big debian and ubuntu security alert - Linux


Thread: big debian and ubuntu security alert

  1. Re: big debian and ubuntu security alert

    Whoknew wrote:

    >Hmm,


    Hmm, another bald-faced lying Wintroll.

    *plonk*


  2. Re: big debian and ubuntu security alert

    [snips]

    On Wed, 14 May 2008 17:12:32 +0000, Whoknew wrote:

    > Hmm, I thought you a**holes said linsux was impenetrable


    You're right; the Wintroll a**holes use that line fairly regularly.
    Linux users, by contrast, tend to know better and what they generally say
    is that Linux's security, overall, tends to be significantly better than
    that of Windows.


  3. Re: big debian and ubuntu security alert

    On Wed, 14 May 2008 09:27:32 -0500, Ignoramus12901 wrote:

    > On 2008-05-14, Moshe Goldfarb wrote:
    >> On Wed, 14 May 2008 04:48:09 -0700, Tim Smith wrote:
    >>
    >>> I believe there are many Debian and Ubuntu users here. Important
    >>> security alert:
    >>>
    >>>
    >>>
    >>> IMPORTANT NOTE: just installing the fixed software is not sufficient.
    >>> You have to deal with any tainted keys that were generated in the last
    >>> couple of years and are still in use.
    >>>
    >>> I changed my ssh keys a couple month ago...but I don't remember if I
    >>> generated my new key on one of my Ubuntu systems or one of my Macs, so
    >>> have no idea at this time if I have a problem here or not. :-(

    >>
    >> Interesting that Roy Schestowitz missed this one. Not surprising though
    >> as he missed it when his own server www.schestowitz.com was hacked and
    >> trojan infested.

    >
    > I am still waiting for a good picture of impact from this one. (ie can
    > someone fully remote log on as an authorized user whose key is in
    > authorized_keys)
    >
    > Looks quite bad. I spent 1.5 hours last night redoing my SSH trust
    > network.


    Interesting the "Moshe Flatfish Goldfarb" troll decided to crosspost into
    another group.

    --
    Mandriva 2008.1 64-bit.
    This message was sent from a
    computer which is guaranteed
    100% free of the M$ Windoze virus.

  4. Re: big debian and ubuntu security alert

    In article ,
    Tim Smith wrote:
    > I changed my ssh keys a couple month ago...but I don't remember if I
    > generated my new key on one of my Ubuntu systems or one of my Macs, so
    > have no idea at this time if I have a problem here or not. :-(


    Turns out my keys were OK. I still don't recall whether I generated
    them on Ubuntu or Mac, but my Ubuntu then was 6.06 LTS, which did not
    have the problem, so I'm fine regardless of where I generated them. :-)

    My new 8.04 LTS system had bad host keys, but that was an easy fix (the
    update includes a script that regenerates your host keys), and that is
    an internal system where everyone in a position to hack it has root
    access already.

    Hopefully, though, this will prompt the Debian people to be more careful
    in the future. The obvious question is why didn't they submit this
    patch back to the OpenSSL folks, where the problems likely would have
    been caught?

    --
    --Tim Smith

  5. Re: big debian and ubuntu security alert

    In article ,
    Ignoramus12901 wrote:
    > > I just did my ssh rsa keys for ssh'ing in without password but is that
    > > all?

    >
    > That's about it, if your host keys were changed automatically.
    >
    > Still I would run the perl script, to check for anything that you
    > might have missed.


    Actually, the affected keys are more widespread, as what they broke was
    the random number generation in OpenSSL, which is used by more than just
    ssh. Some prominent things whose keys may be affected include:

    OpenVPN
    Tor
    Postfix, sendmail, and other MTAs if you use SSL/TLS
    cyrus, courier, and dovecot IMAP servers
    Apache2 SSL certs

    Details on these and others here:



    --
    --Tim Smith

  6. Re: big debian and ubuntu security alert

    On Wed, 14 May 2008 10:19:33 -0400, Moshe Goldfarb wrote:

    > On Wed, 14 May 2008 04:48:09 -0700, Tim Smith wrote:
    >
    >> I believe there are many Debian and Ubuntu users here. Important
    >> security alert:
    >>
    >>
    >>
    >> IMPORTANT NOTE: just installing the fixed software is not sufficient.
    >> You have to deal with any tainted keys that were generated in the last
    >> couple of years and are still in use.
    >>
    >> I changed my ssh keys a couple month ago...but I don't remember if I
    >> generated my new key on one of my Ubuntu systems or one of my Macs, so
    >> have no idea at this time if I have a problem here or not. :-(

    >
    > Interesting that Roy Schestowitz missed this one. Not surprising though
    > as he missed it when his own server www.schestowitz.com was hacked and
    > trojan infested.


    Please excuse my ignorance in advance. I've recently started using
    Ubuntu from Slackware a long time ago and am just starting to get back
    into things. What is this ssh thing all about? I have a Ubuntu box (Hardy
    Heron) and a Debian Box (Etch) and just wondering if I am at risk? Is
    there an article that someone could link me to for information regarding
    this? I'm sure it's out there but I don't follow the correct security
    lists yet for above stated reasons.

  7. Re: big debian and ubuntu security alert

    In article <482ad230@127.0.0.1>,
    "Man-wai Chang ToDie (33.6k)" wrote:

    > Tim Smith wrote:
    > > I believe there are many Debian and Ubuntu users here. Important
    > > security alert:
    > >
    > >

    >
    > Does it affect the openssl-0.9.8g from the official website?


    The official OpenSSH website? No. It is only Debian, and things that
    get their packages from Debian. Basically, the Debian people made a
    couple changes to OpenSSL in their packages, breaking OpenSSL in the
    process.


    --
    --Tim Smith

  8. Re: big debian and ubuntu security alert

    On 2008-05-14, Scott Eberl wrote:
    > On Wed, 14 May 2008 10:19:33 -0400, Moshe Goldfarb wrote:
    >
    >> On Wed, 14 May 2008 04:48:09 -0700, Tim Smith wrote:
    >>
    >>> I believe there are many Debian and Ubuntu users here. Important
    >>> security alert:
    >>>
    >>>
    >>>
    >>> IMPORTANT NOTE: just installing the fixed software is not sufficient.
    >>> You have to deal with any tainted keys that were generated in the last
    >>> couple of years and are still in use.
    >>>
    >>> I changed my ssh keys a couple month ago...but I don't remember if I
    >>> generated my new key on one of my Ubuntu systems or one of my Macs, so
    >>> have no idea at this time if I have a problem here or not. :-(

    >>
    >> Interesting that Roy Schestowitz missed this one. Not surprising though
    >> as he missed it when his own server www.schestowitz.com was hacked and
    >> trojan infested.

    >
    > Please excuse my ignorance in advance. I've recently started using
    > Ubuntu from Slackware a long time ago and am just starting to get back
    > into things. What is this ssh thing all about? I have a Ubuntu box (Hardy
    > Heron) and a Debian Box (Etch) and just wondering if I am at risk? Is
    > there an article that someone could link me to for information regarding
    > this? I'm sure it's out there but I don't follow the correct security
    > lists yet for above stated reasons.


    You are at risk if you have SSH installed. If so, you need to do a system
    upgrade and detect and eliminate weak keys.

    --
    Due to extreme spam originating from Google Groups, and their inattention
    to spammers, I and many others block all articles originating
    from Google Groups. If you want your postings to be seen by
    more readers you will need to find a different means of
    posting on Usenet.
    http://improve-usenet.org/

  9. Re: big debian and ubuntu security alert

    * Tim Smith peremptorily fired off this memo:

    > Hopefully, though, this will prompt the Debian people to be more careful
    > in the future. The obvious question is why didn't they submit this
    > patch back to the OpenSSL folks, where the problems likely would have
    > been caught?


    That's a good question. But maybe openssl needs some better unit tests,
    too?!

    --
    Reinvent yourself!
    -- Bill Gates

  10. Re: big debian and ubuntu security alert

    On Wed, 14 May 2008 14:31:57 -0500, Ignoramus12901 wrote:

    > On 2008-05-14, Scott Eberl wrote:
    >> On Wed, 14 May 2008 10:19:33 -0400, Moshe Goldfarb wrote:
    >>
    >>> On Wed, 14 May 2008 04:48:09 -0700, Tim Smith wrote:
    >>>
    >>>> I believe there are many Debian and Ubuntu users here. Important
    >>>> security alert:
    >>>>
    >>>>
    >>>>
    >>>> IMPORTANT NOTE: just installing the fixed software is not sufficient.
    >>>> You have to deal with any tainted keys that were generated in the
    >>>> last couple of years and are still in use.
    >>>>
    >>>> I changed my ssh keys a couple month ago...but I don't remember if I
    >>>> generated my new key on one of my Ubuntu systems or one of my Macs,
    >>>> so have no idea at this time if I have a problem here or not. :-(
    >>>
    >>> Interesting that Roy Schestowitz missed this one. Not surprising
    >>> though as he missed it when his own server www.schestowitz.com was
    >>> hacked and trojan infested.

    >>
    >> Please excuse my ignorance in advance. I've recently started using
    >> Ubuntu from Slackware a long time ago and am just starting to get back
    >> into things. What is this ssh thing all about? I have a Ubuntu box
    >> (Hardy Heron) and a Debian Box (Etch) and just wondering if I am at
    >> risk? Is there an article that someone could link me to for information
    >> regarding this? I'm sure it's out there but I don't follow the correct
    >> security lists yet for above stated reasons.

    >
    > You are at risk if you have SSH installed. If so, you need to do a
    > system upgrade and detect and eliminate weak keys.


    OK so is that why when I run apt-get update / apt-get upgrade I'm getting
    the following listed:?

    The following packages have been kept back:
    openssh-client openssh-server

  11. Re: big debian and ubuntu security alert

    Tim Smith writes:

    > In article <482ad230@127.0.0.1>,
    > "Man-wai Chang ToDie (33.6k)" wrote:
    >
    >> Tim Smith wrote:
    >> > I believe there are many Debian and Ubuntu users here. Important
    >> > security alert:
    >> >
    >> >

    >>
    >> Does it affect the openssl-0.9.8g from the official website?

    >
    > The official OpenSSH website? No. It is only Debian, and things that
    > get their packages from Debian. Basically, the Debian people made a
    > couple changes to OpenSSL in their packages, breaking OpenSSL in the
    > process.


    I quite look forward to HPT's take on it since he still doesn't
    understand what "stable" means in Debian parlance.

  12. Re: big debian and ubuntu security alert

    On 2008-05-14, Scott Eberl wrote:
    > On Wed, 14 May 2008 14:31:57 -0500, Ignoramus12901 wrote:
    >
    >> On 2008-05-14, Scott Eberl wrote:
    >>> On Wed, 14 May 2008 10:19:33 -0400, Moshe Goldfarb wrote:
    >>>
    >>>> On Wed, 14 May 2008 04:48:09 -0700, Tim Smith wrote:
    >>>>
    >>>>> I believe there are many Debian and Ubuntu users here. Important
    >>>>> security alert:
    >>>>>
    >>>>>
    >>>>>
    >>>>> IMPORTANT NOTE: just installing the fixed software is not sufficient.
    >>>>> You have to deal with any tainted keys that were generated in the
    >>>>> last couple of years and are still in use.
    >>>>>
    >>>>> I changed my ssh keys a couple month ago...but I don't remember if I
    >>>>> generated my new key on one of my Ubuntu systems or one of my Macs,
    >>>>> so have no idea at this time if I have a problem here or not. :-(
    >>>>
    >>>> Interesting that Roy Schestowitz missed this one. Not surprising
    >>>> though as he missed it when his own server www.schestowitz.com was
    >>>> hacked and trojan infested.
    >>>
    >>> Please excuse my ignorance in advance. I've recently started using
    >>> Ubuntu from Slackware a long time ago and am just starting to get back
    >>> into things. What is this ssh thing all about? I have a Ubuntu box
    >>> (Hardy Heron) and a Debian Box (Etch) and just wondering if I am at
    >>> risk? Is there an article that someone could link me to for information
    >>> regarding this? I'm sure it's out there but I don't follow the correct
    >>> security lists yet for above stated reasons.

    >>
    >> You are at risk if you have SSH installed. If so, you need to do a
    >> system upgrade and detect and eliminate weak keys.

    >
    > OK so is that why when I run apt-get update / apt-get upgrade I'm getting
    > the following listed:?
    >
    > The following packages have been kept back:
    > openssh-client openssh-server


    try either:

    aptitude install openssh-client openssh-server

    (this installs some dependencies for them and enables them to go)

    or

    aptitude dist-upgrade

    --
    Due to extreme spam originating from Google Groups, and their inattention
    to spammers, I and many others block all articles originating
    from Google Groups. If you want your postings to be seen by
    more readers you will need to find a different means of
    posting on Usenet.
    http://improve-usenet.org/

  13. Re: big debian and ubuntu security alert

    On Wed, 14 May 2008 21:51:43 +0200, Hadron wrote:

    > Tim Smith writes:
    >
    >> In article <482ad230@127.0.0.1>,
    >> "Man-wai Chang ToDie (33.6k)" wrote:
    >>
    >>> Tim Smith wrote:
    >>> > I believe there are many Debian and Ubuntu users here. Important
    >>> > security alert:
    >>> >
    >>> >
    >>>
    >>> Does it affect the openssl-0.9.8g from the official website?

    >>
    >> The official OpenSSH website? No. It is only Debian, and things that
    >> get their packages from Debian. Basically, the Debian people made a
    >> couple changes to OpenSSL in their packages, breaking OpenSSL in the
    >> process.

    >
    > I quite look forward to HPT's take on it since he still doesn't
    > understand what "stable" means in Debian parlance.


    He will bury his head in the sand and flail his arms around all the while
    denying there is a problem.

    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/

  14. Re: big debian and ubuntu security alert

    On Wed, 14 May 2008 17:12:32 +0000, Whoknew wrote:

    > Hmm, I thought you a**holes said linsux was impenetrable
    >


    It is now, the flaw has been fixed.

  15. Re: big debian and ubuntu security alert

    On 2008-05-14, jellybean stonerfish wrote:
    > On Wed, 14 May 2008 17:12:32 +0000, Whoknew wrote:
    >
    >> Hmm, I thought you a**holes said linsux was impenetrable
    >>

    >
    > It is now, the flaw has been fixed.


    The story is relatively nice, I think, the guy who found it, nicely
    reported it, fixes were made, and then announcements were properly
    given when the patches were out.

    --
    Due to extreme spam originating from Google Groups, and their inattention
    to spammers, I and many others block all articles originating
    from Google Groups. If you want your postings to be seen by
    more readers you will need to find a different means of
    posting on Usenet.
    http://improve-usenet.org/

  16. Re: big debian and ubuntu security alert

    On Wed, 14 May 2008 15:12:24 -0500, Ignoramus12901 wrote:

    > On 2008-05-14, Scott Eberl wrote:
    >> On Wed, 14 May 2008 14:31:57 -0500, Ignoramus12901 wrote:
    >>
    >>> On 2008-05-14, Scott Eberl wrote:
    >>>> On Wed, 14 May 2008 10:19:33 -0400, Moshe Goldfarb wrote:
    >>>>
    >>>>> On Wed, 14 May 2008 04:48:09 -0700, Tim Smith wrote:
    >>>>>
    >>>>>> I believe there are many Debian and Ubuntu users here. Important
    >>>>>> security alert:
    >>>>>>
    >>>>>> <http://lists.debian.org/debian-security-announce/2008/msg00152.html>
    >>>>>>
    >>>>>> IMPORTANT NOTE: just installing the fixed software is not
    >>>>>> sufficient. You have to deal with any tainted keys that were
    >>>>>> generated in the last couple of years and are still in use.
    >>>>>>
    >>>>>> I changed my ssh keys a couple month ago...but I don't remember if
    >>>>>> I generated my new key on one of my Ubuntu systems or one of my
    >>>>>> Macs, so have no idea at this time if I have a problem here or not.
    >>>>>> :-(
    >>>>>
    >>>>> Interesting that Roy Schestowitz missed this one. Not surprising
    >>>>> though as he missed it when his own server www.schestowitz.com was
    >>>>> hacked and trojan infested.
    >>>>
    >>>> Please excuse my ignorance in advance. I've recently started using
    >>>> Ubuntu from Slackware a long time ago and am just starting to get
    >>>> back into things. What is this ssh thing all about? I have a Ubuntu
    >>>> box (Hardy Heron) and a Debian Box (Etch) and just wondering if I am
    >>>> at risk? Is there an article that someone could link me to for
    >>>> information regarding this? I'm sure it's out there but I don't
    >>>> follow the correct security lists yet for above stated reasons.
    >>>
    >>> You are at risk if you have SSH installed. If so, you need to do a
    >>> system upgrade and detect and eliminate weak keys.

    >>
    >> OK so is that why when I run apt-get update / apt-get upgrade I'm
    >> getting the following listed:?
    >>
    >> The following packages have been kept back:
    >> openssh-client openssh-server

    >
    > try either:
    >
    > aptitude install openssh-client openssh-server
    >
    > (this installs some dependencies for them and enables them to go)
    >
    > or
    >
    > aptitude dist-upgrade


    yeah sudo apt-get dist-upgrade did the trick. also ran the slick little
    script that told me my key for no machine was compromised. All is updated
    and good now.

  17. Re: big debian and ubuntu security alert

    On 2008-05-15, Scott Eberl wrote:
    > On Wed, 14 May 2008 15:12:24 -0500, Ignoramus12901 wrote:
    >
    >> On 2008-05-14, Scott Eberl wrote:
    >>> On Wed, 14 May 2008 14:31:57 -0500, Ignoramus12901 wrote:
    >>>
    >>>> On 2008-05-14, Scott Eberl wrote:
    >>>>> On Wed, 14 May 2008 10:19:33 -0400, Moshe Goldfarb wrote:
    >>>>>
    >>>>>> On Wed, 14 May 2008 04:48:09 -0700, Tim Smith wrote:
    >>>>>>
    >>>>>>> I believe there are many Debian and Ubuntu users here. Important
    >>>>>>> security alert:
    >>>>>>>
    >>>>>>> <http://lists.debian.org/debian-security-announce/2008/msg00152.html>
    >>>>>>>
    >>>>>>> IMPORTANT NOTE: just installing the fixed software is not
    >>>>>>> sufficient. You have to deal with any tainted keys that were
    >>>>>>> generated in the last couple of years and are still in use.
    >>>>>>>
    >>>>>>> I changed my ssh keys a couple month ago...but I don't remember if
    >>>>>>> I generated my new key on one of my Ubuntu systems or one of my
    >>>>>>> Macs, so have no idea at this time if I have a problem here or not.
    >>>>>>> :-(
    >>>>>>
    >>>>>> Interesting that Roy Schestowitz missed this one. Not surprising
    >>>>>> though as he missed it when his own server www.schestowitz.com was
    >>>>>> hacked and trojan infested.
    >>>>>
    >>>>> Please excuse my ignorance in advance. I've recently started using
    >>>>> Ubuntu from Slackware a long time ago and am just starting to get
    >>>>> back into things. What is this ssh thing all about? I have a Ubuntu
    >>>>> box (Hardy Heron) and a Debian Box (Etch) and just wondering if I am
    >>>>> at risk? Is there an article that someone could link me to for
    >>>>> information regarding this? I'm sure it's out there but I don't
    >>>>> follow the correct security lists yet for above stated reasons.
    >>>>
    >>>> You are at risk if you have SSH installed. If so, you need to do a
    >>>> system upgrade and detect and eliminate weak keys.
    >>>
    >>> OK so is that why when I run apt-get update / apt-get upgrade I'm
    >>> getting the following listed:?
    >>>
    >>> The following packages have been kept back:
    >>> openssh-client openssh-server

    >>
    >> try either:
    >>
    >> aptitude install openssh-client openssh-server
    >>
    >> (this installs some dependencies for them and enables them to go)
    >>
    >> or
    >>
    >> aptitude dist-upgrade

    >
    > yeah sudo apt-get dist-upgrade did the trick. also ran the slick little
    > script that told me my key for no machine was compromised. All is updated
    > and good now.


    Did you check your personal keys also (not host keys)?
    --
    Due to extreme spam originating from Google Groups, and their inattention
    to spammers, I and many others block all articles originating
    from Google Groups. If you want your postings to be seen by
    more readers you will need to find a different means of
    posting on Usenet.
    http://improve-usenet.org/
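
The check asked about above, covering personal keys and trust lists as well as host keys, as an added example that is not part of any post in this thread and is not the perl script the posters ran. The blocklist file format (one MD5 fingerprint per line) and all function names are assumptions; the sample key helper produces constructed data.

```python
import base64
import hashlib
import struct
import sys
from pathlib import Path


def ssh_string(data):
    """Length-prefixed byte string as used inside SSH key blobs."""
    return struct.pack(">I", len(data)) + data


def constructed_pubkey(modulus, comment="constructed@example"):
    """Constructed sample data: an ssh-rsa public-key line with a fake modulus."""
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def md5_fingerprint(line):
    """Return (key_type, md5_hex) for a .pub / authorized_keys / known_hosts
    line, or None when the line holds no parsable key."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    # Options or host names may precede the key, so scan for the type field.
    for i, field in enumerate(fields[:-1]):
        if not field.startswith(("ssh-", "ecdsa-")):
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue
        # The blob repeats the key type as its first length-prefixed string.
        if blob[:4] == struct.pack(">I", len(field)) and \
                blob[4:4 + len(field)] == field.encode():
            return field, hashlib.md5(blob).hexdigest()
    return None


def load_blocklist(path):
    """Assumed format: one MD5 fingerprint per line, colons optional."""
    text = Path(path).read_text()
    return {l.strip().replace(":", "").lower() for l in text.splitlines() if l.strip()}


def audit_keys(paths, weak_fingerprints):
    """Return (file, line_no, key_type, fingerprint, is_weak) for every key found."""
    findings = []
    for path in map(Path, paths):
        if not path.is_file():
            continue
        lines = path.read_text(errors="replace").splitlines()
        for line_no, line in enumerate(lines, 1):
            parsed = md5_fingerprint(line)
            if parsed:
                key_type, fp = parsed
                findings.append((str(path), line_no, key_type, fp, fp in weak_fingerprints))
    return findings


if __name__ == "__main__":
    home = Path.home() / ".ssh"
    targets = list(Path("/etc/ssh").glob("ssh_host_*_key.pub"))    # host keys
    targets += list(home.glob("*.pub"))                            # personal keys
    targets += [home / "authorized_keys", home / "known_hosts"]    # trust lists
    weak = load_blocklist(sys.argv[1]) if len(sys.argv) > 1 else set()
    for f, n, t, fp, bad in audit_keys(targets, weak):
        print(("WEAK  " if bad else "ok    ") + f"{f}:{n} {t} {fp}")
```

Any entry reported as weak in `authorized_keys` has to be removed there as well as regenerated on the machine that owns the key, since the upgrade only replaces host keys.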


  18. Re: big debian and ubuntu security alert

    Moshe Goldfarb is flatfish (in real life Gary Stewart)

    http://colatrolls.blogspot.com/2008/...arb-troll.html
    http://colatrolls.blogspot.com/2007/...ish-troll.html

    Traits:

    * Nym shifting (see below)
    * Self confessed thief and proud of it
    * Homophobic
    * Racist
    * Habitual liar
    * Frequently cross posts replies to other non-Linux related newsgroups
    * Frequently cross posts articles originally not posted to COLA


  20. Re: big debian and ubuntu security alert


    "jellybean stonerfish" wrote in message
    news:8pJWj.57$Q57.49@nlpi065.nbdc.sbc.com...
    > On Wed, 14 May 2008 17:12:32 +0000, Whoknew wrote:
    >
    >> Hmm, I thought you a**holes said linsux was impenetrable
    >>

    >
    > It is now, the flaw has been fixed.


    Certainly not impenetrable. There's just no huge holes that you are aware
    of. Last week before this 2-year old hole was announced (the bug was
    introduced into the code back in 2006) you used your computer thinking that
    it was "impenetrable" which it was not.


    ** Posted from http://www.teranews.com **
