[SECURITY] [DSA 225-1] New tomcat packages fix source disclosure vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 225-1 [EMAIL PROTECTED] http://www.debian.org/security/ Martin Schulze January 9th, 2002 http://www.debian.org/security/faq - -- Package: tomcat4 Vulnerability : source disclosure Problem-Type : remote Debian-specific: no CVE Id : CAN-2002-1394 A security vulnerability has been confirmed to exist in Apache Tomcat 4.0.x releases, which allows to use a specially crafted URL to return the unprocessed source of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by a security constraint, without the need for being properly authenticated. This is based on a variant of the exploit that was identified as CAN-2002-1148. For the current stable distribution (woody) this problem has been fixed in version 4.0.3-3woody2. The old stable distribution (potato) does not contain tomcat packages. For the unstable distribution (sid) this problem does not exist in the current version 4.1.16-1. We recommend that you upgrade your tomcat packages. Installation Instructions - - wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody2.dsc Size/MD5 checksum: 708 0911f7c03a0ab71133fbe95bf45d0d20 http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody2.diff.gz Size/MD5 checksum:15881 de9f6f0fb39374bfe4ece1ef4824d942 http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3.orig.tar.gz Size/MD5 checksum: 1588186 2b2e0d859f7152e5225633933e6585d6 Architecture independent components: http://security.debian.org/pool/updates/contrib/t/tomcat4/libtomcat4-java_4.0.3-3woody2_all.deb Size/MD5 checksum: 1134258 680c67daebdd36eb879ce593e6362f3b http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4-webapps_4.0.3-3woody2_all.deb Size/MD5 checksum: 1167502 34f71826d8441f967e3da0ee4ab9a1be http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody2_all.deb Size/MD5 checksum: 126444 e7dbc07086a7e349474bff877342cb6d These files will probably be moved into the stable distribution on its next revision. - - For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: [EMAIL PROTECTED] Package info: `apt-cache show pkg' and http://packages.debian.org/pkg -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+HYzeW5ql+IAeqTIRAsF7AJwOJotOb7a4N02/Pk/J6dibAj6bagCbB7lY zdY2WnKneQ1GPGV7ZMkutNk= =mkx7 -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: scrollkeeper loading external (online) DTD
hello sebastien.. Received at 2003-01-08 / 23:10 by Sebastien Chaumat: The xbill package contains : /usr/share/gnome/help/xbill/C/xbill.xml In this file the DTD is refered by an absolute external link : !DOCTYPE article PUBLIC -//OASIS//DTD DocBook XML V4.1.2//EN http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd; Thus : scrollkeeper-update blindly connect to www.oasis-open.org to get the docbookx.dtd. I can trust signed debian packages but I can't trust www.oasis-open.org. More than 18 files in /usr/share/gnome/help/ induce this download. I'am about to make bug report against scrollkeeper (for acting blindly, and dowloading the same file more than once) and against packages that provides the xml files (for using external DTD instead of provinding it)... Your opinion? file a bug report against xbill (and the others). there are (or were) some issues with libxml2, check bug #153720. you can tell the maintainer to include something like this in debian/rules (target config.status): find -name *.xml -exec perl -i -pe 's,http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd,/usr/share/sgml/docbook/dtd/xml/4.1.2/docbookx.dtd,' {} \; the gnome-applets package does it this way. bye, sebastian -- ::: sebastian henschel ::: kodeaffe ::: lynx -source http://www.kodeaffe.de/shensche.pub | gpg --import msg08410/pgp0.pgp Description: PGP signature
Re: scrollkeeper loading external (online) DTD
Thats absolutely ridiculous. I would file one at once, that should definitely not go unchecked, at least. I can appreciate the motivation, but for my own sanity I'm too paranoid to a) accept strange unknown files/connections or b) send out requests for such data. Especially considering since it all happens without my knowledge, which thanks, now I know. Who knows if the file is the original? The checksum is verified, but that doesn't mean much all things considered, where did the checksum come from? On 08 Jan 2003 22:54:12 +0100 Sebastien Chaumat [EMAIL PROTECTED] wrote: Hi, This a real example : The xbill package contains : /usr/share/gnome/help/xbill/C/xbill.xml In this file the DTD is refered by an absolute external link : !DOCTYPE article PUBLIC -//OASIS//DTD DocBook XML V4.1.2//EN http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd; Thus : scrollkeeper-update blindly connect to www.oasis-open.org to get the docbookx.dtd. I can trust signed debian packages but I can't trust www.oasis-open.org. More than 18 files in /usr/share/gnome/help/ induce this download. I'am about to make bug report against scrollkeeper (for acting blindly, and dowloading the same file more than once) and against packages that provides the xml files (for using external DTD instead of provinding it)... Your opinion? Cheers, SEb -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] msg08411/pgp0.pgp Description: PGP signature
Re: ssh and lastlog
* Thomas Gebhardt [EMAIL PROTECTED] [2003-01-07 16:23 +0100]: as far as I can see, one can get at least 2 out of the following 3 items: ^most? otherwise trivial :-) * sshd Privilege Separation * /var/log/lastlog not world readable * users get a lastlog message at ssh login If you - set UsePrivilegeSeparation=yes in /etc/ssh/sshd_config, - chmod o-r /var/log/lastlog, - configure sudo (%users ALL=NOPASSWD:/usr/bin/lastlog -u *), and - add [ ${-//[^i]/} ] sudo /usr/bin/lastlog -u $LOGNAME to /etc/profile, the user's bash will display the date and origin of your last login for interactive sessions. -- Johannes Franken Professional unix/network development mailto:[EMAIL PROTECTED] http://www.jfranken.de/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Gnutella? (was Re: TCP port 6352?)
On Wed, 8 Jan 2003, Javier Fernández-Sanguino Peña wrote: You will see that the listing for many servers/clients in the network are usually port 6346 [1]. But it seems port 6352 is also used sometimes. That seems to be the case. I found some more info on this page: http://outpostfirewall.com/guide/rules/preset_rules/p2p.htm (search for Gnotella outgoing connection on that page). Cheers, Cristian -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
unsubscribe
Re: scrollkeeper loading external (online) DTD
From: Hubert Chan [EMAIL PROTECTED] Subject: Re: scrollkeeper loading external (online) DTD Date: 10/01/2003 6:33:22 snip DTDs cannot introduce any vulnerabilities (unless the XML parser is horribly buggy). The worst that can happen is that the file doesn't validate, and scrollkeeper complains. snip Is this strictly true? There have been a few articles on bugtraq recently around this kind of thing. One in the area of bugs, and one around external entities and the potential for a rogue DTD to specify bad URIs. In particular an external reference might cause a parser to open a connection to a site that the user would not wish. Alternately, an entity reference might translate to some form of control string for the application that is later using the parsed XML. And even if the only concern is around bugs, surely experience would indicate that given the growing use of XML parsers in a wide range of applications, we should be careful of all input? External Entities : http://online.securityfocus.com/archive/1/297714 and DTD DoS bug : http://www.macromedia.com/v1/handlers/index.cfm?ID=23559 (Doesn't say much). This message was sent through MyMail http://www.mymail.com.au replyAll Description: PGP signature
Re: scrollkeeper loading external (online) DTD
hello sebastien.. Received at 2003-01-08 / 23:10 by Sebastien Chaumat: The xbill package contains : /usr/share/gnome/help/xbill/C/xbill.xml In this file the DTD is refered by an absolute external link : !DOCTYPE article PUBLIC -//OASIS//DTD DocBook XML V4.1.2//EN http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd; Thus : scrollkeeper-update blindly connect to www.oasis-open.org to get the docbookx.dtd. I can trust signed debian packages but I can't trust www.oasis-open.org. More than 18 files in /usr/share/gnome/help/ induce this download. I'am about to make bug report against scrollkeeper (for acting blindly, and dowloading the same file more than once) and against packages that provides the xml files (for using external DTD instead of provinding it)... Your opinion? file a bug report against xbill (and the others). there are (or were) some issues with libxml2, check bug #153720. you can tell the maintainer to include something like this in debian/rules (target config.status): find -name *.xml -exec perl -i -pe 's,http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd,/usr/share/sgml/docbook/dtd/xml/4.1.2/docbookx.dtd,' {} \; the gnome-applets package does it this way. bye, sebastian -- ::: sebastian henschel ::: kodeaffe ::: lynx -source http://www.kodeaffe.de/shensche.pub | gpg --import pgpKLwbKqZ2qm.pgp Description: PGP signature
Re: scrollkeeper loading external (online) DTD
Thats absolutely ridiculous. I would file one at once, that should definitely not go unchecked, at least. I can appreciate the motivation, but for my own sanity I'm too paranoid to a) accept strange unknown files/connections or b) send out requests for such data. Especially considering since it all happens without my knowledge, which thanks, now I know. Who knows if the file is the original? The checksum is verified, but that doesn't mean much all things considered, where did the checksum come from? On 08 Jan 2003 22:54:12 +0100 Sebastien Chaumat [EMAIL PROTECTED] wrote: Hi, This a real example : The xbill package contains : /usr/share/gnome/help/xbill/C/xbill.xml In this file the DTD is refered by an absolute external link : !DOCTYPE article PUBLIC -//OASIS//DTD DocBook XML V4.1.2//EN http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd; Thus : scrollkeeper-update blindly connect to www.oasis-open.org to get the docbookx.dtd. I can trust signed debian packages but I can't trust www.oasis-open.org. More than 18 files in /usr/share/gnome/help/ induce this download. I'am about to make bug report against scrollkeeper (for acting blindly, and dowloading the same file more than once) and against packages that provides the xml files (for using external DTD instead of provinding it)... Your opinion? Cheers, SEb -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] pgpua9VQx6pEu.pgp Description: PGP signature
Re: scrollkeeper loading external (online) DTD
Sebastien == Sebastien Chaumat [EMAIL PROTECTED] writes: Sebastien Hi, This a real example : Sebastien The xbill package contains : Sebastien /usr/share/gnome/help/xbill/C/xbill.xml Sebastien In this file the DTD is refered by an absolute external link Sebastien : Sebastien !DOCTYPE article PUBLIC -//OASIS//DTD DocBook XML Sebastien V4.1.2//EN Sebastien http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd; That is necessary for a DocBook file. Sebastien Thus : scrollkeeper-update blindly connect to Sebastien www.oasis-open.org to get the docbookx.dtd. Sebastien I can trust signed debian packages but I can't trust Sebastien www.oasis-open.org. DTDs cannot introduce any vulnerabilities (unless the XML parser is horribly buggy). The worst that can happen is that the file doesn't validate, and scrollkeeper complains. Sebastien More than 18 files in /usr/share/gnome/help/ induce this Sebastien download. Sebastien I'am about to make bug report against scrollkeeper (for Sebastien acting blindly, and dowloading the same file more than once) IMHO, the severity of such a bug would be at most wishlist. Sebastien and against packages that provides the xml files (for using Sebastien external DTD instead of provinding it)... It should not be providing the DTD. At most, it should depend on docbook-xml, which provides the DTD, although I would suggest making it a Recommends rather than Depends. AFAIK, if docbook-xml is installed, scrollkeeper will use the local copy, rather than fetching it over the network. (If not, this should be another wishlist bug.) (Hmm. On my system (sid), scrollkeeper already depends on docbook-xml.) -- Hubert Chan [EMAIL PROTECTED] - http://www.uhoreg.ca/ PGP/GnuPG key: 1024D/124B61FA Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA Key available at wwwkeys.pgp.net. Encrypted e-mail preferred. pgp3SadAAFnYh.pgp Description: PGP signature
Re: ssh and lastlog
* Thomas Gebhardt [EMAIL PROTECTED] [2003-01-07 16:23 +0100]: as far as I can see, one can get at least 2 out of the following 3 items: ^most? otherwise trivial :-) * sshd Privilege Separation * /var/log/lastlog not world readable * users get a lastlog message at ssh login If you - set UsePrivilegeSeparation=yes in /etc/ssh/sshd_config, - chmod o-r /var/log/lastlog, - configure sudo (%users ALL=NOPASSWD:/usr/bin/lastlog -u *), and - add [ ${-//[^i]/} ] sudo /usr/bin/lastlog -u $LOGNAME to /etc/profile, the user's bash will display the date and origin of your last login for interactive sessions. -- Johannes Franken Professional unix/network development mailto:[EMAIL PROTECTED] http://www.jfranken.de/
Re: Gnutella? (was Re: TCP port 6352?)
On Wed, 8 Jan 2003, Javier Fernández-Sanguino Peña wrote: You will see that the listing for many servers/clients in the network are usually port 6346 [1]. But it seems port 6352 is also used sometimes. That seems to be the case. I found some more info on this page: http://outpostfirewall.com/guide/rules/preset_rules/p2p.htm (search for Gnotella outgoing connection on that page). Cheers, Cristian
unsubscribe
Re: scrollkeeper loading external (online) DTD
From: Hubert Chan [EMAIL PROTECTED] Subject: Re: scrollkeeper loading external (online) DTD Date: 10/01/2003 6:33:22 snip DTDs cannot introduce any vulnerabilities (unless the XML parser is horribly buggy). The worst that can happen is that the file doesn't validate, and scrollkeeper complains. snip Is this strictly true? There have been a few articles on bugtraq recently around this kind of thing. One in the area of bugs, and one around external entities and the potential for a rogue DTD to specify bad URIs. In particular an external reference might cause a parser to open a connection to a site that the user would not wish. Alternately, an entity reference might translate to some form of control string for the application that is later using the parsed XML. And even if the only concern is around bugs, surely experience would indicate that given the growing use of XML parsers in a wide range of applications, we should be careful of all input? External Entities : http://online.securityfocus.com/archive/1/297714 and DTD DoS bug : http://www.macromedia.com/v1/handlers/index.cfm?ID=23559 (Doesn't say much). This message was sent through MyMail http://www.mymail.com.au replyAll Description: PGP signature