The debian-private mailing list leak, part 1.


Draft: Security Alert Announce#1 Debian/GNU Linux



Hi,

lprng should be moved to stable very quickly. I suggest creating 1.1.14
with the removed Zircon, lpr and the new lprng. There is no changes file in
incoming... umm.. can anybody do this by hand, since it is urgent?

The following Announce is a proposal. Native English speakers, please fix my
language. Unfortunately I don't have access to an archive about the reported
problems, therefore I'm writing this from memory. Especially the version of
the non-vulnerable Zircon slipped my mind... is 1.18 ok?

I would suggest that if there are no more comments within a day, Bruce
should post this to debian-announce and the linux-security mailing list.

Greetings
Bernd

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Debian GNU/Linux         security@debian.org         http://www.debian.org/

                     Security Alert Announcement
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

This announcement is intended to inform Debian GNU/Linux system admins and
users about serious security problems in current Debian GNU/Linux releases.

Please read carefully to see if your system is vulnerable.

SHORT

 - Don't use (rm /usr/bin/X11/zircon) Zircon older than 1.18
 - Replace Package lpr (<=5.9-12) with lprng (>=2.3.12-3)


DESCRIPTION

 There are bugs in the upstream versions of zircon and lpr which make your
 system vulnerable to exploits. Please check if you have installed one of
 those packages with the command:

 dpkg -l zircon lpr

 Sample output on vulnerable systems would be:

 Desired=Unknown/Install/Remove/Purge
 | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
 |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err:uppercase=bad)
 ||/ Name            Version        Description
 +++-===============-==============-============================================
 ii  lpr             5.9-12         Berkeley lpr/lpd line printer spoolingsyste,
 ii  zircon          1.17p1-4       An X11 interface to Internet Relay Chat.

 Zircon is vulnerable if you connect to IRC with it, and lpr can be
 exploited by local users.


FIX

 - zircon

 The Zircon bug is fixed in version >=1.18, but there is no Debian package
 (1996-10-30) with that version ready. So please remove the Zircon package
 from your system. Check the FTP mirrors for an updated version. You can
 remove Zircon from your system by executing `dpkg --remove zircon' as root.

 - lpr

 The lpr spooling system is obsoleted by the more powerful and less buggy
 lprng spooler. Please upgrade to the new package (which will remove the old
 and buggy lpr package). lprng is available in Debian-1.1.14 from your usual
 FTP mirror.

 

 Thanks for paying attention.

 Please submit reports about security problems in Debian GNU/Linux to
 security@debian.org.
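
Added example (not part of the original message or of Debian's tooling): a Python sketch that reads `dpkg -l` output and flags installed packages inside the ranges the draft names, using Debian's version ordering so that `1.17p1-4` correctly sorts before `1.18`. The function names and the `RULES` table are hypothetical; the thresholds and the sample lines are the ones in the draft.

```python
import re

# Affected ranges as stated in the draft: zircon older than 1.18, lpr <= 5.9-12.
RULES = {"zircon": ("lt", "1.18"), "lpr": ("le", "5.9-12")}
# The two package lines from the draft's sample `dpkg -l` output.
SAMPLE = """\
ii  lpr             5.9-12         Berkeley lpr/lpd line printer spoolingsyste,
ii  zircon          1.17p1-4       An X11 interface to Internet Relay Chat.
"""

def _order(c):  # '~' sorts first, then end-of-string/digit, letters, the rest
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):  # alternate non-digit runs (by _order) and digit runs (numeric)
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            x, y = _order(a[:1]), _order(b[:1])
            if x != y:
                return -1 if x < y else 1
            a, b = a[1:], b[1:]
        na, nb = (re.match(r"\d*", s).group() for s in (a, b))
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _split(v):  # [epoch:]upstream[-revision]; missing epoch/revision count as 0
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    return (int(epoch), upstream, rev) if sep else (int(epoch), rest, "0")

def deb_cmp(v1, v2):
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def audit(text=SAMPLE):
    hits = []
    for f in (line.split(None, 3) for line in text.splitlines()):
        if len(f) >= 3 and f[0] == "ii" and f[1] in RULES:  # "ii" = installed
            op, limit = RULES[f[1]]
            if deb_cmp(f[2], limit) < (1 if op == "le" else 0):
                hits.append((f[1], f[2]))
    return hits
```

Only rows in state `ii` are considered, so a removed package whose configuration files remain (`rc`) is not reported.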
