Asking for documentation help (Re: IPSec questions...)

2002-01-14 Thread Javier Fernández-Sanguino Peña

I was wondering... could someone write a How to build VPN's in
Debian small documentation for inclusion in the Debian Security HOWTO
(http://www.debian.org/doc/ddp) it could make for a nice chapter in there.
Topics to comment about:

- FreeSwan 
- CIPE
- Ssh
- ...

Any volunteer?

Javi


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]






Don't panic (ssh)

2002-01-14 Thread Jacques Lav!gnotte


Good Morning,

While you are talking about ssh issues...

From my log :

Jan 13 09:50:58 news sshd[897]: scanned from 216.78.148.184 with
+SSH-1.0-SSH_Version_Mapper.  Don't panic.
Jan 13 09:50:58 news sshd[896]: Did not receive identification string from
+216.78.148.184


Should I really Not Panic ? :)



  Thanks,Jacques



-- 

0CBE 3F8A 5A77 A35C 27C7  2D42 3EC5 806B 9178 088D







Re: Don't panic (ssh)

2002-01-14 Thread Thomas Seyrat

Jacques Lav!gnotte wrote:
> Jan 13 09:50:58 news sshd[897]: scanned from 216.78.148.184 with
> +SSH-1.0-SSH_Version_Mapper.  Don't panic.
> Jan 13 09:50:58 news sshd[896]: Did not receive identification string from
> +216.78.148.184
> Should I really Not Panic ? :)

  Not if your SSH daemon is up to date :-)

  Actually,  this message  is  left  by the  «  scanssh  » utility  (see
  http://www.monkey.org/~provos/scanssh/),  which is  used by  sysadmins
  (or crackers) to detect weak SSH daemons on whole networks.

-- 
Thomas Seyrat.






Re: Don't panic (ssh)

2002-01-14 Thread Iain Tatch

On 14 January 2002 at 10:35:17 Thomas Seyrat wrote:

TS>   Not if your SSH daemon is up to date :-)

Is the SSHD in the latest potato fully up-to-date, though? I am a very
recent convert to Debian, having been an avid Slackware fan for the last
seven years. However one of my (very old) Slack boxen was compromised on
Christmas Day via the sshd CRC32 vulnerability and I decided to replace it
with Debian, a distro which has seriously impressed me.

Not wanting the same problem to reoccur, after installation &
configuration I checked my version of sshd. As far as I could ascertain
the sshd which comes with the current potato release is OpenSSH
1.something (can't say exactly what now as I've removed it and my notes
are all at home), however iirc it was only using version 1 of the SSH
protocols, which leaves the vulnerability in place.

I removed the Debian SSH package & manually installed OpenSSH 3.0.2p1
which is invulnerable (so far!) to all known vulnerabilities as long as
version 1 of the SSH protocol isn't used, even as a fallback.

Have I missed something and was I already OK, or is the current stable potato
release shipping with a potential ssh security hole?

Cheers
- --
Iain | PGP mail preferred: pubkey @ www.deepsea.f9.co.uk/misc/iain.asc
 Versace & Prada mean nothing to me,
   You buy your friends but I'll hate you for free
   Rescue Kyoto, boycott Esso/Exxon/Mobil: http://www.stopesso.com





Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Dietmar Braun

Anybody residing near to the Korean border who can take the great scissor 
and cut off the cable from Korea to the civilized world?

Nothing but spam coming from these foolish idiots...

Sorry but that makes me very angry now.

No chance to block these bastards?

Dietmar, annoyed.






Re: Don't panic (ssh)

2002-01-14 Thread crispin

On Mon, Jan 14, 2002 at 11:07:38AM +, Iain Tatch wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 14 January 2002 at 10:35:17 Thomas Seyrat wrote:
>
> TS>   Not if your SSH daemon is up to date :-)
>
> Is the SSHD in the latest potato fully up-to-date, though? I am a very
> recent convert to Debian, having been an avid Slackware fan for the last
> seven years. However one of my (very old) Slack boxen was compromised on
> Christmas Day via the sshd CRC32 vulnerability and I decided to replace it
> with Debian, a distro which has seriously impressed me.
>
> Not wanting the same problem to reoccur, after installation &
> configuration I checked my version of sshd. As far as I could ascertain
> the sshd which comes with the current potato release is OpenSSH
> 1.something (can't say exactly what now as I've removed it and my notes
> are all at home), however iirc it was only using version 1 of the SSH
> protocols, which leaves the vulnerability in place.
>
> I removed the Debian SSH package & manually installed OpenSSH 3.0.2p1
> which is invulnerable (so far!) to all known vulnerabilities as long as
> version 1 of the SSH protocol isn't used, even as a fallback.
>
> Have I missed something and was I already OK, or is the current stable potato
> release shipping with a potential ssh security hole?

AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need to use 
SSH2 protocol. OpenSSH supports SSH2. You need different keys though, as SSH2 so far 
does not support RSA keypairs and needs DSA keys.

Anyone with more in-depth knowledge like to comment?

Crispin






Debian security being trashed in Linux Today comments

2002-01-14 Thread Adam Warner

http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB

Someone with better knowledge of all the facts might want to comment on
the claim that Debian is always the last to fix security holes and the
tag team follow up I've been fighting for months now to try to convince
them to release an advisory or fix for ftpd...

Regards,
Adam






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Tim Haynes

Adam Warner [EMAIL PROTECTED] writes:

> http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
>
> Someone with better knowledge of all the facts might want to comment on
> the claim that Debian is always the last to fix security holes and the
> tag team follow up I've been fighting for months now to try to convince
> them to release an advisory or fix for ftpd...

Some of us wouldn't dare say such things without at least reviewing the
given distro's security policy, FAQ and history.

http://www.debian.org/security/ is over there --- .

~Tim
-- 
http://spodzone.org.uk/






Re: Don't panic (ssh)

2002-01-14 Thread Iain Tatch

On 14 January 2002 at 11:48:34 [EMAIL PROTECTED] wrote:

>> Have I missed something and was I already OK, or is the current stable
>> potato release shipping with a potential ssh security hole?

> AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need
> to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though,
> as SSH2 so far does not support RSA keypairs and needs DSA keys.

That's the impression I was under, too. In which case the current stable
release of Debian comes with an sshd which uses protocol 1 and is
therefore open to allowing remote root compromises.

Is there any way to find out what flavour of Debian I have which is more
detailed than this:

iain@starfish:~$ cat /etc/debian_version
2.2

Cheers
- --
Iain | PGP mail preferred: pubkey @ www.deepsea.f9.co.uk/misc/iain.asc
 Versace & Prada mean nothing to me,
   You buy your friends but I'll hate you for free
   Rescue Kyoto, boycott Esso/Exxon/Mobil: http://www.stopesso.com





Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Wichert Akkerman

Previously Adam Warner wrote:
> Someone with better knowledge of all the facts might want to comment on
> the claim that Debian is always the last to fix security holes and the
> tag team follow up I've been fighting for months now to try to convince
> them to release an advisory or fix for ftpd...

Someone should point them to Javier's analysis of security response
times..

Wichert.

-- 
  _
 [EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Daniel Polombo

Adam Warner wrote:

> On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:
>
>> Some of us wouldn't dare say such things without at least reviewing the
>> given distro's security policy, FAQ and history.
>
> But I was really impressed that updates for unstable/testing were
> released at the same time. For those of us that use/test the bleeding
> edge on our systems it's a great reassurance to see the security team
> giving consideration to the security of testing/unstable.


Well, maybe you should follow Tim's advice and go check the security team's FAQ :

Q: How is security handled for testing and unstable?

A: The short answer is: it's not. Testing and unstable are rapidly moving
   targets and the security team does not have the resources needed to
   properly support those. If you want to have a secure (and stable)
   server you are strongly encouraged to stay with stable.

Of course, if you're using unstable, fixes tend to appear quickly, but :

- tend to is not acceptable when security is concerned
- it may take a lot more time depending on your local mirror

--
Daniel






Re: Don't panic (ssh)

2002-01-14 Thread Daniel Polombo

Iain Tatch wrote:


 
>> AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need
>> to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though,
>> as SSH2 so far does not support RSA keypairs and needs DSA keys.

> That's the impression I was under, too. In which case the current stable
> release of Debian comes with an sshd which uses protocol 1 and is
> therefore open to allowing remote root compromises.

Just a quick precision here : you have to _disable_ v1 in order to be 
protected from that vulnerability. The point here is not that you have to 
support v2, it's that you have to disallow v1. A recent daemon allowing ssh1 
connections is vulnerable.

--
Daniel






RE: Don't panic (ssh)

2002-01-14 Thread Craigsc

How do you disable ssh1 protocol with the current
ssh on potato ?

..Craig

-Original Message-
From: Daniel Polombo [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 14, 2002 2:45 PM
To: Iain Tatch
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Don't panic (ssh)


Iain Tatch wrote:



>> AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need
>> to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though,
>> as SSH2 so far does not support RSA keypairs and needs DSA keys.

> That's the impression I was under, too. In which case the current stable
> release of Debian comes with an sshd which uses protocol 1 and is
> therefore open to allowing remote root compromises.

Just a quick precision here : you have to _disable_ v1 in order to be
protected from that vulnerability. The point here is not that you have to
support v2, it's that you have to disallow v1. A recent daemon allowing ssh1
connections is vulnerable.

--
Daniel






Re: Don't panic (ssh)

2002-01-14 Thread Tim Haynes

Craigsc [EMAIL PROTECTED] writes:

> How do you disable ssh1 protocol with the current
> ssh on potato ?

I don't think you have to. See
http://www.debian.org/security/2001/dsa-086.

Or have I really been so asleep as not to notice a major thou shalt not
use ssh1 even though we applied all the fixes AS PER FAQ to the old
version alert???
That might be commendable behaviour, but it hasn't been mandated by Debian
that I saw.

~Tim
-- 
http://spodzone.org.uk/






Re: Don't panic (ssh)

2002-01-14 Thread Iain Tatch

On 14 January 2002 at 13:05:57 Craigsc wrote:

> How do you disable ssh1 protocol with the current
> ssh on potato ?

I may be very wrong here as I've only been using Debian for 3 days now,
but as far as I can see the current sshd on potato only supports ssh1
protocol. That's why I removed the package and self-compiled the latest
sources from www.openssh.org to ensure I had only ssh2 protocol compiled
in.

I've had a box compromised through the ssh1 CRC32 vulnerability once, I'm
not going to let it happen again!

Cheers
- --
Iain | PGP mail preferred: pubkey @ www.deepsea.f9.co.uk/misc/iain.asc
 Versace & Prada mean nothing to me,
   You buy your friends but I'll hate you for free
   Rescue Kyoto, boycott Esso/Exxon/Mobil: http://www.stopesso.com






Re: /etc/passwd-shell

2002-01-14 Thread Anthony DeRobertis


On Saturday, January 12, 2002, at 02:46 PM, Hubert Chan wrote:

> I think that if you boot into single mode (e.g. type linux single at
> the LILO prompt), you'll drop into whatever shell is defined for root.

More importantly, will it break if, e.g., fsck fails and drops 
you into single-user mode?

You mentioned the solution for lilo, though I prefer init=/sbin/sash.






RE: Don't panic (ssh)

2002-01-14 Thread Denny Fox

Debian has back ported the fix for the CRC-32 vulnerability into both
OpenSSH (1.2.3-9.3) and ssh-nonfree/ssh-socks (1.2.27-6.2) for Debian
stable.

This is documented at:
http://www.debian.org/security/2001/dsa-086

This would appear to remove any concern about using SSH version 1
protocol as long as you are running the updated sshd.

The published vulnerabilities for ssh1 have been against the
implementation in the sshd application itself, not in the ssh1
protocol. The current Debian versions have addressed the
implementation issues.

Please correct me if I am mistaken...

Thanks,

Denny

> -Original Message-
> From: Craigsc [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 14, 2002 7:06 AM
> To: Debian-Security; Daniel Polombo
> Subject: RE: Don't panic (ssh)
>
> How do you disable ssh1 protocol with the current
> ssh on potato ?
>
> ..Craig
>
> -Original Message-
> From: Daniel Polombo [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 14, 2002 2:45 PM
> To: Iain Tatch
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Don't panic (ssh)
>
> Iain Tatch wrote:
>
> >> AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need
> >> to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though,
> >> as SSH2 so far does not support RSA keypairs and needs DSA keys.
>
> > That's the impression I was under, too. In which case the current stable
> > release of Debian comes with an sshd which uses protocol 1 and is
> > therefore open to allowing remote root compromises.
>
> Just a quick precision here : you have to _disable_ v1 in order to be
> protected from that vulnerability. The point here is not that you have to
> support v2, it's that you have to disallow v1. A recent daemon allowing ssh1
> connections is vulnerable.
>
> --
> Daniel






Re: Don't panic (ssh)

2002-01-14 Thread Glenn McGrath

On Mon, 14 Jan 2002 13:10:08 +
Tim Haynes [EMAIL PROTECTED] wrote:

> Craigsc [EMAIL PROTECTED] writes:
>
> > How do you disable ssh1 protocol with the current
> > ssh on potato ?
>
> I don't think you have to. See
> http://www.debian.org/security/2001/dsa-086.

I don't know about potato, but ssh v1 definitely works in sid.


Glenn






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Simon Huggins

On Mon, Jan 14, 2002 at 12:05:34PM +, Tim Haynes wrote:
> Adam Warner [EMAIL PROTECTED] writes:
> > http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
> >
> > Someone with better knowledge of all the facts might want to comment
> > on the claim that Debian is always the last to fix security holes
> > and the tag team follow up I've been fighting for months now to try
> > to convince them to release an advisory or fix for ftpd...
> Some of us wouldn't dare say such things without at least reviewing
> the given distro's security policy, FAQ and history.
>
> http://www.debian.org/security/ is over there --- .

Indeed.  My only experience with trying to get an exploitable package
patched was rather disappointing though.

I believe (not being a Debian developer myself) that [EMAIL PROTECTED]
goes to debian-private which is only available to developers.  It then
requires the developer of the package you're reporting about to be awake
enough to /do/ something about the bug you are reporting.

I had problems with apache whose old maintainer didn't really seem to
care (bug 104187 for the gory details)

So perhaps Debian security is only as good as the package maintainers?
I'm sure most maintainers do care and do investigate bugs I probably
just had a bad experience.


-- 
--(  Have you seen a man who's lost his luggage?   )--
Simon (   -- Suitcase) Nomis
 Htag.pl 0.0.19






Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Oystein Viggen

* [Dietmar Braun] 

> No chance to block this bastards?

Simple anti-spam function for .procmailrc:

:0 fhw
* ^Content-Type: text/html|\
^Subject:.*=\?ks_c_5601-1987\?
Spambox

Oystein
-- 
When in doubt: Recompile.






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Javier Fernández-Sanguino Peña

On Mon, Jan 14, 2002 at 01:15:16PM +0100, Wichert Akkerman wrote:
> Previously Adam Warner wrote:
> > Someone with better knowledge of all the facts might want to comment on
> > the claim that Debian is always the last to fix security holes and the
> > tag team follow up I've been fighting for months now to try to convince
> > them to release an advisory or fix for ftpd...
>
> Someone should point them to Javier's analysis of security response
> times..

Thanks, I was about to say so... BTW pointer is:
http://lists.debian.org/debian-security/2001/debian-security-200112/msg00257.html

I'm going to add this to the info available in the Debian
Security Manual seems to be a FAQ

Javi






Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Oystein Viggen

* [Oystein Viggen] 

> * [Dietmar Braun]
>
>> No chance to block this bastards?
>
> Simple anti-spam function for .procmailrc:

Oops.. I'm sleeping in front of the keyboard again.  The correct recipe
would be like this:

:0
* ^Content-Type: text/html|\
^Subject:.*=\?ks_c_5601-1987\?
Spambox

Oystein
-- 
When in doubt: Recompile.
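
What the corrected recipe's condition matches can be checked offline by emulating it over a few messages. This Python sketch is an added example, not part of the original posts and not procmail itself; the function names and the sample messages are constructed, and it assumes procmail's defaults of header-only, case-insensitive matching.

```python
import re

# Condition of the corrected recipe, with the backslash-newline continuation
# joined into one expression. re.IGNORECASE and re.MULTILINE stand in for
# procmail's default case-insensitive matching and its line-anchored "^".
CONDITION = re.compile(
    r"^Content-Type: text/html|^Subject:.*=\?ks_c_5601-1987\?",
    re.IGNORECASE | re.MULTILINE,
)


def header_of(raw_message):
    """Return the header block: everything before the first blank line."""
    return raw_message.split("\n\n", 1)[0]


def deliver(raw_message):
    """Return (mailbox, reason) the way the recipe would file this message."""
    match = CONDITION.search(header_of(raw_message))
    if match is None:
        return ("inbox", None)
    if match.group(0).lower().startswith("content-type"):
        return ("Spambox", "html")
    return ("Spambox", "ks_c_5601 subject")


# Constructed sample messages (addresses and contents are made up).
HTML_MAIL = (
    "From: someone@example.com\n"
    "Subject: hello\n"
    "content-type: TEXT/HTML; charset=us-ascii\n"
    "\n"
    "<html><body>hi</body></html>\n"
)
ENCODED_SUBJECT_MAIL = (
    "From: someone@example.net\n"
    "Subject: =?ks_c_5601-1987?B?xde9usau?=\n"
    "Content-Type: text/plain\n"
    "\n"
    "body\n"
)
PLAIN_MAIL = (
    "From: list@example.org\n"
    "Subject: Re: Don't panic (ssh)\n"
    "Content-Type: text/plain\n"
    "\n"
    "A line in the body: Content-Type: text/html\n"
)
MULTIPART_MAIL = (
    "From: someone@example.org\n"
    "Subject: report\n"
    'Content-Type: multipart/alternative; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "hello\n"
    "--b1\n"
    "Content-Type: text/html\n"
    "\n"
    "<p>hello</p>\n"
    "--b1--\n"
)

if __name__ == "__main__":
    for name, msg in [
        ("html", HTML_MAIL),
        ("encoded subject", ENCODED_SUBJECT_MAIL),
        ("plain", PLAIN_MAIL),
        ("multipart", MULTIPART_MAIL),
    ]:
        print(name, "->", deliver(msg))
```

The multipart case shows the recipe's limit: an HTML part inside a multipart/alternative message is not caught, because only the top-level header is examined.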






Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Dietmar Braun

At 15:21 14.01.2002 +0100, Oystein Viggen wrote:
> :0
> * ^Content-Type: text/html|\
> ^Subject:.*=\?ks_c_5601-1987\?
> Spambox
>
> Oystein

In my opinion, this is only a workaround.
Providers should close their routes to these spammers or block their IP 
addresses - this could be the only way to change the Koreans' minds.

Dietmar






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Noah L. Meyerhans

On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
> So perhaps Debian security is only as good as the package maintainers?
> I'm sure most maintainers do care and do investigate bugs I probably
> just had a bad experience.

That is the case in unstable and testing, but not stable.  That is why
you're encouraged to run stable on any machine connected to the
internet.  In its case, there is a group within Debian who is
responsible for providing security updates in a timely manner with or
without assistance from the package maintainer.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Régis Grison

Dietmar Braun wrote:

> In my opinion, this is only a workaround.
> Providers should close their routes to this spammers or block their IP 
> addresses - this could be the only way to change the koreans minds.

well, the mail is from [EMAIL PROTECTED]

ping iwww.net - 211.171.252.68

whois 211.171.252.68

[...]
E-Mail : [EMAIL PROTECTED]

Seems like [EMAIL PROTECTED] depends on kidc.net

whois iwww.net and whois kidc.net tell us they are not the same. So if 
you want a result, don't write to [EMAIL PROTECTED] (may be the same guy 
as [EMAIL PROTECTED]), directly write to [EMAIL PROTECTED] (the provider)

Honestly, I won't do so. There is not enough mail for me. But if 
someone wants...

Regis.






Re: Don't panic (ssh)

2002-01-14 Thread Christian Kurz

On 14/01/02, [EMAIL PROTECTED] wrote:

> AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus
> you need to use SSH2 protocol. OpenSSH supports SSH2. You need
> different keys though, as SSH2 so far does not support RSA keypairs
> and needs DSA keys.

OpenSSH supports both, RSA and DSA keys for SSH protocol version 2.
Please read the manpage for ssh and look for the paragraph called SSH
protocol version 2 where this is explained. But you are right about the
CRC32 attack. The crc32 compensation attack is a vulnerability in the
SSH protocol version 1. An analysis of this exploit can be found at:

http://staff.washington.edu/dittrich/misc/ssh-analysis.txt

And here's an excerpt from a mail (MID:
[EMAIL PROTECTED])
about the rules, which clients or servers are vulnerable. The comments
are from Markus Friedl, one of the openssh authors:

,----
| the rules are simpler:
|
| 1) protocol 2 only
|
| all
| SSH-2.0-*
| are not affected, since no protocol v1 is involved.
|
| 2) protocol 1 and 2 support
|
| since
| SSH-1.99-*
| supports both protocol versions, it gets more difficult.
| for the commercial server, you never know the version
| of the server that will be called for the fallback,
| you have to assume that all
| SSH-1.99-[23]*
| are affected, and
| SSH-1.99-OpenSSH[-_].x.y
| are affected for versions x.y < 2.3
|
| 3) protocol 1 only
| SSH-1.5-OpenSSH[-_].x.y
| is affected versions x.y < 2.3
|
| and the commercial versions.
|
| SSH-1.5-1.2.2[456789]
| SSH-1.5-1.2.3[01]
|
| so:
`----

Christian
-- 
   Debian Developer (http://www.debian.org)
1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853
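
The banner rules quoted above can be applied mechanically to the identification strings an sshd announces on connect. This Python sketch is an added example, not code from the thread or from OpenSSH; `classify_banner`, the verdict labels and the sample banners are constructed, and the pattern `OpenSSH[-_].x.y` is read as "OpenSSH, then - or _, then major.minor".

```python
import re

# Verdict labels are this example's own, not terms from the quoted mail.
NOT_AFFECTED, AFFECTED, NOT_COVERED = "not-affected", "affected", "not-covered"

_BANNER = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)")
_OPENSSH = re.compile(r"^OpenSSH[-_](?P<major>\d+)\.(?P<minor>\d+)")
# Commercial protocol-1 servers listed in rule 3: 1.2.24-1.2.29 and 1.2.30-1.2.31.
_COMMERCIAL_V1 = re.compile(r"^1\.2\.(?:2[4-9]|3[01])(?!\d)")
_FIRST_FIXED_OPENSSH = (2, 3)

# Assumption of this example: a distribution backport (DSA-086 puts the fix in
# Debian's OpenSSH 1.2.3-9.3) keeps the upstream version in the banner, so an
# "affected" verdict for OpenSSH still has to be checked against the package.
BACKPORT_NOTE = "check the installed package revision for a backported fix"


def _openssh_verdict(software, rule):
    """Apply the x.y < 2.3 test; return None if this is not OpenSSH."""
    match = _OPENSSH.match(software)
    if match is None:
        return None
    version = (int(match.group("major")), int(match.group("minor")))
    if version < _FIRST_FIXED_OPENSSH:
        return (AFFECTED, "%s: OpenSSH %d.%d < 2.3; %s"
                % (rule, version[0], version[1], BACKPORT_NOTE))
    return (NOT_AFFECTED, "%s: OpenSSH %d.%d is 2.3 or later"
            % (rule, version[0], version[1]))


def classify_banner(banner):
    """Return (verdict, reason) for one SSH identification string."""
    match = _BANNER.match(banner.strip())
    if match is None:
        return (NOT_COVERED, "not an SSH identification string")
    proto, software = match.group("proto"), match.group("software")

    if proto == "2.0":
        return (NOT_AFFECTED, "rule 1: protocol 2 only")

    if proto == "1.99":
        verdict = _openssh_verdict(software, "rule 2")
        if verdict is not None:
            return verdict
        if software[0] in "23":
            return (AFFECTED,
                    "rule 2: commercial server, fallback version unknown")
        return (NOT_COVERED, "rule 2 names no such server")

    if proto == "1.5":
        verdict = _openssh_verdict(software, "rule 3")
        if verdict is not None:
            return verdict
        if _COMMERCIAL_V1.match(software):
            return (AFFECTED, "rule 3: listed commercial version")
        return (NOT_COVERED, "rule 3 names no such server")

    return (NOT_COVERED, "protocol version not covered by the rules")


def affected_banners(banners):
    """Return the banners the rules flag, in input order."""
    return [b for b in banners if classify_banner(b)[0] == AFFECTED]


# Constructed sample banners, plus the scanner string from the log earlier
# in the thread (a client banner, which the rules do not cover).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_3.0.2p1",
    "SSH-1.99-OpenSSH_2.2.0",
    "SSH-1.99-OpenSSH_2.3.0",
    "SSH-1.99-2.4.0",
    "SSH-1.5-OpenSSH-1.2.3",
    "SSH-1.5-1.2.27",
    "SSH-1.5-1.2.32",
    "SSH-1.0-SSH_Version_Mapper",
]

if __name__ == "__main__":
    for sample in SAMPLE_BANNERS:
        print("%-28s %s" % (sample, classify_banner(sample)))
```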





Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Tim Haynes

Noah L. Meyerhans [EMAIL PROTECTED] writes:

> On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
> > So perhaps Debian security is only as good as the package maintainers?
> > I'm sure most maintainers do care and do investigate bugs I probably
> > just had a bad experience.
>
> That is the case in unstable and testing, but not stable. That is why
> you're encouraged to run stable on any machine connected to the internet.
> In its case, there is a group within Debian who is responsible for
> providing security updates in a timely manner with or without assistance
> from the package maintainer.

Agreed. You have to decide for the situation at hand; as it happens, my
favourite colo server runs Testing, on the grounds that one of these days,
Stable will change en-masse and the last thing I want is for ssh not to
restart in my daily dist-upgrades of nearly every package on the box - the
machine came home for a bit of TLC one time and got put onto Testing so the
daily dist-upgrade only does a few packages rather than the whole lot.
In the meantime, security patches (notably only _mutt_ anyway) can come
down from Unstable.

Cheers,

~Tim
-- 
http://spodzone.org.uk/






Re: Don't panic (ssh)

2002-01-14 Thread Will Aoki

On Mon, Jan 14, 2002 at 12:17:15PM +, Iain Tatch wrote:
> On 14 January 2002 at 11:48:34 [EMAIL PROTECTED] wrote:
>
> >> Have I missed something and was I already OK, or is the current stable
> >> potato release shipping with a potential ssh security hole?
>
> > AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need
> > to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though,
> > as SSH2 so far does not support RSA keypairs and needs DSA keys.
>
> That's the impression I was under, too. In which case the current stable
> release of Debian comes with an sshd which uses protocol 1 and is
> therefore open to allowing remote root compromises.

There are actually two *separate* CRC32-related flaws in ssh.

The first is a protocol design flaw that allows the injection of data
into an ssh session. This is the 'CRC32 compensation' attack. Modern
ssh1 implementations have code to detect this, which leads to the next
flaw:

The remote root flaw is a bug in the CRC32 compensation attack detector.
In OpenSSH this has been fixed since 2.3.0 - nearly a year old.

It's still probably better to run only ssh2 if you have a choice, but
if you're still running ssh1 your system is not wide open.

The Debian stable sshd has had the appropriate patches backported to it,
so it's not vulnerable to this remote root hole.

-- 
William Aoki [EMAIL PROTECTED]   /\  ASCII Ribbon Campaign
3B0A 6800 8A1A 78A7 9A26 BB92  \ /  No HTML in mail or news!
9A26 BB92 6329 2D3E 199D 8C7B   X
   / \






Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Preben Randhol

Dietmar Braun [EMAIL PROTECTED] wrote on 14/01/2002 (12:21) :
> Anybody residing near to the korean border who can take the great scissor 
> and cut off the cable from korea to the civilized world?
>
> Nothing but spam coming from this foolish idiots...

Well if one should do like you say then one would have to cut off Germany and
USA too as I get spam from both countries, most from the latter of
course.

I think procmail is your friend.

Preben
-- 
 ()   Join the worldwide campaign to protect fundamental human rights.
'||}
{||'   http://www.amnesty.org/






Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Preben Randhol

Oystein Viggen [EMAIL PROTECTED] wrote on 14/01/2002 (15:24) :
> * [Oystein Viggen]
>
> :0
> * ^Content-Type: text/html|\
> ^Subject:.*=\?ks_c_5601-1987\?
> Spambox

Why not simply:

:0
* ^Content-Type: text/html
Spambox

I have never gotten a html mail worth reading.

Preben
-- 
«.., chaos is found in greatest abundance wherever order is being
sought. It always defeats order, because it is better organized.»
-- Interesting Times, Terry Pratchett






Re: Asking for documentation help (Re: IPSec questions...)

2002-01-14 Thread Noah L. Meyerhans

On Mon, Jan 14, 2002 at 10:31:38AM +0100, Javier Fernández-Sanguino Peña wrote:
   I was wondering... could someone write a How to build VPN's in
 Debian small documentation for inclusion in the Debian Security HOWTO
 (http://www.debian.org/doc/ddp) it could make for a nice chapter in there.

I can't necessarily volunteer right now, as I'm far too busy, but I can
certainly put in some effort and provide some technical help.  I use
FreeS/WAN in just about every configuration it supports, all on Debian.

I'd happily volunteer to write the whole chapter, but I don't foresee
having enough free time for that until sometime in mid March.  If
anybody wants to work on it, though, let me know, and I'll lend a hand.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Dietmar Braun

 Well if one should do like you say then one would have to cut off Germany and
 USA too as I get spam from both countries, most from the latter of
 course.

Ok, I admit that this isn't practicable (I shouldn't write mails when I am 
VERY angry...),
but the point is:
from USA and Germany, we normally get also mails we want and we need.
 From Korea/China and other spammers heaven, we get nothing but spam - 
there is no mail from these countries I had to admit that I wanted it...

Dietmar






Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Preben Randhol

Oystein Viggen [EMAIL PROTECTED] wrote on 14/01/2002 (17:14) :
 
 Note the |, that's an OR.  My rule kills all html-mail but also (I
 believe), all that unintelligible Korean spam.

Ah I missed that.

Preben
-- 
 ()   Join the worldwide campaign to protect fundamental human rights.
'||}
{||'   http://www.amnesty.org/






The most cost-effective marketing tool

2002-01-14 Thread Direct email service




we are the World's Largest distributor of 
direct company news and other business communications materials.
we can broadcast your web site news or your 
business, or a new service within your business ( you can add your logo/photo to 
your press release ) to every Newspaper, Magazine, Television and Cable Channel, 
AM/FM Radio Station and all major media outlets in the top daily and national 
newspapers, top industry and segment publications, TV, Radio, and top online 
news sources in the world.
Direct e-mail service that generates new lists 
based on the target market for your products/services,we specialize in helping 
increase business contacts and sales through the use of targeted consumer and 
business lists.
For more information welcome to:http://www.longf.com





Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Jacques Lav!gnotte

On Mon, Jan 14, 2002 at 04:54:31PM +0100, Dietmar Braun wrote:
  Well if one should do like you say then one would have to cut off Germany and
  USA too as I get spam from both countries, most from the latter of
  course.
 
 Ok, I admit that this isn't practicable (I shouldn't write mails when I am 
 VERY angry...),

What about SECURITY about this thread ???

Be 'civilized' people and please stop it.


Jacques

-- 

0CBE 3F8A 5A77 A35C 27C7  2D42 3EC5 806B 9178 088D







Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Joey Hess

Dietmar Braun wrote:
 from USA and Germany, we normally get also mails we want and we need.
 From Korea/China and other spammers heaven, we get nothing but spam - 
 there is no mail from these countries I had to admit that I wanted it...

Ignoring in your blind nationalistic fury that there are indeed Debian
developers in both those countries[1], of course.

-- 
see shy jo

[1] For values of Korea approaching South Korea, anyway.






Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Dietmar Braun

At 11:30 14.01.2002 -0500, Joey Hess wrote:
 Ignoring in your blind nationalistic fury that there are indeed Debian
 developers in both those countries[1], of course.

There is no need to call me nationalistic just because I am angry about
spammers in these groups.

But it's enough now, I won't post anything about that any more here, ok?

Despite of this complaints at the police and the provider don't help - we 
all know that.

Back to business now, sorry for having disturbed.

Dietmar






Re: I've been hacked by DevilSoul

2002-01-14 Thread Florian Weimer

Dries Kimpe [EMAIL PROTECTED] writes:

   Hmm, am I right in assuming that all (current) non-LKM rootkits use
 write access on /dev/kmem (/dev/mem)? In anycase, patching the kernel that
 there's no write access would be a good idea.

Yes, but it's a tremendous task.  Quite a few device drivers have bugs
which enable root to write kernel memory.

OTOH, if somebody obtains root privileges, he can probably plant a
kernel in the swapfile and instruct the boot loader to load it on the
next reboot.  AFAIK, most if not all checksumming tools don't deal
properly with such scenarios.

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  +49-711-685-5973/fax +49-711-685-5898






Re: Asking for documentation help (Re: IPSec questions...)

2002-01-14 Thread Lupe Christoph

On Monday, 2002-01-14 at 10:31:38 +0100, Javier Fernández-Sanguino Peña wrote:
   I was wondering... could someone write a How to build VPN's in
 Debian small documentation for inclusion in the Debian Security HOWTO
 (http://www.debian.org/doc/ddp) it could make for a nice chapter in there.
   Topics to comment about:

   - FreeSwan 
   - CIPE
   - Ssh
   - ...

   Any volunteer?

Not this one: ENOTUITS. But I'd like to suggest to incorporate
information from http://www.shorewall.net/PPTP.htm and
http://poptop.lineo.com/setup_pptp_server.html on PPTP and
MPPE. At least temporarily until the US vs. Non-US problem
for the kernel and PPP goes away.

I just set up PPTP and the description at the two sites applies
to Debian, too.

Obstacles that should be removed:
1) integrate MPPE in the kernel.
2) patch PPP for MPPE and MSCHAPv2.
3) upgrade PPTP to 1.0.1.

I sincerely hope this can happen soon. Until then, SuSE is way
easier to set up for PPTP. (Dunno what they deliver in the US,
but here in Germany, they have those patches integrated.)

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Lupe Christoph

On Monday, 2002-01-14 at 15:12:48 +0100, Javier Fernández-Sanguino Peña wrote:
 On Mon, Jan 14, 2002 at 01:15:16PM +0100, Wichert Akkerman wrote:
  Previously Adam Warner wrote:
   Someone with better knowledge of all the facts might want to comment on
   the claim that Debian is always the last to fix security holes and the
   tag team follow up I've been fighting for months now to try to convince
   them to release an advisory or fix for ftpd...

  Someone should point them to Javier's analysis of security response
  times..

   Thanks' I was about to say so... BTW pointer is:
 http://lists.debian.org/debian-security/2001/debian-security-200112/msg00257.html

   I'm going to add this to the info available in the Debian
 Security Manual seems to be a FAQ

I hope you provide a cleaned-up version. .../msg00257.html is full
of binary crap. And the link .../bin0.bin could be stored
as the PNG file it is supposed to be. The way it is now, I get
a MIME-type of application/octet-stream, which Mozilla won't
display. Maybe you can put the text, the spreadsheet, and the
graph on a website?

Archive maintainers, what happens to attachments like those in
the mentioned mail? I don't keep debian-security mails around,
so I can't see what MIME-type the attachments had. The binary crap
must be the spreadsheet which has been inlined.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Javier Fernández-Sanguino Peña

On Mon, Jan 14, 2002 at 06:16:46PM +0100, Lupe Christoph wrote:
 
 I hope you provide a cleaned-up version. .../msg00257.html is full
 of binary crap. And the link .../bin0.bin could be stored
 as the PNG file it is supposed to be. The way it is now, I get
 a MIME-type of application/octet-stream, which Mozilla won't
 display. Maybe you can put the text, the spreadsheet, and the
 graph on a website?

Ummm not likely.
 
 Archive maintainers, what happens to attachments like those in
 the mentioned mail? I don't keep debian-security mails around,
 so I can't see what MIME-type the attachments had. The binary crap
 must be the spreadsheet which has been inlined.

As I said, attachments are not parsed correctly by the archiving
software. And no, the spreadsheet should have been sent as a MIME
attachment (used mutt).

Regards

Javi






Re: I've been hacked by DevilSoul

2002-01-14 Thread Henrique de Moraes Holschuh

On Mon, 14 Jan 2002, Dave Kline wrote:
 OTOH, if somebody obtains root privileges, he can probably plant a 
 kernel in the swapfile and instruct the boot loader to load it on the 
 next reboot. AFAIK, most if not all checksumming tools don't deal 
 properly with such scenarios. 
 
 Quite a scary scenario.  How could one plant a file in swap?  How could 
 you access that file?

If swap is enabled, the kernel knows where it is swapping, so you have the
first part of the deal (assuming you will swapoff that swap partition/file).

For the bootloader part, it is very platform-dependent, and some (such
as grub) will be a pain in the ass if you only have swap partitions (as
opposed to swap files).

It IS possible, but it is much harder than piggybacking code on the kernel
without module support.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh






RE: Debian security being trashed in Linux Today comments

2002-01-14 Thread Jeremy L. Gaddis

It renders fine in IE.  :)

The binary data is, I presume, the two files that
Javier attached, as stated in the message:

quote
I adjoint some data:

- a Gnumeric spreadsheet with all the information
- a PNG graphic with this year's distribution of time-to-fix (in days)
made by
gnuplot with the previous data
/quote

j.

--
Jeremy L. Gaddis [EMAIL PROTECTED]





Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Micah Anderson

On Mon, 14 Jan 2002, Daniel Polombo wrote:

 Adam Warner wrote:

 Well, maybe you should follow Tim's advice and go check the security team's 
 FAQ :
 
Q: How is security handled for testing and unstable?
 
A: The short answer is: it's not. Testing and unstable are rapidly moving
   targets and the security team does not have the resources needed to
   properly support those. If you want to have a secure (and stable)
   server you are strongly encouraged to stay with stable.
 
 Of course, if you're using unstable, fixes tend to appear quickly, but :
 
 - tend to is not acceptable when security is concerned
 - it may take a lot more time depending on your local mirror


As woody draws closer and closer to being stable, and potato draws
closer and closer to the legendary dinosaurs which roamed the earth
with regards to its outdated software, perhaps this commitment to
woody's security could be revisited. I would be surprised if a lot of
the criticism that is coming out on this issue is not related to the
fact that a lot of people have moved from potato to woody because they
cannot continue to use potato due to the requirements of certain
software or underlying libraries, and are thus burned by this security
policy.

Let's face it, potato has some ancient software that is getting
outdated, you can hardly find any software that uses db2 anymore, and
it is not trivial to backport from db3, the version of perl makes
usage and installation of anything that was done in the last 5 years
difficult... potato is great, if you want to only use the packages
which come with it, it is great as a server which doesn't need any
changes, but if you want to do anything semi-new, or outside of the
package scope, you have to move to woody, or just wait. With that
movement comes a significant loss in security policy. 

Now that woody draws near to being stable, perhaps the policy can be
altered to accommodate that.

Micah






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread John Galt


Okay, this has gone far enough.  The reason that s.d.o only deals with 
stable is that stable is the only part of Debian that by its nature 
cannot change.  For unstable (and now testing) if there's a security bug, 
any DD can put up a NMU if it's severe enough, or the regular maintainer 
can fix it in a [relatively] short amount of time. It's just not feasible 
to expect a change to propagate in stable, because stable doesn't change 
at all, except in very small spurts: there have been 5 revisions to 
potato in the last [going on 2] years.  THIS is the reason that there's no 
s.d.o support for testing and unstable.  So when woody becomes stable, 
there WILL be s.d.o support for woody, because woody won't change.  Until 
they become [stagnant,stable], there is just not enough reason to have 
s.d.o support for a distribution.




-- 
void hamlet()
{#define question=((bb)||(!bb))}

Who is John Galt?  [EMAIL PROTECTED] that's who!






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Florian Weimer

Adam Warner [EMAIL PROTECTED] writes:

 http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
 
 Someone with better knowledge of all the facts might want to comment on
 the claim that Debian is always the last to fix security holes and the
 tag team follow up I've been fighting for months now to try to convince
 them to release an advisory or fix for ftpd...

Of course, libc problems are a bit unfair for comparison.  Red Hat
runs the official CVS repository, and they probably knew about the
problem by mid-November or something like that (the fix was committed
on 2001-11-29, IIRC).

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  +49-711-685-5973/fax +49-711-685-5898






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Josip Rodin

On Mon, Jan 14, 2002 at 07:19:29PM +0100, Javier Fernández-Sanguino Peña wrote:
  I hope you provide a cleaned-up version. .../msg00257.html is full
  of binary crap. And the link .../bin0.bin could be stored
  as the PNG file it is supposed to be. The way it is now, I get
  a MIME-type of application/octet-stream, which Mozilla won't
  display.
 
   As I said, attachments are not parsed correctly by the archiving
 software. And no, the spreadsheet should have been sent as a MIME
 attachment (used mutt).

Does anyone know if we can tweak mhonarc to handle this more gracefully?

-- 
 2. That which causes joy or happiness.






Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Alain Tesio

 Oystein Viggen [EMAIL PROTECTED] wrote on 14/01/2002 (15:24) :
 
 :0
 * ^Content-Type: text/html|\
  Look here: ^
 ^Subject:.*=\?ks_c_5601-1987\?
 Spambox


You should also filter on:
Content-Type: text/html; charset=ks_c_5601-1987

Or just use spamassassin (package in sid and woody) and the
rule CHARSET_FARAWAY, it's a great antispam filter.

Alain
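
The recipes discussed in this thread, restated as an added Python example (not code from any poster): it applies the same header tests to constructed messages to show which ones each recipe would file into Spambox. Python's `re` stands in for procmail's matcher, and the names `classify`, `CHARSET` and all sample messages are assumptions of this example; `CHARSET` generalises Alain's Content-Type check to any media type.

```python
import re

FLAGS = re.IGNORECASE | re.MULTILINE  # procmail conditions ignore case by default

# Oystein's recipe: the "|\" ending the first condition line continues the
# regex, so both patterns form ONE alternation (HTML mail OR encoded Subject).
OYSTEIN = re.compile(
    r"^Content-Type: text/html|^Subject:.*=\?ks_c_5601-1987\?", FLAGS)
# Preben's shorter recipe: HTML mail only.
PREBEN = re.compile(r"^Content-Type: text/html", FLAGS)
# Generalisation of Alain's suggestion (assumption of this example): the
# charset as a Content-Type parameter on any media type, quoted or not.
CHARSET = re.compile(r'^Content-Type:.*charset="?ks_c_5601-1987', FLAGS)


def header_block(raw):
    """Return only the header section, with folded header lines unfolded."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    return re.sub(r"\n[ \t]+", " ", head)


def classify(raw):
    """Say which of the three header tests would match this message."""
    hdr = header_block(raw)
    return {
        "oystein": bool(OYSTEIN.search(hdr)),
        "preben": bool(PREBEN.search(hdr)),
        "charset": bool(CHARSET.search(hdr)),
    }


# --- Constructed sample messages (not taken from the list) ---
HTML_SPAM = (
    "From: sender@example.invalid\n"
    "Subject: unreadable raw 8-bit subject\n"
    "Content-Type: text/html; charset=ks_c_5601-1987\n"
    "\n<html>...</html>\n")

ENCODED_SUBJECT = (
    "From: sender@example.invalid\n"
    "Subject: =?ks_c_5601-1987?B?vsiz58fPvLy/5A==?=\n"
    "Content-Type: text/plain\n"
    "\nbody\n")

# Plain text, ASCII subject, charset only in a folded Content-Type header:
# neither HTML test nor the Subject test sees it.
CHARSET_ONLY = (
    "From: sender@example.invalid\n"
    "Subject: hello\n"
    "Content-Type: text/plain;\n"
    "\tcharset=\"ks_c_5601-1987\"\n"
    "\nbody\n")

# Ordinary list traffic: must not be filed as spam.
LIST_MAIL = (
    "From: poster@example.invalid\n"
    "Subject: Re: Don't panic (ssh)\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\nbody\n")

# HTML carried as one part of a multipart message: the text/html line is in
# the body, so a header-only test does not match it.
MULTIPART_HTML = (
    "From: sender@example.invalid\n"
    "Subject: special offer\n"
    "Content-Type: multipart/alternative; boundary=\"b1\"\n"
    "\n--b1\nContent-Type: text/html\n\n<html>...</html>\n--b1--\n")

SAMPLES = {
    "html_spam": HTML_SPAM,
    "encoded_subject": ENCODED_SUBJECT,
    "charset_only": CHARSET_ONLY,
    "list_mail": LIST_MAIL,
    "multipart_html": MULTIPART_HTML,
}


def report():
    """Classify every constructed sample."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:16} {result}")
```
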







Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Adam Warner

On Tue, 2002-01-15 at 01:41, Daniel Polombo wrote:
 Adam Warner wrote:
 
  On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:
 
 Some of us wouldn't dare say such things without at least reviewing the
 given distro's security policy, FAQ and history.
 
  But I was really impressed that updates for unstable/testing were
  released at the same time. For those of us that use/test the bleeding
  edge on our systems it's a great reassurance to see the security team
  giving consideration to the security of testing/unstable.
 
 Well, maybe you should follow Tim's advice and go check the security team's FAQ :

Weren't my comments enough for you to be able to interpret WHY I said
I was really impressed? I have known and understood the security FAQ
for a long time Daniel.
 
 Q: How is security handled for testing and unstable?
 
 A: The short answer is: it's not. Testing and unstable are rapidly moving
targets and the security team does not have the resources needed to
properly support those. If you want to have a secure (and stable)
server you are strongly encouraged to stay with stable.

http://www.debian.org/security/2002/dsa-097

This problem has been fixed in Exim version 3.12-10.2 for the stable
distribution Debian GNU/Linux 2.2 and 3.33-1.1 for the testing and
unstable distribution.

Oops the security team breached their FAQ :-)

 Of course, if you're using unstable, fixes tend to appear quickly, but :
 
 - tend to is not acceptable when security is concerned
 - it may take a lot more time depending on your local mirror

Which is why I uncommented the main distribution sites in sources.list
and got the updates for testing/unstable right away. That's why I was
impressed. Because I am aware of the FAQ.

Still I hope such care about the security of testing/unstable continues
and note the comments of John Galt.

I have noticed many instances where unstable has been secure when stable
has not (before an update). Bugs that are found in Potato are not always
relevant to the quick moving new binaries and code in unstable.

I feel happy about the security of my unstable systems and am not aware
of any vulnerabilities that I have read about at Linux Weekly News that
presently affect my installations. I have had to keep up with a few
fixes to Zope in the past but there was a huge Python transition being
undertaken at the time.

Regards,
Adam







Re: Asking for documentation help (Re: IPSec questions...)

2002-01-14 Thread Stefan Srdic

On January 14, 2002 02:31 am, Javier Fernández-Sanguino Peña wrote:
 I was wondering... could someone write a How to build VPN's in
 Debian small documentation for inclusion in the Debian Security HOWTO
 (http://www.debian.org/doc/ddp) it could make for a nice chapter in there.
   Topics to comment about:

   - FreeSwan
   - CIPE
   - Ssh
   - ...

   Any volunteer?

   Javi

I wouldn't mind getting involved with the Debian project, even if it is just 
writing docs for the community.

I don't have any practical experience with FreeSWAN at all, however, I have 
statically compiled BIND 9 and placed it in a chroot jail on Debian. I 
wonder if it would be hard to package a chroot'ed setup of BIND9 once it is 
completely configured?

Anyway,

I would be glad to contribute to any aspect of Debian itself. Just let me 
know what I can do.

Stef






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Peter Cordes

On Mon, Jan 14, 2002 at 01:25:11PM -0500, Jeremy L. Gaddis wrote:
 It renders fine in IE.  :)

 Yeah, but it has the binary crap at the end.  It renders like that in moz
too.  (both running on the family 'doze PC while I type this mail through
PuTTY.)

 
 The binary data is, I presume, the two files that
 Javier attached, as stated in the message:
 
 quote
 I adjoint some data:
 
 - a Gnumeric spreadsheet with all the information
 - a PNG graphic with this year's distribution of time-to-fix (in days)
 made by
 gnuplot with the previous data
 /quote

 The binary crap is probably the spreadsheet by itself, but maybe the image
too.  The download link for bin0.bin is the image.  It is not PNG, but
rather a gzipped xwd.  I don't know why it's .bin instead of .xwd.gz.

 I recompressed it as a real PNG, and attached it to this mail, for your
viewing pleasure :)  PNG gets 3.5 times better compression, probably because
this image only uses 8 bits of colour, and the xwd was 24bit.


 Someone else mentioned that this graph should go up on a website, but
someone else shot them down.  I think the suggestion was just for this image
in particular, not that this should be done for every image-attachment on
all lists.  Anyway, I agree that it would be cool to have this graph and the
data available on a web site.  (With the data in a two-column ascii list,
rather than a spreadsheet or something that needs to be downloaded and dealt
with separately.)  Of course, then we might need to make up excuses, or
preferably find solutions, for the exceptionally long bugs.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces! -- Plautus, 200 BCE



fix-time.png
Description: PNG image


Re: Don't panic (ssh)

2002-01-14 Thread crispin

On Mon, Jan 14, 2002 at 11:07:38AM +, Iain Tatch wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On 14 January 2002 at 10:35:17 Thomas Seyrat wrote:
 
 TS   Not if your SSH daemon is up to date :-)
 
 Is the SSHD in the latest potato fully up-to-date, though? I am a very
 recent convert to Debian, having been an avid Slackware fan for the last
 seven years. However one of my (very old) Slack boxen was compromised on
 Christmas Day via the sshd CRC32 vulnerability and I decided to replace it
 with Debian, a distro which has seriously impressed me.
 
 Not wanting the same problem to reoccur, after installation &
 configuration I checked my version of sshd. As far as I could ascertain
 the sshd which comes with the current potato release is OpenSSH
 1.something (can't say exactly what now as I've removed it and my notes
 are all at home), however iirc it was only using version 1 of the SSH
 protocols, which leaves the vulnerability in place.

According to "SSH, The Secure Shell" (O'Reilly and Associates)...

Insertion or compensation attack:

Although not an especially easy attack to mount, this is a serious vulnerability. The 
attack results from composition properties of CRC-32 together with certain bulk 
ciphers in certain modes. The attack can be avoided altogether by using the 3DES 
cipher, which is immune.

SSH1 1.2.25, F-Secure SSH1 1.3.5 and later versions as well as all versions of OpenSSH 
include the crc32 compensation attack detector, designed to detect and prevent this 
attack. The detector renders the attack harder to mount, but doesn't prevent it 
entirely. SSH-2 uses cryptographically strong integrity checks to avoid such problems.

Kind Regards
Crispin
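
A way to check which SSH protocol versions a server offers, the question running through this thread, added here as an example (not from the book or from any poster). It parses the server's identification string; the function names and the sample banners are constructed for this example.

```python
import re
import socket

# Identification string sent by the server on connect:
#   SSH-<protoversion>-<softwareversion>[ comments]
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")


def parse_banner(data):
    """Return (protoversion, software) from a server greeting, or None.

    A server may send other text lines before the identification string,
    so every line is scanned rather than only the first.
    """
    for line in data.decode("latin-1").splitlines():
        m = BANNER_RE.match(line)
        if m:
            return m.group(1), m.group(2)
    return None


def protocol_support(protoversion):
    """Map the advertised protocol version to what the server will speak."""
    if protoversion == "1.99":
        return "ssh1+ssh2"   # SSH-2 server that also accepts SSH-1 clients
    major = protoversion.split(".")[0]
    if major == "1":
        return "ssh1-only"
    if major == "2":
        return "ssh2-only"
    return "unknown"


def assess(data):
    """Summarise a greeting; None if it is not an SSH identification."""
    parsed = parse_banner(data)
    if parsed is None:
        return None
    proto, software = parsed
    support = protocol_support(proto)
    return {
        "protoversion": proto,
        "software": software,
        "support": support,
        # SSH-1 is the protocol whose CRC-32 integrity check is discussed above.
        "ssh1_offered": support in ("ssh1-only", "ssh1+ssh2"),
    }


def read_banner(host, port=22, timeout=5.0):
    """Fetch the greeting from a server you administer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(256)


# Caveat: the software version in the banner does not show whether a
# distribution has backported a fix into an older version, so this reports
# which protocols are offered, not whether a given patch is present.

# --- Constructed sample greetings (not captured from real hosts) ---
SAMPLES = [
    b"SSH-1.5-OpenSSH-1.2.3\r\n",
    b"SSH-1.99-OpenSSH_3.0.2p1\r\n",
    b"SSH-2.0-OpenSSH_3.0.2p1\r\n",
    b"Authorised use only\r\nSSH-2.0-example_1.0\r\n",
    b"220 mail.example.invalid ESMTP\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", assess(sample))
```
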






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Peter Cordes

On Mon, Jan 14, 2002 at 12:17:15PM -0700, John Galt wrote:
 
 Okay, this has gone far enough.  The reason that s.d.o only deals with 
 stable is that stable is the only part of Debian that by its nature 
 cannot change.  For unstable (and now testing) if there's a security bug, 
 any DD can put up a NMU if it's severe enough, or the regular maintainer 
 can fix it in a [relatively] short amount of time. It's just not feasible 
 to expect a change to propagate in stable, because stable doesn't change 
 at all, except in very small spurts: there have been 5 revisions to 
 potato in the last [going on 2] years.  THIS is the reason that there's no 
 s.d.o support for testing and unstable.  So when woody becomes stable, 
 there WILL be s.d.o support for woody, because woody won't change.  Until 
 they become [stagnant,stable], there is just not enough reason to have 
 s.d.o support for a distribution.

 I think this was well known already, but now that we're sure everyone knows
this, I think Micah's idea is interesting.  When things are a long way from
a freeze/release, you're right, John, it's ok to let security be handled in
the current haphazard way it does now.  However, how is the testing release
(currently woody) going to get any testing if nobody uses it because its
security isn't good enough?  Some say you should never run unstable or
testing on a machine connected to the internet, but almost all computers are
connected to the Internet, at least as clients.  This especially applies to
the home computers of the average hacker, which is the kind of person who
would usefully test and provide feedback on woody.  A home system is
somewhere I would use a system that wasn't guaranteed to be secure, and
where I might have to shut down daemons if no security fix was available for
a problem that affected them. (of course I want my machine to be secure, but
I can live without guarantees and check on things myself.) I actually use
woody on my home NAT firewall, which also runs exim and sshd.  (These are
the only daemons allowing connections from the outside world on this
machine.)

 Hmm, if a security problem which affects unstable and/or testing, but not
stable, is found, what happens?  I presume it would get mentioned here, but
is a DSA sent out when it's fixed?  Would I have to read Bugtraq or
something to get notification as soon as it's found (so I could shut down an
insecure daemon until the problem was fixed.)  I'd rather temporarily give
up the ability to ssh into my home machine and check my email than leave it
open to attack.

 On Mon, 14 Jan 2002, Micah Anderson wrote:
 As woody draws closer and closer to being stable, and potato draws
 closer and closer to the legendary dinosaurs which roamed the earth
 with regards to its outdated software, perhaps this commitment to
 woody's security could be revisited. I would be surprised if a lot of
 the criticism that is coming out on this issue is not related to the
 fact that a lot of people have moved from potato to woody because they
 cannot continue to use potato due to the requirements of certain
 software or underlying libraries, and are thus burned by this security
 policy.
 
  [...]
 
 Now that woody draws near to being stable, perhaps the policy can be
 altered to accommodate for that.

 I agree.  To get testing better tested (by providing the service more
people need to run it), and to get the security team familiar with the
soon-to-be-stable release, there could be a mechanism for security fixes to
get done on woody, etc.  I don't know what kind of security promises would
be appropriate, or what, but I think it would be a good idea to do something
along these lines.  Maybe someone should make a list of packages that the
security team would take time to deal with in woody, and add packages to it
over time.  Starting with popular packages and/or packages classified as
required/important might make sense.

 Here's another idea: Only worry about remote exploits for non-stable dists.
Many of the security advisories apply to local security only, and don't let
a remote attacker get into the machine in the first place.  (Many of them
would help an attacker get root after getting a shell running as e.g. nobody
or http).  Only worrying about remote exploits in soon-to-be-released dists
would let a lot more people run them safely, since a lot of home systems
are single user, or at least the other users are trusted/not skilled.
(Think family members and roommates.  If they crack your system, you can put
glue on their doorknob or a snowball in their boots :) For important servers
where you really care, like in a business environment, you would certainly
want to stick with stable, so no new holes will be introduced, nothing
breaks, etc.  For systems where you are prepared to live with a little
danger, you can run testing and give stuff a workout.  When there are known
local exploits that haven't been fixed in the dist you're running, it's like
running your daemons 

Re: Asking for documentation help (Re: IPSec questions...)

2002-01-14 Thread Noah L. Meyerhans

On Mon, Jan 14, 2002 at 07:52:59AM -0700, Stefan Srdic wrote:
 
 I wouldn't mind getting involved with the Debian project, even if it is just
 writing docs for the community.

Even if it's *just* writing docs for the community?  A lot of people
don't seem to realize it, but that's one of the most important things
you can do to contribute!  In many cases, the code is all there but the
only people who know how to use it are the people who wrote it!

 I don't have any practical experience with FreeSWAN at all, however, I have
 statically compiled BIND 9 and placed it in a chroot jail on Debian. I
 wonder if it would be hard to package a chroot'ed setup of BIND9 once it is
 completely configured?

I recall there being discussion a while back about packaging chroot
bind.  I don't know whether or not anything came of it at all.  There is
a chroot bind HOWTO already.  Last I knew, this only addressed bind 8
and did so from either a distribution independent or (worse) a Redhat
specific point of view.  I'm not sure where you would want to publish
your bind 9 docs.  Perhaps they'd be put to best use if contributed to
the Securing Debian howto.  Or you could offer them to the author of
the chroot bind HOWTO, possibly adding the Debian specific stuff as an
appendix to the main document or something.

 
 I would be glad to contribute to any aspect of Debian itself. Just let me 
 know what I can do.
 

If you're serious about your willingness to contribute documentation,
see http://www.debian.org/doc/ddp/  To me, it seems that a lot of the
docs there have a great deal of potential, but there's a lot of
duplication of effort.  I'd really love to see a relatively major,
broadly scoped document linked directly from the www.debian.org, similar
to the FreeBSD Handbook.  That's my suggestion, anyway.  There's plenty
of work to be done.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Olaf Meeuwissen


Peter Cordes [EMAIL PROTECTED] writes:

 [...]  To get testing better tested (by providing the service more
 people need to run it), and to get the security team familiar with
 the soon-to-be-stable release, there could be a mechanism for
 security fixes to get done on woody, etc.  I don't know what kind of
 security promises would be appropriate, or what, but I think it
 would be a good idea to do something along these lines.  Maybe
 someone should make a list of packages that the security team would
 take time to deal with in woody, and add packages to it over time.
 Starting with popular packages and/or packages classified as
 required/important might make sense.

Currently, testing is getting frozen in steps as far as I understand
the process.  What about providing proper security updates for those
parts that have already been frozen?  These would have to be dealt with
in a special way to get upgraded anyway so you might as well provide
the upgrade as a proper security update.  This could also serve as a
handle for the folks who are coordinating the release process.
-- 
Olaf Meeuwissen   Epson Kowa Corporation, Research and Development
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2   -- I hack, therefore I am -- BOFH




Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Yooseong Yang

Anybody residing near to the Korean border who can take the great scissor
and cut off the cable from Korea to the civilized world?

You mean Korean people are barbarous? 

but the point is:
 from USA and Germany, we normally get also mails we want and we need.
  From Korea/China and other spammers heaven, we get nothing but spam - 
 there is no mail from these countries I had to admit that I wanted it...

Though I am very shameful due to this kinda junk mail as a KOREAN,
your opinion is very biased. :( 
In Korea, many actions are taken for preventing these spam mails from 
being delivered. Korea suffers from this kinda junk mails. 

Two Debian related books are published and 5 official maintainers
and lots of Debian users contribute many things to Debian or
Debian-KR (http://www.debian.or.kr) project in both
l10n and i18n.

Not all mails from Korea are spam. :) 

 
 Dietmar


Yooseong
--
Yooseong Yang  [EMAIL PROTECTED]
Debian(-KR) Developer 
http://www.debian.org http://www.debian.or.kr
http://pcel3.snu.ac.kr/~yooseong

CCs of replies from mailing lists are encouraged





RE: sshd sending packets outside lan during local connection

2002-01-14 Thread Jeff Stevens

Thank you, it worked.  I added the dns info about the host trying to connect
in the firewall's /etc/hosts file and I guess it was able to resolve the host
name without doing a dns look-up externally.


Thanks


From: Jason Sopko [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Subject: RE: sshd sending packets outside lan during local connection
Date: Sun, 13 Jan 2002 22:44:42 -0500

I didn't look at your tcpdump output but I'd assume it's trying to
resolve the in-addr.arpa record for the internal IP address and failing.
Try setting up BIND to resolve PTR records for the internal network IP
addresses and make sure that the server is configured to look to itself
for DNS. Hope this helps.

///Jason

-Original Message-
From: Jeff Stevens [mailto:[EMAIL PROTECTED]
Sent: Sunday, January 13, 2002 10:27 PM
To: debian-security@lists.debian.org
Subject: sshd sending packets outside lan during local connection


I am using Debian Potato 2.2.19ide-pci and running openssh (3.0.2p1) and
bind (version: 1:8.2.3-0.potato.1).  It is also being used as a firewall for
a local network.  It has 2 nic cards, one with an internal ip and one with
an external ip.
When I ssh locally (to the internal ip) to this firewall it sends out packets
to my ISP.  If I unplug the external ip nic before entering the password
then the connection pauses for about a minute before connecting.

I am no expert as I have just started using Debian, but it seems like the
password is being sniffed.  I'm not exactly sure what the tcpdump output
shows (ATTACHED with route info) but it seems to be doing a domain name look
up (but I could be wrong).  I have no idea why it would have to do a domain
look-up because I connect via ip address (ssh [EMAIL PROTECTED]) which is
inside the local network.

Earlier I made the mistake of offering bind publicly.  I recently changed
this but I don't know if I was compromised during the time it was public.  I
am hoping this is just a misconfiguration problem.  Any suggestions would be
greatly appreciated.  Thanks in advance.

--Jeff
Debian user







[Promotion] This is 아이따따따, the search engine made by netizens.

2002-01-14 Thread 아이따따따
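Title: Search engine 아이따따따

The Internet holds a great deal of information, and there are search engines
that find that information. However, because search engines return far too
much information, people end up wasting a lot of effort and time looking for
what they need.

We are now in an age that demands reliable information rather than a large
volume of search results from which nothing can be gained. Among the sites
scattered across the Internet there are many that hold information we really
need, and these sites are classified as portal, vortal and hub sites.

아이따따따 is a category and keyword search engine that finds such sites.
It is a search engine in which only reliable, carefully selected sites are
registered and managed in each category, on the conscience of netizens, and
you too can become a category manager.

If you become a category manager, we give you one share of 아이엔웹 Co., Ltd.
stock free of charge and a pop3 e-mail account.
(Example: [EMAIL PROTECTED])
We also grant you permission to manage that category and register your
manager ID on it.
(After applying for registration, log in as the manager and you can manage
the category directly.)

If you sign up and become a member, we give you one share of 아이엔웹 Co., Ltd.
stock free of charge.
This is because netizens are the owners of the Internet and 아이따따따 belongs
to netizens!

Please visit http://iwww.net (아이따따따)

The philosophy of 아이따따따 is for us netizens to share the useful information
we have with one another and to create a new netizen culture. We ask you to
become part of the 아이따따따 family too.

Stay healthy and happy always~~~ Thank you.

Average daily visits: 774,500 hits (2002.01.07)
Categories managed by netizens: 745

Please visit and judge for yourself! ==http://iwww.net
If you find it a useful site, please tell the people around you.
(아이따따따 = iwww)

If we have caused you any inconvenience, please forgive us.

Your e-mail address was obtained while web surfing on the Internet, and we
hold no other information about you.
From now on we will send only useful information on the Internet, information
and communications, antivirus software and the like.
If you join the 아이따따따 family you can receive useful information through
the all-family mailing.
See the notices to learn what is going on inside 아이따따따.
We run a public bulletin board to gather netizens' opinions.
If you still do not wish to receive mail, click Unsubscribe!
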

Re: Don't panic (ssh)

2002-01-14 Thread Thomas Seyrat
Jacques Lav!gnotte wrote:
 Jan 13 09:50:58 news sshd[897]: scanned from 216.78.148.184 with
 +SSH-1.0-SSH_Version_Mapper.  Don't panic.
 Jan 13 09:50:58 news sshd[896]: Did not receive identification string from
 +216.78.148.184
 Should I really Not Panic ? :)

  Not if your SSH daemon is up to date :-)

  Actually,  this message  is  left  by the  «  scanssh  » utility  (see
  http://www.monkey.org/~provos/scanssh/),  which is  used by  sysadmins
  (or crackers) to detect weak SSH daemons on whole networks.

-- 
Thomas Seyrat.
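
A way to pick the two sshd messages quoted above out of a syslog file and group them by source address, so a scan like this one can be told apart from normal logins. This is an added example, not code from the thread; the sample log is constructed in the same format, with documentation-range addresses, and the threshold of two silent connections is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format quoted above; the addresses are
# documentation-range placeholders, not hosts from the thread.
SAMPLE_LOG = """\
Jan 13 09:50:58 news sshd[897]: scanned from 192.0.2.10 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
Jan 13 09:50:58 news sshd[896]: Did not receive identification string from 192.0.2.10
Jan 13 10:02:11 news sshd[912]: Accepted password for alice from 198.51.100.7 port 40022
Jan 13 10:30:02 news sshd[920]: Did not receive identification string from 198.51.100.20
Jan 13 11:15:40 news sshd[930]: Did not receive identification string from 203.0.113.5
Jan 13 11:15:41 news sshd[931]: Did not receive identification string from 203.0.113.5
"""

SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
# The scanner announces itself with its own banner instead of a client version.
SCANNED = re.compile(
    r"^scanned from (?P<ip>\S+) with (?P<banner>\S+?)\.\s+Don't panic\.$")
# A TCP connection that closed before any identification string was sent.
NO_IDENT = re.compile(
    r"^Did not receive identification string from (?P<ip>\S+)$")


def summarize_probes(log_text):
    """Group sshd probe messages by source address."""
    sources = defaultdict(lambda: {"scanned": 0, "no_ident": 0,
                                   "banners": set(),
                                   "first": None, "last": None})
    for line in log_text.splitlines():
        entry = SYSLOG.match(line.strip())
        if not entry:
            continue
        msg = entry.group("msg")
        hit, kind = SCANNED.match(msg), "scanned"
        if not hit:
            hit, kind = NO_IDENT.match(msg), "no_ident"
        if not hit:
            continue  # ordinary sshd traffic (logins, disconnects, ...)
        rec = sources[hit.group("ip")]
        rec[kind] += 1
        if kind == "scanned":
            rec["banners"].add(hit.group("banner"))
        rec["first"] = rec["first"] or entry.group("ts")
        rec["last"] = entry.group("ts")
    return dict(sources)


def probing_sources(log_text, min_no_ident=2):
    """Addresses that announced a scanner banner, or that opened at least
    min_no_ident connections without sending an identification string."""
    return sorted(ip for ip, rec in summarize_probes(log_text).items()
                  if rec["scanned"] or rec["no_ident"] >= min_no_ident)


if __name__ == "__main__":
    for ip in probing_sources(SAMPLE_LOG):
        rec = summarize_probes(SAMPLE_LOG)[ip]
        print(ip, rec["scanned"], rec["no_ident"], sorted(rec["banners"]))
```

A single connection without an identification string (198.51.100.20 in the sample) stays below the threshold, since port monitors and aborted clients produce the same message.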



Re: Don't panic (ssh)

2002-01-14 Thread Iain Tatch

On 14 January 2002 at 10:35:17 Thomas Seyrat wrote:

TS   Not if your SSH daemon is up to date :-)

Is the SSHD in the latest potato fully up-to-date, though? I am a very
recent convert to Debian, having been an avid Slackware fan for the last
seven years. However one of my (very old) Slack boxen was compromised on
Christmas Day via the sshd CRC32 vulnerability and I decided to replace it
with Debian, a distro which has seriously impressed me.

Not wanting the same problem to reoccur, after installation &
configuration I checked my version of sshd. As far as I could ascertain
the sshd which comes with the current potato release is OpenSSH
1.something (can't say exactly what now as I've removed it and my notes
are all at home), however iirc it was only using version 1 of the SSH
protocols, which leaves the vulnerability in place.

I removed the Debian SSH package & manually installed OpenSSH 3.0.2p1
which is invulnerable (so far!) to all known vulnerabilities as long as
version 1 of the SSH protocol isn't used, even as a fallback.

Have I missed something and was I already OK, or is the current stable potato
release shipping with a potential ssh security hole?

Cheers
--
Iain | PGP mail preferred: pubkey @ www.deepsea.f9.co.uk/misc/iain.asc
 Versace & Prada mean nothing to me,
   You buy your friends but I'll hate you for free
   Rescue Kyoto, boycott Esso/Exxon/Mobil: http://www.stopesso.com




Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Dietmar Braun
Anybody residing near to the Korean border who can take the great scissor
and cut off the cable from Korea to the civilized world?


Nothing but spam coming from these foolish idiots...

Sorry but that makes me very angry now.

No chance to block these bastards?

Dietmar, annoyed.



Re: Don't panic (ssh)

2002-01-14 Thread crispin
On Mon, Jan 14, 2002 at 11:07:38AM +, Iain Tatch wrote:
 
 On 14 January 2002 at 10:35:17 Thomas Seyrat wrote:
 
 TS   Not if your SSH daemon is up to date :-)
 
 Is the SSHD in the latest potato fully up-to-date, though? I am a very
 recent convert to Debian, having been an avid Slackware fan for the last
 seven years. However one of my (very old) Slack boxen was compromised on
 Christmas Day via the sshd CRC32 vulnerability and I decided to replace it
 with Debian, a distro which has seriously impressed me.
 
 Not wanting the same problem to reoccur, after installation &
 configuration I checked my version of sshd. As far as I could ascertain
 the sshd which comes with the current potato release is OpenSSH
 1.something (can't say exactly what now as I've removed it and my notes
 are all at home), however iirc it was only using version 1 of the SSH
 protocols, which leaves the vulnerability in place.
 
 I removed the Debian SSH package & manually installed OpenSSH 3.0.2p1
 which is invulnerable (so far!) to all known vulnerabilities as long as
 version 1 of the SSH protocol isn't used, even as a fallback.
 
 Have I missed something and was I already OK, or is the current stable potato
 release shipping with a potential ssh security hole?

AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need 
to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though, as 
SSH2 so far does not support RSA keypairs and needs DSA keys.

Anyone with more in-depth knowledge like to comment?

Crispin



Debian security being trashed in Linux Today comments

2002-01-14 Thread Adam Warner
http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB

Someone with better knowledge of all the facts might want to comment on
the claim that Debian is always the last to fix security holes and the
tag team follow up I've been fighting for months now to try to convince
them to release an advisory or fix for ftpd...

Regards,
Adam



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Tim Haynes
Adam Warner [EMAIL PROTECTED] writes:

 http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB

 Someone with better knowledge of all the facts might want to comment on
 the claim that Debian is always the last to fix security holes and the
 tag team follow up I've been fighting for months now to try to convince
 them to release an advisory or fix for ftpd...

Some of us wouldn't dare say such things without at least reviewing the
given distro's security policy, FAQ and history.

http://www.debian.org/security/ is over there --- .

~Tim
-- 
http://spodzone.org.uk/



Re: Don't panic (ssh)

2002-01-14 Thread Iain Tatch

On 14 January 2002 at 11:48:34 [EMAIL PROTECTED] wrote:

 Have I missed something and was I already OK, or is the current stable
 potato release shipping with a potential ssh security hole?  

 AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need
 to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though,
 as SSH2 so far does not support RSA keypairs and needs DSA keys.  

That's the impression I was under, too. In which case the current stable
release of Debian comes with an sshd which uses protocol 1 and is
therefore open to allowing remote root compromises.

Is there any way to find out what flavour of Debian I have which is more
detailed than this:

[EMAIL PROTECTED]:~$ cat /etc/debian_version
2.2

Cheers
--
Iain | PGP mail preferred: pubkey @ www.deepsea.f9.co.uk/misc/iain.asc
 Versace & Prada mean nothing to me,
   You buy your friends but I'll hate you for free
   Rescue Kyoto, boycott Esso/Exxon/Mobil: http://www.stopesso.com




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Wichert Akkerman
Previously Adam Warner wrote:
 Someone with better knowledge of all the facts might want to comment on
 the claim that Debian is always the last to fix security holes and the
 tag team follow up I've been fighting for months now to try to convince
 them to release an advisory or fix for ftpd...

Someone should point them to Javier's analysis of security response
times..

Wichert.

-- 
  _
 /[EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Adam Warner
On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:
 Adam Warner [EMAIL PROTECTED] writes:
 
  http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
 
  Someone with better knowledge of all the facts might want to comment on
  the claim that Debian is always the last to fix security holes and the
  tag team follow up I've been fighting for months now to try to convince
  them to release an advisory or fix for ftpd...
 
 Some of us wouldn't dare say such things without at least reviewing the
 given distro's security policy, FAQ and history.
 
 http://www.debian.org/security/ is over there --- .

I'm aware that Debian manages to get advisories out extremely
quickly--in some cases before any other distribution. But I'm not aware
of the history of the second poster's claims.

I did recently note that the latest exim advisory was released on 4
January but the fix for uncontrolled program execution was posted by
Philip Hazel on 19 December. That's no 48 hours. And the patch was even
provided in the post [in this case I suspect the post by Philip Hazel
was missed].

But I was really impressed that updates for unstable/testing were
released at the same time. For those of us that use/test the bleeding
edge on our systems it's a great reassurance to see the security team
giving consideration to the security of testing/unstable.

Regards,
Adam



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Daniel Polombo

Adam Warner wrote:

 On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:

  Some of us wouldn't dare say such things without at least reviewing the
  given distro's security policy, FAQ and history.

 But I was really impressed that updates for unstable/testing were
 released at the same time. For those of us that use/test the bleeding
 edge on our systems it's a great reassurance to see the security team
 giving consideration to the security of testing/unstable.

Well, maybe you should follow Tim's advice and go check the security team's FAQ:

   Q: How is security handled for testing and unstable?

   A: The short answer is: it's not. Testing and unstable are rapidly moving
  targets and the security team does not have the resources needed to
  properly support those. If you want to have a secure (and stable)
  server you are strongly encouraged to stay with stable.

Of course, if you're using unstable, fixes tend to appear quickly, but:

- tend to is not acceptable when security is concerned
- it may take a lot more time depending on your local mirror

--
Daniel



Re: Don't panic (ssh)

2002-01-14 Thread Daniel Polombo

Iain Tatch wrote:

  AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need
  to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though,
  as SSH2 so far does not support RSA keypairs and needs DSA keys.

 That's the impression I was under, too. In which case the current stable
 release of Debian comes with an sshd which uses protocol 1 and is
 therefore open to allowing remote root compromises.

Just a quick precision here: you have to _disable_ v1 in order to be
protected from that vulnerability. The point here is not that you have to
support v2, it's that you have to disallow v1. A recent daemon allowing ssh1
connections is vulnerable.


--
Daniel
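
A way to check whether a daemon still accepts protocol 1, from the banner it sends and from its sshd_config. This is an added example, not code from the thread: it assumes an OpenSSH release that has the `Protocol` keyword (such as the 3.0.2p1 mentioned earlier), the `default="2,1"` value is an assumption to adjust for your version, and the banners and config snippets are constructed.

```python
import re

# Identification string: SSH-<protoversion>-<softwareversion>[ <comments>]
IDENT = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

# Constructed sshd_config fragments: the weak setting beside the corrected one.
WEAK_CONFIG = "Port 22\nProtocol 2,1\nPermitRootLogin no\n"
HARDENED_CONFIG = "Port 22\n# Protocol 2,1\nProtocol 2\nPermitRootLogin no\n"


def protocols_from_banner(banner):
    """Return the set of SSH protocol major versions a server banner offers."""
    m = IDENT.match(banner.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % banner)
    proto = m.group("proto")
    if proto == "1.99":
        # Compatibility marker: the server speaks both protocol 1 and 2.
        return {1, 2}
    major = int(proto.split(".")[0])
    if major not in (1, 2):
        raise ValueError("unknown protocol version: %s" % proto)
    return {major}


def protocols_from_config(config_text, default="2,1"):
    """Return the versions enabled by the Protocol keyword in sshd_config text.

    `default` is what applies when the keyword is absent; "2,1" is an
    assumption here and must match the installed OpenSSH version.
    """
    value = default
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "protocol" and len(parts) == 2:
            value = parts[1]                     # first occurrence is used
            break
    return {int(v) for v in re.split(r"[\s,]+", value.strip()) if v}


def audit(banner, config_text, default="2,1"):
    """Compare what the running daemon announces with what the file says."""
    offered = protocols_from_banner(banner)
    configured = protocols_from_config(config_text, default)
    return {
        "banner_offers_v1": 1 in offered,
        "config_allows_v1": 1 in configured,
        # A mismatch suggests the daemon was not restarted after the edit,
        # or that it reads a different configuration file.
        "consistent": offered == configured,
    }


if __name__ == "__main__":
    print(audit("SSH-1.99-OpenSSH_3.0.2p1", WEAK_CONFIG))
    print(audit("SSH-1.99-OpenSSH_3.0.2p1", HARDENED_CONFIG))
    print(audit("SSH-2.0-OpenSSH_3.0.2p1", HARDENED_CONFIG))
```

The second call is the case worth catching: the file already says `Protocol 2` but the banner still reads SSH-1.99, so protocol 1 is still being offered on the wire.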



RE: Don't panic (ssh)

2002-01-14 Thread Craigsc
How do you disable ssh1 protocol with the current
ssh on potato ?

..Craig

-Original Message-
From: Daniel Polombo [mailto:[EMAIL PROTECTED]
Sent: Monday, January 14, 2002 2:45 PM
To: Iain Tatch
Cc: [EMAIL PROTECTED]; debian-security@lists.debian.org
Subject: Re: Don't panic (ssh)


Iain Tatch wrote:



  AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you
  need to use SSH2 protocol. OpenSSH supports SSH2. You need different keys
  though, as SSH2 so far does not support RSA keypairs and needs DSA keys.

 That's the impression I was under, too. In which case the current stable
 release of Debian comes with an sshd which uses protocol 1 and is
 therefore open to allowing remote root compromises.

Just a quick precision here : you have to _disable_ v1 in order to be
protected from that vulnerability. The point here is not that you have to
support v2, it's that you have to disallow v1. A recent daemon allowing ssh1
connections is vulnerable.

--
Daniel





Re: Don't panic (ssh)

2002-01-14 Thread Tim Haynes
Craigsc [EMAIL PROTECTED] writes:

 How do you disable ssh1 protocol with the current
 ssh on potato ?

I don't think you have to. See
http://www.debian.org/security/2001/dsa-086.

Or have I really been so asleep as not to notice a major thou shalt not
use ssh1 even though we applied all the fixes AS PER FAQ to the old
version alert???
That might be commendable behaviour, but it hasn't been mandated by Debian
that I saw.

~Tim
-- 
http://spodzone.org.uk/



Re: Don't panic (ssh)

2002-01-14 Thread Iain Tatch

On 14 January 2002 at 13:05:57 Craigsc wrote:

 How do you disable ssh1 protocol with the current
 ssh on potato ?

I may be very wrong here as I've only been using Debian for 3 days now,
but as far as I can see the current sshd on potato only supports ssh1
protocol. That's why I removed the package and self-compiled the latest
sources from www.openssh.org to ensure I had only ssh2 protocol compiled
in.

I've had a box compromised through the ssh1 CRC32 vulnerability once, I'm
not going to let it happen again!

Cheers
--
Iain | PGP mail preferred: pubkey @ www.deepsea.f9.co.uk/misc/iain.asc
 Versace & Prada mean nothing to me,
   You buy your friends but I'll hate you for free
   Rescue Kyoto, boycott Esso/Exxon/Mobil: http://www.stopesso.com





Re: /etc/passwd-shell

2002-01-14 Thread Anthony DeRobertis


On Saturday, January 12, 2002, at 02:46 PM, Hubert Chan wrote:


I think that if you boot into single mode (e.g. type linux single at
the LILO prompt), you'll drop into whatever shell is defined for root.


More importantly, will it break if, e.g., fsck fails and drops 
you into single-user mode?


You mentioned the solution for lilo, though I prefer init=/sbin/sash.



RE: Don't panic (ssh)

2002-01-14 Thread Denny Fox
Debian has back ported the fix for the CRC-32 vulnerability into both
OpenSSH (1.2.3-9.3) and ssh-nonfree/ssh-socks (1.2.27-6.2) for Debian
stable.

This is documented at:
http://www.debian.org/security/2001/dsa-086

This would appear to remove any concern about using SSH version 1
protocol as long as you are running the updated sshd.

The published vulnerabilities for ssh1 have been against the
implementation in the sshd application itself, not in the ssh1
protocol. The current Debian versions have addressed the
implementation issues.

Please correct me if I am mistaken...

Thanks,

Denny

 -Original Message-
 From: Craigsc [mailto:[EMAIL PROTECTED]
 Sent: Monday, January 14, 2002 7:06 AM
 To: Debian-Security; Daniel Polombo
 Subject: RE: Don't panic (ssh)


 How do you disable ssh1 protocol with the current
 ssh on potato ?

 ..Craig

 -Original Message-
 From: Daniel Polombo [mailto:[EMAIL PROTECTED]
 Sent: Monday, January 14, 2002 2:45 PM
 To: Iain Tatch
 Cc: [EMAIL PROTECTED]; debian-security@lists.debian.org
 Subject: Re: Don't panic (ssh)


 Iain Tatch wrote:


 
 AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus
 you need to use SSH2 protocol. OpenSSH supports SSH2. You need
 different keys though, as SSH2 so far does not support RSA keypairs
 and needs DSA keys.
 
  That's the impression I was under, too. In which case the current
  stable release of Debian comes with an sshd which uses protocol 1 and
  is therefore open to allowing remote root compromises.

 Just a quick precision here : you have to _disable_ v1 in order to be
 protected from that vulnerability. The point here is not that you have
 to support v2, it's that you have to disallow v1. A recent daemon
 allowing ssh1 connections is vulnerable.

 --
 Daniel






Re: Don't panic (ssh)

2002-01-14 Thread Glenn McGrath
On Mon, 14 Jan 2002 13:10:08 +
Tim Haynes [EMAIL PROTECTED] wrote:

 Craigsc [EMAIL PROTECTED] writes:
 
  How do you disable ssh1 protocol with the current
  ssh on potato ?
 
 I don't think you have to. See
 http://www.debian.org/security/2001/dsa-086.
 

I don't know about potato, but ssh v1 definitely works in sid.


Glenn



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Simon Huggins
On Mon, Jan 14, 2002 at 12:05:34PM +, Tim Haynes wrote:
 Adam Warner [EMAIL PROTECTED] writes:
  http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
 
  Someone with better knowledge of all the facts might want to comment
  on the claim that Debian is always the last to fix security holes
  and the tag team follow up I've been fighting for months now to try
  to convince them to release an advisory or fix for ftpd...
 Some of us wouldn't dare say such things without at least reviewing
 the given distro's security policy, FAQ and history.

 http://www.debian.org/security/ is over there --- .

Indeed.  My only experience with trying to get an exploitable package
patched was rather disappointing though.

I believe (not being a Debian developer myself) that [EMAIL PROTECTED]
goes to debian-private which is only available to developers.  It then
requires the developer of the package you're reporting about to be awake
enough to /do/ something about the bug you are reporting.

I had problems with apache whose old maintainer didn't really seem to
care (bug 104187 for the gory details)

So perhaps Debian security is only as good as the package maintainers?
I'm sure most maintainers do care and do investigate bugs I probably
just had a bad experience.


-- 
--(  Have you seen a man who's lost his luggage?   )--
Simon (   -- Suitcase) Nomis
 Htag.pl 0.0.19



Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Oystein Viggen
* [Dietmar Braun] 

 No chance to block these bastards?

Simple anti-spam function for .procmailrc:

:0 fhw
* ^Content-Type: text/html|\
^Subject:.*=\?ks_c_5601-1987\?
Spambox

Oystein
-- 
When in doubt: Recompile.



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Javier Fernández-Sanguino Peña
On Mon, Jan 14, 2002 at 01:15:16PM +0100, Wichert Akkerman wrote:
 Previously Adam Warner wrote:
  Someone with better knowledge of all the facts might want to comment on
  the claim that Debian is always the last to fix security holes and the
  tag team follow up I've been fighting for months now to try to convince
  them to release an advisory or fix for ftpd...
 
 Someone should point them to Javier's analysis of security response
 times..

Thanks, I was about to say so... BTW pointer is:
http://lists.debian.org/debian-security/2001/debian-security-200112/msg00257.html

I'm going to add this to the info available in the Debian
Security Manual, seems to be a FAQ

Javi



Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Oystein Viggen
* [Oystein Viggen] 

 * [Dietmar Braun] 

 No chance to block these bastards?

 Simple anti-spam function for .procmailrc:

Oops.. I'm sleeping in front of the keyboard again.  The correct recipe
would be like this:

:0
* ^Content-Type: text/html|\
^Subject:.*=\?ks_c_5601-1987\?
Spambox

Oystein
-- 
When in doubt: Recompile.



Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Dietmar Braun

At 15:21 14.01.2002 +0100, Oystein Viggen wrote:
:0
* ^Content-Type: text/html|\
^Subject:.*=\?ks_c_5601-1987\?
Spambox

Oystein

In my opinion, this is only a workaround.
Providers should close their routes to these spammers or block their IP 
addresses - this could be the only way to change the Koreans' minds.


Dietmar



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Noah L. Meyerhans
On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
 So perhaps Debian security is only as good as the package maintainers?
 I'm sure most maintainers do care and do investigate bugs I probably
 just had a bad experience.

That is the case in unstable and testing, but not stable.  That is why
you're encouraged to run stable on any machine connected to the
internet.  In its case, there is a group within Debian who is
responsible for providing security updates in a timely manner with or
without assistance from the package maintainer.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Régis Grison

Dietmar Braun wrote:


> In my opinion, this is only a workaround.
> Providers should close their routes to these spammers or block their IP
> addresses - this could be the only way to change the Koreans' minds.


well, the mail is from [EMAIL PROTECTED]

ping iwww.net - 211.171.252.68

whois 211.171.252.68

[...]
E-Mail : [EMAIL PROTECTED]

Seems like [EMAIL PROTECTED] depends on kidc.net

whois iwww.net and whois kidc.net tell us they are not the same. So if
you want a result, don't write to [EMAIL PROTECTED] (maybe the same guy
as [EMAIL PROTECTED]); write directly to [EMAIL PROTECTED] (the provider).


Honestly, I won't do so. There is not enough mail for me. But if
someone wants...


Regis.



Re: Don't panic (ssh)

2002-01-14 Thread Christian Kurz
On 14/01/02, [EMAIL PROTECTED] wrote:

 AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus
 you need to use SSH2 protocol. OpenSSH supports SSH2. You need
 different keys though, as SSH2 so far does not support RSA keypairs
 and needs DSA keys.

OpenSSH supports both, RSA and DSA keys for SSH protocol version 2.
Please read the manpage for ssh and look for the paragraph called SSH
protocol version 2 where this is explained. But you are right about the
CRC32 attack. The crc32 compensation attack is a vulnerability in the
SSH protocol version 1. An analysis of this exploit can be found at:

http://staff.washington.edu/dittrich/misc/ssh-analysis.txt

And here's an excerpt from a mail (MID:
[EMAIL PROTECTED])
about the rules, which clients or servers are vulnerable. The comments
are from Markus Friedl, one of the openssh authors:

,----
| the rules are simpler:
| 
| 1) protocol 2 only
| 
| all
| SSH-2.0-*
| are not affected, since no protocol v1 is involved.
| 
| 2) protocol 1 and 2 support
| 
| since
| SSH-1.99-*
| supports both protocol versions, it gets more difficult.
| for the commercial server, you never know the version
| of the server that will be called for the fallback,
| you have to assume that all
| SSH-1.99-[23]*
| are affected, and
| SSH-1.99-OpenSSH[-_].x.y
| are affected for versions x.y < 2.3
| 
| 3) protocol 1 only
| SSH-1.5-OpenSSH[-_].x.y
| is affected versions x.y < 2.3
| 
| and the commercial versions.
| 
| SSH-1.5-1.2.2[456789]
| SSH-1.5-1.2.3[01]
| 
| so:
`----

Christian
-- 
   Debian Developer (http://www.debian.org)
1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Tim Haynes
Noah L. Meyerhans [EMAIL PROTECTED] writes:

 On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
  So perhaps Debian security is only as good as the package maintainers?
 I'm sure most maintainers do care and do investigate bugs I probably
 just had a bad experience.

 That is the case in unstable and testing, but not stable. That is why
 you're encouraged to run stable on any machine connected to the internet.
 In its case, there is a group within Debian who is responsible for
 providing security updates in a timely manner with or without assistance
 from the package maintainer.

Agreed. You have to decide for the situation at hand; as it happens, my
favourite colo server runs Testing, on the grounds that one of these days,
Stable will change en-masse and the last thing I want is for ssh not to
restart in my daily dist-upgrades of nearly every package on the box - the
machine came home for a bit of TLC one time and got put onto Testing so the
daily dist-upgrade only does a few packages rather than the whole lot.
In the meantime, security patches (notably only _mutt_ anyway) can come
down from Unstable.

Cheers,

~Tim
-- 
http://spodzone.org.uk/



Re: Don't panic (ssh)

2002-01-14 Thread Will Aoki
On Mon, Jan 14, 2002 at 12:17:15PM +, Iain Tatch wrote:
 On 14 January 2002 at 11:48:34 [EMAIL PROTECTED] wrote:
 
  Have I missed something and was I already OK, or is the current stable
  potato release shipping with a potential ssh security hole?  
 
  AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you 
  need
  to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though,
  as SSH2 so far does not support RSA keypairs and needs DSA keys.  
 
 That's the impression I was under, too. In which case the current stable
 release of Debian comes with an sshd which uses protocol 1 and is
 therefore open to allowing remote root compromises.

There are actually two *separate* CRC32-related flaws in ssh.

The first is a protocol design flaw that allows the injection of data
into an ssh session. This is the 'CRC32 compensation' attack. Modern
ssh1 implementations have code to detect this, which leads to the next
flaw:

The remote root flaw is a bug in the CRC32 compensation attack detector.
In OpenSSH this has been fixed since 2.3.0 - nearly a year old.

It's still probably better to run only ssh2 if you have a choice, but
if you're still running ssh1 your system is not wide open.

The Debian stable sshd has had the appropriate patches backported to it,
so it's not vulnerable to this remote root hole.

-- 
William Aoki [EMAIL PROTECTED]   /\  ASCII Ribbon Campaign
3B0A 6800 8A1A 78A7 9A26 BB92  \ /  No HTML in mail or news!
9A26 BB92 6329 2D3E 199D 8C7B   X
   / \
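
The banner rules quoted in Christian Kurz's message, combined with Will Aoki's point about backported fixes, written out as a banner triage in Python. This is an added example, not code from the thread or from OpenSSH; the threshold is read as x.y < 2.3 (the thread says the fix landed in 2.3.0), and the hosts and banners in SAMPLE are constructed.

```python
import re

# Threshold read from the quoted rules as "x.y < 2.3" (assumption; the thread
# states the detector bug has been fixed in OpenSSH since 2.3.0).
FIXED_IN = (2, 3)
BANNER = re.compile(r"SSH-(\d+\.\d+)-(\S+)")
OPENSSH = re.compile(r"OpenSSH[-_](\d+)\.(\d+)")
COMMERCIAL_V1 = re.compile(r"1\.2\.(?:2[4-9]|3[01])(?!\d)")

def classify(banner):
    """Return (status, speaks_v1) for one SSH identification string."""
    m = BANNER.match(banner.strip())
    if not m:
        return ("unknown", False)
    proto, software = m.groups()
    if proto == "2.0":
        return ("not-affected", False)          # rule 1: protocol 2 only
    if proto not in ("1.99", "1.5"):
        return ("unknown", False)
    o = OPENSSH.match(software)
    if o:                                       # rules 2 and 3, OpenSSH
        version = (int(o.group(1)), int(o.group(2)))
        return ("affected" if version < FIXED_IN else "not-affected", True)
    if proto == "1.99" and software[0] in "23":
        return ("affected", True)               # rule 2: fallback server unknown
    if proto == "1.5" and COMMERCIAL_V1.match(software):
        return ("affected", True)               # rule 3: commercial 1.2.24-1.2.31
    return ("unknown", True)

# Constructed inventory: documentation addresses and illustrative banners.
SAMPLE = [
    ("192.0.2.10", "SSH-2.0-OpenSSH_3.0.2p1"),
    ("192.0.2.11", "SSH-1.99-OpenSSH_2.2.0p1"),
    ("192.0.2.12", "SSH-1.99-OpenSSH_2.9p2"),
    ("192.0.2.13", "SSH-1.5-OpenSSH-1.2.3"),
    ("192.0.2.14", "SSH-1.5-1.2.27"),
    ("192.0.2.15", "SSH-1.99-2.4.0 SSH Secure Shell"),
    ("192.0.2.16", "SSH-1.5-Cisco-1.25"),
]

def audit(inventory):
    """Map host -> (status, speaks_v1). A banner cannot show backported fixes,
    so 'affected' means 'check the package changelog', not 'confirmed'."""
    return {host: classify(banner) for host, banner in inventory}

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(host, *result)
```

The second tuple field flags hosts that still accept protocol 1, which matters separately because the injection flaw described above is in the protocol design itself.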



Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Preben Randhol
Dietmar Braun [EMAIL PROTECTED] wrote on 14/01/2002 (12:21) :
 Anybody residing near to the korean border who can take the great scissor 
 and cut off the cable from korea to the civilized world?
 
 Nothing but spam coming from these foolish idiots...

Well if one should do like you say then one would have to cut off Germany and
USA too as I get spam from both countries, most from the latter of
course.

I think procmail is your friend.

Preben
-- 
 ()   Join the worldwide campaign to protect fundamental human rights.
'||}
{||'   http://www.amnesty.org/



Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Preben Randhol
Oystein Viggen [EMAIL PROTECTED] wrote on 14/01/2002 (15:24) :
 * [Oystein Viggen] 
 
 :0
 * ^Content-Type: text/html|\
 ^Subject:.*=\?ks_c_5601-1987\?
 Spambox

Why not simply:

:0
* ^Content-Type: text/html
Spambox

I have never gotten a html mail worth reading.

Preben
-- 
«.., chaos is found in greatest abundance wherever order is being
sought. It always defeats order, because it is better organized.»
-- Interesting Times, Terry Pratchett



Re: Asking for documentation help (Re: IPSec questions...)

2002-01-14 Thread Noah L. Meyerhans
On Mon, Jan 14, 2002 at 10:31:38AM +0100, Javier Fernández-Sanguino Peña wrote:
   I was wondering... could someone write a How to build VPN's in
 Debian small documentation for inclusion in the Debian Security HOWTO
 (http://www.debian.org/doc/ddp) it could make for a nice chapter in there.

I can't necessarily volunteer right now, as I'm far too busy, but I can
certainly put in some effort and provide some technical help.  I use
FreeS/WAN in just about every configuration it supports, all on Debian.

I'd happily volunteer to write the whole chapter, but I don't foresee
having enough free time for that until sometime in mid March.  If
anybody wants to work on it, though, let me know, and I'll lend a hand.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Dietmar Braun

> Well if one should do like you say then one would have to cut off Germany and
> USA too as I get spam from both countries, most from the latter of
> course.

Ok, I admit that this isn't practicable (I shouldn't write mails when I am 
VERY angry...),

but the point is:
from USA and Germany, we normally get also mails we want and we need.
From Korea/China and other spammers heaven, we get nothing but spam - 
there is no mail from these countries I had to admit that I wanted it...


Dietmar



Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Ralf Dreibrodt
Hi,

Dietmar Braun wrote:
 
 Ok, I admit that this isn't practicable (I shouldn't write mails when I am
 VERY angry...),
 but the point is:
 from USA and Germany, we normally get also mails we want and we need.
  From Korea/China and other spammers heaven, we get nothing but spam -

not we, you!

i think your opinion is typical German and someone else already
mentioned, we can filter spam, but not the discussion about spam. please
go to the police, unsubscribe from this list or write emails to the
responsible provider.
but please don't answer my mail and consider, YOU are angry and YOU
are making me angry.

Thanks,
Ralf



Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Oystein Viggen
* [Preben Randhol] 

 Oystein Viggen [EMAIL PROTECTED] wrote on 14/01/2002 (15:24) :
 * [Oystein Viggen] 
 
 :0
 * ^Content-Type: text/html|\
  Look here: ^
 ^Subject:.*=\?ks_c_5601-1987\?
 Spambox

 Why not simply:

 :0
 * ^Content-Type: text/html
 Spambox

 I have never gotten a html mail worth reading.

Note the |, that's an OR.  My rule kills all html-mail but also (I
believe), all that unintelligible Korean spam.

(The recipe I actually use has more than ten of these lines, including
one for those trailing random numbers with spaces in front.)

Oystein
-- 
When in doubt: Recompile.
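
What the corrected recipe matches, emulated in Python as an added example (not code from the thread; the sample messages are constructed). It joins the two condition lines the way the trailing backslash does and applies the result to the header only and case-insensitively, which are procmail's defaults.

```python
import re

# The recipe's two condition lines joined into one regular expression:
# the trailing backslash continues the line and '|' is alternation (OR).
CONDITION = re.compile(
    r"^Content-Type: text/html|^Subject:.*=\?ks_c_5601-1987\?",
    re.IGNORECASE | re.MULTILINE,
)

def deliver(raw_message):
    """Return the folder the recipe would choose for one raw message."""
    header = raw_message.split("\n\n", 1)[0]   # the body is not searched
    return "Spambox" if CONDITION.search(header) else "inbox"

# Constructed sample messages, trimmed to the fields the recipe looks at.
SAMPLES = {
    "html_only": "From: a@example.com\nSubject: hello\n"
                 "Content-Type: text/html; charset=us-ascii\n\n<html>..</html>\n",
    "ks_c_subject": "From: b@example.com\n"
                    "Subject: =?ks_c_5601-1987?B?Y29uc3RydWN0ZWQ=?=\n"
                    "Content-Type: text/plain\n\ntext\n",
    "multipart_html": "From: c@example.com\nSubject: news\n"
                      "Content-Type: multipart/alternative; boundary=\"b1\"\n\n"
                      "--b1\nContent-Type: text/html\n\n<html>..</html>\n--b1--\n",
    "euc_kr_subject": "From: d@example.com\n"
                      "Subject: =?EUC-KR?B?Y29uc3RydWN0ZWQ=?=\n"
                      "Content-Type: text/plain\n\ntext\n",
    "plain_list_mail": "From: e@example.com\nSubject: Re: Don't panic (ssh)\n"
                       "Content-Type: text/plain; charset=us-ascii\n\ntext\n",
}

def run_samples():
    """Return {sample name: folder} for every constructed message."""
    return {name: deliver(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, folder in run_samples().items():
        print(f"{name:16} -> {folder}")
```

Either alternative alone is enough to file a message in Spambox; a message whose top-level type is multipart/alternative, or whose Subject is encoded with a different charset label, falls through to the inbox and needs its own condition line.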



Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Preben Randhol
Oystein Viggen [EMAIL PROTECTED] wrote on 14/01/2002 (17:14) :
 
 Note the |, that's an OR.  My rule kills all html-mail but also (I
 believe), all that unintelligible Korean spam.

Ah I missed that.

Preben
-- 
 ()   Join the worldwide campaign to protect fundamental human rights.
'||}
{||'   http://www.amnesty.org/



Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Joey Hess
Dietmar Braun wrote:
 from USA and Germany, we normally get also mails we want and we need.
 From Korea/China and other spammers heaven, we get nothing but spam - 
 there is no mail from these countries I had to admit that I wanted it...

Ignoring in your blind nationalistic fury that there are indeed Debian
developers in both those countries[1], of course.

-- 
see shy jo

[1] For values of Korea approaching South Korea, anyway.



Re: Once again: Spam (from hananet.net, korea)

2002-01-14 Thread Dietmar Braun

At 11:30 14.01.2002 -0500, Joey Hess wrote:
> Ignoring in your blind nationalistic fury that there are indeed Debian
> developers in both those countries[1], of course.

There is no need to call me nationalistic just because I am angry about
spammers in these groups.

But it's enough now, I won't post anything about that any more here, ok?

Despite this, complaints to the police and the provider don't help - we
all know that.


Back to business now, sorry for having disturbed.

Dietmar



Re: I've been hacked by DevilSoul

2002-01-14 Thread Florian Weimer
Dries Kimpe [EMAIL PROTECTED] writes:

   Hmm, am I right in assuming that all (current) non-LKM rootkits use
 write access on /dev/kmem (/dev/mem)? In any case, patching the kernel that
 there's no write access would be a good idea.

Yes, but it's a tremendous task.  Quite a few device drivers have bugs
which enable root to write kernel memory.

OTOH, if somebody obtains root privileges, he can probably plant a
kernel in the swapfile and instruct the boot loader to load it on the
next reboot.  AFAIK, most if not all checksumming tools don't deal
properly with such scenarios.

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  +49-711-685-5973/fax +49-711-685-5898



Re: Asking for documentation help (Re: IPSec questions...)

2002-01-14 Thread Lupe Christoph
On Monday, 2002-01-14 at 10:31:38 +0100, Javier Fernández-Sanguino Peña wrote:
   I was wondering... could someone write a How to build VPN's in
 Debian small documentation for inclusion in the Debian Security HOWTO
 (http://www.debian.org/doc/ddp) it could make for a nice chapter in there.
   Topics to comment about:

   - FreeSwan 
   - CIPE
   - Ssh
   - ...

   Any volunteer?

Not this one: ENOTUITS. But I'd like to suggest to incorporate
information from http://www.shorewall.net/PPTP.htm and
http://poptop.lineo.com/setup_pptp_server.html on PPTP and
MPPE. At least temporarily until the US vs. Non-US problem
for the kernel and PPP goes away.

I just set up PPTP and the description at the two sites applies
to Debian, too.

Obstacles that should be removed:
1) integrate MPPE in the kernel.
2) patch PPP for MPPE and MSCHAPv2.
3) upgrade PPTP to 1.0.1.

I sincerely hope this can happen soon. Until then, SuSE is way
easier to set up for PPTP. (Dunno what they deliver in the US,
but here in Germany, they have those patches integrated.)

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|



Re: I've been hacked by DevilSoul

2002-01-14 Thread Dave Kline
> OTOH, if somebody obtains root privileges, he can probably plant a
> kernel in the swapfile and instruct the boot loader to load it on the
> next reboot. AFAIK, most if not all checksumming tools don't deal
> properly with such scenarios.


Quite a scary scenario.  How could one plant a file in swap?  How could 
you access that file?

-A. Dave


Florian Weimer wrote:


> Dries Kimpe [EMAIL PROTECTED] writes:
>
> > Hmm, am I right in assuming that all (current) non-LKM rootkits use
> > write access on /dev/kmem (/dev/mem)? In any case, patching the kernel that
> > there's no write access would be a good idea.
>
> Yes, but it's a tremendous task.  Quite a few device drivers have bugs
> which enable root to write kernel memory.
>
> OTOH, if somebody obtains root privileges, he can probably plant a
> kernel in the swapfile and instruct the boot loader to load it on the
> next reboot.  AFAIK, most if not all checksumming tools don't deal
> properly with such scenarios.





