Re: Problems with tripwire:

2002-03-11 Thread Martin Peikert

Petro wrote:

> Is there a file-security scanner like tripwire (or like AIDE) that
> works across a network? I'm envisioning something that does local
> file scanning, then transmits the resulting table to a remote (more
> secure) host where the verification is done. 

Try samhain or freeveracity:

http://samhain.sourceforge.net/surround.html?main_q.html&2
http://www.freeveracity.org/

GTi
-- 
For encrypted messages please use my public key, key-ID:  0xA9E35B01
The fingerprint is A684 87F3 C7AA 9728 3C1B 85BF 0500 B2C7 A9E3 5B01


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: MS Front page extensions for Linux

2002-03-11 Thread Jeremy T. Bouse
On Tue, Mar 12, 2002 at 11:31:34AM +0800, Marcel Welschbillig wrote:
> Hi,
> 
> Are there any known security issues with installing micro$oft Front Page 
> extensions on a Debian Apache web server? I am reluctant to infect my 
> nice Linux web server with micro$oft code.
> 
Well you did use the right word "infect"... With micro$oft's
track record do you really think the frontpage extensions would be any
different?

Jeremy



Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Steve Langasek
On Tue, Mar 12, 2002 at 05:18:34PM +1300, John Morton wrote:
> On Tuesday 12 March 2002 15:52, Steve Langasek wrote:

> > >   Doesn't dpkg also compile with a static zlib? Why does it not make
> > > this list?

> > What Internet-accessible port are you running dpkg on? :)

> > dpkg doesn't normally run on a network port, so exploiting it doesn't
> > get you local access unless you already have it; and it's not suid, so
> > running it from commandline doesn't let you get root.  Therefore, there
> > is no security hole opened by a vulnerability in dpkg.

> I think this reasoning is flawed - a vulnerable zlib in dpkg would be 
> exploited by a trojaned deb package that someone unwittingly downloads, and 
> as dpkg tends to be run as root, that would buy the attacker root privileges. 

> Admittedly, as things stand, a trojaned package could do many of those things 
> with doctored install scripts anyway, but this vulnerability does matter if 
> the package has to be uncompressed just to examine it.

True.  Regardless of how much of a risk this really is, one of the dpkg
maintainers has indicated that a fixed package is on its way.

Regards,
Steve Langasek
postmodern programmer




Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Matt Zimmerman
On Mon, Mar 11, 2002 at 08:52:54PM -0600, Steve Langasek wrote:

> dpkg doesn't normally run on a network port, so exploiting it doesn't get
> you local access unless you already have it; and it's not suid, so running
> it from commandline doesn't let you get root.  Therefore, there is no
> security hole opened by a vulnerability in dpkg.

Not so; other, more subtle attack vectors are possible.  For example, the
superuser could use dpkg-deb --extract on a hostile binary .deb.  This
should be a safe operation, given a properly controlled environment, but by
exploiting this bug, dpkg could be tricked into executing arbitrary code.

-- 
 - mdz



Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread John Morton
On Tuesday 12 March 2002 15:52, Steve Langasek wrote:

> > Doesn't dpkg also compile with a static zlib? Why does it not make
> > this list?
>
> What Internet-accessible port are you running dpkg on? :)
>
> dpkg doesn't normally run on a network port, so exploiting it doesn't
> get you local access unless you already have it; and it's not suid, so
> running it from commandline doesn't let you get root.  Therefore, there
> is no security hole opened by a vulnerability in dpkg.

I think this reasoning is flawed - a vulnerable zlib in dpkg would be 
exploited by a trojaned deb package that someone unwittingly downloads, and 
as dpkg tends to be run as root, that would buy the attacker root privileges. 

Admittedly, as things stand, a trojaned package could do many of those things 
with doctored install scripts anyway, but this vulnerability does matter if 
the package has to be uncompressed just to examine it.

John



Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Michael Stone
>   Doesn't dpkg also compile with a static zlib? Why does it not make
> this list?

No, it doesn't. The potato version of dpkg forks a copy of gzip. Any
other versions don't get security support. :)

-- 
Mike Stone



Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Andrew Tait

Unless you are going to dial into a malicious ISP, I doubt this will be a
problem (AFAIK, but don't quote me).

Most of my servers are stable/testing hybrids, including 2 running 2.4 (and
I have been very happy with them).

Update your sources.list to have both stable and testing (and make sure you
called them that, not potato/woody), and then do an "apt-get install apt",
which will install testing's apt onto your stable box, along with any
dependencies.

Then add this to your apt.conf file:

APT::Default-Release "stable";

You can then install packages (and dependencies) from testing via "apt-get
install ssh -t testing". Otherwise packages will be pulled from stable.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix
- Original Message -
From: "Chuck Peters" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, March 12, 2002 5:07 PM
Subject: Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer
overflow


>
> ii  ppp            2.4.1-0.bunk.2     Point-to-Point Protocol (PPP) daemon.
>
> How does this affect ppp servers running potato with the unofficial 2.4
> packages provided by Adrian Bunk?
>
> Does anyone have any recommendations for fixing this potential exploit?
>
>
> Thanks,
> Chuck
>




MS Front page extensions for Linux

2002-03-11 Thread Marcel Welschbillig

Hi,

Are there any known security issues with installing micro$oft Front Page 
extensions on a Debian Apache web server? I am reluctant to infect my 
nice Linux web server with micro$oft code.


Thanks !

--
Regards,

Marcel Welschbillig



Re: [SECURITY] [DSA 122-1] New zlib & other packages fix bufferoverflow

2002-03-11 Thread Chuck Peters


ii  ppp            2.4.1-0.bunk.2     Point-to-Point Protocol (PPP) daemon.

How does this affect ppp servers running potato with the unofficial 2.4
packages provided by Adrian Bunk?

Does anyone have any recommendations for fixing this potential exploit?


Thanks,
Chuck






Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Steve Langasek
On Mon, Mar 11, 2002 at 05:16:43PM -0600, Jor-el wrote:
> On Mon, 11 Mar 2002, Michael Stone wrote:

> > -BEGIN PGP SIGNED MESSAGE-

> > - --
> > Debian Security Advisory DSA 122-1 [EMAIL PROTECTED]
> > http://www.debian.org/security/  Michael Stone
> > March 11th, 2002
> > - --

> > Package: zlib, various
> > Vulnerability  : malloc error (double free)
> > Problem-Type   : potential remote root
> > Debian-specific: no

> > The compression library zlib has a flaw in which it attempts to free
> > memory more than once under certain conditions. This can possibly be
> > exploited to run arbitrary code in a program that includes zlib. If a
> > network application running as root is linked to zlib, this could
> > potentially lead to a remote root compromise. No exploits are known at
> > this time. This vulnerability is assigned the CVE candidate name of
> > CAN-2002-0059.

> > The zlib vulnerability is fixed in the Debian zlib package version
> > 1.1.3-5.1. A number of programs either link statically to zlib or include
> > a private copy of zlib code. These programs must also be upgraded
> > to eliminate the zlib vulnerability. The affected packages and fixed
> > versions follow:
> >   amaya 2.4-1potato1
> >   dictd 1.4.9-9potato1
> >   erlang 49.1-10.1
> >   freeamp 2.0.6-2.1
> >   mirrordir 0.10.48-2.1
> >   ppp 2.3.11-1.5
> >   rsync 2.3.2-1.6
> >   vrweb 1.5-5.1

> Hi,

>   Doesn't dpkg also compile with a static zlib? Why does it not make
> this list?

What Internet-accessible port are you running dpkg on? :)

dpkg doesn't normally run on a network port, so exploiting it doesn't
get you local access unless you already have it; and it's not suid, so
running it from commandline doesn't let you get root.  Therefore, there
is no security hole opened by a vulnerability in dpkg.

Steve Langasek
postmodern programmer





Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Matt Zimmerman
On Mon, Mar 11, 2002 at 05:16:43PM -0600, Jor-el wrote:

> >   amaya 2.4-1potato1
> >   dictd 1.4.9-9potato1
> >   erlang 49.1-10.1
> >   freeamp 2.0.6-2.1
> >   mirrordir 0.10.48-2.1
> >   ppp 2.3.11-1.5
> >   rsync 2.3.2-1.6
> >   vrweb 1.5-5.1
> > 
> Hi,
> 
>   Doesn't dpkg also compile with a static zlib? Why does it not make
> this list?

dpkg in stable (1.6.15) does not link with zlib at all.

-- 
 - mdz



Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Adam Heath
On Mon, 11 Mar 2002, Jor-el wrote:

> > The zlib vulnerability is fixed in the Debian zlib package version
> > 1.1.3-5.1. A number of programs either link statically to zlib or include
> > a private copy of zlib code. These programs must also be upgraded
> > to eliminate the zlib vulnerability. The affected packages and fixed
> > versions follow:
> >   amaya 2.4-1potato1
> >   dictd 1.4.9-9potato1
> >   erlang 49.1-10.1
> >   freeamp 2.0.6-2.1
> >   mirrordir 0.10.48-2.1
> >   ppp 2.3.11-1.5
> >   rsync 2.3.2-1.6
> >   vrweb 1.5-5.1
> >
> Hi,
>
>   Doesn't dpkg also compile with a static zlib? Why does it not make
> this list?

It does, and you are correct.  I guess an upload will be forthcoming from me.
There also happens to be an assertion bug that I have a fix for as well.



Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Joey Hess
Jor-el wrote:
>   Doesn't dpkg also compile with a static zlib? Why does it not make
> this list?

Yeah, dpkg-deb does. Presumably you already have to trust debs you
install, but this could affect using dpkg to examine the contents of
untrusted debs.

-- 
see shy jo



Problems with tripwire:

2002-03-11 Thread Petro
I have tripwire installed on one of my servers (Debian Stable), and I've
managed to get the configuration pretty quiet, but I'm having a little
problem with one or two of them. 

The particular section of tw.config looks like: 
/var@@AW
!/var/log/ksymoops/ 
/var/log@@LOGSEARCH
/var/lib@@LOGSEARCH
/var/backups@@LOGSEARCH
!/var/spool
!/var/run
!/var/cache
!/var/lock 
!/var/state/ 

where @@AW is:
@@define AW +pinugsm17-ac2345689 

The problem is that I still get: 

Changed files/directories include:
added:   -r--r--r-- root    32630 Mar 10 06:25:03 2002 /var/log/ksymoops/20020310062503.ksyms
added:   -r--r--r-- root       78 Mar 10 06:25:03 2002 /var/log/ksymoops/20020310062503.modules
added:   -r--r--r-- root    32630 Mar 11 06:25:02 2002 /var/log/ksymoops/20020311062502.ksyms
added:   -r--r--r-- root       78 Mar 11 06:25:02 2002 /var/log/ksymoops/20020311062502.modules
deleted: -r--r--r-- root    32630 Mar  8 06:25:01 2002 /var/log/ksymoops/20020308062501.ksyms
deleted: -r--r--r-- root       78 Mar  8 06:25:01 2002 /var/log/ksymoops/20020308062501.modules
deleted: -r--r--r-- root    32630 Mar  5 06:25:02 2002 /var/log/ksymoops/20020305062502.ksyms
deleted: -r--r--r-- root       78 Mar  5 06:25:02 2002 /var/log/ksymoops/20020305062502.modules
deleted: -r--r--r-- root    32630 Mar  7 06:25:02 2002 /var/log/ksymoops/20020307062502.ksyms
deleted: -r--r--r-- root       78 Mar  7 06:25:02 2002 /var/log/ksymoops/20020307062502.modules
changed: -rw-r--r-- root       52 Mar 11 06:25:02 2002 /var/state/logrotate/status

Now, according to my understanding, the ! in front of /var/log/ksymoops/
should be telling tripwire to ignore things under there, right? 

Obviously, it's not. 

Additionally:

Is there a file-security scanner like tripwire (or like AIDE) that
works across a network? I'm envisioning something that does local
file scanning, then transmits the resulting table to a remote (more
secure) host where the verification is done. 



-- 
Share and Enjoy. 


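An added example (my own code, not from the post above and not tripwire, AIDE or samhain) of the split Petro envisions: the scanning host walks the tree, applies prune prefixes written like the `!` lines in his tw.config, and ships a table; the baseline and the comparison stay on the verification host. The `!` handling and the dropped `@@MASK` tags are this example's own definitions, not tripwire's, and the tree it scans is constructed under a temporary directory.

```python
import hashlib
import json
import os
import stat
import tempfile

def parse_config(text):
    """Return (roots, prunes) from a tiny tw.config-like listing:
    '!prefix' prunes a subtree, '@@define' lines are skipped, and the
    '@@MASK' tag on a root entry is discarded (no per-entry masks here)."""
    roots, prunes = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@@"):
            continue
        if line.startswith("!"):
            prunes.append(line[1:].rstrip("/"))
        else:
            roots.append(line.split("@@")[0])
    return roots, prunes

def is_pruned(path, prunes):
    return any(path == p or path.startswith(p + "/") for p in prunes)

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan(base, roots, prunes):
    """Scanning host: {path: {mode, size, sha256}}. Paths are taken
    relative to base so a constructed tree can stand in for '/'."""
    table = {}
    for root in roots:
        top = os.path.join(base, root.lstrip("/"))
        for dirpath, dirnames, filenames in os.walk(top):
            rel = os.path.relpath(dirpath, base)
            rel = "" if rel == "." else "/" + rel.replace(os.sep, "/")
            if is_pruned(rel, prunes):
                dirnames[:] = []  # a pruned root: do not descend
                continue
            dirnames[:] = [d for d in dirnames if not is_pruned(f"{rel}/{d}", prunes)]
            for name in filenames:
                full = os.path.join(dirpath, name)
                st = os.lstat(full)
                table[f"{rel}/{name}"] = {
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "size": st.st_size,
                    "sha256": sha256_file(full) if stat.S_ISREG(st.st_mode) else None,
                }
    return table

def serialize(table):
    """Bytes the scanning host ships to the verification host."""
    return json.dumps(table, sort_keys=True).encode()

def verify(baseline, shipped):
    """Verification host: the baseline never leaves this side."""
    current = json.loads(shipped)
    report = {"added": [], "deleted": [], "changed": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["deleted"].append(path)
        elif baseline[path] != current[path]:
            report["changed"].append(path)
    return report

CONFIG = """
/var@@AW
!/var/log/ksymoops/
/var/log@@LOGSEARCH
/var/lib@@LOGSEARCH
/var/backups@@LOGSEARCH
!/var/state/
"""

def demo():
    """Constructed tree: a rotated ksymoops dump and the logrotate status
    file sit under pruned entries and must stay out of the report; a
    changed dpkg status file and a new backup file must appear in it."""
    with tempfile.TemporaryDirectory() as base:
        def put(rel, data):
            full = os.path.join(base, rel.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        put("/var/log/ksymoops/20020310062503.ksyms", b"symbols")
        put("/var/state/logrotate/status", b"state 1\n")
        put("/var/lib/dpkg/status", b"Package: zlib1g\nVersion: 1.1.3-5\n")
        roots, prunes = parse_config(CONFIG)
        baseline = scan(base, roots, prunes)
        # next day: new dump, logrotate ran, zlib upgraded, backup taken
        put("/var/log/ksymoops/20020311062502.ksyms", b"symbols v2")
        put("/var/state/logrotate/status", b"state 2\n")
        put("/var/lib/dpkg/status", b"Package: zlib1g\nVersion: 1.1.3-5.1\n")
        put("/var/backups/dpkg.status.0", b"Package: zlib1g\nVersion: 1.1.3-5\n")
        shipped = serialize(scan(base, roots, prunes))
        return verify(baseline, shipped)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The shipped table is only as honest as the scanning host, so the remote side catches tampering with files, not a scanner that has itself been replaced; that is the usual argument for keeping the baseline and the comparison off-box.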

Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Jor-el
On Mon, 11 Mar 2002, Michael Stone wrote:

> -BEGIN PGP SIGNED MESSAGE-
> 
> - --
> Debian Security Advisory DSA 122-1 [EMAIL PROTECTED]
> http://www.debian.org/security/  Michael Stone
> March 11th, 2002
> - --
> 
> Package: zlib, various
> Vulnerability  : malloc error (double free)
> Problem-Type   : potential remote root
> Debian-specific: no
> 
> The compression library zlib has a flaw in which it attempts to free
> memory more than once under certain conditions. This can possibly be
> exploited to run arbitrary code in a program that includes zlib. If a
> network application running as root is linked to zlib, this could
> potentially lead to a remote root compromise. No exploits are known at
> this time. This vulnerability is assigned the CVE candidate name of
> CAN-2002-0059.
> 
> The zlib vulnerability is fixed in the Debian zlib package version
> 1.1.3-5.1. A number of programs either link statically to zlib or include
> a private copy of zlib code. These programs must also be upgraded
> to eliminate the zlib vulnerability. The affected packages and fixed
> versions follow:
>   amaya 2.4-1potato1
>   dictd 1.4.9-9potato1
>   erlang 49.1-10.1
>   freeamp 2.0.6-2.1
>   mirrordir 0.10.48-2.1
>   ppp 2.3.11-1.5
>   rsync 2.3.2-1.6
>   vrweb 1.5-5.1
> 
Hi,

Doesn't dpkg also compile with a static zlib? Why does it not make
this list?

Regards,
Jor-el



Re: rootkit detection

2002-03-11 Thread Philip Thiem
He might have meant that he doesn't want to run the risk of getting 
a poor utility thinking that it is a good one (risk of security by ignorance), 
so he's asking for recommendations from people that might know something.  
However, he should understand program/technology limitations (e.g. they might 
not detect the latest root kit) and evaluate the tool on a "test" box before
putting it into production.  This is only a starting point, and from here
he should seek to educate himself.


Philip Thiem

On Sun, Mar 10, 2002 at 07:30:56PM -0800, Alvin Oga wrote:
> but what kind of risk are you referring to ??



Re: best way to create pop only accounts

2002-03-11 Thread Emmanuel Lacour
On Mon, Mar 11, 2002 at 04:10:10PM +0100, Alexander Reelsen wrote:
> Hiya
> 
> On Mon, Mar 11, 2002 at 03:40:18PM +0100, Javier Fernández-Sanguino Peña wrote:
> > On Mon, Mar 11, 2002 at 09:21:45AM -0300, Pedro Zorzenon Neto wrote:
> > > Which is the best way to create a POP only account? just change the
> > > last field in /etc/passwd to /bin/false?
> > No. My 2 cents (of Euro): use a directory for POP authentication
> > using the appropriate PAM modules, you could easily setup LDAP for this and
> > there are quite a number of POP3 daemons that provide LDAP schemas which
> > can be readily used in, for example, OpenLDAP.
> PAM is definitely the way to go here. You can use the debian packages of
> for example your popdaemon-of-choice and just install the backend yourself
> (if you need to). Doing this via LDAP is a neat way, but you could also do
> the authentication and/or storing of all the mail via MySQL.
> 
> I bet you are already using PAM to authenticate via /etc/passwd, you
> just don't realize this :-)
> 
> Check out the (not always easy to read) documentation about PAM, however
> it's worth a read.
> 

The most important documentation is the one that comes with the modules
(libpam-ldap, libpam-mysql...) which I think is not so hard to read.

One trick about this: you can easily manage the services accessed by your
users by inserting where tags in pam or other software configs. A quick
example overview for mysql:

Table user:

(user_id,user_name,realname,shell,password,uid,gid,homedir,sys,pop,imap,ftp)


and respectively use the following in

/etc/pam.d/imap

where=imap=1

/etc/pam.d/qpopper

where=pop=1

/etc/nss-mysql*.conf

users.where_clause = user.sys = 1;

/etc/proftpd.conf

SQLWhereClause "ftp=1"


So if one of the preceding tags is equal to 0 ... the user can't use the
service.

Regards,


Manu.

-- 
Easter-eggs                                  Spécialiste GNU/Linux
44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
Phone: +33 (0) 1 43 35 00 37    -    Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED]   -    http://www.easter-eggs.com



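An added example, not from the post above, that reproduces the per-service gating Manu describes with sqlite3 standing in for MySQL and for what pam_mysql/nss-mysql would query: each service's fixed where tag is appended to the lookup, the user name is bound as a parameter, and a POP-only account therefore passes the qpopper check but not login or FTP. The two accounts and the password hashing are this example's own assumptions; the table columns are the ones listed in the post.

```python
import hashlib
import hmac
import sqlite3

# Column layout from the post; types are this example's choice.
SCHEMA = """
CREATE TABLE user (
  user_id INTEGER PRIMARY KEY, user_name TEXT UNIQUE, realname TEXT,
  shell TEXT, password TEXT, uid INTEGER, gid INTEGER, homedir TEXT,
  sys INTEGER, pop INTEGER, imap INTEGER, ftp INTEGER
);
"""

# One fixed clause per service, mirroring the where= / where_clause /
# SQLWhereClause settings in the post. This is deploy-time config, not
# user input, which is the only reason it may be spliced into the SQL.
SERVICE_WHERE = {
    "qpopper": "pop = 1",
    "imap": "imap = 1",
    "proftpd": "ftp = 1",
    "login": "sys = 1",   # what users.where_clause gates in nss-mysql
}

def pw_hash(password):
    # Unsalted SHA-256 keeps the example short; a real table should hold
    # a salted, slow hash (the post does not fix a scheme).
    return hashlib.sha256(password.encode()).hexdigest()

def seed(conn):
    """Constructed sample accounts: alice gets everything, popbob is
    POP-only (sys=0 keeps him out of /etc/passwd-style logins)."""
    conn.executescript(SCHEMA)
    rows = [
        ("alice", "Alice", "/bin/bash", pw_hash("a-secret"),
         1001, 1001, "/home/alice", 1, 1, 1, 1),
        ("popbob", "Bob (POP only)", "/bin/false", pw_hash("b-secret"),
         1002, 1002, "/var/mail/popbob", 0, 1, 0, 0),
    ]
    conn.executemany(
        "INSERT INTO user (user_name, realname, shell, password, uid, gid,"
        " homedir, sys, pop, imap, ftp) VALUES (?,?,?,?,?,?,?,?,?,?,?)",
        rows,
    )

def authenticate(conn, service, user_name, password):
    """True only if the row exists, the service's tag admits it, and the
    password matches. The user name is always a bound parameter."""
    clause = SERVICE_WHERE[service]
    row = conn.execute(
        f"SELECT password FROM user WHERE user_name = ? AND ({clause})",
        (user_name,),
    ).fetchone()
    if row is None:
        return False  # unknown user or service tag set to 0
    return hmac.compare_digest(row[0], pw_hash(password))

def demo():
    conn = sqlite3.connect(":memory:")
    seed(conn)
    return {
        "popbob@qpopper": authenticate(conn, "qpopper", "popbob", "b-secret"),
        "popbob@login": authenticate(conn, "login", "popbob", "b-secret"),
        "popbob@proftpd": authenticate(conn, "proftpd", "popbob", "b-secret"),
        "alice@imap": authenticate(conn, "imap", "alice", "a-secret"),
        "alice@imap-badpw": authenticate(conn, "imap", "alice", "wrong"),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'ok' if v else 'denied'}")
```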

Re: Ssh and others compiled with tcpwrappers (Re: ssh without reverse DNS lookup)

2002-03-11 Thread Cristian Ionescu-Idbohrn
On Mon, 11 Mar 2002, Javier Fernández-Sanguino Peña wrote:

> On Mon, Mar 11, 2002 at 01:12:58PM +0100, Javier Coso Gutierrez wrote:
> > You have in the "/etc/hosts.deny" this:
> > ALL:PARANOID
>
>   That's exactly what I was thinking about.. many programs in
> Debian are now compiled with the tcpwrappers library: ssh, portmap,
> in.talk, rpc.statd, rpc.mountd, gdm, oaf (the GNOME
> activator daemon), nessus and many others.
>
>   Are there any others people know of? (I included this same stuff
> today in the Debian Security Manual CVS image)

# apt-cache showpkg libwrap0 | egrep '^[[:space:]]' | sort -u | \
sed 's/,libwrap0$//;s/^[[:space:]]\+//'

Cheers,
Cristian



Re: best way to create pop only accounts

2002-03-11 Thread Tim Uckun



The apache project has a full featured mail system called james. It's 
written in Java and seems very full featured. The specs are impressive but 
I haven't used it myself. You may want to check it out.


:wq
Tim Uckun
US Investigations Services/Due Diligence
 http://www.diligence.com/



Re: best way to create pop only accounts

2002-03-11 Thread Emmanuel Lacour

On Mon, Mar 11, 2002 at 04:10:10PM +0100, Alexander Reelsen wrote:
> Hiya
> 
> On Mon, Mar 11, 2002 at 03:40:18PM +0100, Javier Fernández-Sanguino Peña wrote:
> > On Mon, Mar 11, 2002 at 09:21:45AM -0300, Pedro Zorzenon Neto wrote:
> > >Which is the best way to create a POP only account? just change the
> > > last field in /etc/passwd to /bin/false?
> > No. My 2 cents (of Euro): use a directory for POP authentication
> > using the appropriate PAM modules; you could easily set up LDAP for this, and
> > there are quite a number of POP3 daemons that provide LDAP schemas which
> > can be readily used in, for example, OpenLDAP.
> PAM is definitely the way to go here. You can use the Debian packages of,
> for example, your POP daemon of choice and just install the backend yourself
> (if you need to). Doing this via LDAP is a neat way, but you could also do
> the authentication and/or storing of all the mail via MySQL.
> 
> I bet you are already using PAM to authenticate via /etc/passwd, you
> just don't realize this :-)
> 
> Check out the (not always easy to read) documentation about PAM; however,
> it's worth a read.
> 
> 

The most important documentation is the one that comes with the modules
(libpam-ldap, libpam-mysql...), which I think is not so hard to read.

One trick about this: you can easily manage the services accessed by your
users by inserting "where" clauses in the PAM or other software configs.
A quick example overview for MySQL:

Table user:

(user_id,user_name,realname,shell,password,uid,gid,homedir,sys,pop,imap,ftp)


and respectively use the following in

/etc/pam.d/imap

where=imap=1

/etc/pam.d/qpopper

where=pop=1

/etc/nss-mysql*.conf

users.where_clause = user.sys = 1;

/etc/proftpd.conf

SQLWhereClause "ftp=1"


So if one of the preceding flags is equal to 0, the user can't use the
service.

Regards,


Manu.

-- 
Easter-eggs   GNU/Linux specialist
44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
Phone: +33 (0) 1 43 35 00 37- Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED]   -http://www.easter-eggs.com





Re: Ssh and others compiled with tcpwrappers (Re: ssh without reverseDNS lookup)

2002-03-11 Thread Cristian Ionescu-Idbohrn

On Mon, 11 Mar 2002, Javier Fernández-Sanguino Peña wrote:

> On Mon, Mar 11, 2002 at 01:12:58PM +0100, Javier Coso Gutierrez wrote:
> > You have in the "/etc/hosts.deny" this:
> > ALL:PARANOID
>
>   That's exactly what I was thinking about.. many programs in
> Debian are now compiled with the tcpwrappers library: ssh, portmap,
> in.talk, rpc.statd, rpc.mountd, gdm, oaf (the GNOME
> activator daemon), nessus and many others.
>
>   Are there any others people know of? (I included this same stuff
> today in the Debian Security Manual CVS image)

# apt-cache showpkg libwrap0 | egrep '^[[:space:]]' | sort -u | \
sed 's/,libwrap0$//;s/^[[:space:]]\+//'

Cheers,
Cristian






Re: best way to create pop only accounts

2002-03-11 Thread Alexander Reelsen
Hiya

On Mon, Mar 11, 2002 at 03:40:18PM +0100, Javier Fernández-Sanguino Peña wrote:
> On Mon, Mar 11, 2002 at 09:21:45AM -0300, Pedro Zorzenon Neto wrote:
> >Which is the best way to create a POP only account? just change the
> > last field in /etc/passwd to /bin/false?
>   No. My 2 cents (of Euro): use a directory for POP authentication
> using the appropriate PAM modules; you could easily set up LDAP for this, and
> there are quite a number of POP3 daemons that provide LDAP schemas which
> can be readily used in, for example, OpenLDAP.
PAM is definitely the way to go here. You can use the Debian packages of,
for example, your POP daemon of choice and just install the backend yourself
(if you need to). Doing this via LDAP is a neat way, but you could also do
the authentication and/or storing of all the mail via MySQL.

I bet you are already using PAM to authenticate via /etc/passwd, you
just don't realize this :-)

Check out the (not always easy to read) documentation about PAM; however,
it's worth a read.


MfG/Regards, Alexander

-- 
Alexander Reelsen   http://joker.rhwd.de
[EMAIL PROTECTED]GnuPG: pub 1024D/F0D7313C  sub 2048g/6AA2EDDB
7D44 F4E3 1993 FDDF 552E  7C88 EE9C CBD1 F0D7 313C



Re: best way to create pop only accounts

2002-03-11 Thread Javier Fernández-Sanguino Peña
On Mon, Mar 11, 2002 at 09:21:45AM -0300, Pedro Zorzenon Neto wrote:
> Hi,
> 
>Which is the best way to create a POP only account? just change the
> last field in /etc/passwd to /bin/false?

No. My 2 cents (of Euro): use a directory for POP authentication
using the appropriate PAM modules; you could easily set up LDAP for this, and
there are quite a number of POP3 daemons that provide LDAP schemas which
can be readily used in, for example, OpenLDAP.

Javi





Re: best way to create pop only accounts

2002-03-11 Thread Davy Gigan
Pedro Zorzenon Neto writes:
 > Hi,
 > 
 >Which is the best way to create a POP only account? just change the
 > last field in /etc/passwd to /bin/false?

What about using qmail with vpopmail ? Simple, efficient, and really 
disconnected
from the underlying server ...

-- 
Davy Gigan
System & Network Administration  [Please no HTML, I'm not a browser]
University Of Caen (France)   [No HTML, I am not a browser]



Re: ssh without reverse DNS lookup

2002-03-11 Thread Javier Coso Gutierrez
On 11 March 2002, at 12:24 +, Alan James wrote:
 [...]
> 
> ReverseMappingCheck no
> 
 [...]
-- End of original message --

But this is only in "SSH protocol version 2", isn't it?
I'm trying to find this for version 1 and I can't find it.

Bye,
-- 
---
Javier Coso Gutierrez   Centrocom:  http://www.centrocom.es
E-mail: [EMAIL PROTECTED]   Agencia de Comunicación Interactiva
---

Happiness will only be found in true love



Re: best way to create pop only accounts

2002-03-11 Thread Eelco van Beek
Hi,

If I were you I'd use Dbmail (www.dbmail.org, cvs version).
It has got all this and more.

Best regards,

Eelco

On 11-03-2002 13:21, "Pedro Zorzenon Neto" <[EMAIL PROTECTED]> wrote:

> Hi,
> 
>  Which is the best way to create a POP only account? just change the
> last field in /etc/passwd to /bin/false?
> 
>  I want that the user will not be able to do anything on the machine
> but retrieving mail.
> 
>  I will enable APOP in qpopper or use some ssl wrapper for POP3, will
> disable the plain password POP3.
> 
>  If I use APOP, then it uses /etc/pop.auth. I could then put "*" in
> the password field in /etc/shadow as it will never match any password.
> 
>  What do you think about this?
> 
>   Thanks,
>Pedro
> 

-- 

IC&S
tel: (31) 30 23 22 878
fax: (31) 30 23 22 305
http://www.ic-s.nl - http://www.fastxs.nl
My pgpkey is @ http://www.ic-s.nl/keys/eelco.txt






Re: ssh without reverse DNS lookup

2002-03-11 Thread Alan James
On Mon, 11 Mar 2002 09:02:17 -0300, Pedro Zorzenon Neto <[EMAIL PROTECTED]>
wrote:

>   I've looked in "man sshd" and "man ssh" and I didn't see any
>configuration option which bypass the reverse lookup, enabling
>connections from machines without reverse DNS lookup. How can I do
>this? (I don't want to add each machine to /etc/hosts)

in /etc/ssh/sshd_config:

ReverseMappingCheck no

>   Which are the security problems when I bypassing this lookup?

I can't think of any.



Ssh and others compiled with tcpwrappers (Re: ssh without reverse DNS lookup)

2002-03-11 Thread Javier Fernández-Sanguino Peña
On Mon, Mar 11, 2002 at 01:12:58PM +0100, Javier Coso Gutierrez wrote:
> You have in the "/etc/hosts.deny" this:
> ALL:PARANOID

That's exactly what I was thinking about.. many programs in 
Debian are now compiled with the tcpwrappers library: ssh, portmap,
in.talk, rpc.statd, rpc.mountd, gdm, oaf (the GNOME
activator daemon), nessus and many others.

Are there any others people know of? (I included this same stuff
today in the Debian Security Manual CVS image)

Javi

PS: BTW tcpchk does not take this into account (I'm going to file a bug
now)



best way to create pop only accounts

2002-03-11 Thread Pedro Zorzenon Neto
Hi,

   Which is the best way to create a POP-only account? Just change the
last field in /etc/passwd to /bin/false?

   I want the user to be unable to do anything on the machine
except retrieve mail.

   I will enable APOP in qpopper or use some SSL wrapper for POP3, and will
disable plain-password POP3.

   If I use APOP, then it uses /etc/pop.auth. I could then put "*" in
the password field in /etc/shadow, as it will never match any password.

   What do you think about this?

Thanks,
 Pedro
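
A way to check what an account set up as described above can actually do, as an added example that is not code from this thread: the audit below parses passwd- and shadow-style records and sorts each account by whether its unix password is locked (a `*` or a leading `!` can never equal crypt(3) output), whether its shell is a login shell, and whether the password field is empty. The distinction matters because a /bin/false shell only stops an interactive session; an account whose unix password is still valid can authenticate to every PAM-backed service (and, against sshd, can still open port forwards with `ssh -N`), so the lock in /etc/shadow is what makes the account POP-only. The two sample files and the hash strings in them are constructed, and the set of non-login shells is an assumption to be reconciled with /etc/shells on the real host.

```python
"""Which accounts can do more than fetch mail? Parse passwd/shadow-style
records and say so per account.

Added example for the question above, not code from the thread. The two
sample files below are constructed (hash strings included); the set of
non-login shells is an assumption and should be checked against /etc/shells.
"""
from typing import Dict, List, Tuple

NON_LOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

SHELL_LOGIN = "shell login possible with the unix password"
PAM_ONLY = "no login shell, but the unix password still satisfies any PAM-backed service"
LOCKED = "unix password locked; only out-of-band credentials (e.g. APOP) admit this user"


def parse_passwd(text: str) -> Dict[str, dict]:
    """name -> {pwfield, uid, shell} from the seven-field passwd layout."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            continue                     # malformed; a real audit should report it
        users[f[0]] = {"pwfield": f[1], "uid": int(f[2]), "shell": f[6]}
    return users


def parse_shadow(text: str) -> Dict[str, str]:
    """name -> encrypted-password field (second field of shadow(5))."""
    fields = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) >= 2:
            fields[f[0]] = f[1]
    return fields


def password_state(field: str) -> str:
    """'' means no password is asked for at all; '*' or a leading '!' can never
    equal crypt(3) output, so the unix password is locked; anything else is a hash."""
    if field == "":
        return "empty"
    if field[0] in "*!":
        return "locked"
    return "hash"


def classify(passwd_text: str, shadow_text: str) -> Dict[str, Tuple[str, List[str]]]:
    """name -> (verdict, warnings) for every account in the passwd text."""
    shadow = parse_shadow(shadow_text)
    report = {}
    for name, u in parse_passwd(passwd_text).items():
        warnings = []
        if u["pwfield"] != "x":
            warnings.append("hash stored in world-readable passwd, not in shadow")
        field = shadow.get(name)
        if field is None:
            warnings.append("no shadow entry")
            field = "*"                  # 'x' with nothing behind it never matches
        state = password_state(field)
        if state == "empty":
            warnings.append("empty password: any client authenticates without one")
        if u["uid"] == 0 and name != "root":
            warnings.append("uid 0 alias")
        if state == "locked":
            verdict = LOCKED
        elif u["shell"] not in NON_LOGIN_SHELLS:
            verdict = SHELL_LOGIN
        else:
            verdict = PAM_ONLY
        report[name] = (verdict, warnings)
    return report


# Constructed sample files in /etc/passwd and /etc/shadow layout.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
pedro:x:1000:1000:Pedro:/home/pedro:/bin/bash
popuser1:x:1001:1001:POP only, APOP creds elsewhere:/var/mail/popuser1:/bin/false
popuser2:x:1002:1002:POP only, password never locked:/var/mail/popuser2:/bin/false
legacy:x:1003:1003:Old account:/home/legacy:/bin/sh
ghost:x:1004:1004:No shadow entry:/home/ghost:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$saltsalt$0123456789abcdefghijkl:11757:0:99999:7:::
pedro:$1$saltsalt$0123456789abcdefghijkl:11757:0:99999:7:::
popuser1:*:11757:0:99999:7:::
popuser2:$1$saltsalt$0123456789abcdefghijkl:11757:0:99999:7:::
legacy::11757:0:99999:7:::
"""

if __name__ == "__main__":
    for name, (verdict, warnings) in classify(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{name:10} {verdict}" + (f"  [{'; '.join(warnings)}]" if warnings else ""))
```

Run against the samples, popuser1 is the only account that comes out as genuinely POP-only; popuser2 shows the trap of changing the shell but leaving the hash in place, and legacy shows why an empty shadow field must be caught before anything else.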





Re: ssh without reverse DNS lookup

2002-03-11 Thread B Beck
On Mon, 11 Mar 2002 09:02:17 -0300
"Pedro Zorzenon Neto" <[EMAIL PROTECTED]> wrote:

> ssh_exchange_identification: Connection closed by remote host

This message means that a connection was made to the server but was closed 
before the SSH protocol was initiated.
This is usually caused by a libwrap setting which prohibits the connection.
Check your /etc/hosts.allow and /etc/hosts.deny settings and 'man hosts_access' 
rather than 'man {ssh,sshd}'.

regards

Brad Beck - linux guru in beta



Re: ssh without reverse DNS lookup

2002-03-11 Thread Javier Coso Gutierrez
You have this in "/etc/hosts.deny":
ALL:PARANOID

Try something like this:
"/etc/hosts.deny"  => ALL:ALL
"/etc/hosts.allow" => sshd:ALL


For more information: "man 5 hosts_access" and "man 5 hosts_options"

Bye ;)
-- 
---
Javier Coso Gutierrez   Centrocom:  http://www.centrocom.es
E-mail: [EMAIL PROTECTED]   Agencia de Comunicación Interactiva
---

Do not break the silence unless it is to improve it.
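
How tcpd actually evaluates those two files, as an added example that is not part of this thread or of tcp_wrappers itself: hosts.allow is consulted first, then hosts.deny, and a client matching neither is let in, so `ALL: ALL` in hosts.deny with `sshd: ALL` in hosts.allow admits every sshd client while still refusing every other wrapped daemon. Per hosts_access(5), `PARANOID` matches a peer whose reverse name does not resolve back to its address, while a peer with no reverse record at all is `UNKNOWN`; the simulation below exercises both, plus the `EXCEPT` operator and address-prefix and net/mask patterns, which are a tighter alternative to `sshd: ALL`. The rule texts and the three peers (each carrying its own DNS answers, so nothing is resolved on the network) are constructed.

```python
"""Offline simulation of the hosts_access(5) decision a libwrap daemon makes.

Added example for the thread above, not code from the posts or from
tcp_wrappers. The rule texts and the three peers are constructed; each
peer carries its own DNS answers, so nothing is resolved on the network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Client:
    addr: str                            # peer address as the daemon saw it
    reverse_name: Optional[str]          # PTR answer, None when there is none
    forward_addrs: Tuple[str, ...] = ()  # A answers for reverse_name (constructed)

    def hostname(self) -> str:
        """Classify the peer the way tcpd does before any rule is matched."""
        if self.reverse_name is None:
            return "unknown"             # matched by UNKNOWN, not by PARANOID
        if self.addr not in self.forward_addrs:
            return "paranoid"            # name does not map back: PARANOID
        return self.reverse_name.lower()


def parse_rules(text: str) -> List[Tuple[List[str], List[str], str]]:
    """daemon_list : client_list [: option]. Blank lines and '#' lines are
    skipped and a trailing backslash continues a line, as in hosts_access(5)."""
    rules, pending = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending += raw[:-1]
            continue
        line = (pending + raw).strip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                     # malformed line: tcpd logs it and moves on
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        option = fields[2].lower() if len(fields) > 2 else ""
        rules.append((daemons, clients, option))
    return rules


def list_match(tokens: List[str], value, matcher: Callable) -> bool:
    """'a b EXCEPT c' matches when the left list matches and the right does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_match(tokens[:i], value, matcher) and not list_match(tokens[i + 1:], value, matcher)
    return any(matcher(tok, value) for tok in tokens)


def daemon_match(tok: str, daemon: str) -> bool:
    return tok == "ALL" or tok.split("@", 1)[0] == daemon


def client_match(tok: str, client: Client) -> bool:
    name = client.hostname()
    if tok == "ALL":
        return True
    if tok == "PARANOID":
        return name == "paranoid"
    if tok == "UNKNOWN":
        return name == "unknown"
    if tok == "KNOWN":
        return name not in ("unknown", "paranoid")
    if tok == "LOCAL":                   # known name without a dot in it
        return name not in ("unknown", "paranoid") and "." not in name
    if tok.startswith("."):              # domain suffix, e.g. .example.net
        return name.endswith(tok.lower())
    if tok.endswith("."):                # address prefix, e.g. 192.168.1.
        return client.addr.startswith(tok)
    if "/" in tok:                       # net/mask, e.g. 192.168.1.0/255.255.255.0
        try:
            return ipaddress.ip_address(client.addr) in ipaddress.ip_network(tok, strict=False)
        except ValueError:
            return False
    return tok.lower() == name or tok == client.addr


def decide(hosts_allow: str, hosts_deny: str, daemon: str, client: Client) -> bool:
    """hosts.allow first, then hosts.deny, then allow by default. A trailing
    'allow' or 'deny' field (hosts_options(5)) overrides the file's verdict."""
    for daemons, clients, option in parse_rules(hosts_allow):
        if list_match(daemons, daemon, daemon_match) and list_match(clients, client, client_match):
            return option != "deny"
    for daemons, clients, option in parse_rules(hosts_deny):
        if list_match(daemons, daemon, daemon_match) and list_match(clients, client, client_match):
            return option == "allow"
    return True


# Constructed peers: a consistently mapped host, a host with no PTR record,
# and a host whose PTR names a host that resolves to a different address.
GOOD = Client("192.168.1.10", "ws10.example.net", ("192.168.1.10",))
NO_PTR = Client("192.168.1.20", None)
MISMATCH = Client("192.168.1.30", "ws10.example.net", ("192.168.1.10",))

if __name__ == "__main__":
    for label, allow, deny in (
        ("hosts.deny ALL: PARANOID only", "", "ALL: PARANOID\n"),
        ("deny ALL, allow sshd from anywhere", "sshd: ALL\n", "ALL: ALL\n"),
        ("deny ALL, allow sshd from one subnet", "sshd: 192.168.1. EXCEPT 192.168.1.30\n", "ALL: ALL\n"),
    ):
        verdicts = {c.addr: decide(allow, deny, "sshd", c) for c in (GOOD, NO_PTR, MISMATCH)}
        print(label, verdicts)
```

`decide()` is the question a wrapped daemon asks before it speaks any protocol, which is why a refused client sees the socket close before `ssh_exchange_identification` rather than an SSH-level error; the same check with the daemon name `in.telnetd` shows that `sshd: ALL` in hosts.allow opens nothing else.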



ssh without reverse DNS lookup

2002-03-11 Thread Pedro Zorzenon Neto
Hi,

   ssh in potato is set to always try a reverse DNS lookup. If the
client is not registered in the DNS server, then it gets the answer:
"ssh_exchange_identification: Connection closed by remote host"

   I've looked in "man sshd" and "man ssh" and I didn't see any
configuration option which bypasses the reverse lookup, enabling
connections from machines without reverse DNS. How can I do
this? (I don't want to add each machine to /etc/hosts)

   What are the security problems if I bypass this lookup?

   Thanks in advance,
Pedro




unsubscribe

2002-03-11 Thread Alexey