The debian-private mailing list leak, part 1.


Re: Draft: Security Alert Announce#1 Debian/GNU Linux



Criminy people!

Moving to LPRng is probably a great option, but to tell people to do it
without thinking, without ANY kind of migration information WHATSOEVER
is not a good thing.

Platinum level service would mean:

1) Fix the bug in lpr.  A fix has been available, in association with
the OpenBSD project, for some time.  Yes, it's annoying when better
software is available.  I OFTEN push for new packages when an old one is
clearly dying, but...

2) Write up migration information for the BSD/lpd->LPRng migration.  If
that means nothing more than dropping in ":bk:" that's GREAT, but at
least THAT should be elaborated upon, so each and every debian admin
with a printer doesn't have to rediscover it on their own, expecting
that things are supposed to "just work" and blaming themselves when it
doesn't (or getting chewed out by their boss for "using that flakey
linux stuff")

3) -Recommend- that people start migrating to LPRng

4) Schedule a date for the first release of debian to use LPRng in
preference to the BSD/lpd.

No, I'm not declaring that we must provide "platinum level service".  I
-am- saying that we'd better be aware of what "great service" means,
when deciding what level of service we -do- want to provide, tho.

Bernd Eckenfels wrote:
> 
> Hi,
> 
> lprng should be moved to stable very quickly. I suggest to create 1.1.14
> with the removed Zircon, lpr and the new lprng. There is no changes file in
> incoming... umm.. can anybody do this by hand, since it is urgent.
> 
> The following Announce is a proposal. Please, native English speakers fix my
> language. Unfortunately I don't have access to an archive about the reported
> problems, therefore I'm writing this from memory. Especially the Version of
> the non-vulnerable Zircon slipped my mind... is 1.18 ok?
> 
> I would suggest that if there are no more comments within a day, Bruce
> should post this to debian-announce and the linux-security mailing list.
> 
> Greetings
> Bernd
> 
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Debian GNU/Linux         security@debian.org         http://www.debian.org/
> 
>                      Security Alert Announcement
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> This announce intends to inform Debian GNU/Linux System Admins and Users
> about serious security problems on current Debian GNU/Linux Releases.
> 
> Please read carefully to see if your System is vulnerable.
> 
> SHORT
> 
>  - Don't use (rm /usr/bin/X11/zircon) Zircon older than 1.18
>  - Replace Package lpr (<=5.9-12) with lprng (>=2.3.12-3)
> 
> DESCRIPTION
> 
>  There are Bugs in the upstream version of zircon and lpr which make your
>  system vulnerable to exploits. Please check if you have installed one of
>  those packages with the command:
> 
>  dpkg -l zircon lpr
> 
>  Sample Output on vulnerable Systems would be:
> 
>  Desired=Unknown/Install/Remove/Purge
>  | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
>  |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err:uppercase=bad)
>  ||/ Name            Version        Description
>  +++-===============-==============-============================================
>  ii  lpr             5.9-12         Berkeley lpr/lpd line printer spoolingsyste,
>  ii  zircon          1.17p1-4       An X11 interface to Internet Relay Chat.
> 
>  Zircon is vulnerable if you connect to IRC with it, and the lpr can be
>  exploited by local users.
> 
> FIX
> 
>  - zircon
> 
>  The Zircon bug is fixed in Version >=1.18, but there is no Debian Package
>  (1996-10-30) with that Version ready. So please remove the Zircon Package
>  from your system. Check the FTP mirrors for an updated version. You can
>  remove Zircon from your System by executing `dpkg --remove zircon' as root.
> 
>  - lpr
> 
>  The lpr spooling system is obsoleted by the more powerful and less buggy
>  lprng spooler. Please upgrade to the new package (which will remove the old
>  and buggy lpr package). lprng is available in Debian-1.1.14 from your usual
>  FTP mirror.
> 
> 
> 
>  Thanks for paying attention.
> 
>  Please submit Reports about security problems in Debian GNU/Linux to
>  security@debian.org.
> 
> --
> Please respect the confidentiality of material on the debian-private list.
> TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
> debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com

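The check in the draft advisory (run `dpkg -l zircon lpr`, then compare the installed versions against the stated bounds) can be automated. The following is an added example, not part of the original thread: it reimplements Debian version ordering in Python so it runs without dpkg, and all function names are illustrative.

```python
# Added example (not from the thread); function names are illustrative.
import re
# Vulnerable ranges stated in the draft advisory: zircon older than 1.18, lpr <= 5.9-12.
# SAMPLE holds the package rows of the `dpkg -l` output quoted in the draft.
ADVISORY = {"zircon": ("lt", "1.18"), "lpr": ("le", "5.9-12")}
SAMPLE = """\
ii  lpr             5.9-12         Berkeley lpr/lpd line printer spoolingsyste,
ii  zircon          1.17p1-4       An X11 interface to Internet Relay Chat.
"""

def _order(c):
    # Debian order for non-digit characters: '~' < end of string < letters < others.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    while a or b:  # alternate between a non-digit run and a digit run
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            ca = _order(na[i]) if i < len(na) else 0
            cb = _order(nb[i]) if i < len(nb) else 0
            if ca != cb:
                return -1 if ca < cb else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; a missing epoch or revision compares as 0.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    return (epoch, upstream, rev) if sep else (epoch, rest, "")

def compare(a, b):
    # Negative, zero or positive, in the order `dpkg --compare-versions` uses.
    return next((r for r in map(_cmp_part, _split(a), _split(b)) if r), 0)

def vulnerable(dpkg_output):
    hits = []
    for f in (line.split() for line in dpkg_output.splitlines()):
        if len(f) >= 3 and f[0] == "ii" and f[1] in ADVISORY:
            op, bound = ADVISORY[f[1]]
            r = compare(f[2], bound)
            if r < 0 or (op == "le" and r == 0):
                hits.append((f[1], f[2]))
    return hits
```

Only rows with status `ii` (fully installed) are considered; half-installed or config-only states are skipped.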