The recent RCE in libcue and tracker3 GNOME settings in Bookworm

2023-10-12 Thread Konstantin Khomoutov
Hi!

After the recent RCE in libcue DSA-5524-1, CVE-2023-43641, [1], I've decided
to re-check that I have scanning of the ~/Downloads directory disabled for
GNOME Search. The Settings app of GNOME says it's disabled but if I do

  gsettings get org.freedesktop.Tracker3.Miner.Files index-single-directories

it lists '@DOWNLOADS' along with '$HOME' (scanning of which is enabled).
IOW, it looks exactly like the bug discussed back then in [2,3].

I have executed 

 gsettings set org.freedesktop.Tracker3.Miner.Files \
   index-single-directories '['\''$HOME'\'']'

and

 systemctl --user restart tracker-miner-fs-3.service

to have the scanning of ~/Downloads disabled for sure (I hope), but this got me
thinking: does this situation warrant filing a bug against GNOME in Debian?

I should note that I have upgraded Debian on this particular device twice,
so the first Debian version with GNOME which has been installed was 10.
It's quite possible that the bug got triggered on an older version, and merely
persisted through upgrades, and if so, it may only affect the users in the
same situation.

 1. https://lists.debian.org/debian-security-announce/2023/msg00217.html
 2. https://discussion.fedoraproject.org/t/is-tracker-scanning-downloads-again-despite-the-folder-being-ignored/24828/7
 3. https://bugzilla.redhat.com/show_bug.cgi?id=1900227
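The check described in this message, written up as a small script (an added example, not part of the original post): it parses the `gsettings get` output for both Tracker3 directory keys and reports any entry that the Settings UI claims is excluded but that the indexer would still process. The schema and key names and the '@DOWNLOADS' / '$HOME' values are those quoted above; the live query assumes the `gsettings` CLI is installed, while the parsing and comparison run offline.

```python
"""Report directories that GNOME Settings says are excluded from search but
that Tracker3's indexer configuration still lists (added example)."""
from __future__ import annotations

import ast
import subprocess

SCHEMA = "org.freedesktop.Tracker3.Miner.Files"          # from the thread
KEYS = ("index-recursive-directories", "index-single-directories")


def parse_gvariant_string_list(text: str) -> list[str]:
    """Turn `gsettings get` output for an `as` (array of string) key into a list.

    gsettings prints e.g. ['$HOME', '@DOWNLOADS'] and, for an empty array, the
    type-annotated form "@as []"; both forms are accepted here.
    """
    text = text.strip()
    if text.startswith("@as"):
        text = text[len("@as"):].strip()
    value = ast.literal_eval(text)   # single-quoted strings parse as Python literals
    if not isinstance(value, (list, tuple)):
        raise ValueError(f"not a string array: {text!r}")
    return [str(item) for item in value]


def leftover_entries(settings: dict[str, list[str]],
                     excluded: set[str]) -> dict[str, list[str]]:
    """Per key, return the entries the user believes are excluded but that
    remain in the indexer's directory lists.  Empty dict means all clear."""
    return {key: [d for d in dirs if d in excluded]
            for key, dirs in settings.items()
            if any(d in excluded for d in dirs)}


def query_tracker_settings() -> dict[str, list[str]]:
    """Live query of both keys via gsettings (not exercised offline)."""
    result = {}
    for key in KEYS:
        raw = subprocess.run(["gsettings", "get", SCHEMA, key],
                             check=True, capture_output=True, text=True).stdout
        result[key] = parse_gvariant_string_list(raw)
    return result


if __name__ == "__main__":
    # '@DOWNLOADS' is the entry the message expected to be absent.
    found = leftover_entries(query_tracker_settings(), {"@DOWNLOADS"})
    for key, dirs in found.items():
        print(f"{key}: still lists {dirs}")
    raise SystemExit(1 if found else 0)
```

A non-zero exit means the UI state and the indexer state disagree, which is the situation the `gsettings set ... index-single-directories '['\''$HOME'\'']'` plus `systemctl --user restart tracker-miner-fs-3.service` steps above were used to correct.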



Re: Securing Debian Manual too old?

2023-06-23 Thread Konstantin Khomoutov
On Fri, Jun 23, 2023 at 12:40:19PM +0200, Stephan Seitz wrote:

> I found the Securing Debian Manual
> (https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html).
> This version is from 2017.
> 
> It has „Chapter 6. Automatic hardening of Debian systems” which mentions
> Harden packages and Bastille. None of these packages exist anymore in Debian
> 11 or 12.
> 
> https://bastille-linux.sourceforge.net/running_bastille_on.htm#debian lets
> you follow a link to http://packages.debian.org/bastille but without
> results.
> 
> So what happened here?

I cannot say anything on the Securing Debian manual but when you're interested
in digging up the fate of a particular package in Debian, you can roll like
this:

 1) Go to the "package tracker", and search for the package of interest.
In this particular case, there was no need to search as a plain guess
that it should (have been) named "bastille" worked -
https://tracker.debian.org/bastille is the URL of interest.

 2) There, you can examine the package's status - it's sort of a dashboard.
In the case of bastille, you can see that the last entry in the log
of the package activity says it has been removed from unstable.

Examining that [1] will tell you the reason, and provide further pointers.


 1. https://tracker.debian.org/news/589646/bug718783-removed-packages-from-unstable/



Re: Does net install cryptographically verify downloaded data?

2018-07-05 Thread Konstantin Khomoutov
On Thu, Jul 05, 2018 at 12:02:28PM +0300, Georgi Guninski wrote:

> Does net install cryptographically verify downloaded data?
> 
> Searching the iso for gpg/keyrings didn't return any results for me.

Look for the package "debian-archive-keyring". APT depends on it and
uses the keys it provides to verify digital signatures of all the
packages it installs.

See the apt-secure(8) manual page for more info.



Re: Does net install cryptographically verify downloaded data?

2018-07-05 Thread Konstantin Khomoutov
On Thu, Jul 05, 2018 at 12:02:28PM +0300, Georgi Guninski wrote:

> Does net install cryptographically verify downloaded data?
> 
> Searching the iso for gpg/keyrings didn't return any results for me.

Sorry, sent too fast, so missed two crucial bits:

 - The net install image contains a minimal set of packages to
   "bootstrap" the installation from. This includes the package which
   installs the keys used to sign the Release files in the Debian
   archive which will be used by the netinstall process.

 - While individual packages are signed, APT actually verifies that
   the Release file it obtained from the archive has a correct signature.
   The Release file contains the checksums of the Packages files,
   which contain the checksums of the individual packages.

   Hence the validity of the signature of the Release file authenticates
   the individual packages indirectly - via checksumming.
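The chain just described (signed Release file, whose checksums cover the Packages index, whose checksums cover each .deb), walked by hand as an added example that is neither APT's code nor part of the post. The Release, Packages and .deb fragments below are constructed inline for the demonstration; the signature step is delegated to `gpgv` with the keyring file installed by the debian-archive-keyring package mentioned above and is not exercised offline.

```python
"""Walk APT's trust chain by hand: signed Release -> Packages -> .deb.
Added example; the archive fragments below are constructed, not real data."""
from __future__ import annotations

import hashlib
import subprocess

KEYRING = "/usr/share/keyrings/debian-archive-keyring.gpg"   # from debian-archive-keyring


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed sample archive (placeholders, not genuine Debian content) ---
DEB_BYTES = b"!<arch>\nconstructed placeholder, not a real .deb\n"
DEB_PATH = "pool/main/e/example/example_1.0-1_amd64.deb"
INDEX_PATH = "main/binary-amd64/Packages"
PACKAGES_BYTES = (
    "Package: example\nVersion: 1.0-1\nArchitecture: amd64\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB_BYTES)}\nSHA256: {sha256(DEB_BYTES)}\n\n"
).encode()
RELEASE_TEXT = (
    "Origin: Debian\nSuite: stable\nCodename: bookworm\n"
    "SHA256:\n"
    f" {sha256(PACKAGES_BYTES)} {len(PACKAGES_BYTES)} {INDEX_PATH}\n"
)


def parse_stanzas(text: str) -> list[dict[str, str]]:
    """Parse deb822 control text (Release, Packages) into field dicts.
    Continuation lines start with whitespace and are joined with newlines."""
    stanzas, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current, last = {}, None
        elif line[0] in " \t" and last is not None:
            current[last] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            last = key.strip()
            current[last] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def release_checksums(release_text: str) -> dict[str, tuple[str, int]]:
    """Map each index path under Release's SHA256 field to (digest, size)."""
    table = {}
    for entry in parse_stanzas(release_text)[0].get("SHA256", "").split("\n"):
        if entry:
            digest, size, path = entry.split()
            table[path] = (digest, int(size))
    return table


def release_signature_ok(release_path: str, signature_path: str,
                         keyring: str = KEYRING) -> bool:
    """Link 1: the detached Release.gpg must verify against the archive keyring."""
    proc = subprocess.run(["gpgv", "--keyring", keyring, signature_path, release_path],
                          capture_output=True)
    return proc.returncode == 0


def verify_index(release_text: str, index_path: str, index_bytes: bytes) -> bool:
    """Link 2: the Packages index must match the digest and size Release lists."""
    return release_checksums(release_text).get(index_path) == (sha256(index_bytes), len(index_bytes))


def verify_deb(index_bytes: bytes, filename: str, deb_bytes: bytes) -> bool:
    """Link 3: the .deb must match the digest and size in its Packages stanza."""
    for stanza in parse_stanzas(index_bytes.decode()):
        if stanza.get("Filename") == filename:
            return (stanza.get("SHA256") == sha256(deb_bytes)
                    and stanza.get("Size") == str(len(deb_bytes)))
    return False   # a file absent from the signed index is never trusted


def verify_chain(release_text: str, index_path: str, index_bytes: bytes,
                 filename: str, deb_bytes: bytes, signature_ok: bool) -> bool:
    """A .deb is trusted only if every link holds; any mismatch rejects it."""
    return (signature_ok
            and verify_index(release_text, index_path, index_bytes)
            and verify_deb(index_bytes, filename, deb_bytes))


if __name__ == "__main__":
    print("genuine :", verify_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_BYTES, DEB_PATH, DEB_BYTES, True))
    print("tampered:", verify_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_BYTES, DEB_PATH, DEB_BYTES + b"\0", True))
```

Note what the chain does and does not give you: a mirror that alters a .deb, or the Packages index, is caught by the checksum mismatch, but only because the Release file carrying those checksums was itself verified against the keyring first; with `signature_ok` false nothing below it is trusted.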



Re: [SECURITY] [DSA 4187-1] linux security update

2018-05-03 Thread Konstantin Khomoutov
On Thu, May 03, 2018 at 10:53:00AM +0200, richard lucassen wrote:

> > > There are multiple reports on #ganeti that this update breaks
> > > networking in certain circumstances, probably multiple tun/tap
> > > device configurations. No more details or a proper bug report yet
> > > as I haven't experienced this myself, but mentioning in case it
> > > saves anyone else breakage.[...]
> > 
> > I believe I understand this. Creating a tun/tap device using a name
> > pattern such as "tun%d" (or empty name) will now fail if the number
> > substituted is not 0.  There is an upstream fix for this that I failed
> > to spot in time.
> 
> There is also a big increase in time before random is initialized:
> 
> [  182.811840] random: crng init done
> 
> This is a machine on bare metal. On other environments like proxmox I've
> seen:
> 
> [  303.993638] random: crng init done
> 
> Downgrading to the previous kernel resolves the problem (normally a few
> seconds). One of the consequences is that openntpd (or a program like
> rdate) hangs until the crng is initialized.

I'd think it's a fix for [1], [2] but it does not appear on the list of
CVEs fixed.

1. https://security-tracker.debian.org/tracker/CVE-2018-1108
2. https://bugs.chromium.org/p/project-zero/issues/detail?id=1559



Re: Debian Desktop Environment

2015-10-27 Thread Konstantin Khomoutov
On Tue, 27 Oct 2015 12:29:53 +0100
Mateusz Kozłowski  wrote:

> Could You tell me which debian desktop environment is the most
> secure and has the best privacy and which You recommend for debian
> users? (KDE, XFCE, GNOME etc.)?

Please ask this question on debian-users instead.

This list is highly technical and dedicated to concrete security
problems in Debian packages, not general questions (especially such
"primarily opinion-based", like yours).



Re: about bash and Debian Lenny

2014-10-01 Thread Konstantin Khomoutov
On Wed, 1 Oct 2014 14:45:55 +0300
Nikolay Hristov ge...@stemo.bg wrote:

> > I made lenny packages for my machines. I could share them if you
> > want?
[...]
> Which part of "I don't want to use deb packages from different
> sources because I cannot trust them" didn't you understand? ;-)

Still, when someone offers their help there really is no need
to play a smart ass as you did.  The only thing you might achieve doing
that is a) direct rebuttals (my e-mail) and b) mild propositions to
build patched packages yourself.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/20141001155857.039ea736d8e6e1d4b481b...@domain007.com



Re: [SECURITY] [DSA 2318-1] cyrus-imapd-2.2 security update

2011-10-10 Thread Konstantin Khomoutov
On Mon, 10 Oct 2011 12:04:21 +0200
Vladislav Kurz vladislav.k...@webstep.net wrote:

> > --
> > Debian Security Advisory DSA-2318-1
> > secur...@debian.org
> > http://www.debian.org/security/
> > Nico Golde Oct 6, 2011
> > http://www.debian.org/security/faq
> > --
> >
> > Package: cyrus-imapd-2.2
> > Vulnerability  : multiple
> > Problem type   : remote
> > Debian-specific: no
> > Debian bug : none
> > CVE IDs: CVE-2011-3372 CVE-2011-3208
>
> Hello everybody,
>
> I wonder if there is something wrong with this DSA. I manage a lot of
> servers with cyrus, but the update is available only on one of them
> (squeeze, amd64), and not on the others (squeeze/lenny, i386). I do
> not use nntp, so I feel safe, but it might indicate some build
> problems.
Same thing here with Lenny/i386
I have
deb http://security.debian.org/ lenny/updates main
in my sources.list





Re: Number of apache2 process MaxClients ?

2010-10-29 Thread Konstantin Khomoutov
On Fri, 29 Oct 2010 12:06:51 -0400
Min Wang ser.ba...@gmail.com wrote:

> I have apache2.conf using prefork with MaxClients set to 30 (on
> Lenny)
>
> but on the system I saw more than 100 apache2 processes
>
> Isn't MaxClients supposed to limit the total number of apache2 processes to
> 30?
>
> Something may be wrong/security issue?
>
>
> # pstree
>
> init-+-apache2-+-94*[apache2---{apache2}]
>      |         `-7*[apache2]
>
>
> /etc/apache2.conf
>
> # prefork MPM
> <IfModule prefork.c>
> StartServers 5
> MinSpareServers  5
> MaxSpareServers 10
> MaxClients  30
> MaxRequestsPerChild  0
> </IfModule>

My /etc/apache2/apache2.conf (on Lenny) contains this section:

<IfModule mpm_prefork_module>
StartServers  5
MinSpareServers   5
MaxSpareServers  10
MaxClients  150
MaxRequestsPerChild   0
</IfModule>

so maybe you should try adjusting the IfModule argument?

The Apache page [1] also lists mpm_prefork_module under module
identifier. 

1. http://httpd.apache.org/docs/2.0/mod/prefork.html





Re: [SECURITY] [DSA 1981-1] New maildrop packages fix privilege escalation

2010-01-28 Thread Konstantin Filtschew

The behavior of the etch package changed too. Do not install the package
on production system yet.


The limit in /etc/postfix/main.cf stopped working:
maildrop_destination_recipient_limit= 1

Almost all E-Mails are rejected and senders get errors like this:

u...@doamin.com: user unknown. Command output: ERR: authdaemon:
s_connect() failed: Permission denied Invalid user specified.

I've tried to change the permissions of common files, but this won't fix
the problem. Something is wrong with the behavior compared to the previous
version.



On Thu, 2010-01-28 at 14:10 +0200, Antti-Juhani Kaijanaho wrote:
> On Thu, Jan 28, 2010 at 12:37:52PM +0100, Steffen Joeris wrote:
> > For the stable distribution (lenny), this problem has been fixed in
> > version 2.0.4-3+lenny1.
>
> This update appears to have dropped the hard dependency on courier-authlib.
> As a result, mail starts bouncing.


-- 
Building an operation system without source code,
is like buying a self assemble space shuttle
without instructions.




Re: How safely to stop using backports repo?

2009-05-28 Thread Konstantin Khomoutov

sthu.d...@gmail.com wrote:

> Is there an automatic way that can give me a list of the packages that came
> from the backports repo?

Install grep-dctrl and do

  $ grep-status -F Version ~bpo -a -F Status installed -s Package

It will print the list of installed packages which have ~bpo in their
names -- a common substring usually found in packages from backports.org.





Re: Tutorial for iptables

2009-01-28 Thread Konstantin Khomoutov

cyril franke wrote:

> Hello list,
>
> I just started learning firewall setup with iptables
> and found the following tutorial useful:
> http://www.iptablesrocks.org/

The canonical tutorial is http://iptables-tutorial.frozentux.net/





Re: Target filesystem

2006-06-09 Thread Konstantin Khomoutov
On Fri, Jun 09, 2006 at 07:47:45AM -0400, Brent Clark wrote:

> I seem to be experiencing problems booting up (Thank goodness for Knoppix)

Why not just a Debian rescue CD?

> There are a host of errors, but the end message is:
> Target filesystem doesn't have /sbin/init

I think your kernel just gets a wrong device for the root filesystem, i.e.
the actual root fs is on, say, /dev/hdX and the kernel uses /dev/hdY
(which is readable, but not root, e.g. /var, /usr or whatever).

> Would anyone know how to force this to work?
> From what I gather it can't detect the filesystem (think it's a modprobe
> problem)

Since you have offered next to zero information about your problem, I
may just guess:
1) You have a stock kernel but no initrd specified in the boot
configuration.
2) Your kernel gets the wrong root fs.

I think against the "can't detect filesystem" idea because a device with
an unknown filesystem is unmountable.

P.S.
You should definitely provide more info about your setup. Telepathic
skills are not common among people.





Re: Request for comments: iptables script for use on laptops.

2006-05-23 Thread Konstantin Khomoutov
On Tue, May 23, 2006 at 02:04:13AM +0200, Uwe Hermann wrote:

[...]
> >   iptables -A INPUT  -j ACCEPT -s 127.0.0.1  # local host
> >   iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
> Correct me if I'm wrong, but I think this would also allow incoming
> traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing
> his IP address to appear to be 127.0.0.1 could send _any_ traffic
> to you and you would ACCEPT it, basically rendering the firewall
> useless. Did I miss anything?

The kernel shoots any packet it considers martian -- e.g. packets
from 127.0.0.0/8 cannot appear on any interface except lo.
The same applies to the reverse case: no packet coming from an external
interface but claiming to be destined to 127.0.0.0/8 won't be passed
further by the kernel.

See RFC 1812 for explanations.

One can switch on logging of killed martian packets with
net/ipv4/conf/ethN/log_martians=1
in /etc/sysctl.conf

[...]
I agree to your other comments.

P.S.
I think the best way to secure the box is the simplest: allow incoming
packets with states ESTABLISHED and RELATED, deny all others (except for
OpenVPN or whatever remote access is needed).

Maybe it's also worth accepting ICMP Ping packets.

All special ICMP packets needed for proper functioning of TCP/IP (PMTU
discovery for example) fall to the RELATED domain and are passed to the
stack.





Re: Grsecurity patches on Debian

2005-02-07 Thread Konstantin Filtschew
hi,

I have used Grsecurity at the High level for over 2 years now on 2.4.X without
any problems running debian woody. These daemons work fine:
ssh
postfix
courier-imap (with and without ssl)
courier-pop (with and without ssl)
apache
apache-ssl
mysql
snort
and a few others ...

The best way would be for you to test this configuration offline on a
system with the same packages and then install it on the production
system.

For further or special questions you can contact the grsecurity
mailing list. It is a very low-traffic list, and Brad Spengler or the PaX
team will help you with every question.

Greetz

Konstantin




On Tue, 8 Feb 2005 02:32:03 +0100
Xavier Sudre [EMAIL PROTECTED] wrote:

> On Monday 07 February 2005 at 16:17, Andras Got wrote:
> > Hi,
> >
> > That's it, the chpax. I tried these things almost a year ago with JSP
> > thingy. I googled and the like, but chpax didn't help.
> >
> > I meant that I selected high settings, then selected custom, then did some
> > changes. :)
> >
> > A.
> >
> > Thomas Sjögren wrote:
> >
> > > On Mon, Feb 07, 2005 at 02:10:07PM +0100, Andras Got wrote:
> > >
> > > > You should start with grsec low and proc restrictions set customly.
> > > > Hardening your kernel is always an option.
> > >
> > > Running grsec isn't a problem, I use it on both clients and servers.
> > > Don't start with grsec low but with the custom option,
> > > CONFIG_GRKERNSEC_CUSTOM and read the help sections.
> > >
> > > > The grsec default high settings,
> > >
> > > IIRC it defaults to custom.
> > >
> > > > and PaX break Jetty (java server container) in two, so it simply won't
> > > > start, gradm won't help as I know.
> > >
> > > changing PaX-settings is done by chpax or paxctl. gradm is for the
> > > acl. if something breaks
> > > chpax -peMRXs usually works, after that it's about fine tuning.
>
> Using grsecurity with level set to High enables PaX features.
> This works well on most daemons delivered as packages in Debian Woody
> and hopefully testing. At least this is the case for Apache, Postfix
> and Cyrus.
>
> Whenever there is a problem with a binary there will be a log trace in
> the syslog specifying the binary that was terminated. You can correct
> the problem by using chpax.
>
> Xavier.
>
> --
> Xavier Sudre
> Homepage: http://xavier.sudre.fr/
> Email:[EMAIL PROTECTED]
> GPG key:  http://xavier.sudre.fr/gpg/xavier.asc

 
Building an operation system without source code,
is like buying a  self assemble space shuttle without
instructions.




HTTP Browser Authentification Bug and some more bugs

2004-04-01 Thread Konstantin

hi,

further information is here:

http://www.ietf.org/rfc/rfc1945.txt

great idea until this is fixed (not mine):
Stop all http and https servers and don't visit
sites which use the http protocol, which is insecure by design!
HEY, don't blame me, it's translated from German to English, read for yourself:
http://www.heise.de/security/news/meldung/46175

there are some more:
squid has a security problem too, don't know whether the debian packages have
the same problem:
https://rhn.redhat.com/errata/RHSA-2004-134.html
and tcpdump has 2 overflows:
http://www.rapid7.com/advisories/R7-0017.html




Greetz

Konstantin


-- 
Building an operating system without source code is like buying
a self-assembly Space Shuttle with no instructions.






security.debian.org

2004-02-09 Thread Konstantin Filtschew
to the admins:

security.debian.org seems to be down

Greetz

Konstantin






Re: More hacked servers?

2003-11-28 Thread Konstantin Kostadinov
Yes, we wait for some info...
what's up the he** ???
Is this an open source project or not??? We use it not only for apt-*** tools.



> On Thu, 27 Nov 2003, Dan Jacobson wrote:
>
> > > So, give the people some time and after the details are disclosed -
> > > learn from their experience and use it in your work.
> >
> > Let's examine natural disasters, e.g. a typhoon.  The pros agree that
> > the public must be able to get to timely reports issued from the
> > disaster control center, via e.g. local radio stations.
> >
> > Here in the debian world, there was one announcement posted on the
> > 21st, then blackness.  One assumes those in charge have been replaced
> > by zombies and the typhoon is headed our way.
>
> I agree.
>
> At least, they can keep us informed about their actions... for example:
>
> 21 sep: hacked, we moved all domain to blah, bluh, blih.
> 22 sep: investigation started, by X, X.  We think it will take X
> hours/day/month/years
> 24 sep: We still investigate, please be patient, we think we will
> terminate that in two hour/day/month/years.
> ...
>
> and so on, it's not so hard, and it takes 2 minutes or less.
>
> E.
> --
> Eric LeBlanc
> [EMAIL PROTECTED]
> --
> UNIX is user friendly.
> It's just selective about who its friends are.
> ==


-- 

Konstantin Kostadinov

Public PGP : http://www.fadata.bg/pgp/konstantinpgp.asc
---

Your business will assume vast proportions.






Postfix and SSL

2003-09-18 Thread Konstantin
hi,

I want to setup postfix with SSL.

On the Inet I found only tutorials with postfix v2.0.
Stable uses postfix v1.1 and I couldn't find any information about postfix
1.1 and SSL.


thx for help

Konstantin








Re: found this in my /var/log/apache/access.log thx for help

2003-05-04 Thread Konstantin Filtschew
thx for helping

I have the same entries in an old Cobalt Raq3 and thought about the last
security problems in apache 1.3.26.

All cobalt raq3 use 1.3.6, which is very old.

Thanx for helping

Greetz

Konstantin Filtschew

--
may the source be with you




Snort signature download script

2003-04-26 Thread Konstantin Filtschew
hi,

there is a signature download script posted on
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=173254

from http://www.xssass.be

I tried it, but it tells me that the md5 checksum is wrong

you can download the script from here: http://www.xssass.be/updateSnort

who can tell me anything about the script and its quality?

thx for help

Konstantin Filtschew
__
| may the source be with you |





ptrace patch for vanilla kernel 2.4.20

2003-04-22 Thread Konstantin
hi,

can anyone post the patch for the 2.4.20-kernel (from kernel.org) or give me
an address I can leech it from?

thx for help

Fallen_Angel