

Re: Grrr... more stuff



Good Morning,

	Chris, don't get me wrong, but you have not answered my questions in
addition to CC'ing everyone of the original dist list.
	Can someone from Debian who deals with libc provide me the real
info? I really do not want to end up distributing information based on the
unverified statement.

> libc is already at version 5.4.13-1 which is even newer than Red Hat's
> fixed release.  This version is part of the recently released Debian-1.2
> (ftp://ftp.debian.org/debian/Debian-1.2/binary/base/libc5_5.4.13-1.deb).
> Obviously anyone with an older version should upgrade.  One can check
> the version of their installed libc with the command "dpkg -l libc5".
> The package libc5_5.4.17-1.deb was just released to our Incoming directory.
> (ftp://ftp.debian.org/debian/unstable/binary/base/libc5_5.4.17-1.deb).
> At this time there are no plans to move it into our Debian-1.2 patches
> area.  So unless version 5.4.13 is insecure, we should not recommend
> people get this experimental package.

Is this a position of the Debian Project? 

> sendmail in Debian-1.2 is version 8.7.6
> (ftp://ftp.debian.org/debian/Debian-1.2/binary/mail/sendmail_8.7.6-2.deb).
> It is probably vulnerable, but I don't know.  We also have (as part of
> our "unstable" development tree) version 8.8.3
> (ftp://ftp.debian.org/debian/Debian-1.2/binary/mail/sendmail_8.8.3-1.deb).
> This is known to be vulnerable.  Robert Leslie <rob@mars.org> is our
> sendmail maintainer.  I have added him to the CC: list.

Again, what is the official story from the package maintainer?

> BTW, I have discovered a security hole in dpkg, rpm, and install with
> regard to installing software over setuid binaries.  The scenario is
> that if a setuid binary is replaced by a newer binary (the significant
> case is when the newer binary includes security fixes) and the binary
> being replaced had hard links to it, then (in spite of the intention of
> the sysadmin to upgrade his software) there will still be an older
> version lying around somewhere (ie., the link to the original will not
> have been upgraded).  I posted to linux-kernel and filed a Debian bug
> report against dpkg and install.  But all the vendors need to reexamine
> their installation software for upgrading setuid binaries.  If that
> wasn't clear, you can get a copy of my bug report by sending mail to
> request@bugs.debian.org (the subject is ignored except for generating
> the Subject of the reply) with the body "send 6006".

The fix is very simple. Installation software should make the original file
owned by root.root with protection mode 000, then move it into a
backup file after which a new program should be installed.

Alex
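
The hard-link scenario quoted above and the installation order Alex proposes, as an added example that is not part of this mail or of dpkg/rpm/install; it assumes mktemp(1) and a find(1) that supports -links, and skips the chown step when not run as root:

```sh
#!/bin/sh
# Added example (not from the mail or from dpkg): reproduces the hard-link
# problem in the quoted report and the mitigation Alex describes.
# Assumes mktemp(1); chown needs root and is skipped otherwise.

# naive_install NEW TARGET: the upgrade pattern the report warns about.
# Only the name TARGET is repointed; any other hard link keeps the old
# setuid inode alive and executable.
naive_install() {
    cp "$1" "$2.tmp" && chmod 4755 "$2.tmp" && mv "$2.tmp" "$2"
}

# safe_install NEW TARGET: Alex's fix. The old inode is neutralised in
# place (owner root.root, mode 000), then moved to a backup, and only then
# is the new program put in place. All hard links share the inode, so all
# of them lose the setuid bit at the same moment.
safe_install() {
    new=$1; target=$2
    if [ -e "$target" ]; then
        chown root:root "$target" 2>/dev/null || true  # needs root
        chmod 000 "$target"
        mv "$target" "$target.old"
    fi
    cp "$new" "$target.tmp" && chmod 4755 "$target.tmp" && mv "$target.tmp" "$target"
}

# linked_copies FILE: prints FILE if it has more than one hard link, so an
# installer or audit script can flag setuid binaries needing the careful path.
linked_copies() {
    find "$1" -links +1 -print
}

# stray_setuid_after STRATEGY: builds a setuid "old" binary with a second
# hard link, upgrades it with STRATEGY, and prints yes/no for whether the
# stray link is still a setuid executable afterwards.
stray_setuid_after() {
    dir=$(mktemp -d)
    printf 'old program\n' > "$dir/prog"; chmod 4755 "$dir/prog"
    ln "$dir/prog" "$dir/prog.stray"            # the forgotten hard link
    printf 'fixed program\n' > "$dir/prog.new"
    "$1" "$dir/prog.new" "$dir/prog"
    if [ -u "$dir/prog.stray" ] && [ -x "$dir/prog.stray" ]; then echo yes; else echo no; fi
    rm -rf "$dir"
}

stray_setuid_after naive_install   # yes: old setuid inode survives via prog.stray
stray_setuid_after safe_install    # no: inode is mode 000 and parked as prog.old
```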


--
Please respect the confidentiality of material on the debian-private list.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com