Re: Setting APT::Default-Release prevents installation of security updates in bookworm!?

2023-07-24 Thread Paul Wise
On Sat, 2023-07-22 at 17:45 +0200, Hannes von Haugwitz wrote: > What about adding a warning to apt if *-security or *-updates is > configured in the sources list and `APT::Default-Release` is set but > does not match the security or updates repo? That seems like the right solution here, please

Re: Setting APT::Default-Release prevents installation of security updates in bookworm!?

2023-07-22 Thread Paul Wise
On Fri, 2023-07-21 at 11:04 +0200, Daniel Gröber wrote: > Do you have any references on how this decision came to be? I think it was about making the suite naming more intuitive, consistent with other suites and possibly also some dak implementation concerns. > One mention I found is in Raphaël

Re: Setting APT::Default-Release prevents installation of security updates in bookworm!?

2023-07-20 Thread Paul Wise
On Thu, 2023-07-20 at 22:12 +0200, Daniel Gröber wrote: > It seems packages from the debian-security repository are not affected by > this increased priority and will not get installed as a result. This was documented in the release notes for Debian bullseye:

bookworm nearly ready

2023-06-10 Thread Paul Gevers
Dear readers, The bookworm release is in its final stages. Please expect the release to happen in several hours from now which means that updates of systems will see new metadata, e.g. switching bullseye from stable to oldstable. On behalf of the Release Team. Paul

should the Release Notes be updated concerning bookworm security

2023-05-29 Thread Paul Gevers
versions and dates. Is that all? Paul Current version jumping straight to the security section: https://www.debian.org/releases/testing/amd64/release-notes/ch-information.en.html#limited-security-support or the source: https://salsa.debian.org/ddp-team/release-notes/

Re: Should singularity-container make it to next release?

2023-01-26 Thread Paul Gevers
, or even backports. Obviously that will only be solved if it's more used (and/or if eventually it can be moved to the debian.org namespace.) But indeed. Paul

Re: Should singularity-container make it to next release?

2023-01-26 Thread Paul Gevers
supportable, let's keep it out of stable. I guess fasttrack [1] is currently the best forum to supply singularity-container to our users. Paul [1] https://fasttrack.debian.net/

Re: Vulnerability in pcs or is it in more generic code?

2022-09-09 Thread Paul Wise
On Fri, 2022-09-09 at 22:41 +0200, Ola Lundqvist wrote: > I see that I was not clear what I meant with "in general" :-) Woops, sorry for the noise :) > Here I found how the generic source code looks like: > https://rubydoc.info/gems/thin/1.3.1/Thin%2FBackends%2FUnixServer:connect > > You can

Re: Vulnerability in pcs or is it in more generic code?

2022-09-05 Thread Paul Wise
On Mon, 2022-09-05 at 21:38 +0200, Ola Lundqvist wrote: > I agree that it is good to fix the pcs package, but shouldn't we fix > the default umask in general? > I would argue that the default umask is insecure. bookworm login sets new user home directories to secure permissions: $ grep -E

Re: Concerns about Security of packages in Debian OS and the Operating system itself.

2022-05-24 Thread Paul Wise
On Tue, 2022-05-24 at 16:27 +0100, piorunz wrote: > Important note: Disabling bullseye-updates is actually causing > point-release updates to be delivered on one, predetermined date, > bundled all together. By disabling this entry you still get them all, > but in controlled fashion, you are not

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-14 Thread Paul Wise
On Tue, 2022-04-12 at 05:59 +0200, Friedhelm Waitzmann wrote: > And if it is indeed possible, how can I switch from i386 to > amd64?  Can this be done with the apt tools?  Then during the > migrating some packages will be from amd64 already while others > will be still i386.  How does that go

Re: Compiled list

2022-03-02 Thread Paul Tagliamonte
STIGs are maintained by DISA, not by Debian Paul On Wed, Mar 2, 2022 at 9:42 AM Stephanie Hall wrote: > Good morning, > > Do you have an excel version of a STIG for Debian 9 & 10 that you would be > willing to share? > > Thank you in advance! > > -- > > Step

Re: A message from Zoom Video Communications, Inc. -- re: free / open source software licensing, security

2022-01-28 Thread Paul Wise
On Fri, 2022-01-28 at 20:23 +, Zoom Video Communications wrote: > if a critical CVE is discovered at some point after we release, it’s > best not to publish which specific Zoom client version contains the > vulnerability, as that essentially gives a roadmap to exploitation > for hackers.

Bug#1001451: Candidate script updates

2022-01-11 Thread Paul Wise
On Tue, 2022-01-11 at 11:20 +, Neil Williams wrote: > I might need to brush up on my Perl and make a patch for lintian which > downloads the sec tracker JSON and checks the CVE list in the .changes > file - warnings from lintian are more likely to get fixed prior to > upload. Depends if you

Re: replacing misleading debian.org/security claims

2022-01-04 Thread Paul Wise
On Thu, 2021-12-30 at 11:04 -0500, Silas Cutler wrote: > I'd also like to see information on both how to submit > vulnerabilities as well as how to contribute to getting them fixed. These are addressed in the FAQ: https://www.debian.org/security/faq#discover

Re: replacing misleading debian.org/security claims

2022-01-04 Thread Paul Wise
On Tue, 2021-12-28 at 19:46 +0100, max wrote: > Debian's security updates are created by volunteers working in their > spare time. Some packages may receive more attention than others. To > view the current list of known unfixed vulnerabilities see >

Bug#1001191: security-tracker: include more information in page titles

2021-12-05 Thread Paul Wise
Package: security-tracker Severity: wishlist It would be nice to include some more information in page titles, so that records of those page titles in search engine results, browser tabs and browser history are more useful to visitors to the site. Here are examples of the potential changes that

Re: sources.list 4 bullseye-security

2021-07-03 Thread Paul Wise
On Sat, Jul 3, 2021 at 9:31 PM Salvatore Bonaccorso wrote: > I have pushed > https://salsa.debian.org/webmaster-team/webwml/-/commit/4ca2253325130f7e96bf2644d31cf5a95fdf7bcc Note that updating translations at the same time as the English page causes more work for the translation teams, who have

Re: Is this the right place to discuss no-dsa choices?

2021-05-11 Thread Paul Wise
On Tue, May 11, 2021 at 11:12 PM Andrew Bartlett wrote: > I'm keen to discuss the thought process behind a number of the no-dsa > flags on Samba security releases. Does this list reach those involved > in that, or is this more a general 'interest in security' list? It tends to be more of a

Re: Guest Post Request for lists.debian.org

2021-03-15 Thread Paul Wise
On Tue, Mar 16, 2021 at 4:42 AM Gunnar Wolf wrote: > Thank you for your offer. The Debian project is not interested in this > kind of collaboration. That was clearly a spammer, best get listmasters to ban them rather than responding. -- bye, pabs https://wiki.debian.org/PaulWise

Re: Misuse/Abuse

2020-10-13 Thread Paul Wise
On Tue, Oct 13, 2020 at 7:14 AM Knieling, Christian (IANM) wrote: > I don't know if this messages reaches the right persons, but someone may > forward it. You may at least remove the files which are accessible on > paste.debian.net. I forwarded this to the paste.d.n admin and they removed them.

Re: Scripts that run insecurely-downloaded code

2020-05-01 Thread Paul Wise
On Fri, May 1, 2020 at 7:12 PM Rebecca N. Palmer wrote: > Around 200 packages [0] include upstream scripts that download code via > (non-secure) http, then run it without an integrity check. A lot of these appear to be in documentation, dependency installation scripts (such as in docker) or

Re: Scripts that run insecurely-downloaded code

2020-05-01 Thread Paul Wise
On Fri, May 1, 2020 at 8:18 PM Rebecca N. Palmer wrote: > This is already policy (and enforced by blocking network access) for > official Debian package builds: dependencies must be installed by the > package manager, not the build script. Correction: the debian.org buildds do not at this time

Re: debcheckroot v2.0 released

2020-04-01 Thread Paul Wise
On Wed, Apr 1, 2020 at 6:01 PM vi...@vheuser.com wrote: > Did the discussion of continuing support for DANE end?? In case I misled anyone, a clarification: Debian itself isn't going to actively work on removing support for DANE from anything nor removing our DANE/DNSSEC records. Support for

Re: debcheckroot v2.0 released

2020-03-24 Thread Paul Wise
On Tue, 2020-03-24 at 15:48 +0100, Elmar Stellnberger wrote: > I hope this is gonna happen anytime soon. DANE and thus a valid TLSA > record is of very high value and importance for getting a genuine > download of Debian. As I have mentioned before downloads via Tor can be > spoofed like my

Re: debcheckroot v2.0 released

2020-03-24 Thread Paul Wise
On Tue, Mar 24, 2020 at 3:33 AM Paul Wise wrote: > I've forwarded this to the Debian sysadmins IRC channel. I think it is > related to the fact that the cdimage.d.o server is not managed by the > Debian sysadmins, so the UMU ACC admins probably used Let's Encrypt to > get certs, and th

Re: debcheckroot v2.0 released

2020-03-23 Thread Paul Wise
On Mon, Mar 23, 2020 at 4:00 PM Elmar Stellnberger wrote: > The only site which is still making problems is cdimage.debian.org. > Could any good Christ from the Debian community have a look at this > issue. The server maintainers would need to complain about the rogue cert! I've forwarded this

Re: package for security advice

2020-03-07 Thread Paul Wise
On Sat, Mar 7, 2020 at 9:30 AM Russell Coker wrote: > I think it would be good to have a package for improving system security. ... > What do you think about this idea? There are a number of other tools for this sort of thing already, usually they get written and become outdated at some point

Bug#949260: security-tracker: add cvedetails.com to Source?

2020-01-18 Thread Paul Wise
On Sun, Jan 19, 2020 at 3:05 AM Dmitry Smirnov wrote: > It might be nice to add "cvedetails.com" to CVE Source links. > https://www.cvedetails.com/cve/CVE-2019-13072/ This doesn't appear to add any details that aren't on Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13072 --

Re: Why no security support for binutils? What to do about it?

2020-01-01 Thread Paul Wise
On Wed, 2020-01-01 at 10:29 +0100, Elmar Stellnberger wrote: > Up to now I did not see any notable effort to support malware reverse > engineering under Linux. The only program I knew was boomerang for > decompiling malware but it seems to be unsupported since long. I would > really be in

Re: Why no security support for binutils? What to do about it?

2020-01-01 Thread Paul Wise
On Wed, Jan 1, 2020 at 1:00 PM Florian Weimer wrote: > Doesn't lintian on ftp-master use disposable VMs? No mention of qemu/kvm in dak.git nor any qemu processes running on ftp-master.d.o, so I don't think so. > Some of its checks look inherently dangerous, e.g. the bash -n check for > shell

Re: Why no security support for binutils? What to do about it?

2019-12-31 Thread Paul Wise
On Tue, Dec 31, 2019 at 9:47 AM Florian Weimer wrote: > BFD and binutils have not been designed to process untrusted data. > Usually, this does not matter at all. For example, no security > boundary is crossed when linking object files that have been just been > compiled. There are definitely

Re: Mitigating malicious packages in gnu/linux

2019-11-19 Thread Paul Wise
On Tue, Nov 19, 2019 at 7:30 PM Georgi Guninski wrote: > * What do linux vendors do to avoid malicious packages? Some folks do audits of changes to upstream code, some folks run static analysis tools on upstream code. > * As end user what can I do to mitigate malicious packages? Compartmentalise

Re: Open Source

2019-11-03 Thread Paul Wise
On Mon, Nov 4, 2019 at 7:57 AM Lindsey Lassen wrote: > Hello, I am unsure if I am contacting the correct department for my concern. > I have had your open source software added on my cell phone and I have never > authorized your company nor anyone else for that matter. It would be a great >

Re: I forgot my password and Debian need password when booting

2019-10-27 Thread Paul Tagliamonte
On Sun, Oct 27, 2019 at 05:05:44PM -0400, Craig wrote: > Can you get grub to appear? If you can an easy way to get in > > Go to the end of the line with options and add to the end I think > shell=/bin/sh `init=/bin/sh` is what you're thinking of, but it won't work here, since the drive

Re: I forgot my password and Debian need password when booting

2019-10-27 Thread Paul Wise
On Sun, 2019-10-27 at 10:24 +0330, Mostaf Faridi wrote: > After type password several times. Busybox boot. > Can busybox solve this problem? That sounds like an initramfs shell, which isn't helpful here. You will need to boot a Debian live image, install bruteforce-luks and then try to crack the

Re: I forgot my password and Debian need password when booting

2019-10-26 Thread Paul Wise
On Sat, Oct 26, 2019 at 8:51 PM Mostaf Faridi wrote: > I installed Debian on HDD with encryption two years ago and when Debian want > boot need password. > I forgot that password. > Do I have chance for recover my Data? If you remember some part of your password it might be possible to use the

Re: request for changing SUSE reference URL

2019-09-17 Thread Paul Wise
On Tue, Sep 17, 2019 at 11:48 PM Alexandros Toptsoglou wrote: > Could you please change this and from now on point to SUSE bugs using > bugzilla.suse.com which is the correct and basically the one that we > always reference? I've made a commit changing all bugzilla.novell.com references to

Re: how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)

2019-08-29 Thread Paul Gevers
". But all those aspects are a > relatively minor detail IMO. in the discussion that Pirate had with the backports masters, it was my interpretation that they didn't like it. Paul

Re: Have I caught a firmware attack in the act? Or am I just paranoid?

2019-08-13 Thread Paul Wise
On Tue, Aug 13, 2019 at 3:30 PM Rebecca N. Palmer wrote: > but at least some USB flash drives instead use an SCSI command [1], > which usbguard won't catch. This seems like a significant missing feature, but I guess it would require a fair bit of Linux kernel work to support filtering such

Re: Reg: secure boot in debian 9 stretch

2019-03-13 Thread Paul Wise
On Wed, Mar 13, 2019 at 11:00 AM Paul Wise wrote: > Debian 10 buster will ship with secure boot support and I seem to > remember that there are plans to backport that to Debian 9 stretch. PS: if you would like to test this, details are here: https://wiki.debian.org/SecureBoot/Testing -

Re: Reg: secure boot in debian 9 stretch

2019-03-12 Thread Paul Wise
On Wed, Mar 13, 2019 at 7:00 AM Matthew Crews wrote: > On 3/12/19 5:37 AM, Srinivas Rao wrote: > > could you please tell me, secure boot is available in Debian 9 stretch > > or not? > > It is not. Debian 10 buster will ship with secure boot support and I seem to remember that there are plans to

Re: Should easter eggs be disabled in Debian's php packages?

2019-01-17 Thread Paul Wise
On Fri, Jan 18, 2019 at 1:55 PM Reed Black wrote: > To answer my own question, after PHP 5.5 the easter egg was removed already. So the issue would only be present in wheezy. I guess the ELTS folks might like to disable them. -- bye, pabs https://wiki.debian.org/PaulWise

Re: Should easter eggs be disabled in Debian's php packages?

2019-01-17 Thread Paul Wise
On Fri, Jan 18, 2019 at 2:00 AM Reed Black wrote: > PHP includes an easter egg. On any PHP page, one can add any of these after > the .php part of the path in order to display special results: I can't seem to reproduce this with Debian's PHP pages, I wonder if it is already disabled by default:

Re: Questions

2018-12-04 Thread Paul Wise
On Tue, 2018-12-04 at 21:34 +0100, Ruslanas Gžibovskis wrote: > Paul Wise, what help is needed? I would like to commit, but not sure > how, never done that, but would LOVE TO! Could you guide? Check the pages I mentioned and look through each of them, there should be enough documen

Re: Questions

2018-12-03 Thread Paul Wise
On Mon, Dec 3, 2018 at 7:10 PM Jérôme Bardot wrote: > Why is Debian not more hardened by default? We need more people who are interested in working on this topic, some links for anyone who is interested in contributing: https://security-tracker.debian.org/tracker/data/report

Re: Gaps in security coverage?

2018-11-06 Thread Paul Wise
On Wed, Nov 7, 2018 at 6:28 AM Moritz Mühlenhoff wrote: > E.g. your specific example of busybox/CVE-2011-5325 is fixed in the > upcoming stretch point release. I noticed that this isn't reflected in the security tracker website but it is in data/next-point-update.txt. If anyone wants to get

Re: Gaps in security coverage?

2018-11-06 Thread Paul Wise
On Tue, Nov 6, 2018 at 7:01 PM Holger Levsen wrote: > is there a bug or wiki page describing the issues/requirements for that and > what has been tried / the status? Woops, I should have included that in the mail: Bug#908678: security-tracker - Breaks salsa.d.o https://bugs.debian.org/908678

Re: Gaps in security coverage?

2018-11-05 Thread Paul Wise
On Mon, 2018-11-05 at 20:52 -0600, John Goerzen wrote: > That is good advice, thanks. I've been a DD for a long while, but it's > been a while (years) since I've been involved in the security process and > wasn't quite sure what the flow was anymore. It is still mostly the same but the security

Re: Gaps in security coverage?

2018-11-05 Thread Paul Wise
On Mon, Nov 5, 2018 at 10:29 PM John Goerzen wrote: > Hi folks, FTR, in case you were trying to contact the Debian Security Team directly I suggest using secur...@debian.org or t...@security.debian.org instead, debian-security is more of a general security discussion list than a Debian Security

Re: Debian HTTP repo got manipulated , Debian HTTPs repo doesnt work

2018-10-22 Thread Paul Wise
On Tue, Oct 23, 2018 at 12:33 AM bo0od wrote: > yay! , yeah it worked thx alot :) In addition, we have some Tor-based Onion services available: https://onion.debian.org/ PS: this mailing list is about the security-tracker.debian.org site, not about Debian mirrors or their security so please

Bug#908678: security-tracker - Breaks salsa.d.o

2018-09-13 Thread Paul Wise
On Thu, Sep 13, 2018 at 7:37 PM, Salvatore Bonaccorso wrote: > Do you have any hints at us on what we could look at to facilitate/help > more salsa maintainers? I think I read on IRC that the main thing is that the design of git is not optimised for having large and growing files that change on

Re: Bug#907723: link package versions on security-tracker to source packages

2018-09-01 Thread Paul Wise
On Sat, Sep 1, 2018 at 5:53 PM, Holger Levsen wrote: > On Sat, Sep 01, 2018 at 12:43:58PM +0800, Paul Wise wrote: >> > So, I always go to [1] with my web browser, copy the URL of the .dsc file >> > and then dget that .dsc file. >> This misses out verifying apt si

Bug#907723: link package versions on security-tracker to source packages

2018-08-31 Thread Paul Wise
On Sat, Sep 1, 2018 at 5:48 AM, Mike Gabriel wrote: > when working for the LTS team, I regularly need to download source packages > from the LTS version of Debian. My development machine normally runs a newer > Debian version, having deb-src URLs for Debian LTS in sources.list is > possible but

Re: what do people think about having sandsifter in debian ?

2018-08-15 Thread Paul Wise
On Thu, Aug 16, 2018 at 8:50 AM, shirish शिरीष wrote: > First of all thank you for the whole team for keeping Debian as secure > as the people on the team do to keep Debian free from controversy ( at > least from the security viewpoint) . A few clarifications: debian-security@lists.debian.org

Bug#898196: python-arrow: New version breaks autopkgtests of python-jsonext and rekall in testing

2018-05-08 Thread Paul Gevers
Source: python-arrow Version: 0.12.1-1 Severity: serious Control: affects -1 src:python-jsonext Control: affects -1 src:rekall User: debian...@lists.debian.org Usertags: breaks On 08-05-18 13:28, Paul Gevers wrote: > Dear maintainers, > > [This e-mail is automatically sent. V1

Re: New version of python-arrow breaks autopkgtests of rekall in testing

2018-05-08 Thread Paul Gevers
Resent again because the original e-mail bounced for the Debian Forensic team and the second address I got was wrong. On 08-05-18 13:28, Paul Gevers wrote: > Dear maintainers, > > [This e-mail is automatically sent. V1 (20180508)] > > As recently announced [1] Debian is now runni

Re: [SECURITY] [DSA 4187-1] linux security update

2018-05-03 Thread Paul Wise
On Thu, May 3, 2018 at 4:53 PM, richard lucassen wrote: > There is also a big increase in time before random is initialized: ... > One of the consequences is that openntpd (or a program like > rdate) hangs until the crng is initialized. What do these two programs require entropy for? -- bye,

Re: RFS: zodbpickle/0.6.0-1 [ITP]

2018-04-24 Thread Paul Wise
On Mon, 2018-04-23 at 22:17 +0200, Julien Muchembled wrote: > I suggest to update embedded-code-copies because this package forks > the 'pickle' modules of Python 2.7.6 and 3.3.2 > python2.7 > - zodbpickle (embed) > NOTE: embeds stdlib modules: pickle, cpickle > > I am

Re: pulling in other vulnerability databases

2018-01-26 Thread Paul Wise
On Thu, 2018-01-25 at 11:05 -0500, Antoine Beaupré wrote: > I'm not sure what to say to nodesecurity.io folks I've already contacted them multiple times in 2014 and once in 2016, about incorporating CVEs into their workflow. The responses were positive but didn't result in much change, except

[PATCH] Accept more variants of standard CVE identifier format

2018-01-16 Thread Paul Wise
Transform the given identifier to a standard one and redirect to the standard form if it is in the database: * convert spaces to dashes * convert lowercase to uppercase --- bin/tracker_service.py | 21 - 1 file changed, 12 insertions(+), 9 deletions(-) diff --git

Re: Security Tracker Frame Options Header

2018-01-12 Thread Paul Wise
On Fri, Jan 12, 2018 at 4:59 PM, Mattia Dorigatti wrote: > I have a question. Why do the security tracker sites have the > X-Frame-Options:sameorigin header set? Because I've wanted to keep an eye on > some CVEs I've created a simple html site with three iframes and the refresh > meta tag so

Re: Is packages build without verifying the source package signatures?

2017-12-02 Thread Paul Wise
On Sat, Dec 2, 2017 at 7:15 PM, Davide Prina wrote: > If I'm not mistaken, the automatic package build system doesn't require that the > source signature is verified correctly. To clarify what Adam said; there are two times where source package verification can happen during builds. The first is

Re: HTTPS enabled Debian Security repository

2017-11-09 Thread Paul Wise
On Thu, 2017-11-09 at 11:30 +0100, Marek Sebera wrote: > Is this up-to-date repository or manually synced mirror? Neither, it is a pair of CDNs, hosted by Fastly and Amazon, although only the Amazon CDN supports https. > Also note I had to set ... as trusted in system certificates Normally it

Re: HTTPS enabled Debian Security repository

2017-11-09 Thread Paul Wise
On Thu, Nov 9, 2017 at 5:57 PM, Marek Sebera wrote: > Thank you for support, so is the https enabled repository coming up? One of the CDNs backing deb.d.o supports https, see the last para here: http://deb.debian.org/ -- bye, pabs https://wiki.debian.org/PaulWise

Re: HTTPS enabled Debian Security repository

2017-10-26 Thread Paul Wise
On Thu, Oct 26, 2017 at 4:43 PM, Marek Sebera wrote: > please advise, is there any repository, that is both official mirror of > security.debian.org and enabled with SSL (HTTPS) access? One of the CDNs backing deb.d.o supports https, see the last para here: http://deb.debian.org/ -- bye, pabs

Re: Different MD5 from same kernel module tun.ko on different servers same distro

2017-09-02 Thread Paul Wise
On Sun, Sep 3, 2017 at 9:17 AM, x9p wrote: > the differences between both files doesn't look that much (vimdiff on xxd > output below), just wondering what might have caused such differences > between the same kernel module, from the same package, same distribution. A better tool to compare

Re: STIG-4-Debian for Debian "Stretch" 9

2017-06-29 Thread Paul Wise
On Thu, Jun 29, 2017 at 6:19 PM, Samson wrote: > I'm Samson-W, the "Captain" of the STIG-4-DEBIAN project in the > HardenedLinux community. We basically implemented the similar functions of > STIG RHEL-07 v1r1 to Debian 9. The project is located at github at: >

Re: heads-up: stretch release and changes to security-tracker

2017-06-11 Thread Paul Wise
On Mon, Jun 12, 2017 at 3:37 AM, Salvatore Bonaccorso wrote: > I'm attaching the *preliminary* set of changes which I plan to > activate once stretch is released. Wow, there really is a horribly large amount of hard-coding of things that should be fetched from the archive instead. I've added a

Re: heads-up: stretch release and changes to security-tracker

2017-05-27 Thread Paul Wise
On Sat, May 27, 2017 at 5:06 PM, Chris Lamb wrote: > Can you briefly explain what changes you are referring to? If appropriate, please document the hard-coding here too: https://wiki.debian.org/SuitesAndReposExtension -- bye, pabs https://wiki.debian.org/PaulWise

Re: Certificate errors with security.debian.org

2017-01-15 Thread Paul Wise
On Sun, Jan 15, 2017 at 1:41 PM, Tea Wrex wrote: > I am unable to make HTTPS connections to https://security.debian.org/ security.d.o has never supported https. Some of the machines behind it also host other services, some of which support https, which is why you get certificate errors. --

Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

2016-12-15 Thread Paul Wise
On Fri, Dec 16, 2016 at 4:33 AM, Patrick Schleizer wrote: > Is it possible to disable InRelease processing by apt-get? The answer from #debian-apt is that there is no setting for this. Your options are: Use an intercepting proxy that replies with 404 to InRelease files. Do an apt update to

Re: Handling of "malware" in Debian

2016-11-09 Thread Paul Wise
On Wed, 2016-11-09 at 16:17 +0100, W. Martin Borgert wrote: > Would NEWS.Debian be sufficient? My intuition says that there are users who don't have apt-listchanges installed or don't read the NEWS files. The most likely place folks will see the notification is in the UI of the malware package

Re: how to apply the fix for CVE-2016-5195

2016-10-24 Thread Paul Wise
On Mon, Oct 24, 2016 at 9:02 PM, Omar Abu Ajamieh wrote: > I have multiple Debian servers with this kernel version ( 3.2.0-4-amd64 #1 > SMP Debian 3.2.63-2 ) and I'm trying to fix the CVE-2016-5195 on it, so > could you please help me in how I can determine if my server is vulnerable or > not and

Re: Activate your GlobalTestMarket membership

2016-10-02 Thread Paul Wise
On Sun, Oct 2, 2016 at 7:28 PM, jm33_m0 wrote: > What the hell... Please don't reply to spam nor quote it. -- bye, pabs https://wiki.debian.org/PaulWise

Re: [SECURITY] [DSA 3660-1] chromium-browser security update

2016-09-06 Thread Paul Wise
On Tue, Sep 6, 2016 at 7:32 AM, Raúl Cuza wrote: > Is there a web link with this info? https://www.debian.org/security/2016/dsa-3660 (not yet online) https://security-tracker.debian.org/tracker/DSA-3660-1 -- bye, pabs https://wiki.debian.org/PaulWise

Re: Reserved CVEs

2016-09-02 Thread Paul Wise
On Fri, Sep 2, 2016 at 5:59 PM, Ivan Vasylivskyi wrote: > Why are some vulnerabilities listed by Ubuntu Security Tracker which are public > and populated marked as RESERVED on mitre.org? This mailing list is for the Debian Security Tracker, not the Ubuntu security tracker. A lot of the time the

Re: DSA for CVE-2016-5696 (off-path blind TCP session attack)

2016-08-15 Thread Paul Wise
On Tue, Aug 16, 2016 at 2:42 AM, Sam Morris wrote: > And if you like the article, consider subscribing to LWN! Especially since they are in need of new subscribers: https://lwn.net/Articles/696017/ > I'm pretty sure there's a group membership available to all DDs anyway. That is for both

Re: flashplugin-nonfree and latest Flash security updates

2016-08-03 Thread Paul Wise
On Wed, Aug 3, 2016 at 8:29 AM, Nick Boyce wrote: > I have emailed the maintainer (Bart Martens, at his debian.org address) > twice about this (30th.July and 1st.Aug), but there has been no reply as > yet. Do I need to post to the bug report Francesco mentioned: >

Re: Call for testing: upcoming wordpress security update

2016-08-02 Thread Paul Wise
On Tue, Aug 2, 2016 at 11:27 PM, donoban wrote: > Not so world-writable: > "Account creation failed: Due to an ongoing spam attack, this wiki is > configured to not automatically create wiki accounts for some users. > Please contact w...@debian.org first if you wish to create an account, > and

Re: "Ian Murdock" Death

2016-07-16 Thread Paul R. Tagliamonte
Yeah. https://twitter.com/CVaillance/status/752613020325425153 Either a solid troll, keeping this up as a 24/7 persona, or isn't there, mentally. Please stop responding. On Jul 16, 2016 10:25 AM, "Jakub Wilk" wrote: > * Kyle Lussier , 2016-07-16,

Re: [SECURITY] [DSA 3613-1] libvirt security update

2016-07-02 Thread Paul Staroch
On 2016-07-02 at 15:00, Edgar Pettijohn wrote: Can we remove Jung from the list. This is quite annoying. Sent from my iPhone I'd appreciate it if someone who is responsible for the debian-security-announcements mailing list could care for bug #821113 [1]. The amount of auto-responder spam

Re: 9n216.13.107.82

2016-06-09 Thread Paul Wise
On Thu, Jun 9, 2016 at 5:50 PM, Joel Rees wrote: > Can I suggest to those who responded to these that kneejerk reactions > aren't useful? The people who got the spam with a spoofed address are unlikely to be subscribed to this list. > FTR, we assume that someone was spoofing luciano's email

Re: DMCRYPT question

2016-05-21 Thread Paul Wise
On Sat, May 21, 2016 at 1:34 PM, Ralph Sanchez wrote: > I was just wondering, as what I've read thus far doesn't explicitly > say, when you configure encryption during the install, does that > implement LUKS or must that be done afterwards during normal use?? It uses LUKS, you can read more

Re: Which Debian packages leak information to the network?

2016-05-19 Thread Paul Wise
On Fri, May 20, 2016 at 12:42 AM, Paul Wise wrote: > Debian probably needs a privacy team to audit all packages that send > data to the network and develop mitigation, configuration or patches > to counter these. Looks like there are a few related teams but they are mostly about tool

Re: Which Debian packages leak information to the network?

2016-05-19 Thread Paul Wise
On Wed, May 18, 2016 at 11:50 PM, Patrick Schleizer wrote: > Hello we are a privacy-centric distro based on Debian and wanted to know > what Debian packages leak information about the system to the network > without a user's consent/expectation. Debian probably needs a privacy team to audit all

Re: Which Debian packages leak information to the network?

2016-05-18 Thread Paul Wise
On Thu, May 19, 2016 at 7:56 AM, georg wrote: > On 16-05-18 16:54:27, Holger Levsen wrote: >> gnome-calculator contacts a web page/service with currency exchange >> information *on every start*, > > Is this "publicly" known? Is this discussed with the upstream devs?

Re: Debian SHA-1 deprecation

2016-05-18 Thread Paul Wise
On Wed, May 18, 2016 at 9:20 PM, Daniel Pocock wrote: > Can anybody comment on how Debian users will be impacted by SHA-1 > deprecation? There is some info related to that in these two wiki pages: https://wiki.debian.org/SHA-1 https://wiki.debian.org/Teams/Apt/Sha1Removal -- bye, pabs

Re: please add icdiff to embedded-code-copies

2016-05-17 Thread Paul Wise
On Mon, May 16, 2016 at 5:17 AM, Sascha Steinbiss wrote: > as the maintainer, I’d like to let you know the package ‘icdiff’ (new in > unstable) contains a modified fork of Python’s difflib code. According to > upstream, it’s "based on Python's difflib.HtmlDiff, with changes to provide >
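The embedded-code-copies list exists so that a fix in the original code (here Python's difflib) can be traced to every package carrying a modified copy. One way to find such copies when a maintainer has not declared them is to measure how much of a file is line-for-line shared with a stdlib module; the script below is an added example, not a tool from the thread or from Debian, and its normalisation (drop comments, blank lines and indentation) is a heuristic choice of the example. The "fork" it scores is constructed from the real `difflib.HtmlDiff` source with a class rename and two inserted lines, standing in for a vendored copy.

```python
import difflib
import inspect
import re


def normalize(lines):
    """Strip comments, blank lines and indentation so cosmetic edits in a
    vendored copy do not hide the shared origin (the '#' strip is a
    heuristic and also hits '#' inside string literals)."""
    out = []
    for ln in lines:
        ln = re.sub(r"#.*$", "", ln).strip()
        if ln:
            out.append(ln)
    return out


def similarity(candidate, reference) -> float:
    """Line-level similarity in [0, 1]; autojunk is off so that common
    lines such as 'else:' are not discarded from the comparison."""
    sm = difflib.SequenceMatcher(None, normalize(candidate), normalize(reference),
                                 autojunk=False)
    return sm.ratio()


def stdlib_references():
    """Source of a few difflib classes that might be copied (example set)."""
    return {name: inspect.getsource(obj).splitlines()
            for name, obj in [("difflib.HtmlDiff", difflib.HtmlDiff),
                              ("difflib.SequenceMatcher", difflib.SequenceMatcher),
                              ("difflib.Differ", difflib.Differ)]}


def best_match(candidate, references):
    """(reference name, score) for the reference most similar to candidate."""
    scores = {name: similarity(candidate, ref) for name, ref in references.items()}
    name = max(scores, key=scores.get)
    return name, scores[name]


def constructed_fork():
    """Constructed stand-in for a modified fork: the real HtmlDiff source with
    a rename and two fork-local lines, as a vendored copy might look."""
    src = [ln.replace("HtmlDiff", "ColorHtmlDiff")
           for ln in inspect.getsource(difflib.HtmlDiff).splitlines()]
    src.insert(1, "    # fork-local tweak, hypothetical")
    src.insert(10, "    EXTRA_OPTION = True")
    return src


def is_embedded_copy(candidate, references, threshold=0.6):
    """Flag a file as an embedded copy when its best stdlib match scores
    above the (example) threshold."""
    name, score = best_match(candidate, references)
    return (name, score) if score >= threshold else None


if __name__ == "__main__":
    refs = stdlib_references()
    print(best_match(constructed_fork(), refs))
    print(best_match(["def add(a, b):", "return a + b"], refs))
```

For a real audit you would point `candidate` at the suspect file in the package source and add the upstream versions of the library you suspect was copied to `references`; the threshold is a judgment call, and a lower score with a high `get_matching_blocks()` count still deserves a manual look, since heavily reworked copies score low on a whole-file ratio.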

Re: bug reports for grub need to be re-posted

2016-05-15 Thread Paul Wise
On Fri, May 13, 2016 at 8:12 PM, Elmar Stellnberger wrote: > Hi! Would anyone mind re-posting the following bug reports at > https://savannah.gnu.org/bugs/? That URL gives a 404 message. > * https://debbugs.gnu.org/cgi/bugreport.cgi?bug=23498 > *

Re: tracking security issues without CVEs

2016-04-28 Thread Paul Wise
On Mon, Mar 28, 2016 at 10:34 PM, Andrew Deck wrote: > On a related note, does anyone know what happened to OSF and the OSVDB? > There still seem to be blog updates, but I remember OSVDB having a web > UI, and the OSF website seems to be down. They have officially closed the OSVDB site:

Re: [SECURITY] [DSA 3558-1] openjdk-7 security update

2016-04-27 Thread Paul Eger
Unsubscribe please On 26 Apr 2016 10:28 pm, "Moritz Muehlenhoff" wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > - - > Debian Security Advisory DSA-3558-1 secur...@debian.org

Re: fighting spam

2016-04-25 Thread Paul Wise
On Mon, Apr 25, 2016 at 6:28 PM, Davide Prina wrote: > I think this is a very bad solution. .. > I think the actual policy is the best one. Debian already uses RBLs to block spam from the lists; another one wouldn't be anything new. -- bye, pabs https://wiki.debian.org/PaulWise

Re: fighting spam

2016-04-25 Thread Paul Wise
On Fri, Apr 22, 2016 at 6:14 PM, SZÉPE Viktor wrote: > Please consider using http://psky.me/ to keep spam out of the list. The people running the Debian lists can be contacted here: https://www.debian.org/MailingLists/#maintenance I've forwarded your suggestion to them. -- bye, pabs

Re: Urgent Card REF#726925

2016-04-21 Thread Paul Wise
On Fri, Apr 22, 2016 at 6:56 AM, james robinson wrote: > Oooo Please do not reply to spam and especially do not quote spam in your own mails. The from address in the spam you received was obviously forged. Press the junk button in your MUA and move on. -- bye, pabs

Re: Github users

2016-04-14 Thread Paul Wise
On Fri, Apr 15, 2016 at 2:40 AM, jack wrote: > Has this subscriber (list-abuser) been de-listed and banned, or do I > need to take action on my own behalf? Please do not reply to spam and especially do not quote spam in your own mails. To report spam on the mailing lists, please click the

Re: Call for testing: upcoming samba security update

2016-04-14 Thread Paul Wise
On Thu, Apr 14, 2016 at 6:03 PM, Vladislav Kurz wrote: > I have noticed that samba-common-bin now depends on samba. It didn't before > the upgrade. Is there any special reason for that? I just need nmblookup on > some servers (and smbclient/cifs) but not the server package. This has been fixed

Re: [SECURITY] [DSA 3541-1] roundcube security update

2016-04-05 Thread Paul Wise
On Wed, Apr 6, 2016 at 2:08 AM, donoban wrote: > Of course I would like to help Some links to ways you can help with Debian security: https://security-tracker.debian.org/tracker/data/report https://www.debian.org/security/audit/

Re: Remove email

2016-03-31 Thread Paul Tagliamonte
Thanks! Paul On Thu, Mar 31, 2016 at 11:07 AM, DANIEL ROMO <danielromogar...@gmail.com> wrote: > mv tiffanyryan2...@gmail.com /dev/null > > 2016-03-31 9:42 GMT-05:00 Tiffany Ryan <tiffanyryan2...@gmail.com>: > >> Please remove my email from you system &
