[SECURITY] [DSA 225-1] New tomcat packages fix source disclosure vulnerability

2003-01-09 Thread Martin Schulze

--------------------------------------------------------------------------
Debian Security Advisory DSA 225-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
January 9th, 2002                       http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : tomcat4
Vulnerability  : source disclosure
Problem-Type   : remote
Debian-specific: no
CVE Id         : CAN-2002-1394

A security vulnerability has been confirmed to exist in Apache Tomcat
4.0.x releases, which allows a specially crafted URL to be used to return
the unprocessed source of a JSP page, or, under special circumstances,
a static resource which would otherwise have been protected by a
security constraint, without the need to be properly authenticated.
This is based on a variant of the exploit that was identified as
CAN-2002-1148.

For the current stable distribution (woody) this problem has been
fixed in version 4.0.3-3woody2.

The old stable distribution (potato) does not contain tomcat packages.

For the unstable distribution (sid) this problem does not exist in the
current version 4.1.16-1.

We recommend that you upgrade your tomcat packages.


Installation Instructions
-------------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
--------------------------------

  Source archives:

    http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody2.dsc
      Size/MD5 checksum:      708 0911f7c03a0ab71133fbe95bf45d0d20
    http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody2.diff.gz
      Size/MD5 checksum:    15881 de9f6f0fb39374bfe4ece1ef4824d942
    http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3.orig.tar.gz
      Size/MD5 checksum:  1588186 2b2e0d859f7152e5225633933e6585d6

  Architecture independent components:

    http://security.debian.org/pool/updates/contrib/t/tomcat4/libtomcat4-java_4.0.3-3woody2_all.deb
      Size/MD5 checksum:  1134258 680c67daebdd36eb879ce593e6362f3b
    http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4-webapps_4.0.3-3woody2_all.deb
      Size/MD5 checksum:  1167502 34f71826d8441f967e3da0ee4ab9a1be
    http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody2_all.deb
      Size/MD5 checksum:   126444 e7dbc07086a7e349474bff877342cb6d


  These files will probably be moved into the stable distribution on
  its next revision.

--------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: scrollkeeper loading external (online) DTD

2003-01-09 Thread Sebastian Henschel
hello sebastien..

Received at 2003-01-08 / 23:10 by Sebastien Chaumat:

>  The xbill package contains : /usr/share/gnome/help/xbill/C/xbill.xml
>
>  In this file the DTD is referred to by an absolute external link :
>
> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
> "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
>
>  Thus : scrollkeeper-update blindly connects to www.oasis-open.org to get
> the docbookx.dtd.
>
>  I can trust signed debian packages but I can't trust
> www.oasis-open.org.
>
> More than 18 files in /usr/share/gnome/help/ induce this download.
>
> I'm about to make a bug report against scrollkeeper (for acting blindly,
> and downloading the same file more than once) and against packages that
> provide the xml files (for using an external DTD instead of providing
> it)...
>
> Your opinion?

file a bug report against xbill (and the others). there are (or were) some
issues with libxml2, check bug #153720.
you can tell the maintainer to include something like this in
debian/rules (target config.status):

    find -name '*.xml' -exec perl -i -pe \
        's,http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd,/usr/share/sgml/docbook/dtd/xml/4.1.2/docbookx.dtd,' \
        {} \;

(the glob is quoted so the shell hands it to find rather than expanding it
in the current directory.) the gnome-applets package does it this way.

bye,
 sebastian

-- 
::: sebastian henschel
::: kodeaffe
::: lynx -source http://www.kodeaffe.de/shensche.pub | gpg --import





Re: scrollkeeper loading external (online) DTD

2003-01-09 Thread Daniel O'Neill
That's absolutely ridiculous.

I would file one at once; that should definitely not go unchecked, at least.
I can appreciate the motivation, but for my own sanity I'm too paranoid to
a) accept strange unknown files/connections or b) send out requests for such
data. Especially considering that it all happens without my knowledge, which,
thanks, now I know. Who knows if the file is the original? The checksum is
verified, but that doesn't mean much all things considered; where did the
checksum come from?

On 08 Jan 2003 22:54:12 +0100
Sebastien Chaumat [EMAIL PROTECTED] wrote:

> Hi,
>
>  This is a real example :
>
>  The xbill package contains : /usr/share/gnome/help/xbill/C/xbill.xml
>
>  In this file the DTD is referred to by an absolute external link :
>
> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
> "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
>
>  Thus : scrollkeeper-update blindly connects to www.oasis-open.org to get
> the docbookx.dtd.
>
>  I can trust signed debian packages but I can't trust
> www.oasis-open.org.
>
> More than 18 files in /usr/share/gnome/help/ induce this download.
>
> I'm about to make a bug report against scrollkeeper (for acting blindly,
> and downloading the same file more than once) and against packages that
> provide the xml files (for using an external DTD instead of providing
> it)...
>
> Your opinion?
>
> Cheers,
>
> SEb





Re: ssh and lastlog

2003-01-09 Thread Johannes Franken
* Thomas Gebhardt [EMAIL PROTECTED] [2003-01-07 16:23 +0100]:
> as far as I can see, one can get at least 2 out of the following 3 items:
                                      ^most? otherwise trivial :-)
> * sshd Privilege Separation
> * /var/log/lastlog not world readable
> * users get a lastlog message at ssh login

If you
- set UsePrivilegeSeparation=yes in /etc/ssh/sshd_config,
- chmod o-r /var/log/lastlog,
- configure sudo (%users ALL=NOPASSWD:/usr/bin/lastlog -u *), and
- add [ "${-//[^i]/}" ] && sudo /usr/bin/lastlog -u $LOGNAME
  to /etc/profile,
the user's bash will display the date and origin of your last login
for interactive sessions.

-- 
Johannes Franken
 
Professional unix/network development
mailto:[EMAIL PROTECTED]
http://www.jfranken.de/
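The sudoers line in the recipe above, with its trailing `-u *` wildcard, lets any member of the users group run lastlog against any account, which hands back exactly what making /var/log/lastlog non-world-readable was meant to hide. As an added example that is not from the thread, a small sudo target that takes the account from SUDO_USER instead; the install path /usr/local/sbin/own-lastlog and the matching sudoers line are assumptions.

```python
#!/usr/bin/env python3
"""Added example, not from the thread: a sudo target that shows only the
invoking user's own lastlog entry.  Assumptions (not on the page): it is
installed as /usr/local/sbin/own-lastlog and sudoers grants exactly
    %users ALL=NOPASSWD:/usr/local/sbin/own-lastlog
with no trailing wildcard, so sudo rejects any arguments; /etc/profile then
runs  [ "${-//[^i]/}" ] && sudo /usr/local/sbin/own-lastlog  instead of
calling lastlog -u $LOGNAME directly."""
import os
import re
import sys

LASTLOG = "/usr/bin/lastlog"   # path used in the thread
# Conservative allowlist for login names; anything else is refused outright.
_LOGIN_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def caller_name(environ):
    """The user who invoked sudo, read from SUDO_USER (set by sudo itself,
    not chosen by the caller); None if absent or not a plain login name."""
    name = environ.get("SUDO_USER", "")
    return name if _LOGIN_NAME.match(name) else None


def lastlog_argv(environ, argv):
    """Exact lastlog command to exec, or None if the request must be refused:
    arguments are never honoured and the account queried is always the
    caller's own, never a name the caller typed."""
    if len(argv) > 1:
        return None
    user = caller_name(environ)
    if user is None:
        return None
    return [LASTLOG, "-u", user]


def main():
    cmd = lastlog_argv(os.environ, sys.argv)
    if cmd is None:
        print("own-lastlog: run via sudo, without arguments", file=sys.stderr)
        return 1
    os.execv(cmd[0], cmd)   # replaces this process with lastlog


if __name__ == "__main__":
    sys.exit(main())
```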






Re: Gnutella? (was Re: TCP port 6352?)

2003-01-09 Thread Cristian Ionescu-Idbohrn
On Wed, 8 Jan 2003, Javier Fernández-Sanguino Peña wrote:

> You will see that the listing for many servers/clients in the network is
> usually port 6346 [1]. But it seems port 6352 is also used sometimes.

That seems to be the case. I found some more info on this page:

  http://outpostfirewall.com/guide/rules/preset_rules/p2p.htm

(search for Gnotella outgoing connection on that page).


Cheers,
Cristian






unsubscribe

2003-01-09 Thread Tom Huff






Re: scrollkeeper loading external (online) DTD

2003-01-09 Thread berin

> From: Hubert Chan [EMAIL PROTECTED]
> Subject: Re: scrollkeeper loading external (online) DTD
> Date: 10/01/2003 6:33:22

<snip>

> DTDs cannot introduce any vulnerabilities (unless the XML parser is
> horribly buggy).  The worst that can happen is that the file doesn't
> validate, and scrollkeeper complains.

<snip>

Is this strictly true?  There have been a few articles
on bugtraq recently around this kind of thing.
One in the area of bugs, and one around external
entities and the potential for a rogue DTD to
specify bad URIs.  In particular an external
reference might cause a parser to open a connection
to a site that the user would not wish.

Alternately, an entity reference might translate
to some form of control string for the 
application that is later using the parsed XML.

And even if the only concern is around bugs,
surely experience would indicate that given
the growing use of XML parsers in a wide range
of applications, we should be careful of all input?

External Entities :

http://online.securityfocus.com/archive/1/297714

and

DTD DoS bug :

http://www.macromedia.com/v1/handlers/index.cfm?ID=23559

(Doesn't say much).




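Sebastian's find/perl one-liner earlier in the thread rewrites the OASIS URL to the local docbook-xml copy; berin's point is that an external entity declaration can send a parser to the network just as a DOCTYPE can. As an added example that is not from any message in the thread, a Python audit that lists every DOCTYPE or ENTITY declaration whose system identifier is a network URL and rewrites the ones with a known local copy, using the local DTD path given above; the sample document is constructed here in the shape of the quoted xbill help file.

```python
import re
from urllib.parse import urlsplit

# Mapping from Sebastian's one-liner: OASIS URL -> Debian docbook-xml copy.
OASIS_DOCBOOK_DTD = "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
LOCAL_DOCBOOK_DTD = "/usr/share/sgml/docbook/dtd/xml/4.1.2/docbookx.dtd"
KNOWN_LOCAL = {OASIS_DOCBOOK_DTD: LOCAL_DOCBOOK_DTD}

# One <!DOCTYPE ...> or <!ENTITY ...> declaration up to its system identifier,
# the URI a validating parser would fetch.  "[^>\[]*?" keeps the match inside
# the declaration (a DOCTYPE's internal subset starts at "[").
_DECL = re.compile(
    r'<!(?P<kind>DOCTYPE|ENTITY)\s+(?:%\s+)?(?P<name>[^\s>\[]+)'
    r'[^>\[]*?(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"(?P<sysid>[^"]*)"'
)


def remote_references(xml_text):
    """(kind, name, uri) for each declaration that would cause a network fetch."""
    hits = []
    for m in _DECL.finditer(xml_text):
        if urlsplit(m.group("sysid")).scheme.lower() in ("http", "https", "ftp"):
            hits.append((m.group("kind"), m.group("name"), m.group("sysid")))
    return hits


def localise(xml_text):
    """Point known remote system ids at their local copy.  Returns the rewritten
    text and the remote references that had no local mapping (still to fix)."""
    def swap(m):
        local = KNOWN_LOCAL.get(m.group("sysid"))
        if local is None:
            return m.group(0)
        return m.group(0)[: m.start("sysid") - m.start()] + local + '"'
    rewritten = _DECL.sub(swap, xml_text)
    return rewritten, remote_references(rewritten)


# Constructed sample: the DOCTYPE quoted in the thread plus an external general
# entity of the kind berin's message warns about.
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
  "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
<!ENTITY legal SYSTEM "legal.xml">
<!ENTITY notice SYSTEM "http://example.invalid/notice.xml">
<!ENTITY version "1.0">
]>
<article><para>&legal; &notice; &version;</para></article>
"""

if __name__ == "__main__":
    for kind, name, uri in remote_references(SAMPLE_XML):
        print(f"{kind} {name}: would fetch {uri}")
    print(f"after localise: {len(localise(SAMPLE_XML)[1])} remote reference(s) left")
```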







Re: scrollkeeper loading external (online) DTD

2003-01-09 Thread Hubert Chan
>>>>> "Sebastien" == Sebastien Chaumat [EMAIL PROTECTED] writes:

Sebastien> Hi, This is a real example :

Sebastien>  The xbill package contains :
Sebastien> /usr/share/gnome/help/xbill/C/xbill.xml

Sebastien>  In this file the DTD is referred to by an absolute external link
Sebastien> :

Sebastien> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML
Sebastien> V4.1.2//EN"
Sebastien> "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">

That is necessary for a DocBook file.

Sebastien>  Thus : scrollkeeper-update blindly connects to
Sebastien> www.oasis-open.org to get the docbookx.dtd.

Sebastien>  I can trust signed debian packages but I can't trust
Sebastien> www.oasis-open.org.

DTDs cannot introduce any vulnerabilities (unless the XML parser is
horribly buggy).  The worst that can happen is that the file doesn't
validate, and scrollkeeper complains.

Sebastien> More than 18 files in /usr/share/gnome/help/ induce this
Sebastien> download.

Sebastien> I'm about to make a bug report against scrollkeeper (for
Sebastien> acting blindly, and downloading the same file more than once)

IMHO, the severity of such a bug would be at most wishlist.

Sebastien> and against packages that provide the xml files (for using
Sebastien> an external DTD instead of providing it)...

It should not be providing the DTD.  At most, it should depend on
docbook-xml, which provides the DTD, although I would suggest making it
a Recommends rather than Depends.  AFAIK, if docbook-xml is
installed, scrollkeeper will use the local copy, rather than fetching it
over the network.  (If not, this should be another wishlist bug.)

(Hmm.  On my system (sid), scrollkeeper already depends on docbook-xml.)

-- 
Hubert Chan [EMAIL PROTECTED] - http://www.uhoreg.ca/
PGP/GnuPG key: 1024D/124B61FA
Fingerprint: 96C5 012F 5F74 A5F7 1FF7  5291 AF29 C719 124B 61FA
Key available at wwwkeys.pgp.net.   Encrypted e-mail preferred.



