Re: tiger reporting thousands of files with undefined groups ownership
On Sat, Nov 02, 2002 at 01:18:03PM +, Carlos Sousa wrote:
> # pwck -r
> user news: directory /var/spool/news does not exist
> user uucp: directory /var/spool/uucp does not exist
> user majordom: directory /usr/lib/majordomo does not exist
> user postgres: directory /var/lib/postgres does not exist
> user msql: directory /var/lib/msql does not exist
> user list: directory /var/list does not exist
> user gnats: directory /var/lib/gnats/gnats-db does not exist
> user telnetd: directory /usr/lib/telnetd does not exist
> user mysql: directory /var/lib/mysql does not exist
> pwck: no changes

Should this be there? I'm pretty sure there should be there.

$ dpkg -S /var/lib/mysql
mysql-server: /var/lib/mysql

If you have mysql-server installed (and I bet you do since you have the 'mysql' user) then that directory might have been lost in the crash.

> Visual inspection of passwd and shadow doesn't help, both look OK.

Yes, they might be ok. The problem is that the filesystem structure is not ok.

> Any more thoughts?

System crash. Ouch.

Javi

Re: tiger reporting thousands of files with undefined groups ownership
On Sun, 3 Nov 2002 20:56:34 +0100 Javier Fernández-Sanguino Peña [EMAIL PROTECTED] wrote:
> On Sat, Nov 02, 2002 at 01:18:03PM +, Carlos Sousa wrote:
> > # pwck -r
> > user news: directory /var/spool/news does not exist
> > user uucp: directory /var/spool/uucp does not exist
> > user majordom: directory /usr/lib/majordomo does not exist
> > user postgres: directory /var/lib/postgres does not exist
> > user msql: directory /var/lib/msql does not exist
> > user list: directory /var/list does not exist
> > user gnats: directory /var/lib/gnats/gnats-db does not exist
> > user telnetd: directory /usr/lib/telnetd does not exist
> > user mysql: directory /var/lib/mysql does not exist
> > pwck: no changes
>
> Should this be there? I'm pretty sure there should be there.
>
> $ dpkg -S /var/lib/mysql
> mysql-server: /var/lib/mysql

Actually, the msql entry also seems suspicious:

$ dpkg -S /var/lib/msql
dpkg: /var/lib/msql not found.

What is it doing there? I haven't mini SQL installed, I couldn't even find mini SQL in the Debian packages... Should it be safe to remove msql from passwd/shadow?

> If you have mysql-server installed (and I bet you do since you have the 'mysql' user) then that directory might have been lost in the crash.

I shouldn't have mysql installed.

$ dpkg -l 'mysql*'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
un  mysql          none           (no description available)
un  mysql-base     none           (no description available)
pn  mysql-client   none           (no description available)
ii  mysql-common   3.23.52-2      mysql database common files (e.g. /etc/mysql
un  mysql-dev      none           (no description available)
un  mysql-devel    none           (no description available)
pn  mysql-doc      none           (no description available)
pn  mysql-gpl-clie none           (no description available)
un  mysql-gpl-dev  none           (no description available)
pn  mysql-gpl-doc  none           (no description available)
pn  mysql-manual   none           (no description available)
pn  mysql-navigato none           (no description available)
pn  mysql-server   none           (no description available)
pn  mysqltcl       none           (no description available)

Hmm, bit of a mess here... Why do I have a few mysql packages in a Desired=Unknown state? How could I upgrade them to a Desired=Purged state?

Anyway, the avalanche of files reported by tiger surely cannot be totally explained by this mysql breakage...

--
Carlos Sousa
http://vbc.dyndns.org/

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: Fwd: iDEFENSE Security Advisory 11.01.02: Buffer Overflow Vulnerability in Abuse
Quoting Phillip Hofmeister ([EMAIL PROTECTED]):
> From: David Endler [EMAIL PROTECTED]
> [...]In a default abuse installation in Debian Linux, both abuse.console and abuse.x11R6 can be used in exploitation; both files are set group id games, and abuse.console is set user id root.

What's this about?
_
> 2. Remove the setuid bit from the XaoS binary by executing the following command:
>
>   # chmod -s /usr/lib/games/abuse/abuse.*

(noticing -rwsr-xr-x root root 37 Jul 27 17:34 /usr/bin/xaos)
^

Cheers,

--
Email: [EMAIL PROTECTED] Tel: +44 1908 653 739 Fax: +44 1908 655 151
Snail: David Wright, Earth Science Dept., Milton Keynes, England, MK7 6AA
Disclaimer: These addresses are only for reaching me, and do not signify official stationery. Views expressed here are either my own or plagiarised.

Re: tiger reporting thousands of files with undefined groups ownership
This one time, at band camp, Carlos Sousa said:
> On Sun, 3 Nov 2002 20:56:34 +0100 Javier Fernández-Sanguino Peña [EMAIL PROTECTED] wrote:
> > On Sat, Nov 02, 2002 at 01:18:03PM +, Carlos Sousa wrote:
> > > # pwck -r
> > > user news: directory /var/spool/news does not exist
> > > user uucp: directory /var/spool/uucp does not exist
> > > user majordom: directory /usr/lib/majordomo does not exist
> > > user postgres: directory /var/lib/postgres does not exist
> > > user msql: directory /var/lib/msql does not exist
> > > user list: directory /var/list does not exist
> > > user gnats: directory /var/lib/gnats/gnats-db does not exist
> > > user telnetd: directory /usr/lib/telnetd does not exist
> > > user mysql: directory /var/lib/mysql does not exist
> > > pwck: no changes
> >
> > Should this be there? I'm pretty sure there should be there.
> >
> > $ dpkg -S /var/lib/mysql
> > mysql-server: /var/lib/mysql
>
> Actually, the msql entry also seems suspicious:
>
> $ dpkg -S /var/lib/msql
> dpkg: /var/lib/msql not found.
>
> What is it doing there? I haven't mini SQL installed, I couldn't even find mini SQL in the Debian packages... Should it be safe to remove msql from passwd/shadow?
>
> > If you have mysql-server installed (and I bet you do since you have the 'mysql' user) then that directory might have been lost in the crash.
>
> I shouldn't have mysql installed.
>
> $ dpkg -l 'mysql*'
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
> |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
> ||/ Name           Version        Description
> +++-==============-==============-============================================
> un  mysql          none           (no description available)
> un  mysql-base     none           (no description available)
> pn  mysql-client   none           (no description available)
> ii  mysql-common   3.23.52-2      mysql database common files (e.g. /etc/mysql
> un  mysql-dev      none           (no description available)
> un  mysql-devel    none           (no description available)
> pn  mysql-doc      none           (no description available)
> pn  mysql-gpl-clie none           (no description available)
> un  mysql-gpl-dev  none           (no description available)
> pn  mysql-gpl-doc  none           (no description available)
> pn  mysql-manual   none           (no description available)
> pn  mysql-navigato none           (no description available)
> pn  mysql-server   none           (no description available)
> pn  mysqltcl       none           (no description available)
>
> Hmm, bit of a mess here... Why do I have a few mysql packages in a Desired=Unknown state? How could I upgrade them to a Desired=Purged state?
>
> Anyway, the avalanche of files reported by tiger surely cannot be totally explained by this mysql breakage...

'un' means that it is not installed, and you've never tried to install it, unlike 'pn' which means that you once installed it, but later purged it. It looks like you have had a mysql server/client setup on this box at one point in the past, but the passwd/group entries for mysql were never removed, probably because you weren't removing mysql-common at the same time.

None of this looks like a real problem. Sorry I can't help with your real problem, but this doesn't look like it.

Steve

--
Software is like sex; it's better when it's free. -- Linus Torvalds

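The two checks this thread keeps returning to, as an added example that is not part of any post and is not tiger's or pwck's code: passwd entries whose home directory is missing (what `pwck -r` printed above) and files whose numeric group has no entry in the group file (what tiger reported). The function names, the optional root prefix and the sample passwd lines are assumptions; `stat -c` is the GNU coreutils form.

```sh
#!/bin/sh
# Added example: names and sample data are assumptions for illustration,
# not code from tiger, pwck or the posters.

# Constructed passwd entries modelled on the accounts discussed in the thread.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
msql:x:36:36:Mini SQL:/var/lib/msql:/bin/sh
mysql:x:103:103:MySQL Server:/var/lib/mysql:/bin/false
EOF
}

# missing_homes PASSWD_FILE [ROOT]
# Print "user:home" for each passwd entry whose home directory does not
# exist under ROOT (default: the live filesystem). Read-only, like pwck -r.
missing_homes() {
    passwd_file=$1
    root=${2:-}
    while IFS=: read -r user _pw _uid _gid _gecos home _shell; do
        [ -n "$user" ] || continue
        [ -d "$root$home" ] || printf '%s:%s\n' "$user" "$home"
    done < "$passwd_file"
}

# undefined_group_files GROUP_FILE PATH
# Print "gid path" for every file at or below PATH whose numeric gid has no
# entry in GROUP_FILE. Paths containing newlines are not handled.
undefined_group_files() {
    group_file=$1
    start=$2
    known=$(cut -d: -f3 "$group_file" | sort -u)
    find "$start" -xdev -exec stat -c '%g %n' {} + |
    while read -r gid path; do
        printf '%s\n' "$known" | grep -qx "$gid" ||
            printf '%s %s\n' "$gid" "$path"
    done
}
```

On a live system the calls would be `missing_homes /etc/passwd` and `undefined_group_files /etc/group /usr`; grouping the second report by gid shows quickly whether thousands of hits come from one lost group entry or from damaged inodes.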
Re: [SECURITY] [DSA 187-1] New Apache packages fix several vulnerabilities
i'm assuming these also apply to apache-ssl, but there doesn't appear to be a new package. is it still in the works or is apache-ssl not vulnerable?

thanks,
andrew

On 2002/11/04 04:26:57PM +0100, Mon, Martin Schulze wrote:
> Package        : apache
> Vulnerability  : several
> Problem-Type   : remote, local
> Debian-specific: no
> CVE Id         : CAN-2002-0839 CAN-2002-0840 CAN-2002-0843 CAN-2001-0131 CAN-2002-1233
> BugTraq ID     : 5847 5884 5887

Re: [SECURITY] [DSA 187-1] New Apache packages fix several vulnerabilities
On Mon, Nov 04, 2002 at 10:55:53AM -0500, andrew lattis wrote:
> i'm assuming these also apply to apache-ssl, but there doesn't appear to be a new package. is it still in the works or is apache-ssl not vulnerable?

The former.

--
 - mdz

DSA 187-1 and FrontPage extensions
Hi all,

I run a FrontPage-enabled apache server on Woody. I apply the 1.3.22 FrontPage patch which is claimed by rtr.com to work with versions 1.3.22, 1.3.24, 1.3.26 and 1.3.27 to the Debian Apache sources and then build Debian binary packages. I append the procedure I use to do this below. The server has been running OK so far.

I have two questions:

1. The debs I build from the Debian apache source package come out with version number 1.3.26-0woody1 whereas the debs released to cover this vulnerability have version 1.3.26-0woody3. Why is this? Have the source packages not been updated?

2. (Related) Are the binary debs I build from the current debian 1.3.26 source package safe from this vulnerability?

Does anyone have any input? Please copy me directly as I am not subscribed to the list.

Debian Apache FrontPage Patch and Compile Procedure
---------------------------------------------------

The patch is at ftp://ftp.rtr.com/pub/fp-patch-apache_1.3.22.Z

To patch the server I follow the following procedure:

Download and gunzip patch file fp-patch-apache_1.3.22.Z

apt-get source apache
cd apache-1.3.26/upstream/tarballs
tar xvzf apache_1.3.26.tar.gz
cd apache_1.3.26
patch -p1 < path_to/fp-patch-apache_1.3.22
cd path-to-toplevel/apache-1.3.26
dpkg-buildpackage -rfakeroot -b
cd ..
dpkg -i apache-common
dpkg -i apache

Best regards,
George Karaolides

Re: DSA 187-1 and FrontPage extensions
On Tue, Nov 05, 2002 at 12:17:46AM +0200, George Karaolides wrote:
> 1. The debs I build from the Debian apache source package come out with version number 1.3.26-0woody1 whereas the debs released to cover this vulnerability have version 1.3.26-0woody3. Why is this? Have the source packages not been updated?

You must have downloaded an older source package. Use the URLs in the advisory to get 1.3.26-0woody3.

> 2. (Related) Are the binary debs I build from the current debian 1.3.26 source package safe from this vulnerability?

You should use the latest package from security.debian.org.

--
 - mdz

Re: Fwd: iDEFENSE Security Advisory 11.01.02: Buffer Overflow Vulnerability in Abuse
On Mon, Nov 04, 2002 at 01:36:36PM +, David Wright wrote:
> Quoting Phillip Hofmeister ([EMAIL PROTECTED]):
>
> What's this about?
> _
> > 2. Remove the setuid bit from the XaoS binary by executing the following command:
> >
> >   # chmod -s /usr/lib/games/abuse/abuse.*
>
> (noticing -rwsr-xr-x root root 37 Jul 27 17:34 /usr/bin/xaos)
> ^

Yikes. I recommend:

dpkg-statoverride --update --add root root 755 /usr/bin/xaos

This is permanent across upgrades, removals, and reinstalls of the xaos package. (--update tells statoverride to effect the change itself.)

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces! -- Plautus, 200 BC

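One way to audit what the reply above recommends, as an added example that is not part of the post or of dpkg: given text in the four-column `owner group mode path` form that `dpkg-statoverride --list` prints, it reports set-id files under a directory that have no override entry, and override entries whose recorded mode differs from the file on disk. The function name `audit_setid` and the labels UNPINNED and DRIFT are assumptions; `find -perm /6000` and `stat -c` are the GNU forms.

```sh
#!/bin/sh
# Added example: the function name and report labels are assumptions for
# illustration, not part of dpkg.

# audit_setid DIR OVERRIDES_FILE
#   DIR             tree to scan for setuid/setgid regular files
#   OVERRIDES_FILE  saved output of: dpkg-statoverride --list
# Prints:
#   UNPINNED <mode> <path>        set-id file with no override entry; a
#                                 manual chmod -s here is lost when the
#                                 package is next unpacked
#   DRIFT <want> <have> <path>    override exists, but the mode on disk
#                                 differs from the recorded one
# Paths containing whitespace are not handled.
audit_setid() {
    dir=$1
    overrides=$2

    # Pass 1: set-id files that no override entry covers.
    find "$dir" -xdev -type f -perm /6000 -exec stat -c '%a %n' {} + |
    while read -r mode path; do
        awk -v p="$path" '$4 == p { found = 1 } END { exit !found }' \
            "$overrides" || printf 'UNPINNED %s %s\n' "$mode" "$path"
    done

    # Pass 2: override entries whose file no longer matches. Both modes are
    # compared as octal numbers so that 0755 and 755 are treated as equal.
    while read -r _owner _group want path; do
        [ -e "$path" ] || continue
        have=$(stat -c '%a' "$path")
        [ "$((0$want))" -eq "$((0$have))" ] ||
            printf 'DRIFT %s %s %s\n' "$want" "$have" "$path"
    done < "$overrides"
}
```

Typical use is `dpkg-statoverride --list > /tmp/overrides` followed by `audit_setid /usr /tmp/overrides`; each UNPINNED line is a candidate for either an explicit override or a decision to leave the bit in place.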