JRE & JDK <1.4.1_02 vulnerable?
http://www.securityfocus.com/bid/7109 says Sun's JRE and Java SDK versions less than 1.4.1_02 are vulnerable, as well as IBM's JDK. The BID seems to indicate the vulnerability is in java.util.zip. I'm not sure which versions of Java JREs and SDKs are in Debian, but it seems to me that in contrib there's an IBM JDK installer that might install an affected version. Can someone check into these? Don't contact [EMAIL PROTECTED] until you are confident that stable or oldstable is affected.

Drew Daniels
Re: mgetty vulnerable
On Fri, 2 May 2003, Wolfgang Sourdeau wrote:

> I am not subscribed to debian-security, so please include me in your Cc:
> for this discussion.

Likewise.

> I have noticed a "fax" user was expected in mgetty-1.1.30 (never played
> with 1.1.29). The problem I have with that is that this user is required at
> build time (during the make install phase). Another problem is that
> Debian does not have such a user, although one used to exist temporarily
> for hylafax a couple of years ago. Now, hylafax is using uucp, so is
> pppd and every communication server package I know of in Debian.
>
> The problem here seems to be that mgetty's sendfax was running under
> user root. Now, if we use uucp (which I have modified mgetty 1.1.30 for
> last week), I don't see where the problem is. I don't see the point in
> requesting the creation of a user for one little program nor do I judge
> this compromise (using uucp) as a security issue.
>
> Please correct me if I am wrong though.

http://www.securityfocus.com/bid/7302 lists some more information. I don't think Debian has this vulnerability either, but I haven't checked. Under Credits you can find a Gentoo and Redhat advisory. Are there any group- or world-readable directory issues, as is suggested to me? I'm talking about during installation *and* in normal use.

> ps: now it seems Debian mgetty's sendfax is broken since 1.1.30, but
> this is another issue which will be fixed before next week.

Off topic, but related... I've been having trouble with mgetty and vgetty for years now. I had it almost working the way I wanted, but then it answered the phone and wouldn't hang up... after that vgetty or mgetty couldn't answer the phone, even after reboot... but I haven't looked into this for a long time now and that box might have fs problems now.

Drew Daniels
Re: MAC-based ssh
On Fri, May 02, 2003 at 12:26:04PM +0200, Hans van Leeuwen wrote:

> My company has created an application that allows remote users to edit
> their DNS-records. This app needs to restart bind on the remote nameservers.

bind never needs to be restarted; use rndc or DNS updates with a key.

bastian

--
Captain's Log, star date 21:34.5...
Security Audit tools
http://serg.cs.drexel.edu/phpnuke/html/modules.php?name=Project&pa=showproject&pid=1 lists Bunch, which is an interesting tool to show modularity. I haven't yet tried it. Also on this site they link to CoSAK, which is an interesting newer security audit tool set. Has anyone tried these tools?

Drew Daniels
Re: MAC-based ssh
On Fri, 2 May 2003, Phillip Hofmeister wrote:

> On Fri, 02 May 2003 at 12:26:04PM +0200, Hans van Leeuwen wrote:
> > I have decided to do this through SSH by putting the client key in
> > authorized_keys2. But this seems a little risky, so I was wondering if
> > it was possible to get sshd to only allow the client MAC-address.
>
> SSHD cannot do what you are asking it to do, in fact I don't think there
> are many TCP/IP Applications that can. The MAC address is WELL below
> the layer 5,6,7 that most internet applications reside in.

Doesn't TCP/IP have only at most 4 layers?

Peter Ondraska

> Many applications can pick up layer 3 and 4 data (IP Address and port)
> but the layer 2 information (MAC) is usually only a concern for the O/S
> Kernel.
>
> Some of the other options discussed in this thread might be a better
> solution.
>
> --
> Phillip Hofmeister
> Network Administrator/Systems Engineer
> IP3 Inc.
> http://www.ip3security.com
>
> PGP/GPG Key:
> http://www.zionlth.org/~plhofmei/
> wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
> --
> Excuse #163: RPC_PMAP_FAILURE
Re: MAC-based ssh
On Fri, 02 May 2003 at 12:26:04PM +0200, Hans van Leeuwen wrote:

> I have decided to do this through SSH by putting the client key in
> authorized_keys2. But this seems a little risky, so I was wondering if
> it was possible to get sshd to only allow the client MAC-address.

SSHD cannot do what you are asking it to do; in fact, I don't think there are many TCP/IP applications that can. The MAC address is WELL below layers 5, 6 and 7, where most internet applications reside. Many applications can pick up layer 3 and 4 data (IP address and port), but the layer 2 information (MAC) is usually only a concern for the O/S kernel.

Some of the other options discussed in this thread might be a better solution.

--
Phillip Hofmeister
Network Administrator/Systems Engineer
IP3 Inc.
http://www.ip3security.com

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #163: RPC_PMAP_FAILURE
Re: [despammed] Re: Secure remote syslogging?
On Thursday 01 May 2003 09:24 am, Adam Lydick wrote:

> Alternatives: (the traditional line printer was already mentioned), any
> sort of write-only media will do the trick (eg: CD-RW). You might have
> to flush batches of log entries to the CD for it to work. I'm not sure
> what min packet size on UDF FS is.

Ten sectors:
- 1 for incremental data
- 1 for new ICB (inode) to identify the data
- 1 for new VAT (virtual allocation table) to map new ICB
- 7 sectors packet writing overhead (4 run-in, 2 run-out, 1 link)

--
Rob
Re: sendmail + mailscanner
Hi,

please consider that amavis and mailscanner are completely different mail scanners. AFAIK there is no standard Debian package containing amavis for sendmail, only for postfix. The error messages in your log are generated by mailscanner. I would say that your mailscanner expects another version of f-prot than you use. What you can do is to "mail the author of MailScanner".

Regards,
Tibor Repasi

Matteo Vescovi wrote:
> May 2 14:11:53 blackhawk mailscanner[237]: Either you've found a bug in
> MailScanner's F-Prot output parser, or F-Prot's output format has changed!
> F-Prot said this "Switches: -ARCHIVE -OLD". Please mail the author of
> MailScanner
Re: MAC-based ssh
Oliver Hitz wrote:
> It is also possible to further restrict this connection. Something like
>
> command="/etc/init.d/bind restart",from="..." ssh-rsa ...

This does the job. Only I execute 'bind restart' through a small C program with the suid bit set.

Thanks for the help everybody!

Hans
Re: mgetty vulnerable
Hi,

I am not subscribed to debian-security, so please include me in your Cc: for this discussion.

I have noticed a "fax" user was expected in mgetty-1.1.30 (never played with 1.1.29). The problem I have with that is that this user is required at build time (during the make install phase). Another problem is that Debian does not have such a user, although one used to exist temporarily for hylafax a couple of years ago. Now, hylafax is using uucp, so is pppd and every communication server package I know of in Debian.

The problem here seems to be that mgetty's sendfax was running under user root. Now, if we use uucp (which I have modified mgetty 1.1.30 for last week), I don't see where the problem is. I don't see the point in requesting the creation of a user for one little program nor do I judge this compromise (using uucp) as a security issue.

Please correct me if I am wrong though.

Wolfgang

ps: now it seems Debian mgetty's sendfax is broken since 1.1.30, but this is another issue which will be fixed before next week.
Re: MAC-based ssh
On Fri May 02, 2003 at 02:34:17PM +0200, Oliver Hitz wrote:

> On 02 May 2003, Hans van Leeuwen wrote:
> > I have decided to do this through SSH by putting the client key in
> > authorized_keys2. But this seems a little risky, so I was wondering if
> > it was possible to get sshd to only allow the client MAC-address.
> [...]
> It is also possible to further restrict this connection. Something
> like
>
> command="/etc/init.d/bind restart",from="..." ssh-rsa ...
>
> will restart bind for every such connection without giving the user
> any other possibilities. Check sshd(8) for more options.

Better for an unprivileged user:

command="sudo /etc/init.d/bind restart",from="..." ssh-rsa ...

so long
Thomas

--
.''`.  Obviously we do not want to leave zombies around. - W. R. Stevens
: :' : Thomas Krennwallner
`. `'` 1024D/67A1DA7B 9484 D99D 2E1E 4E02 5446 DAD9 FF58 4E59 67A1 DA7B
  `-   http://bigfish.ull.at/~djmaecki/
Re: Woody security updates
> If the jigdo system was updated once a month (at least), we would be able to
> do most upgrades using CDs, which will be greatly appreciated in developing
> countries (I'm in Vietnam) since Internet access is still expensive for
> individuals.

There is a possibility to use apt "offline". You can use the package apt-zip or the method described by /usr/share/doc/apt/offline.html/index.html in the apt package. (I prefer the second option.) Like this you - and the Debian servers - have to handle less traffic.

Regards
Uwe

--
Uwe Zeisberger
cat /*dev/null; echo 'Hello World!'; cat > /dev/null <<*/ () { } int main() { printf("Hello World!\n");} /* */
Re: sendmail + mailscanner
On Monday 14 April 2003 21:31, Répási Tibor wrote:

> Hi,
>
> just follow the steps described in /usr/share/sendmail/examples/amavis
> download the latest sources and it works. I've installed it a few weeks
> ago and it is running well. I'm using it with f-prot, but you can config
> it for any antivir software you want.
>
> Regards,
> Tibor Repasi

Hi Tibor!

I followed your advice and installed mailscanner with f-prot. Now, when I fetch the mails and mailscanner scans them, I see in my /var/log/mail.log:

May 2 14:11:17 blackhawk mailscanner[237]: Scanning 2 messages, 8063 bytes
May 2 14:11:53 blackhawk mailscanner[237]: Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Search: .". Please mail the author of MailScanner
May 2 14:11:53 blackhawk mailscanner[237]: Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Action: Report only". Please mail the author of MailScanner
May 2 14:11:53 blackhawk mailscanner[237]: Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Files: "Dumb" scan of all files". Please mail the author of MailScanner
May 2 14:11:53 blackhawk mailscanner[237]: Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Switches: -ARCHIVE -OLD". Please mail the author of MailScanner
May 2 14:11:53 blackhawk mailscanner[237]: Scanned 2 messages, 8063 bytes in 0 seconds

What's the problem here? How could I tell fetchmail (or mailscanner, I don't know!) that this is not a problem but only the output of the f-prot antivirus?

Thanks for your help.

Matteo

--
Debian GNU/Linux. The most software. The most people. The biggest is still the best.
Re: MAC-based ssh
On 02 May 2003, Hans van Leeuwen wrote:

> I have decided to do this through SSH by putting the client key in
> authorized_keys2. But this seems a little risky, so I was wondering if
> it was possible to get sshd to only allow the client MAC-address.

If these remote users always connect from the same IP address, then you should put this into authorized_keys:

from="hostname or ip" ssh-rsa ...public-key...

It is also possible to further restrict this connection. Something like

command="/etc/init.d/bind restart",from="..." ssh-rsa ...

will restart bind for every such connection without giving the user any other possibilities. Check sshd(8) for more options.

Oliver
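The restricted-key approach Oliver and Thomas describe, carried one step further as an added example that is not from anyone in this thread: the authorized_keys entry pins the source address and forces a wrapper, and the wrapper only ever runs `rndc reload` (reload rather than restart, as Bastian notes) through sudo, rejecting any other request. The wrapper path, the sudoers line and the sample key are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): restricted authorized_keys entry plus
# the forced-command wrapper it points at, for reloading BIND over SSH.
# Assumed: wrapper installed as /usr/local/sbin/bind-reload-wrapper and the
# sudoers line sketched in run_wrapper.

WRAPPER=/usr/local/sbin/bind-reload-wrapper

# Print one authorized_keys line: pin the source address, force the wrapper,
# and drop the pty and port/agent/X11 forwarding the key never needs.
# $1 = allowed source host or IP, $2 = key material ("ssh-rsa AAAA...")
make_authorized_keys_entry() {
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$1" "$WRAPPER" "$2"
}

# Validate the client's request (sshd hands it over in SSH_ORIGINAL_COMMAND).
# Accepted: empty or "reload" (reload everything), or "reload <zone>" where the
# zone name consists only of letters, digits, dots and hyphens. Prints the zone
# (empty for "all") and returns 0; returns 1 for anything else, so shell
# metacharacters or option-looking strings never reach rndc.
validate_reload_request() {
    case "$1" in
        ""|reload)
            : # nothing printed: reload all zones
            ;;
        "reload "*)
            zone=${1#reload }
            case "$zone" in
                ""|-*|*[!A-Za-z0-9.-]*) return 1 ;;
            esac
            echo "$zone"
            ;;
        *)
            return 1
            ;;
    esac
}

# Entry point when sshd runs this file as the forced command.
run_wrapper() {
    client=${SSH_CLIENT-unknown}; client=${client%% *}
    if ! zone=$(validate_reload_request "${SSH_ORIGINAL_COMMAND-}"); then
        logger -p auth.warning -t bind-reload-wrapper \
            "rejected request from $client: ${SSH_ORIGINAL_COMMAND-}"
        echo "request not permitted" >&2
        return 1
    fi
    logger -p auth.info -t bind-reload-wrapper \
        "reload of ${zone:-all zones} requested by $client"
    # Assumed sudoers entry for the login user (adjust to local policy):
    #   dnsedit ALL=(root) NOPASSWD: /usr/sbin/rndc reload, /usr/sbin/rndc reload *
    if [ -n "$zone" ]; then
        exec sudo /usr/sbin/rndc reload "$zone"
    else
        exec sudo /usr/sbin/rndc reload
    fi
}

# Only act when invoked under the wrapper name; sourcing the file elsewhere
# just defines the functions.
if [ "${0##*/}" = "${WRAPPER##*/}" ]; then run_wrapper; fi
```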
Re: MAC-based ssh
Danny De Cock wrote:
> hi,
>
> using mac addresses for client authentication seems to me as an extremely
> risky business as a mac address can easily be copied/cloned/spoofed...
> imho, it does not offer any authentication at all...

I understand that MAC addresses can be spoofed, but I thought I would use it as an extra layer of protection. Of course a valid key will also be needed.

Hans
Re: MAC-based ssh
Kay-Michael Voit wrote:
> did you consider just to block other mac-addresses through iptables?

Yes, but the MAC should just be checked for one specific user.

> but... i don't know, what you are doing there, but are you sure you want
> to grant every user ssh access

No, just one user with limited rights. That user executes a C program that becomes root and reloads bind. Only this user's key is trusted.

> i would suggest to use a webinterface, for example with php, which puts
> commands into a database, or something similar (perhaps a text file could
> do it, too) and then run a cronjob, let's say, every 10 mins with a script
> that restarts bind.

But isn't ssh more secure than a web interface (even when using SSL)? Using your method, anybody who hacks the webapp has total root access...

We thought about the cron option, but as soon as a domain is registered, the Dutch TLD organisation checks if there is a valid DNS record. Therefore bind needs to be reloaded as soon as the mail is sent to the TLD org. We could queue all mail and send it through a cronjob as well, but this seems a bit complicated for the task.
Re[2]: MAC-based ssh
DDC> using mac addresses for client authentication seems to me as an extremely
DDC> risky business as a mac address can easily be copied/cloned/spoofed...
DDC> imho, it does not offer any authentication at all...

I understood it as additional security to certificates or passwords (more like security by obscurity).
Re: MAC-based ssh
Hello,

are you really sure that your DNS server and all customers are located in the same IP subnet? Authentication via the MAC address of your internet router does not seem to be a very secure idea... ;)

achim

--
Democracy rests on three principles: freedom of conscience, freedom of speech, and the prudence never to exercise either. [ Mark Twain ]
PGP: DCBF 6A6B 87A8 741C FBF8 27AC 2DBA 62D2 7A57 6D88
Re: MAC-based ssh
Hans van Leeuwen <[EMAIL PROTECTED]> writes:

> My company has created an application that allows remote users to
> edit their DNS-records. This app needs to restart bind on the remote
> nameservers.

I think this is the wrong solution. A better idea is a cron job on the nameserver periodically reloading the zone files (which are what you're editing, right?). Another solution, requiring more work, is to use secure dynamic updates (as detailed by RFC 3007).

--
Espen Wiborg <[EMAIL PROTECTED]>
Do not meddle in the affairs of gurus, for they can make your life miserable by doing nothing.
Re: MAC-based ssh
did you consider just to block other mac-addresses through iptables?

but... i don't know, what you are doing there, but are you sure you want to grant every user ssh access? i assume you need to be root for this? how are you going to solve it over ssh? and how do you prevent users from just shutting down your bind?

i would suggest to use a webinterface, for example with php, which puts commands into a database, or something similar (perhaps a text file could do it, too) and then run a cronjob, let's say, every 10 mins with a script that restarts bind.

HvL> Hello,
HvL> My company has created an application that allows remote users to edit
HvL> their DNS-records. This app needs to restart bind on the remote nameservers.
HvL> I have decided to do this through SSH by putting the client key in
HvL> authorized_keys2. But this seems a little risky, so I was wondering if
HvL> it was possible to get sshd to only allow the client MAC-address.
HvL> I've looked around, but for some reason search-engines tend to send me
HvL> to www.apple.com ;-)
Re: MAC-based ssh
hi,

using mac addresses for client authentication seems to me as an extremely risky business as a mac address can easily be copied/cloned/spoofed... imho, it does not offer any authentication at all...

g.

On Fri, 2 May 2003, Hans van Leeuwen wrote:

> Hello,
>
> My company has created an application that allows remote users to edit
> their DNS-records. This app needs to restart bind on the remote
> nameservers.
>
> I have decided to do this through SSH by putting the client key in
> authorized_keys2. But this seems a little risky, so I was wondering if
> it was possible to get sshd to only allow the client MAC-address.
>
> I've looked around, but for some reason search-engines tend to send me
> to www.apple.com ;-)
>
> Hans
MAC-based ssh
Hello,

My company has created an application that allows remote users to edit their DNS-records. This app needs to restart bind on the remote nameservers.

I have decided to do this through SSH by putting the client key in authorized_keys2. But this seems a little risky, so I was wondering if it was possible to get sshd to only allow the client MAC-address.

I've looked around, but for some reason search-engines tend to send me to www.apple.com ;-)

Hans
Re: mgetty vulnerable?
* Drew Scott Daniels ([EMAIL PROTECTED]) [030502 01:20]:
> [...]

There is as far as I can see (only) one important security enhancement in the newer mgettys, and this is running the fax-out scripts not as root. There is no proof that the old mgettys are vulnerable, but it's never a good idea to run anything as root unless absolutely necessary.

Wolfgang and I are just working to get this running on debian testing/unstable (but _this_ update is not trivial, so it's not just an "apply patch" to get it to the woody version). If anyone has the important desire to use this right now, he should take the sources from unstable and recompile (and make the necessary enhancements). Everyone else should wait for about a week, then there should be a working version.

As minor and major bug fixes are more or less the only changes in mgetty, I would recommend the version in unstable as the security update for everyone who needs it.

Cheers,
Andi

--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C
Railway jargon #1, by Marc Haber in dasr:
Everything is getting cheaper: 50 % price increase for regular customers.
Re: Woody security updates
Hi .*,

> Matthias Faulstich <[EMAIL PROTECTED]> wrote:
> > Does this jigdo file load the latest security updates or are there any
> > other places to download / create CD-Images?

Paul Hink wrote:
> AFAIK no. I think you'll have to apt-get update && apt-get upgrade
> immediately after the installation because CDs can never be as up to
> date as security.debian.org is.

If the jigdo system was updated once a month (at least), we would be able to do most upgrades using CDs, which will be greatly appreciated in developing countries (I'm in Vietnam) since Internet access is still expensive for individuals.

Cheers, J.C.

--
Jean Christophe ANDRÉ <[EMAIL PROTECTED]> http://www.vn.refer.org/
Regional technical coordinator / Technology associate, Reflets project
Agence universitaire de la Francophonie (AuF) / Bureau Asie-Pacifique (BAP)
Postal address: AUF, 21 Lê Thánh Tông, T.T. Hoàn Kiếm, Hà Nội, Việt Nam
Tel.: +84 4 9331108 Fax: +84 4 8247383 Mobile: +84 91 3248747
/ Personal note: please avoid sending me PowerPoint or Word files; \
\ see here: http://www.fsf.org/philosophy/no-word-attachments.fr.html /