PLUG-discuss digest, Vol 1 #2399 - 11 msgs

Scott Goodwin plug-discuss@lists.plug.phoenix.az.us
Tue, 25 Jun 2002 02:31:02 +0000


On Mon, 24 Jun 2002 17:46:02 -0700,
plug-discuss-request@lists.plug.phoenix.az.us said:

I've experienced the same behavior intermittently on my RH 7.2 box while
checking out source from SourceForge.net. Not sure where the problem is, but
when I Ctrl-C to break the connection, it seems that the last file did fully
download, so the problem is probably in closing the socket connection itself.

/s.




> Message: 8
> Date: Mon, 24 Jun 2002 15:20:25 -0700
> From: mondoshawan@tank.dyndns.org
> To: plug <plug-discuss@lists.PLUG.phoenix.az.us>
> Subject: CVS via SSH issues
> Reply-To: plug-discuss@lists.plug.phoenix.az.us
> 
> Okay, maybe I'm doing something _completely_ wrong in here somewhere, but
> I'm experiencing problems doing a CVS checkout operation via SSH. Either CVS
> or SSH is hanging after checking out the last file in a module. Here's the
> scenario:
> 
> 	 [mondoshawan@nadesico:~]$ echo $CVSROOT
> 	 :ext:mondoshawan@thing:/var/cvs
> 	 [mondoshawan@nadesico:~]$ echo $CVS_RSH
> 	 ssh
> 	 [mondoshawan@nadesico:~]$ cvs co common
> 	 mondoshawan@thing's password: 
> 	 U common/classes/srep/live/MsgTopicPostable.php
> 	 U common/classes/srep/live/Nav.php
> 	   	   (...ad infinitum...)
> 	 U common/functions/session.php
> 
> Just after dealing with that last file, it hangs. It just so happens that
> common/functions/session.php is the last file it needs to check out. When I
> do the checkout locally on Thing, I don't have any problems. Additionally,
> other coworkers don't have this issue (both Mac OS X and Debian Linux), so
> I'm guessing it's an issue on my local machine. Any ideas?
> 
> -- 
> Thomas "Mondoshawan" Tate
> mondoshawan@tank.dyndns.org
> http://tank.webhop.org
> 
> --__--__--
> 
> Message: 9
> From: Lynn David Newton <lynn.newton@cox.net>
> Date: Mon, 24 Jun 2002 15:22:31 -0700
> To: Phoenix Linux Users Group <plug-discuss@lists.PLUG.phoenix.az.us>
> Subject: PostgreSQL versus MySQL
> Reply-To: plug-discuss@lists.plug.phoenix.az.us
> 
> 
> To persons who have knowledge of both MySQL and
> PostgreSQL:
> 
> Could someone characterize the highlights and
> differences, particularly regarding PostgreSQL? I've
> been working on a project where I suggested using
> MySQL, with which I am sufficiently familiar to just
> jump right in and start using it to design a database,
> tables, etc. However, I know utterly nothing about
> PostgreSQL, and the person I'm working for believes it
> would be a better choice for the project we're working
> on, and also doesn't mind the time it will take for me
> to come up to speed on it. No problem there, I'm always
> happy for someone to pay me to learn something new, but
> I also need to get a handle on it as quickly as
> possible.
> 
> Any short bullet list of comparisons would be much
> appreciated.
> 
> And lest I forget -- congratulations to PLUG on pulling
> off what was apparently a successful event this past
> weekend. I was not able to be there myself, but
> encouraged others to go.
> 
> -- 
> Lynn David Newton
> Phoenix, AZ
> 
> --__--__--
> 
> Message: 10
> Subject: OpenSSL encryption
> From: Benjamin Bostow <ben@viatornetworks.com>
> To: plug-discuss@lists.plug.phoenix.az.us
> Date: 24 Jun 2002 15:59:55 -0700
> Reply-To: plug-discuss@lists.plug.phoenix.az.us
> 
> What is the strength of the encryption in OpenSSL and OpenSSH? Is there
> a way to limit it to 56-bit for export and not allow the 128-bit?
> 
> Ben
> 
> 
> 
> --__--__--
> 
> Message: 11
> Date: Mon, 24 Jun 2002 15:28:20 -0700
> From: KevinO <kevino7@deru.com>
> To: AZUnix csnet <azunix@csnet.sc.maricopa.edu>, PLUG discuss <plug-discuss@lists.PLUG.phoenix.az.us>
> Subject: [Fwd: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability]
> Reply-To: plug-discuss@lists.plug.phoenix.az.us
> 
> For your SA'n enjoyment
> 
> -------- Original Message --------
> Subject: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability
> Date: Mon, 24 Jun 2002 23:06:31 +0200
> From: Markus Friedl <markus@openbsd.org>
> Reply-To: openssh@openssh.com
> To: openssh-unix-announce@mindrot.org, openssh-unix-dev@mindrot.org
> References: <200206242100.g5OL0BLL019128@cvs.openbsd.org>
> 
> On Mon, Jun 24, 2002 at 03:00:10PM -0600, Theo de Raadt wrote:
>  > Date: Mon, 24 Jun 2002 15:00:10 -0600
>  > From: Theo de Raadt <deraadt@cvs.openbsd.org>
>  > Subject: Upcoming OpenSSH vulnerability
>  > To: bugtraq@securityfocus.com
>  > Cc: announce@openbsd.org
>  > Cc: dsi@iss.net
>  > Cc: misc@openbsd.org
>  >
>  > There is an upcoming OpenSSH vulnerability that we're working on with
>  > ISS.  Details will be published early next week.
>  >
>  > However, I can say that when OpenSSH's sshd(8) is running with priv
>  > separation, the bug cannot be exploited.
>  >
>  > OpenSSH 3.3p was released a few days ago, with various improvements
>  > but in particular, it significantly improves the Linux and Solaris
>  > support for priv sep.  However, it is not yet perfect.  Compression is
>  > disabled on some systems, and the many varieties of PAM are causing
>  > major headaches.
>  >
>  > However, everyone should update to OpenSSH 3.3 immediately, and enable
>  > priv separation in their ssh daemons, by setting this in your
>  > /etc/ssh/sshd_config file:
>  >
>  > 	UsePrivilegeSeparation yes
>  >
>  > Depending on what your system is, privsep may break some ssh
>  > functionality.  However, with privsep turned on, you are immune from
>  > at least one remote hole.  Understand?
>  >
>  > 3.3 does not contain a fix for this upcoming bug.
>  >
>  > If priv separation does not work on your operating system, you need to
>  > work with your vendor so that we get patches to make it work on your
>  > system.  Our developers are swamped enough without trying to support
>  > the myriad of PAM and other issues which exist in various systems.
>  > You must call on your vendors to help us.
>  >
>  > Basically, OpenSSH sshd(8) is something like 27000 lines of code.  A
>  > lot of that runs as root.  But when UsePrivilegeSeparation is enabled,
>  > the daemon splits into two parts.  A part containing about 2500 lines
>  > of code remains as root, and the rest of the code is shoved into a
>  > chroot-jail without any privs.  This makes the daemon less vulnerable
>  > to attack.
>  >
>  > We've been trying to warn vendors about 3.3 and the need for privsep,
>  > but they really have not heeded our call for assistance.  They have
>  > basically ignored us.  Some, like Alan Cox, even went further stating
>  > that privsep was not being worked on because "Nobody provided any info
>  > which proves the problem, and many people dont trust you theo" and
>  > suggested I "might be feeding everyone a trojan" (I think I'll publish
>  > that letter -- it is just so funny).  HP's representative was
>  > downright rude, but that is OK because Compaq is retiring him.  Except
>  > for Solar Designer, I think none of them has helped the OpenSSH
>  > portable developers make privsep work better on their systems.
>  > Apparently Solar Designer is the only person who understands the need
>  > for this stuff.
>  >
>  > So, if vendors would JUMP and get it working better, and send us
>  > patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday
>  > which supports these systems better.  So send patches by Thursday
>  > night please.  Then on Tuesday or Wednesday the complete bug report
>  > with patches (and exploits soon after I am sure) will hit BUGTRAQ.
>  >
>  > Let me repeat: even if the bug exists in a privsep'd sshd, it is not
>  > exploitable.  Clearly we cannot yet publish what the bug is, or
>  > provide anyone with the real patch, but we can try to get maximum
>  > deployment of privsep, and therefore make it hurt less when the
>  > problem is published.
>  >
>  > So please push your vendor to get us maximally working privsep patches
>  > as soon as possible!
>  >
>  > We've given most vendors since Friday last week until Thursday to get
>  > privsep working well for you so that when the announcement comes out
>  > next week their customers are immunized.  That is nearly a full week
>  > (but they have already wasted a weekend and a Monday).  Really I think
>  > this is the best we can hope to do (this thing will eventually leak,
>  > at which point the details will be published).
>  >
>  > Customers can judge their vendors by how they respond to this issue.
>  >
>  > OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away.
>  > On OpenBSD privsep works flawlessly, and I have reports that is also
>  > true on NetBSD.  All other systems appear to have minor or major
>  > weaknesses when this code is running.
>  >
>  > (securityfocus postmaster; please post this through immediately, since
>  > i have bcc'd over 30 other places..)
> _______________________________________________
> openssh-unix-announce@mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-announce
> 
> 
> 
> 
> -- 
> Kevin O'Connor
> 
>   "People will be free to devote themselves to activities that are fun
>   ...
> 
> The GNU Manifesto - Copyright (C) 1985, 1993 Free Software Foundation,
> Inc.
> 
> 
> 
> --__--__--
> 
> _______________________________________________
> PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> 
> 
> End of PLUG-discuss Digest
> 

-- 
  Scott Goodwin
  scott@scottg.net
  http://scottg.net
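The forwarded advisory above tells everyone to put "UsePrivilegeSeparation yes" in /etc/ssh/sshd_config. As an added example (not code from the digest, from OpenSSH, or from any of the posters), here is a POSIX shell check of what an sshd_config actually says, written around the rule in sshd_config(5) that the first value found for a keyword is the one sshd uses; the function names, the file argument and the sample config are my own constructions. Keep in mind that the default when the keyword is absent has changed across releases, and that later OpenSSH (7.5 onward) made privilege separation mandatory and the keyword a no-op, so "unset" is the normal result on a modern host.

```shell
#!/bin/sh
# Audit the effective UsePrivilegeSeparation value in an sshd_config file.
#
# Two things a quick "grep" gets wrong, and this handles:
#   * sshd(8) uses the FIRST value it sees for a keyword, so appending
#     "UsePrivilegeSeparation yes" to a file that already says "no" higher
#     up changes nothing.
#   * keywords are case-insensitive, the separator may be whitespace or
#     "=", and "#" starts a comment.
#
# privsep_setting FILE -> prints "yes", "no", "sandbox", or "unset"
privsep_setting() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " "); if (NF == 0) next }
        tolower($1) == "useprivilegeseparation" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_privsep FILE -> status 0 if privsep is explicitly on,
#                       1 if explicitly off, 2 if the file is silent
#                       (the default then depends on the sshd release)
check_privsep() {
    case "$(privsep_setting "$1")" in
        yes|sandbox) echo "OK: UsePrivilegeSeparation is on";    return 0 ;;
        no)          echo "FAIL: UsePrivilegeSeparation is off";  return 1 ;;
        *)           echo "WARN: UsePrivilegeSeparation not set"; return 2 ;;
    esac
}

# Constructed sample (not a real host's config): the late "yes" does not
# override the earlier "no", which is exactly the mistake this catches.
demo_cfg=$(mktemp) || exit 1
cat > "$demo_cfg" <<'EOF'
Port 22
UsePrivilegeSeparation no   # left behind by an old vendor template
Protocol 2
UsePrivilegeSeparation yes  # appended after reading the advisory
EOF
check_privsep "$demo_cfg" || :   # prints FAIL; the non-zero status is the point
rm -f "$demo_cfg"
```

Run it as `sh privsep_check.sh` for the built-in sample, or call `check_privsep /etc/ssh/sshd_config` from a shell that has sourced the functions; the exit status is meant for use in a fleet-wide audit loop.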