-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Cisco IOS Software RSVP Vulnerability
Advisory ID: cisco-sa-20140924-rsvp
Revision 1.0
For Public Release 2014 September 24 16:00 UTC (GMT)
Summary
+==
A vulnerability in the implementation of the Resource Reservation Protocol
(RSVP
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Cisco IOS Software Metadata Vulnerabilities
Advisory ID: cisco-sa-20140924-metadata
Revision 1.0
For Public Release 2014 September 24 16:00 UTC (GMT)
Summary
+==
Two vulnerabilities in the metadata flow feature of Cisco IOS Software could
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Multiple Vulnerabilities in Cisco IOS Software Multicast Domain Name System
Advisory ID: cisco-sa-20140924-mdns
Revision 1.0
For Public Release 2014 September 24 16:00 UTC (GMT)
Summary
+==
The Cisco IOS Software implementation
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Cisco IOS Software DHCP Version 6 Denial of Service Vulnerability
Advisory ID: cisco-sa-20140924-dhcpv6
Revision 1.0
For Public Release 2014 September 24 16:00 UTC (GMT)
Summary
+==
A vulnerability in the DHCP version 6 (DHCPv6) server
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability
Advisory ID: cisco-sa-20140924-sip
Revision 1.0
For Public Release 2014 September 24 16:00 UTC (GMT)
Summary
+==
A vulnerability in the Session Initiation
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Cisco IOS Software Network Address Translation Denial of Service Vulnerability
Advisory ID: cisco-sa-20140924-nat
Revision 1.0
For Public Release 2014 September 24 16:00 UTC (GMT)
Summary
+==
A vulnerability in the Network Address
Curious if anyone can tell me, or point me to a link, on how 2002::/16
is actually implemented for 6to4? Strictly for curiosity.
We had a customer ask about blocking spam from their wordpress blog that
we host and the spammer was using 2002:af2c:785::af2c:785, which was the
first time I'd seen
2002::/16 would be advertised by anyone *still* operating a 6to4 relay.
A host w/ only IPv4 connectivity could use 6to4 to get access to an
IPv6-only resource, thanks to automatic IPv6-in-IPv4 encapsulation
(Protocol41) and with a helping hand from publicly operated relays.
Someone with (only?)
Hi David,
6to4 is a stateless tunnel network. The tunnel entry node advertises
2002::/16 into the native IPv6 network and relays received IPv6
packets inside an IPv4 packet. The tunnel exit node's IPv4 address is
encoded in the 6to4 IPv6 destination address.
No IPv6 addresses are changed in the
On 2014-09-24 20:09, William Herrin wrote:
Hi David,
6to4 is a stateless tunnel network. The tunnel entry node advertises
2002::/16 into the native IPv6 network and relays received IPv6
packets inside an IPv4 packet. The tunnel exit node's IPv4 address is
encoded in the 6to4 IPv6 destination
Thanks Bill, TJ and Owen; it's much clearer now.
David
there is an update out you want. badly.
debian/ubuntu admins may want to apt-get update/upgrade or whatever
freebsd similarly
can not speak for other systems
Can I presume you’re talking about the bash CVE-2014-6271?
- jared
On Sep 24, 2014, at 3:05 PM, Randy Bush ra...@psg.com wrote:
there is an update out you want. badly.
debian/ubuntu admins may want to apt-get update/upgrade or whatever
freebsd similarly
can not speak for other systems
See: http://seclists.org/oss-sec/2014/q3/650
sigh. i am well aware of it but saw no benefit for further blabbing a
vuln
randy
See: http://seclists.org/oss-sec/2014/q3/650
Regards,
SG
On 9/24/2014 1:05 PM, Randy Bush wrote:
there is an update out you want. badly.
debian/ubuntu admins may want to apt-get update/upgrade or whatever
freebsd similarly
can not speak for other systems
Keeping silent after the embargo is over isn't doing anyone any favors.
I think Florian said it best in his most recent message:
In this particular case, I think we had to publish technical details so
that those who cannot patch immediately can at least try to mitigate
this vulnerability
As an FYI, it looks like Amazon is doing a mass reboot of the physical
hosts in us-west-2 across all AZ's and it is scheduled to start tomorrow
and take a couple days.
Go to https://console.aws.amazon.com/ec2/v2/home?region=us-west-2#Events
Bash related?
On Sep 24, 2014, at 4:47 PM, Grant Ridder shortdudey...@gmail.com wrote:
As an FYI, it looks like Amazon is doing a mass reboot of the physical
hosts in us-west-2 across all AZ's and it is scheduled to start tomorrow
and take a couple days.
Go to
Likely not, since it's affecting Windows instances as well.
Also not just us-west-2 -- we have tons of instances scheduled for
downtime in us-east-1 and eu-west-1 as well.
-Peter
On 09/24/2014 04:51 PM, Gabriel Blanchard wrote:
Bash related?
On Sep 24, 2014, at 4:47 PM, Grant Ridder
Doubt it since a bash patch shouldn't require a reboot
On Wed, Sep 24, 2014 at 1:51 PM, Gabriel Blanchard g...@teksavvy.ca wrote:
Bash related?
On Sep 24, 2014, at 4:47 PM, Grant Ridder shortdudey...@gmail.com
wrote:
As an FYI, it looks like Amazon is doing a mass reboot of the
debian/ubuntu admins may want to apt-get update/upgrade or whatever
debian/ubuntu aren't really all that immediately impacted.
$ grep bash$ /etc/passwd | wc -l
2
^^ both of those are user accounts, not system/daemon accounts.
-Jim P.
The scope of the issue isn't limited to SSH, that's just a popular
example people are using. Any program calling bash could potentially
be vulnerable.
On Wed, Sep 24, 2014 at 6:11 PM, Jim Popovitch jim...@gmail.com wrote:
debian/ubuntu admins may want to apt-get update/upgrade or whatever
On Wed, Sep 24, 2014 at 6:17 PM, Brandon Whaley redkr...@gmail.com wrote:
The scope of the issue isn't limited to SSH, that's just a popular
example people are using. Any program calling bash could potentially
be vulnerable.
Agreed. My point was that bash is not all that popular on
Hi NANOG,
I'm hoping someone out there has had some experience with Oi
Telecommunications. We've been struggling to work with them to get a couple of
circuits in Sao Paulo live. The primary problem is mostly a language barrier.
Is anyone aware of an English speaking NOC email address or
Just got the same email. Not just US. Servers in Sydney we have also. Why
such short notice?
On Sep 24, 2014 4:58 PM, Grant Ridder shortdudey...@gmail.com wrote:
Doubt it since a bash patch shouldn't require a reboot
On Wed, Sep 24, 2014 at 1:51 PM, Gabriel Blanchard g...@teksavvy.ca
wrote:
On 9/24/14, 3:27 PM, Jim Popovitch wrote:
On Wed, Sep 24, 2014 at 6:17 PM, Brandon Whaley redkr...@gmail.com wrote:
The scope of the issue isn't limited to SSH, that's just a popular
example people are using. Any program calling bash could potentially
be vulnerable.
Agreed. My point was
On Sep 24, 2014 6:39 PM, Michael Thomas m...@mtcc.com wrote:
On 9/24/14, 3:27 PM, Jim Popovitch wrote:
On Wed, Sep 24, 2014 at 6:17 PM, Brandon Whaley redkr...@gmail.com
wrote:
The scope of the issue isn't limited to SSH, that's just a popular
example people are using. Any program calling
On 09/24/14 18:50, Jim Popovitch wrote:
On Sep 24, 2014 6:39 PM, Michael Thomas m...@mtcc.com wrote:
On 9/24/14, 3:27 PM, Jim Popovitch wrote:
On Wed, Sep 24, 2014 at 6:17 PM, Brandon Whaley redkr...@gmail.com
wrote:
The scope of the issue isn't limited to SSH, that's just a popular
example
On Wed, 24 Sep 2014 18:50:05 -0400, Jim Popovitch said:
If someone is already invoking #!/bin/bash from a cgi, then they are
already doing it wrong (bash has massive bloat/overhead for a CGI script).
You sure you don't have *any* cgi's that do something like
system(mail -s 'cgi program xxyz
On Sep 24, 2014 7:00 PM, valdis.kletni...@vt.edu wrote:
On Wed, 24 Sep 2014 18:50:05 -0400, Jim Popovitch said:
If someone is already invoking #!/bin/bash from a cgi, then they are
already doing it wrong (bash has massive bloat/overhead for a CGI
script).
You sure you don't have *any*
On 09/24/2014 07:22 PM, Jim Popovitch wrote:
That won't automatically invoke bash on Debian/Ubuntu unless someone
intentionally changed default shells
-Jim P.
People seem not to know that Debian and derivatives use a variant
Almquist shell rather than bash for system accounts.
On Wed, Sep 24, 2014 at 3:56 PM, Grant Ridder shortdudey...@gmail.com wrote:
Doubt it since a bash patch shouldn't require a reboot
Unless you have a long-running bash script in the background providing
a vital system service, and that service is so important in your
environment that you might
Once upon a time, Daniel Jackson f...@mindspring.com said:
On 09/24/2014 07:22 PM, Jim Popovitch wrote:
That won't automatically invoke bash on Debian/Ubuntu unless someone
intentionally changed default shells
People seem not to know that Debian and derivatives use a variant
Almquist
On Wed, Sep 24, 2014 at 7:41 PM, Chris Adams c...@cmadams.net wrote:
Has anybody looked to see if the popular web software the users install
and don't maintain (e.g. Wordpress, phpBB, Joomla, Drupal) use system()
Wouldn't it be great if it was JUST system()? It's also popen(),
shell_exec(),
Likely some sort of potentially serious bug or flaw in EC2 or Xen. AWS
Security is really on the ball on such things and do everything they can to
make invisible fixes with no customer impact, but sometimes a reboot is
required in order to apply the changes necessary to keep customer instances
On Wed, Sep 24, 2014 at 7:36 PM, Daniel Jackson f...@mindspring.com wrote:
On 09/24/2014 07:22 PM, Jim Popovitch wrote:
That won't automatically invoke bash on Debian/Ubuntu unless someone
intentionally changed default shells
People seem not to know that Debian and derivatives use a
Hi Brian... I am not from Oi (ASN 7738), I am a customer of Oi... But can I
try to help you?!
I don't have any difficulty with Oi (establishing BGP peering, route filters, IPv6
peering with 7738, etc.).
What do you want?
Could you help?!
Sent via iPhone
Grupo Connectoway
On 24/09/2014, at
On Wed, Sep 24, 2014 at 10:29 PM, William Herrin b...@herrin.us wrote:
On Wed, Sep 24, 2014 at 7:36 PM, Daniel Jackson f...@mindspring.com wrote:
On 09/24/2014 07:22 PM, Jim Popovitch wrote:
That won't automatically invoke bash on Debian/Ubuntu unless someone
intentionally changed default
On Wed, Sep 24, 2014 at 10:43 PM, Jim Popovitch jim...@gmail.com wrote:
You have done something wrong/different than what appears on a
relatively clean install:
Since you didn't read it, I'm gonna repeat it:
If you installed Debian from scratch in the last couple of years you
might have gotten
On Wed, Sep 24, 2014 at 10:49 PM, William Herrin b...@herrin.us wrote:
On Wed, Sep 24, 2014 at 10:43 PM, Jim Popovitch jim...@gmail.com wrote:
You have done something wrong/different than what appears on a
relatively clean install:
Since you didn't read it, I'm gonna repeat it:
If you
paper this morning at a really good ches http://www.chesworkshop.org/ches2014/
SCA-obsessed conference
Get Your Hands Off My Laptop: Physical Side-Channel Key-Extraction Attacks On
PCs
http://eprint.iacr.org/2014/626
http://www.tau.ac.il/~tromer/handsoff/
gets your gpg private key damned
On Wed, Sep 24, 2014 at 10:52 PM, Jim Popovitch jim...@gmail.com wrote:
I *did* read that, and it doesn't change anything about what I wrote.
Debian didn't make those changes for you.. Debian has never set
root's shell to bash, ever. PEBKAC?
I've been running Debian for longer than the
On Wed, Sep 24, 2014 at 9:43 PM, Jim Popovitch jim...@gmail.com wrote:
You have done something wrong/different than what appears on a
relatively clean install:
$ cat /etc/debian_version
7.6
$ ls -laF /bin/sh
lrwxrwxrwx 1 root root 4 Mar 1 2012 /bin/sh -> dash*
What is this fabled 7.6 that
On Wed, Sep 24, 2014 at 10:56 PM, Jimmy Hess mysi...@gmail.com wrote:
On Wed, Sep 24, 2014 at 9:43 PM, Jim Popovitch jim...@gmail.com wrote:
You have done something wrong/different than what appears on a
relatively clean install:
$ cat /etc/debian_version
7.6
$ ls -laF /bin/sh
lrwxrwxrwx 1
On Wed, 24 Sep 2014, Jim Popovitch wrote:
I *did* read that, and it doesn't change anything about what I wrote.
Debian didn't make those changes for you.. Debian has never set
root's shell to bash, ever. PEBKAC?
I can verify Williams settings on my Debian system that was initially
On Sep 24, 2014 10:56 PM, William Herrin b...@herrin.us wrote:
On Wed, Sep 24, 2014 at 10:52 PM, Jim Popovitch jim...@gmail.com wrote:
I *did* read that, and it doesn't change anything about what I wrote.
Debian didn't make those changes for you.. Debian has never set
root's shell to
On Wed, Sep 24, 2014 at 10:03 PM, William Herrin b...@herrin.us wrote:
lrwxrwxrwx 1 root root 4 2014-02-22 11:52 /bin/sh -> bash
ROFL. Jimmy, please tell me you had to start up a VM to check that. :)
Not a live system, but aside from honeypots, there really are
embedded appliances and
On Wed, 24 Sep 2014 21:39:39 -0400
Peter Beckman beck...@angryox.com wrote:
Likely some sort of potentially serious bug or flaw in EC2 or Xen. AWS
Security is really on the ball on such things and do everything they can to
make invisible fixes with no customer impact, but sometimes a reboot is
Keeping silent after the embargo is over isn't doing anyone any
favors.
when do you think the embargo is over?
yes, it got blabbed. but that does not mean one should be a blabber.
randy
--As of September 25, 2014 4:05:16 AM +0900, Randy Bush is alleged to have
said:
there is an update out you want. badly.
debian/ubuntu admins may want to apt-get update/upgrade or whatever
freebsd similarly
can not speak for other systems
--As for the rest, it is mine.
FreeBSD (and other
On Thu, Sep 25, 2014 at 05:11:22AM +0200, Mikael Abrahamsson wrote:
On Wed, 24 Sep 2014, Jim Popovitch wrote:
I *did* read that, and it doesn't change anything about what I wrote.
Debian didn't make those changes for you.. Debian has never set
root's shell to bash, ever. PEBKAC?
when do you think the embargo is over?
ref: http://seclists.org/oss-sec/2014/q3/650
At present, public disclosure is scheduled for Wednesday, 2014-09-24
14:00 UTC. We do not expect the schedule to change, but we may be
forced to revise it.
Date: Wed, 24 Sep 2014 15:07:26 -0400
From: Jared