Re: where to submit low security vulnerability in .profile?

2017-06-19 Thread Henrique de Moraes Holschuh
> such as ~/bin/sudo that will be run instead of the system's sudo. > > Then, some use of social engineering might get an admin or some other > > user to type in a password to run a command using su or sudo. > > > > That said, no, it is not usually considered a security

Re: where to submit low security vulnerability in .profile?

2017-06-19 Thread Nicolas George
On Primidi 1 Messidor, year CCXXV, Greg Wooledge wrote: > Henrique, I believe, was describing an attack that works like this: > > 2) PATH=~/bin:$PATH > 3) vi ~/bin/su (insert malicious code); chmod 755 ~/bin/su > 4) Call the system administrator, and get him/her to come to your desk. I do not

Re: where to submit low security vulnerability in .profile?

2017-06-19 Thread The Wanderer
me use of social engineering might get an admin or some other > user to type in a password to run a command using su or sudo. > > That said, no, it is not usually considered a security > vulnerability, because NOT using the full path to run commands such > as "su" and "s

Re: where to submit low security vulnerability in .profile?

2017-06-19 Thread Greg Wooledge
On Mon, Jun 19, 2017 at 06:00:58PM +0200, Nicolas George wrote: > On Primidi 1 Messidor, year CCXXV, Henrique de Moraes Holschuh wrote: > > That said, no, it is not usually considered a security vulnerability, > > because NOT using the full path to run commands such as "s

Re: where to submit low security vulnerability in .profile?

2017-06-19 Thread Nicolas George
On Primidi 1 Messidor, year CCXXV, Henrique de Moraes Holschuh wrote: > That said, no, it is not usually considered a security vulnerability, > because NOT using the full path to run commands such as "su" and "sudo" > in the first place IS considered gross negligen

Re: where to submit low security vulnerability in .profile?

2017-06-19 Thread Henrique de Moraes Holschuh
udo. That said, no, it is not usually considered a security vulnerability, because NOT using the full path to run commands such as "su" and "sudo" in the first place IS considered gross negligence. So, train your fingers! There is no "su", it *is* /bin/su. And there

Re: where to submit low security vulnerability in .profile?

2017-06-19 Thread Greg Wooledge
On Sun, Jun 18, 2017 at 06:56:07AM +0200, David Bunch wrote: > I'm not sure where or how or even if I should submit a bug small security > vulnerability in the default .profile that is created in each user's home > directory. That file comes from /etc/skel/.profile which is

Re: where to submit low security vulnerability in .profile?

2017-06-18 Thread David Wright
On Sun 18 Jun 2017 at 07:55:32 (-0400), RavenLX wrote: > On 06/18/2017 12:56 AM, David Bunch wrote: > >Hi, > > > >I'm not sure where or how or even if I should submit a bug small security > >vulnerability in the default .profile that is created in each user's ho

Re: where to submit low security vulnerability in .profile?

2017-06-18 Thread RavenLX
On 06/18/2017 05:05 AM, Nicolas George wrote: On Décadi 30 Prairial, year CCXXV, David Bunch wrote: This could be a potential security vulnerability because if the user account of a user with 'su' power, an attacker could place a malicious 'su', 'ls', and 'wh

Re: where to submit low security vulnerability in .profile?

2017-06-18 Thread RavenLX
On 06/18/2017 12:56 AM, David Bunch wrote: Hi, I'm not sure where or how or even if I should submit a bug small security vulnerability in the default .profile that is created in each user's home directory. .profile searches for a ~/bin directory and if it finds it prepends it to PATH li

Re: where to submit low security vulnerability in .profile?

2017-06-18 Thread Nicolas George
On Décadi 30 Prairial, year CCXXV, David Bunch wrote: > This could be a potential security vulnerability because if the user account > of a user with 'su' power, an attacker could place a malicious 'su', 'ls', > and 'which' in their ~/bi

where to submit low security vulnerability in .profile?

2017-06-17 Thread David Bunch
Hi, I'm not sure where or how or even if I should submit a bug small security vulnerability in the default .profile that is created in each user's home directory. .profile searches for a ~/bin directory and if it finds it prepends it to PATH like so: PATH='$HOME/bin':$PATH

Re: Firefox: security vs flexibility or rtfm?

2017-04-29 Thread Mark Copper
On Fri, Apr 28, 2017 at 9:14 PM, Andy Smith wrote: > Hi Mark, > > I think Mozilla's position is reasonable since if you allow this > sort of thing to remain possible, nobody will fix anything. Broken > software will ship with instructions for the users to "just make an > exception". > > Would it b

Re: Firefox: security vs flexibility or rtfm?

2017-04-29 Thread Fungi4All
Original Message Subject: Re: Firefox: security vs flexibility or rtfm? From: mcop...@straitcity.com >We only need one browser to work as these >tasks are all performed in house. Just seemed like there must be a lot >of old equipment with embedded HTTP servers out t

Re: Firefox: security vs flexibility or rtfm?

2017-04-28 Thread Andy Smith
Hi Mark, I think Mozilla's position is reasonable since if you allow this sort of thing to remain possible, nobody will fix anything. Broken software will ship with instructions for the users to "just make an exception". Would it be feasible to put a proxy in front of the HTTP-only service, that

Re: Firefox: security vs flexibility or rtfm?

2017-04-28 Thread Anders Andersson
On Fri, Apr 28, 2017 at 8:35 PM, Mark Copper wrote: >> Would mozilla.support.firefox on news.mozilla.org be more productive as your >> description suggests an OS independent problem? > > I think the issue has been raised and rejected at Firefox. Although OS > independent, I was thinking a work-aro

Re: Firefox: security vs flexibility or rtfm?

2017-04-28 Thread Mark Copper
> Would mozilla.support.firefox on news.mozilla.org be more productive as your > description suggests an OS independent problem? I think the issue has been raised and rejected at Firefox. Although OS independent, I was thinking a work-around might involve the distro--Chromium is gone but maybe the

Re: Firefox: security vs flexibility or rtfm?

2017-04-28 Thread Richard Owlett
a Firefox bug thread where these concerns were summarily dismissed, but there must be a lot of shops like ours out there. How do they handle this security issue? Thanks for reading. Mark Would mozilla.support.firefox on news.mozilla.org be more productive as your description suggests an OS independent problem?

Firefox: security vs flexibility or rtfm?

2017-04-28 Thread Mark Copper
summarily dismissed, but there must be a lot of shops like ours out there. How do they handle this security issue? Thanks for reading. Mark

Re: Security hole in LXDE?

2017-03-24 Thread cbannister
On Mon, Feb 27, 2017 at 09:00:15PM +1100, Davor Balder wrote: > Hi Hans, > > Question 1 which one: stable, testing or unstable? IMHO if it's not stated then stable is to be assumed. Users who run testing/sid are generally expected to have some degree of troubleshooting knowledge (the clue is in

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-07 Thread Brian
On Tue 07 Mar 2017 at 09:05:03 +0100, to...@tuxteam.de wrote: > On Mon, Mar 06, 2017 at 08:53:39PM +, Brian wrote: > > [...] > > > I'll reconstruct my previous response. If there is no root password, > > (a bad idea, see my other post) > > > sudo is installed and the "first user" is put in

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-07 Thread tomas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Mon, Mar 06, 2017 at 08:53:39PM +, Brian wrote: [...] > I'll reconstruct my previous response. If there is no root password, (a bad idea, see my other post) > sudo is installed and the "first user" is put into the sudo group. I've no proof

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-07 Thread tomas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Mon, Mar 06, 2017 at 08:58:25PM +, Joe wrote: [...] > A member of the sudo group has permanent root privileges. He might as > well simply login as root every day, and not bother with another user. Sorry, I've to disagree. It's a question of e

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Joe
tive privileges. If not, how would or does the > person installing the OS (who is therefore, ipso facto, IMO, the > administrator of the machine) do anything administratively? And what > difference would it make security-wise to put the "first user" in the > sudo group when she or h

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Brian
On Mon 06 Mar 2017 at 19:57:25 +, Joe wrote: > On Mon, 6 Mar 2017 19:36:40 + > Brian wrote: > > > On Mon 06 Mar 2017 at 18:59:18 +, Joe wrote: > > > > > On Mon, 6 Mar 2017 13:40:45 -0500 > > > Greg Wooledge wrote: > > > > > > > On Mon, Mar 06, 2017 at 06:31:46PM +, Joe wrote

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Curt
) do anything administratively? And what difference would it make security-wise to put the "first user" in the sudo group when she or he could have gotten there anyway by simply creating a root password and foregoing sudo altogether? Or am I being stupid here, missing something obvious? -- "

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Joe
On Mon, 6 Mar 2017 19:36:40 + Brian wrote: > On Mon 06 Mar 2017 at 18:59:18 +, Joe wrote: > > > On Mon, 6 Mar 2017 13:40:45 -0500 > > Greg Wooledge wrote: > > > > > On Mon, Mar 06, 2017 at 06:31:46PM +, Joe wrote: > > > > Debian appears to use the group 'sudo' as an administrat

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread GiaThnYgeia
Greg Wooledge: > On Mon, Mar 06, 2017 at 06:31:46PM +, Joe wrote: >> Debian appears to use the group 'sudo' as an administrative group, >> where some other distributions use 'wheel'. >> >> I would not have thought that users would be added to it by default, >> there are no members on my sid/xfc

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Brian
On Mon 06 Mar 2017 at 18:59:18 +, Joe wrote: > On Mon, 6 Mar 2017 13:40:45 -0500 > Greg Wooledge wrote: > > > On Mon, Mar 06, 2017 at 06:31:46PM +, Joe wrote: > > > Debian appears to use the group 'sudo' as an administrative group, > > > where some other distributions use 'wheel'. > > >

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Joe
On Mon, 6 Mar 2017 13:40:45 -0500 Greg Wooledge wrote: > On Mon, Mar 06, 2017 at 06:31:46PM +, Joe wrote: > > Debian appears to use the group 'sudo' as an administrative group, > > where some other distributions use 'wheel'. > > > > I would not have thought that users would be added to it by

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Greg Wooledge
On Mon, Mar 06, 2017 at 06:31:46PM +, Joe wrote: > Debian appears to use the group 'sudo' as an administrative group, > where some other distributions use 'wheel'. > > I would not have thought that users would be added to it by default, > there are no members on my sid/xfce4 workstation. Indee

Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Joe
On Mon, 06 Mar 2017 18:28:25 +0100 Hans wrote: > Closing my first report. When I deleted the user from the group > "sudo", everything worked back as normal. > > Debian appears to use the group 'sudo' as an administrative group, where some other distributions use 'wheel'. I would not have thou

[SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Hans
Closing my first report. When I deleted the user from the group "sudo", everything worked back as normal. However, IMO the user must additionally be in /etc/sudoers to get the described behaviour working. What is sure: Either KDE or LXDE gave me the opportunity (by using the root password), to

Re: Security hole in LXDE?

2017-03-02 Thread tomas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Thu, Mar 02, 2017 at 08:01:38AM -0600, David Wright wrote: [...] > If you're trying to clarify things, you have to tighten that up > considerably. Any regular user can start synaptics without a password, > as I already posted in this thread. Yes.

Re: Security hole in LXDE?

2017-03-02 Thread tomas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Thu, Mar 02, 2017 at 02:32:19PM +0100, Hans wrote: [snip snip] OK, given your answers, the recommended path would be to remove your user (hans) from group sudo, perhaps so: deluser hans sudo (you've to be root for that, perhaps with -ahem- sud

Re: Security hole in LXDE?

2017-03-02 Thread David Wright
On Thu 02 Mar 2017 at 14:12:59 (+0100), to...@tuxteam.de wrote: > On Thu, Mar 02, 2017 at 01:19:00PM +0100, Hans wrote: > > Hi Tomas > > > Hm. I'm not sure I've got that one right. Who has allowed the standard > > > user to execute applications with root rights? How? > > It was me, being haven ask

Re: Security hole in LXDE?

2017-03-02 Thread Hans
> OK, to recap: you started synaptics (as regular user), and for the first > time you were asked a password. You gave the root (not the user's) > password, and from then on you could start synaptics as a regular user > without having to enter a password. Is that right? > Correct. However, this is

Re: Security hole in LXDE?

2017-03-02 Thread tomas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Thu, Mar 02, 2017 at 01:19:00PM +0100, Hans wrote: > Hi Tomas > > Hm. I'm not sure I've got that one right. Who has allowed the standard > > user to execute applications with root rights? How? > It was me, being haven asked by of the root password

Re: Security hole in LXDE?

2017-03-02 Thread Hans
Hi Tomas > Hm. I'm not sure I've got that one right. Who has allowed the standard > user to execute applications with root rights? How? It was me, being haven asked by of the root password and (of course) gave the correct one, I allowed the user, to start applications with root rights (besides,

Re: Security hole in LXDE?

2017-03-02 Thread tomas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Thu, Mar 02, 2017 at 11:40:10AM +0100, Hans wrote: > Checked my system again. > It looks like I have allowed the standard user to execute applications like > synaptic with root rights. I know, this is going to be asked in KDE, when you > start a h

Re: Security hole in LXDE?

2017-03-02 Thread Hans
Checked my system again. It looks like I have allowed the standard user to execute applications like synaptic with root rights. I know, this is going to be asked in KDE, when you start a higher privileged application as a normal user. You can then decide (as root), if the user is allowed to star

Re: Security hole in LXDE?

2017-02-28 Thread Lisi Reisz
On Tuesday 28 February 2017 17:45:57 David Wright wrote: > Both aptitude and synaptic can run by an ordinary user, and it's a > very safe way to run them when you don't yet fully understand their > abilities. To extend for the sake of pedantic ultra-clarity, and not to contradict: aptitude can b

Re: Security hole in LXDE?

2017-02-28 Thread David Wright
I delete x11 and install MATE, or I install a package that > has dependency conflicts and replaces what is essential for the other > users' packages. > > Live systems allow you to install whatever you like as they assume you > are the root or sysadmin. > > At least that is h

Re: Security hole in LXDE?

2017-02-28 Thread David Wright
On Tue 28 Feb 2017 at 11:02:14 (+0100), Hans wrote: > I am not sure, if I some day allowed the normal user to start synaptic as a > normal user. Sometimes this option is offered at the first start. I wouldn't know how to _prevent_ an ordinary user from running synaptic by typing /usr/sbin/synapt

Re: Security hole in LXDE?

2017-02-28 Thread GiaThnYgeia
at is essential for the other users' packages. Live systems allow you to install whatever you like as they assume you are the root or sysadmin. At least that is how I understand security policy for this system. David Wright: > On Mon 27 Feb 2017 at 11:13:00 (+), GiaThnYgeia wrote: >>

Re: Security hole in LXDE?

2017-02-28 Thread Hans
I am not sure, if I some day allowed the normal user to start synaptic as a normal user. Sometimes this option is offered at the first start. If I have done this (which I was at that moment willing to do), where do I have to look, to make this thing back to normal? Please note, that I am not usi

Re: apache2 security update

2017-02-27 Thread davidson
On Mon, 27 Feb 2017, Dr. John A. Zoidberg MD wrote: This post concerns: Debian Security Advisory DSA-3796-1 (appended below) The package involved is apache2. I have two "live" internet webservers, one an uptodate jessie, the other a long-maintained wheezy. The jessie machine upgra

Re: apache2 security update

2017-02-27 Thread Dr. John A. Zoidberg MD
On Mon, 27 Feb 2017, Dan Ritter wrote: No, the version in wheezy is probably also affected. However, wheezy is now supported by the Long Term Support project, and you need to make changes to get those packages. https://wiki.debian.org/LTS/Using THANK YOU! I'm trying desperately to get out

Re: Security hole in LXDE?

2017-02-27 Thread David Wright
On Mon 27 Feb 2017 at 11:13:00 (+), GiaThnYgeia wrote: > testingAmd64LXDE > > I have never, not once, been able to run synaptic in any similar system > without a root or a sudo password. Not to execute a command, just to > get the gui up you need a password. Why would that be? You should be

Re: apache2 security update

2017-02-27 Thread Dan Ritter
On Mon, Feb 27, 2017 at 12:48:46PM -0500, Dr. John A. Zoidberg MD wrote: > This post concerns: > > Debian Security Advisory DSA-3796-1 (appended below) > > The package involved is apache2. > > I have two "live" internet webservers, one an uptodate jessie, the o

apache2 security update

2017-02-27 Thread Dr. John A. Zoidberg MD
This post concerns: Debian Security Advisory DSA-3796-1 (appended below) The package involved is apache2. I have two "live" internet webservers, one an uptodate jessie, the other a long-maintained wheezy. The jessie machine upgraded easily to the new apache2 packages, but apt on

Re: Security hole in LXDE?

2017-02-27 Thread GiaThnYgeia
Hans: > Hi, > I am just clicking in LXDE menu on the icon to start, then a popup menu opens > and asks for my password (the user password NOT root) and I can install just But is that user a member in the sudo group? I had to use root till I added the user to the group > Best > > Hans >> >> Wha

Re: Security hole in LXDE?

2017-02-27 Thread Pontus Goffe
On 2017-02-27 at 12:20, Hans wrote: If so, then why not working so in KDE? And if this is intended, then this is a bug and a security hole, which should be fixed. Hans A fresh vanilla install of testing with LXDE installs both sudo and gksu. Without configuring any, starting synaptic from

Re: Security hole in LXDE?

2017-02-27 Thread Joe
udoers. > > > > As I said: I do NOT use sudoers, and there is no entry or the > user /etc/ sudoers. > > > I suspect what you're seeing is as intended. > > If so, then why not working so in KDE? And if this is intended, then > this is a bug and a secu

Re: Security hole in LXDE?

2017-02-27 Thread Hans
hat you're seeing is as intended. If so, then why not working so in KDE? And if this is intended, then this is a bug and a security hole, which should be fixed. Hans

Re: Security hole in LXDE?

2017-02-27 Thread GiaThnYgeia
testingAmd64LXDE I have never, not once, been able to run synaptic in any similar system without a root or a sudo password. Not to execute a command, just to get the gui up you need a password. I don't know whether creating a user with 100% admin privileges will still require a pass or not, I su

Re: Security hole in LXDE?

2017-02-27 Thread Joe
> As I do not know, if this is a problem on my system (I have no second > one to confirm this)., maybe please someone else could check this. > > If I am correct, this is a security hole. If I am wrong, I have to > recheck my system. > > Check how synaptic is being started b

Re: Security hole in LXDE?

2017-02-27 Thread Hans
On Monday, 27 February 2017, 21:00:15 CET, Davor Balder wrote: > Hi Hans, > > Question 1 which one: stable, testing or unstable? testing/amd64 > > Generally (to aid in your investigation): > I did, but found nothing unusual. If no one can confirm this, it is a problem on my system! Hans

Re: Security hole in LXDE?

2017-02-27 Thread Hans
Hi, I am just clicking in LXDE menu on the icon to start, then a popup menu opens and asks for my password (the user password NOT root) and I can install just as I am root. Best Hans > > What, exactly, do you do to start synaptic? Click on something, or run a > command in a terminal? What promp

Re: Security hole in LXDE?

2017-02-27 Thread Davor Balder
root password. > > I do not have sudo in use. > > As I do not know, if this is a problem on my system (I have no second one to > confirm this)., maybe please someone else could check this. > > If I am correct, this is a security hole. If I am wrong, I have to recheck my >

Re: Security hole in LXDE?

2017-02-27 Thread Jonathan Dowland
On Mon, Feb 27, 2017 at 10:19:47AM +0100, Hans wrote: > Hi folks, > > on my system /debian-amd64/testing) I can start Synaptic as a normal user, > just by using the user password. In KDE this is not possible, there I need > the > root password. > > I do not have sudo in use. What, exactly, do

Security hole in LXDE?

2017-02-27 Thread Hans
this)., maybe please someone else could check this. If I am correct, this is a security hole. If I am wrong, I have to recheck my system. Thank you for your help. Best Hans

Web Security Users DB

2017-01-11 Thread Carolyn Moehling
Hello there, Might want to know whether you are keen on obtaining Web Security Users DB for your marketing effort. Data Fields: Name, Title, Email, Phone Numbers, Company Name, and Company Details like Physical Address, Web Address, Revenue Size, Employee Size and industry. Please

Finding a good compromise in automating security updates

2017-01-07 Thread Yvan Masson
Hi list, I want to automate security updates on Stretch desktops and servers, using unattended-upgrades. I remember that under Wheezy I was receiving an email when my intervention was needed (i.e. when a WARNING was written in the log file). I can't get this anymore with my current te

Re: Can't install security update: server name not resolved

2016-10-23 Thread Nick Boyce
On Fri, 21 Oct 2016 07:35:28 -0400 Carl Fink wrote: > Anyone else seeing this? > > E: Failed to fetch > http://security.debian.org/pool/updates/main/l/linux/linux-headers-3.16.0-4-amd64_3.16.36-1+deb8u2_amd64.deb > Could not resolve 'security-cdn.debian.org > It w

Re: Can't install security update: server name not resolved

2016-10-21 Thread Carl Fink
On 10/21/2016 02:36 PM, Morten Bergman wrote: I was seeing that too. Tried again, this time through a VPN, and it worked. It was apparently temporary. Worked when I got home from, well, work. Thanks. -- Carl Fink c...@finknetwork.com

Re: Can't install security update: server name not resolved

2016-10-21 Thread Morten Bergman
I was seeing that too. Tried again, this time through a VPN, and it worked. Morten

Can't install security update: server name not resolved

2016-10-21 Thread Carl Fink
Anyone else seeing this? E: Failed to fetch http://security.debian.org/pool/updates/main/l/linux/linux-headers-3.16.0-4-amd64_3.16.36-1+deb8u2_amd64.deb Could not resolve 'security-cdn.debian.org Any suggestions? -- Carl Fink nitpick...@nitpicking.com Read my

Re: uswsusp - security hole fixed?

2016-10-15 Thread deloptes
Teemu Likonen wrote: > I think the usual and better way is to have an unencrypted /boot and a > single other LUKS partition which contains LVM logical volumes for > everything else (swap, / and whatever). So swap is encrypted too. I have > had this setup for ages on desktop and laptop and it has a

Re: uswsusp - security hole fixed?

2016-10-15 Thread Teemu Likonen
Hans [2016-10-15 13:44:41+02] wrote: > as I am a little security aimed, my /usr, /var and /home (each on a > separate partition) are encrypted with luks. > I would be happy, when someone could make some things for me a little > bit clearer, I think the usual and better way i

uswsusp - security hole fixed?

2016-10-15 Thread Hans
Hello list, as I am a little security aimed, my /usr, /var and /home (each on a separate partition) are encrypted with luks. Some time ago, I discovered, that when I suspend my system (suspend-to-disk), and resume it again, I did not need to enter the password for /usr. Well, my computer

OpenSSH security update? was Re: Issues with SSH pubkey authentication at remote server

2016-09-27 Thread Stephan Beck
mponent in use within the package openssh Debian >>> Jessie is one step behind. "Standalone" OpenSSL package is now at >>> version 1.0.1t-1+deb8u5 since September 23. >>> >>>> me@mymachine:~/.ssh$ ssh -vv me@theremoteserver >>>> OpenSSH_6.7p1

Re: Security Updates

2016-08-31 Thread Larry Dighera
states: >> >>"If you use APT, add the following line to /etc/apt/sources.list to be >> able >>to access the latest security updates: >> >>deb http://security.debian.org/ jessie/updates main contrib non-free >> >>After that, run a

Re: Security Updates

2016-08-31 Thread Charlie Kravetz
>> >>> >> "If you use APT, add the following line to /etc/apt/sources.list to >>> >> be able >>> >> to access the latest security updates: >>> >> >>> >> deb http://security.debian.org/ jessie/update

Re: Security Updates

2016-08-31 Thread Larry Dighera
he considers them irrelevant to his original question. > >Lisi Of course, that is not what I said at all. Here is a copy of the message I sent to Lisi: - To: Lisi Reisz Subject: Re: Security Updates From: Larry Dighera D

Re: Security Updates

2016-08-31 Thread Lisi Reisz
On Wednesday 31 August 2016 16:16:45 Larry Dighera wrote: > Have you even looked at the information here: > ?  After reading > that announcement, how can you continue to insist that I am not running > Debian Jessie? That page (URL) confirm

Re: Security Updates

2016-08-31 Thread Greg Wooledge
w been updated to the new stable version of Debian, which is called Jessie." Note that it says "based on Debian". It isn't Debian. It's a derivative. Attempting to use security packages from Debian on a derivative system (which is *not* Debian) may not work properly.

Re: Security Updates

2016-08-31 Thread Larry Dighera
-0700, Larry Dighera wrote: >> >> >> >> This page <https://www.debian.org/releases/stable/errata> states: >> >> >> >> "If you use APT, add the following line to /etc/apt/sources.list to >> >> be able >> >

Re: Security Updates

2016-08-31 Thread Mark Fletcher
On Wed, Aug 31, 2016 at 10:18 PM Lisi Reisz wrote: > On Wednesday 31 August 2016 10:39:53 Lisi Reisz wrote: > > Since you are not replying to anything, you may not be subscribed, > > I had a reply off list that said that Larry is not replying to our > questions > because he considers them irrelev

Re: Security Updates

2016-08-31 Thread Darac Marjal
On Tue, Aug 30, 2016 at 12:58:47PM -0700, Larry Dighera wrote: This page <https://www.debian.org/releases/stable/errata> states: "If you use APT, add the following line to /etc/apt/sources.list to be able to access the latest security updates: deb http://security.debian.

Re: Security Updates

2016-08-31 Thread Andrew M.A. Cater
ases/stable/errata> states: > >> > >> "If you use APT, add the following line to /etc/apt/sources.list to be > >> able > >> to access the latest security updates: > >> > >> deb http://security.debian.org/ je

Re: Security Updates

2016-08-31 Thread Lisi Reisz
is what I said again: > > On Tuesday 30 August 2016 20:58:47 Larry Dighera wrote: > > This page <https://www.debian.org/releases/stable/errata> states: > > > > "If you use APT, add the following line to /etc/apt/sources.list to > > be able to access

Re: Security Updates

2016-08-31 Thread Lisi Reisz
/apt/sources.list to be > able to access the latest security updates: > > deb http://security.debian.org/ jessie/updates main contrib non-free > > After that, run apt-get update followed by apt-get upgrade." > > Adding that entry to /etc/apt/sources.list on the Ra

Re: Security Updates

2016-08-30 Thread Lisi Reisz
On Tuesday 30 August 2016 20:58:47 Larry Dighera wrote: > This page <https://www.debian.org/releases/stable/errata> states: > > "If you use APT, add the following line to /etc/apt/sources.list to be > able to access the latest security updates: > > deb http:

Re: Security Updates

2016-08-30 Thread Cindy-Sue Causey
On 8/30/16, Tim McDonough wrote: > > On Tue, Aug 30, 2016 at 2:58 PM, Larry Dighera wrote: >> >> This page <https://www.debian.org/releases/stable/errata> states: >> >> "If you use APT, add the following line to /etc/apt/sources.list to >>

Re: Security Updates

2016-08-30 Thread Andrew M.A. Cater
On Tue, Aug 30, 2016 at 12:58:47PM -0700, Larry Dighera wrote: > > This page <https://www.debian.org/releases/stable/errata> states: > > "If you use APT, add the following line to /etc/apt/sources.list to be > able > to access the latest securi

Re: Security Updates

2016-08-30 Thread Tim McDonough
Larry Dighera wrote: > > This page <https://www.debian.org/releases/stable/errata> states: > > "If you use APT, add the following line to /etc/apt/sources.list to be > able > to access the latest security updates: > > deb http://security.debian.o

Security Updates

2016-08-30 Thread Larry Dighera
This page <https://www.debian.org/releases/stable/errata> states: "If you use APT, add the following line to /etc/apt/sources.list to be able to access the latest security updates: deb http://security.debian.org/ jessie/updates main contrib non-free After that,

Re: Recent flex security announcement

2016-08-26 Thread Mark Fletcher
On Fri, Aug 26, 2016 at 9:52 PM Greg Wooledge wrote: > On Fri, Aug 26, 2016 at 12:41:54PM +, Mark Fletcher wrote: > > Stretch and sid are quoting version 2.6.1 and I can't see where they got > > that from, as upstream (sourceforge) latest version seems to be 2.6.0. > And > > 2.6.1 claims to b

Re: Recent flex security announcement

2016-08-26 Thread Greg Wooledge
On Fri, Aug 26, 2016 at 12:41:54PM +, Mark Fletcher wrote: > Stretch and sid are quoting version 2.6.1 and I can't see where they got > that from, as upstream (sourceforge) latest version seems to be 2.6.0. And > 2.6.1 claims to be the version with the fix. *sigh* ... it just figures, as soon

Re: Recent flex security announcement

2016-08-26 Thread Mark Fletcher
so > > I wanted to get the source tarball of the fixed version (v2.6.1) so I > could > > build it for there too. > > Debian security fixes in stable (or oldstable/LTS) releases aren't done > by switching to a new upstream version. They're done by backporting the >

Re: Recent flex security announcement

2016-08-26 Thread Greg Wooledge
could > build it for there too. Debian security fixes in stable (or oldstable/LTS) releases aren't done by switching to a new upstream version. They're done by backporting the smallest possible fix to the same version that stable (or oldstable/LTS) is already using. The curren

Recent flex security announcement

2016-08-25 Thread Mark Fletcher
I have a feeling I'm about to embarrass myself by displaying either ignorance or a failure to spot the obvious, but here goes... The other day there was a Debian security advisory about the flex package. In my Debian machines, the fix can be installed by the usual apt commands. However I

Re: Konqueror - security hole or bug?

2016-06-15 Thread Karl E. Jorgensen
On Wed, Jun 15, 2016 at 09:32:18AM +0200, Hans wrote: > Dear community, > > I found a strange behaviour with konqueror (does anyone use it?) and I > believe > it is either a bug or a security problem. > > the problem is the following: > > I discovered, that my net

Re: Konqueror - security hole or bug?

2016-06-15 Thread Hans
d to the nvidia-driver, then IMO it is a security problem. Who knows, what data is sent in the background! I hope, other people read this first message and check, if their systems behave strange as mine. Maybe some people did still not notice it. This behaviour now appears since about hal

Re: Konqueror - security hole or bug?

2016-06-15 Thread Leon.37428
On 06/15/2016 04:22 AM, to...@tuxteam.de wrote: > On Wed, Jun 15, 2016 at 09:32:18AM +0200, Hans wrote: > > Dear community, > > > I found a strange behaviour with konqueror (does anyone use it?) and > I believe > > it is either a bug or a security problem. > >

Re: Konqueror - security hole or bug?

2016-06-15 Thread tomas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Wed, Jun 15, 2016 at 09:32:18AM +0200, Hans wrote: > Dear community, > > I found a strange behaviour with konqueror (does anyone use it?) and I > believe > it is either a bug or a security problem. > > the problem is the

Konqueror - security hole or bug?

2016-06-15 Thread Hans
Dear community, I found a strange behaviour with konqueror (does anyone use it?) and I believe it is either a bug or a security problem. the problem is the following: I discovered, that my network card is doing a lot of traffic, although I did nothing with my computer (heavy blinking of my

Re: Squid security

2016-06-04 Thread Rob van der Putten
Hi there Rob van der Putten wrote: The libs are different. So I build a backport. And a libecap3 backport. It wants libecap3. Regards, Rob

Call for testing: regression update for samba security update (DSA-3548-1)

2016-06-02 Thread Salvatore Bonaccorso
Hi The last Samba security update issued as DSA-3548-1 introduced several upstream regressions, which are addressed in this update. Before we release the packages we would like to call for additional testing. The packages can be found on https://people.debian.org/~carnil/tmp/samba/jessie
