Re: chroot bind?
On Sun, Apr 22, 2001 at 06:23:43PM +0200, Marco d'Itri wrote:
> On Apr 21, Yotam Rubin <[EMAIL PROTECTED]> wrote:
>
> >We could harden the default configuration with the following directives:
> >
> >version 'Not available';
> This does not harden anything and just makes debugging harder.
> Don't dare putting something like this in the default configuration of a
> debian package.

I disagree. A lot of the vulnerability scanners out there determine whether
a host is susceptible to a certain bug by looking at its version.bind record.
If a bug were to be discovered in 8.2.3, conventional script kiddie methods
will not properly function. Obviously, it does not provide full 'protection',
but it will render a lot of scanners out there useless.

Debugging? When in debugging does one check one's version.bind?

Regards,
	Yotam Rubin

> --
> ciao,
> Marco
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: chroot bind?
On Mon, Apr 23, 2001 at 12:29:17PM +0200, Marco d'Itri wrote:
> On Apr 22, Yotam Rubin <[EMAIL PROTECTED]> wrote:
>
> >I disagree. A lot of the vulnerability scanners out there determine whether
> >a host is susceptible to a certain bug by looking at its version.bind
> >record.
> I disagree. A lot of scanners just send the exploit and don't care.

Um, scanners follow the reputation of their name; they merely scan[1] for
vulnerabilities. I agree that previously, attackers probed hosts for
vulnerabilities prior to launching an attack, and now this has changed a bit.
It does not, however, imply that we should ease the life of those who still
follow conventional script kiddie methods. If version 'Not available' is able
to thwart at least a single scan, then it's worth it.

> >Debugging? When in debugging does one check one's version.bind?
> When he wants to see if his secondary servers are vulnerable, or if his
> ISP is a crap ISP.
> Or when debugging cache pollution problems one needs to check if the
> server is running BIND 4.x or older 8.x releases.

Doesn't one know one's bind version? I believe that probes for the
version.bind are mostly malicious in nature. If one wishes to determine the
bind version of his ISP, one can simply call up the respective technical
support center.

Regards,
	Yotam Rubin

[1] I'm not entirely correct, there are scanners which both scan and attack,
but that's not the majority of scanners.

> --
> ciao,
> Marco
Re: chroot bind?
On Tue, Apr 24, 2001 at 12:44:05PM +0200, Jean Charles Delepine wrote:
> Yotam Rubin <[EMAIL PROTECTED]> writes:
>
> > We could harden the default configuration with the following directives:
> >
> > options {
> > version 'Not available';
>
> That's not hardening, that's obscurity and should be avoided in a free
> distribution like Debian.
>
> Admins can put this line themselves if they want to.

Sometimes, obscuring _is_ hardening one's security. Besides, how does the fact
that Debian is a free distribution affect this statement?

> Jean Charles
> --
> Jean Charles Delépine - Équipe Réseaux Télécoms - Université de Picardie
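An added self-check for the version.bind record argued over in this thread (example code, not from the thread or from the BIND package): it builds the CHAOS-class TXT query that `dig version.bind txt ch` sends, parses the reply, and flags an answer that still looks like a real release string rather than a placeholder such as 'Not available'. `query_server` assumes a name server you administer is reachable on UDP port 53; the packet builder and parser run offline.

```python
import socket
import struct

# Added self-check for the version.bind record discussed in the thread, not code from
# the thread: type TXT (16) in class CHAOS (3), the query 'dig version.bind txt ch' sends.
QNAME, QTYPE_TXT, QCLASS_CH = b"version.bind", 16, 3

def _encode_name(name):
    """Dotted name -> length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(p)]) + p for p in name.split(b".")) + b"\x00"

def build_query(txid=0x1234):
    """Minimal standard query (flags 0, one question) for version.bind TXT CH."""
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + _encode_name(QNAME)
            + struct.pack("!HH", QTYPE_TXT, QCLASS_CH))

def _skip_name(pkt, off):
    """Advance past a wire-format name; a 0xC0xx compression pointer is two bytes."""
    while pkt[off] and pkt[off] & 0xC0 != 0xC0:
        off += 1 + pkt[off]
    return off + (2 if pkt[off] & 0xC0 == 0xC0 else 1)

def parse_txt_answers(pkt):
    """Return the TXT strings in the answer section (each RDATA is a run of <len><chars>)."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    texts = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == QTYPE_TXT:
            parts, i = [], 0
            while i < len(rdata):
                parts.append(rdata[i + 1:i + 1 + rdata[i]].decode("latin-1"))
                i += 1 + rdata[i]
            texts.append("".join(parts))
    return texts

def version_exposed(texts):
    """True when an answer looks like a real release string (starts with a digit)."""
    return any(t and t[0].isdigit() for t in texts)

def query_server(host, port=53, timeout=3.0):
    """Query a name server you administer over UDP and return its version.bind TXT answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(), (host, port))
        return parse_txt_answers(sock.recvfrom(4096)[0])
```

Run `version_exposed(query_server("127.0.0.1"))` against your own server before and after setting the `version` option to confirm the placeholder is what actually goes out on the wire.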
Re: spammer attached to debian-bugs-dist?
Yes, after submitting a bug against krolden, I immediately received this
automatic reply. Pretty damn annoying.

Regards,
	Yotam Rubin

On Tue, Sep 11, 2001 at 10:41:59PM -0500, Steve Langasek wrote:
>
> Hello,
>
> I received this autoresponse to two different messages I sent to the BTS this
> evening. Anyone have any insights into this particular bit of nonsense?
>
> Thanks,
> Steve Langasek
> postmodern programmer
>
> -- Forwarded message --
> Return-Path: <[EMAIL PROTECTED]>
> Received: from bne005m.server-mail.com (bne005m.server-mail.com [202.139.234.85])
> 	by netexpress.net (8.11.3/8.11.3) with SMTP id f8C354K17808
> 	for <[EMAIL PROTECTED]>; Tue, 11 Sep 2001 22:05:04 -0500
> X-Spam-Filter: [EMAIL PROTECTED] by digitalanswers.org
> Received: (qmail 9516 invoked by uid 59253); 12 Sep 2001 03:04:58 -
> Date: 12 Sep 2001 03:04:58 -
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> To: [EMAIL PROTECTED]
> From: [EMAIL PROTECTED] (Nikki Webster's Fanmail)
> Subject: Re: Bug#112032: sample build scripts should call ./configure --host
>
> Hi ! Thanks for your email. Please visit my site again soon to check out the
> latest news and information. There'll be regular updates too.
> from Nikki
> ( I'm very busy, so this is an automatically generated response from me at
> www.nikkiwebster.com.au )
Request to NMU libsafe
Greetings,

The last libsafe upload was over a year ago. Since then, libsafe has
accumulated a large number of bugs. The current Debian release doesn't seem
to be very effective. I've packaged the latest libsafe and made it available
at: http://192.117.130.34/Fendor/debian/libsafe/

Can someone NMU that? I've contacted the maintainer but received no reply.
It's a shame that libsafe wouldn't be usable for Debian users.

Regards,
	Yotam Rubin
Re: Request to NMU libsafe
On Thu, Dec 27, 2001 at 01:53:01PM +0100, Matthias Klose wrote:
> Yotam Rubin writes:
> > Greetings,
> >
> > The last libsafe upload has been over a year ago. Since then, libsafe
> > has accumulated a large number of bugs. The current Debian release doesn't
> > seem to be very effective. I've packaged the latest libsafe and made it
> > available at: http://192.117.130.34/Fendor/debian/libsafe/
> > Can someone NMU that? I've contacted the maintainer but received no reply.
> > It's a shame that libsafe wouldn't be usable for Debian users.
>
> - the upload isn't marked as a NMU

It's not. I only included the fixes.

> - the package does not build from source (calls ldconfig):

That slipped in. It was actually disabled before I merged some patches.

> - the package does not build a -dev package. Correct?

Indeed it doesn't, and it shouldn't.

> - the package overwrites the old library? Correct, if it's an
> extension only. But then it needs to be marked in the shlibs file.
> Else you need to build a libsafe2 and libsafe-dev package.
> OTOH, no package depends on libsafe.

Fixed. A new upload will take place in several hours.

> So it seems, we don't gain much to replace one buggy version with the
> next buggy version.