On Mon, 01 Apr 2024 13:50:22 -0500
John Hasler wrote:
> Joe writes:
> > I think this was amply demonstrated by Heartbleed, where the
> > offending code was examined by *one* other pair of eyes, before
> > approval was granted for inclusion in OpenSSL.
>
> The "many eyes" phase comes after
Hi,
On Mon, Apr 01, 2024 at 03:33:37AM -0500, Nate Bargmann wrote:
> From what I have read, lzma is not a direct dependency of openssh. It
> turns out that lzma is a dependency of libsystemd and that
> relationship affected openssh.
>
> Jacob Bachmeyer in analysis
>
Joe writes:
> I think this was amply demonstrated by Heartbleed, where the offending
> code was examined by *one* other pair of eyes, before approval was
> granted for inclusion in OpenSSL.
The "many eyes" phase comes after release.
--
John Hasler
j...@sugarbit.com
Elmwood, WI USA
On Mon, 1 Apr 2024 01:45:07 +
Andy Smith wrote:
> "enough eyes make all bugs shallow"
> doesn't hold true unless the process is actually providing those
> eyes.
>
I think this was amply demonstrated by Heartbleed, where the offending
code was examined by *one* other pair of eyes, before
On Mon, Apr 1, 2024 at 4:34 AM Nate Bargmann wrote:
>
> * On 2024 31 Mar 20:46 -0500, Andy Smith wrote:
> > In the xz case the further you go looking for a root cause the wider
> > the implications are:
> >
> > Q: Why was there a back door in sshd?
> > A: Because some malicious code was linked to
t we in the "western world" hold dear.
BTW, I don't want to start a systemd bashing subthread, but I think it
bears some scrutiny given this latest event (disclaimer, yes I use
systemd as PID 1 on Debian Stable).
Finally, I am still involved with a project (hamlib) that is pack
I filed bug report 1068122. I feel fine, despite my concern over my data.
Heartfelt thanks for all the advice!
On Mon, Apr 01, 2024 at 01:45:07AM +, Andy Smith wrote:
> Hi,
>
> On Sun, Mar 31, 2024 at 07:19:41PM -0500, Nicholas Geovanis wrote:
> > I would think A Smith's comment here was directed to this interesting bit
> > from the report he cited:
> >
> > Given the activity over several weeks, the
Hi,
On Sun, Mar 31, 2024 at 07:19:41PM -0500, Nicholas Geovanis wrote:
> I would think A Smith's comment here was directed to this interesting bit
> from the report he cited:
>
> Given the activity over several weeks, the committer is either directly
> involved or there was some quite severe
you have a lie down in a cool,
> > shaded room, but which of us had this on our 2024 bingo card?
> >
> > https://www.openwall.com/lists/oss-security/2024/03/29/4
> >
> > (Upstream xz/lzma project compromised, hostile code inserted into
> > sshd in Debian s
On 3/31/24 17:16, Andy Smith wrote:
Hello,
On Sun, Mar 31, 2024 at 04:27:52PM -0400, gene heskett wrote:
On 3/31/24 15:26, Roberto C. Sánchez wrote:
https://lists.debian.org/debian-security-announce/2024/msg00058.html
Does this mean it's now safe to update our bookworm installs?
I am
Hello,
On Sun, Mar 31, 2024 at 04:27:52PM -0400, gene heskett wrote:
> On 3/31/24 15:26, Roberto C. Sánchez wrote:
> > https://lists.debian.org/debian-security-announce/2024/msg00058.html
> Does this mean it's now safe to update our bookworm installs?
I am not aware of a time when it
/fulldisclosure/2024/Mar/35
where they're talking about grabbing other users sudo password.
I note that "write" and "wall" in Debian had setgid removed after this.
https://salsa.debian.org/debian/util-linux/-/commit/c4be137b4b09a855713c1f4d052dfee773c4ad3b
https://metadata.f
24/Mar/35
> > where they're talking about grabbing other users sudo password.
>
> I note that "write" and "wall" in Debian had setgid removed after this.
>
>
> https://salsa.debian.org/debian/util-linux/-/commit/c4be137b4b09a855713c1f4d052dfee773c4ad3
that "write" and "wall" in Debian had setgid removed after this.
https://salsa.debian.org/debian/util-linux/-/commit/c4be137b4b09a855713c1f4d052dfee773c4ad3b
https://metadata.ftp-master.debian.org/changelogs//main/u/util-linux/util-linux_2.39.3-11_changelog
Thank
On Sun 31 Mar 2024 at 09:42:37 (+0300), Antti-Pekka Känsälä wrote:
> I'm mounting and unmounting through the stick icon's menu on Xfce desktop.
> Maybe a fancy file chooser dialogue stays around analyzing the directory,
> as you suspect? But I'm worried my Gmail in Firefox is capable of stealing
>
I'm mounting and unmounting through the stick icon's menu on Xfce desktop.
Maybe a fancy file chooser dialogue stays around analyzing the directory,
as you suspect? But I'm worried my Gmail in Firefox is capable of stealing
files off my USB stick.
On 31/03/2024 11:46, David Wright wrote:
Double-clicking on the directory
mounts it and displays the files in it. Opening a text file
displays it. At least for a small file, FF does not hold the
file open, so I can immediately unmount the stick.
Gmail may do something more fancy
-
On Sat 30 Mar 2024 at 21:06:27 (+0200), Antti-Pekka Känsälä wrote:
> I was able to replicate this, by trying to send gmail to myself in Firefox,
> attaching a binary on a mounted USB stick.
Did you mount the stick yourself as a user (ie there's an
fstab entry for it), or as root, or does an
On 3/30/24 08:17, Antti-Pekka Känsälä wrote:
What could be the deal, when Firefox tries to stop me from unmounting a
stick, after I've accessed files on it through Firefox? I worry about my
stick security. Thanks.
Linux knows what files are open on each file system. If you try to
unmount
I'd just like to add that I have seen the problem despite reinstalls with
Debian stable minor versions. Thanks!
On Sat, Mar 30, 2024 at 07:32:16PM +0200, Antti-Pekka Känsälä wrote:
> Yes, closing Firefox does allow the stick to unmount cleanly, but I still
> worry.
To get an idea of what's going on, you can use "lsof":
tomas@trotzki:~$ lsof /dev/sda1
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE
I can replicate this, by trying to send Gmail to myself in Firefox,
attaching a binary on a mounted USB stick. After the attachment supposedly
was uploaded, I tried to unmount the stick, but it blocked. "lsof | grep -i
KINGSTON" then shows a total of 129 lines from "x-www-browser". This lasted
for
I was able to replicate this, by trying to send gmail to myself in Firefox,
attaching a binary on a mounted USB stick. After the attachment supposedly
was uploaded, I tried to unmount the stick, but it blocks. "lsof | grep -i
KINGSTON" then shows a total of 129 lines from "x-www-browser". This
wrote:
>
>> VirtualBox is free software (the packages are in Debian "contrib" for
>> unstable, because they depend on another non-free package), but Oracle
>> refuses to provide details about security problems, which makes
>> impossible an integrat
On Sat, 30 Mar 2024 17:17:52 +0200
Antti-Pekka Känsälä wrote:
> What could be the deal, when Firefox tries to stop me from unmounting
> a stick, after I've accessed files on it through Firefox? I worry
> about my stick security. Thanks.
It sounds like Firefox has a file open on the stick. To
On Sat, Mar 30, 2024 at 1:19 PM gene heskett wrote:
>
> On 3/30/24 11:36, Antti-Pekka Känsälä wrote:
> > What could be the deal, when Firefox tries to stop me from unmounting a
> > stick, after I've accessed files on it through Firefox? I worry about
> > my stick security. Thanks.
>
> Since
Yes, closing Firefox does allow the stick to unmount cleanly, but I still
worry.
On 3/30/24 11:36, Antti-Pekka Känsälä wrote:
What could be the deal, when Firefox tries to stop me from unmounting a
stick, after I've accessed files on it through Firefox? I worry about
my stick security. Thanks.
Since this is normally a root operation, I'm confused. Likely what it
means
On 2024-03-29, Andy Smith wrote:
> I wasn't trying to bait you in any way. The above was what I thought
> was a light-hearted way to say that I genuinely think you need to
> relax a little about things that are outside of your control. I'm
> sorry it wasn't taken that way and I get that you
What could be the deal, when Firefox tries to stop me from unmounting a
stick, after I've accessed files on it through Firefox? I worry about my
stick security. Thanks.
Hello,
On Fri, Mar 29, 2024 at 07:02:54PM +0100, Kamil Jońca wrote:
> O-o, is there any simple test to check if I have infected version or
> not?
For example, under root:
path="$(ldd $(which sshd) | grep liblzma | grep -o '/[^ ]*')"
if hexdump -ve '1/1 "%.2x"' "$path" | grep -q
Hi,
Just that: I'm passing on the news for anyone who wants to install (or use)
this version and can't find it on the usual mirrors:
Debian 10 "buster" moved to archive.debian.org
https://lists.debian.org/debian-devel-announce/2024/03/msg3.html
Anyone still using this version surely
On Fri 29 Mar 2024 at 10:31:09 (+0100), Emanuel Berg wrote:
> David Wright wrote:
>
> >> Ah, surely it can't refer to that as that would be
> >> completely ridiculous as it would imply "wanna install
> >> stuff? sure, but then it isn't secure anymore".
> >
> > It's not clear what "isn't secure
Curt wrote:
> On 2024-03-28, to...@tuxteam.de wrote:
> >
> > Security, as Bruce Schneier [1] says, is a process. Not a product.
>
> A process that is essentially out of your control.
I would hope it is, given how little I or most people understand about
security.
> This is the elephant in
Hello,
On Fri, Mar 29, 2024 at 07:02:54PM +0100, Kamil Jońca wrote:
> Andy Smith writes:
> > https://www.openwall.com/lists/oss-security/2024/03/29/4
> >
> > (Upstream xz/lzma project compromised, hostile code inserted into
> > sshd in Debian sid and other lead
Hi,
On Fri, Mar 29, 2024 at 05:43:22PM -, Curt wrote:
> On 2024-03-29, Andy Smith wrote:
> >>
> >> It makes no fucking difference, because your important data is elsewhere
> >> and completely out of your control.
> >
> > I WAS going to gently suggest that you have a lie down in a cool,
> >
On Thu, Mar 28, 2024 at 5:17 PM Lee wrote:
>
> > Hope this helps a little bit.
>
> Yes, it does. I was hoping for something simple but it's becoming
> clear to me that there's no simple "make Debian secure for dummies"
> checklist to follow.
Robert Morris S
> Yes, it does. I was hoping for something simple but it's becoming
> clear to me that there's no simple "make Debian secure for dummies"
> checklist to follow.
I think to a significant extent, Debian maintainers do aim to make Debian
"secure by default", to th
On Fri, Mar 29, 2024 at 07:02:54PM +0100, Kamil Jońca wrote:
> Andy Smith writes:
>
> [...]
> > https://www.openwall.com/lists/oss-security/2024/03/29/4
> >
> > (Upstream xz/lzma project compromised, hostile code inserted into
> > sshd in Debian s
Andy Smith writes:
[...]
> https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> (Upstream xz/lzma project compromised, hostile code inserted into
> sshd in Debian sid and other leading edge distros.)
>
> Thanks,
> Andy
O-o, is there any simple test to check if I
On 2024-03-29, Joe wrote:
>
> He's actually referring to credentials stored externally being
Jesus, what a genius.
On 2024-03-29, Andy Smith wrote:
>>
>> It makes no fucking difference, because your important data is elsewhere
>> and completely out of your control.
>
> I WAS going to gently suggest that you have a lie down in a cool,
> shaded room, but which of us had this on our 2024 bingo card?
>
This is
s://www.openwall.com/lists/oss-security/2024/03/29/4
>
> (Upstream xz/lzma project compromised, hostile code inserted into
> sshd in Debian sid and other leading edge distros.)
>
Hah! Most of us remember Heartbleed.
He's actually referring to credentials stored externally being
compro
out of your control.
I WAS going to gently suggest that you have a lie down in a cool,
shaded room, but which of us had this on our 2024 bingo card?
https://www.openwall.com/lists/oss-security/2024/03/29/4
(Upstream xz/lzma project compromised, hostile code inserted into
sshd in Debian sid and ot
On 2024-03-28, to...@tuxteam.de wrote:
>
> Security, as Bruce Schneier [1] says, is a process. Not a product.
>
A process that is essentially out of your control.
This is the elephant in the room that you do not wish to address.
Anyway, dream on.
become more conscious of various security risks, there is a trend to
> remove write access by default, at least for the primary login shell.
> To make sure your ttys are set the way you want them to be set, mesg
> should be executed in your login scripts.
>
>
On Thu, 28 Mar 2024 at 09:00, Lucas Nussbaum wrote:
> VirtualBox is free software (the packages are in Debian "contrib" for
> unstable, because they depend on another non-free package), but Oracle
> refuses to provide details about security problems, which re
On Fri, Mar 29, 2024 at 11:49:06AM +0100, Bernard wrote:
> Hi to Everyone,
>
> The text quoted below has already been sent to the list, 2-3 days ago,
> someone had replied to it (but the message has been lost, I no longer see it
> on the list. I had replied again, which reply disappeared too.)
>
Hi to Everyone,
The text quoted below has already been sent to the list, 2-3 days ago,
someone had replied to it (but the message has been lost, I no longer
see it on the list. I had replied again, which reply disappeared too.)
So, I want to say again that the errors shown in the text below (S
David Wright wrote:
>> Ah, surely it can't refer to that as that would be
>> completely ridiculous as it would imply "wanna install
>> stuff? sure, but then it isn't secure anymore".
>
> It's not clear what "isn't secure anymore" means. [...]
It means as soon as you start doing stuff with the
On Thu, 2024-03-28 at 14:12 -0400, Lee wrote:
>
> Yes, it does. I was hoping for something simple but it's becoming
> clear to me that there's no simple "make Debian secure for dummies"
> checklist to follow.
Making "Debian secure for dummies" and having a mu
/SecurityManagement
> > https://wiki.debian.org/Hardening -- says it's for package maintainers
> >
> > Anyone who is serious about such a project probably has a long road ahead
> > of them.
>
> Is there a generally preferred web link checker program for Debian?
> I too
wrote:
> [1] https://xkcd.com/1200/
Here in the UK the most important part of that xkcd for most people
simply isn't true. Anything financial has a separate login procedure
and all that I use time out after a period of inactivity (even some
stupid non-important government things). I expect the
On 28 Mar 2024 20:30 +, from dnomh...@gmx.com (Richmond):
> I always thought it strange that debian has no firewall on by
> default. Why not offer to enable one during installation? Opensuse
> offers to enable one and offers to allow ssh.
That sounds like a good idea to file as
to accept.
> Also no one can agree on which documentation is canonical,
another area I'm struggling to accept. Seeing referrals to the Arch
wiki on a debian mailing list just seems wrong..
> > Is there really nothing better than sudo find / > files with uid or gid perms> and
s.
It's not particularly meaningful to make a threat assessment for
"Debian". (It might very well be meaningful to make a threat
assessment for _the Debian project_, but that's something very
different.) What certainly _is_ meaningful is to make a threat
assessment for your computer, your
Lee writes:
>
> oof. Are there instructions somewhere on how to make Debian secure by
> default?
>
> Thanks, Lee
I always thought it strange that debian has no firewall on by
default. Why not offer to enable one during installation? Opensuse
offers to enable one and offers to allow ssh.
On Thu 28 Mar 2024 at 12:36:56 (+0100), Emanuel Berg wrote:
> Michael Kjörling wrote:
>
> >> "Secure by default" is an OpenBSD slogan BTW. Or they have
> >> made it into one at least. But I'm not sure it is any more
> >> secure than Debian -
On Thu, Mar 28, 2024 at 2:32 PM Andy Smith wrote:
>
> Hello,
>
> On Thu, Mar 28, 2024 at 11:24:08AM -0400, Greg Wooledge wrote:
> > On Thu, Mar 28, 2024 at 01:30:32PM +, Andy Smith wrote:
> > > https://www.debian.org/doc/manuals/debian-handbook/
> > >
On Thu, Mar 28, 2024 at 03:23:48PM -0400, Lee wrote:
[...]
> I disagree. I don't think I'm qualified to make an adequate threat
> analysis for a Debian system and yet
Nobody is. The threat analysis for my virtual server "out there" is
totally different (sshd, exim, http
On Thu, Mar 28, 2024 at 1:48 PM Curt wrote:
>
> On 2024-03-28, Greg Wooledge wrote:
> >
> > A more proactive endeavor would be to document known best practices
>
> It makes no fucking difference, because your important data is elsewhere
> and completely out of your control.
Agreed - your
On Thu, Mar 28, 2024 at 03:23:48PM -0400, Lee wrote:
> so apparently somebody else has done a threat analysis and decided
> apparmor is the appropriate mitigation strategy?
*An* appropriate mitigation strategy. Not "the".
There are many, many layers.
Hence the request for 'secure by default' instructions
> > for Debian. Even better would be a secure by default installation
> > option.
>
> This makes little sense. No threat analysis -- no security. Security
> is always a relative (to the threat model) term, "security by
> Hope this helps a little bit.
Yes, it does. I was hoping for something simple but it's becoming
clear to me that there's no simple "make Debian secure for dummies"
checklist to follow.
Thanks,
Lee
On Thu, Mar 28, 2024 at 11:43 AM Hans wrote:
>
> Hello,
> personally
re might be
> > a bug in a binary that is setgid tty" before yesterday's reveal that
> > there is such a bug in "wall".
> >
> > The more general advice to audit every setuid/setgid binary is more
> > likely to be present.
> [...]
> > If the maintainer o
On 2024-03-28, Greg Wooledge wrote:
>
> A more proactive endeavor would be to document known best practices
It makes no fucking difference, because your important data is elsewhere
and completely out of your control.
On Thu, Mar 28, 2024 at 12:22:57PM -0400, Lee wrote:
> On Thu, Mar 28, 2024 at 1:11 AM tomas wrote:
[...]
> > Security means first and foremost understanding the threat.
>
> Which I don't. Hence the request for 'secure by default' instructions
> for Debian. Even better
Le 28/03/2024, Greg Wooledge a écrit:
> You can't stop root from writing to your terminal. Root has write
> privileges on all devices.
>
> The purpose of mesg is to allow *other regular users* to send you
> messages, or not. (...)
Indeed, I understood that after running 'ls -la $(tty)', as
...
> 47 4 * * * (apt update >> apt-update.log 2>/dev/null) && \
> (apt list --upgradable 2>/dev/null |\
> egrep -v '^Listing' >| /etc/motd)
You may like to look in to "apticron-systemd" for a systemd timer
that does the above. (dr
sed to be talk(1). I have a POSIX man page
for it, but not a Debian one, and the program itself doesn't appear to
be installed. Maybe it's in a separate package.
I have write(1) from the bsdextrautils package. There is a talk package
but I haven't installed it.
Le 28/03/2024, Florent Rougon a écrit:
> Did I miss the point of 'mesg n'?..
Ugh, sorry. Thanks to the 'ls -la $(tty)' command Andy Smith wrote in
another message, I understood:
'mesg n' does prevent users from writing to your terminal using e.g.
'wall', *except* if said users are either
ch is not possible
> >if wall is not installed setguid OR if people have sane permissions
> >on their terminals (e.g. set to mesg n)
>
> Found in /etc/login.defs :
Is login.defs actually used by modern Debian with PAM? I seem to
recall lots of things in there are controlled by PAM instea
OR if people have sane permissions
on their terminals (e.g. set to mesg n)
b) in addition, for this exploit to run, command-not-found must be
started with the not found command as argument: in the two Debian
releases I just tried (buster and bookworm), with bash,
command-not-found
Hi,
Le 27/03/2024, Andy Smith a écrit:
> You could put a call to "mesg n" into a file in /etc/profile.d so
> that all users execute it.
Did anyone try 'mesg n' here? I tried:
$ mesg n
$ mesg; echo $?
is n
1
Broadcast
they're talking about grabbing other users sudo password.
>
> Are there any users logged in to your computer you don't trust?
>
> Thought so.
>
> Relax.
>
> Security means first and foremost understanding the threat.
Which I don't. Hence the request for 'secure by default' i
ch owns the terminals, define TTYGROUP to the group number and
# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
# TTYPERM to either 622 or 600.
#
# In Debian /usr/bin/bsd-write or similar programs are setgid tty
# However, the default and recommended value for TTYPERM is sti
Hello,
On Thu, Mar 28, 2024 at 11:24:08AM -0400, Greg Wooledge wrote:
> On Thu, Mar 28, 2024 at 01:30:32PM +, Andy Smith wrote:
> > https://www.debian.org/doc/manuals/debian-handbook/
> >
> > This has a chapter on security, so possibly it would be appropriate
>
is the doc "securing debian", and then, after you did
this, think of, what you have forgotten and what did the docu not tell.
IT-Security is no software, it is a process, and you will have to learn for
years, which is normal. The attackers learn, the defenders, too.
There is no straight,
al that
> there is such a bug in "wall".
>
> The more general advice to audit every setuid/setgid binary is more
> likely to be present.
[...]
> If the maintainer of util-linux doesn't agree, then the next thing
> I'd try is a bug against the Debian Administrator's Han
On 2024-03-28, wrote:
>
> Security means first and foremost understanding the threat. Randomly
The threat here is that some pharmacist in the provinces falls for a
phishing email, gives black hats access to the system, and reveals my
sensitive data to these people who devised the alluringly
l-linux wall (CVE-2024-28085)
> > > https://seclists.org/fulldisclosure/2024/Mar/35
> > > where they're talking about grabbing other users sudo password.
> >
> > It doesn't work by default on Debian as it relies on
> > command-not-found automatically running on
Michael Kjörling wrote:
>> "Secure by default" is an OpenBSD slogan BTW. Or they have
>> made it into one at least. But I'm not sure it is any more
>> secure than Debian - maybe.
>>
>> https://www.openbsd.org/security.html
>
> If I'm not mis
On 28 Mar 2024 06:16 +0100, from in...@dataswamp.org (Emanuel Berg):
> "Secure by default" is an OpenBSD slogan BTW. Or they have
> made it into one at least. But I'm not sure it is any more
> secure than Debian - maybe.
>
> https://www.openbsd.org/security.html
If
als (e.g. set to mesg n)
b) in addition, for this exploit to run, command-not-found must be
started with the not found command as argument: in the two Debian
releases I just tried (buster and bookworm), with bash,
command-not-found was not installed.
The idea of the exploit is that you
On Thu, Mar 28, 2024 at 10:36:01AM +0100, Bernard wrote:
> But I've found more problems, concerning $_REQUEST, $_GET...
>
> The old way that I used 11 yrs ago no longer works :
>
> $nom = S_GET [‘nom’] ;
>
> no longer operates with php 7.4. This code is simply ignored. S_REQUEST,
> $_POST do
Yes, this list (exactly the same here) shows that mysqli.so is loaded.
In any case, as said before, this function does operate as I have checked.
But I've found more problems, concerning $_REQUEST, $_GET...
The old way that I used 11 yrs ago no longer works :
$nom = S_GET [‘nom’] ;
no longer
On 28/03/24 at 03:57 +0100, hamster wrote:
> On 27/03/2024 at 10:29, Alex PADOLY wrote:
> > Good evening everyone,
> >
> >
> > Can VirtualBox be installed from the Debian repositories? Installation
> > from the Debian package on Oracle's site generates
On 27/03/24 at 12:29 +0300, Alex PADOLY wrote:
> Good evening everyone,
>
> Can VirtualBox be installed from the Debian repositories? Installation
> from the Debian package on Oracle's site generates errors that are
> difficult to resolve.
Hello,
Packages for VirtualBox
On Thu, Mar 28, 2024 at 06:16:32AM +0100, Emanuel Berg wrote:
> "Secure by default" is an OpenBSD slogan BTW. Or they have
> made it into one at least. But I'm not sure it is any more
> secure than Debian - maybe.
That depends.
Cheers
--
t
"Secure by default" is an OpenBSD slogan BTW. Or they have
made it into one at least. But I'm not sure it is any more
secure than Debian - maybe.
https://www.openbsd.org/security.html
--
underground experts united
https://dataswamp.org/~incal
On Wed, Mar 27, 2024 at 05:30:50PM -0400, Lee wrote:
> I just saw this advisory
> Escape sequence injection in util-linux wall (CVE-2024-28085)
> https://seclists.org/fulldisclosure/2024/Mar/35
> where they're talking about grabbing other users sudo password.
Are there any users logged in
On Wed, Mar 27, 2024 at 10:22 PM Andy Smith wrote:
>
> Hello,
>
> On Thu, Mar 28, 2024 at 07:37:13AM +0800, jeremy ardley wrote:
> > Some distros, like Debian, do not seem to have a command like
> > command-not-found by default.
>
> […]
>
> > Which i
r/35
> > where they're talking about grabbing other users sudo password.
>
> It doesn't work by default on Debian as it relies on
> command-not-found automatically running on the user's input.
> command-not-found can be installed, however…
>
> > oof. Are there instructio
On 27/03/2024 at 10:29, Alex PADOLY wrote:
Good evening everyone,
Can VirtualBox be installed from the Debian repositories? Installation
from the Debian package on Oracle's site generates errors that are
difficult to resolve.
I'm not sure I understood correctly, but I read something from
Hello,
On Thu, Mar 28, 2024 at 07:37:13AM +0800, jeremy ardley wrote:
> Some distros, like Debian, do not seem to have a command like
> command-not-found by default.
[…]
> Which implies that Debian is secure by default against this particular
> exploit
I suspect if OP is w
On 28/3/24 05:30, Lee wrote:
oof. Are there instructions somewhere on how to make Debian secure by default?
Further down the advisory is
"
Some distros, like Debian, do not seem to have a command like
command-not-found by default. There does not seem to be a way to
leak a
k by default on Debian as it relies on
command-not-found automatically running on the user's input.
command-not-found can be installed, however…
> oof. Are there instructions somewhere on how to make Debian secure by
> default?
Between the fact that "secure" means differen
.
To make sure your ttys are set the way you want them to be set, mesg
should be executed in your login scripts.
oof. Are there instructions somewhere on how to make Debian secure by default?
Thanks,
Lee