<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel about="http://blog.gmane.org/gmane.linux.gentoo.security">
    <title>gmane.linux.gentoo.security</title>
    <link>http://blog.gmane.org/gmane.linux.gentoo.security</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.security/3116"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.security/3115"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.security/3114"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.security/3104"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.security/3100"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.security/3097"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.security/3092"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.security/3091"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.security/3085"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.security/3082"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.security/3081"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.security/3080"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.security/3078"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.security/3072"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.security/3062"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.security/3055"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.security/3026"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.security/3025"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.security/3015"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.security/3116">
    <title>Prince, Samuel is out of the office.</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.security/3116</link>
    <description>
I will be out of the office starting  18/08/2008 and will not return until
29/08/2008.

I will have limited access to my email while away from the office. Should
you require immediate assistance during that time, please contact
ricardo.buckham&lt; at &gt;jm.pwc.com or melissa.a.mclymont&lt; at &gt;jm.pwc.com.
_________________________________________________________________
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material.  Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited.   If you received
this in error, please contact the sender and delete the material from any
computer.



</description>
    <dc:creator>samuel.prince&lt; at &gt;jm.pwc.com</dc:creator>
    <dc:date>2008-08-21T03:03:43</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.security/3115">
    <title>Reporting restricted bugs works again</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.security/3115</link>
    <description>Hello all,

as you might be aware, the Gentoo Security Team encourages users to 
report security vulnerabilities or findings of code audits that are not 
yet public in our Bugzilla under the 'Gentoo Security' component.

However, as we learned earlier, it was not possible for users to 
restrict access to such security bugs, which would lead to a public 
disclosure of all details. This issue is now corrected, as an 
over-careful restriction in our template was lifted. I'd like to thank 
Robin H. Johnson for promptly investigating and resolving the issue!

You can find details on how to report confidential bugs in section 3 on 
this site: http://www.gentoo.org/security/en/

Regards,
Robert
</description>
    <dc:creator>Robert Buchholz</dc:creator>
    <dc:date>2008-08-20T21:37:04</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.security/3114">
    <title>(unknown)</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.security/3114</link>
    <description> 

</description>
    <dc:creator>Joe Nolting</dc:creator>
    <dc:date>2008-08-06T14:12:56</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.security/3104">
    <title>Security project meeting - Monday, 2008-07-14, 19:00 UTC</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.security/3104</link>
    <description>Hi everyone,

the security project will hold a public meeting in #gentoo-security this Monday, 
2008-07-14 at 19:00 UTC (21:00 CEST).
The tentative agenda looks as follows:


1) Project status

2) Recruitment

3) Delays in bug resolution/GLSA publication

4) GLSA related issues
   4.1) new date format
   4.2) slot support

5) Handling of CVE identifiers in bugs

6) Possible changes to the Vulnerability Policy
   6.1) Rating for "insecure creation of temporary files"
   6.2) Rating for "SQL injection"

7) Security support for games

8) Any other topic


Any changes to the agenda as well as related info can be found at [1].

[1] &lt;http://dev.gentoo.org/~vorlon/security/meeting-20080714.xml&gt;


</description>
    <dc:creator>Matthias Geerdsen</dc:creator>
    <dc:date>2008-07-12T23:18:29</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.security/3100">
    <title>ssl weak key generation (supposed to affect only debian)</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.security/3100</link>
    <description>Hi,

the recently publicized SSL weak key generation for Debian-based systems
(cf. http://www.debian.org/security/key-rollover/)
has led our university computing center to retract our
Gentoo-generated SSL keys based on an advisory from the German
DFN cert :-(

I have not found any information about whether this might also
affect Gentoo systems. A test with the Perl script from
http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
does not show vulnerability:
~  summary: keys found: 2, weak keys: 0

So I guess that Gentoo-generated keys are not affected.
Still it would be nice to have an official statement
to prevent official certification bodies from retracting
valid Gentoo-generated keys.

Regards,
Peter
--
Peter Schneider-Kamp   mailto:psk&lt; at &gt;informatik.rwth-aachen.de
LuFG Informatik II     http://verify.rwth-aachen.de/psk
RWTH Aachen            phone: +49 241 80-21211
</description>
    <dc:creator>Peter Schneider-Kamp</dc:creator>
    <dc:date>2008-05-17T09:08:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.security/3097">
    <title>Prince, Samuel is out of the office.</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.security/3097</link>
    <description>
I will be out of the office starting  03/31/2008 and will not return until
04/07/2008.

I will respond to your message when I return.

</description>
    <dc:creator>samuel.prince&lt; at &gt;jm.pwc.com</dc:creator>
    <dc:date>2008-04-01T21:01:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.security/3092">
    <title>AUTO: Janek Lünstedt is out of the office (returning 14.04.2008)</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.security/3092</link>
    <description/>
    <dc:creator>Janek Lünstedt</dc:creator>
    <dc:date>2008-03-29T03:00:33</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.security/3091">
    <title>gpg keys; GSWoT &amp; PGP Global Directory Key</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.security/3091</link>
    <description>I'm seeing a bunch of keys in my keyring with GSWoT(1) and PGP Global
Directory(2) signatures on them.  Obviously both websites encourage you
to download their keys and trust them.  While I realize what keys you
trust is totally up to you, I'm wondering what fellow people do.  My
idea was to /maybe/ add them in as moderates that way they don't run my
keyring for me, but still vouch for people where necessary.

1)http://www.gswot.org/
2)http://www.pgp.com/products/globaldirectory/index.html

--
Eric Martin
Key fingerprint = D1C4 086E DBB5 C18E 6FDA  B215 6A25 7174 A941 3B9F
</description>
    <dc:creator>Eric Martin</dc:creator>
    <dc:date>2008-03-28T19:13:43</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.security/3085">
    <title>Portage rsync security</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.security/3085</link>
    <description>Hi list!

Am I right that there is currently no way portage tries to verify that
the rsync-mirror is not spoofed?

Doesn't that pose a major threat? If I were able to manipulate the
domain name resolution, I could easily trick gentooers into making false
updates and thus executing a malicious program with root-permission on
their machine.


So, why isn't there some kind of public key authentication going on, at
least optionally?

By the way: How does gentoo's gpg-feature work? The man-page doesn't
contain an explanation.
</description>
    <dc:creator>Florian Philipp</dc:creator>
    <dc:date>2008-03-20T10:45:40</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.security/3082">
    <title>Cryptsetup-LUKS: cryptsetup -c anycipher-xts-plain:sha256 or not :sha256?</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.security/3082</link>
    <description>Hi,

I found many guides on harddisk encryption with cryptsetup-LUKS but none of them clarifies if it makes sense to use a hash-function (like sha256) with xts-plain. I would appreciate any hint.

Best,
Jehovah
</description>
    <dc:creator>jehovah&lt; at &gt;wir-sind-cool.org</dc:creator>
    <dc:date>2008-03-15T12:38:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.security/3081">
    <title>Prince, Samuel is out of the office.</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.security/3081</link>
    <description>
I will be out of the office starting  10/03/2008 and will not return until
17/03/2008.

I will respond to your message when I return.

</description>
    <dc:creator>samuel.prince&lt; at &gt;jm.pwc.com</dc:creator>
    <dc:date>2008-03-11T21:01:03</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.security/3080">
    <title>sub</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.security/3080</link>
    <description>
</description>
    <dc:creator>Chris L. Mason</dc:creator>
    <dc:date>2008-03-11T15:28:38</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.security/3078">
    <title>(no subject)</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.security/3078</link>
    <description>
</description>
    <dc:creator>Thomas Skipper</dc:creator>
    <dc:date>2008-03-07T08:15:34</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.security/3072">
    <title>User authentication with key-file and gpg-agent</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.security/3072</link>
    <description>Hi!

Now that my initrd-script is ready and provides me with the means to
encrypt partitions with a gpg-encrypted key-file [1], I'd like to use
the very same file for user authentication.

It would be even better if gpg-agent could get it right from the user
authentication (pam) to use it for as many services as possible, ssh,
gpg, gnome-keyring (?), sudo (?), password database.

I think what I really want is something like a poor man's version of
smartcard authentication. 

Could you please give me some hints? I'd be pleased to hear any
comments, criticism and recommendations on that issue.

Thanks in advance!

Florian Philipp

[1] basically 1k of random data, encrypted with 3DES by gpg
</description>
    <dc:creator>Florian Philipp</dc:creator>
    <dc:date>2008-03-03T18:53:28</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.security/3062">
    <title>(unknown)</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.security/3062</link>
    <description>

</description>
    <dc:creator>Darren Taylor</dc:creator>
    <dc:date>2008-02-28T20:50:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.security/3055">
    <title>Encryption Ciphers</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.security/3055</link>
    <description>Hi!

I just did some benchmarking on different ciphers for cryptsetup-luks
and now I've got some questions:

1. Is it a valid way to benchmark by using "time dd if=/dev/zero
of=/dev/mapper/cryptmapping bs=1M"? The results seem to match other
benchmarks but I just want to be sure.

2. I've tested every (sensible) cipher with 64, 128, 256 and 320bits
keysize (if supported). Apparently I can choose between:

Blowfish 64-256bit
Twofish 128-256bit
AES 128-256bit
Anubis 128-320bit

These are settings on which my harddisk limits transfer speed, not the
encryption.

Surprisingly, Anubis is faster with 320bits than Blowfish with the same
setting (Blowfish: 32MB/s, Anubis 37MB/s, hdparm -tT 38MB/s). Do you
think keysize is more important than choosing a cipher which made it
further in the AES-contest and therefore using Anubis with 320bit would
be a better choice than AES or Twofish with 256bit? Might it even be an
advantage because fewer people try to break Anubis than AES (although it
bears some similarity with AES </description>
    <dc:creator>Florian Philipp</dc:creator>
    <dc:date>2008-02-27T18:58:11</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.security/3026">
    <title>Strange occurrence of sendmail and disk I/O in background....</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.security/3026</link>
    <description>Can anyone tell me what service/application would start sendmail?

I discovered my Gentoo computer recently very active with I/O on the
harddrive and receive/transmit activity on an invocation of gkrellm. In
researching the activity, I found that I had an smtp connection to a
computer in Toronto, Canada. The connection was on port 43121 and looked
like so:
  
  bash$  netstat -t -u
  Active Internet connections (w/o servers)
  Proto Recv-Q Send-Q Local Address  Foreign Address  State
  tcp        0      1 [myIP]:43121   [theirIP]:smtp   ESTABLISHED
    ... Other usual stuff ....

    Running a check to see what may be running in the process tables:

 bash$  ps -efl

 showed this process here:
 /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t

    I could not find the cause for this application invocation. Nothing
in the rc-update, crontab, nor services suggests that sendmail ought to 
be running.

    When I killed the PID for this sendmail process, all disk I/O
immediately stopped. The site for the IP addre</description>
    <dc:creator>Christopher P. Kern</dc:creator>
    <dc:date>2008-02-19T11:42:27</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.security/3025">
    <title>Strange occurrence of sendmail and disk I/O in background....</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.security/3025</link>
    <description>Can anyone tell me what service/application would start sendmail?

I discovered my Gentoo computer recently very active with I/O on the
harddrive and receive/transmit activity on an invocation of gkrellm. In
researching the activity, I found that I had an smtp connection to a
computer in Toronto, Canada. The connection was on port 43121 and looked
like so:
  
  bash$  netstat -t -u
  Active Internet connections (w/o servers)
  Proto Recv-Q Send-Q Local Address  Foreign Address  State
  tcp        0      1 [myIP]:43121   [theirIP]:smtp   ESTABLISHED
    ... Other usual stuff ....

    Running a check to see what may be running in the process tables:

 bash$  ps -efl

 showed this process here:
 /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t

    I could not find the cause for this application invocation. Nothing
in the rc-update, crontab, nor services suggests that sendmail ought to 
be running.

    When I killed the PID for this sendmail process, all disk I/O
immediately stopped. The site for the IP addre</description>
    <dc:creator>Christopher P. Kern</dc:creator>
    <dc:date>2008-02-19T11:39:12</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.security/3015">
    <title>Kernel Security + KISS</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.security/3015</link>
    <description>After reading the tangent topic in bug id 209460 concerning kernel
vulnerabilities and GLSAs I did some searching and
came across the "Kernels and GLSAs" thread from a while ago.

I understand the logic behind not including kernel vulnerabilities in
regular GLSAs but in that thread
an up and coming solution (KISS) was mentioned. That was back in 2005
and now according to the Gentoo Kernel Security sub-project page the
project is stalled. Whatever happened to the KISS project?

I think notifying users of relevant kernel vulnerabilities is
important and I would like to help if possible. What is the current
state of things regarding kernel vulnerability reporting?


Casey Link
</description>
    <dc:creator>Casey Link</dc:creator>
    <dc:date>2008-02-16T22:57:23</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.security/3002">
    <title>Encrypting a user home folder on a laptop</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.security/3002</link>
    <description>I am probably being paranoid, but I'd like to encrypt my /home/username
folder on my laptop.  I tried EncFS using [1], but KDE didn't seem to
work under that setup because of the restriction that the filesystem
doesn't support hardlinks.  So now I am playing around with [2].  The
only problem I have here is that it seems like I have to know in advance
what size I want to use for my home folder (I am using a file as a
loopback device rather than a partition, mostly because I already have a
system up and don't want to mess with resizing partitions).  Is there
any way to resize the loopback device on the fly, or do you just have to
create a new one and copy the files into it every time you need to resize?

Another question I have: I am pretty new to ciphers.  One thing I have
learned is that the avalanche effect is desirable, meaning that one bit
flipped in the plaintext should cause about half of the ciphertext bits
to flip.  Does the dm-crypt setup have much correlation between
encryption blocks to where this</description>
    <dc:creator>Randy Barlow</dc:creator>
    <dc:date>2008-02-15T23:09:41</dc:date>
  </item>
  <textinput about="http://search.gmane.org/?group=$group=gmane.linux.gentoo.security">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.gentoo.security</link>
  </textinput>
</rdf:RDF>
