(resend -- forgot to set the 'Re:' to something intelligible -- sorry.)

On Mon, 24 Jun 2002 17:46:02 -0700, plug-discuss-request@lists.plug.phoenix.az.us said:

I've experienced the same behavior intermittently on my RH 7.2 box while checking out source from SourceForge.net. Not sure where the problem is, but when I Ctrl-C to break the connection, it seems that the last file did fully download, so the problem is probably in closing the socket connection itself.

/s.

> Message: 8
> Date: Mon, 24 Jun 2002 15:20:25 -0700
> From: mondoshawan@tank.dyndns.org
> To: plug
> Subject: CVS via SSH issues
> Reply-To: plug-discuss@lists.plug.phoenix.az.us
>
> Okay, maybe I'm doing something _completely_ wrong in here somewhere, but
> I'm experiencing problems doing a CVS checkout operation via SSH. Either CVS
> or SSH is hanging after checking out the last file in a module. Here's the
> scenario:
>
> [mondoshawan@nadesico:~]$ echo $CVSROOT
> :ext:mondoshawan@thing:/var/cvs
> [mondoshawan@nadesico:~]$ echo $CVS_RSH
> ssh
> [mondoshawan@nadesico:~]$ cvs co common
> mondoshawan@thing's password:
> U common/classes/srep/live/MsgTopicPostable.php
> U common/classes/srep/live/Nav.php
> (...ad infinitum...)
> U common/functions/session.php
>
> Just after dealing with that last file, it hangs. It just so happens that
> common/functions/session.php is the last file it needs to checkout. When I
> do the checkout locally on Thing, I don't have any problems. Additionally,
> other coworkers don't have this issue (both Mac OS X and Debian Linux), so
> I'm guessing it's an issue on my local machine. Any ideas?
>
> --
> Thomas "Mondoshawan" Tate
> mondoshawan@tank.dyndns.org
> http://tank.webhop.org
>
> --__--__--
>
> Message: 9
> From: Lynn David Newton
> Date: Mon, 24 Jun 2002 15:22:31 -0700
> To: Phoenix Linux Users Group
> Subject: PostgreSQL versus MySQL
> Reply-To: plug-discuss@lists.plug.phoenix.az.us
>
> To persons who have knowledge of both MySQL and
> PostgreSQL:
>
> Could someone characterize the highlights and
> differences, particularly regarding PostgreSQL? I've
> been working on a project where I suggested using
> MySQL, with which I am sufficiently familiar to just
> jump right in and start using it to design a database,
> tables, etc. However, I know utterly nothing about
> PostgreSQL, and the person I'm working for believes it
> would be a better choice for the project we're working
> on, and also doesn't mind the time it will take for me
> to come up to speed on it. No problem there, I'm always
> happy for someone to pay me to learn something new, but
> I also need to get a handle on it as quickly as
> possible.
>
> Any short bullet list of comparisons would be much
> appreciated.
>
> And lest I forget -- congratulations to PLUG on pulling
> off what was apparently a successful event this past
> weekend. I was not able to be there myself, but
> encouraged others to go.
>
> --
> Lynn David Newton
> Phoenix, AZ
>
> --__--__--
>
> Message: 10
> Subject: OpenSSL encryption
> From: Benjamin Bostow
> To: plug-discuss@lists.plug.phoenix.az.us
> Date: 24 Jun 2002 15:59:55 -0700
> Reply-To: plug-discuss@lists.plug.phoenix.az.us
>
> What is the strength of the encryption in OpenSSL and OpenSSH? Is there
> a way to limit it to 56-bit for export and not allow the 128-bit?
>
> Ben
>
> --__--__--
>
> Message: 11
> Date: Mon, 24 Jun 2002 15:28:20 -0700
> From: KevinO
> To: AZUnix csnet, PLUG discuss
> Subject: [Fwd: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability]
> Reply-To: plug-discuss@lists.plug.phoenix.az.us
>
> For your SA'n enjoyment
>
> -------- Original Message --------
> Subject: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability
> Date: Mon, 24 Jun 2002 23:06:31 +0200
> From: Markus Friedl
> Reply-To: openssh@openssh.com
> To: openssh-unix-announce@mindrot.org, openssh-unix-dev@mindrot.org
> References: <200206242100.g5OL0BLL019128@cvs.openbsd.org>
>
> On Mon, Jun 24, 2002 at 03:00:10PM -0600, Theo de Raadt wrote:
> > Date: Mon, 24 Jun 2002 15:00:10 -0600
> > From: Theo de Raadt
> > Subject: Upcoming OpenSSH vulnerability
> > To: bugtraq@securityfocus.com
> > Cc: announce@openbsd.org
> > Cc: dsi@iss.net
> > Cc: misc@openbsd.org
> >
> > There is an upcoming OpenSSH vulnerability that we're working on with
> > ISS. Details will be published early next week.
> >
> > However, I can say that when OpenSSH's sshd(8) is running with priv
> > separation, the bug cannot be exploited.
> >
> > OpenSSH 3.3p was released a few days ago, with various improvements
> > but in particular, it significantly improves the Linux and Solaris
> > support for priv sep. However, it is not yet perfect. Compression is
> > disabled on some systems, and the many varieties of PAM are causing
> > major headaches.
> >
> > However, everyone should update to OpenSSH 3.3 immediately, and enable
> > priv separation in their ssh daemons, by setting this in your
> > /etc/ssh/sshd_config file:
> >
> >     UsePrivilegeSeparation yes
> >
> > Depending on what your system is, privsep may break some ssh
> > functionality. However, with privsep turned on, you are immune from
> > at least one remote hole. Understand?
> >
> > 3.3 does not contain a fix for this upcoming bug.
> >
> > If priv separation does not work on your operating system, you need to
> > work with your vendor so that we get patches to make it work on your
> > system. Our developers are swamped enough without trying to support
> > the myriad of PAM and other issues which exist in various systems.
> > You must call on your vendors to help us.
> >
> > Basically, OpenSSH sshd(8) is something like 27000 lines of code. A
> > lot of that runs as root. But when UsePrivilegeSeparation is enabled,
> > the daemon splits into two parts. A part containing about 2500 lines
> > of code remains as root, and the rest of the code is shoved into a
> > chroot-jail without any privs. This makes the daemon less vulnerable
> > to attack.
> >
> > We've been trying to warn vendors about 3.3 and the need for privsep,
> > but they really have not heeded our call for assistance. They have
> > basically ignored us. Some, like Alan Cox, even went further stating
> > that privsep was not being worked on because "Nobody provided any info
> > which proves the problem, and many people don't trust you theo" and
> > suggested I "might be feeding everyone a trojan" (I think I'll publish
> > that letter -- it is just so funny). HP's representative was
> > downright rude, but that is OK because Compaq is retiring him. Except
> > for Solar Designer, I think none of them has helped the OpenSSH
> > portable developers make privsep work better on their systems.
> > Apparently Solar Designer is the only person who understands the need
> > for this stuff.
> >
> > So, if vendors would JUMP and get it working better, and send us
> > patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday
> > which supports these systems better. So send patches by Thursday
> > night please. Then on Tuesday or Wednesday the complete bug report
> > with patches (and exploits soon after I am sure) will hit BUGTRAQ.
> >
> > Let me repeat: even if the bug exists in a privsep'd sshd, it is not
> > exploitable. Clearly we cannot yet publish what the bug is, or
> > provide anyone with the real patch, but we can try to get maximum
> > deployment of privsep, and therefore make it hurt less when the
> > problem is published.
> >
> > So please push your vendor to get us maximally working privsep patches
> > as soon as possible!
> >
> > We've given most vendors since Friday last week until Thursday to get
> > privsep working well for you so that when the announcement comes out
> > next week their customers are immunized. That is nearly a full week
> > (but they have already wasted a weekend and a Monday). Really I think
> > this is the best we can hope to do (this thing will eventually leak,
> > at which point the details will be published).
> >
> > Customers can judge their vendors by how they respond to this issue.
> >
> > OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away.
> > On OpenBSD privsep works flawlessly, and I have reports that is also
> > true on NetBSD. All other systems appear to have minor or major
> > weaknesses when this code is running.
> >
> > (securityfocus postmaster; please post this through immediately, since
> > I have bcc'd over 30 other places..)
> _______________________________________________
> openssh-unix-announce@mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-announce
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
> --
> Kevin O'Connor
>
> "People will be free to devote themselves to activities that are fun ...
>
> The GNU Manifesto - Copyright (C) 1985, 1993 Free Software Foundation, Inc.
>
> --__--__--
>
> _______________________________________________
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> End of PLUG-discuss Digest
>

--
Scott Goodwin
scott@scottg.net
http://scottg.net
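
The advisory quoted above asks administrators to set `UsePrivilegeSeparation yes` in /etc/ssh/sshd_config. As an added example (not part of the original messages and not OpenSSH code), this shell check reports the value sshd would actually use, relying on sshd taking the first value it reads for a keyword; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example; privsep_setting and privsep_enabled are hypothetical names.

# Print the value sshd would use for UsePrivilegeSeparation, or "unset".
privsep_setting() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)           # keyword ends at space or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))   # keywords are case-insensitive
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit            # conditional blocks are not global
            if (key == "useprivilegeseparation") {
                print val; found = 1; exit      # first occurrence wins
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only when the effective value is exactly "yes".
privsep_enabled() {
    [ "$(privsep_setting "$1")" = "yes" ]
}

# Constructed sample config (not from a real host): the commented-out line
# and the later duplicate are both ignored, so the effective value is "no".
sample=$(mktemp)
cat > "$sample" <<'EOF'
# UsePrivilegeSeparation yes
Port 22
useprivilegeseparation = no
UsePrivilegeSeparation yes
EOF
echo "effective setting: $(privsep_setting "$sample")"
privsep_enabled "$sample" || echo "privilege separation is NOT enabled"
rm -f "$sample"
```

The sample shows the failure mode worth checking for: appending the directive to the end of the file has no effect when an earlier line already sets it.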