The recent RCE in libcue and tracker3 GNOME settings in Bookworm
Hi!

After the recent RCE in libcue (DSA-5524-1, CVE-2023-43641, [1]), I've decided to re-check that I have scanning of the ~/Downloads directory disabled for GNOME Search. The Settings app of GNOME says it's disabled, but if I do

  gsettings get org.freedesktop.Tracker3.Miner.Files index-single-directories

it lists '@DOWNLOADS' along with '$HOME' (scanning of which is enabled). IOW, it looks exactly like the bug discussed back then in [2,3].

I have executed

  gsettings set org.freedesktop.Tracker3.Miner.Files \
    index-single-directories '['\''$HOME'\'']'

and

  systemctl --user restart tracker-miner-fs-3.service

to have the scanning of ~/Downloads disabled for sure (I hope), but this got me thinking: does this situation warrant filing a bug against GNOME in Debian?

I should note that I have upgraded Debian on this particular device twice; the first Debian version with GNOME that was installed was 10. It's quite possible that the bug got triggered on an older version and merely persisted through upgrades, and if so, it may only affect the users in the same situation.

1. https://lists.debian.org/debian-security-announce/2023/msg00217.html
2. https://discussion.fedoraproject.org/t/is-tracker-scanning-downloads-again-despite-the-folder-being-ignored/24828/7
3. https://bugzilla.redhat.com/show_bug.cgi?id=1900227
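The check described in the post, written out as a small script. This is an added example, not code from the post or from GNOME/Tracker: it parses the value that `gsettings get org.freedesktop.Tracker3.Miner.Files index-single-directories` prints (a GVariant string array such as `['$HOME', '@DOWNLOADS']`, or `@as []` when empty), reports whether '@DOWNLOADS' is still listed, and builds the corrected value for `gsettings set`. The function names and the sample value used when gsettings is not installed are this example's own.

```python
"""Check whether GNOME's Tracker3 file miner still indexes ~/Downloads.

Added example, not from the original post. It parses the output of
`gsettings get org.freedesktop.Tracker3.Miner.Files index-single-directories`
(a GVariant string array) and reports whether '@DOWNLOADS' is still listed,
which is the condition the post describes. Function names and the
constructed sample value are assumptions made here.
"""
from __future__ import annotations

import ast
import shutil
import subprocess

SCHEMA = "org.freedesktop.Tracker3.Miner.Files"
KEY = "index-single-directories"
DOWNLOADS = "@DOWNLOADS"


def parse_gvariant_string_array(text: str) -> list[str]:
    """Turn gsettings' textual GVariant array into a Python list.

    gsettings prints a type prefix for empty arrays ("@as []"); non-empty
    arrays look like Python list literals, which ast.literal_eval accepts.
    """
    text = text.strip()
    if text.startswith("@as"):
        text = text[len("@as"):].strip()
    value = ast.literal_eval(text)
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        raise ValueError(f"not a string array: {text!r}")
    return value


def downloads_is_indexed(text: str) -> bool:
    """True when '@DOWNLOADS' is still in the indexed-directory list."""
    return DOWNLOADS in parse_gvariant_string_array(text)


def without_downloads(text: str) -> str:
    """Same array, serialised for `gsettings set`, minus '@DOWNLOADS'."""
    kept = [d for d in parse_gvariant_string_array(text) if d != DOWNLOADS]
    return "[" + ", ".join(f"'{d}'" for d in kept) + "]"


def read_current_value() -> str | None:
    """Query the live setting; None when gsettings or the schema is unavailable."""
    if shutil.which("gsettings") is None:
        return None
    out = subprocess.run(["gsettings", "get", SCHEMA, KEY],
                         capture_output=True, text=True, check=False)
    return out.stdout if out.returncode == 0 else None


if __name__ == "__main__":
    # Constructed sample mirroring what the post reports; used when gsettings is absent.
    current = read_current_value() or "['$HOME', '@DOWNLOADS']"
    if downloads_is_indexed(current):
        fixed = without_downloads(current)
        print("~/Downloads is still indexed; suggested fix:")
        print(f'  gsettings set {SCHEMA} {KEY} "{fixed}"')
        print("  systemctl --user restart tracker-miner-fs-3.service")
    else:
        print("~/Downloads is not in the index list.")
```

Run it on a desktop session to see the live value; elsewhere it falls back to the constructed sample so the logic can still be exercised.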
Re: Securing Debian Manual too old?
On Fri, Jun 23, 2023 at 12:40:19PM +0200, Stephan Seitz wrote:
> I found the Securing Debian Manual
> (https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html).
> This version is from 2017.
>
> It has „Chapter 6. Automatic hardening of Debian systems” which mentions
> Harden packages and Bastille. None of these packages exist anymore in Debian
> 11 or 12.
>
> https://bastille-linux.sourceforge.net/running_bastille_on.htm#debian lets
> you follow a link to http://packages.debian.org/bastille but without
> results.
>
> So what happened here?

I cannot say anything on the Securing Debian manual, but when you're interested in digging up the fate of a particular package in Debian, you can roll like this:

1) Go to the "package tracker", and search for the package of interest. In this particular case, there was no need to search, as a plain guess that it should (have been) named "bastille" worked - https://tracker.debian.org/bastille is the URL of interest.

2) There, you can examine the package's status - it's sort of a dashboard. In the case of bastille, you can see that the last entry in the log of the package activity says it has been removed from unstable. Examining that [1] will tell you the reason, and provide further pointers.

1. https://tracker.debian.org/news/589646/bug718783-removed-packages-from-unstable/
Re: Does net install cryptographically verify downloaded data?
On Thu, Jul 05, 2018 at 12:02:28PM +0300, Georgi Guninski wrote:
> Does net install cryptographically verify downloaded data?
>
> Searching the iso for gpg/keyrings didn't return any results for me.

Look for the package "debian-archive-keyring". APT depends on it and uses the keys it provides to verify digital signatures of all the packages it installs. See the apt-secure(8) manual page for more info.
Re: Does net install cryptographically verify downloaded data?
On Thu, Jul 05, 2018 at 12:02:28PM +0300, Georgi Guninski wrote:
> Does net install cryptographically verify downloaded data?
>
> Searching the iso for gpg/keyrings didn't return any results for me.

Sorry, sent too fast, so missed two crucial bits:

- The net install image contains a minimal set of packages to "bootstrap" the installation from. This includes the package which installs the keys used to sign the Release files in the Debian archive which will be used by the netinstall process.

- While individual packages are signed, APT actually verifies that the Release file it obtained from the archive has a correct signature. The Release file contains the checksums of the Packages files, which contain the checksums of the individual packages. Hence the validity of the signature of the Release file authenticates the individual packages indirectly - via checksumming.
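The indirect chain the reply describes (signed Release -> Packages -> .deb), worked through in code. This is an added example, not from the post and not APT's own code: the signature check is taken as already done (APT runs gpgv with the keys from debian-archive-keyring over the Release file), and the code shows how a Release file trusted on that basis authenticates each package through two levels of SHA-256 checksums. The Release, Packages and .deb contents are constructed samples, and the function names are this example's own.

```python
"""Follow the APT trust chain described above: Release -> Packages -> .deb.

Added example; not from the original post and not APT's own code. The
signature step is assumed already done (APT runs gpgv with the keys from
debian-archive-keyring over the Release file), so the input here is a
Release file taken as trusted. The Release, Packages and .deb contents
below are constructed samples, not real archive data.
"""
from __future__ import annotations

import hashlib


def parse_release_sha256(release_text: str) -> dict[str, tuple[str, int]]:
    """Map each path under the 'SHA256:' section of a Release file to (hexdigest, size)."""
    table: dict[str, tuple[str, int]] = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):            # a new field; only SHA256: interests us
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            table[path] = (digest, int(size))
    return table


def parse_packages(packages_text: str) -> list[dict[str, str]]:
    """Split a Packages file into stanzas of 'Field: value' lines."""
    stanzas: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for line in packages_text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        field, _, value = line.partition(":")
        current[field.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def blob_matches(blob: bytes, expected_hex: str, expected_size: int) -> bool:
    """Cheap size check first, then the SHA-256 comparison."""
    return len(blob) == expected_size and hashlib.sha256(blob).hexdigest() == expected_hex


def verify_chain(trusted_release: str, packages_path: str, packages_blob: bytes,
                 debs: dict[str, bytes]) -> dict[str, bool]:
    """Return {Filename: ok} for every listed package; raise if Packages itself is not vouched for."""
    index = parse_release_sha256(trusted_release)
    if packages_path not in index:
        raise ValueError(f"{packages_path} is not listed in Release")
    if not blob_matches(packages_blob, *index[packages_path]):
        raise ValueError(f"{packages_path} does not match the signed Release file")
    results = {}
    for stanza in parse_packages(packages_blob.decode()):
        name = stanza["Filename"]
        results[name] = blob_matches(debs.get(name, b""), stanza["SHA256"], int(stanza["Size"]))
    return results


# --- constructed sample archive (not real Debian data) --------------------
DEB_NAME = "pool/main/e/example/example_1.0-1_amd64.deb"
GOOD_DEB = b"!<arch>\nconstructed .deb contents"
TAMPERED_DEB = b"!<arch>\nconstructed .deb contents, altered after indexing"

PACKAGES = (
    "Package: example\nVersion: 1.0-1\nArchitecture: amd64\n"
    f"Filename: {DEB_NAME}\nSize: {len(GOOD_DEB)}\n"
    f"SHA256: {hashlib.sha256(GOOD_DEB).hexdigest()}\n"
).encode()
PACKAGES_PATH = "main/binary-amd64/Packages"
RELEASE = (
    "Suite: stable\nCodename: sample\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} {PACKAGES_PATH}\n"
)


def deb_accepted(deb: bytes) -> bool:
    """True when every listed package checks out against the trusted Release."""
    return all(verify_chain(RELEASE, PACKAGES_PATH, PACKAGES, {DEB_NAME: deb}).values())


def packages_index_accepted(packages_blob: bytes) -> bool:
    """True when the Packages file itself is the one the signed Release vouches for."""
    try:
        verify_chain(RELEASE, PACKAGES_PATH, packages_blob, {DEB_NAME: GOOD_DEB})
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("pristine .deb accepted:  ", deb_accepted(GOOD_DEB))
    print("tampered .deb accepted:  ", deb_accepted(TAMPERED_DEB))
    print("edited Packages accepted:", packages_index_accepted(PACKAGES + b"Package: extra\n"))
```

The ordering matters: a Packages file that the signed Release does not vouch for is rejected before any of the .deb checksums it lists are consulted, which is what makes the per-package checks meaningful.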
Re: [SECURITY] [DSA 4187-1] linux security update
On Thu, May 03, 2018 at 10:53:00AM +0200, richard lucassen wrote:
> > > There are multiple reports on #ganeti that this update breaks
> > > networking in certain circumstances, probably multiple tun/tap
> > > device configurations. No more details or a proper bug report yet
> > > as I haven't experienced this myself, but mentioning in case it
> > > saves anyone else breakage.[...]
> >
> > I believe I understand this. Creating a tun/tap device using a name
> > pattern such as "tun%d" (or empty name) will now fail if the number
> > substituted is not 0. There is an upstream fix for this that I failed
> > to spot in time.
>
> There is also a big increase in time before random is initialized:
>
> [ 182.811840] random: crng init done
>
> This is a machine on bare metal. On other environments like proxmox I've
> seen:
>
> [ 303.993638] random: crng init done
>
> Downgrading to the previous kernel resolves the problem (normally a few
> seconds). One of the consequences is that openntpd (or a program like
> rdate) hangs until the crng is initialized.

I'd think it's a fix for [1], [2] but it does not appear on the list of CVEs fixed.

1. https://security-tracker.debian.org/tracker/CVE-2018-1108
2. https://bugs.chromium.org/p/project-zero/issues/detail?id=1559
Re: Debian Desktop Environment
On Tue, 27 Oct 2015 12:29:53 +0100 Mateusz Kozłowski wrote:
> Could You tell me which debian desktop environment is the most
> secure and has the best privacy, and which You recommend for debian
> users? (KDE, XFCE, GNOME etc.)?

Please ask this question on debian-users instead. This list is highly technical and dedicated to concrete security problems in Debian packages, not general questions (especially such "primarily opinion-based" ones, like yours).
Re: about bash and Debian Lenny
On Wed, 1 Oct 2014 14:45:55 +0300 Nikolay Hristov <ge...@stemo.bg> wrote:
> > I made lenny packages for my machines. I could share them if you want?
> [...]
> Which part of "I don't want to use deb packages from different sources
> because I cannot trust them" you didn't understand? ;-)

Still, when someone offers their help there really is no need to play a smart ass as you did. The only thing you might achieve doing that is a) direct rebuttals (my e-mail) and b) mild propositions to build patched packages yourself.

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20141001155857.039ea736d8e6e1d4b481b...@domain007.com
Re: [SECURITY] [DSA 2318-1] cyrus-imapd-2.2 security update
On Mon, 10 Oct 2011 12:04:21 +0200 Vladislav Kurz <vladislav.k...@webstep.net> wrote:
> > --------------------------------------------------------------------
> > Debian Security Advisory DSA-2318-1            secur...@debian.org
> > http://www.debian.org/security/                         Nico Golde
> > Oct 6, 2011                       http://www.debian.org/security/faq
> > --------------------------------------------------------------------
> >
> > Package        : cyrus-imapd-2.2
> > Vulnerability  : multiple
> > Problem type   : remote
> > Debian-specific: no
> > Debian bug     : none
> > CVE IDs        : CVE-2011-3372 CVE-2011-3208
>
> Hello everybody,
>
> i wonder if there is something wrong with this DSA. I manage a lot of
> servers with cyrus, but the update is available only on one of them
> (squeeze, amd64), and not on the others (squeeze/lenny, i386).
> I do not use nntp, so I feel safe, but it might indicate some build problems.

Same thing here with Lenny/i386. I have

  deb http://security.debian.org/ lenny/updates main

in my sources.list

Archive: http://lists.debian.org/20111010151020.0d873206.kos...@domain007.com
Re: Number of apache2 process MaxClients ?
On Fri, 29 Oct 2010 12:06:51 -0400 Min Wang <ser.ba...@gmail.com> wrote:
> I have apache2.conf using prefork with MaxClient setting to 30 (on Lenny)
> but on system I saw more than 100 apache2 processes
>
> Isn't the MaxClients supposed to limit total apache2 processes to be 30?
> Something may be wrong/security issue?
>
> # pstree
> init-+-apache2-+-94*[apache2---{apache2}]
>      |         `-7*[apache2]
>
> /etc/apache2.conf
>
> # prefork MPM
> <IfModule prefork.c>
>     StartServers          5
>     MinSpareServers       5
>     MaxSpareServers      10
>     MaxClients           30
>     MaxRequestsPerChild   0
> </IfModule>

Mine /etc/apache2/apache2.conf (on Lenny) contains this section:

<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>

so maybe you should try adjusting the IfModule argument? The Apache page [1] also lists mpm_prefork_module under module identifier.

1. http://httpd.apache.org/docs/2.0/mod/prefork.html

Archive: http://lists.debian.org/20101029203641.bd56de4d.kos...@domain007.com
Re: [SECURITY] [DSA 1981-1] New maildrop packages fix privilege escalation
The behavior of the etch package changed too. Do not install the package on a production system yet.

The limit in /etc/postfix/main.cf stopped working:

  maildrop_destination_recipient_limit = 1

Almost all E-Mails are rejected and senders get errors like this:

  u...@doamin.com: user unknown. Command output: ERR: authdaemon: s_connect() failed: Permission denied Invalid user specified.

I've tried to change the permission for common files, but this won't fix the problem. Something is wrong with the behavior compared to the previous version.

On Thu, 2010-01-28 at 14:10 +0200, Antti-Juhani Kaijanaho wrote:
> On Thu, Jan 28, 2010 at 12:37:52PM +0100, Steffen Joeris wrote:
> > For the stable distribution (lenny), this problem has been fixed in
> > version 2.0.4-3+lenny1.
>
> This update appears to have dropped the hard dependency on courier-authlib.
> As a result, mail starts bouncing.

-- 
Building an operation system without source code, is like buying a self assemble space shuttle without instructions.
Re: How safely to stop using backports repo?
sthu.d...@gmail.com wrote:
> Is there a automatic way that can give me a list of the packages came
> from backports repo?

Install grep-dctrl and do

  $ grep-status -F Version ~bpo -a -F Status installed -s Package

It will print the list of installed packages which have ~bpo in their names -- a common substring usually found in packages from backports.org.
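The same selection as the grep-status one-liner above, done directly over /var/lib/dpkg/status so the result can be post-processed. This is an added example, not from the post and not part of grep-dctrl: it keeps only stanzas whose dpkg Status ends in "installed" (so packages that were removed but left config files behind are excluded) and whose Version carries a ~bpoNN marker, and reports that marker so backports from a different release are easy to spot. The status text embedded below is a constructed sample used when the real file is not present; function names are this example's own.

```python
"""List installed packages whose version string carries the ~bpo backports marker.

Added example, not from the original post and not part of grep-dctrl. It does
the same selection as the grep-status one-liner over /var/lib/dpkg/status and
also reports the tag (e.g. bpo60). The status text below is a constructed
sample, used only when the real file is not readable.
"""
from __future__ import annotations

import re
from pathlib import Path

BPO_RE = re.compile(r"~(bpo\d+)")


def stanzas(text: str):
    """Yield each dpkg control stanza as a dict (continuation lines are dropped)."""
    for block in re.split(r"\n{2,}", text.strip()):
        yield dict(re.findall(r"^([A-Za-z-]+):\s*(.*)$", block, re.M))


def is_installed(stanza: dict[str, str]) -> bool:
    # dpkg's Status is "want flag status", e.g. "install ok installed";
    # "deinstall ok config-files" means only leftover config files remain.
    return stanza.get("Status", "").split()[-1:] == ["installed"]


def backports_packages(status_text: str) -> list[tuple[str, str, str]]:
    """Return (package, version, bpo-tag) for installed packages from backports."""
    found = []
    for st in stanzas(status_text):
        m = BPO_RE.search(st.get("Version", ""))
        if m and is_installed(st):
            found.append((st["Package"], st["Version"], m.group(1)))
    return sorted(found)


# Constructed sample status file: one live backport, one stable package,
# one backport that was removed with its config files left behind.
SAMPLE_STATUS = """\
Package: foo
Status: install ok installed
Version: 1.2.3-1~bpo60+1
Description: constructed sample package from backports
 continuation line that the parser must ignore

Package: bar
Status: install ok installed
Version: 2.0-1
Description: regular stable package

Package: baz
Status: deinstall ok config-files
Version: 0.9-2~bpo60+1
Description: removed backport, only config files left
"""


def main(path: str = "/var/lib/dpkg/status") -> list[tuple[str, str, str]]:
    p = Path(path)
    text = p.read_text() if p.exists() else SAMPLE_STATUS
    return backports_packages(text)


if __name__ == "__main__":
    for pkg, ver, tag in main():
        print(f"{pkg}\t{ver}\t({tag})")
```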
Re: Tutorial for iptables
cyril franke wrote:
> Hello list,
>
> I just started learning firewall setup with iptables and found the
> following tutorial useful: http://www.iptablesrocks.org/

The canonical tutorial is http://iptables-tutorial.frozentux.net/
Re: Target filesystem
On Fri, Jun 09, 2006 at 07:47:45AM -0400, Brent Clark wrote:
> I seem to be experiencing problems booting up (Thank goodness for Knoppix)

Why not just a Debian rescue CD?

> There are a host of errors, but the end message is:
>
> Target filesystem doesn't have /sbin/init

I think your kernel just gets a wrong device for the root filesystem, i.e. the actual root fs is on, say, /dev/hdX and the kernel uses /dev/hdY (which is readable, but not root, e.g. /var, /usr or whatever).

> Would anyone know how to force this to work? From what I gather it
> can't detect the filesystem (think it's a modprobe problem)

Since you have offered next to zero information about your problem, I may just guess:

1) You have a stock kernel but no initrd specified in the boot configuration.
2) Your kernel gets a wrong root fs.

I think against the "can't detect filesystem" idea because a device with an unknown filesystem is unmountable.

P.S. You should definitely provide more info about your setup. Telepathic skills are not common among people.
Re: Request for comments: iptables script for use on laptops.
On Tue, May 23, 2006 at 02:04:13AM +0200, Uwe Hermann wrote:
> [...]
> > iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
> > iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
>
> Correct me if I'm wrong, but I think this would also allow incoming
> traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing his
> IP address to appear to be 127.0.0.1 could send _any_ traffic to you and
> you would ACCEPT it, basically rendering the firewall useless. Did I miss
> anything?

The kernel shoots any packet it considers as being martian -- e.g. packets from 127.0.0.0/8 cannot appear on any interface except lo. The same applies to the reverse case: no packet coming from an external interface but claiming to be destined to 127.0.0.0/8 will be passed further by the kernel. See RFC 1812 for explanations.

One can switch on logging records about killed martian packets with

  net/ipv4/conf/ethN/log_martians=1

in /etc/sysctl.conf

> [...]

I agree with your other comments.

P.S. I think the best way to secure the box is the simplest: allow incoming packets with states ESTABLISHED and RELATED, deny all others (except for OpenVPN or whatever remote access is needed). Maybe it's also worth accepting ICMP Ping packets. All special ICMP packets needed for proper functioning of TCP/IP (PMTU discovery for example) fall into the RELATED domain and are passed to the stack.
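Once log_martians is switched on as described above, the kernel writes one log line per dropped packet; the following is an added example (not from the post) that summarises those lines so the spoofed-127.0.0.1 case in the discussion, and any other impossible source, stands out. It relies on the Linux IPv4 stack's `martian source <dst> from <src>, on dev <dev>` / `martian destination <dst> from <src>, dev <dev>` wording, tolerating the `IPv4:` prefix newer kernels add. The log lines embedded below are constructed samples (the `crng init done` line is quoted from the thread above only as non-matching noise), and the function names and the list of "impossible" ranges are this example's own choices.

```python
"""Summarise 'martian' packet records from the kernel log.

Added example, not from the original post. After enabling
net.ipv4.conf.<dev>.log_martians, the kernel logs one line per dropped
packet; this groups those lines per device, kind and source address and
flags sources from ranges that can never legitimately arrive on a real
interface. Log lines below are constructed samples; function names are
this example's own.
"""
from __future__ import annotations

import collections
import ipaddress
import re
from pathlib import Path

MARTIAN_RE = re.compile(
    r"martian (?P<kind>source|destination) (?P<dst>[\d.]+) from (?P<src>[\d.]+),"
    r" (?:on )?dev (?P<dev>\S+)"
)

# Source ranges that cannot legitimately arrive from a real (non-lo) interface.
IMPOSSIBLE_SOURCES = [ipaddress.ip_network(n)
                      for n in ("127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4")]


def parse_martians(lines):
    """Yield (kind, src, dst, dev) for each martian record; other lines are ignored."""
    for line in lines:
        m = MARTIAN_RE.search(line)
        if m:
            yield m["kind"], m["src"], m["dst"], m["dev"]


def summarise(lines) -> dict[tuple[str, str, str], int]:
    """Count records per (device, kind, source address)."""
    counts: collections.Counter = collections.Counter()
    for kind, src, _dst, dev in parse_martians(lines):
        counts[(dev, kind, src)] += 1
    return dict(counts)


def spoofed_loopback_sources(lines) -> set[str]:
    """Source addresses from 127.0.0.0/8 (or other impossible ranges) seen on non-lo devices."""
    hits = set()
    for _kind, src, _dst, dev in parse_martians(lines):
        addr = ipaddress.ip_address(src)
        if dev != "lo" and any(addr in net for net in IMPOSSIBLE_SOURCES):
            hits.add(src)
    return hits


def log_martians_enabled(dev: str) -> bool | None:
    """Read the live sysctl for one interface; None when /proc is not available."""
    p = Path(f"/proc/sys/net/ipv4/conf/{dev}/log_martians")
    return p.read_text().strip() == "1" if p.exists() else None


# Constructed sample dmesg excerpt (addresses are documentation ranges).
SAMPLE_LOG = """\
[  182.811840] random: crng init done
[  201.101010] IPv4: martian source 192.0.2.10 from 127.0.0.1, on dev eth0
[  201.101020] ll header: 00000000: ff ff ff ff ff ff 00 11 22 33 44 55 08 00
[  201.220000] IPv4: martian source 192.0.2.10 from 127.0.0.1, on dev eth0
[  203.500000] IPv4: martian destination 127.0.0.1 from 198.51.100.7, dev eth0
[  210.000000] martian source 192.0.2.10 from 10.0.0.9, on dev eth1
""".splitlines()


if __name__ == "__main__":
    for (dev, kind, src), n in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{dev}: {n} x martian {kind} from {src}")
    print("spoofed loopback sources:", spoofed_loopback_sources(SAMPLE_LOG))
    print("log_martians on eth0:", log_martians_enabled("eth0"))
```

On a live system, feed it `dmesg` or journalctl output instead of SAMPLE_LOG; the `ll header` continuation lines and unrelated kernel messages are ignored by the regex.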
Re: Grsecurity patches on Debian
hi,

I use Grsecurity with High level for over 2 years now on 2.4.X without any problems running debian woody. These daemons work fine:

ssh
postfix
courier-imap (with and without ssl)
courier-pop (with and without ssl)
apache
apache-ssl
mysql
snort
and a few other ...

The best way would be for you to test this configuration offline on a system with the same packages and then install it on the production system.

For further questions and special questions you can contact the grsecurity mailing list. It is a very low traffic list and Brad Spengler helps you with every question, or the pax team.

Greetz Konstantin

On Tue, 8 Feb 2005 02:32:03 +0100 Xavier Sudre <[EMAIL PROTECTED]> wrote:
> On Monday 07 February 2005 at 16:17, Andras Got wrote:
> > Hi,
> >
> > That's it, the chpax. I tried these things almost a year ago with a JSP
> > thingy. I googled and the like, but chpax didn't help. I meant that I
> > selected high settings, then selected custom, then did some changes. :)
> >
> > A.
> >
> > Thomas Sjögren írta:
> > > On Mon, Feb 07, 2005 at 02:10:07PM +0100, Andras Got wrote:
> > > > You should start with grsec low and proc restrictions set customly.
> > > > Hardening your kernel is always an option.
> > >
> > > Running grsec isn't a problem, I use it on both clients and servers.
> > > Don't start with grsec low but with the custom option,
> > > CONFIG_GRKERNSEC_CUSTOM, and read the help sections.
> > >
> > > > The grsec default high settings,
> > >
> > > IIRC it defaults to custom.
> > >
> > > > and PaX break Jetty (java server container) in two, so it simply
> > > > won't start, gradm won't help as I know.
> > >
> > > changing PaX-settings is done by chpax or paxctl. gradm is for the acl.
> > > if something breaks chpax -peMRXs usually works, after that it's about
> > > fine tuning.
>
> Using grsecurity with level set to High enables PaX features. This works
> well on most daemons delivered as packages in Debian Woody and hopefully
> testing. At least this is the case for Apache, Postfix and Cyrus.
>
> Whenever there is a problem with a binary there will be a log trace in the
> syslog specifying the binary that was terminated.
> You can correct the problem by using chpax.
>
> Xavier.
> --
> Xavier Sudre
> Homepage: http://xavier.sudre.fr/
> Email: [EMAIL PROTECTED]
> GPG key: http://xavier.sudre.fr/gpg/xavier.asc

-- 
Building an operation system without source code, is like buying a self assemble space shuttle without instructions.
HTTP Browser Authentification Bug and some more bugs
hi,

further information is here: http://www.ietf.org/rfc/rfc1945.txt

great idea until this is fixed (not mine): Stop all http and https servers and don't visit sites which work with the by-design insecure http protocol!

HEY, don't blame me, it's translated from german to english, read for yourself: http://www.heise.de/security/news/meldung/46175

there are some more:

squid has a security problem too, don't know whether the debian packages have the same problem: https://rhn.redhat.com/errata/RHSA-2004-134.html

and tcpdump has 2 overflows: http://www.rapid7.com/advisories/R7-0017.html

Greetz Konstantin

-- 
Building an operating system without source code is like buying a self-assembly Space Shuttle with no instructions.
security.debian.org
to the admins:

security.debian.org seems to be down

Greetz Konstantin
Re: More hacked servers?
Yes, we wait for some info... what's up the he** ??? Is this an open source project or not ???, we use it not only for apt-*** tools.

> On Thu, 27 Nov 2003, Dan Jacobson wrote:
> > > So, give the people some time and after the details are disclosed -
> > > learn from their experience and use it in your work.
> >
> > Let's examine natural disasters, e.g. a typhoon. The pros agree that the
> > public must be able to get to timely reports issued from the disaster
> > control center, via e.g. local radio stations.
> >
> > Here in the debian world, there was one announcement posted on the 21st,
> > then blackness. One assumes those in charge have been replaced by zombies
> > and the typhoon is headed our way.
>
> I agree. At least, they can keep us informed about their actions... for example:
>
> 21 sep: hacked, we moved all domains to blah, bluh, blih.
> 22 sep: investigation started, by X, X. We think it will take X hours/days/months/years
> 24 sep: We still investigate, please be patient, we think we will terminate that in two hours/days/months/years.
> ... and so on, it's not so hard, and it takes 2 minutes or less.
>
> E.
> --
> Eric LeBlanc
> [EMAIL PROTECTED]
> --
> UNIX is user friendly. It's just selective about who its friends are.
> ==

-- 
Konstantin Kostadinov
Public PGP : http://www.fadata.bg/pgp/konstantinpgp.asc
---
Your business will assume vast proportions.
Postfix and SSL
hi,

I want to set up postfix with SSL. On the Inet I found only tutorials with postfix v2.0. Stable uses postfix v1.1 and I couldn't find any information about postfix 1.1 and SSL.

thx for help
Konstantin
Re: found this in my /var/log/apache/access.log thx for help
thx for helping

I have the same entries in an old Cobalt Raq3 and thought about the last security problems in apache 1.3.26. All cobalt raq3 use 1.3.6, which is very old.

Thanx for helping

Greetz Konstantin Filtschew
-- 
may the source be with you
Snort signature download script
hi,

there is a signature download script posted on http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=173254 from http://www.xssass.be

I tried it, but it tells me that the md5 checksum is wrong.

you can download the script from here: http://www.xssass.be/updateSnort

who can tell me anything about the script and its quality?

thx for help
Konstantin Filtschew
__
| may the source be with you |
ptrace patch for vanilla kernel 2.4.20
hi,

can anyone post the patch for the 2.4.20-kernel (from kernel.org) or give me an address I can leech it from?

thx for help
Fallen_Angel