Re: Fwd: iDEFENSE Security Advisory 11.01.02: Buffer Overflow Vulnerability in Abuse
On Mon, Nov 04, 2002 at 01:36:36PM +, David Wright wrote: > Quoting Phillip Hofmeister ([EMAIL PROTECTED]): > What's this about? _ > > > > 2. Remove the setuid bit from the XaoS binary by executing the > > following command: > > > > # chmod -s /usr/lib/games/abuse/abuse.* > > (noticing -rwsr-xr-x root root 37 Jul 27 17:34 /usr/bin/xaos) > ^ Yikes. I recommend: dpkg-statoverride --update --add root root 755 /usr/bin/xaos This is permanent across upgrades, removals, and reinstalls of the xaos package. (--update tells statoverride to effect the change itself.) -- #define X(x,y) x##y Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca) "The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces!" -- Plautus, 200 BC -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: DSA 187-1 and FrontPage extensions
On Tue, Nov 05, 2002 at 12:17:46AM +0200, George Karaolides wrote: > 1. The debs I build from the Debian apache source package come out with > version number 1.3.26-0woody1 whereas the debs released to cover this > vulnerability have version 1.3.26-0woody3. Why is this? Have the source > packages not been updated? You must have downloaded an older source package. Use the URLs in the advisory to get 1.3.26-0woody3. > 2. (Related) Are the binary debs I build from the current debian > 1.3.26 source package safe from this vulnerability? You should use the latest package from security.debian.org. -- - mdz
Re: DSA 187-1 and FrontPage extensions
On Tue, Nov 05, 2002 at 12:17:46AM +0200, George Karaolides wrote: > 1. The debs I build from the Debian apache source package come out with > version number 1.3.26-0woody1 whereas the debs released to cover this > vulnerability have version 1.3.26-0woody3. Why is this? Have the source > packages not been updated? You must have downloaded an older source package. Use the URLs in the advisory to get 1.3.26-0woody3. > 2. (Related) Are the binary debs I build from the current debian > 1.3.26 source package safe from this vulnerability? You should use the latest package from security.debian.org. -- - mdz -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
DSA 187-1 and FrontPage extensions
Hi all, I run a FrontPage-enabled apache server on Woody. I apply the 1.3.22 FrontPage patch which is claimed by rtr.com to work with versions 1.3.22, 1.3.24, 1.3.26 and 1.3.27 to the Debian Apache sources and then build Debian binary packages. I append the procedure I use to do this below. The server has been running OK so far. I have two questions: 1. The debs I build from the Debian apache source package come out with version number 1.3.26-0woody1 whereas the debs released to cover this vulnerability have version 1.3.26-0woody3. Why is this? Have the source packages not been updated? 2. (Related) Are the binary debs I build from the current debian 1.3.26 source package safe from this vulnerability? Does anyone have any input? Please copy me directly as I am not subscribed to the list. Debian Apache FrontPage Patch and Compile Procedure --- The patch is at ftp://ftp.rtr.com/pub/fp-patch-apache_1.3.22.Z To patch the server I follow the following procedure: Download and gunzip patch file fp-patch-apache_1.3.22.Z apt-get source apache cd apache-1.3.26/upstream/tarballs tar xvzf apache_1.3.26.tar.gz cd apache_1.3.26 patch -p1 fp-patch-apache_1.3.22 cd apache-1.3.26 dpkg-buildpackage -rfakeroot -b cd .. dpkg -i apache-common dpkg -i apache Best regards, George Karaolides
Re: [SECURITY] [DSA 187-1] New Apache packages fix several vulnerabilities
On Mon, Nov 04, 2002 at 10:55:53AM -0500, andrew lattis wrote: > i'm assuming these also apply to apache-ssl, but there doesn't appear to > be a new package. is it still in the works or is apache-ssl not > vulnerable? The former. -- - mdz
DSA 187-1 and FrontPage extensions
Hi all, I run a FrontPage-enabled apache server on Woody. I apply the 1.3.22 FrontPage patch which is claimed by rtr.com to work with versions 1.3.22, 1.3.24, 1.3.26 and 1.3.27 to the Debian Apache sources and then build Debian binary packages. I append the procedure I use to do this below. The server has been running OK so far. I have two questions: 1. The debs I build from the Debian apache source package come out with version number 1.3.26-0woody1 whereas the debs released to cover this vulnerability have version 1.3.26-0woody3. Why is this? Have the source packages not been updated? 2. (Related) Are the binary debs I build from the current debian 1.3.26 source package safe from this vulnerability? Does anyone have any input? Please copy me directly as I am not subscribed to the list. Debian Apache FrontPage Patch and Compile Procedure --- The patch is at ftp://ftp.rtr.com/pub/fp-patch-apache_1.3.22.Z To patch the server I follow the following procedure: Download and gunzip patch file fp-patch-apache_1.3.22.Z apt-get source apache cd apache-1.3.26/upstream/tarballs tar xvzf apache_1.3.26.tar.gz cd apache_1.3.26 patch -p1 fp-patch-apache_1.3.22 cd apache-1.3.26 dpkg-buildpackage -rfakeroot -b cd .. dpkg -i apache-common dpkg -i apache Best regards, George Karaolides -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 187-1] New Apache packages fix several vulnerabilities
On Mon, Nov 04, 2002 at 10:55:53AM -0500, andrew lattis wrote: > i'm assuming these also apply to apache-ssl, but there doesn't appear to > be a new package. is it still in the works or is apache-ssl not > vulnerable? The former. -- - mdz -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 187-1] New Apache packages fix several vulnerabilities
i'm assuming these also apply to apache-ssl, but there doesn't appear to be a new package. is it still in the works or is apache-ssl not vulnerable? thanks, andrew On 2002/11/04 04:26:57PM +0100, Mon, Martin Schulze wrote: > > Package: apache > Vulnerability : several > Problem-Type : remote, local > Debian-specific: no > CVE Id : CAN-2002-0839 CAN-2002-0840 CAN-2002-0843 CAN-2001-0131 > CAN-2002-1233 > BugTraq ID : 5847 5884 5887 pgpVhafO4LTXN.pgp Description: PGP signature
Re: tiger reporting thousands of files with "undefined groups ownership"
This one time, at band camp, Carlos Sousa said: > On Sun, 3 Nov 2002 20:56:34 +0100 Javier Fernández-Sanguino Peña <[EMAIL > PROTECTED]> wrote: > > > On Sat, Nov 02, 2002 at 01:18:03PM +, Carlos Sousa wrote: > > > > > > # pwck -r > > > user news: directory /var/spool/news does not exist > > > user uucp: directory /var/spool/uucp does not exist > > > user majordom: directory /usr/lib/majordomo does not exist > > > user postgres: directory /var/lib/postgres does not exist > > > user msql: directory /var/lib/msql does not exist > > > user list: directory /var/list does not exist > > > user gnats: directory /var/lib/gnats/gnats-db does not exist > > > user telnetd: directory /usr/lib/telnetd does not exist > > > user mysql: directory /var/lib/mysql does not exist > > > pwck: no changes > > > > Should this be there? I'm pretty sure there should be there. > > $ dpkg -S /var/lib/mysql > > mysql-server: /var/lib/mysql > > Actually, the msql entry also seems suspicious: > > $ dpkg -S /var/lib/msql > dpkg: /var/lib/msql not found. > > What is it doing there? I haven't mini SQL installed, I couldn't even > find mini SQL in the Debian packages... Should it be safe to remove msql > from passwd/shadow? > > > If you have mysql-server installed (and I bet you do since you > > have the 'mysql' user) then that directory might have been lost in the > > crash. > > I shouldn't have mysql installed. > > $ dpkg -l 'mysql*' > Desired=Unknown/Install/Remove/Purge/Hold > | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed > |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: > uppercase=bad) > ||/ Name VersionDescription > +++-==-==- > un mysql (no description available) > un mysql-base (no description available) > pn mysql-client(no description available) > ii mysql-common 3.23.52-2 mysql database common files (e.g. /etc/mysql > un mysql-dev (no description available) > un mysql-devel (no description available) > pn mysql-doc (no description available) > pn mysql-gpl-clie (no description available) > un mysql-gpl-dev (no description available) > pn mysql-gpl-doc (no description available) > pn mysql-manual(no description available) > pn mysql-navigato (no description available) > pn mysql-server(no description available) > pn mysqltcl(no description available) > > Hmm, bit of a mess here... > > Why do I have a few mysql packages in a Desired=Unknown state? How > could I upgrade the to a Desired=Purged state? > > Anyway, the avalanche of files reported by tiger surely cannot be > totally explained by this mysql breakage... 'un' means that it is not installed, and you've never tried to install it, unlike 'pn' which means that you once installed it, but later purged it. It looks like you have had a mysql server/client setup on this box at one point in the past, but the passwd/group entries for mysql were never removed, probably because you weren't removing mysql-common at the same time. None of this looks like a real problem. Sorry I can't help with your real problem, but this doesn't look like it. Steve -- Software is like sex; it's better when it's free. -- Linus Torvalds pgpJ0UxmwPCPh.pgp Description: PGP signature
Re: [SECURITY] [DSA 187-1] New Apache packages fix several vulnerabilities
i'm assuming these also apply to apache-ssl, but there doesn't appear to be a new package. is it still in the works or is apache-ssl not vulnerable? thanks, andrew On 2002/11/04 04:26:57PM +0100, Mon, Martin Schulze wrote: > > Package: apache > Vulnerability : several > Problem-Type : remote, local > Debian-specific: no > CVE Id : CAN-2002-0839 CAN-2002-0840 CAN-2002-0843 CAN-2001-0131 >CAN-2002-1233 > BugTraq ID : 5847 5884 5887 msg07614/pgp0.pgp Description: PGP signature
Re: Fwd: iDEFENSE Security Advisory 11.01.02: Buffer Overflow Vulnerability in Abuse
Quoting Phillip Hofmeister ([EMAIL PROTECTED]): > From: "David Endler" <[EMAIL PROTECTED]> > [...]In a default abuse installation in > Debian Linux, both abuse.console and abuse.x11R6 can be used in > exploitation; both files are set group id games, and abuse.console is > set user id root. What's this about? _ > 2. Remove the setuid bit from the XaoS binary by executing the > following command: > > # chmod -s /usr/lib/games/abuse/abuse.* (noticing -rwsr-xr-x root root 37 Jul 27 17:34 /usr/bin/xaos) ^ Cheers, -- Email: [EMAIL PROTECTED] Tel: +44 1908 653 739 Fax: +44 1908 655 151 Snail: David Wright, Earth Science Dept., Milton Keynes, England, MK7 6AA Disclaimer: These addresses are only for reaching me, and do not signify official stationery. Views expressed here are either my own or plagiarised.
Re: tiger reporting thousands of files with "undefined groups ownership"
This one time, at band camp, Carlos Sousa said: > On Sun, 3 Nov 2002 20:56:34 +0100 Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> >wrote: > > > On Sat, Nov 02, 2002 at 01:18:03PM +, Carlos Sousa wrote: > > > > > > # pwck -r > > > user news: directory /var/spool/news does not exist > > > user uucp: directory /var/spool/uucp does not exist > > > user majordom: directory /usr/lib/majordomo does not exist > > > user postgres: directory /var/lib/postgres does not exist > > > user msql: directory /var/lib/msql does not exist > > > user list: directory /var/list does not exist > > > user gnats: directory /var/lib/gnats/gnats-db does not exist > > > user telnetd: directory /usr/lib/telnetd does not exist > > > user mysql: directory /var/lib/mysql does not exist > > > pwck: no changes > > > > Should this be there? I'm pretty sure there should be there. > > $ dpkg -S /var/lib/mysql > > mysql-server: /var/lib/mysql > > Actually, the msql entry also seems suspicious: > > $ dpkg -S /var/lib/msql > dpkg: /var/lib/msql not found. > > What is it doing there? I haven't mini SQL installed, I couldn't even > find mini SQL in the Debian packages... Should it be safe to remove msql > from passwd/shadow? > > > If you have mysql-server installed (and I bet you do since you > > have the 'mysql' user) then that directory might have been lost in the > > crash. > > I shouldn't have mysql installed. > > $ dpkg -l 'mysql*' > Desired=Unknown/Install/Remove/Purge/Hold > | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed > |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) > ||/ Name VersionDescription > +++-==-==- > un mysql (no description available) > un mysql-base (no description available) > pn mysql-client(no description available) > ii mysql-common 3.23.52-2 mysql database common files (e.g. /etc/mysql > un mysql-dev (no description available) > un mysql-devel (no description available) > pn mysql-doc (no description available) > pn mysql-gpl-clie (no description available) > un mysql-gpl-dev (no description available) > pn mysql-gpl-doc (no description available) > pn mysql-manual(no description available) > pn mysql-navigato (no description available) > pn mysql-server(no description available) > pn mysqltcl(no description available) > > Hmm, bit of a mess here... > > Why do I have a few mysql packages in a Desired=Unknown state? How > could I upgrade the to a Desired=Purged state? > > Anyway, the avalanche of files reported by tiger surely cannot be > totally explained by this mysql breakage... 'un' means that it is not installed, and you've never tried to install it, unlike 'pn' which means that you once installed it, but later purged it. It looks like you have had a mysql server/client setup on this box at one point in the past, but the passwd/group entries for mysql were never removed, probably because you weren't removing mysql-common at the same time. None of this looks like a real problem. Sorry I can't help with your real problem, but this doesn't look like it. Steve -- Software is like sex; it's better when it's free. -- Linus Torvalds msg07613/pgp0.pgp Description: PGP signature
unsubscribe
Re: tiger reporting thousands of files with "undefined groups ownership"
On Sun, 3 Nov 2002 20:56:34 +0100 Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> wrote: > On Sat, Nov 02, 2002 at 01:18:03PM +, Carlos Sousa wrote: > > > > # pwck -r > > user news: directory /var/spool/news does not exist > > user uucp: directory /var/spool/uucp does not exist > > user majordom: directory /usr/lib/majordomo does not exist > > user postgres: directory /var/lib/postgres does not exist > > user msql: directory /var/lib/msql does not exist > > user list: directory /var/list does not exist > > user gnats: directory /var/lib/gnats/gnats-db does not exist > > user telnetd: directory /usr/lib/telnetd does not exist > > user mysql: directory /var/lib/mysql does not exist > > pwck: no changes > > Should this be there? I'm pretty sure there should be there. > $ dpkg -S /var/lib/mysql > mysql-server: /var/lib/mysql Actually, the msql entry also seems suspicious: $ dpkg -S /var/lib/msql dpkg: /var/lib/msql not found. What is it doing there? I haven't mini SQL installed, I couldn't even find mini SQL in the Debian packages... Should it be safe to remove msql from passwd/shadow? > If you have mysql-server installed (and I bet you do since you > have the 'mysql' user) then that directory might have been lost in the > crash. I shouldn't have mysql installed. $ dpkg -l 'mysql*' Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name VersionDescription +++-==-==- un mysql (no description available) un mysql-base (no description available) pn mysql-client(no description available) ii mysql-common 3.23.52-2 mysql database common files (e.g. /etc/mysql un mysql-dev (no description available) un mysql-devel (no description available) pn mysql-doc (no description available) pn mysql-gpl-clie (no description available) un mysql-gpl-dev (no description available) pn mysql-gpl-doc (no description available) pn mysql-manual(no description available) pn mysql-navigato (no description available) pn mysql-server(no description available) pn mysqltcl(no description available) Hmm, bit of a mess here... Why do I have a few mysql packages in a Desired=Unknown state? How could I upgrade the to a Desired=Purged state? Anyway, the avalanche of files reported by tiger surely cannot be totally explained by this mysql breakage... -- Carlos Sousa http://vbc.dyndns.org/
Re: Fwd: iDEFENSE Security Advisory 11.01.02: Buffer Overflow Vulnerability in Abuse
Quoting Phillip Hofmeister ([EMAIL PROTECTED]): > From: "David Endler" <[EMAIL PROTECTED]> > [...]In a default abuse installation in > Debian Linux, both abuse.console and abuse.x11R6 can be used in > exploitation; both files are set group id games, and abuse.console is > set user id root. What's this about? _ > 2. Remove the setuid bit from the XaoS binary by executing the > following command: > > # chmod -s /usr/lib/games/abuse/abuse.* (noticing -rwsr-xr-x root root 37 Jul 27 17:34 /usr/bin/xaos) ^ Cheers, -- Email: [EMAIL PROTECTED] Tel: +44 1908 653 739 Fax: +44 1908 655 151 Snail: David Wright, Earth Science Dept., Milton Keynes, England, MK7 6AA Disclaimer: These addresses are only for reaching me, and do not signify official stationery. Views expressed here are either my own or plagiarised. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
unsubscribe
-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: tiger reporting thousands of files with "undefined groups ownership"
On Sun, 3 Nov 2002 20:56:34 +0100 Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> wrote: > On Sat, Nov 02, 2002 at 01:18:03PM +, Carlos Sousa wrote: > > > > # pwck -r > > user news: directory /var/spool/news does not exist > > user uucp: directory /var/spool/uucp does not exist > > user majordom: directory /usr/lib/majordomo does not exist > > user postgres: directory /var/lib/postgres does not exist > > user msql: directory /var/lib/msql does not exist > > user list: directory /var/list does not exist > > user gnats: directory /var/lib/gnats/gnats-db does not exist > > user telnetd: directory /usr/lib/telnetd does not exist > > user mysql: directory /var/lib/mysql does not exist > > pwck: no changes > > Should this be there? I'm pretty sure there should be there. > $ dpkg -S /var/lib/mysql > mysql-server: /var/lib/mysql Actually, the msql entry also seems suspicious: $ dpkg -S /var/lib/msql dpkg: /var/lib/msql not found. What is it doing there? I haven't mini SQL installed, I couldn't even find mini SQL in the Debian packages... Should it be safe to remove msql from passwd/shadow? > If you have mysql-server installed (and I bet you do since you > have the 'mysql' user) then that directory might have been lost in the > crash. I shouldn't have mysql installed. $ dpkg -l 'mysql*' Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name VersionDescription +++-==-==- un mysql (no description available) un mysql-base (no description available) pn mysql-client(no description available) ii mysql-common 3.23.52-2 mysql database common files (e.g. /etc/mysql un mysql-dev (no description available) un mysql-devel (no description available) pn mysql-doc (no description available) pn mysql-gpl-clie (no description available) un mysql-gpl-dev (no description available) pn mysql-gpl-doc (no description available) pn mysql-manual(no description available) pn mysql-navigato (no description available) pn mysql-server(no description available) pn mysqltcl(no description available) Hmm, bit of a mess here... Why do I have a few mysql packages in a Desired=Unknown state? How could I upgrade the to a Desired=Purged state? Anyway, the avalanche of files reported by tiger surely cannot be totally explained by this mysql breakage... -- Carlos Sousa http://vbc.dyndns.org/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: tiger reporting thousands of files with "undefined groups ownership"
On Sat, Nov 02, 2002 at 01:18:03PM +, Carlos Sousa wrote: > > # pwck -r > user news: directory /var/spool/news does not exist > user uucp: directory /var/spool/uucp does not exist > user majordom: directory /usr/lib/majordomo does not exist > user postgres: directory /var/lib/postgres does not exist > user msql: directory /var/lib/msql does not exist > user list: directory /var/list does not exist > user gnats: directory /var/lib/gnats/gnats-db does not exist > user telnetd: directory /usr/lib/telnetd does not exist > user mysql: directory /var/lib/mysql does not exist > pwck: no changes Should this be there? I'm pretty sure there should be there. $ dpkg -S /var/lib/mysql mysql-server: /var/lib/mysql If you have mysql-server installed (and I bet you do since you have the 'mysql' user) then that directory might have been lost in the crash. > Visual inspection of passwd and shadow doesn't help, both look OK. Yes, they might be ok. The problem is that the filesystem structure is not ok. > > Any more thoughts? System crash. Ouch. Javi pgp0a8PdSNp9a.pgp Description: PGP signature
Re: tiger reporting thousands of files with "undefined groups ownership"
On Sat, Nov 02, 2002 at 01:18:03PM +, Carlos Sousa wrote: > > # pwck -r > user news: directory /var/spool/news does not exist > user uucp: directory /var/spool/uucp does not exist > user majordom: directory /usr/lib/majordomo does not exist > user postgres: directory /var/lib/postgres does not exist > user msql: directory /var/lib/msql does not exist > user list: directory /var/list does not exist > user gnats: directory /var/lib/gnats/gnats-db does not exist > user telnetd: directory /usr/lib/telnetd does not exist > user mysql: directory /var/lib/mysql does not exist > pwck: no changes Should this be there? I'm pretty sure there should be there. $ dpkg -S /var/lib/mysql mysql-server: /var/lib/mysql If you have mysql-server installed (and I bet you do since you have the 'mysql' user) then that directory might have been lost in the crash. > Visual inspection of passwd and shadow doesn't help, both look OK. Yes, they might be ok. The problem is that the filesystem structure is not ok. > > Any more thoughts? System crash. Ouch. Javi msg07609/pgp0.pgp Description: PGP signature