possibly failed cottonmouth attack on Amilo Xi2550 notebook

2015-03-31 Thread Elmar Stellnberger
is that it was already attacked by several software rootkits as detected by debcheckroot or file-wise comparison of an old and new installation of the same version of Debian from the exactly same unaltered source BD-DL in times when the machine had still been online. Yours Sincerely, Elmar

Re: bitches kann kiss my ass

2015-05-12 Thread Elmar Stellnberger
> Re: bitches kann kiss my ass On 11.05.15 at 22:33, Johannes Wolpers wrote: I will dominate this world one day what a kind of perverse longing? *Sent:* Monday, 11 May 2015 at 22:05 *From:* "Salvatore Bonaccorso" *To:* debian-security-annou...@lists.debian.org *Subject:* [SECURITY]

Re: [SECURITY] [DSA 3211-1] iceweasel security update

2015-05-18 Thread Elmar Stellnberger
On 2015-05-18 at 01:12, Pedro Worcel wrote: Keep in mind that if you use a non-tor browser in order to browse through Tor you would still be trackable to a degree. I would guess that there is no anonymity with tor anyway unless you use a virtual machine based solution like f.i. Whonix. Oth

Re: Debian Desktop Environment

2015-10-27 Thread Elmar Stellnberger
I would believe that it will heavily depend on how you configure your desktop environment: * One feature I do always turn off is desktop auto indexing because otherwise even storing an email attachment just for invoking it with an online view-as-jpeg service could cause an infection. Note that

Re: Debian Desktop Environment

2015-10-27 Thread Elmar Stellnberger
highly prefer if you were ready to incur the work of generating an own throw-away key for the communication. Best Regards, Elmar Stellnberger On 27.10.2015 17:36, Jason Fergus wrote: I'm curious about how you were infected by a rootkit, which one it was, and what you did to discover it? Us

Re: Debian Desktop Environment

2015-10-27 Thread Elmar Stellnberger
turned by Google). As any gpg-key may either be lost or get in touch with an infected computer any time I would highly prefer if you were ready to incur the work of generating an own throw-away key for the communication. Best Regards, Elmar Stellnberger On 27.10.2015 17:36,

Re: Mandatory Access Control

2015-11-29 Thread Elmar Stellnberger
SELinux is more elaborate and more complicated than Apparmor; tomoyo relatively new. I would personally regard none of those MAC systems as ultimate remedy to hard security problems. In 2011 I had a RedHat/SELinux system in its default configuration and it was compromised within minutes by simp

Re: Mandatory Access Control

2015-11-30 Thread Elmar Stellnberger
retical in practice as this description may make you believe.). Regards, Elmar On 29.11.2015 22:05, Patrick Schleizer wrote: Elmar Stellnberger: If you wanna ask me for my security solution it is qemu based and puts the most vulnerable system components like browsers and email programs into

Re: Mandatory Access Control

2015-11-30 Thread Elmar Stellnberger
urity by virt. Are you using this mode to get some security or is there no way around a full virtualization to improve security? Best Henriette On Sun, 29 Nov 2015 21:26:41 +0100, Elmar Stellnberger wrote: SELinux is more elaborate and more complicated than Apparmor; tomoyo relatively new. I

Re: Mandatory Access Control

2015-11-30 Thread Elmar Stellnberger
c-0.3.pdf It has a chapter "Secure GUI". Elmar Stellnberger: No actually it is not Qubes what I am using. I am using full blown qemu virtualization including a virtual wrapper device for the graphics. It is for sure that even here the weakest point is the emulation of the graphics card

Re: [SECURITY] [DSA 3454-1] virtualbox security update

2016-01-27 Thread Elmar Stellnberger
Could anyone give us a direct link to CVE-2015-5307, CVE-2015-8104 CVE-2016-0495 and CVE-2016-0592 so that we do not have to 'google' for it? One search via such an engine costs as much as a light bulb being turned on for an hour besides the work of copying all the CVEs to your favourite search

Re: Should Debian ask for a CPE when a CVE in Debian is found?

2016-02-15 Thread Elmar Stellnberger
On 2016-02-15 at 10:02, Holger Levsen wrote: If debian-security@lists.debian.org should not be used to discuss security topics related to Debian (with and without the security team) this should be clarified, though I doubt this is the case. Why not? I believe we had some fruitful discussion/co

SSL/TLS still seems to be screwed up (retrieving Mail with Thunderbird)

2016-04-10 Thread Elmar Stellnberger
Dear Readers of Debian-Security, While being connected via an insecure VPN I had once more left my email client open by accident (Thunderbird). Though access to imap.gmail.com shall be secured by SSL/TLS my gmail password was malversated within a few seconds; i.e. I got a login attempt from

Re: SSL/TLS still seems to be screwed up (retrieving Mail with Thunderbird)

2016-04-10 Thread Elmar Stellnberger
On 2016-04-11 at 00:00, Brandon Vincent wrote: TLS properly implemented is secure. The insecure VPN (as you so describe it) may have been stripping out the offer of STARTTLS by the IMAP server. This is pretty trivial to do when you control all of the data flowing through the VPN [1]. This has

Re: SSL/TLS still seems to be screwed up (retrieving Mail with Thunderbird)

2016-04-11 Thread Elmar Stellnberger
On 2016-04-11 at 08:55, Evgeny Kapun wrote: On 10.04.2016 19:22, Elmar Stellnberger wrote: my gmail password was malversated within a few seconds; i.e. I got a login attempt from HongKong and had to change the password after disconnecting. Is it possible that it was YOUR login attempt

Re: SSL/TLS still seems to be screwed up (retrieving Mail with Thunderbird)

2016-04-11 Thread Elmar Stellnberger
> But I cannot resist one question - why you use suspicious VPNs at all? > Well once upon a day I had to notice that I can not upload updates for my website (which is at http://www.elstel.org). I noticed that it was not possible to ping my webserver, to traceroute it or view web pages via htt

Re: SSL/TLS still seems to be screwed up (retrieving Mail with Thunderbird)

2016-04-11 Thread Elmar Stellnberger
On 2016-04-11 at 20:50, Vaughn Graham wrote: Well once upon a day I had to notice that I can not upload updates for my website (which is at http://www.elstel.org ). I noticed that it was not possible to ping my webserver, to traceroute it or view web pag

Re: SSL/TLS still seems to be screwed up (retrieving Mail with Thunderbird)

2016-04-11 Thread Elmar Stellnberger
laint it had not yet resettled (i.e. the link may be dead when you test it nowadays but that time it was not.).). Elmar Stellnberger

Re: SSL/TLS still seems to be screwed up (retrieving Mail with Thunderbird)

2016-04-11 Thread Elmar Stellnberger
On 2016-04-11 at 21:40, Elmar Stellnberger wrote: have the Google warning; now I want to see the proof for it myself once more ... Unfortunately I found two login attempts from 2015 on 1.November 10:44 (likely that of the VPN) from Vienna and on 30.August 2015 22:58 from Vienna / Safari. I

bug reports for grub need to be re-posted

2016-05-13 Thread Elmar Stellnberger
. Many Thanks, Elmar Stellnberger

Re: Will Packaging BoringSSL Bring Any Trouble to the Security Team?

2016-05-13 Thread Elmar Stellnberger
Just wanted to tell that I am quite happy not to have boringSSL in Debian - main. I think it is depeerable there apart from the security risk of adopting the SSL package from a company which was largely funded by intelligence services and the Pentagon. I would rather like to see OpenBSD's lib

Re: bug reports for grub need to be re-posted

2016-05-15 Thread Elmar Stellnberger
On 2016-05-15 at 08:53, Paul Wise wrote: On Fri, May 13, 2016 at 8:12 PM, Elmar Stellnberger wrote: Hi! Would anyone mind to re-post the following bug reports at https://savannah.gnu.org/bugs/? That URL gives a 404 message. Unfortunately my email program seems having stripped the end

Re: Debian SHA-1 deprecation

2016-05-18 Thread Elmar Stellnberger
On 2016-05-18 at 15:20, Daniel Pocock wrote: Can anybody comment on how Debian users will be impacted by SHA-1 deprecation? In particular: - will libraries like OpenSSL and GnuTLS continue to support it in stretch and beyond? - will web servers like Apache support it in server certificates

Re: debcheckroot v1.0 released

2016-05-18 Thread Elmar Stellnberger
my projects, first. If there should indeed be a non-refittable problem with it I am ready to retract it in favour of a BSD-like license (however for debcheckroot, only). On 2016-05-18 at 17:29, Patrick Schleizer wrote: Elmar Stellnberger: Here is a wishlist of mine: - put your code in

Re: Which Debian packages leak information to the network?

2016-05-20 Thread Elmar Stellnberger
On 2016-05-20 at 10:34, donoban wrote: I am running Debian on Qubes OS, I use gnome-calculator on a vault domain (a VM without any network device) because I thought it does not need Internet or data/files from another domain. So without any knowledge I was protecting myself from this privacy l

Re: CVE-2004-0230 RST DoS vulnerability in Lenny?

2016-07-13 Thread Elmar Stellnberger
4.dotplex.com (91.102.11.177): icmp_seq=2 ttl=53 time=39.5 ms Yours, Elmar Stellnberger On 2016-07-13 at 08:00, Justin Steven wrote: JW said (in 2010): Recently we've had a scanning vendor tell us our Debian Lenny 5.0.3 is vulnerable to CVE-2004-0230: TCP/IP Sequence Prediction Blind

Re: DSA for CVE-2016-5696 (off-path blind TCP session attack)

2016-08-16 Thread Elmar Stellnberger
Has anyone ever thought of an in-path TCP session attack and of encrypting sequence numbers by a given secret negotiated in advance between both endpoints? If an intelligence service ever wanted to do so I guess they could drive an in-path attack against TCP (as they tend to sit on the interne

Re: Which one is better solution?

2018-12-15 Thread Elmar Stellnberger
what is u+S? On 15.12.18 17:24, Ruslanas Gžibovskis wrote: u+S on a scr

Re: harbian-audit v0.2 for Debian "Stretch" 9 is released

2018-12-25 Thread Elmar Stellnberger
Can anyone tell what kind of program harbian is? On 25.12.18 15:11, Samson wrote: Hello everyone, I'm Samson-W, the "Captain" of the harbian-audit project in the HardenedLinux community. Harbian-audit is a collection of two security deployment compliance references to achieve STIG and CIS.

Re: harbian-audit v0.2 for Debian "Stretch" 9 is released

2018-12-26 Thread Elmar Stellnberger
s On Wed, 26 Dec 2018 at 00:54, Elmar Stellnberger <mailto:estel...@gmail.com>> wrote: Can anyone tell what kind of program harbian is? On 25.12.18 15:11, Samson wrote: Hello everyone, I'm Samson-W, the "Captain" of the harbian-audit project in t

Re: Intel Microcode updates

2019-06-18 Thread Elmar Stellnberger
Just because you disable Javascript in your browser I would not trust that you will be safe from arbitrary code execution. I am using Thunderbird as an email client and it has the same intrusion problem as the browsers running Javascript. The arbitrary binary code execution problem does to my

Re: Intel Microcode updates

2019-06-18 Thread Elmar Stellnberger
Perhaps you could add a bash script that does automatically download the microcode like f.i. winetricks does with windows code. That way one could be more sure to use the right url for it. I also still have quite a lot of Core 2 computers and would thus profit from such a provision. Am 12.06.1

Re: Intel Microcode updates

2019-06-18 Thread Elmar Stellnberger
Just because you disable Javascript in your browser I would not trust that you will be safe from arbitrary code execution. I am using Thunderbird as an email client and it has the same intrusion problem as the browsers running Javascript. The arbitrary binary code execution problem does to my

Re: Intel Microcode updates

2019-06-18 Thread Elmar Stellnberger
Perhaps you could add a bash script that does automatically download the microcode like f.i. winetricks does with windows code. That way one could be more sure to use the right url for it. I also still have quite a lot of Core 2 computers and would thus profit from such a provision. Am 12.06.1

Re: Intel Microcode updates

2019-06-22 Thread Elmar Stellnberger
Just because you disable Javascript in your browser I would not trust that you will be safe from arbitrary code execution. I am using Thunderbird as an email client and it has the same intrusion problem as the browsers running Javascript. The arbitrary binary code execution problem does to my

Re: Intel Microcode updates

2019-06-22 Thread Elmar Stellnberger
Perhaps you could add a bash script that does automatically download the microcode like f.i. winetricks does with windows code. That way one could be more sure to use the right url for it. I also still have quite a lot of Core 2 computers and would thus profit from such a provision. Am 12.06.1

Re: Intel Microcode updates

2019-06-23 Thread Elmar Stellnberger
: On Tue, 18 Jun 2019, Elmar Stellnberger wrote: Perhaps you could add a bash script that does automatically download the microcode like f.i. winetricks does with windows code. That way one could be more sure to use the right url for it. I also still have quite a lot of Core 2 computers and would

Re: PGP/GnuPG unsecure, should be replaced?

2019-07-21 Thread Elmar Stellnberger
Why do you think that TwoFish is bad? It was invented by Bruce Schneier and was in the last round of the AES competition. I believe it to be the better choice than AES. On 20.07.19 at 21:41, Iain Grant wrote: 2 fish... that in itself is bad.  AES, sure lets all be ok about that. I also re

Re: Two HDD on Desktop PC

2019-08-05 Thread Elmar Stellnberger
I would not recommend find -delete as it deletes files. You can easily remove/change a HDD if it is an USB adapter for an M.2 drive. That is the most secure solution. If you want to be really secure you would need to take your computer offline and take the M.2 drive always with you. Booting

Re: Have I caught a firmware attack in the act? Or am I just paranoid?

2019-08-14 Thread Elmar Stellnberger
Dear Rebecca On 13.08.19 at 09:14, Rebecca N. Palmer wrote: (b), physical access attack, would require an attacker breaking into my home.  (It has been several years since I last took the affected flash drive anywhere else or plugged it into any other computer.) If they're willing to do that,

Re: Have I caught a firmware attack in the act? Or am I just paranoid?

2019-08-16 Thread Elmar Stellnberger
I have only seen intelligence visiting my home when I left an offline computer around with HDD. If you feel safe answering: what country was this in?  Your name and time zone suggest Germany/Austria/Switzerland, which I wouldn't have thought of as the kind of places that do this. Though

Re: Have I caught a firmware attack in the act? Or am I just paranoid?

2019-08-16 Thread Elmar Stellnberger
I have only seen intelligence visiting my home when I left an offline computer around with HDD. If you feel safe answering: what country was this in?  Your name and time zone suggest Germany/Austria/Switzerland, which I wouldn't have thought of as the kind of places that do this. With t

Re: Have I caught a firmware attack in the act? Or am I just paranoid?

2019-08-16 Thread Elmar Stellnberger
On 15.08.19 at 22:57, Rebecca N. Palmer wrote: That would suggest it's not them, as the obvious reason to target me is to trick me into uploading malware. If that is the case you would have to take hellish care. I have read articles of the compiler as attack vector, i.e. an altered compil

Re: Have I caught a firmware attack in the act? Or am I just paranoid?

2019-08-16 Thread Elmar Stellnberger
Another potential home for this script is tiger, which also currently has an MD5-only checker: https://sources.debian.org/src/tiger/1:3.2.4%7Erc1-1/systems/Linux/2/deb_checkmd5sums/ It may be more probable that they simply infect a hidden file in your home directory[...]    I would presum

Re: Have I caught a firmware attack in the act? Or am I just paranoid?

2019-08-17 Thread Elmar Stellnberger
Read only switches are a security feature because you can read the content without the fear that it may be altered.[...] The read-only switch makes it as safe as a read only burnt dvd. The physical read-only switch on SD cards isn't: it's enforced at software level, not hardware level.

Re: Have I caught a firmware attack in the act? Or am I just paranoid?

2019-08-23 Thread Elmar Stellnberger
The key question about it is how the archive keys are handled. I believe that keeping such a key offline would be a whole lot of work. It would perhaps also help to have it on a gpg-Smartcard. On 23.08.19 at 09:10, Rebecca N. Palmer wrote: On 17/08/2019 12:18, Elmar Stellnberger wrote: to

Re: about older security advisories

2019-10-29 Thread Elmar Stellnberger
I would not rely on the wayback machine to preserve old content. Why don't you host it at debian? web content should not need much space. Why shall the old content not be usable any more? On 28.10.19 at 22:45, Moritz Mühlenhoff wrote: Thomas Lange wrote: On Mon, 28 Oct 2019 17:31:22 +000

debcheckroot v2.0 released

2019-11-15 Thread Elmar Stellnberger
Dear readers of debian-security   I have just released debcheckroot-v2.0: https://www.elstel.org/debcheckroot/ The new tool can be used to check a Debian installation also against previously unknown rootkits. It has many improvements towards debcheckroot-v1.0: # usage of direct comparison

Re: Verified Boot, Secure Boot, dm-verity, debcheckroot

2019-11-16 Thread Elmar Stellnberger
There are tools that can help with checking all files on the hard drive such as `debsums`. However, while `debsums` is more popular, it is unsuitable. Quote https://www.elstel.org/debcheckroot/ ... During development of Verifiable Builds experiences were made with verification of MBR, VBR, bo

Re: Verified Boot, Secure Boot, dm-verity, debcheckroot

2019-11-16 Thread Elmar Stellnberger
There are tools that can help with checking all files on the hard drive such as `debsums`. However, while `debsums` is more popular, it is unsuitable. Quote https://www.elstel.org/debcheckroot/ ... During development of Verifiable Builds experiences were made with verification of MBR, VBR, bo

Re: debcheckroot v2.0 released

2019-11-20 Thread Elmar Stellnberger
On 19.11.19 at 13:29, Patrick Schleizer wrote: Anyone using this yet? I would speculate, not many are using it. It needs step by step instructions. Otherwise, most users are lost at hello. Well, I have a couple of downloads every day, the more serious ones with wget. Things debcheckro

Re: debcheckroot v2.0 released

2019-11-21 Thread Elmar Stellnberger
On 21.11.19 at 13:59, Odo Poppinger wrote: On 20.11.19 at 12:29, Elmar Stellnberger wrote: debcheckroot is targeted at technically experienced users. No way to hunt rootkits authored by the NSA otherwise. You have to be a tough user to take this challenge! Well you can of course also use it

Re: debcheckroot v2.0 released

2019-11-25 Thread Elmar Stellnberger
On 25.11.19 at 12:35, Patrick Schleizer wrote: How often did you see initrd being infected? recently only once. So the attackers may change their vector; they have already done so multiple times. Not using apt/dpkg comes at the expense of not being able to fully verify the whole system.

Re: debcheckroot v2.0 released

2019-11-25 Thread Elmar Stellnberger
On 21.11.19 at 13:59, Odo Poppinger wrote: On 20.11.19 at 12:29, Elmar Stellnberger wrote: debcheckroot is targeted at technically experienced users. No way to hunt rootkits authored by the NSA otherwise. You have to be a tough user to take this challenge! Well you can of course also use it

Re: debcheckroot v2.0 released

2019-11-27 Thread Elmar Stellnberger
On 25.11.19 at 12:35, Patrick Schleizer wrote: Yes, forget about NSA and alike. Let's not assume quasi-omnipotent attackers. That leads to defeatist mindset which isn't productive.   I would not let myself be defeated easily. Who has thought about emails in your inbox which are deleted befo

Re: debcheckroot v2.0 released

2019-12-10 Thread Elmar Stellnberger
On 25.11.19 at 17:52, Elmar Stellnberger wrote: Not using apt/dpkg comes at the expense of not being able to fully verify the whole system. What if there are outdated packages on the system which aren't available from anymore from repository? Using snapshot.debian.org? I have just ext

Re: Why no security support for binutils? What to do about it?

2020-01-01 Thread Elmar Stellnberger
On 01.01.20 at 03:14, Paul Wise wrote: On Tue, Dec 31, 2019 at 9:47 AM Florian Weimer wrote: BFD and binutils have not been designed to process untrusted data. Usually, this does not matter at all. For example, no security boundary is crossed when linking object files that have been just be

Re: Why no security support for binutils? What to do about it?

2020-01-01 Thread Elmar Stellnberger
On 01.01.20 at 10:48, PJ wrote: Maybe ultimately one needs monitors and diff-machines built in hardware (and more or less by oneself). If compilers can be subverted, so can assemblers. It would be really worthwhile to have a decompiler! It is not assemblers that are subverted but machine i

Re: debcheckroot v2.0 released

2020-01-17 Thread Elmar Stellnberger
vote or comment for/on this bug. Elmar On 17.01.20 at 14:29, Cindy Sue Causey wrote: On 11/27/19, Elmar Stellnberger wrote: On 25.11.19 at 12:35, Patrick Schleizer wrote: Yes, forget about NSA and alike. Let's not assume quasi-omnipotent attackers. That leads to defeatist mindset which

Re: debcheckroot v2.0 released

2020-01-17 Thread Elmar Stellnberger
The programs which I use for secure DANE web browsing should be uploaded at: https://www.elstel.org/DANE/ documentation follows later On 17.01.20 at 16:52, Elmar Stellnberger wrote: Hi Cindy Sue! Hi folks!   I must confess there is little you can do about missing emails with debcheckroot

Re: debcheckroot v2.0 released

2020-03-04 Thread Elmar Stellnberger
Hi folks You can now download the indicated program at https://www.elstel.org/atea/ and read some documentation at https://www.elstel.org/DANE/. Kind Regards, Elmar On 17.01.20 at 16:52, Elmar Stellnberger wrote: Hi Cindy Sue! Hi folks!   I must confess there is little you can do

Re: debcheckroot v2.0 released

2020-03-04 Thread Elmar Stellnberger
reported several infected packages like mkinitramfs, ispell and several pam-modules though mounting the squashfs may already have triggered some malware. Yours Sincerely Elmar Stellnberger On 04.03.20 at 20:04, Elmar Stellnberger wrote: Hi folks   You can now download the indicated program at

Re: debcheckroot v2.0 released

2020-03-04 Thread Elmar Stellnberger
rogue certificate). The only domain where I have never succeeded is cdimage.debian.org. Is it permanently spoofed or did the Debian maintainers just enter a wrong hash in the TLSA record? On 04.03.20 at 20:41, Elmar Stellnberger wrote: It would be a question if anyone has tried to download a

Re: debcheckroot v2.0 released

2020-03-04 Thread Elmar Stellnberger
If anyone wants to play with atea use it under GPLv3. I forgot to add the license header in the file but this email should entitle you to use the program under GPLv3. Elmar On 04.03.20 at 20:51, Elmar Stellnberger wrote: Hint: You can use -v to get a more verbose output if atea fails which

Re: debcheckroot v2.0 released

2020-03-21 Thread Elmar Stellnberger
https://www.elstel.org/Teorema.html.en Teorema - a modern portuguese short story, freshly translated into English and German :: Debianopolis - o povo cristão On 04.03.20 at 20:41, Elmar Stellnberger wrote: It would be a question if anyone has tried to download a SHA512SUMS file from

Re: debcheckroot v2.0 released

2020-03-23 Thread Elmar Stellnberger
rogue cert! On 04.03.20 at 20:57, Elmar Stellnberger wrote: If anyone wants to play with atea use it under GPLv3. I forgot to add the license header in the file but this email should entitle you to use the program under GPLv3. Elmar On 04.03.20 at 20:51, Elmar Stellnberger wrote: Hint: You can

Re: debcheckroot v2.0 released

2020-03-24 Thread Elmar Stellnberger
On 24.03.20 at 11:18, Paul Wise wrote: On Tue, Mar 24, 2020 at 3:33 AM Paul Wise wrote: I've forwarded this to the Debian sysadmins IRC channel. I think it is related to the fact that the cdimage.d.o server is not managed by the Debian sysadmins, so the UMU ACC admins probably used Lets Encryp

Re: debcheckroot v2.0 released

2020-03-25 Thread Elmar Stellnberger
On 25.03.20 at 02:50, Paul Wise wrote: On Tue, 2020-03-24 at 15:48 +0100, Elmar Stellnberger wrote: I hope this is gonna happen anytime soon. DANE and thus a valid TLSA record is of very high value and importance for getting a genuine download of Debian. As I have mentioned before downloads

Re: debcheckroot v2.0 released

2020-03-26 Thread Elmar Stellnberger
On 26.03.20 at 03:50, Paul Wise wrote: On Wed, 2020-03-25 at 11:27 +0100, Elmar Stellnberger wrote: OpenPGP is no solution to the issue. DANE is not gonna disappear. I guess we will have to agree to disagree, end of thread for me. I am far from not having to say more about it

Re: debcheckroot v2.0 released

2020-04-02 Thread Elmar Stellnberger
On 02.04.20 at 01:57, Paul Wise wrote: On Wed, Apr 1, 2020 at 6:01 PM vi...@vheuser.com wrote: Did the discussion of continuing support for DANE end?? In case I mislead anyone, a clarification: Debian itself isn't going to actively work on removing support for DANE from anything nor removin

Re: debcheckroot v2.0 released

2020-04-02 Thread Elmar Stellnberger
On 02.04.20 at 11:15, Lewis Yarema wrote: But we have the atea tool now. Haven't we? You can use it to download via DNSSEC/DANE. And I believe Elmar is going to continue support for it. Debian itself can always support DANE as long as there are working DNSSEC implementations. Just provide a TLSA

Re: debcheckroot v2.0 released

2020-04-02 Thread Elmar Stellnberger
On 02.04.20 at 20:50, Lee wrote: On 4/1/20, Paul Wise wrote: On Wed, Apr 1, 2020 at 6:01 PM vince@ wrote: Did the discussion of continuing support for DANE end?? In case I mislead anyone, a clarification: Debian itself isn't going to actively work on removing support for DANE from anythin

Re: debcheckroot v2.0 released

2020-04-03 Thread Elmar Stellnberger
On 02.04.20 at 16:55, Elmar Stellnberger wrote: On 02.04.20 at 11:15, Lewis Yarema wrote: But we have the atea tool now. Haven't we? You can use it to download via DNSSEC/DANE. And I believe Elmar is going to continue support for it. Debian itself can always support DANE as long as

Re: debcheckroot v2.0 released

2020-04-03 Thread Elmar Stellnberger
  There are a few reasons why I believe that DANE / TLSA DNS RR answers are quite trustworthy: * DNS responses are much faster than establishing a TCP connection (1.5RTT), usually only about 40ms also because DNS servers tend to be near the user if not provided by the ISP while the server you

Re: debcheckroot v2.0 released

2020-04-04 Thread Elmar Stellnberger
On 04.04.20 at 00:46, Lee wrote: On 4/3/20, Elmar Stellnberger wrote: Encryption can be a source of arbitrary code execution exploits if not implemented properly. Encrypting DNS would have other application purposes and makes sense as long as you use a proxy. If you connect directly hiding

Re: debcheckroot v2.0 released

2020-04-04 Thread Elmar Stellnberger
On 02.04.20 at 16:49, Elmar Stellnberger wrote: On 02.04.20 at 01:57, Paul Wise wrote: On Wed, Apr 1, 2020 at 6:01 PM vi...@vheuser.com wrote: Did the discussion of continuing support for DANE end?? In case I mislead anyone, a clarification: Debian itself isn't going to actively wo

Re: debcheckroot v2.0 released

2020-04-07 Thread Elmar Stellnberger
On 04.04.20 at 09:47, Elmar Stellnberger wrote: On 02.04.20 at 16:49, Elmar Stellnberger wrote: On 02.04.20 at 01:57, Paul Wise wrote: On Wed, Apr 1, 2020 at 6:01 PM vi...@vheuser.com wrote: Did the discussion of continuing support for DANE end?? In case I mislead anyone, a

arbitrary code execution on unformatted usb stick

2020-04-25 Thread Elmar Stellnberger
installation. Downloading singleton files in a batch via tor is conspicuous to secret services and thus not viable. They would simply alter the download as they have done many times. I wonder how the people at the Iranian nuclear program do their things? Yours Sincerely, Elmar Stellnberger

Re: arbitrary code execution on unformatted usb stick

2020-04-25 Thread Elmar Stellnberger
On 25.04.20 at 15:38, Elmar Stellnberger wrote: Dear readers of the debian-security mailing list   The first time I had lost my new coreboot i7 notebook when I plugged a vfat formatted usb stick into the notebook run merely offline where I developed the a̅tea. Suddenly low level

Fwd: Re: AW:webhosting mit DANE

2020-04-25 Thread Elmar Stellnberger
rtet haben were the FSFE, who themselves, however, understandably and unlike others, have no resources for the analysis (although looking at a debcheckroot log cannot be that much work either.). Kind regards, Elmar Stellnberger

Re: Scripts that run insecurely-downloaded code

2020-05-01 Thread Elmar Stellnberger
https isn't any more secure than http as long as you do not have a verifiably trustworthy server certificate that you can check for. As we know the certification authority system is totally broken. It is a bug if a build script tries to download something. It must work offline as well. I do not

Re: arbitrary code execution on unformatted usb stick

2020-05-02 Thread Elmar Stellnberger
On 25.04.20 at 15:38, Elmar Stellnberger wrote: Dear readers of the debian-security mailing list   The first time I had lost my new coreboot i7 notebook when I plugged a vfat formatted usb stick into the notebook run merely offline where I developed the a̅tea. Suddenly low level operating

Re: arbitrary code execution on unformatted usb stick

2020-05-02 Thread Elmar Stellnberger
GPG but use a typewriter and snail-mail. I can also imagine how I would end up after my studies. I have already received an offer to work for the people who have been terrorizing me (but that is another tale) ... On 02.05.20 at 16:50, Elmar Stellnberger wrote: Am 25.04.20 um 15:38 schrieb Elmar

Re: rkhunter finds something suspicious

2020-05-08 Thread Elmar Stellnberger
I always use > netstat -atupn That shows all open tcp and udp ports. Invoke this before you start Firefox. The list should be empty or only contain sockets on the loopback network interface (127.0.0.*, ::1). To disable unnecessary network daemons use: > systemctl disable avahi-daemon/other-da

Re: rkhunter finds something suspicious

2020-05-08 Thread Elmar Stellnberger
On 07.05.20 at 19:14, shirish शिरीष wrote: Dear all, Today my system was slowing much more than ever. Hence decided to run rkhunter. It seems to have found some issues, could somebody take a look and see if these are false positives or what ? I don't know the hash sums it quotes are current o

Re: rkhunter finds something suspicious

2020-05-08 Thread Elmar Stellnberger
inhibited if you try to analyze fromout of an infected system. On 08.05.20 at 15:48, Elmar Stellnberger wrote: On 07.05.20 at 19:14, shirish शिरीष wrote: Dear all, Today my system was slowing much more than ever. Hence decided to run rkhunter. It seems to have found some issues, could

Re: rkhunter finds something suspicious

2020-05-08 Thread Elmar Stellnberger
You should execute the commands below when you install a new system. Closing unnecessary ports makes your system less susceptible to cracking, rootkit infection and/or malware infection. On 08.05.20 at 14:33, Elmar Stellnberger wrote:  I always use > netstat -atupn That shows all o

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-13 Thread Elmar Stellnberger
On 09.04.22 23:31, Moritz Mühlenhoff wrote: > Friedhelm Waitzmann wrote: >>> For the oldstable distribution (buster), these problems have >>> been fixed in version 91.8.0esr-1~deb10u1. >> >> Where can I get this from for buster and architecture i386? >>

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-13 Thread Elmar Stellnberger
On Wed, Apr 13, 2022 at 09:52:13PM +0200, Elmar Stellnberger wrote: > On 09.04.22 23:31, Moritz Mühlenhoff wrote: > > Friedhelm Waitzmann wrote: > >>> For the oldstable distribution (buster), these problems have > >>> been fixed in version 91.8.0esr-1~deb10u1. >

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-14 Thread Elmar Stellnberger
On 14.04.22 10:37, Paul Wise wrote: On Tue, 2022-04-12 at 05:59 +0200, Friedhelm Waitzmann wrote: And if it is indeed possible, how can I switch from i386 to amd64?  Can this be done with the apt tools?  Then during the migrating some packages will be from amd64 already while others will be sti

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-14 Thread Elmar Stellnberger
> On 14.04.22 10:52, Elmar Stellnberger wrote: > >Could it be that also other programs are affected by this issue? > > > I have been building Coan (one of my programs) recently on the OBS and it > > > did not build on Debian10/i586 giving an error at /usr/lib/qt5/bin

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-14 Thread Elmar Stellnberger
On Wed, Apr 13, 2022 at 03:11:04PM -0400, Michael Stone wrote: > On Wed, Apr 13, 2022 at 08:18:30PM +0200, Levis Yarema wrote: > > What about Spectre/Meltdown? P3/P4/Pentium M systems don't have that? Core > > 2 > > systems to my knowledge can. > > There's no reason to believe netburst systems a

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-14 Thread Elmar Stellnberger
On Sat, Apr 09, 2022 at 11:31:01PM +0200, Moritz Mühlenhoff wrote: > Friedhelm Waitzmann wrote: > >> For the oldstable distribution (buster), these problems have > >> been fixed in version 91.8.0esr-1~deb10u1. > > > > Where can I get this from for buster and architecture i386? > >

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-14 Thread Elmar Stellnberger
On Thu, Apr 14, 2022 at 02:50:32PM +0200, Elmar Stellnberger wrote: > On Sat, Apr 09, 2022 at 11:31:01PM +0200, Moritz Mühlenhoff wrote: > > Friedhelm Waitzmann wrote: > > >> For the oldstable distribution (buster), these problems have > > >> been fix

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-14 Thread Elmar Stellnberger
On 14.04.22 14:52, Elmar Stellnberger wrote: I am also running Debian 10 on my Asus eeePC (Pentium M). I am mainly using it as a dictionary. Although I am performing security updates quite regularly I have not run into this issue. Having updated just now I am with Firefox 78.15.0-esr-1

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-15 Thread Elmar Stellnberger
On 15.04.22 04:50, Lennart Sorensen wrote: On Thu, Apr 14, 2022 at 03:45:37PM +0200, Levis Yarema wrote: Is there indeed any reason to prefer amd64 over i586 if you have the choice and a machine with 2GB RAM or less, apart from perhaps long term support? Twice the registers and sse instructio

Re: amd64 running on Intel Celeron and Pentium? (was: [SECURITY] [DSA 5113-1] firefox-esr security update)

2022-04-15 Thread Elmar Stellnberger
On 14.04.22 15:45, Levis Yarema wrote: Is there indeed any reason to prefer amd64 over i586 if you have the choice and a machine with 2GB RAM or less, apart from perhaps long term support? Depends on the application. Encryption and decryption requiring the simulation of very large integers

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-15 Thread Elmar Stellnberger
On Fri, Apr 15, 2022 at 04:52:55PM +0200, Elmar Stellnberger wrote: > ... > exist. It truly is this g++ bug that prevents Firefox and any > Qt programs from building under Buster/i586. I have noted that > there are also some amd64 targets on the OBS that expose the > exact s

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-16 Thread Elmar Stellnberger
uld not be possible for some reason, please share your knowledge about these bugs, so that people like me can try to find a fix. Elmar On Fri, Apr 15, 2022 at 06:37:33PM +0200, Elmar Stellnberger wrote: > On Fri, Apr 15, 2022 at 04:52:55PM +0200, Elmar Stellnberger wrote: > > ... > >

Re: amd64 running on Intel Celeron and Pentium?

2022-04-17 Thread Elmar Stellnberger
I haven't heard yet of a Pentium IV supporting amd64. Likely it does not exist. On Sun, Apr 17, 2022 at 10:05:39AM +0200, Friedhelm Waitzmann wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > piorunz: > > On 12/04/2022 04:59, Friedhelm Waitzmann wrote: > > > You mean, that it is poss
