Security Issue - version XI

Similar Messages

• Why is Java Deployment Toolkit (click-to-play) blocked, also the referenced bug is closed and there are no security issues known in Version 7 U51?

  I think it is important to block unsecure addons. But if you do so there should be an open bug assigened. The referenced bug for this add-on is allready resolved so I do not know why this plugin is disabled. https://bugzilla.mozilla.org/show_bug.cgi?id=636633
  I have the problem that I want to use Secure_Auth that is using the Java Deployment Kit in such a nasty way (via javascript) that firefox doesn't see that the deployment kit should be started. Therefore I will not be asked to allow this plugin always for this web site. Since there is no documentation available how to do this configuration in a config file I am stuck at the moment.
  I'm a liitle bit suprised that blocking all versions (even secure versions) is a way to get a good user experience.
  Regards
  Martin

  ''MG_DAU wrote:''
  The referenced bug for this add-on is allready resolved so I do not know why this plugin is disabled. https://bugzilla.mozilla.org/show_bug.cgi?id=636633
  That's a bug report in the Blocklisting component, meaning it's a request to add an add-on to the blocklist. The fact that it's marked as fixed means the add-on has been added to the blocklist.
  * https://addons.mozilla.org/firefox/blocked/p428
  * [[Add-ons that cause stability or security issues are put on a blocklist]]
  Given that there's no way to disable Click-to-Play for this plug-in (the only options are Ask to Activate or Never Activate), if Firefox doesn't trigger a Click-to-Play prompt, I see no way to use it apart from disabling the entire blocklist. This carries a considerable security risk, as no plug-ins will be blocked or set to Click-to-Play, including known malware. If you're sure you want to go through with it, set ''extensions.blocklist.enabled'' to '''false''' in [http://kb.mozillazine.org/About:config about:config].

• Security issues faced by users of unsupported OS versions?

  Since Tiger users will relatively soon be in the same situation, I'm wondering what kinds of security issues 10.3.9 users have been faced with now that Panther has for some time not been supported by Apple (including no more security updates). I posted the following in the Tiger Forum, but I'd really appreciate hearing what your experience has been. (BD Aqua in Tiger thought issues simply to do with getting around the Internet would be more the problem than safety).
  I realize I will, sooner or later, have to buy a new Mac and install a more current version, but I would like to postpone this as long as possible. Thanks.
  http://discussions.apple.com/thread.jspa?threadID=2033860&tstart=0
  Now that S Leo has been officially announced for release in September, a question I've been meaning to ask for a while. What do we Tiger stalwarts have to look forward to in terms of security issues once there are no more security updates, and when, presumably, there are no more new browser versions or updates for soon to be archaic PPC and Tiger? (PPC, I realize, is a separate issue). Will we be, to put it simply, screwed and will it become impossible to safely navigate the internet? I realize the browser issues will probably arrive somewhat later than the OS security issues, since there will continue to be secure third party browsers, at least for a while.
  Since we will, relatively soon, be in a similar position, I'm wondering how the folks still running 10.3.9 are >managing with this? (Might post this over there, too.)

  Most security updates fix holes in the system that can be exploited by hackers. However, hackers are mostly interested in gaining access to systems that have something of value. An individual's system has virtually nothing of value worth a hacker's time and effort. It's far easier for them to get what they want via Internet phishing exploits, but such exploits cannot be fixed by security releases. They require effort on the part of the user to be careful about sites they visit and clicking on links they know nothing about thus providing information about themselves such as social security and/or banking numbers. No amount of security patches will help you with this.
  Most security patches recently issued relate to holes in Safari with a couple for the system. These are obscure holes that require hackers to have intimate knowledge of the software to exploit them. None of these exploits have been known to be used in the field. Rather they have been demonstrated as a way of exposing their existence so they can be fixed.

• Are you aware about bash security issue CVE-2014-6271 ? Do you have a patch for that? The problem may exist in all Solaris versions.

  Are you aware about bash security issue CVE-2014-6271 ? Do you have a patch for that? The problem may exist in all Solaris versions.

  The official communication is now posted to
      https://blogs.oracle.com/security/entry/security_alert_cve_2014_7169

• Using latest version of fireFox to access Think Central, pages will not load and they say that this is a security issue with FireFox?

  Teachers in our district are supposed to use www.thinkcentral.com with FireFox.
  Some have no problem accessing the lesson plans.
  Most when they login click on a lesson plan and an icon shows up that says loading but never does.
  If you reboot the computer and login you can open a page once but not a second time and no other lessons will open.
  Think Central support says this is a security issue with Firefox.
  I have updated FireFox, all the Adobe, Reader, Flash, Air and Shockwave. As well as Java.
  I have allowed the pop ups to the think Central web site.
  Any help would be appreciated

  Are there any notification icons on the left end of the address bar? If so, please click them to see whether they related to security issues (such as blocked content - shield icon: [[How does content that isn't secure affect my safety?]]) or a plugin requiring permission (Lego-like icon).
  Does Think Central have any help pages about this issue? Without an account, it is difficult to explore the issue first-hand.

• Version 37 has security issues

  A certain website that i use now has a dialog box coming up saying"We see you are using Firefox browser 37.0. This browser has a serious security defect and is not recommended for use on this website. Please change to Internet Explorer, Chrome, Safari or Opera or any other browser to continue browsing this website without issue. " I am using 37.0.1.

  I have a hard time imagining that this site has found a serious security issue. Please continue to use Firefox as normal. I've contact the site and will try to clear this up.
  thank you for reporting it!

• Other web browsers and security issues?

  Since even an Apple KB article recognizes the need for an additional browser and because of Safari's limitations and problems, I'm going to try switching to another browser (most likely OmniWeb and am looking at Firefox, Shira and Opera also though perhaps not as a primary browser) but I'm wondering about their ability to keep on top of any security issues for Mac? (and how do you keep up with security updates?)
  Though perhaps unfounded, at least with Safari, I feel that Apple has a vested interest in keeping on top of security issues (for Safari and Java) and I can readily find out about security updates via software updater.

  Most of the other Mac browsers have their adherents. They are all good browsers (I have 7 browsers installed to test various web sites and for change-of-pace usage). They all have their strengths and they all have their weaknesses. Only iCab and OmniWeb are still shareware, the rest are now or always have been free (Opera just recently stopped charging for its browser).
  I have settled on Firefox as my alternate browser and I use it maybe just a tad more than Safari, but I do switch back and forth between them. The Mozilla foundation is good at getting security updates out when needed. Firefox has a button on the toolbar to check for updates. One nice thing about Firefox is that you can install free extensions which enhance the features available. I have one to supplement tab features, one to control iTunes from Firefox's status bar, one to help me format messages in discussion forums, and one to block ads.
  I prefer OmniWeb for doing intensive research because of the way it handles tabs in its sidebar, showing me which ones I've looked at and which ones I haven't, and giving me great flexibility in rearranging tabs, which are viewable as thumbnails or text names (I have had up to a hundred or so tabs open in OmniWeb.
  Shiira is good and its fast. I have not checked for updates for a while, but the last time I updated there was still a problem with Shiira kicking you out of logged-in sites when you moved from page to page with in web site. This may have been fixed by now - they were aware of the problem back then.
  Camino is a native OS X cousin of Firefox and is also fast, but is not updated as often.
  I would stay away from Mozilla or Netscape unless you need all the additional modules they have and which take up hard disk space. Firefox and Camino represent the browser module of Mozilla/Netscape. Mozilla and Netscape have modules for email, irc chat, newsgroups, and for creating and editing web pages. Netscape is a branded and slightly customized version of Mozilla and is not updated as often.
  Opera is a nice browser and some use it as their main browser, but I have not seen anything that really stands out for me, but that does not mean it is not worth a look.
  I would stay away from abandonware Internet Explorer.
  As for checking for updates, several of them, as with many Mac programs, now have a menu item that allows you to check for updates. Most of them also announce their updates on both VersionTracker and MacUpdate.
  Happy Exploring.

• HT5642 I need to update iOS 6.1.3 on my iPad2 to 6.1.6, due to security issue. Why is no update available? I do NOT want to install iOS 7, due to memory limitations.

  I need to update iOS 6.1.3 on my iPad2 to 6.1.6, due to security issue. Why is no update available? I do NOT want to install iOS 7, due to memory limitations.

  Any upgrade will be to the most recent, compatible version, in this case 7.0.6.

• Can I create a form that doesn't trigger Acrobat's JavaScript disabled / security issues warning?

  Hello,
  Can I create a pdf that doesn't trigger Acrobat's JavaScript is currently disabled and this document uses it for some features.  Enabling JavaScript can lead to potential security issues.
  I even get this error when I create a blank pdf.
  I'm not using any JavaScript in the form and the nature of the message might tend to be a bit scary to some people since it mentions enabling JS can lead to potential security issues.  I basically want to disable the messaging of a feature I'm not even using.
  Anyone know if this is possible and if so, how I go about it?
  Thank you.

  Hi,
  I too share your frustration!!
  Unfortunately I do not have a complete answer for you.
  From the start I must say that Stefan Cameron has been very helpful (http://forms.stefcameron.com/2010/01/14/acrobatreader-9-3-now-available/), however I have not had sufficient time available to deal with the issue (or find a satisfactory resolution).
  The original post that Srini shared with you related to an XFA form that had FormCalc and Javascript in it. I will now share with you another situation that is closer to your experiences.
  Sometimes where we have a complex solution/form, we often give our users a PDF with instructions and demonstrations. We generate these using Adobe products:
  LiveCycle Designer ES to generate the solution/form;
  Captivate to record the demonstration (.swf);
  Acrobat to package it up in a static PDF.
  The screen shots below are from a PDF that includes written instructions and six Flash (.swf) files. The PDF does NOT include fields/form objects and does NOT include any FormCalc or Javascript.
  One of the big sells in Acrobat 9 was that Adobe had fully integrated Flash (Adobe product, ex. Macromedia) into Acrobat 9. This mean that .swf files could run natively inside a PDF. Brilliant!!!  The website today is still pushing this message, for example:
  Now bear in mind that the following screenshots are from a PDF that does not contain any scripting - its sole purpose is to "inform" the user, "look as good as the work I put into it", incorporate instruction and "multimedia" in a "single polished file" and I should be "confident that my audience will be able to view my work exactly as intended".
  Not so!!
  When the user now opens the form, all looks OK. No warning. They can read the instructions and scroll down to the multimedia (.swf files).
  However when the user clicks on the multimedia, the yellow bar appears:
  I go through the "trust" process:
  And the PDF looks like it is OK, no yellow bar. When I click on the multimedia, it begins to play - yes!! BUT ONLY FOR A SECOND OR TWO AND THEN IT STOPS AND GOES BACK TO THE START - AGGGGHHHHHHH!!!!!. I would apologise for shouting, but this is beyond frustration. The work in capturing six screencasts in Captivate, annotating them, publishing to .swf and packaging up in Acrobat has been a complete waste of time. Worse than that I now have several PDFs out there, that do not work. Good advertisement for my business? I don't think so!!
  The document that Stefan provided (Managing JavaScript Execution in the Acrobat Family of Products) does not mention Flash/.swf as being a problem. However I would recommend that you go through this document, as it may help you.
  So, where to now? I don't know. The previous posts and Stefan's responses have several urls that may help. You should maybe consider logging your experiences as a bug (log at Adobe).
  In the meantime good luck,
  Niall
  UPDATE:
  This behaviour (.swf playing for only a few seconds) happens in PDFs where the .swf is inserted as legacy media to run in earlier versions of Acrobat/Reader. In this case Acrobat/Reader is making an external call to Flash Player. Hence the yellow bar. However it does not explain why the Flash video still does not play when trusted.
  If the .swf is added into the PDF as Flash media to run on Acrobat 9 and above, then it works without displaying the yellow warning bar.
  So maybe any feature of your PDF that calls an external resource is likely to show the yellow warning bar.

• DB Links vs. Public Synonyms Security issue

  I have been debating on using either a public synonym or a db link for my purpose. I have a dev, test, and prod database. I have applications that have been developed using a public synonym. I know that if I were to switch to db links I would have to go back and change the applications to have access to the tables. I was wondering if it would be more secure to just have the public synonyms with select privilege or have db links. I need to decide if I should use db links for various users in the same DB (e.g. prod) and to use db links from one DB to another. Can someone explain what the security risks are between the two and which would be safer to use?
  Thanks

  I appreciate that you have taken the time to read my post. The version of the database I am using is 10g. I guess to clarify my post I am asking if someone can provide me advantages and disadvantages of using either public synonyms or db links. I don't know if I am clear, but when I refer to a DB Link I am referring to the following type of access where a client in a database A can access information in a remote database B (e.g. schema1.table2@databaseB). I am not sure what you mean by "Database links are two entirely different technologies that do two entirely different things". But I would appreciate if someone with DBA experience can provide some insight regarding security issues associated with using public synonyms and db links.
  Thank you,

• Spoof dialog Boxes security issue

  Hi all
  Any one out there aware of this security issue with Safari
  "Secunia Research has discovered a vulnerability in various browser's, which can be exploited by malicious web sites to spoof dialog boxes.
  The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open e.g. a prompt dialog box, which appears to be from a trusted site."
  I found the above by accident as i was looking up something else.
  If you go to Secunia site and try the test you may find that you are also vulnerable.
  http://secunia.com/multiple_browser'sdialog_origin_vulnerabilitytest/
  The only way i found to stop the spoof dialog box was to turn off enable plug-ins in preferences. However i don't have any plug-ins in my Safari plug-in folder.
  I'am running safari 1.3(v312) however it would appear that it also effects version 2.2 of Safari too. Also i have installed the latest update but to no effect. Other browser effect are:-
  _ Internet Explorer for Mac
  - Internet Explorer
  - Opera
  - iCab
  - Mozilla / FireFox / Camino
  My question is, is this vulnerability true, or just a setup
  Any comments welcome.
  ~Tim

  Hi,
  The issue is resolved, but I don't know what caused this error.
  I uninstalled the java components and BO then I deleted the BO folder under program files, then I deleted all BO entries in the registry.
  Finally I reinstalled everything except the service pack and that finally worked. I don't know the cause of this error.
  Regards,
  Marcela

• Security issue - or not? (remote trigger SMC startup)

  Hi,
  During installation of a few zones on a Sol10U2 system today, I noticed that simply running an nmap scan on a freshly installed and booted zone would cause the SMC to start:
  Starting Solaris Management Console server version 2.1.0.
  endpoint created: :898
  Adding instance of solaris_providerpath
  Adding class Solaris_LocalFileSystem
  Adding class Solaris_Directory
  Adding class Solaris_Mount
  Adding class Solaris_UFS
  Adding class Solaris_HSFS
  Adding class Solaris_UFSMount
  Adding class Solaris_HSFSMount
  Adding class Solaris_LocalFSResidesOnExtent
  Compilation succeeded.
  Adding class Solaris_DiskDrive
  Adding class Solaris_DiskPartition
  Adding class Solaris_MediaPresent
  Adding class Solaris_LogicalDisk
  Adding class Solaris_PhysicalMedia
  Adding class Solaris_Disk
  Adding class Solaris_PhysicalPackage
  Adding class Solaris_RealizesExtent
  Adding class Solaris_RealizesDiskPartition
  Adding class Solaris_RealizesDiskDrive
  Adding class Solaris_DiskPartitionBasedOnDisk
  Adding class Solaris_DiskPartitionBasedOnFDisk
  Adding class Solaris_SCSIController
  Adding class Solaris_IDEController
  Adding class Solaris_MPXIOController
  Adding class Solaris_USBSCSIController
  Adding class Solaris_GenericController
  Adding class Solaris_SCSIInterface
  Adding class Solaris_MPXIOInterface
  Adding class Solaris_IDEInterface
  Adding class Solaris_ExtraCapacityGroup
  Adding class Solaris_MPXIOGroup
  Adding class Solaris_ControllerLogicalIdentity
  Adding class Solaris_MPXIOCtrlrLogicalIdentity
  Adding class Solaris_ControllerComponent
  Adding class Solaris_MPXIOComponent
  Adding class Solaris_StorageLibrary
  Compilation succeeded.
  Adding class CIM_ManagedElement
  Adding class CIM_SettingData
  Adding class CIM_Share
  Adding class CIM_FileShare
  Adding class CIM_NFSShare
  Adding class CIM_SharedElement
  Adding class CIM_HostedShare
  Compilation succeeded.
  Adding class Solaris_NFSShare
  Adding class Solaris_NFSShareSecurity
  Adding class Solaris_NFS
  Adding class Solaris_PersistentShare
  Adding class Solaris_MountSetting
  Adding class Solaris_NFSMountSetting
  Adding class Solaris_ShareSetting
  Adding class Solaris_NFSShareSetting
  Adding class Solaris_ShareService
  Adding class Solaris_MountService
  Adding class Solaris_NFSMount
  Adding class Solaris_NFSShareSecurityModes
  Adding class Solaris_NFSShareDefSecurityMode
  Adding class Solaris_HostedShare
  Adding class Solaris_PersistentShareConfiguration
  Adding class Solaris_PersistentShareForSystem
  Adding class Solaris_NFSShareEntry
  Adding class Solaris_SharedElement
  Adding class Solaris_NFSExport
  Adding class Solaris_SharedFileSystem
  Compilation succeeded.
  Adding instance of solaris_providerpath
  Adding instance of solaris_providerpath
  Adding class Solaris_VMStateDatabase
  Adding class Solaris_VMSoftPartition
  Adding class Solaris_VMExtent
  Adding class Solaris_VMStripe
  Adding class Solaris_VMConcat
  Adding class Solaris_VMMirror
  Adding class Solaris_VMRaid5
  Adding class Solaris_VMTrans
  Adding class Solaris_VMHotSparePool
  Adding class Solaris_VMDiskSet
  Adding class Solaris_VMStorageVolume
  Adding class Solaris_VMConcatComponent
  Adding class Solaris_VMDriveInDiskSet
  Adding class Solaris_VMExtentBasedOn
  Adding class Solaris_VMSoftPartComponent
  Adding class Solaris_VMExtentInDiskSet
  Adding class Solaris_VMHostInDiskSet
  Adding class Solaris_VMHotSpareInUse
  Adding class Solaris_VMHotSpares
  Adding class Solaris_VMMirrorSubmirrors
  Adding class Solaris_VMRaid5Component
  Adding class Solaris_VMStatistics
  Adding class Solaris_VMStripeComponent
  Adding class Solaris_VMTransLog
  Adding class Solaris_VMTransMaster
  Adding class Solaris_VMUsesHotSparePool
  Adding class Solaris_VMVolumeBasedOn
  Adding class Solaris_DiskIOPerformanceMonitor
  Compilation succeeded.
  Adding instance of solaris_providerpath
  Adding class Solaris_ActiveUser
  Adding class Solaris_ActiveProject
  Adding class Solaris_ProcessStatisticalInformation
  Adding class Solaris_UserProcessAggregateStatisticalInformation
  Adding class Solaris_ProjectProcessAggregateStatisticalInformation
  Adding class Solaris_ProcessStatistics
  Adding class Solaris_ActiveUserProcessAggregateStatistics
  Adding class Solaris_ActiveProjectProcessAggregateStatistics
  Compilation succeeded.
  Registration setup: 8/8 (Executing SUNWpmgr_reg.sh)
  Registering components: 64/64 (Registering PatchMgrCli.jar)                 er)
  Solaris Management Console server is ready.For interest, the nmap result is:
  toby@deepthought ~ $ nmap -v 192.168.1.122
  Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 20:39 EDT
  DNS resolution of 1 IPs took 0.23s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
  Initiating Connect() Scan against 192.168.1.122 [1672 ports] at 20:39
  The Connect() Scan took 44.49s to scan 1672 total ports.
  Host 192.168.1.122 appears to be up ... good.
  Interesting ports on 192.168.1.122:
  (The 1662 ports scanned but not shown below are in state: closed)
  PORT     STATE SERVICE
  21/tcp   open  ftp
  22/tcp   open  ssh
  23/tcp   open  telnet
  79/tcp   open  finger
  111/tcp  open  rpcbind
  513/tcp  open  login
  514/tcp  open  shell
  898/tcp  open  sun-manageconsole
  4045/tcp open  lockd
  7100/tcp open  font-service
  Nmap finished: 1 IP address (1 host up) scanned in 44.874 seconds(port 7100 is actually a non-standard VNC server which was carried over from the global zone)
  Of course, this is immediately before running Solaris Security Toolkit (jass) to apply a secure profile.
  Does it matter that this SMC startup can be triggered so easily remotely?

  It just struck me odd that simply port-scanning the
  machine could produce this behaviour, and I wonder if
  it might be a security issue.Probably not directly. Sun has distributed several items in the past that launch via inetd connections (calendar manager and font server were two common ones). Just because it launches doesn't mean it's a security problem. The application itself may require authentication after running.
  Of course the resources required by the process may be non-trivial, and the application may have security issues, but the fact that it launches isn't a direct indication of a problem.
  Darren

• Security Issue in Planning. Unable to write to particular Year member

  Hello Everyone,
  I am currently facing a strange security issue in our PRD environment. I am unable to lock and send any data or punch the data in directly through a dataform for a particular Year, Scenario and Version combination. I have all the write access set up on these dimensions directly from planning interface and configured myself as Admin through Shared services.
  Dimensions are as follows:
  Year
  -FY11
  -FY12
  -FY13
  Scenario
  -Forecast
  Version
  -Working
  I can key in the data for FY11+Forecast+Working BUT all the cells in the dataform appear to be green for below combination:
  FY12+Forecast+Working and FY13+Forecast+Working
  I am not sure whats happening here as I have right security setup and Forecast is setup correctly too, from FY11 to FY13 for all the months(Jan:Dec).
  Please Help
  Thanks

  Hi John,
  Yes the months are setup correctly. I resolved the issue. We had a replicated partition connected to it, which pushes data to my application for FY12 and FY13. The partition needed to be dropped. Now I can see the cells in yellow.
  Thanks

• Samba 3.2.6 patch for security issue

  I know the security issue is hard to trigger, but I created a new PKGBUILD for samba 3.2.6 containing the patch.
  Excerpt from the patch commentary:
  commit 288fa94ac7cfdf7457b5098c33fc840bed3d5410
  Author: Michael Adam <[email protected]>
  AuthorDate: Thu Dec 18 18:01:55 2008 +0100
  Commit: Karolin Seeger <[email protected]>
  CommitDate: Fri Dec 19 08:30:23 2008 +0100
  smbd: prevent access to root filesystem when connecting with empty service name
  This only applies to a setup with "registry shares = yes"
  Michael
  And here's the PKGBUILD:
  # $Id: PKGBUILD 22200 2008-12-22 22:24:26Z tpowa $
  # Maintainer: judd <[email protected]>
  pkgname=samba
  pkgver=3.2.6
  # We use the 'A' to fake out pacman's version comparators. Samba chooses
  # to append 'a','b',etc to their subsequent releases, which pamcan
  # misconstrues as alpha, beta, etc. Bad samba!
  _realver=3.2.6
  pkgrel=2.1
  pkgdesc="Tools to access a server's filespace and printers via SMB"
  arch=(i686 x86_64)
  url="http://www.samba.org"
  license=('GPL3')
  backup=(etc/logrotate.d/samba etc/pam.d/samba etc/samba/smb.conf etc/xinetd.d/swat etc/conf.d/samba)
  depends=('db>=4.7' 'popt' 'libcups' 'acl' 'libldap' 'smbclient=3.2.6' 'libcap' 'heimdal>=1.2-1' 'pam' 'fam' 'gnutls>=2.4.1' 'tdb=3.2.6')
  options=(!makeflags)
  source=(http://us1.samba.org/samba/ftp/stable/${pkgname}-${_realver}.tar.gz \
  no-clients.patch samba samba.logrotate swat.xinetd samba.pam samba.conf.d \
  ftp://us1.samba.org/pub/samba/patches/security/samba-3.2.6-CVE-2009-0022.patch)
  build() {
  cd ${srcdir}/${pkgname}-${_realver}/source
  patch -Np2 -i ${srcdir}/no-clients.patch || return 1
  patch -Np2 -i ${srcdir}/samba-3.2.6-CVE-2009-0022.patch || return 1
  ./configure --prefix=/usr --with-configdir=/etc/samba \
  --with-lockdir=/var/cache/samba \
  --with-piddir=/var/run/samba \
  --with-fhs --with-pam --with-ads --with-acl-support \
  --without-cifsmount --without-libsmbclient \
  --with-syslog --with-pam_smbpass \
  --localstatedir=/var --disable-dnssd --libdir=/usr/lib/samba
  make || return 1
  mkdir -p ${pkgdir}/var/log/samba
  mkdir -p ${pkgdir}/etc/samba/private
  chmod 700 ${pkgdir}/etc/samba/private
  make DESTDIR=$startdir/pkg install
  chmod 644 ${pkgdir}/usr/include/*.h
  rm -rf ${pkgdir}/usr/var
  (cd script; cp installbin.sh i; cat i | sed 's/\/sbin\///' > installbin.sh)
  install -D -m755 ../../samba ${pkgdir}/etc/rc.d/samba
  install -D -m644 ../../samba.conf.d ${pkgdir}/etc/conf.d/samba
  mkdir -p ${pkgdir}/etc/samba
  cat ../examples/smb.conf.default | \
  sed 's|log file = .*$|log file = /var/log/samba/log.%m|g' >${pkgdir}/etc/samba/smb.conf.default
  install -D -m644 ../../samba.logrotate ${pkgdir}/etc/logrotate.d/samba
  install -D -m644 ../../swat.xinetd ${pkgdir}/etc/xinetd.d/swat
  install -D -m644 ../../samba.pam ${pkgdir}/etc/pam.d/samba
  # symlink libs
  for i in ${pkgdir}/usr/lib/samba/libsmbshare*; do
  ln -sf samba/$(basename $i) ${pkgdir}/usr/lib/$(basename $i)
  done
  # spool directory
  install -d -m1777 ${pkgdir}/var/spool/samba
  sed -i 's|/usr/spool/samba|/var/spool/samba|g' ${pkgdir}/etc/samba/smb.conf.default
  # fix logrotate
  sed -i -e 's|log.%m|%m.log|g' ${pkgdir}/etc/samba/smb.conf.default
  # nsswitch libraries
  install -D -m755 nsswitch/libnss_wins.so ${pkgdir}/lib/libnss_wins.so
  ln -s libnss_wins.so ${pkgdir}/lib/libnss_wins.so.2
  install -D -m755 nsswitch/libnss_winbind.so ${pkgdir}/lib/libnss_winbind.so
  install -D -m755 bin/pam_winbind.so ${pkgdir}/lib/security/pam_winbind.so
  # remove conflict files of smbclient and tdb
  for man in libsmbclient smbspool \
  umount.cifs mount.cifs net; do
  rm -f ${pkgdir}/usr/share/man/man8/${man}.8
  done
  for i in libnetapi* libtdb* libtalloc* libwbclient*; do
  rm -f ${pkgdir}/usr/lib/samba/$i
  done
  rm -f ${pkgdir}/usr/bin/tdbbackup
  rm -f ${pkgdir}/usr/include/{tdb.h,talloc.h,netapi.h}
  for man in rpcclient smbcacls smbclient smbcquotas \
  smbtree smbtar nmblookup smbget; do
  rm -f ${pkgdir}/usr/share/man/man1/${man}.1
  done
  rm -f ${pkgdir}/usr/share/man/man7/libsmbclient.7
  rm -f ${pkgdir}/usr/include/libsmbclient.h
  md5sums=('0cd27c7afbb8211616eea4010f32271c'
  'a676f0dde2c434aeb5125376b8797a64'
  'e93533fa2296c07c1f645dfdd373657f'
  '5697da77590ec092cc8a883bae06093c'
  'a4bbfa39fee95bba2e7ad6b535fae7e6'
  '96f82c38f3f540b53f3e5144900acf17'
  'f2f2e348acd1ccb566e95fa8a561b828'
  'e15ab37115101cf3a8d110f0c1f8e29e')
  I think a security task force should be initiated (I know discussions existed, but I don't know what were the consequences), so that important packages (like those providing services) could be updated in a timely manner. This is a minor issue as I stated earlier, but it could be worse. Those interested, let's initiate a discussion with the developers of important packages and try to get some things working. People (mostly trusted users) who can generate early packages are welcome, so that they can provide early versions of unvulnerable packages.

  ckristi wrote:I don't know about other packages, but I believe when I checked the PKGBUILD for PHP, that the security fix was included in 5.2.7.
  Check http://repos.archlinux.org/viewvc.cgi/p … iew=markup for more info.
  And don't get me wrong, I am a little bit concerned about the way vulnerabilities are treated in Arch, 'cause my home server is running this distro.
  And I really would think we should start some serious discussions about this security issues and the way they should be treated. I know the developers are doing their best and I'm not going to put fingers at all. They should be helped in maintaining packages for important services. We'll benefit from it and their tasks would be easier.
  Why don't you start a wiki page tracking the latest vulnerabilities disclosed on various security mailing lists which are not fixed in arch. This will make it much easier for the devs.
  This thing has been already discussed multiple times and already a wiki page exists for Arch Security Team but it seems nobody followed up with that.
  http://wiki.archlinux.org/index.php/Security_Task_Force

• Security issues in Mavericks 9.04

  I just had a secure scan done on my Mavericks server. The main issues seem to be:
  OpenSSL Running Version Prior to 0.9.8za Upgrade to OpenSSL version 0.9.8za or newer.
  Apache mod_negotiation Multi-Line Filename Upload Vulnerabilities (Upgrade to Apache version 2.3.2 or newer.)
  Given that upgrading these would mean compiling and installing Apache and OpenSSL(which I'm not really keen to do) I'm wondering what experienced admins think of these threats.

  pkmusic wrote:
  Dumb question - so a self-signed SSL cert doesn't use Open SSL?
  Certificates are used with ssh and SSL/TLS and such, yes.  Most of OS X uses Secure Transport for its certificate- and SSL/TLS-related processing, but Apache does not.  Apache is linked against OpenSSL.
  Self-signed certificates lead to a different security issue.  
  An HTTPS site with a self-signed certificate will be considered untrusted by accessing web clients and the web browser will usually issue diagnostics before allowing access to the site or a diagnostic before marking the certificate as trusted, or that you've set up your own certificate chain and installed your own root certificate.  That you're asking this question implies the former; that you're not really running HTTPS with a trusted certificate chain.   Which generally means you can just shut off SSL/TLS.
  As for the original question, here's how the scanner is likely detecting the down-revision versions — if you look at the server details being returned to the client, you'll see some information on Apache and OpenSSL versions embedded in the response:
  $ telnet foo.example.com 80
  Trying 10.1.3.1...
  Connected to foo.example.com
  Escape character is '^]'.
  HEAD / HTTP/1.0
  HTTP/1.1 301 Moved Permanently
  Date: Sun, 20 Jul 2014 14:40:11 GMT
  Server: Apache/2.2.26 (Unix) PHP/5.4.24 mod_ssl/2.2.26 OpenSSL/0.9.8y DAV/2
  Location: http://foo.example.com/
  Cache-Control: max-age=1209600
  Expires: Sun, 03 Aug 2014 14:40:11 GMT
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Connection closed by foreign host.
  $
  That won't get fixed without replacing Apache et al or one of the other options, as described in my earlier reply.
  For completeness, some folks will manually configure the server to not return these details.  That'll derail the the vulnerability scanner, certainly.  It might not have the intended result, too, as the remote attackers can simply decide to throw every attack they have at your server — the attackers are not short on CPU cycles and network bandwidth, after all; unintended consequences.
  As for using a self-signed cert and given you probably aren't providing file-level access to other folks, I'd not (personally) be particularly concerned about that vulnerability scan — one of the limitations with using vulnerability scanners is that you then have to go off and figure out if you're actually vulnerable to whatever the scanner is reporting.  It's an issue certainly, but then you'll have to decide if your backups are complete and current and with copies kept off-site, and if your other security practices and password policies and such are also all up to date and secure, and at what else you might risk if the server is breached — if configuring a DMZ for your server might be appropriate, for instance, to isolate the server from the rest of your network should the server be breached.