - slow
I checked traceroute to 82.94.249.158 from two different ISPs.
When the route goes through:
ameritech-sbcglobal-he.net-xs4all.net
On Sat, Nov 12, 2005 at 02:24:21PM +0100, Adrian von Bidder wrote:
Yo!
The sending end:
Nov 11 16:48:27 papillon postfix/smtp[8145]: setting up TLS connection to
10.48.13.1
Nov 11 16:48:27 papillon postfix/smtp[8145]: SSL_connect error to 10.48.13.1:
-1
Nov 11 16:48:27 papillon
On Thu, Nov 10, 2005 at 12:35:22PM -0800, alex black wrote:
hi all,
I'm running a locally patched version of libsasl2, look here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328879
to see why. (basically, once you compile libsasl2 --with-authdaemond,
authentication with virtual
On Sun, Jul 10, 2005 at 03:59:43PM +0200, Florian Weimer wrote:
On my system, the following packages contain statically linked copies
of zlib-related code:
I'm still interested in a full list of packages statically linked
to any version of zlib.
We had a few advisories about zlib so far:
DSA-763
Hi Florian,
Thanks for doing all of this, since it was rather manual work for me.
Afaik, there are 3 kinds of problems with zlib:
- It's build-depending on zlib, but linking statically
- It has its own copy of zlib, and links statically to it
- It has its own copy of the zlib package (ia32-libs,
On Sat, Oct 16, 2004 at 01:39:29PM +0200, Benjamin Goedeke wrote:
Henrique de Moraes Holschuh wrote:
Well, I have seen ARP overflows on very big flat networks (e.g.
172.16.0.0/16) for example. Is any of yours that big? Otherwise, why
would
the firewall be trying to resolve so many ARP