Asking for documentation help (Re: IPSec questions...)
I was wondering... could someone write a "How to build VPN's in Debian" small documentation for inclusion in the Debian Security HOWTO (http://www.debian.org/doc/ddp)? It could make for a nice chapter in there.

Topics to comment about:
- FreeSwan
- CIPE
- Ssh
- ...

Any volunteer?

Javi

-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Don't panic (ssh)
Good Morning,

While you are talking about ssh issues...

From my log:

Jan 13 09:50:58 news sshd[897]: scanned from 216.78.148.184 with
+SSH-1.0-SSH_Version_Mapper. Don't panic.
Jan 13 09:50:58 news sshd[896]: Did not receive identification string from
+216.78.148.184

Should I really Not Panic? :)

Thanks,
Jacques
--
0CBE 3F8A 5A77 A35C 27C7 2D42 3EC5 806B 9178 088D
Re: Don't panic (ssh)
Jacques Lav!gnotte wrote:

> Jan 13 09:50:58 news sshd[897]: scanned from 216.78.148.184 with
> +SSH-1.0-SSH_Version_Mapper. Don't panic.
> Jan 13 09:50:58 news sshd[896]: Did not receive identification string from
> +216.78.148.184
>
> Should I really Not Panic ? :)

Not if your SSH daemon is up to date :-)

Actually, this message is left by the « scanssh » utility (see http://www.monkey.org/~provos/scanssh/), which is used by sysadmins (or crackers) to detect weak SSH daemons on whole networks.

--
Thomas Seyrat.
Re: Don't panic (ssh)
On 14 January 2002 at 10:35:17 Thomas Seyrat wrote:

TS> Not if your SSH daemon is up to date :-)

Is the SSHD in the latest potato fully up-to-date, though?

I am a very recent convert to Debian, having been an avid Slackware fan for the last seven years. However one of my (very old) Slack boxen was compromised on Christmas Day via the sshd CRC32 vulnerability and I decided to replace it with Debian, a distro which has seriously impressed me.

Not wanting the same problem to reoccur, after installation & configuration I checked my version of sshd. As far as I could ascertain the sshd which comes with the current potato release is OpenSSH 1.something (can't say exactly what now as I've removed it and my notes are all at home), however iirc it was only using version 1 of the SSH protocols, which leaves the vulnerability in place.

I removed the Debian SSH package & manually installed OpenSSH 3.0.2p1 which is invulnerable (so far!) to all known vulnerabilities as long as version 1 of the SSH protocol isn't used, even as a fallback.

Have I missed something and was I already OK, or is the current stable potato release shipping with a potential ssh security hole?

Cheers
--
Iain | PGP mail preferred: pubkey @ www.deepsea.f9.co.uk/misc/iain.asc
Versace & Prada mean nothing to me, You buy your friends but I'll hate you for free
Rescue Kyoto, boycott Esso/Exxon/Mobil: http://www.stopesso.com
Once again: Spam (from hananet.net, korea)
Anybody residing near to the Korean border who can take the great scissor and cut off the cable from Korea to the civilized world?

Nothing but spam coming from these foolish idiots...

Sorry but that makes me very angry now. No chance to block these bastards?

Dietmar, annoyed.
Re: Don't panic (ssh)
On Mon, Jan 14, 2002 at 11:07:38AM +, Iain Tatch wrote:

> On 14 January 2002 at 10:35:17 Thomas Seyrat wrote:
>
> TS> Not if your SSH daemon is up to date :-)
>
> Is the SSHD in the latest potato fully up-to-date, though?
>
> I am a very recent convert to Debian, having been an avid Slackware fan for the last seven years. However one of my (very old) Slack boxen was compromised on Christmas Day via the sshd CRC32 vulnerability and I decided to replace it with Debian, a distro which has seriously impressed me.
>
> Not wanting the same problem to reoccur, after installation & configuration I checked my version of sshd. As far as I could ascertain the sshd which comes with the current potato release is OpenSSH 1.something (can't say exactly what now as I've removed it and my notes are all at home), however iirc it was only using version 1 of the SSH protocols, which leaves the vulnerability in place.
>
> I removed the Debian SSH package & manually installed OpenSSH 3.0.2p1 which is invulnerable (so far!) to all known vulnerabilities as long as version 1 of the SSH protocol isn't used, even as a fallback.
>
> Have I missed something and was I already OK, or is the current stable potato release shipping with a potential ssh security hole?

AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though, as SSH2 so far does not support RSA keypairs and needs DSA keys.

Anyone with more in-depth knowledge like to comment?

Crispin
Debian security being trashed in Linux Today comments
http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB

Someone with better knowledge of all the facts might want to comment on the claim that "Debian is always the last to fix security holes" and the tag team follow up "I've been fighting for months now to try to convince them to release an advisory or fix for ftpd..."

Regards,
Adam
Re: Debian security being trashed in Linux Today comments
Adam Warner [EMAIL PROTECTED] writes:

> http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
>
> Someone with better knowledge of all the facts might want to comment on the claim that "Debian is always the last to fix security holes" and the tag team follow up "I've been fighting for months now to try to convince them to release an advisory or fix for ftpd..."

Some of us wouldn't dare say such things without at least reviewing the given distro's security policy, FAQ and history.

http://www.debian.org/security/ is over there --- .

~Tim
--
http://spodzone.org.uk/
Re: Don't panic (ssh)
On 14 January 2002 at 11:48:34 [EMAIL PROTECTED] wrote:

> > Have I missed something and was I already OK, or is the current stable potato release shipping with a potential ssh security hole?
>
> AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though, as SSH2 so far does not support RSA keypairs and needs DSA keys.

That's the impression I was under, too. In which case the current stable release of Debian comes with an sshd which uses protocol 1 and is therefore open to allowing remote root compromises.

Is there any way to find out what flavour of Debian I have which is more detailed than this:

iain@starfish:~$ cat /etc/debian_version
2.2

Cheers
--
Iain | PGP mail preferred: pubkey @ www.deepsea.f9.co.uk/misc/iain.asc
Versace & Prada mean nothing to me, You buy your friends but I'll hate you for free
Rescue Kyoto, boycott Esso/Exxon/Mobil: http://www.stopesso.com
Re: Debian security being trashed in Linux Today comments
Previously Adam Warner wrote:

> Someone with better knowledge of all the facts might want to comment on the claim that "Debian is always the last to fix security holes" and the tag team follow up "I've been fighting for months now to try to convince them to release an advisory or fix for ftpd..."

Someone should point them to Javier's analysis of security response times..

Wichert.

--
[EMAIL PROTECTED]  This space intentionally left occupied
[EMAIL PROTECTED]  http://www.liacs.nl/~wichert/
1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D
Re: Debian security being trashed in Linux Today comments
Adam Warner wrote:

> On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:
>
> > Some of us wouldn't dare say such things without at least reviewing the given distro's security policy, FAQ and history.
>
> But I was really impressed that updates for unstable/testing were released at the same time. For those of us that use/test the bleeding edge on our systems it's a great reassurance to see the security team giving consideration to the security of testing/unstable.

Well, maybe you should follow Tim's advice and go check the security team's FAQ :

Q: How is security handled for testing and unstable?

A: The short answer is: it's not. Testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable.

Of course, if you're using unstable, fixes tend to appear quickly, but :

- tend to is not acceptable when security is concerned
- it may take a lot more time depending on your local mirror

--
Daniel
Re: Don't panic (ssh)
Iain Tatch wrote:

> > AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though, as SSH2 so far does not support RSA keypairs and needs DSA keys.
>
> That's the impression I was under, too. In which case the current stable release of Debian comes with an sshd which uses protocol 1 and is therefore open to allowing remote root compromises.

Just a quick precision here : you have to _disable_ v1 in order to be protected from that vulnerability. The point here is not that you have to support v2, it's that you have to disallow v1. A recent daemon allowing ssh1 connections is vulnerable.

--
Daniel
RE: Don't panic (ssh)
How do you disable ssh1 protocol with the current ssh on potato ?

..Craig

-----Original Message-----
From: Daniel Polombo [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 14, 2002 2:45 PM
To: Iain Tatch
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Don't panic (ssh)

Iain Tatch wrote:

> > AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though, as SSH2 so far does not support RSA keypairs and needs DSA keys.
>
> That's the impression I was under, too. In which case the current stable release of Debian comes with an sshd which uses protocol 1 and is therefore open to allowing remote root compromises.

Just a quick precision here : you have to _disable_ v1 in order to be protected from that vulnerability. The point here is not that you have to support v2, it's that you have to disallow v1. A recent daemon allowing ssh1 connections is vulnerable.

--
Daniel
Re: Don't panic (ssh)
Craigsc [EMAIL PROTECTED] writes:

> How do you disable ssh1 protocol with the current ssh on potato ?

I don't think you have to. See http://www.debian.org/security/2001/dsa-086.

Or have I really been so asleep as not to notice a major thou shalt not use ssh1 even though we applied all the fixes AS PER FAQ to the old version alert???

That might be commendable behaviour, but it hasn't been mandated by Debian that I saw.

~Tim
--
http://spodzone.org.uk/
Re: Don't panic (ssh)
On 14 January 2002 at 13:05:57 Craigsc wrote:

> How do you disable ssh1 protocol with the current ssh on potato ?

I may be very wrong here as I've only been using Debian for 3 days now, but as far as I can see the current sshd on potato only supports ssh1 protocol. That's why I removed the package and self-compiled the latest sources from www.openssh.org to ensure I had only ssh2 protocol compiled in.

I've had a box compromised through the ssh1 CRC32 vulnerability once, I'm not going to let it happen again!

Cheers
--
Iain | PGP mail preferred: pubkey @ www.deepsea.f9.co.uk/misc/iain.asc
Versace & Prada mean nothing to me, You buy your friends but I'll hate you for free
Rescue Kyoto, boycott Esso/Exxon/Mobil: http://www.stopesso.com
Re: /etc/passwd-shell
On Saturday, January 12, 2002, at 02:46 PM, Hubert Chan wrote:

> I think that if you boot into single mode (e.g. type linux single at the LILO prompt), you'll drop into whatever shell is defined for root.

More importantly, will it break if, e.g., fsck fails and drops you into single-user mode?

You mentioned the solution for lilo, though I prefer init=/sbin/sash.
RE: Don't panic (ssh)
Debian has back ported the fix for the CRC-32 vulnerability into both OpenSSH (1.2.3-9.3) and ssh-nonfree/ssh-socks (1.2.27-6.2) for Debian stable. This is documented at: http://www.debian.org/security/2001/dsa-086

This would appear to remove any concern about using SSH version 1 protocol as long as you are running the updated sshd. The published vulnerabilities for ssh1 have been against the implementation in the sshd application itself, not in the ssh1 protocol. The current Debian versions have addressed the implementation issues.

Please correct me if I am mistaken...

Thanks,
Denny

-----Original Message-----
From: Craigsc [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 14, 2002 7:06 AM
To: Debian-Security; Daniel Polombo
Subject: RE: Don't panic (ssh)

How do you disable ssh1 protocol with the current ssh on potato ?

..Craig

-----Original Message-----
From: Daniel Polombo [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 14, 2002 2:45 PM
To: Iain Tatch
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Don't panic (ssh)

Iain Tatch wrote:

> > AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though, as SSH2 so far does not support RSA keypairs and needs DSA keys.
>
> That's the impression I was under, too. In which case the current stable release of Debian comes with an sshd which uses protocol 1 and is therefore open to allowing remote root compromises.

Just a quick precision here : you have to _disable_ v1 in order to be protected from that vulnerability. The point here is not that you have to support v2, it's that you have to disallow v1. A recent daemon allowing ssh1 connections is vulnerable.

--
Daniel
Re: Don't panic (ssh)
On Mon, 14 Jan 2002 13:10:08 + Tim Haynes [EMAIL PROTECTED] wrote:

> Craigsc [EMAIL PROTECTED] writes:
>
> > How do you disable ssh1 protocol with the current ssh on potato ?
>
> I don't think you have to. See http://www.debian.org/security/2001/dsa-086.

I don't know about potato, but ssh v1 definitely works in sid.

Glenn
Re: Debian security being trashed in Linux Today comments
On Mon, Jan 14, 2002 at 12:05:34PM +, Tim Haynes wrote:

> Adam Warner [EMAIL PROTECTED] writes:
>
> > http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
> >
> > Someone with better knowledge of all the facts might want to comment on the claim that "Debian is always the last to fix security holes" and the tag team follow up "I've been fighting for months now to try to convince them to release an advisory or fix for ftpd..."
>
> Some of us wouldn't dare say such things without at least reviewing the given distro's security policy, FAQ and history.
>
> http://www.debian.org/security/ is over there --- .

Indeed.

My only experience with trying to get an exploitable package patched was rather disappointing though.

I believe (not being a Debian developer myself) that [EMAIL PROTECTED] goes to debian-private which is only available to developers. It then requires the developer of the package you're reporting about to be awake enough to /do/ something about the bug you are reporting.

I had problems with apache whose old maintainer didn't really seem to care (bug 104187 for the gory details).

So perhaps Debian security is only as good as the package maintainers? I'm sure most maintainers do care and do investigate bugs. I probably just had a bad experience.

--
--( Have you seen a man who's lost his luggage? )--
Simon ( -- Suitcase) Nomis
Htag.pl 0.0.19
Re: Once again: Spam (from hananet.net, korea)
* [Dietmar Braun]

> No chance to block these bastards?

Simple anti-spam function for .procmailrc:

  :0 fhw
  * ^Content-Type: text/html|\
    ^Subject:.*=\?ks_c_5601-1987\?
  Spambox

Oystein
--
When in doubt: Recompile.
Re: Debian security being trashed in Linux Today comments
On Mon, Jan 14, 2002 at 01:15:16PM +0100, Wichert Akkerman wrote:

> Previously Adam Warner wrote:
>
> > Someone with better knowledge of all the facts might want to comment on the claim that "Debian is always the last to fix security holes" and the tag team follow up "I've been fighting for months now to try to convince them to release an advisory or fix for ftpd..."
>
> Someone should point them to Javier's analysis of security response times..

Thanks, I was about to say so... BTW pointer is: http://lists.debian.org/debian-security/2001/debian-security-200112/msg00257.html

I'm going to add this to the info available in the Debian Security Manual; seems to be a FAQ.

Javi
Re: Once again: Spam (from hananet.net, korea)
* [Oystein Viggen]

> * [Dietmar Braun]
>
> > No chance to block these bastards?
>
> Simple anti-spam function for .procmailrc:

Oops.. I'm sleeping in front of the keyboard again. The correct recipe would be like this:

  :0
  * ^Content-Type: text/html|\
    ^Subject:.*=\?ks_c_5601-1987\?
  Spambox

Oystein
--
When in doubt: Recompile.
Re: Once again: Spam (from hananet.net, korea)
At 15:21 14.01.2002 +0100, Oystein Viggen wrote:

>   :0
>   * ^Content-Type: text/html|\
>     ^Subject:.*=\?ks_c_5601-1987\?
>   Spambox
>
> Oystein

In my opinion, this is only a workaround. Providers should close their routes to these spammers or block their IP addresses - this could be the only way to change the Koreans' minds.

Dietmar
Re: Debian security being trashed in Linux Today comments
On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:

> So perhaps Debian security is only as good as the package maintainers? I'm sure most maintainers do care and do investigate bugs I probably just had a bad experience.

That is the case in unstable and testing, but not stable. That is why you're encouraged to run stable on any machine connected to the internet. In its case, there is a group within Debian who is responsible for providing security updates in a timely manner with or without assistance from the package maintainer.

noah

--
Web: http://web.morgul.net/~frodo/
PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: Once again: Spam (from hananet.net, korea)
Dietmar Braun wrote:

> In my opinion, this is only a workaround. Providers should close their routes to these spammers or block their IP addresses - this could be the only way to change the Koreans' minds.

Well, the mail is from [EMAIL PROTECTED]

ping iwww.net - 211.171.252.68
whois 211.171.252.68
[...]
E-Mail : [EMAIL PROTECTED]

Seems like [EMAIL PROTECTED] depends on kidc.net.

whois iwww.net and whois kidc.net tell us they are not the same.

So if you want a result, don't write to [EMAIL PROTECTED] (may be the same guy as [EMAIL PROTECTED]), directly write to [EMAIL PROTECTED] (the provider).

Honestly, I won't do so. There is not enough mail for me. But if someone wants...

Regis.
Re: Don't panic (ssh)
On 14/01/02, [EMAIL PROTECTED] wrote:

> AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though, as SSH2 so far does not support RSA keypairs and needs DSA keys.

OpenSSH supports both, RSA and DSA keys for SSH protocol version 2. Please read the manpage for ssh and look for the paragraph called SSH protocol version 2 where this is explained.

But you are right about the CRC32 attack. The crc32 compensation attack is a vulnerability in the SSH protocol version 1. An analysis of this exploit can be found at: http://staff.washington.edu/dittrich/misc/ssh-analysis.txt

And here's an excerpt from a mail (MID: [EMAIL PROTECTED]) about the rules, which clients or servers are vulnerable. The comments are from Markus Friedl, one of the openssh authors:

,----
| the rules are simpler:
|
| 1) protocol 2 only
|
|       all
|               SSH-2.0-*
|       are not affected, since no protocol v1 is involved.
|
| 2) protocol 1 and 2 support
|
|       since
|               SSH-1.99-*
|       supports both protocol versions, it gets more difficult.
|       for the commercial server, you never know the version
|       of the server that will be called for the fallback,
|       you have to assume that all
|               SSH-1.99-[23]*
|       are affected, and
|               SSH-1.99-OpenSSH[-_].x.y
|       are affected for versions x.y < 2.3
|
| 3) protocol 1 only
|               SSH-1.5-OpenSSH[-_].x.y
|       is affected versions x.y < 2.3
|
|       and the commercial versions.
|
|               SSH-1.5-1.2.2[456789]
|               SSH-1.5-1.2.3[01]
|
| so:
`----

Christian
--
Debian Developer (http://www.debian.org)
1024/26CC7853 31E6 A8CA 68FC 284F 7D16 63EC A9E6 67FF 26CC 7853
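The banner rules quoted in the excerpt above, written out as a check that can be run over an inventory of your own servers' identification strings. This is an added example, not code from the thread or from OpenSSH; the function names, hostnames and sample banners are constructed, and it assumes the comparison in the excerpt reads "x.y < 2.3". A banner only reports the upstream version, so a daemon carrying a backported fix (such as the DSA-086 packages mentioned in this thread) is still flagged and has to be settled by checking the package version.

```python
import re

# Patterns follow the rules quoted above; the "<" in "x.y < 2.3" is assumed.
OPENSSH_V1 = re.compile(r"^SSH-1\.(?:5|99)-OpenSSH[-_](\d+)\.(\d+)")
COMMERCIAL_FALLBACK = re.compile(r"^SSH-1\.99-[23]")
COMMERCIAL_V1 = re.compile(r"^SSH-1\.5-1\.2\.(?:2[4-9]|3[01])(?!\d)")


def classify_banner(banner):
    """Return (verdict, reason) for one SSH identification string."""
    banner = banner.strip()
    # Rule 1: protocol 2 only, no protocol 1 code path is reachable.
    if banner.startswith("SSH-2.0-"):
        return ("not-affected", "protocol 2 only")
    # Rules 2 and 3, OpenSSH: decided by the upstream version number.
    m = OPENSSH_V1.match(banner)
    if m:
        version = (int(m.group(1)), int(m.group(2)))
        if version < (2, 3):
            return ("affected", "OpenSSH %d.%d < 2.3 with protocol 1" % version)
        return ("not-affected", "OpenSSH %d.%d >= 2.3" % version)
    # Rule 2, commercial server: the fallback ssh1 daemon version is unknown.
    if COMMERCIAL_FALLBACK.match(banner):
        return ("affected", "1.99 server, protocol 1 fallback version unknown")
    # Rule 3, commercial ssh1 releases listed in the excerpt.
    if COMMERCIAL_V1.match(banner):
        return ("affected", "commercial ssh 1.2.24-1.2.31")
    return ("unknown", "banner not covered by the quoted rules")


def hosts_to_check(inventory):
    """Map host -> reason for every host whose banner is not clearly fine."""
    flagged = {}
    for host, banner in sorted(inventory.items()):
        verdict, reason = classify_banner(banner)
        if verdict != "not-affected":
            flagged[host] = "%s: %s" % (verdict, reason)
    return flagged


# Constructed inventory (hostnames and banners are sample values).
SAMPLE = {
    "bastion": "SSH-2.0-OpenSSH_3.0.2p1",
    "news": "SSH-1.5-OpenSSH-1.2.3",
    "web1": "SSH-1.99-OpenSSH_2.9p2",
    "old-ftp": "SSH-1.5-1.2.27",
    "vendor": "SSH-1.99-2.4.0 SSH Secure Shell",
    "switch": "SSH-1.5-Cisco-1.25",
}

if __name__ == "__main__":
    for host, why in hosts_to_check(SAMPLE).items():
        print(host, "->", why)
```
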
Re: Debian security being trashed in Linux Today comments
Noah L. Meyerhans [EMAIL PROTECTED] writes:

> On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
>
> > So perhaps Debian security is only as good as the package maintainers? I'm sure most maintainers do care and do investigate bugs I probably just had a bad experience.
>
> That is the case in unstable and testing, but not stable. That is why you're encouraged to run stable on any machine connected to the internet. In its case, there is a group within Debian who is responsible for providing security updates in a timely manner with or without assistance from the package maintainer.

Agreed.

You have to decide for the situation at hand; as it happens, my favourite colo swerver runs Testing, on the grounds that one of these days, Stable will change en-masse and the last thing I want is for ssh not to restart in my daily dist-upgrades of nearly every package on the box - the machine came home for a bit of TLC one time and got put onto Testing so the daily dist-upgrade only does a few packages rather than the whole lot. In the meantime, security patches (notably only _mutt_ anyway) can come down from Unstable.

Cheers,
~Tim
--
http://spodzone.org.uk/
Re: Don't panic (ssh)
On Mon, Jan 14, 2002 at 12:17:15PM +, Iain Tatch wrote:

> On 14 January 2002 at 11:48:34 [EMAIL PROTECTED] wrote:
>
> > > Have I missed something and was I already OK, or is the current stable potato release shipping with a potential ssh security hole?
> >
> > AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though, as SSH2 so far does not support RSA keypairs and needs DSA keys.
>
> That's the impression I was under, too. In which case the current stable release of Debian comes with an sshd which uses protocol 1 and is therefore open to allowing remote root compromises.

There are actually two *separate* CRC32-related flaws in ssh.

The first is a protocol design flaw that allows the injection of data into an ssh session. This is the 'CRC32 compensation' attack. Modern ssh1 implementations have code to detect this, which leads to the next flaw:

The remote root flaw is a bug in the CRC32 compensation attack detector. In OpenSSH this has been fixed since 2.3.0 - nearly a year old.

It's still probably better to run only ssh2 if you have a choice, but if you're still running ssh1 your system is not wide open.

The Debian stable sshd has had the appropriate patches backported to it, so it's not vulnerable to this remote root hole.

--
William Aoki [EMAIL PROTECTED]                  /\  ASCII Ribbon Campaign
3B0A 6800 8A1A 78A7 9A26 BB92                   \ /  No HTML in mail or news!
9A26 BB92 6329 2D3E 199D 8C7B                    X
                                                / \
Re: Once again: Spam (from hananet.net, korea)
Dietmar Braun [EMAIL PROTECTED] wrote on 14/01/2002 (12:21) :

> Anybody residing near to the Korean border who can take the great scissor and cut off the cable from Korea to the civilized world?
>
> Nothing but spam coming from these foolish idiots...

Well if one should do like you say then one would have to cut off Germany and USA too as I get spam from both countries, most from the latter of course.

I think procmail is your friend.

Preben
--
() Join the worldwide campaign to protect fundamental human rights.
'||} {||' http://www.amnesty.org/
Re: Once again: Spam (from hananet.net, korea)
Oystein Viggen [EMAIL PROTECTED] wrote on 14/01/2002 (15:24) :

> * [Oystein Viggen]
>
>   :0
>   * ^Content-Type: text/html|\
>     ^Subject:.*=\?ks_c_5601-1987\?
>   Spambox

Why not simply:

  :0
  * ^Content-Type: text/html
  Spambox

I have never gotten a html mail worth reading.

Preben
--
«.., chaos is found in greatest abundance wherever order is being sought. It always defeats order, because it is better organized.»
-- Interesting Times, Terry Pratchett
Re: Asking for documentation help (Re: IPSec questions...)
On Mon, Jan 14, 2002 at 10:31:38AM +0100, Javier Fernández-Sanguino Peña wrote:

> I was wondering... could someone write a "How to build VPN's in Debian" small documentation for inclusion in the Debian Security HOWTO (http://www.debian.org/doc/ddp)? It could make for a nice chapter in there.

I can't necessarily volunteer right now, as I'm far too busy, but I can certainly put in some effort and provide some technical help. I use FreeS/WAN in just about every configuration it supports, all on Debian. I'd happily volunteer to write the whole chapter, but I don't foresee having enough free time for that until sometime in mid March. If anybody wants to work on it, though, let me know, and I'll lend a hand.

noah

--
Web: http://web.morgul.net/~frodo/
PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: Once again: Spam (from hananet.net, korea)
> Well if one should do like you say then one would have to cut off Germany and USA too as I get spam from both countries, most from the latter of course.

Ok, I admit that this isn't practicable (I shouldn't write mails when I am VERY angry...), but the point is: from USA and Germany, we normally get also mails we want and we need. From Korea/China and other spammers' heaven, we get nothing but spam - there is no mail from these countries I had to admit that I wanted it...

Dietmar
Re: Once again: Spam (from hananet.net, korea)
Oystein Viggen [EMAIL PROTECTED] wrote on 14/01/2002 (17:14) :

> Note the |, that's an OR. My rule kills all html-mail but also (I believe), all that unintelligible Korean spam.

Ah I missed that.

Preben
--
() Join the worldwide campaign to protect fundamental human rights.
'||} {||' http://www.amnesty.org/
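Which messages each of the two conditions posted in this thread would file into Spambox, worked through in Python on constructed headers (an added example, not code from any poster; the sample messages and function names are made up). It goes one step beyond the thread by including a multipart/alternative message, whose text/html part sits in the body and is therefore not seen by a header-only condition.

```python
import re

# Conditions as posted in the thread, with the backslash-continued line joined.
# procmail applies them egrep-style, case-insensitively, to the header only
# (neither recipe sets the B flag).
OYSTEIN = r"^Content-Type: text/html|^Subject:.*=\?ks_c_5601-1987\?"
PREBEN = r"^Content-Type: text/html"

# Constructed sample messages (addresses, subjects and bodies are made up).
MESSAGES = {
    "korean-plain": (
        "From: promo@example.net\n"
        "Subject: =?ks_c_5601-1987?B?wMzIssDM?=\n"
        "Content-Type: text/plain; charset=ks_c_5601-1987\n"
        "\n"
        "(body)\n"
    ),
    "html-newsletter": (
        "From: news@example.org\n"
        "Subject: Monthly newsletter\n"
        "Content-Type: text/html; charset=iso-8859-1\n"
        "\n"
        "<html><body>(body)</body></html>\n"
    ),
    "multipart-html": (
        "From: offers@example.com\n"
        "Subject: Special offer\n"
        'Content-Type: multipart/alternative; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/html\n"
        "\n"
        "<html><body>(body)</body></html>\n"
        "--b1--\n"
    ),
    "list-plain": (
        "From: someone@example.org\n"
        "Subject: Re: Don't panic (ssh)\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "\n"
        "(body)\n"
    ),
}


def header_of(raw):
    """Everything before the first blank line: what a header-only recipe greps."""
    return raw.split("\n\n", 1)[0]


def delivered_to_spambox(raw, condition):
    """True if the recipe condition matches somewhere in the message header."""
    flags = re.IGNORECASE | re.MULTILINE
    return re.search(condition, header_of(raw), flags) is not None


def triage(condition):
    """Apply one condition to every sample message."""
    return {name: delivered_to_spambox(raw, condition)
            for name, raw in MESSAGES.items()}


if __name__ == "__main__":
    for label, cond in (("two-part condition", OYSTEIN), ("html only", PREBEN)):
        print(label, triage(cond))
```
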
Re: Once again: Spam (from hananet.net, korea)
On Mon, Jan 14, 2002 at 04:54:31PM +0100, Dietmar Braun wrote:
> > Well if one should do like you say then one would have to cut off Germany and USA too as I get spam from both countries, most from the latter of course.
>
> Ok, I admit that this isn't practicable (I shouldn't write mails when I am VERY angry...),

What about SECURITY about this thread ??? Be 'civilized' people and please stop it.

Jacques

--
0CBE 3F8A 5A77 A35C 27C7 2D42 3EC5 806B 9178 088D
Re: Once again: Spam (from hananet.net, korea)
Dietmar Braun wrote:
> from USA and Germany, we normally get also mails we want and we need. From Korea/China and other spammers heaven, we get nothing but spam - there is no mail from these countries I had to admit that I wanted it...

Ignoring in your blind nationalistic fury that there are indeed Debian developers in both those countries[1], of course.

--
see shy jo

[1] For values of Korea approaching South Korea, anyway.
Re: Once again: Spam (from hananet.net, korea)
At 11:30 14.01.2002 -0500, Joey Hess wrote:
> Ignoring in your blind nationalistic fury that there are indeed Debian developers in both those countries[1], of course.

There is no need to call me nationalistic just because I am angry about spammers in this groups. But it's enough now, I won't post anything about that any more here, ok? Despite of this complaints at the police and the provider don't help - we all know that. Back to business now, sorry for having disturbed.

Dietmar
Re: I've been hacked by DevilSoul
Dries Kimpe [EMAIL PROTECTED] writes:
> Hmm, am I right in assuming that all (current) non-LKM rootkits use write access on /dev/kmem (/dev/mem)? In any case, patching the kernel that there's no write access would be a good idea.

Yes, but it's a tremendous task. Quite a few device drivers have bugs which enable root to write kernel memory.

OTOH, if somebody obtains root privileges, he can probably plant a kernel in the swapfile and instruct the boot loader to load it on the next reboot. AFAIK, most if not all checksumming tools don't deal properly with such scenarios.

--
Florian Weimer [EMAIL PROTECTED]
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
Re: Asking for documentation help (Re: IPSec questions...)
On Monday, 2002-01-14 at 10:31:38 +0100, Javier Fernández-Sanguino Peña wrote:
> I was wondering... could someone write a How to build VPN's in Debian small documentation for inclusion in the Debian Security HOWTO (http://www.debian.org/doc/ddp) it could make for a nice chapter in there. Topics to comment about:
> - FreeSwan
> - CIPE
> - Ssh
> - ...
> Any volunteer?

Not this one: ENOTUITS. But I'd like to suggest to incorporate information from http://www.shorewall.net/PPTP.htm and http://poptop.lineo.com/setup_pptp_server.html on PPTP and MPPE. At least temporarily until the US vs. Non-US problem for the kernel and PPP goes away.

I just set up PPTP and the description at the two sites applies to Debian, too. Obstacles that should be removed:
1) integrate MPPE in the kernel.
2) patch PPP for MPPE and MSCHAPv2.
3) upgrade PPTP to 1.0.1.

I sincerely hope this can happen soon. Until then, SuSE is way easier to set up for PPTP. (Dunno what they deliver in the US, but here in Germany, they have those patches integrated.)

Lupe Christoph

--
| [EMAIL PROTECTED] | http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a |
| Bat-Leth contest on the holodeck. They will not concern us again. |
| http://public.logica.com/~stepneys/joke/klingon.htm |
Re: Debian security being trashed in Linux Today comments
On Monday, 2002-01-14 at 15:12:48 +0100, Javier Fernández-Sanguino Peña wrote:
> On Mon, Jan 14, 2002 at 01:15:16PM +0100, Wichert Akkerman wrote:
> > Previously Adam Warner wrote:
> > > Someone with better knowledge of all the facts might want to comment on the claim that Debian is always the last to fix security holes and the tag team follow up I've been fighting for months now to try to convince them to release an advisory or fix for ftpd...
> >
> > Someone should point them to Javier's analysis of security response times..
>
> Thanks' I was about to say so... BTW pointer is:
> http://lists.debian.org/debian-security/2001/debian-security-200112/msg00257.html
> I'm going to add this to the info available in the Debian Security Manual seems to be a FAQ

I hope you provide a cleaned-up version. .../msg00257.html is full of binary crap. And the link .../bin0.bin could be stored as the PNG file it is supposed to be. The way it is now, I get a MIME-type of application/octet-stream, which Mozilla won't display. Maybe you can put the text, the spreadsheet, and the graph on a website?

Archive maintainers, what happens to attachments like those in the mentioned mail? I don't keep debian-security mails around, so I can't see what MIME-type the attachments had. The binary crap must be the spreadsheet which has been inlined.

Lupe Christoph

--
| [EMAIL PROTECTED] | http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a |
| Bat-Leth contest on the holodeck. They will not concern us again. |
| http://public.logica.com/~stepneys/joke/klingon.htm |
Re: Debian security being trashed in Linux Today comments
On Mon, Jan 14, 2002 at 06:16:46PM +0100, Lupe Christoph wrote:
> I hope you provide a cleaned-up version. .../msg00257.html is full of binary crap. And the link .../bin0.bin could be stored as the PNG file it is supposed to be. The way it is now, I get a MIME-type of application/octet-stream, which Mozilla won't display. Maybe you can put the text, the spreadsheet, and the graph on a website?

Ummm not likely.

> Archive maintainers, what happens to attachments like those in the mentioned mail? I don't keep debian-security mails around, so I can't see what MIME-type the attachments had. The binary crap must be the spreadsheet which has been inlined.

As I said, attachments are not parsed correctly by the archiving software. And no, the spreadsheet should have been sent as a MIME attachment (used mutt).

Regards

Javi
Re: I've been hacked by DevilSoul
On Mon, 14 Jan 2002, Dave Kline wrote:
> > OTOH, if somebody obtains root privileges, he can probably plant a kernel in the swapfile and instruct the boot loader to load it on the next reboot. AFAIK, most if not all checksumming tools don't deal properly with such scenarios.
>
> Quite a scary scenario. How could one plant a file in swap? How could you access that file?

If swap is enabled, the kernel knows where it is swapping, so you have the first part of the deal (assuming you will swapoff that swap partition/file).

For the bootloader part, it is very platform-dependent, and some ones (such as grub) will be a pain in the ass if you only have swap partitions (as opposed to swap files).

It IS possible, but it is much harder than piggybacking code on the kernel without module support.

--
One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot
Henrique Holschuh
RE: Debian security being trashed in Linux Today comments
It renders fine in IE. :)

The binary data is, I presume, the two files that Javier attached, as stated in the message:

<quote>
I adjoint some data:
- a Gnumeric spreadsheet with all the information
- a PNG graphic with this year's distribution of time-to-fix (in days) made by gnuplot with the previous data
</quote>

j.

--
Jeremy L. Gaddis [EMAIL PROTECTED]
Re: Debian security being trashed in Linux Today comments
On Mon, 14 Jan 2002, Daniel Polombo wrote:
> Adam Warner wrote:
>
> Well, maybe you should follow Tim's advice and go check the security team's FAQ :
>
> Q: How is security handled for testing and unstable?
> A: The short answer is: it's not. Testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable.
>
> Of course, if you're using unstable, fixes tend to appear quickly, but :
> - tend to is not acceptable when security is concerned
> - it may take a lot more time depending on your local mirror

As woody draws closer and closer to being stable, and potato draws closer and closer to the legendary dinosaurs which roamed the earth with regards to its outdated software, perhaps this commitment to woody's security could be revisited.

I would be surprised if a lot of the criticism that is coming out on this issue is not related to the fact that a lot of people have moved from potato to woody because they cannot continue to use potato due to the requirements of certain software or underlying libraries, and are thus burned by this security policy.

Let's face it, potato has some ancient software that is getting outdated, you can hardly find any software that uses db2 anymore, and it is not trivial to backport from db3, the version of perl makes usage and installation of anything that was done in the last 5 years difficult... potato is great, if you want to only use the packages which come with it, it is great as a server which doesn't need any changes, but if you want to do anything semi-new, or outside of the package scope, you have to move to woody, or just wait. With that movement comes a significant loss in security policy.

Now that woody draws near to being stable, perhaps the policy can be altered to accommodate for that.

Micah
Re: Debian security being trashed in Linux Today comments
Okay, this has gone far enough. The reason that s.d.o only deals with stable is that stable is the only part of Debian that by its nature cannot change. For unstable (and now testing) if there's a security bug, any DD can put up a NMU if it's severe enough, or the regular maintainer can fix it in a [relatively] short amount of time. It's just not feasible to expect a change to propagate in stable, because stable doesn't change at all, except in very small spurts: there have been 5 revisions to potato in the last [going on 2] years. THIS is the reason that there's no s.d.o support for testing and unstable. So when woody becomes stable, there WILL be s.d.o support for woody, because woody won't change. Until they become [stagnant,stable], there is just not enough reason to have s.d.o support for a distribution.

--
void hamlet() {#define question=((bb)||(!bb))}
Who is John Galt? [EMAIL PROTECTED] that's who!
Re: Debian security being trashed in Linux Today comments
Adam Warner [EMAIL PROTECTED] writes:
> http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
>
> Someone with better knowledge of all the facts might want to comment on the claim that Debian is always the last to fix security holes and the tag team follow up I've been fighting for months now to try to convince them to release an advisory or fix for ftpd...

Of course, libc problems are a bit unfair for comparison. Red Hat runs the official CVS repository, and they probably knew about the problem by mid-November or something like that (the fix was committed on 2001-11-29, IIRC).

--
Florian Weimer [EMAIL PROTECTED]
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
Re: Debian security being trashed in Linux Today comments
On Mon, Jan 14, 2002 at 07:19:29PM +0100, Javier Fernández-Sanguino Peña wrote:
> > I hope you provide a cleaned-up version. .../msg00257.html is full of binary crap. And the link .../bin0.bin could be stored as the PNG file it is supposed to be. The way it is now, I get a MIME-type of application/octet-stream, which Mozilla won't display.
>
> As I said, attachments are not parsed correctly by the archiving software. And no, the spreadsheet should have been sent as a MIME attachment (used mutt).

Does anyone know if we can tweak mhonarc to handle this more gracefully?

--
2. That which causes joy or happiness.
Re: Once again: Spam (from hananet.net, korea)
Oystein Viggen [EMAIL PROTECTED] wrote on 14/01/2002 (15:24) :
> :0
> * ^Content-Type: text/html|\
> Look here:                ^
> ^Subject:.*=\?ks_c_5601-1987\?
> Spambox

You should also filter on:

Content-Type: text/html; charset=ks_c_5601-1987

Or just use spamassassin (package in sid and woody) and the rule CHARSET_FARAWAY, it's a great antispam filter.

Alain
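What the two header conditions of the recipe quoted above actually match, as an added example that is not part of the thread: the recipe's regexes are replayed in Python over four constructed messages, next to a charset-only variant that also walks the MIME parts. The function names, the sample messages and the charset-only variant are assumptions made for this illustration.

```python
import re
from email import message_from_string

KS = "ks_c_5601-1987"


def header_block(raw):
    """Header section with folded continuation lines joined into one line each."""
    head = raw.split("\n\n", 1)[0]
    return re.sub(r"\n[ \t]+", " ", head)


def quoted_recipe_hits(raw):
    """Replay the two alternatives of the quoted recipe (headers only, case-insensitive)."""
    head = header_block(raw)
    hits = []
    if re.search(r"^Content-Type: text/html", head, re.I | re.M):
        hits.append("html")
    if re.search(r"^Subject:.*=\?ks_c_5601-1987\?", head, re.I | re.M):
        hits.append("ks-subject")
    return hits


def charset_hits(raw):
    """Assumed narrower variant: flag only the declared charset, in any MIME part."""
    msg = message_from_string(raw)
    hits = []
    if re.search(r"=\?ks_c_5601-1987\?", msg.get("Subject", ""), re.I):
        hits.append("ks-subject")
    for part in msg.walk():
        # get_content_charset() lowercases the value and strips quotes
        if part.get_content_charset() == KS:
            hits.append("ks-part:" + part.get_content_type())
    return hits


# Constructed sample messages (not taken from the list archive).
SAMPLES = {
    "korean_html": (
        "From: a@example.invalid\n"
        "Subject: =?ks_c_5601-1987?B?saSw7Q==?=\n"
        "Content-Type: text/html;\n"
        " charset=\"ks_c_5601-1987\"\n"
        "\n<html>body</html>\n"
    ),
    "newsletter_html": (
        "From: list@example.invalid\n"
        "Subject: Weekly digest\n"
        "Content-Type: text/html; charset=iso-8859-1\n"
        "\n<html>digest</html>\n"
    ),
    "plain": (
        "From: dev@example.invalid\n"
        "Subject: Re: IPSec questions\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "\nhello\n"
    ),
    "multipart": (
        "From: b@example.invalid\n"
        "Subject: hello\n"
        "MIME-Version: 1.0\n"
        "Content-Type: multipart/alternative; boundary=\"XX\"\n"
        "\n"
        "--XX\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "\nhi\n"
        "--XX\n"
        "Content-Type: text/html; charset=ks_c_5601-1987\n"
        "\n<html>hi</html>\n"
        "--XX--\n"
    ),
}


def report():
    """Map each sample name to (hits of the quoted recipe, hits of the charset variant)."""
    return {name: (quoted_recipe_hits(raw), charset_hits(raw))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (recipe, charset) in report().items():
        print(f"{name:16} recipe={recipe} charset-only={charset}")
```

The quoted recipe files the iso-8859-1 newsletter together with the spam because its first alternative matches any HTML mail, and it passes the multipart message because the HTML part's Content-Type is not in the top-level headers.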
Re: Debian security being trashed in Linux Today comments
On Tue, 2002-01-15 at 01:41, Daniel Polombo wrote:
> Adam Warner wrote:
> > On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:
> > > Some of us wouldn't dare say such things without at least reviewing the given distro's security policy, FAQ and history.
> >
> > But I was really impressed that updates for unstable/testing were released at the same time. For those of us that use/test the bleeding edge on our systems it's a great reassurance to see the security team giving consideration to the security of testing/unstable.
>
> Well, maybe you should follow Tim's advice and go check the security team's FAQ :

Weren't my comments enough for you to be able to interpret WHY I said I was really impressed? I have known and understood the security FAQ for a long time Daniel.

> Q: How is security handled for testing and unstable?
> A: The short answer is: it's not. Testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable.

http://www.debian.org/security/2002/dsa-097

This problem has been fixed in Exim version 3.12-10.2 for the stable distribution Debian GNU/Linux 2.2 and 3.33-1.1 for the testing and unstable distribution.

Oops the security team breached their FAQ :-)

> Of course, if you're using unstable, fixes tend to appear quickly, but :
> - tend to is not acceptable when security is concerned
> - it may take a lot more time depending on your local mirror

Which is why I uncommented the main distribution sites in sources.list and got the updates for testing/unstable right away. That's why I was impressed. Because I am aware of the FAQ.

Still I hope such care about the security of testing/unstable continues and note the comments of John Galt. I have noticed many instances where unstable has been secure when stable has not (before an update). Bugs that are found in Potato are not always relevant to the quick moving new binaries and code in unstable. I feel happy about the security of my unstable systems and am not aware of any vulnerabilities that I have read about at Linux Weekly News that presently affect my installations. I have had to keep up with a few fixes to Zope in the past but there was a huge Python transition being undertaken at the time.

Regards,
Adam
Re: Asking for documentation help (Re: IPSec questions...)
On January 14, 2002 02:31 am, Javier Fernández-Sanguino Peña wrote:
> I was wondering... could someone write a How to build VPN's in Debian small documentation for inclusion in the Debian Security HOWTO (http://www.debian.org/doc/ddp) it could make for a nice chapter in there. Topics to comment about:
> - FreeSwan
> - CIPE
> - Ssh
> - ...
> Any volunteer?
>
> Javi

I wouldn't mind getting involved with the Debian project, even if it is just writing docs for the community.

I don't have any practical experience with FreeSWAN at all, however, I have statically compiled BIND 9 and placed it in a chroot jail on Debian. I wonder if it would be hard to package a chroot'ed setup of BIND9 once it is completely configured?

Anyway, I would be glad to contribute to any aspect of Debian itself. Just let me know what I can do.

Stef
Re: Debian security being trashed in Linux Today comments
On Mon, Jan 14, 2002 at 01:25:11PM -0500, Jeremy L. Gaddis wrote:
> It renders fine in IE. :)

Yeah, but it has the binary crap at the end. It renders like that in moz too. (both running on the family 'doze PC while I type this mail through PuTTY.)

> The binary data is, I presume, the two files that Javier attached, as stated in the message:
>
> <quote>
> I adjoint some data:
> - a Gnumeric spreadsheet with all the information
> - a PNG graphic with this year's distribution of time-to-fix (in days) made by gnuplot with the previous data
> </quote>

The binary crap is probably the spreadsheet by itself, but maybe the image too. The download link for bin0.bin is the image. It is not PNG, but rather a gzipped xwd. I don't know why it's .bin instead of .xwd.gz. I recompressed it as a real PNG, and attached it to this mail, for your viewing pleasure :) PNG gets 3.5 times better compression, probably because this image only uses 8 bits of colour, and the xwd was 24bit.

Someone else mentioned that this graph should go up on a website, but someone else shot them down. I think the suggestion was just for this image in particular, not that this should be done for every image-attachment on all lists. Anyway, I agree that it would be cool to have this graph and the data available on a web site. (With the data in a two-column ascii list, rather than a spreadsheet or something that needs to be downloaded and dealt with separately.)

Of course, then we might need to make up excuses, or preferably find solutions, for the exceptionally long bugs.

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)
The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces! -- Plautus, 200 BCE

[Attachment: fix-time.png, PNG image]
Re: Don't panic (ssh)
On Mon, Jan 14, 2002 at 11:07:38AM +, Iain Tatch wrote:
> On 14 January 2002 at 10:35:17 Thomas Seyrat wrote:
> > Not if your SSH daemon is up to date :-)
>
> Is the SSHD in the latest potato fully up-to-date, though?
>
> I am a very recent convert to Debian, having been an avid Slackware fan for the last seven years. However one of my (very old) Slack boxen was compromised on Christmas Day via the sshd CRC32 vulnerability and I decided to replace it with Debian, a distro which has seriously impressed me.
>
> Not wanting the same problem to reoccur, after installation configuration I checked my version of sshd. As far as I could ascertain the sshd which comes with the current potato release is OpenSSH 1.something (can't say exactly what now as I've removed it and my notes are all at home), however iirc it was only using version 1 of the SSH protocols, which leaves the vulnerability in place.

According to SSH, the secure shell O'Reilly and Associates...

Insertion or compensation attack: Although not an especially easy attack to mount, this is a serious vulnerability. The attack results from composition properties of CRC-32 together with certain bulk ciphers in certain modes. The attack can be avoided altogether by using the 3DES cipher, which is immune.

SSH1 1.2.25, F-Secure SSH1 1.3.5 and later versions as well as all versions of OpenSSH include the crc32 compensation attack detector, designed to detect and prevent this attack. The detector renders the attack harder to mount, but doesn't prevent it entirely. SSH-2 uses cryptographically strong integrity checks to avoid such problems.

Kind Regards

Crispin
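The "composition properties of CRC-32" that the quoted passage contrasts with SSH-2's cryptographically strong integrity checks, as an added example that is not from the post or the book: CRC-32 is affine over XOR, so the checksum of an edited message follows from the old checksum and the edit alone, while a keyed MAC has no such relation. The example works on constructed bytes only, not on the SSH-1 packet format, and HMAC-SHA1 (one of the MACs SSH-2 defines) stands in for a keyed integrity check as an assumption.

```python
import hashlib
import hmac
import zlib


def xor_bytes(a, b):
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def predicted_crc32(original_crc, delta):
    """CRC-32 of (message XOR delta), computed without seeing the message.

    zlib.crc32 is affine: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros of the same length).
    """
    return original_crc ^ zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))


def crc32_survives_blind_edit(message, delta):
    """True if the edited message's CRC follows from the old CRC and the edit alone."""
    edited = xor_bytes(message, delta)
    return predicted_crc32(zlib.crc32(message), delta) == zlib.crc32(edited)


def hmac_tag(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def hmac_survives_blind_edit(key, message, delta):
    """Apply the same XOR combination to HMAC tags; it does not yield the new tag.

    The key is used here only to build the comparison; even with the tags of every
    piece in hand, they do not combine into the tag of the edited message.
    """
    edited = xor_bytes(message, delta)
    zeros = bytes(len(delta))
    guess = xor_bytes(
        xor_bytes(hmac_tag(key, message), hmac_tag(key, delta)),
        hmac_tag(key, zeros),
    )
    return hmac.compare_digest(guess, hmac_tag(key, edited))


# Constructed sample data for the demonstration.
MESSAGE = b"record 0007: uid=1000 path=/home/demo/notes.txt "
DELTA = bytearray(len(MESSAGE))
DELTA[17] = 0x01   # flip one bit in the uid field
DELTA[18] = 0x07   # and three bits in the next byte
DELTA = bytes(DELTA)
KEY = b"constructed-demo-key"


if __name__ == "__main__":
    print("CRC-32 of edited data predictable:", crc32_survives_blind_edit(MESSAGE, DELTA))
    print("HMAC-SHA1 of edited data predictable:", hmac_survives_blind_edit(KEY, MESSAGE, DELTA))
```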
Re: Debian security being trashed in Linux Today comments
On Mon, Jan 14, 2002 at 12:17:15PM -0700, John Galt wrote:
> Okay, this has gone far enough. The reason that s.d.o only deals with stable is that stable is the only part of Debian that by its nature cannot change. For unstable (and now testing) if there's a security bug, any DD can put up a NMU if it's severe enough, or the regular maintainer can fix it in a [relatively] short amount of time. It's just not feasible to expect a change to propagate in stable, because stable doesn't change at all, except in very small spurts: there have been 5 revisions to potato in the last [going on 2] years. THIS is the reason that there's no s.d.o support for testing and unstable. So when woody becomes stable, there WILL be s.d.o support for woody, because woody won't change. Until they become [stagnant,stable], there is just not enough reason to have s.d.o support for a distribution.

I think this was well known already, but now that we're sure everyone knows this, I think Micah's idea is interesting. When things are a long way from a freeze/release, you're right, John, it's ok to let security be handled in the current haphazard way it does now. However, how is the testing release (currently woody) going to get any testing if nobody uses it because its security isn't good enough?

Some say you should never run unstable or testing on a machine connected to the internet, but almost all computers are connected to the Internet, at least as clients. This especially applies to the home computers of the average hacker, which is the kind of person who would usefully test and provide feedback on woody. A home system is somewhere I would use a system that wasn't guaranteed to be secure, and where I might have to shut down daemons if no security fix was available for a problem that affected them. (of course I want my machine to be secure, but I can live without guarantees and check on things myself.) I actually use woody on my home NAT firewall, which also runs exim and sshd. (These are the only daemons allowing connections from the outside world on this machine.)

Hmm, if a security problem which affects unstable and/or testing, but not stable, is found, what happens? I presume it would get mentioned here, but is a DSA sent out when it's fixed? Would I have to read Bugtraq or something to get notification as soon as it's found (so I could shut down an insecure daemon until the problem was fixed.) I'd rather temporarily give up the ability to ssh into my home machine and check my email than leave it open to attack.

> On Mon, 14 Jan 2002, Micah Anderson wrote:
> > As woody draws closer and closer to being stable, and potato draws closer and closer to the legendary dinosaurs which roamed the earth with regards to its outdated software, perhaps this commitment to woody's security could be revisited. I would be surprised if a lot of the criticism that is coming out on this issue is not related to the fact that a lot of people have moved from potato to woody because they cannot continue to use potato due to the requirements of certain software or underlying libraries, and are thus burned by this security policy.
> > [...]
> > Now that woody draws near to being stable, perhaps the policy can be altered to accommodate for that.

I agree. To get testing better tested (by providing the service more people need to run it), and to get the security team familiar with the soon-to-be-stable release, there could be a mechanism for security fixes to get done on woody, etc. I don't know what kind of security promises would be appropriate, or what, but I think it would be a good idea to do something along these lines. Maybe someone should make a list of packages that the security team would take time to deal with in woody, and add packages to it over time. Starting with popular packages and/or packages classified as required/important might make sense.

Here's another idea: Only worry about remote exploits for non-stable dists. Many of the security advisories apply to local security only, and don't let a remote attacker get into the machine in the first place. (Many of them would help an attacker get root after getting a shell running as e.g. nobody or http). Only worrying about remote exploits in soon-to-be-released dists would let a lot more people run them safely, since a lot of home systems are single user, or at least the other users are trusted/not skilled. (Think family members and roommates. If they crack your system, you can put glue on their doorknob or a snowball in their boots :)

For important servers where you really care, like in a business environment, you would certainly want to stick with stable, so no new holes will be introduced, nothing breaks, etc. For systems where you are prepared to live with a little danger, you can run testing and give stuff a workout. When there are known local exploits that haven't been fixed in the dist you're running, it's like running your daemons
Re: Asking for documentation help (Re: IPSec questions...)
On Mon, Jan 14, 2002 at 07:52:59AM -0700, Stefan Srdic wrote:
> I wouldn't mind getting involved with the Debian project, even if it is just writing docs for the community.

Even if it's *just* writing docs for the community? A lot of people don't seem to realize it, but that's one of the most important things you can do to contribute! In many cases, the code is all there but the only people who know how to use it are the people who wrote it!

> I don't have any practical experience with FreeSWAN at all, however, I have statically compiled BIND 9 and placed it in a chroot jail on Debian. I wonder if it would be hard to package a chroot'ed setup of BIND9 once it is completely configured?

I recall there being discussion a while back about packaging chroot bind. I don't know whether or not anything came of it at all. There is a chroot bind HOWTO already. Last I knew, this only addressed bind 8 and did so from either a distribution independent or (worse) a Redhat specific point of view. I'm not sure where you would want to publish your bind 9 docs. Perhaps they'd be put to best use if contributed to the Securing Debian howto. Or you could offer them to the author of the chroot bind HOWTO, possibly adding the Debian specific stuff as an appendix to the main document or something.

> I would be glad to contribute to any aspect of Debian itself. Just let me know what I can do.

If you're serious about your willingness to contribute documentation, see http://www.debian.org/doc/ddp/ To me, it seems that a lot of the docs there have a great deal of potential, but there's a lot of duplication of effort. I'd really love to see a relatively major, broadly scoped document linked directly from the www.debian.org, similar to the FreeBSD Handbook. That's my suggestion, anyway. There's plenty of work to be done.

noah

--
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: Debian security being trashed in Linux Today comments
Peter Cordes [EMAIL PROTECTED] writes:

[...]
> To get testing better tested (by providing the service more people need to run it), and to get the security team familiar with the soon-to-be-stable release, there could be a mechanism for security fixes to get done on woody, etc. I don't know what kind of security promises would be appropriate, or what, but I think it would be a good idea to do something along these lines. Maybe someone should make a list of packages that the security team would take time to deal with in woody, and add packages to it over time. Starting with popular packages and/or packages classified as required/important might make sense.

Currently, testing is getting frozen in steps as far as I understand the process. What about providing proper security updates for those parts that have already been frozen? These would have to be dealt with in a special way to get upgraded anyway so you might as well provide the upgrade as a proper security update.

This could also serve as a handle for the folks who are coordinating the release process.

--
Olaf Meeuwissen
Epson Kowa Corporation, Research and Development
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97 976A 16C7 F27D 6BE3 7D90
LPIC-2 -- I hack, therefore I am -- BOFH
Re: Once again: Spam (from hananet.net, korea)
> Anybody residing near to the korean border who can take the great scissor and cut off the cable from korea to the civilized world?

You mean Korean people are barbarous?

> but the point is: from USA and Germany, we normally get also mails we want and we need. From Korea/China and other spammers heaven, we get nothing but spam - there is no mail from these countries I had to admit that I wanted it...

Though I am very shameful due to this kinda junk mail as a KOREAN, your opinion is very biased. :( In Korea, many actions are taken for preventing these spam mails from being delivered. Korea suffers from this kinda junk mails. Two debian related books are published and 5 official maintainers and lots of debian users contribute many things to Debian or Debian-KR (http://www.debian.or.kr) project in both l10n and i18n. Not all mails from Korea are spam. :)

> Dietmar

Yooseong

--
Yooseong Yang [EMAIL PROTECTED]
Debian(-KR) Developer
http://www.debian.org
http://www.debian.or.kr
http://pcel3.snu.ac.kr/~yooseong
CCs of replies from mailing lists are encouraged
RE: sshd sending packets outside lan during local connection
Thank you it worked. I added the dns info about the host trying to connect in the firewall's /etc/hosts file and I guess it was able to resolve the host name without doing a dns look-up externally.

Thanks

From: Jason Sopko [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Subject: RE: sshd sending packets outside lan during local connection
Date: Sun, 13 Jan 2002 22:44:42 -0500

I didn't look at your tcpdump output but I'd assume it's trying to resolve the in-addr.arpa record for the internal IP address and failing. Try setting up BIND to resolve PTR records for the internal network IP addresses and make sure that the server is configured to look to itself for DNS.

Hope this helps.

///Jason

-----Original Message-----
From: Jeff Stevens [mailto:[EMAIL PROTECTED]
Sent: Sunday, January 13, 2002 10:27 PM
To: debian-security@lists.debian.org
Subject: sshd sending packets outside lan during local connection

I am using Debian Potato 2.2.19ide-pci and running openssh (3.0.2p1) and bind (version: 1:8.2.3-0.potato.1). It is also being used as a firewall for a local network. It has 2 nic cards, one with an internal ip and one with an external ip. When I ssh locally (to the internal ip) to this firewall it sends out packets to my ISP. If I unplug the external ip nic before entering the password then the connection pauses for about a minute before connecting.

I am no expert as I have just started using Debian, but it seems like the password is being sniffed. I'm not exactly sure what the tcpdump output shows (ATTACHED with route info) but it seems to be doing a domain name look up (but I could be wrong). I have no idea why it would have to do a domain look-up because I connect via ip address (ssh [EMAIL PROTECTED]) which is inside the local network.

Earlier I made the mistake of offering bind publicly. I recently changed this but I don't know if I was compromised during the time it was public. I am hoping this is just a misconfiguration problem.

Any suggestions would be greatly appreciated. Thanks in advance.

--Jeff
Debian user
Asking for documentation help (Re: IPSec questions...)
I was wondering... could someone write a How to build VPN's in Debian small documentation for inclusion in the Debian Security HOWTO (http://www.debian.org/doc/ddp) it could make for a nice chapter in there.

Topics to comment about:
- FreeSwan
- CIPE
- Ssh
- ...

Any volunteer?

Javi
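[Promotion] This is iwww (아이따따따), the search engine made by netizens.
Title: Search engine iwww (아이따따따)

The Internet holds a great deal of information, along with search engines that find that information. But because search engines return far too much information, the result is that people end up wasting a lot of effort and time looking for what they need. We have now reached an age that calls for reliable information rather than a large volume of search results from which nothing can be obtained.

Among the sites scattered across the Internet there are many that hold exactly the information we need; classified by type, these are called portal, vortal and hub sites. iwww is a category and keyword search engine that finds such sites. It is a search engine in which only carefully selected, reliable sites are registered and managed in each category on the conscience of netizens, and you too can become a category manager.

If you become a category manager, you will receive one share of ㈜아이엔웹 stock free of charge and a pop3 e-mail account. ("e.g." [EMAIL PROTECTED]") In addition, you are given the authority to manage that category, and your manager ID is registered on the category. (After applying for registration, log in as the category manager and you can manage the category directly.)

If you sign up and become a member, you will receive one share of ㈜아이엔웹 stock free of charge. This is because the Internet belongs to netizens and iwww belongs to netizens!

Please visit http://iwww.net (iwww).

The philosophy of iwww is for us netizens to share the useful information we have with one another and to create a new netizen culture. We ask you to become a member of the iwww family too. Stay healthy and happy always~~~ Thank you.

Average daily visits: 774,500 hit (2002.01.07)
Categories managed by netizens: 745

Please visit and judge for yourself! ==http://iwww.net
If you judge it to be a useful site, please tell the people around you. ( 아이따따따 = iwww )

We ask your forgiveness if we have inconvenienced you. Your e-mail address was obtained while surfing the web, and we hold no information about you. From now on we will send only useful information on the Internet, information and communications, antivirus software and the like. If you join the iwww family you can receive useful information through the all-family mailing.

See the notices to learn about what is going on inside iwww. Go and see
We run a public bulletin board to gather netizens' opinions. Go and see
If you still do not wish to receive mail, click Unsubscribe! Unsubscribe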
Re: Don't panic (ssh)
Jacques Lav!gnotte wrote:
> Jan 13 09:50:58 news sshd[897]: scanned from 216.78.148.184 with
> +SSH-1.0-SSH_Version_Mapper. Don't panic.
> Jan 13 09:50:58 news sshd[896]: Did not receive identification string from
> +216.78.148.184
>
> Should I really Not Panic ? :)

Not if your SSH daemon is up to date :-)

Actually, this message is left by the « scanssh » utility (see http://www.monkey.org/~provos/scanssh/), which is used by sysadmins (or crackers) to detect weak SSH daemons on whole networks.

--
Thomas Seyrat.
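A small detector for the two sshd messages quoted in the post above, as an added example (it is not from the thread, from scanssh or from OpenSSH). It groups both message types by source address so a sweep stands out from a single dropped connection; the first two sample lines are the ones from the post, the others are constructed, and the reporting threshold is an arbitrary choice.

```python
import re
from collections import defaultdict

# sshd logs this when a client presents a scanner identification string.
# A leading "+" is tolerated because the quoted post shows it as a wrap marker.
SCANNED_RE = re.compile(
    r"sshd\[\d+\]: scanned from (\S+) with \+?(.+?)\.\s+Don't panic"
)
# Logged when the peer connects and closes without sending any banner.
NO_IDENT_RE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from \+?(\S+)"
)

# First two lines: from the post. Remaining lines: constructed for the example.
SAMPLE_LOG = [
    "Jan 13 09:50:58 news sshd[897]: scanned from 216.78.148.184 with "
    "+SSH-1.0-SSH_Version_Mapper. Don't panic.",
    "Jan 13 09:50:58 news sshd[896]: Did not receive identification string "
    "from +216.78.148.184",
    "Jan 13 10:02:11 news sshd[910]: Did not receive identification string "
    "from 192.0.2.10",
    "Jan 13 10:05:40 news sshd[915]: Accepted password for alice from "
    "192.0.2.20 port 1022",
    "Jan 13 11:14:02 news sshd[931]: scanned from 198.51.100.7 with "
    "SSH-1.0-SSH_Version_Mapper.  Don't panic.",
    "Jan 13 11:14:02 news sshd[930]: Did not receive identification string "
    "from 198.51.100.7",
    "Jan 13 11:20:45 news sshd[940]: scanned from 198.51.100.7 with "
    "SSH-1.0-SSH_Version_Mapper.  Don't panic.",
]


def summarize_probes(lines):
    """Count scanner and no-banner events per source address."""
    sources = defaultdict(
        lambda: {"scanned": 0, "no_ident": 0, "banners": set()}
    )
    for line in lines:
        match = SCANNED_RE.search(line)
        if match:
            entry = sources[match.group(1)]
            entry["scanned"] += 1
            entry["banners"].add(match.group(2))
            continue
        match = NO_IDENT_RE.search(line)
        if match:
            sources[match.group(1)]["no_ident"] += 1
    return dict(sources)


def probing_sources(lines, min_events=2):
    """Return (address, event count, client banners), busiest source first.

    min_events is an arbitrary threshold: one banner-less connection alone
    is often just a port check or a dropped link.
    """
    hits = []
    for address, entry in summarize_probes(lines).items():
        total = entry["scanned"] + entry["no_ident"]
        if total >= min_events:
            hits.append((address, total, sorted(entry["banners"])))
    return sorted(hits, key=lambda hit: (-hit[1], hit[0]))


if __name__ == "__main__":
    for address, total, banners in probing_sources(SAMPLE_LOG):
        print(f"{address}: {total} events, client banners: {banners}")
```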
Re: Don't panic (ssh)
On 14 January 2002 at 10:35:17 Thomas Seyrat wrote:

TS> Not if your SSH daemon is up to date :-)

Is the SSHD in the latest potato fully up-to-date, though?

I am a very recent convert to Debian, having been an avid Slackware fan for the last seven years. However one of my (very old) Slack boxen was compromised on Christmas Day via the sshd CRC32 vulnerability and I decided to replace it with Debian, a distro which has seriously impressed me.

Not wanting the same problem to reoccur, after installation and configuration I checked my version of sshd. As far as I could ascertain the sshd which comes with the current potato release is OpenSSH 1.something (can't say exactly what now as I've removed it and my notes are all at home), however iirc it was only using version 1 of the SSH protocols, which leaves the vulnerability in place.

I removed the Debian SSH package and manually installed OpenSSH 3.0.2p1 which is invulnerable (so far!) to all known vulnerabilities as long as version 1 of the SSH protocol isn't used, even as a fallback.

Have I missed something and was I already OK, or is the current stable potato release shipping with a potential ssh security hole?

Cheers

--
Iain | PGP mail preferred: pubkey @ www.deepsea.f9.co.uk/misc/iain.asc
Versace Prada mean nothing to me, You buy your friends but I'll hate you for free
Rescue Kyoto, boycott Esso/Exxon/Mobil: http://www.stopesso.com
Once again: Spam (from hananet.net, korea)
Anybody residing near to the Korean border who can take the great scissor and cut off the cable from Korea to the civilized world?

Nothing but spam coming from these foolish idiots...

Sorry but that makes me very angry now. No chance to block these bastards?

Dietmar, annoyed.
Re: Don't panic (ssh)
On Mon, Jan 14, 2002 at 11:07:38AM +, Iain Tatch wrote:
> On 14 January 2002 at 10:35:17 Thomas Seyrat wrote:
>
> TS> Not if your SSH daemon is up to date :-)
>
> Is the SSHD in the latest potato fully up-to-date, though?
>
> I am a very recent convert to Debian, having been an avid Slackware fan for the last seven years. However one of my (very old) Slack boxen was compromised on Christmas Day via the sshd CRC32 vulnerability and I decided to replace it with Debian, a distro which has seriously impressed me.
>
> Not wanting the same problem to reoccur, after installation and configuration I checked my version of sshd. As far as I could ascertain the sshd which comes with the current potato release is OpenSSH 1.something (can't say exactly what now as I've removed it and my notes are all at home), however iirc it was only using version 1 of the SSH protocols, which leaves the vulnerability in place.
>
> I removed the Debian SSH package and manually installed OpenSSH 3.0.2p1 which is invulnerable (so far!) to all known vulnerabilities as long as version 1 of the SSH protocol isn't used, even as a fallback.
>
> Have I missed something and was I already OK, or is the current stable potato release shipping with a potential ssh security hole?

AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though, as SSH2 so far does not support RSA keypairs and needs DSA keys.

Anyone with more in-depth knowledge like to comment?

Crispin
Debian security being trashed in Linux Today comments
http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB

Someone with better knowledge of all the facts might want to comment on the claim that "Debian is always the last to fix security holes" and the tag team follow up "I've been fighting for months now to try to convince them to release an advisory or fix for ftpd..."

Regards,
Adam
Re: Debian security being trashed in Linux Today comments
Adam Warner [EMAIL PROTECTED] writes:

> http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
>
> Someone with better knowledge of all the facts might want to comment on the claim that Debian is always the last to fix security holes and the tag team follow up I've been fighting for months now to try to convince them to release an advisory or fix for ftpd...

Some of us wouldn't dare say such things without at least reviewing the given distro's security policy, FAQ and history.

http://www.debian.org/security/ is over there --- .

~Tim
--
http://spodzone.org.uk/
Re: Don't panic (ssh)
On 14 January 2002 at 11:48:34 [EMAIL PROTECTED] wrote:

>> Have I missed something and was I already OK, or is the current stable potato release shipping with a potential ssh security hole?

> AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though, as SSH2 so far does not support RSA keypairs and needs DSA keys.

That's the impression I was under, too. In which case the current stable release of Debian comes with an sshd which uses protocol 1 and is therefore open to allowing remote root compromises.

Is there any way to find out what flavour of Debian I have which is more detailed than this:

[EMAIL PROTECTED]:~$ cat /etc/debian_version
2.2

Cheers

--
Iain | PGP mail preferred: pubkey @ www.deepsea.f9.co.uk/misc/iain.asc
Versace Prada mean nothing to me, You buy your friends but I'll hate you for free
Rescue Kyoto, boycott Esso/Exxon/Mobil: http://www.stopesso.com
Re: Debian security being trashed in Linux Today comments
Previously Adam Warner wrote:
> Someone with better knowledge of all the facts might want to comment on the claim that Debian is always the last to fix security holes and the tag team follow up I've been fighting for months now to try to convince them to release an advisory or fix for ftpd...

Someone should point them to Javier's analysis of security response times..

Wichert.

--
 _
/ [EMAIL PROTECTED]   This space intentionally left occupied \
| [EMAIL PROTECTED]   http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
Re: Debian security being trashed in Linux Today comments
On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:
> Adam Warner [EMAIL PROTECTED] writes:
>
>> http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
>>
>> Someone with better knowledge of all the facts might want to comment on the claim that Debian is always the last to fix security holes and the tag team follow up I've been fighting for months now to try to convince them to release an advisory or fix for ftpd...
>
> Some of us wouldn't dare say such things without at least reviewing the given distro's security policy, FAQ and history.
>
> http://www.debian.org/security/ is over there --- .

I'm aware that Debian manages to get advisories out extremely quickly--in some cases before any other distribution. But I'm not aware of the history of the second poster's claims.

I did recently note that the latest exim advisory was released on 4 January but the fix for uncontrolled program execution was posted by Philip Hazel on 19 December. That's not 48 hours. And the patch was even provided in the post [in this case I suspect the post by Philip Hazel was missed].

But I was really impressed that updates for unstable/testing were released at the same time. For those of us that use/test the bleeding edge on our systems it's a great reassurance to see the security team giving consideration to the security of testing/unstable.

Regards,
Adam
Re: Debian security being trashed in Linux Today comments
Adam Warner wrote:
> On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:
>
>> Some of us wouldn't dare say such things without at least reviewing the given distro's security policy, FAQ and history.
>
> But I was really impressed that updates for unstable/testing were released at the same time. For those of us that use/test the bleeding edge on our systems it's a great reassurance to see the security team giving consideration to the security of testing/unstable.

Well, maybe you should follow Tim's advice and go check the security team's FAQ :

Q: How is security handled for testing and unstable?
A: The short answer is: it's not. Testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable.

Of course, if you're using unstable, fixes tend to appear quickly, but :
- "tend to" is not acceptable when security is concerned
- it may take a lot more time depending on your local mirror

--
Daniel
Re: Don't panic (ssh)
Iain Tatch wrote:

>> AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though, as SSH2 so far does not support RSA keypairs and needs DSA keys.

> That's the impression I was under, too. In which case the current stable release of Debian comes with an sshd which uses protocol 1 and is therefore open to allowing remote root compromises.

Just a quick precision here : you have to _disable_ v1 in order to be protected from that vulnerability. The point here is not that you have to support v2, it's that you have to disallow v1. A recent daemon allowing ssh1 connections is vulnerable.

--
Daniel
RE: Don't panic (ssh)
How do you disable ssh1 protocol with the current ssh on potato ?

..Craig

-----Original Message-----
From: Daniel Polombo [mailto:[EMAIL PROTECTED]
Sent: Monday, January 14, 2002 2:45 PM
To: Iain Tatch
Cc: [EMAIL PROTECTED]; debian-security@lists.debian.org
Subject: Re: Don't panic (ssh)

Iain Tatch wrote:

>> AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though, as SSH2 so far does not support RSA keypairs and needs DSA keys.

> That's the impression I was under, too. In which case the current stable release of Debian comes with an sshd which uses protocol 1 and is therefore open to allowing remote root compromises.

Just a quick precision here : you have to _disable_ v1 in order to be protected from that vulnerability. The point here is not that you have to support v2, it's that you have to disallow v1. A recent daemon allowing ssh1 connections is vulnerable.

--
Daniel
Re: Don't panic (ssh)
Craigsc [EMAIL PROTECTED] writes:

> How do you disable ssh1 protocol with the current ssh on potato ?

I don't think you have to. See http://www.debian.org/security/2001/dsa-086.

Or have I really been so asleep as not to notice a major "thou shalt not use ssh1 even though we applied all the fixes AS PER FAQ to the old version" alert??? That might be commendable behaviour, but it hasn't been mandated by Debian that I saw.

~Tim
--
http://spodzone.org.uk/
Re: Don't panic (ssh)
On 14 January 2002 at 13:05:57 Craigsc wrote:

> How do you disable ssh1 protocol with the current ssh on potato ?

I may be very wrong here as I've only been using Debian for 3 days now, but as far as I can see the current sshd on potato only supports ssh1 protocol. That's why I removed the package and self-compiled the latest sources from www.openssh.org to ensure I had only ssh2 protocol compiled in.

I've had a box compromised through the ssh1 CRC32 vulnerability once, I'm not going to let it happen again!

Cheers

--
Iain | PGP mail preferred: pubkey @ www.deepsea.f9.co.uk/misc/iain.asc
Versace Prada mean nothing to me, You buy your friends but I'll hate you for free
Rescue Kyoto, boycott Esso/Exxon/Mobil: http://www.stopesso.com
Re: /etc/passwd-shell
On Saturday, January 12, 2002, at 02:46 PM, Hubert Chan wrote:

> I think that if you boot into single mode (e.g. type linux single at the LILO prompt), you'll drop into whatever shell is defined for root.

More importantly, will it break if, e.g., fsck fails and drops you into single-user mode?

You mentioned the solution for lilo, though I prefer init=/sbin/sash.
RE: Don't panic (ssh)
Debian has back ported the fix for the CRC-32 vulnerability into both OpenSSH (1.2.3-9.3) and ssh-nonfree/ssh-socks (1.2.27-6.2) for Debian stable. This is documented at:

http://www.debian.org/security/2001/dsa-086

This would appear to remove any concern about using SSH version 1 protocol as long as you are running the updated sshd. The published vulnerabilities for ssh1 have been against the implementation in the sshd application itself, not in the ssh1 protocol. The current Debian versions have addressed the implementation issues.

Please correct me if I am mistaken...

Thanks,
Denny

-----Original Message-----
From: Craigsc [mailto:[EMAIL PROTECTED]
Sent: Monday, January 14, 2002 7:06 AM
To: Debian-Security; Daniel Polombo
Subject: RE: Don't panic (ssh)

How do you disable ssh1 protocol with the current ssh on potato ?

..Craig

-----Original Message-----
From: Daniel Polombo [mailto:[EMAIL PROTECTED]
Sent: Monday, January 14, 2002 2:45 PM
To: Iain Tatch
Cc: [EMAIL PROTECTED]; debian-security@lists.debian.org
Subject: Re: Don't panic (ssh)

Iain Tatch wrote:

>> AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though, as SSH2 so far does not support RSA keypairs and needs DSA keys.

> That's the impression I was under, too. In which case the current stable release of Debian comes with an sshd which uses protocol 1 and is therefore open to allowing remote root compromises.

Just a quick precision here : you have to _disable_ v1 in order to be protected from that vulnerability. The point here is not that you have to support v2, it's that you have to disallow v1. A recent daemon allowing ssh1 connections is vulnerable.

--
Daniel
Re: Don't panic (ssh)
On Mon, 14 Jan 2002 13:10:08 + Tim Haynes [EMAIL PROTECTED] wrote:

> Craigsc [EMAIL PROTECTED] writes:
>
>> How do you disable ssh1 protocol with the current ssh on potato ?
>
> I don't think you have to. See http://www.debian.org/security/2001/dsa-086.

I don't know about potato, but ssh v1 definitely works in sid.

Glenn
Re: Debian security being trashed in Linux Today comments
On Mon, Jan 14, 2002 at 12:05:34PM +, Tim Haynes wrote:
> Adam Warner [EMAIL PROTECTED] writes:
>
>> http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
>>
>> Someone with better knowledge of all the facts might want to comment on the claim that Debian is always the last to fix security holes and the tag team follow up I've been fighting for months now to try to convince them to release an advisory or fix for ftpd...
>
> Some of us wouldn't dare say such things without at least reviewing the given distro's security policy, FAQ and history.
>
> http://www.debian.org/security/ is over there --- .

Indeed.

My only experience with trying to get an exploitable package patched was rather disappointing though. I believe (not being a Debian developer myself) that [EMAIL PROTECTED] goes to debian-private which is only available to developers. It then requires the developer of the package you're reporting about to be awake enough to /do/ something about the bug you are reporting.

I had problems with apache whose old maintainer didn't really seem to care (bug 104187 for the gory details)

So perhaps Debian security is only as good as the package maintainers? I'm sure most maintainers do care and do investigate bugs I probably just had a bad experience.

--
--( Have you seen a man who's lost his luggage? )--
Simon ( -- Suitcase)
Nomis
Htag.pl 0.0.19
Re: Once again: Spam (from hananet.net, korea)
* [Dietmar Braun]

> No chance to block this bastards?

Simple anti-spam function for .procmailrc:

:0 fhw
* ^Content-Type: text/html|\
^Subject:.*=\?ks_c_5601-1987\?
Spambox

Oystein
--
When in doubt: Recompile.
Re: Debian security being trashed in Linux Today comments
On Mon, Jan 14, 2002 at 01:15:16PM +0100, Wichert Akkerman wrote:
> Previously Adam Warner wrote:
>
>> Someone with better knowledge of all the facts might want to comment on the claim that Debian is always the last to fix security holes and the tag team follow up I've been fighting for months now to try to convince them to release an advisory or fix for ftpd...
>
> Someone should point them to Javier's analysis of security response times..

Thanks, I was about to say so... BTW pointer is:

http://lists.debian.org/debian-security/2001/debian-security-200112/msg00257.html

I'm going to add this to the info available in the Debian Security Manual, seems to be a FAQ

Javi
Re: Once again: Spam (from hananet.net, korea)
* [Oystein Viggen]

> * [Dietmar Braun]
>
>> No chance to block this bastards?
>
> Simple anti-spam function for .procmailrc:

Oops.. I'm sleeping in front of the keyboard again. The correct recipe would be like this:

:0
* ^Content-Type: text/html|\
^Subject:.*=\?ks_c_5601-1987\?
Spambox

Oystein
--
When in doubt: Recompile.
Re: Once again: Spam (from hananet.net, korea)
At 15:21 14.01.2002 +0100, Oystein Viggen wrote:

> :0
> * ^Content-Type: text/html|\
> ^Subject:.*=\?ks_c_5601-1987\?
> Spambox
>
> Oystein

In my opinion, this is only a workaround. Providers should close their routes to these spammers or block their IP addresses - this could be the only way to change the Koreans' minds.

Dietmar
Re: Debian security being trashed in Linux Today comments
On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
> So perhaps Debian security is only as good as the package maintainers? I'm sure most maintainers do care and do investigate bugs I probably just had a bad experience.

That is the case in unstable and testing, but not stable. That is why you're encouraged to run stable on any machine connected to the internet. In its case, there is a group within Debian who is responsible for providing security updates in a timely manner with or without assistance from the package maintainer.

noah

--
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: Once again: Spam (from hananet.net, korea)
Dietmar Braun wrote:

> In my opinion, this is only a workaround. Providers should close their routes to this spammers or block their IP addresses - this could be the only way to change the koreans minds.

well, the mail is from [EMAIL PROTECTED]

ping iwww.net - 211.171.252.68
whois 211.171.252.68
[...]
E-Mail : [EMAIL PROTECTED]

Seems like [EMAIL PROTECTED] depends from kidc.net

whois iwww.net and whois kidc.net tells us they are not the same.

So if you want a result, don't write to [EMAIL PROTECTED] (may be the same guy than [EMAIL PROTECTED]), directly write to [EMAIL PROTECTED] (the provider)

Honestly, I won't do so. There is not enough mail for me. But if someone wants...

Regis.
Re: Don't panic (ssh)
On 14/01/02, [EMAIL PROTECTED] wrote:
> AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though, as SSH2 so far does not support RSA keypairs and needs DSA keys.

OpenSSH supports both, RSA and DSA keys for SSH protocol version 2. Please read the manpage for ssh and look for the paragraph called SSH protocol version 2 where this is explained.

But you are right about the CRC32 attack. The crc32 compensation attack is a vulnerability in the SSH protocol version 1. An analysis of this exploit can be found at:

http://staff.washington.edu/dittrich/misc/ssh-analysis.txt

And here's an excerpt from a mail (MID: [EMAIL PROTECTED]) about the rules, which clients or servers are vulnerable. The comments are from Markus Friedl, one of the openssh authors:

,
| the rules are simpler:
|
| 1) protocol 2 only
|
| all
| SSH-2.0-*
| are not affected, since no protocol v1 is involved.
|
| 2) protocol 1 and 2 support
|
| since
| SSH-1.99-*
| supports both protocol versions, it gets more difficult.
| for the commercial server, you never know the version
| of the server that will be called for the fallback,
| you have to assume that all
| SSH-1.99-[23]*
| are affected, and
| SSH-1.99-OpenSSH[-_].x.y
| are affected for versions x.y < 2.3
|
| 3) protocol 1 only
| SSH-1.5-OpenSSH[-_].x.y
| is affected versions x.y < 2.3
|
| and the commercial versions.
|
| SSH-1.5-1.2.2[456789]
| SSH-1.5-1.2.3[01]
|
| so:
`

Christian

--
Debian Developer (http://www.debian.org)
1024/26CC7853 31E6 A8CA 68FC 284F 7D16 63EC A9E6 67FF 26CC 7853
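The banner rules in the excerpt quoted above, written out as a checker for identification strings collected from your own hosts. This is an added example, not code from the thread or from OpenSSH: the sample banners are constructed, the verdict names are made up for the example, and the version bound is read as "older than 2.3" (an assumption, consistent with the statement elsewhere in the thread that OpenSSH fixed the detector bug in 2.3.0).

```python
import re

# SSH identification string: SSH-<protocol>-<software> [comment]
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")
# Rule pattern OpenSSH[-_]x.y from the excerpt.
OPENSSH_RE = re.compile(r"^OpenSSH[-_](\d+)\.(\d+)")
# Rule patterns 1.2.2[456789] and 1.2.3[01] from the excerpt.
COMMERCIAL_V1_RE = re.compile(r"^1\.2\.(2[4-9]|3[01])(\D|$)")
FIXED_OPENSSH = (2, 3)  # assumption: "x.y 2.3" means "x.y older than 2.3"


def classify_banner(banner):
    """Return (verdict, reason) for one server identification string."""
    match = BANNER_RE.match(banner.strip())
    if not match:
        return ("unknown", "not an SSH identification string")
    protocol, software = match.groups()

    # Rule 1: protocol 2 only, no protocol 1 code path is reachable.
    if protocol == "2.0":
        return ("not-affected", "protocol 2 only")
    if protocol not in ("1.5", "1.99"):
        return ("unknown", "protocol version not covered by the rules")

    # Rules 2 and 3, OpenSSH branch: decided by the upstream version.
    openssh = OPENSSH_RE.match(software)
    if openssh:
        version = (int(openssh.group(1)), int(openssh.group(2)))
        if version < FIXED_OPENSSH:
            # The thread notes Debian stable backported the fix (DSA-086).
            # Assumption: the banner shows only the upstream version, so
            # the package revision has to be checked on the host itself.
            return ("affected-by-banner",
                    "OpenSSH older than 2.3; check for a backported fix")
        return ("not-affected", "OpenSSH 2.3 or later")

    # Rule 2, commercial branch: the v1 daemon used for fallback is unknown.
    if protocol == "1.99":
        if software[0] in "23":
            return ("assume-affected",
                    "commercial 1.99 server, fallback v1 daemon unknown")
        return ("unknown", "1.99 server not covered by the rules")

    # Rule 3, commercial branch: listed ssh 1.2.x releases.
    if COMMERCIAL_V1_RE.match(software):
        return ("affected-by-banner", "listed commercial ssh 1.2.x release")
    return ("unknown", "1.5 server not covered by the rules")


def needs_follow_up(banners):
    """Return the banners whose verdict is anything but not-affected."""
    return [b for b in banners if classify_banner(b)[0] != "not-affected"]


# Constructed sample banners, one per rule branch.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_3.0.2p1",
    "SSH-1.99-OpenSSH_2.2.0p1",
    "SSH-1.99-OpenSSH_2.9p2",
    "SSH-1.5-OpenSSH-1.2.3",
    "SSH-1.5-1.2.27",
    "SSH-1.99-2.4.0 SSH Secure Shell",
]

if __name__ == "__main__":
    for sample in SAMPLE_BANNERS:
        verdict, reason = classify_banner(sample)
        print(f"{sample:36} {verdict:20} {reason}")
```

A banner verdict is only a first pass: as the thread points out, a patched Debian stable package and an unpatched upstream build of the same version cannot be told apart this way.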
Re: Debian security being trashed in Linux Today comments
Noah L. Meyerhans [EMAIL PROTECTED] writes:

> On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
>
>> So perhaps Debian security is only as good as the package maintainers? I'm sure most maintainers do care and do investigate bugs I probably just had a bad experience.
>
> That is the case in unstable and testing, but not stable. That is why you're encouraged to run stable on any machine connected to the internet. In its case, there is a group within Debian who is responsible for providing security updates in a timely manner with or without assistance from the package maintainer.

Agreed.

You have to decide for the situation at hand; as it happens, my favourite colo swerver runs Testing, on the grounds that one of these days, Stable will change en-masse and the last thing I want is for ssh not to restart in my daily dist-upgrades of nearly every package on the box - the machine came home for a bit of TLC one time and got put onto Testing so the daily dist-upgrade only does a few packages rather than the whole lot. In the meantime, security patches (notably only _mutt_ anyway) can come down from Unstable.

Cheers,

~Tim
--
http://spodzone.org.uk/
Re: Don't panic (ssh)
On Mon, Jan 14, 2002 at 12:17:15PM +, Iain Tatch wrote:
> On 14 January 2002 at 11:48:34 [EMAIL PROTECTED] wrote:
>
>>> Have I missed something and was I already OK, or is the current stable potato release shipping with a potential ssh security hole?
>
>> AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though, as SSH2 so far does not support RSA keypairs and needs DSA keys.
>
> That's the impression I was under, too. In which case the current stable release of Debian comes with an sshd which uses protocol 1 and is therefore open to allowing remote root compromises.

There are actually two *separate* CRC32-related flaws in ssh. The first is a protocol design flaw that allows the injection of data into an ssh session. This is the 'CRC32 compensation' attack. Modern ssh1 implementations have code to detect this, which leads to the next flaw:

The remote root flaw is a bug in the CRC32 compensation attack detector. In OpenSSH this has been fixed since 2.3.0 - nearly a year old.

It's still probably better to run only ssh2 if you have a choice, but if you're still running ssh1 your system is not wide open.

The Debian stable sshd has had the appropriate patches backported to it, so it's not vulnerable to this remote root hole.

--
William Aoki [EMAIL PROTECTED]         /\  ASCII Ribbon Campaign
3B0A 6800 8A1A 78A7 9A26 BB92          \ /  No HTML in mail or news!
9A26 BB92 6329 2D3E 199D 8C7B           X
                                       / \
Re: Once again: Spam (from hananet.net, korea)
Dietmar Braun [EMAIL PROTECTED] wrote on 14/01/2002 (12:21) :

> Anybody residing near to the korean border who can take the great scissor and cut off the cable from korea to the civilized world?
>
> Nothing but spam coming from this foolish idiots...

Well if one should do like you say then one would have to cut off Germany and USA too as I get spam from both countries, most from the latter of course.

I think procmail is your friend.

Preben
--
 ()   Join the worldwide campaign to protect fundamental human rights.
'||}
{||'  http://www.amnesty.org/
Re: Once again: Spam (from hananet.net, korea)
Oystein Viggen [EMAIL PROTECTED] wrote on 14/01/2002 (15:24) :

* [Oystein Viggen]

:0
* ^Content-Type: text/html|\
  ^Subject:.*=\?ks_c_5601-1987\?
Spambox

Why not simply:

:0
* ^Content-Type: text/html
Spambox

I have never gotten a html mail worth reading.

Preben
--
«.., chaos is found in greatest abundance wherever order is being sought. It always defeats order, because it is better organized.» -- Interesting Times, Terry Pratchett
Re: Asking for documentation help (Re: IPSec questions...)
On Mon, Jan 14, 2002 at 10:31:38AM +0100, Javier Fernández-Sanguino Peña wrote: I was wondering... could someone write a How to build VPN's in Debian small documentation for inclusion in the Debian Security HOWTO (http://www.debian.org/doc/ddp) it could make for a nice chapter in there. I can't necessarily volunteer right now, as I'm far too busy, but I can certainly put in some effort and provide some technical help. I use FreeS/WAN in just about every configuration it supports, all on Debian. I'd happily volunteer to write the whole chapter, but I don't foresee having enough free time for that until sometime in mid March. If anybody wants to work on it, though, let me know, and I'll lend a hand. noah -- | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: Once again: Spam (from hananet.net, korea)
Well if one should do like you say then one would have to cut off Germany and USA too as I get spam from both countries, most from the latter of course. Ok, I admit that this isn't practicable (I shouldn't write mails when I am VERY angry...), but the point is: from USA and Germany, we normally get also mails we want and we need. From Korea/China and other spammers heaven, we get nothing but spam - there is no mail from these countries I had to admit that I wanted it... Dietmar
Re: Once again: Spam (from hananet.net, korea)
Hi, Dietmar Braun wrote: Ok, I admit that this isn't practicable (I shouldn't write mails when I am VERY angry...), but the point is: from USA and Germany, we normally get also mails we want and we need. From Korea/China and other spammers heaven, we get nothing but spam - Not we, you! I think your opinion is typical German and someone else already mentioned, we can filter spam, but not the discussion about spam. Please go to the police, unsubscribe this list or write emails to the responsible provider. But please don't answer to my mail and consider, YOU are angry and YOU are making me angry. Thanks, Ralf
Re: Once again: Spam (from hananet.net, korea)
* [Preben Randhol]

Oystein Viggen [EMAIL PROTECTED] wrote on 14/01/2002 (15:24) :

* [Oystein Viggen]

:0
* ^Content-Type: text/html|\
Look here:                ^
  ^Subject:.*=\?ks_c_5601-1987\?
Spambox

Why not simply:

:0
* ^Content-Type: text/html
Spambox

I have never gotten a html mail worth reading.

Note the |, that's an OR. My rule kills all html-mail but also (I believe), all that unintelligible Korean spam. (The recipe I actually use has more than ten of these lines, including one for those trailing random numbers with spaces in front.)

Oystein
--
When in doubt: Recompile.
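The condition discussed above, run against constructed messages as an added example that is not part of the thread: the `|` makes either alternative sufficient, and like procmail's defaults the check ignores case and looks at the header only. The function names and sample messages are constructed for illustration.

```shell
#!/bin/sh
# Added example: emulate the two-alternative procmail condition with grep -E.

# Header of the message on stdin: everything up to the first blank line.
header_of() { sed '/^$/q'; }

# Print which alternative of the condition matches, or "none".
spambox_reason() {
    hdr=$(header_of)
    if printf '%s\n' "$hdr" | grep -Eiq '^Content-Type: text/html'; then
        echo html
    elif printf '%s\n' "$hdr" | grep -Eiq '^Subject:.*=\?ks_c_5601-1987\?'; then
        echo ks_c_5601-1987
    else
        echo none
    fi
}

# Return 0 when the condition as posted (alternatives joined by |) matches.
is_spambox() {
    header_of |
        grep -Eiq '^Content-Type: text/html|^Subject:.*=\?ks_c_5601-1987\?'
}

# Constructed sample messages.
html_mail='From: a@example.org
Subject: hello
Content-type: TEXT/HTML; charset=us-ascii

<html>hi</html>'
charset_mail='From: b@example.org
Subject: =?ks_c_5601-1987?B?Y29uc3RydWN0ZWQ=?=
Content-Type: text/plain

body'
plain_mail='From: c@example.org
Subject: sshd on potato
Content-Type: text/plain

A header quoted in the body must not count:
Content-Type: text/html'

for name in html_mail charset_mail plain_mail; do
    eval "msg=\$$name"
    printf '%s: %s\n' "$name" "$(printf '%s\n' "$msg" | spambox_reason)"
done
```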
Re: Once again: Spam (from hananet.net, korea)
Oystein Viggen [EMAIL PROTECTED] wrote on 14/01/2002 (17:14) : Note the |, that's an OR. My rule kills all html-mail but also (I believe), all that unintelligible Korean spam. Ah I missed that. Preben -- () Join the worldwide campaign to protect fundamental human rights. '||} {||' http://www.amnesty.org/
Re: Once again: Spam (from hananet.net, korea)
Dietmar Braun wrote: from USA and Germany, we normally get also mails we want and we need. From Korea/China and other spammers heaven, we get nothing but spam - there is no mail from these countries I had to admit that I wanted it... Ignoring in your blind nationalistic fury that there are indeed Debian developers in both those countries[1], of course. -- see shy jo [1] For values of Korea approaching South Korea, anyway.
Re: Once again: Spam (from hananet.net, korea)
At 11:30 14.01.2002 -0500, Joey Hess wrote: Ignoring in your blind nationalistic fury that there are indeed Debian developers in both those countries[1], of course. There is no need to call me nationalistic just because I am angry about spammers in this groups. But it's enough now, I won't post anything about that any more here, ok? Despite of this complaints at the police and the provider don't help - we all know that. Back to business now, sorry for having disturbed. Dietmar
Re: I've been hacked by DevilSoul
Dries Kimpe [EMAIL PROTECTED] writes: Hmm, am I right in assuming that all (current) non-LKM rootkits use write access on /dev/kmem (/dev/mem)? In any case, patching the kernel that there's no write access would be a good idea. Yes, but it's a tremendous task. Quite a few device drivers have bugs which enable root to write kernel memory. OTOH, if somebody obtains root privileges, he can probably plant a kernel in the swapfile and instruct the boot loader to load it on the next reboot. AFAIK, most if not all checksumming tools don't deal properly with such scenarios. -- Florian Weimer [EMAIL PROTECTED] University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898
Re: Asking for documentation help (Re: IPSec questions...)
On Monday, 2002-01-14 at 10:31:38 +0100, Javier Fernández-Sanguino Peña wrote: I was wondering... could someone write a How to build VPN's in Debian small documentation for inclusion in the Debian Security HOWTO (http://www.debian.org/doc/ddp) it could make for a nice chapter in there. Topics to comment about: - FreeSwan - CIPE - Ssh - ... Any volunteer? Not this one: ENOTUITS. But I'd like to suggest to incorporate information from http://www.shorewall.net/PPTP.htm and http://poptop.lineo.com/setup_pptp_server.html on PPTP and MPPE. At least temporarily until the US vs. Non-US problem for the kernel and PPP goes away. I just set up PPTP and the description at the two sites applies to Debian, too. Obstacles that should be removed: 1) integrate MPPE in the kernel. 2) patch PPP for MPPE and MSCHAPv2. 3) upgrade PPTP to 1.0.1. I sincerely hope this can happen soon. Until then, SuSE is way easier to set up for PPTP. (Dunno what they deliver in the US, but here in Germany, they have those patches integrated.) Lupe Christoph -- | [EMAIL PROTECTED] | http://free.prohosting.com/~lupe | | I have challenged the entire ISO-9000 quality assurance team to a | | Bat-Leth contest on the holodeck. They will not concern us again. | | http://public.logica.com/~stepneys/joke/klingon.htm |
Re: I've been hacked by DevilSoul
OTOH, if somebody obtains root privileges, he can probably plant a kernel in the swapfile and instruct the boot loader to load it on the next reboot. AFAIK, most if not all checksumming tools don't deal properly with such scenarios. Quite a scary scenario. How could one plant a file in swap? How could you access that file? -A. Dave Florian Weimer wrote: Dries Kimpe [EMAIL PROTECTED] writes: Hmm, am I right in assuming that all (current) non-LKM rootkits use write access on /dev/kmem (/dev/mem)? In any case, patching the kernel that there's no write access would be a good idea. Yes, but it's a tremendous task. Quite a few device drivers have bugs which enable root to write kernel memory. OTOH, if somebody obtains root privileges, he can probably plant a kernel in the swapfile and instruct the boot loader to load it on the next reboot. AFAIK, most if not all checksumming tools don't deal properly with such scenarios.