not as easy as it used to be...
Marek
-BEGIN PGP SIGNED MESSAGE-
Format: 1.5
Date: Sun, 15 Jun 1997 11:38:23 +0200
Source: ncpfs
Binary: ncpfs
Architecture: source i386
Version: 2.0.10-1
Distribution: unstable
Urgency: low
Maintainer: Marek Michalkiewicz <[EMAIL PROTECTED]>
Hi,
Mark Eichin:
> 2) the xdm shadow support doesn't fall back in any sane way,
> and it's more than just dropping a check -- a bunch of code needs
> rearrangement. (If you run xdm-shadow on a non-shadow system, you *lose*...)
Well, I just did that with xbase-3.2-6:
# mv /usr/X11R6/bin/xdm
The latest release (shadow-970502-2) has a bug in libmisc/mail.c
that causes login to segfault when checking for new mail. Yes,
I have tested this version before releasing it (really!), but
unfortunately I had MAIL_CHECK_ENAB disabled (by mistake) on my
machine and the bug didn't show up.
Workaro
Package: sendmail
Version: 8.7.5-4
See the recent CERT Advisory CA-96.20 for more information.
It says that Debian is not vulnerable because it uses smail,
but that's not completely true, smail is the default but
sendmail is also available, and I'm not convinced that smail
has no bugs - it's just
Package: lynx
Version: 2.4-FM-960316-1
Lynx 2.6 is out, and version 2.5 has been available for quite some
time now - but we still have the outdated, pre-release version.
One user here needed a newer version (improved ISO-8859-2 support
etc.), so I packaged it myself, fixing two of the numerous pac
Owen Dunn:
> I'm currently trying to clear some of Steve Early's backlog of X
> package bugs; this'll be among them (though it may be a while longer
> before the packages get converted to the new source format.)
Thanks. One suggestion: this particular bug is a quite serious
one (uid 0 exploit for
> AFAIK it is along the line wit
>
> "site exec tar cvzf -rsh-command blafasel host:tar.tgz"
Probably something else - I don't believe Red Hat would have that
nice old _PATH_EXECPATH bug for so long :-). It might be related
to the feature that wu-ftpd can send you a tar of a directory if
you do
David Engel wrote:
> About the best I can do, without further guidance, is make libc not
> echo the problem lines to stderr. Is that acceptable?
I'm not sure. Someone could still read special files as root
(they would not see the contents, but merely reading them might
sometimes cause troubles t
Dale Scheetz wrote:
> The copyright is quite clear. You can not distribute this package for a
> fee without first getting permission from the pine developers. According
> to our policy this requires it go into non-free.
Now I noticed that the copyright has changed, the new one (same in
version 3.9
Package: ssh
Version: 1.2.14-1
The binaries in this package are not stripped, and they should
according to the packaging guidelines.
Marek
Package: ftp.debian.org
The current version of pine is in non-free because the copyright
is not clear. We really should talk to the maintainers - perhaps
we can get permission to distribute the package as part of the
distribution? (FYI, it's in Red Hat, and those guys are quite
careful about cop
Package: ssh
Version: 1.2.14-1
If compiled on a system which has no /etc/shadow file, sshd
doesn't support shadow passwords when using the password
authentication. All the necessary code is already there (will
work with both shadow and non-shadow passwords) - all that is
needed is to hack the con
Package: ssh
Version: 1.2.14-1
The package is compiled with the -g -O flags (autoconf default)
- this results in larger and slower binaries. It might be a good
idea to use -O2 instead (no -g) and maybe strip the binaries too.
Marek
Package: ssh
Version: 1.2.14-1
sshd writes to the file /etc/ssh/ssh_random_seed during normal
operation - the file should be moved to /var according to the
FSSTND recommendations.
Marek
Package: squid
Version: 1.0.beta16-1
In the default configuration, squid runs as root. While it can be
changed in the config file, someone might forget to configure it
after installation, so I think the default should be secure. The
permissions/ownerships in /var/squid and /var/log/squid should
Package: netstd
Version: 2.06-1
Right now, telnetd checks for a few dangerous environment variables.
I think it should do what telnetd in NetKit-0.08 does: only allow
a few variables which are known to be safe, and don't allow any
others. The problem is that you never know that the list of the
da
Hi,
is there any way to change the subject line of an already existing
bug report? This hole is a really *serious* (not moderate) one -
it lets any local and remote users read any file on the system.
I think there are two possible ways to fix it:
(1) ignore the dangerous environment variables co
Package: xlib
Version: 3.1.2-7
It seems there is a buffer overrun in libXt, which may be a security
hole (some programs using libXt, such as xterm, are setuid root).
I haven't tried to exploit it, but xterm -fg very_long_string
segfaults, so it might be exploitable (stack overwrite). See the
atta
Package: wu-ftpd
Version: 2.4-23
I don't know the exploit, but tar in the anon ftp area is the
same as the normal one, so I think Debian systems may have this
problem too. Two messages from the linux-security list (the
second one includes a patch for tar - only for anon ftp, not
for the normal on
Bruce Perens:
> Yes, I know. I'm thinking about how Debian should be differentiating itself
> from the commercial Linux distributions. One way would be for the system to
Debian is already differentiating itself from them - by its open
development by volunteers, availability of the current developm
Buddha Buck:
> Pine requires explicit permission for redistribution by for-profit
> organisations, which means that Bruce can put it on his CD-ROMs,
> Software in the Public Interest (Debian) can put it on their CD-ROMs,
> but Yggdrasil or SSC (Linux Journal) can't. That's too unfree to not
>
Package: (bootdisk)
Version: 1996_6_16
APM support is enabled in the 2.0 kernel on this bootdisk. Some
"green" motherboards have problems with this, resulting in kernel
oops every time during kernel startup (before mounting the root
filesystem). Turning off power management in BIOS setup doesn't
Hi,
> different sources and systems. Non-free packages and optional
> support for shadow passwords are also available, making Debian a
It might be a good idea to call the support for shadow passwords
"experimental" or "beta" just to be safe (not all packages support
them yet). I
> If you're creating a Debian package you need to be root on the system
> you're going to install it on to test it. Even if you're using some
> shared environment in which you don't have root on the main
> development machine, is it really that problematic to make the
> `binary' target on the test
Package: dpkg
To create a binary *.deb package, root privileges are required. This
is because you must create a complete directory structure with proper
ownerships and permissions first, and then use dpkg-deb to create
a package from it.
But this shouldn't really be necessary. A tar file is a ta
[EMAIL PROTECTED]:
> I have reported this to the upstream maintainer. He promised me new acct code
> (last is part of acct) about six months ago, so don't hold your breath.
How about using last from util-linux? It has the standard BSD copyright,
there are no patent issues that I know of, it knows
Package: (base)
The default /etc/issue and /etc/issue.net files contain the copyright
notice. The /etc/motd file contains another copyright notice. I know
copyrights are very important, but I think only one (/etc/motd) should
be enough for most users :-).
It would be more useful to put the OS/h
Package: last
Version: 5-12
The GNU version of last doesn't make use of the ut_addr utmp field which
is supposed to contain the IP address for remote logins. The size of
ut_host (16 chars) is too small and host names are often truncated. The
IP address is the only reliable way to identify the re
> From: [EMAIL PROTECTED] (Ian Jackson)
> Responsibility for it has been taken by one of the developers, namely
> Anders Chrigstrom <[EMAIL PROTECTED]>.
>
> You should be hearing from them with a substantive response shortly, if
> you have not already done so. If not, please contact them directly
Package: image
Version: 1.2.13-4
Already reported as xdm problem (Bug#1690), but sounds like a kernel bug
to me. I have never seen it before, and I have seen it several times on
Debian systems only. It may be that gcc-2.6.3 generates some bad code...
(I never had any problems with Linux 1.2.13 c
Bruce Perens:
> I was sort of hoping that compress would be replaced by "gzip" throughout
> the world, and thus we would not have to deal with its hassles.
That would be the case if gzip was in the public domain, but it is under
the GPL which may be too restrictive for commercial UNIX vendors...
le at all
change with the weather. if the courts finally nail down
From <@mongo.pixar.com:[EMAIL PROTECTED]> Wed Nov 22 07:19:04 1995
Received: from mongo.pixar.com (mongo.pixar.com [138.72.50.60]) by
bugs.cps.cmich.edu (8.6.12/8.6.9) with ESMTP id HAA05993 for <[
Package: base? gzip?
I can't find the "compress" program on the system. I know, gzip is better,
and can decompress *.Z files, but can't create *.Z files if I want to give
something compressed to someone who doesn't have gzip (many non-Linux
systems come with "compress" but not "gzip").
Source ca
Andrew Howell:
> Does anyone have any suggestions for this? Should I leave ntp.drift in
> /etc or move it to /var/run or /var/lib/xntp?
... or /var/log/xntp - xntpd can generate some statistics logs if this
feature is enabled in the config file, so a separate directory might be
a good idea.
Marek
Package: xwpe
Version: 1.4.1-1
xwpe requires old X library (libX11.so.3) which is in the xcompat
package. But xwpe does not "depend" on xcompat.
Marek
Package: xbase
Version: 3.1.2-4
The /etc/init.d/xdm (and xfs) scripts still source /etc/init.d/functions
- known problem, just yet another package to fix...
Marek
Package: at
Version: 2.8a-2
The at command sometimes has problems with date parsing which result
in a SEGV. For example:
$ at tomorrow
Segmentation fault
But if I try this as root, it works...
Marek
I think we could use tar man page from Slackware. The only problem:
it has no copyright on it. Is this the reason for not including it
in Debian?
Marek
Package: xbase
Version: 3.1.2-4
The default tty permissions in xterm are still 622. They should be
changed to 620 or 600 (depending what should be the default: mesg y
or n), group tty.
Marek
The patch which replaces the %40c format with %39s sometimes doesn't
do the right thing: if the command name contains whitespace, it will
be truncated (according to the scanf man page, the %s format "matches
a sequence of non-white-space characters"). I suggest to apply the
patch below.
BTW, this
Bruce Perens:
> I think there was a copyright problem with "setterm" that caused us to
> remove it from the distribution a long time ago. If I recall correctly,
> it didn't allow distribution for a fee, which is of course essential to
> our CD-ROM redistributors.
Hmm, setterm is distributed on cou
Package: miscutils
I can't find the setterm program (distributed as part of util-linux)
anywhere in the distribution (the output from "grep setterm Contents"
is empty, and this program is not on my freshly installed, fairly
complete Debian system at home).
It is not currently part of any package,