Re: Debian Server restored after Compromise. Which kernels???

2006-07-16 Thread Hemlock
> > Why not try compiling your own kernel?
> > make-kpkg makes it quite simple for us non developer types.
> > All you need to do is install kernel-package, and perhaps gcc, make, g++ if
> > they don't already come down with kernel-package.
> > /usr/share/doc/kernel-package has the readme that shows you how to compile
> > your own .deb.
> Yes, it can be done. Two points:
> 
> 1) I've lost mail from Leopold ... If I remember correctly, the 
> vulnerable kernels were up to 2.6.17.4. Should 2.6.17.5 be needed? 
> I've not heard about this.
I believe from debian.org's newsletter, it is kernels less than
2.6.17.4, therefore 2.6.17.3 and lower.

http://www.debian.org/News/2006/20060713

Also, the kernel.org changelog for 2.6.17.4 talks about fixing the local exploit.

http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=log;h=4f9619cdd90ac846fa0ca6e9e8a9d87a0d6b4f57

> 2) It has often been told on this list that kernel packages provided 
> by Debian cover most needs, implying that going to compile kernels 
> is a waste of resources in most cases.
Perhaps, but since we're living in the world of Debian non-stable kernels
(because our hardware is too new), we must find fixes or patches for
security exploits. If we can't find such a Debian .deb immediately,
I'm happy to make my own. Of course, 90% of the time I wait for a .deb to
appear.
 
Cheers,


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Debian Server restored after Compromise. Which kernels???

2006-07-16 Thread Francesco Pietra
On Saturday 15 July 2006 19:30, Hemlock wrote:
> > > > > I'm in a similar situation.
> > > > > I just ended up grabbing the source from kernel.org
> > > > > and recompiling with debian's kernel-package package.
> > > > > (kernel 2.6.17.4)
> > > > > Did this both for i386 and AMD64 machines.
> > > >
> > > > Thank you for clarifying.
> > > >
> > > > Perhaps a naive observation: to save energies (and make a treasure of
> > > > op competence) why not put your deb packages (if they are deb)
> > > > up for download? Is there any server that could accept them?
> > >
> > > This would, offhand, *seem* to be a job for Debian security.
> >
> > Thank you for the courage in saying that. But I know little about the
> > policy of Debian to this concern, and, most of all, I understand
> > that volunteers may lack the time at the moment for what seems to be
> > the most economical (and secure) procedure. francesco
>
> Why not try compiling your own kernel?
> make-kpkg makes it quite simple for us non developer types.
> All you need to do is install kernel-package, and perhaps gcc, make, g++ if
> they don't already come down with kernel-package.
> /usr/share/doc/kernel-package has the readme that shows you how to compile
> your own .deb.
Yes, it can be done. Two points:

1) I've lost mail from Leopold ... If I remember correctly, the vulnerable 
kernels were up to 2.6.17.4. Should 2.6.17.5 be needed? I've not heard about 
this.

2) It has often been told on this list that kernel packages provided by Debian 
cover most needs, implying that going to compile kernels is a waste of 
resources in most cases.

3) It has been repeatedly advised on this list to avoid as much as possible 
recompiling again and again what may already be available. It is curious 
that packages for the most unusual tasks are continuously offered while 
kernels are not, even in a period of attacks on so many defective kernels.

This is not to object too much to what I know only at the surface. But I am 
well aware of energy problems, and multi-Opteron machines (not to mention the 
equivalent very hot Intels) take non-negligible energy to work. Which also 
raises the question of why go to 64bit for tasks that are equally well dealt 
with at 32bit.

You may object that vs a flying machine or even a car (if not missiles and 
bombs) a 64bit machine is nearly nothing. You are right.

cheers
francesco

>
> Cheers,





Re: Debian Server restored after Compromise. Which kernels???

2006-07-15 Thread Hemlock

> > > > I'm in a similar situation.
> > > > I just ended up grabbing the source from kernel.org
> > > > and recompiling with debian's kernel-package package.
> > > > (kernel 2.6.17.4)
> > > > Did this both for i386 and AMD64 machines.
> > >
> > > Thank you for clarifying.
> > >
> > > Perhaps a naive observation: to save energies (and make a treasure of op
> > > competence) why not put your deb packages (if they are deb) up for
> > > download? Is there any server that could accept them?
> >
> > This would, offhand, *seem* to be a job for Debian security.
> 
> Thank you for the courage in saying that. But I know little about the 
> policy of Debian to this concern, and, most of all, I understand 
> that volunteers may lack the time at the moment for what seems to be 
> the most economical (and secure) procedure. francesco

Why not try compiling your own kernel?
make-kpkg makes it quite simple for us non developer types.
All you need to do is install kernel-package, and perhaps gcc, make, g++ if 
they don't already come down with kernel-package.
/usr/share/doc/kernel-package has the readme that shows you how to compile
your own .deb.

Cheers,






Re: Debian Server restored after Compromise. Which kernels???

2006-07-15 Thread Jean-Luc Coulon (f5ibh)

On 15.07.2006 12:58:02, [EMAIL PROTECTED] wrote:

On Sat, Jul 15, 2006 at 05:22:19AM +0200, Francesco Pietra wrote:
> On Saturday 15 July 2006 03:34, Hemlock wrote:
> > > Now that it is clear which kernels are defective, what should one do
> > > with defective kernel on both i386 Debian etch and amd64 Debian
> > > etch? The list of Debian packages
> > >
> > > http://www.debian.org/distrib/packages
> > >
> > > does not offer > 2.6.17.4 kernels for these systems. Should one
> > > download  from
> >
> > I'm in a similar situation.
> > I just ended up grabbing the source from kernel.org
> > and recompiling with debian's kernel-package package.
> > (kernel 2.6.17.4)
> > Did this both for i386 and AMD64 machines.
>
> Thank you for clarifying.
>
> Perhaps a naive observation: to save energies (and make a treasure of op
> competence) why not put your deb packages (if they are deb) up for download?
> Is there any server that could accept them?


Maybe anybody could also make his own packages available, with his own
backdoor in them? ;)


Jean-Luc




Re: Debian Server restored after Compromise. Which kernels???

2006-07-15 Thread Francesco Pietra
On Saturday 15 July 2006 12:58, [EMAIL PROTECTED] wrote:
> On Sat, Jul 15, 2006 at 05:22:19AM +0200, Francesco Pietra wrote:
> > On Saturday 15 July 2006 03:34, Hemlock wrote:
> > > > Now that it is clear which kernels are defective, what should one do
> > > > with defective kernel on both i386 Debian etch and amd64 Debian
> > > > etch? The list of Debian packages
> > > >
> > > > http://www.debian.org/distrib/packages
> > > >
> > > > does not offer > 2.6.17.4 kernels for these systems. Should one
> > > > download  from
> > >
> > > I'm in a similar situation.
> > > I just ended up grabbing the source from kernel.org
> > > and recompiling with debian's kernel-package package.
> > > (kernel 2.6.17.4)
> > > Did this both for i386 and AMD64 machines.
> >
> > Thank you for clarifying.
> >
> > Perhaps a naive observation: to save energies (and make a treasure of op
> > competence) why not put your deb packages (if they are deb) up for
> > download? Is there any server that could accept them?
>
> This would, offhand, *seem* to be a job for Debian security.

Thank you for the courage in saying that. But I know little about the policy of 
Debian to this concern, and, most of all, I understand that volunteers may 
lack the time at the moment for what seems to be the most economical (and 
secure) procedure.
francesco
>
> -- hendrik
>
> > cheers
> > francesco
> >
> > > Cheers,
> >





Re: Debian Server restored after Compromise. Which kernels???

2006-07-15 Thread hendrik
On Sat, Jul 15, 2006 at 05:22:19AM +0200, Francesco Pietra wrote:
> On Saturday 15 July 2006 03:34, Hemlock wrote:
> > > Now that it is clear which kernels are defective, what should one do
> > > with defective kernel on both i386 Debian etch and amd64 Debian
> > > etch? The list of Debian packages
> > >
> > > http://www.debian.org/distrib/packages
> > >
> > > does not offer > 2.6.17.4 kernels for these systems. Should one
> > > download  from
> >
> > I'm in a similar situation.
> > I just ended up grabbing the source from kernel.org
> > and recompiling with debian's kernel-package package.
> > (kernel 2.6.17.4)
> > Did this both for i386 and AMD64 machines.
> 
> Thank you for clarifying.
> 
> Perhaps a naive observation: to save energies (and make a treasure of op 
> competence) why not put your deb packages (if they are deb) up for download? 
> Is there any server that could accept them?

This would, offhand, *seem* to be a job for Debian security.

-- hendrik

> 
> cheers
> francesco
> >
> > Cheers,
> 
> 





Re: Debian Server restored after Compromise. Which kernels???

2006-07-14 Thread Francesco Pietra
On Saturday 15 July 2006 03:34, Hemlock wrote:
> > Now that it is clear which kernels are defective, what should one do
> > with defective kernel on both i386 Debian etch and amd64 Debian
> > etch? The list of Debian packages
> >
> > http://www.debian.org/distrib/packages
> >
> > does not offer > 2.6.17.4 kernels for these systems. Should one
> > download  from
>
> I'm in a similar situation.
> I just ended up grabbing the source from kernel.org
> and recompiling with debian's kernel-package package.
> (kernel 2.6.17.4)
> Did this both for i386 and AMD64 machines.

Thank you for clarifying.

Perhaps a naive observation: to save energies (and make a treasure of op 
competence) why not put your deb packages (if they are deb) up for download? 
Is there any server that could accept them?

cheers
francesco
>
> Cheers,





Re: Debian Server restored after Compromise. Which kernels???

2006-07-14 Thread Hemlock
> 
> Now that it is clear which kernels are defective, what should one do 
> with defective kernel on both i386 Debian etch and amd64 Debian 
> etch? The list of Debian packages
> 
> http://www.debian.org/distrib/packages
> 
> does not offer > 2.6.17.4 kernels for these systems. Should one 
> download  from
> 

I'm in a similar situation.
I just ended up grabbing the source from kernel.org
and recompiling with debian's kernel-package package.
(kernel 2.6.17.4)
Did this both for i386 and AMD64 machines.

Cheers,







Re: Debian Server restored after Compromise. Which kernels???

2006-07-14 Thread Francesco Pietra
On Friday 14 July 2006 19:05, Török Edvin wrote:
> On 7/14/06, Art Edwards <[EMAIL PROTECTED]> wrote:
> > Thanks very much for this post. However, I am confused about the span of
> > kernels affected. Do you mean 2.6.13 up to 2.6.13.4? As written, 2.6.13 up
> > to 2.6.17.4 would include all of the 2.6.14, 2.6.15, and 2.6.16 kernels,
> > rendering the last part of that line inconsistent. This has propagated
> > through the debian lists, so, at the least, a clarification would be very
> > useful.
>
> Have a look at:
> http://www.securityfocus.com/bid/18874 it lists the kernels.
> Up to 2.6.17.4 they are vulnerable, and in the 2.6.16 line it is fixed
> in  2.6.16.24

Now that it is clear which kernels are defective, what should one do with 
defective kernel on both i386 Debian etch and amd64 Debian etch? The list of 
Debian packages

http://www.debian.org/distrib/packages

does not offer > 2.6.17.4 kernels for these systems. Should one download  from

http://www.securityfocus.com/bid/18874 
?
Does that tarball require a kernel compilation? I can easily imagine: Yes. What 
does "the vendor" mean in such a list? How long will it take until > 2.6.17.4 
kernels become available as deb packages for etch?

I can also imagine that for a machine normally kept detached from the internet, 
and only connected there for
#aptitude update (upgrade)
with only official Debian in sources.list, as for a machine used for 
computation, there is no problem of kernel vulnerability. True?

Thank you
francesco
>
> Cheers,
> Edwin



Re: Debian Server restored after Compromise. Which kernels???

2006-07-14 Thread Art Edwards
I just looked on the site you forwarded. It lists 

Linux kernel 2.6.10
Linux kernel 2.6.9 
Linux kernel 2.6.8 rc3
Linux kernel 2.6.8 rc2
Linux kernel 2.6.8 rc1
Linux kernel 2.6.8 

This is not consistent with the statement that the stable kernel (2.6.8)
is unaffected. Which is true? We have a superannuated Beowulf running the
2.6.8-2.k7 image, and my laptop is currently at 2.6.10.

Art Edwards

On Fri, Jul 14, 2006 at 08:05:53PM +0300, Török Edvin wrote:
> On 7/14/06, Art Edwards <[EMAIL PROTECTED]> wrote:
> >Thanks very much for this post. However, I am confused about the span of
> >kernels affected. Do you mean 2.6.13 up to 2.6.13.4? As written, 2.6.13 up
> >to 2.6.17.4 would include all of the 2.6.14, 2.6.15, and 2.6.16 kernels,
> >rendering the last part of that line inconsistent. This has propagated
> >through the debian lists, so, at the least, a clarification would be very
> >useful.
> Have a look at:
> http://www.securityfocus.com/bid/18874 it lists the kernels.
> Up to 2.6.17.4 they are vulnerable, and in the 2.6.16 line it is fixed
> in  2.6.16.24
> 
> Cheers,
> Edwin
> 
> 





Re: Debian Server restored after Compromise. Which kernels???

2006-07-14 Thread Török Edvin

On 7/14/06, Art Edwards <[EMAIL PROTECTED]> wrote:

Thanks very much for this post. However, I am confused about the span of
kernels affected. Do you mean 2.6.13 up to 2.6.13.4? As written, 2.6.13 up
to 2.6.17.4 would include all of the 2.6.14, 2.6.15, and 2.6.16 kernels,
rendering the last part of that line inconsistent. This has propagated
through the debian lists, so, at the least, a clarification would be very
useful.

Have a look at:
http://www.securityfocus.com/bid/18874 it lists the kernels.
Up to 2.6.17.4 they are vulnerable, and in the 2.6.16 line it is fixed
in  2.6.16.24

Cheers,
Edwin





Re: Debian Server restored after Compromise. Which kernels???

2006-07-14 Thread Art Edwards
Thanks very much for this post. However, I am confused about the span of
kernels affected. Do you mean 2.6.13 up to 2.6.13.4? As written, 2.6.13 up
to 2.6.17.4 would include all of the 2.6.14, 2.6.15, and 2.6.16 kernels,
rendering the last part of that line inconsistent. This has propagated
through the debian lists, so, at the least, a clarification would be very
useful.

I assume that this is also a problem for 32bit machines?

Art Edwards

On Thu, Jul 13, 2006 at 08:24:48PM +0200, Leopold Palomo-Avellaneda wrote:
> 
> 
> --  Forwarded Message  --
> 
> Subject: Debian Server restored after Compromise
> Date: Thursday 13 July 2006 19:54
> From: Martin Schulze <[EMAIL PROTECTED]>
> To: Debian News Channel 
> 
> 
> The Debian Project  http://www.debian.org/
> Debian Server restored after Compromise  [EMAIL PROTECTED]
> July 13th, 2006 http://www.debian.org/News/2005/20060713
> 
> 
> Debian Server restored after Compromise
> 
> One core Debian server has been reinstalled after a compromise and
> services have been restored.  On July 12th the host gluck.debian.org
> has been compromised using a local root vulnerability in the Linux
> kernel.  The intruder had access to the server using a compromised
> developer account.
> 
> The services affected and temporarily taken down are: cvs, ddtp,
> lintian, people, popcon, planet, ports, release.
> 
> 
> Details
> ---
> 
> At least one developer account has been compromised a while ago and
> has been used by an attacker to gain access to the Debian server.  A
> recently discovered local root vulnerability in the Linux kernel has
> then been used to gain root access to the machine.
> 
> At 02:43 UTC on July 12th suspicious mails were received and alarmed
> the Debian admins.   The following investigation showed that a
> developer account was compromised and that a local kernel
> vulnerability has been exploited to gain root access.
> 
> At 04:30 UTC on July 12th gluck has been taken offline and booted off
> trusted media.  Other Debian servers have been locked down for further
> investigation whether they were compromised as well.  They will be
> upgraded to a corrected kernel before they will be unlocked.
> 
> Due to the short window between exploiting the kernel and Debian
> admins noticing, the attacker hadn't had time/inclination to cause
> much damage.  The only obviously compromised binary was /bin/ping.
> 
> The compromised account did not have access to any of the restricted
> Debian hosts.  Hence, neither the regular nor the security archive had
> a chance to be compromised.
> 
> An investigation of developer passwords revealed a number of weak
> passwords whose accounts have been locked in response.
> 
> The machine status is here: 
> 
> 
> Kernel vulnerability
> 
> 
> The kernel vulnerability that has been used for this compromise is
> referenced as CVE-2006-2451.  It only exists in the Linux kernel
> 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24.
> The bug allows a local user to gain root privileges via the
> PR_SET_DUMPABLE argument of the prctl function and a program that
> causes a core dump file to be created in a directory for which the
> user does not have permissions.
> 
> The current stable release, Debian GNU/Linux 3.1 alias 'sarge',
> contains Linux 2.6.8 and is thus not affected by this problem.  The
> compromised server ran Linux 2.6.16.18.
> 
> If you run Linux 2.6.13 up to versions before 2.6.17.4, or Linux
> 2.6.16 up to versions before 2.6.16.24, please update your kernel
> immediately.
> 
> 
> About Debian
> 
> 
> Debian GNU/Linux is a free operating system, developed by more than
> thousand volunteers from all over the world who collaborate via the
> Internet.  Debian's dedication to Free Software, its non-profit nature,
> and its open development model make it unique among GNU/Linux
> distributions.
> 
> The Debian project's key strengths are its volunteer base, its dedication
> to the Debian Social Contract, and its commitment to provide the best
> operating system possible.
> 
> 


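A defender-side check of the version ranges in the advisory quoted above, added here as an example (it is not code from the thread, from Debian or from the advisory). It encodes the 2.6.16.y exception that Art Edwards asked about, and assumes only POSIX sh with sed, tr and uname.

```shell
#!/bin/sh
# Classify a kernel version string against the ranges in the
# CVE-2006-2451 advisory: 2.6.13 <= v < 2.6.17.4 is vulnerable,
# except the 2.6.16.y stable line, which is fixed from 2.6.16.24 on.
# Caveat: a Debian-packaged kernel reports its upstream base version
# in uname -r (e.g. 2.6.16-2-amd64) while the fix may be backported
# in the .deb, so for those the package changelog or DSA is
# authoritative; this check only says the upstream base is in range.

# Numeric dotted prefix of a version, padded to four fields:
# "2.6.16-2-amd64" -> "2 6 16 0", "2.6.17.4" -> "2 6 17 4".
version_fields() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    set -- $(printf '%s' "$v" | tr '.' ' ')
    printf '%s %s %s %s' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"
}

# Compare two versions field by field; prints -1, 0 or 1.
version_cmp() {
    set -- $(version_fields "$1") $(version_fields "$2")
    for pair in "$1 $5" "$2 $6" "$3 $7" "$4 $8"; do
        set -- $pair
        [ "$1" -lt "$2" ] && { printf '%s\n' -1; return 0; }
        [ "$1" -gt "$2" ] && { printf '%s\n' 1; return 0; }
    done
    printf '%s\n' 0
}

# Exit 0 if the version lies in a range the advisory lists as
# vulnerable, 1 otherwise.
cve_2006_2451_vulnerable() {
    v=$1
    # Anything below 2.6.13 (e.g. sarge's 2.6.8) predates the bug.
    [ "$(version_cmp "$v" 2.6.13)" -lt 0 ] && return 1
    # The 2.6.16.y stable line was fixed in 2.6.16.24.
    if [ "$(version_cmp "$v" 2.6.16)" -ge 0 ] &&
       [ "$(version_cmp "$v" 2.6.17)" -lt 0 ]; then
        [ "$(version_cmp "$v" 2.6.16.24)" -lt 0 ] && return 0
        return 1
    fi
    # Every other release before 2.6.17.4 is in range.
    [ "$(version_cmp "$v" 2.6.17.4)" -lt 0 ] && return 0
    return 1
}

# Report on the kernel this host is running.
report_running_kernel() {
    k=$(uname -r)
    if cve_2006_2451_vulnerable "$k"; then
        echo "$k: upstream base in CVE-2006-2451 range; confirm a backported fix or update"
    else
        echo "$k: outside the CVE-2006-2451 ranges"
    fi
}

report_running_kernel
```

Run it as a script to classify the running kernel, or source it and call cve_2006_2451_vulnerable with any version string such as one taken from a package name.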