Re: When will kernel-image-2.4.23 be available ?

2003-12-05 Thread Lupe Christoph
On Thursday, 2003-12-04 at 01:46:43 +0100, Bernd Eckenfels wrote:
 In article [EMAIL PROTECTED] you wrote:
  Nah, just look at /proc/cpuinfo, /proc/pci (or use lspci), dmesg, etc
  It's almost all there for you. Not like the old days...

 lshw is fine for collecting the above information. If you need more
 detection try discover (Progeny) or Kudzu (Redhat) both available in debian.

Before I install Debian or when I need fine hardware detection
afterwards, I boot Knoppix on the system. IIRC that uses kudzu.

Selecting the right modules on new hardware you barely know is always a
challenge, so a Live CD Debian is very handy. I carry a Knoppix with me
at almost any time... And a Debian Stable CD 1.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Violence is the resort of the violent Lu Tze |
| Thief of Time, Terry Pratchett   |


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: When will kernel-image-2.4.23 be available ?

2003-12-05 Thread Lupe Christoph
On Thursday, 2003-12-04 at 07:47:53 +0100, Matthias Faulstich wrote:

 Having the kernel-sources, knowledge about make-kpkg and a proper 
 working .config for a previous kernel is one thing, but having a Debian 
 patched kernel (or kernel-sources) is a second. 
 E.g. cramfs for initrd still doesn't work with a 2.4.23 vanilla kernel.

Speaking of a patched Debian kernel. My machines are currently running
my own build based on kernel-source-2.4.20. I don't mind upgrading to a
later kernel.

BUT! Does anybody have a patch for the do_brk vuln on any kernel-source
package >= 2.4.20 as they are currently in the archives? I would like to
build a new kernel with the vuln patched ASAP, rather than wait for the
upload to reopen.

Thanks,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Violence is the resort of the violent Lu Tze |
| Thief of Time, Terry Pratchett   |





Re: extrange passwd behaviour

2003-12-05 Thread Riku Valli

- Original Message - 
From: Ruben Porras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 12:21 AM
Subject: Re: extrange passwd behaviour


On Thu, 04-12-2003 at 22:05, Kevin wrote:
  I've discovered that login, sudo, gdm only take care of the first 8
  characters of the passwd. The following characters don't count. See the
  following example (I've created a new user just to make the test)

 If you are not using md5 passwords will have a max length of 8
 characters.  If you're using md5 your pam config for passwd etc should
 look something like this:
 password required pam_unix.so md5
 And the passwords in the shadow file should start with $1$

The problem was that I was not using md5 passwd. I don't know why
/etc/pam.d/passwd was set to allow fall-through to the 'other' service.

The debconf configuration of passwd says that md5 should be enabled.
I've tried to run dpkg-reconfigure passwd with no effect, but that is
another problem and off-topic here.

Putting the line by hand works perfectly.

Thanks.

Hi

In Debian default
/etc/login.defs

#
# Number of significant characters in the password for crypt().
# Default is 8, don't change unless your crypt() is better.
# If using MD5 in your PAM configuration, set this higher.
#
PASS_MAX_LEN 8

-- Riku


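Kevin's hint ("the passwords in the shadow file should start with $1$") and the PASS_MAX_LEN stanza Riku quotes are the two things to look at on a box that shows this 8-character behaviour. The following is an added example, not code from this thread or from the shadow/PAM packages: it classifies each hash in a shadow file by the crypt(3) scheme its format implies, reads PASS_MAX_LEN from login.defs, and reports accounts still on 13-character DES hashes (only the first 8 characters are significant there) plus the case where MD5 is in use but PASS_MAX_LEN was left at 8, which the login.defs comment says to raise. The shadow and login.defs contents are constructed; the hash strings are format-valid placeholders, not real hashes, and the fallback of 8 when the key is absent is my assumption about shadow's compiled-in default.

```python
# Added example (not from this thread): audit /etc/shadow hash schemes
# against PASS_MAX_LEN in /etc/login.defs. Sample contents are constructed;
# the hash strings are format-valid placeholders, not real hashes.
import re

SHADOW_SAMPLE = """\
root:$1$Xq9zL2kP$3vJ8mQw1aBcDeFgHiJkLm.:12387:0:99999:7:::
alice:abJnggxhB/yWI:12387:0:99999:7:::
bob:$1$saltsalt$abcdefghijklmnopqrstuv:12387:0:99999:7:::
daemon:*:12387:0:99999:7:::
guest:!:12387:0:99999:7:::
"""

LOGIN_DEFS_SAMPLE = """\
#
# Number of significant characters in the password for crypt().
# Default is 8, don't change unless your crypt() is better.
# If using MD5 in your PAM configuration, set this higher.
#
PASS_MAX_LEN 8
"""

# Traditional DES crypt(): 2-character salt + 11 characters, no '$' prefix.
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")

def hash_scheme(field):
    """Classify a shadow password field by the crypt(3) scheme it implies."""
    if field in ("", "*") or field.startswith("!"):
        return "locked"              # no usable password, or account locked
    if field.startswith("$1$"):
        return "md5"                 # the full password length is significant
    if field.startswith("$"):
        return "other-modular"       # $2a$, $5$, $6$ ... newer than this thread
    if DES_HASH.match(field):
        return "des"                 # only the first 8 characters count
    return "unknown"

def parse_shadow(text):
    """Return [(user, scheme)] for every non-comment line of a shadow file."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        rows.append((fields[0], hash_scheme(fields[1])))
    return rows

def pass_max_len(text):
    """Return PASS_MAX_LEN from login.defs; 8 (assumed default) if absent."""
    for line in text.splitlines():
        m = re.match(r"^\s*PASS_MAX_LEN\s+(\d+)\s*$", line)
        if m:
            return int(m.group(1))
    return 8

def audit(shadow_text, login_defs_text):
    """Return {user: finding} for accounts worth a second look."""
    findings = {}
    max_len = pass_max_len(login_defs_text)
    for user, scheme in parse_shadow(shadow_text):
        if scheme == "des":
            findings[user] = "DES crypt() hash: only the first 8 characters are checked"
        elif scheme == "md5" and max_len <= 8:
            findings[user] = ("MD5 hash but PASS_MAX_LEN=%d: login.defs says to raise it"
                              % max_len)
    return findings

if __name__ == "__main__":
    for user, finding in sorted(audit(SHADOW_SAMPLE, LOGIN_DEFS_SAMPLE).items()):
        print("%-8s %s" % (user, finding))
```

On a real system, feed it the contents of /etc/shadow (root only) and /etc/login.defs; an account that still shows a 13-character hash keeps its DES hash until the user next runs passwd under the md5 PAM configuration, so the audit is worth repeating after the PAM change.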


have the compromized debian servers been cleaned?

2003-12-05 Thread Mo Zhen Guang
Hi,

I am going to install a few new Debian servers, but I worry about the
integrity of the packages because of the incident of compromised Debian
servers some days ago.

Can anybody confirm for me that these servers are clean now?

Thank you
Mo





Re: have the compromized debian servers been cleaned?

2003-12-05 Thread Micah Anderson
They are clean.

On Fri, 05 Dec 2003, Mo Zhen Guang wrote:

 Hi,
 
 I am going to install a few new Debian servers, but I worry about the
 integrity of the packages because of the incident of compromised Debian
 servers some days ago.
 
 Can anybody confirm for me that these servers are clean now?
 
 Thank you
 Mo
 
 
 





Re: have the compromized debian servers been cleaned?

2003-12-05 Thread Kjetil Kjernsmo
On Friday 05 December 2003 08:22, Mo Zhen Guang wrote:
 Hi,

 I am going to install a few new Debian servers, but I worry about the
 integrity of the packages because of the incident of compromised Debian
 servers some days ago.

 Can anybody confirm for me that these servers are clean now?

The server containing the packages was never compromised, so there should be 
no problem there. 

According to http://www.wiggy.net/debian/ the servers themselves have been 
reinstalled, yes. 

Best,

Kjetil



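Whatever the status of the compromised hosts, the check a practitioner can do locally is to verify each downloaded .deb against the Size and MD5sum fields of the Packages index stanza that describes it (the stanza format is the one George pastes for aris-extractor further down this page). The following is an added example, not part of this thread and not apt's code: the parser handles the blank-line-separated, space-continued Packages format, and the verifier compares a file's bytes to its stanza. The stanza and the "package" bytes are constructed so the example runs offline. Caveat: this is only the last link of the chain. A mirror that serves a tampered .deb together with a tampered Packages file passes this check; trust has to come from checking the Packages file against the signed Release file (Release.gpg), which apt of this era did not do for you.

```python
# Added example (not from this thread): verify a downloaded .deb against the
# Size and MD5sum fields of the Packages index stanza that describes it. The
# stanza and the "package" bytes are constructed; a real run would take the
# stanza from /var/lib/apt/lists/ and the file from /var/cache/apt/archives/.
import hashlib

# Constructed .deb stand-in (not a real archive) and a matching stanza.
SAMPLE_DEB = b"The quick brown fox jumps over the lazy dog"
PACKAGES_SAMPLE = """\
Package: example-pkg
Priority: optional
Section: admin
Version: 1.0-1
Architecture: i386
Filename: pool/main/e/example-pkg/example-pkg_1.0-1_i386.deb
Size: 43
MD5sum: 9e107d9d372bb6826bd81d3542a419d6
Description: constructed stanza for the example
 Continuation lines start with a space, as in a real Packages file.

Package: other-pkg
Version: 2.0-1
Architecture: i386
Filename: pool/main/o/other-pkg/other-pkg_2.0-1_i386.deb
Size: 1
MD5sum: 00000000000000000000000000000000
"""

def parse_packages(text):
    """Parse the RFC-822-style Packages format into a list of dicts.
    Stanzas are separated by blank lines; a line starting with whitespace
    continues the previous field."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif line[0] in " \t" and last:
            cur[last] += "\n" + line.strip()
        else:
            key, _, val = line.partition(":")
            cur[key] = val.strip()
            last = key
    if cur:
        stanzas.append(cur)
    return stanzas

def find_stanza(stanzas, package):
    """Return the stanza for a package name, or None."""
    for s in stanzas:
        if s.get("Package") == package:
            return s
    return None

def verify_deb(stanza, data):
    """Compare a file's bytes to its stanza: returns (ok, list_of_problems)."""
    problems = []
    if int(stanza["Size"]) != len(data):
        problems.append("size %d != Size %s" % (len(data), stanza["Size"]))
    digest = hashlib.md5(data).hexdigest()
    if digest != stanza["MD5sum"].lower():
        problems.append("md5 %s != MD5sum %s" % (digest, stanza["MD5sum"]))
    return (not problems, problems)

if __name__ == "__main__":
    idx = parse_packages(PACKAGES_SAMPLE)
    stanza = find_stanza(idx, "example-pkg")
    print("intact:  ", verify_deb(stanza, SAMPLE_DEB))
    print("tampered:", verify_deb(stanza, SAMPLE_DEB + b"!"))
```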


Re: Upgrading Kernels...

2003-12-05 Thread Kjetil Kjernsmo
On Thursday 04 December 2003 18:48, Eric D Nielsen wrote:
 I'm a little confused as to how/when I should upgrade my kernel.  I'm not
 subscribed to this list a present, so please include me in the cc.

OK. I'm a rather new user myself, but to ease the workload on the security 
team, who already have their hands full, I'll attempt an answer, but I 
basically just reiterate what I've heard here... :-)

 I'm using the 2.4.18.bf2.4 kernel.  I saw that new headers for it were
 added to the security server recently, but don't know what else is
 needed.  Does the machine need to be reboot'ed, after the apt-get upgrade?

Yep. 

If you check the recent archives of this list (they are up now, right? I'm on 
a GPRS link, so I'm not going over to check), you'll see that you're not 
supposed to be running the bf2.4 kernel, you were supposed to go for a 
CPU-specific kernel shortly after installation. 

I must admit that I never saw anything about going for a CPU-specific kernel 
from the stuff I read when installing... But when I first did it, a friend of 
mine was telling me come on, you want your own kernel, own kernels are cool, 
go for it. So I did... To the rest of the folks here: Do the installation 
guide (or the installer dialog) tell you to change the kernel? 

 I saw that kernel images were provided for some of the other Linux kernels,
 but not for the bf2.4 variant.  Does this mean that the bf2.4 variant is
 already safe/patched as is, or that the packager/maintainer hasn't gotten
 to it yet?

As far as I've understood, the idea is that you shouldn't have the bf2.4 variant 
shortly after installation. I might be wrong, but I got the impression they 
were not going to be patched.  

 I'm a little wary of moving off the bf2.4, it seems to be the only one that
 likes my network configuration.  Several of the machines I need to
 administer are hard to get local access to, so if the network goes, I'm out
 of luck.

Yeah, I know how that feels... I've got difficulties physically getting to my 
main server too. It's a box I had donated, it runs excellently when it is up, 
but I often have to boot it several times to get it running. Upgrading a 
kernel implies a reboot (I think), so that's really scary. 

However, I think you have no option but to plunge into it...

It was mentioned here a couple of days ago that there are certain differences 
between the bf2.4 kernel and the CPU-specific kernels in that in the latter 
some things are compiled as modules, rather than into the kernel. ne2k 
ethernet cards were mentioned specifically. So, there you may have a hint 
about why you haven't got any of the other kernels working with your network. 
Loading the modules might fix the problem. I'm certainly not qualified to 
help you further here, but it is a track you can pursue. Start once you 
have physical access, of course... :-)

Best,

Kjetil





Re: When will kernel-image-2.4.23 be available ?

2003-12-05 Thread Thomas Sjögren
On Fri, Dec 05, 2003 at 08:08:46AM +0100, Lupe Christoph wrote:
 BUT! Does anybody have a patch for the do_brk vuln on any kernel-source
 package >= 2.4.20 as they are currently in the archives? I would like to
 build a new kernel with the vuln patched ASAP, rather than wait for the
 upload to reopen.

http://linux.bkbits.net:8080/linux-2.4/diffs/mm/[EMAIL PROTECTED]

/Thomas
-- 
== [EMAIL PROTECTED] | [EMAIL PROTECTED]
== Encrypted e-mails preferred | GPG KeyID: 114AA85C
--




Re: When will kernel-image-2.4.23 be available ?

2003-12-05 Thread Lupe Christoph
Quoting Thomas Sjögren [EMAIL PROTECTED]:
 On Fri, Dec 05, 2003 at 08:08:46AM +0100, Lupe Christoph wrote:
  BUT! Does anybody have a patch for the do_brk vuln on any kernel-source
  package >= 2.4.20 as they are currently in the archives? I would like to
  build a new kernel with the vuln patched ASAP, rather than wait for the
  upload to reopen.

 http://linux.bkbits.net:8080/linux-2.4/diffs/mm/[EMAIL PROTECTED]

Thanks, Thomas! This is exactly what I needed.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Violence is the resort of the violent Lu Tze |
| Thief of Time, Terry Pratchett   |



This message was sent using IMP, the Internet Messaging Program.





Re: When will kernel-image-2.4.23 be available ?

2003-12-05 Thread Alvin Oga


On Fri, 5 Dec 2003, Thomas Sjögren wrote:

 On Fri, Dec 05, 2003 at 08:08:46AM +0100, Lupe Christoph wrote:
  BUT! Does anybody have a patch for the do_brk vuln on any kernel-source
  package >= 2.4.20 as they are currently in the archives? I would like to
  build a new kernel with the vuln patched ASAP, rather than wait for the
  upload to reopen.
 
 http://linux.bkbits.net:8080/linux-2.4/diffs/mm/[EMAIL PROTECTED]

I see other code fragments that have a similar PAGE_ALIGN() problem

- sounds like the macro needs to be cleaned up ?

c ya
alvin





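To make Lupe's do_brk question, Alvin's PAGE_ALIGN() remark and the changelog line "Add TASK_SIZE check to do_brk()" (quoted in Florian Weimer's reply further down) concrete, here is an added example in Python that is not code from this thread or from the kernel. It models the 32-bit i386 arithmetic with the i386 constants PAGE_SIZE = 4096 and TASK_SIZE = 0xC0000000: PAGE_ALIGN() of a length within 4095 of 2**32 wraps to 0, and a range check that only looks at the aligned length, not at where addr + len ends up, lets a request end above TASK_SIZE or wrap around past 2**32. The "unchecked" and "checked" shapes, the helper names and the sample values are my assumptions about the shape of the fix described by that changelog line, not a reproduction of mm/mmap.c.

```python
# Added example (not kernel code): 32-bit model of PAGE_ALIGN() and of the
# do_brk() end-of-range check that the 2.4.23 changelog line describes.
# Constants are the i386 values; the helper names are this example's own.

PAGE_SIZE = 1 << 12               # i386 PAGE_SHIFT = 12
PAGE_MASK = ~(PAGE_SIZE - 1)
TASK_SIZE = 0xC0000000            # i386 default: user space ends at 3 GiB
ULONG_MASK = 0xFFFFFFFF           # unsigned long wraps modulo 2**32

def page_align(n):
    """PAGE_ALIGN(n) = (n + PAGE_SIZE - 1) & PAGE_MASK, with the addition
    wrapping as a 32-bit unsigned long does. Any n >= 0xFFFFF001 therefore
    aligns to 0, which is the PAGE_ALIGN() trap."""
    return ((n + PAGE_SIZE - 1) & ULONG_MASK) & PAGE_MASK

def brk_range_unchecked(addr, length):
    """Pre-fix shape (assumed): align the length, treat 0 as a no-op, and
    otherwise trust [addr, addr + len) without comparing it to TASK_SIZE."""
    length = page_align(length)
    if length == 0:
        return ("noop", addr)
    return ("map", addr, (addr + length) & ULONG_MASK)

def brk_range_checked(addr, length):
    """Post-fix shape (assumed): refuse a range whose end lies above
    TASK_SIZE or whose end wrapped around below its start."""
    length = page_align(length)
    if length == 0:
        return ("noop", addr)
    end = (addr + length) & ULONG_MASK
    if end > TASK_SIZE or end < addr:
        return ("EINVAL",)
    return ("map", addr, end)

if __name__ == "__main__":
    # Constructed sample requests: an ordinary heap growth, one that would
    # end inside kernel space, and one whose end wraps around 2**32.
    for addr, length in ((0x08050000, 0x1234),
                         (0xBFFFF000, 0x10000),
                         (0xFFFFE000, 0x3000)):
        print(hex(addr), hex(length),
              "unchecked:", brk_range_unchecked(addr, length),
              "checked:", brk_range_checked(addr, length))
    print("PAGE_ALIGN(0xFFFFF001) =", hex(page_align(0xFFFFF001)))
```

Two things the model shows that a one-line fix hides: the `end < addr` half of the check is what catches the wrap-around case, and a length that PAGE_ALIGN() folds to 0 is silently a no-op rather than an error, so a caller that wants to know whether its request was honoured has to look at the returned range, not just at the absence of an error.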

Re: Will 2.4.20 Source be patched for the latest kernel vulnerability?

2003-12-05 Thread Philipp Schulte
Philipp Schulte wrote: 

 How do I find out which patches exactly are compiled in the Debian
 kernel source? 

Just in case anybody else wonders:
I asked Herbert Xu and he told me about the README.Debian which is
included in the kernel-source-packages. 





Re: extrange passwd behaviour

2003-12-05 Thread Lupe Christoph
Quoting Bernd Eckenfels [EMAIL PROTECTED]:
 In article [EMAIL PROTECTED] you wrote:
  I've discovered that login, sudo, gdm only take care of the first 8
  characters of the passwd.
 
 Dont know why and for which debian versions it is default, I have some mixed
 ones.

Why? Because it uses DES and DES uses 56 bit keys. Eight 7 bit chars
give you exactly 56 bits...

I've always wondered if the high bit does indeed make no difference.
Right now, I have only Solaris to try. ... Nope, the high bit is ignored
on Solaris. I'll have to try this at home tonight with Debian and
FreeBSD.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Violence is the resort of the violent Lu Tze |
| Thief of Time, Terry Pratchett   |








Re: [SECURITY] [DSA-403-1] userland can access Linux kernel memory

2003-12-05 Thread Florian Weimer
Adam ENDRODI wrote:

 Just a humble question: how the average user who doesn't use the
 kernel sources provided by Debian and cannot follow lk should have
 known about the bug?  The changelog read ``Add TASK_SIZE check to
 do_brk()'', there's no indication that it's a security fix.
 
 I'm really curious how you cope with it.

Usually, kernel security issues are resolved in the following way:

  * bugs are discovered

  * some vendor is notified (it used to be a Red Hat employee)

  * all active branches are fixed in BK, with cryptic log messages

  * vendors prepare release

  * next official stable kernel is released

  * vendors release advisories

  * now it's clear that the official release contains security fixes

Keep in mind that there is no official security contact for the kernel,
and no established bug handling procedure.  Time to fix is now measured
in months, and official kernel release schedules do not take security
issues into account (nowadays, not even critical data loss mandates a
coordinated emergency release).

In short: Don't run official, unpatched kernels.  Use vendor kernels.





Re: [SECURITY] [DSA-403-1] userland can access Linux kernel memory

2003-12-05 Thread Florian Weimer
Marcel Weber wrote:

 I want to correct myself: CAN-2003-0961 dates from the 26th November 
 2003, as far I could see on the CVE.org site. This means that unless 
 every discovered bug would be fixed, this incident could not have been 
 avoided. This is of course not realistic.

You can't infer much data from the assignment date.  The CVE process is
a bit more complicated these days.

BTW, the guys at isecl.pl believe that their exploit leaked to the
underground.  So it might have been discovered by the good guys, but
it leaked somewhere during the delayed disclosure process.





Grsecurity and ssh

2003-12-05 Thread Arnaud Fontaine
Hello,

I have built a chroot environment for ssh with makejail. I had no
problem doing that; I can log into the chroot environment. It works very
well. :) 

Now I would like to use the GNU/Linux kernel with the grsecurity patch. I
have compiled and installed this kernel, but when I want to log into the
system via ssh (the service also starts), I have the following error due
to grsecurity:
grsec: denied attempt to double chroot to /[...] by (sshd:14334) UID(0)
EUID(0), parent (sshd:20587) UID(0) EUID(0)

I have seen an option about double chroot in the kernel, but I would like
to know how I can resolve this problem without deactivating this option.
Have you an idea?

I have another problem with PAM. I have followed the Securing Debian
Manual and put these lines into /etc/pam.d/ssh :
password required pam_cracklib.so retry=3 minlen=8 difok=3
password required pam_unix.so use_authok nullok md5

And commented out this:
password required pam_unix.so

I have installed libpam-cracklib and I chose md5 passwords during
the installation. But I get this error when I want to change a password:
passwd: Critical error - immediate abort

I think I have made a stupid error, but could someone explain to me why I
get this error? ;)

Thanks for your help...
Arnaud Fontaine 

- signature
Arnaud Fontaine [EMAIL PROTECTED] - http://www.andesi.org/
GnuPG Public Key available at http://www.andesi.org/gpg/dsdebian.asc
Fingerprint: 22B6 B676 332E 23BC CA7D 174D 6D41 235A 23A2 500A

-- fortune
Momma always said: There is only so much fortune a man
really needs - and the rest is for showin' off 

Forrest Gump




Re: extrange passwd behaviour

2003-12-05 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Dont know why and for which debian versions it is default, I have some mixed
 ones.
 
 Why? Because it uses DES and DES uses 56 bit keys. Eight 7 bit chars
 give you exactly 56 bits...

*lol*

I was talking about: I don't know why it is the default to use insecure crypt() instead of 
md5.

But I can think of something like compatibility (to what?) :)

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/





Re: Grsecurity and ssh

2003-12-05 Thread Florian Weimer
Arnaud Fontaine wrote:

 Now i would like to use the GNU/Linux kernel with grsecurity patch. I
 have compiled and installed this kernel but when i want to log into the
 system via ssh (the service start also), i have the following error due
 to grsecurity:
 grsec: denied attempt to double chroot to /[...] by (sshd:14334) UID(0)
 EUID(0), parent (sshd:20587) UID(0) EUID(0)

The privilege separation code invokes chroot(), too.

Is there a do not create any new file descriptors process attribute in
grsecurity?  If there is, OpenSSH should toggle instead of calling
chroot() to an empty directory, which is a poor replacement.





rsync attempts?

2003-12-05 Thread Igor Mozetic

I see repeated attempts to connect to my public rsync Debian server:

Dec  6 00:20:01 rsync connection attempt from 217.21.40.1 
(217.21.40.1:29558-x.x.x.x:873)

rsync and kernel are patched, but I wonder if there is anything
one can do to identify/catch/??? a potential intruder.

-Igor





Re: rsync attempts?

2003-12-05 Thread George Georgalis
On Sat, Dec 06, 2003 at 12:25:09AM +0100, Igor Mozetic wrote:

I see repeated attempts to connect to my public rsync Debian server:

Dec  6 00:20:01 rsync connection attempt from 217.21.40.1 
(217.21.40.1:29558-x.x.x.x:873)

rsync and kernel are patched, but I wonder if there is anything
one can do to identify/catch/??? a potential intruder.

Some ISPs will respond to complaints if their customers are staging
attacks; most don't. You will want to script some kind of reporting
tool, and use whois to find the owner of the subnet... In this case they may
do something about it: Belarusian State University.

There is aris too:

Package: aris-extractor
Priority: optional
Section: admin
Installed-Size: 164
Maintainer: Matt Zimmerman [EMAIL PROTECTED]
Architecture: i386
Version: 1.6.2-4
Depends: debconf, libc6 (>= 2.2.4-4), libcurl2-ssl (>= 7.9.5-1), libssl0.9.6, 
libstdc++2.10-glibc2.2
Recommends: snort
Filename: pool/main/a/aris-extractor/aris-extractor_1.6.2-4_i386.deb
Size: 38072
MD5sum: 7e95297b99c3725d60c94f8a24acebb0
Description: Scan system logs for security incidents and report them to ARIS
 The Attack Registry and Intelligence Service (ARIS) is a free,
 user-integrated attack-trending system hosted by SecurityFocus that
 allows administrators and operators of Intrusion Detection Systems
 (IDSs) to track, evaluate and respond to security alerts and attacks
 in a proactive manner.
 .
 As an integral piece of the ARIS Analyzer service, SecurityFocus's
 open-source ARIS Extractor utility distills data provided by IDS
 attack-list logs to build client portfolios that provide meaningful,
 graphical analysis of potentially malicious network incidents. By
 filtering out insignificant or benign data and converting it to a
 common format (xml), ARIS Extractor streamlines incident reporting
 for both security professionals and home users in a way that allows
 IDS operators to focus only on relevant attacks and
 incidents. Additionally, ARIS Extractor ensures client
 confidentiality through secure file-transfer protocols and optional
 IP address suppression.


// George

-- 
GEORGE GEORGALIS, System Admin/Architectcell: 646-331-2027IXOYE
Security Services, Web, Mail,mailto:[EMAIL PROTECTED] 
Multimedia, DB, DNS and Metrics.   http://www.galis.org/george 



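Before scripting a report the way George suggests, the first step is to turn the "rsync connection attempt" lines Igor quotes into per-source counts, so that a single probe is not treated like a sustained scan. The following is an added example, not code from this thread or from any Debian package: it parses syslog lines in the format Igor posted (one record per line; the wrapped line in his mail is one record), groups attempts by source address, and flags a source as a repeat offender when at least `threshold` attempts fall inside any `window`. The log lines are constructed; 217.21.40.1 is the address from Igor's post, the other addresses are made up, and the year is a parameter because syslog omits it. The whois lookup George recommends is a network step and is left to the operator.

```python
# Added example (not from this thread): aggregate "rsync connection attempt"
# syslog lines per source address and flag repeat offenders. The log lines
# below are constructed in the format Igor quoted; 217.21.40.1 is the address
# from his post, the other addresses are made up.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_SAMPLE = """\
Dec  6 00:20:01 rsync connection attempt from 217.21.40.1 (217.21.40.1:29558-x.x.x.x:873)
Dec  6 00:20:03 rsync connection attempt from 217.21.40.1 (217.21.40.1:29559-x.x.x.x:873)
Dec  6 00:20:05 rsync connection attempt from 217.21.40.1 (217.21.40.1:29560-x.x.x.x:873)
Dec  6 00:20:06 rsync connection attempt from 192.0.2.7 (192.0.2.7:41002-x.x.x.x:873)
Dec  6 00:21:40 rsync connection attempt from 217.21.40.1 (217.21.40.1:29561-x.x.x.x:873)
Dec  6 00:22:17 sshd[1234]: Accepted publickey for igor from 192.0.2.9 port 52211 ssh2
Dec  6 00:25:00 rsync connection attempt from 217.21.40.1 (217.21.40.1:29562-x.x.x.x:873)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"rsync connection attempt from (?P<src>\S+) "
    r"\((?P<src2>[^:]+):(?P<sport>\d+)-(?P<dst>[^:]+):(?P<dport>\d+)\)$")

def parse_line(line, year=2003):
    """Return (timestamp, source, source_port, dest_port), or None when the
    line is not an rsync connection-attempt record. Syslog omits the year,
    so it is a parameter (2003 here to match the thread)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("src"), int(m.group("sport")), int(m.group("dport"))

def summarize(lines, threshold=3, window=timedelta(minutes=5)):
    """Group attempts by source; flag a source when >= threshold attempts
    fall inside any sliding window of the given length."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec[1]].append(rec[0])
    report = {}
    for src, times in by_src.items():
        times.sort()
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        report[src] = {"count": len(times), "first": times[0],
                       "last": times[-1], "flag": burst}
    return report

if __name__ == "__main__":
    for src, info in sorted(summarize(LOG_SAMPLE.splitlines()).items()):
        note = "  <-- repeat offender, look up the netblock with whois" if info["flag"] else ""
        print("%-15s %3d attempts %s .. %s%s" % (
            src, info["count"], info["first"].time(), info["last"].time(), note))
```

Pipe the relevant lines in with something like `grep 'rsync connection attempt' /var/log/syslog` and only hand the flagged sources to whois and to an abuse contact; the unflagged single attempts are the background noise that every public rsync port sees.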


Kernel signed binaries

2003-12-05 Thread Steve Kemp

  As part of a lockdown system I'm interested in setting up a system
 which will only allow the execution of signed binaries.

  There are a couple of different implementations of this I've seen
 the most promising and up to date appears to be 'digsig'[0].

  Has anybody used anything similar, or have any pointers to 
 other implementations?

Steve
--
[0] = http://disec.sourceforge.net/





Re: Upgrading Kernels...

2003-12-05 Thread Riku Valli

- Original Message - 
From: Eric D Nielsen [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Sent: Thursday, December 04, 2003 7:48 PM
Subject: Upgrading Kernels...


 I'm a little confused as to how/when I should upgrade my kernel.  I'm not
 subscribed to this list a present, so please include me in the cc.

 I've seen several of the security annoucements concerning new/patched
 versions of several of the Linux kernels, but I'm seldom sure if it
 applies to me.  apt-get update; apt-get upgrade normally do not find
 any packages.  (I have the security server in the source list.)

 I'm using the 2.4.18.bf2.4 kernel.  I saw that new headers for it were
 added to the security server recently, but don't know what else is
 needed.  Does the machine need to be reboot'ed, after the apt-get upgrade?

 I saw that kernel images were provided for some of the other Linux
kernels,
 but not for the bf2.4 variant.  Does this mean that the bf2.4 variant is
 already safe/patched as is, or that the packager/maintainer hasn't gotten
to
 it yet?

 I'm a little wary of moving off the bf2.4, it seems to be the only one
that
 likes my network configuration.  Several of the machines I need to
administer
 are hard to get local access to, so if the network goes, I'm out of luck.

 Please advise.  Thank you.

 Eric Nielsen



Hi

It seems that kernel-image-2.4.18-bf2.4 and kernel-image-2.4.18-1-686 are
patched, and I believe all of the stock kernels are patched. The bf2.4 variant
was published, as I remember, on 2.12.03. Traditionally Debian apt-get
update/upgrade can't upgrade the kernel. This isn't always true. Maybe you
should try apt-get install kernel-image-2.4.18-bf2.4; if the kernel is older
this will install the new kernel over your existing one.

Hope this helps

Riku



Re: When will kernel-image-2.4.23 be available ?

2003-12-05 Thread Lupe Christoph
On Thursday, 2003-12-04 at 07:47:53 +0100, Matthias Faulstich wrote:

 Having the kernel-souces, knowledge about make-kpkg and a propper 
 working .config for a previously kernel is one thing, but having a debian 
 patched kernel (or kernel-sources) is a second. 
 E.g. cramfs for initrd still doesn't work with a 2.4.23 vanilla kernel.

Speaking of a patched Debian kernel. My machines are currently running
my own build based on kernel-source-2.4.20. I don't mind upgrading to a
later kernel.

BUT! Does anybody have a patch for the do_brk vuln on any kernel-source
package = 2.4.20 as they are currently in the archives? I would like to
build a new kernel with the vuln patched ASAP, rather than wait for the
upload to reopen.

Thanks,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Violence is the resort of the violent Lu Tze |
| Thief of Time, Terry Pratchett   |



Re: When will kernel-image-2.4.23 be available ?

2003-12-05 Thread Lupe Christoph
On Thursday, 2003-12-04 at 01:46:43 +0100, Bernd Eckenfels wrote:
 In article [EMAIL PROTECTED] you wrote:
  Nah, just look at /proc/cpuinfo, /proc/pci (or use lspci), dmesg, etc
  It's almost all there for you. Not like the old days...

 lshw is fine for collecting the above information. If you need more
 detection try discover (Progeny) or Kudzu (Redhat) both available in debian.

Before I install Debian or when I need fine hardware detection
afterwards, I boot Knoopix on the system. IIRC that uses kudzu.

Selecting them right modules on new hardware you barely know is always a
challenge, so a Life CD Debian is very handy. I carry a Knoppix with me
at almost any time... And a Debian Stable CD 1.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Violence is the resort of the violent Lu Tze |
| Thief of Time, Terry Pratchett   |



Re: extrange passwd behaviour

2003-12-05 Thread Riku Valli

- Original Message - 
From: Ruben Porras [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Sent: Friday, December 05, 2003 12:21 AM
Subject: Re: extrange passwd behaviour


El jue, 04-12-2003 a las 22:05, Kevin escribió:
  I've discovered that login, sudo, gdm only take care of the first 8
  characters of the passwd. The following characters don't count. See the
  following example (I've created a new user just to make the test)

 If you are not using md5 passwords will have a max length of 8
 characters.  If you're using md5 your pam config for passwd etc should
 look something like this:
 passwordrequiredpam_unix.so md5
 And the passwords in the shadow file should start with $1$

The problem was that I was not using md5 passwd. I don't know why
/etc/pam.d/passwd was set to allow fall-through to the 'other' service.

The debconf configuration of passwd says that md5 should be enabled.
I've tried to run dpkg-reconfigure passwd with no effect, but that is
another problem and off-topic here.

Putting the line by hand works perfectly.

Thanks.

Hi

In Debian default
/etc/login.defs

#
# Number of significant characters in the password for crypt().
# Default is 8, don't change unless your crypt() is better.
# If using MD5 in your PAM configuration, set this higher.
#
PASS_MAX_LEN8

-- Riku

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact
[EMAIL PROTECTED]




have the compromized debian servers been cleaned?

2003-12-05 Thread Mo Zhen Guang
Hi,

I am going to install a few new debian servers, but I worry about the
integratity of the packages because of the incident of compromised debian
servers some days ago.

Can anybody confirm me if these servers are clean now?

Thank you
Mo



Re: have the compromized debian servers been cleaned?

2003-12-05 Thread Micah Anderson
They are clean.

On Fri, 05 Dec 2003, Mo Zhen Guang wrote:

 Hi,
 
 I am going to install a few new debian servers, but I worry about the
 integratity of the packages because of the incident of compromised debian
 servers some days ago.
 
 Can anybody confirm me if these servers are clean now?
 
 Thank you
 Mo
 
 
 -- 
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
 



Re: have the compromized debian servers been cleaned?

2003-12-05 Thread Kjetil Kjernsmo
On Friday 05 December 2003 08:22, Mo Zhen Guang wrote:
 Hi,

 I am going to install a few new debian servers, but I worry about the
 integratity of the packages because of the incident of compromised debian
 servers some days ago.

 Can anybody confirm me if these servers are clean now?

The server containing the packages was never compromised, so there should be 
no problem there. 

According to http://www.wiggy.net/debian/ the servers themselves have been 
reinstalled, yes. 

Best,

Kjetil



Re: Upgrading Kernels...

2003-12-05 Thread Kjetil Kjernsmo
On Thursday 04 December 2003 18:48, Eric D Nielsen wrote:
 I'm a little confused as to how/when I should upgrade my kernel.  I'm not
 subscribed to this list a present, so please include me in the cc.

OK. I'm a rather new user myself, but to ease the workload on the security 
team, who allready have their hands ful, I'll attempt an answer, but I 
basically just reiterate what I've heard here... :-)

 I'm using the 2.4.18.bf2.4 kernel.  I saw that new headers for it were
 added to the security server recently, but don't know what else is
 needed.  Does the machine need to be reboot'ed, after the apt-get upgrade?

Yep. 

If you check the recent archives of this list (they are up now, right? I'm on 
a GPRS link, so I'm not going over to check), you'll see that you're not 
supposed to be running the bf2.4 kernel, you were supposed to go for a 
CPU-specific kernel shortly after installation. 

I must admit that I never saw anything about going for a CPU-specific kernel 
from the stuff I read when installing... But when I first did it, a friend of 
mine was telling me come on, you want your own kernel, own kernels are cool, 
go for it. So I did... To the rest of the folks here: Do the installation 
guide (or the installer dialog) tell you to change the kernel? 

 I saw that kernel images were provided for some of the other Linux kernels,
 but not for the bf2.4 variant.  Does this mean that the bf2.4 variant is
 already safe/patched as is, or that the packager/maintainer hasn't gotten
 to it yet?

AFA I've understood, the idea is that you shouldn't have the bf2.4 variant 
shortly after installation. I might be wrong, but I got the impression they 
were not going to be patched.  

 I'm a little wary of moving off the bf2.4, it seems to be the only one that
 likes my network configuration.  Several of the machines I need to
 administer are hard to get local access to, so if the network goes, I'm out
 of luck.

Yeah, I know how that feels... I've got difficulties physically getting to my 
main server too. It's a box I had donated, it runs excellently when it is up, 
but I often have to boot it several times to get it running. Upgrading a 
kernel implies a reboot (I think), so that's really scary. 

However, I think you have no option but to plunge into it...

It was mentioned here a couple of days ago that there are certain differences 
between the bf2.4 kernel and the CPU-specific kernels in that in the latter 
some things are compiled as modules, rather than into the kernel. ne2k  
ethernet cards were mentioned specifically. So, there you may have a hint 
about why you haven't any of the other kernels working with your network. 
Loading the modules might fix the problem. I'm certainly not qualified to 
help you further here, but it is a track you can pursue. Start with once you 
get physical access to first, of course... :-)

Best,

Kjetil



Re: When will kernel-image-2.4.23 be available ?

2003-12-05 Thread Thomas Sjögren
On Fri, Dec 05, 2003 at 08:08:46AM +0100, Lupe Christoph wrote:
 BUT! Does anybody have a patch for the do_brk vuln on any kernel-source
 package = 2.4.20 as they are currently in the archives? I would like to
 build a new kernel with the vuln patched ASAP, rather than wait for the
 upload to reopen.

http://linux.bkbits.net:8080/linux-2.4/diffs/mm/[EMAIL PROTECTED]

/Thomas
-- 
== [EMAIL PROTECTED] | [EMAIL PROTECTED]
== Encrypted e-mails preferred | GPG KeyID: 114AA85C
--


signature.asc
Description: Digital signature


Re: [SECURITY] [DSA-403-1] userland can access Linux kernel memory

2003-12-05 Thread Florian Weimer
Marcel Weber wrote:

 I want to correct myself: CAN-2003-0961 dates from the 26th November 
 2003, as far I could see on the CVE.org site. This means that unless 
 every discovered bug would be fixed, this incident could not have been 
 avoided. This is of course not realistic.

You can't infer much data from the assignment date.  The CVE process is
a bit more complicated these days.

BTW, the guys at isecl.pl believe that their exploit leaked to the
underground.  So it might have been discovered by the good guys, but
it leaked somewhere during the delayed disclosure process.



Grsecurity and ssh

2003-12-05 Thread Arnaud Fontaine
Hello,

I have built a chroot environment for ssh with makejail. I have had no
problem doing that; I can log into the chroot environment. It works very
well. :) 

Now I would like to use the GNU/Linux kernel with the grsecurity patch. I
have compiled and installed this kernel, but when I want to log into the
system via ssh (the service starts as well), I have the following error due
to grsecurity:
grsec: denied attempt to double chroot to /[...] by (sshd:14334) UID(0)
EUID(0), parent (sshd:20587) UID(0) EUID(0)

I have seen an option about double chroot in the kernel, but I would like
to know how I can resolve this problem without deactivating this option.
Have you an idea?

I have another problem with pam. I have followed the Securing Debian
Manual and put these lines into /etc/pam.d/ssh:
password required pam_cracklib.so retry=3 minlen=8 difok=3
password required pam_unix.so use_authok nullok md5

And commented out this:
password required pam_unix.so

I have installed libpam-cracklib and I have chosen MD5 passwords during
the installation. But I have this error when I want to change a password:
passwd: Critical error - immediate abort

I have made a stupid error, I think, but could someone explain to me why I
have this error? ;)

Thanks for your help...
Arnaud Fontaine 

- signature
Arnaud Fontaine [EMAIL PROTECTED] - http://www.andesi.org/
GnuPG Public Key available at http://www.andesi.org/gpg/dsdebian.asc
Fingerprint: 22B6 B676 332E 23BC CA7D 174D 6D41 235A 23A2 500A

-- fortune
Momma always said: There is only so much fortune a man
really needs - and the rest is for showin' off 

Forrest Gump




Re: Grsecurity and ssh

2003-12-05 Thread Florian Weimer
Arnaud Fontaine wrote:

 Now i would like to use the GNU/Linux kernel with grsecurity patch. I
 have compiled and installed this kernel but when i want to log into the
 system via ssh (the service start also), i have the following error due
 to grsecurity:
 grsec: denied attempt to double chroot to /[...] by (sshd:14334) UID(0)
 EUID(0), parent (sshd:20587) UID(0) EUID(0)

The privilege separation code invokes chroot(), too.

Is there a "do not create any new file descriptors" process attribute in
grsecurity?  If there is, OpenSSH should toggle it instead of calling
chroot() to an empty directory, which is a poor replacement.



Re: [SECURITY] [DSA-403-1] userland can access Linux kernel memory

2003-12-05 Thread Florian Weimer
Adam ENDRODI wrote:

 Just a humble question: how the average user who doesn't use the
 kernel sources provided by Debian and cannot follow lk should have
 known about the bug?  The changelog read ``Add TASK_SIZE check to
 do_brk()'', there's no indication that it's a security fix.
 
 I'm really curious how you cope with it.

Usually, kernel security issues are resolved in the following way:

  * bugs are discovered

  * some vendor is notified (it used to be a Red Hat employee)

  * all active branches are fixed in BK, with cryptic log messages

  * vendors prepare release

  * next official stable kernel is released

  * vendors release advisories

  * now it's clear that the official release contains security fixes

Keep in mind that there is no official security contact for the kernel,
and no established bug handling procedure.  Time to fix is now measured
in months, and official kernel release schedules do not take security
issues into account (nowadays, not even critical data loss mandates a
coordinated emergency release).

In short: Don't run official, unpatched kernels.  Use vendor kernels.



Re: extrange passwd behaviour

2003-12-05 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Don't know why and for which Debian versions it is the default; I have some mixed
 ones.
 
 Why? Because it uses DES and DES uses 56 bit keys. Eight 7 bit chars
 give you exactly 56 bits...

*lol*

I was talking about: I don't know why it is the default to use insecure crypt() 
instead of md5.

But I can think of something like compatibility (to what?) :)

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/



rsync attempts?

2003-12-05 Thread Igor Mozetic

I see repeated attempts to connect to my public rsync Debian server:

Dec  6 00:20:01 rsync connection attempt from 217.21.40.1 
(217.21.40.1:29558-x.x.x.x:873)

rsync and kernel are patched, but I wonder if there is anything
one can do to identify/catch/??? a potential intruder.

-Igor



Kernel signed binaries

2003-12-05 Thread Steve Kemp

  As part of a lockdown system I'm interested in setting up a system
 which will only allow the execution of signed binaries.

  There are a couple of different implementations of this I've seen
 the most promising and up to date appears to be 'digsig'[0].

  Has anybody used anything similar, or have any pointers to 
 other implementations?

Steve
--
[0] = http://disec.sourceforge.net/



Re: rsync attempts?

2003-12-05 Thread George Georgalis
On Sat, Dec 06, 2003 at 12:25:09AM +0100, Igor Mozetic wrote:

I see repeated attempts to connect to my public rsync Debian server:

Dec  6 00:20:01 rsync connection attempt from 217.21.40.1 
(217.21.40.1:29558-x.x.x.x:873)

rsync and kernel are patched, but I wonder if there is anything
one can do to identify/catch/??? a potential intruder.

Some ISPs will respond to complaints if their customers are staging
attacks; most don't. You will want to script some kind of reporting
tool; use whois to find the owner of the subnet... In this case they may
do something about it: Belarusian State University

There is aris too:

Package: aris-extractor
Priority: optional
Section: admin
Installed-Size: 164
Maintainer: Matt Zimmerman [EMAIL PROTECTED]
Architecture: i386
Version: 1.6.2-4
Depends: debconf, libc6 (= 2.2.4-4), libcurl2-ssl (= 7.9.5-1), libssl0.9.6, 
libstdc++2.10-glibc2.2
Recommends: snort
Filename: pool/main/a/aris-extractor/aris-extractor_1.6.2-4_i386.deb
Size: 38072
MD5sum: 7e95297b99c3725d60c94f8a24acebb0
Description: Scan system logs for security incidents and report them to ARIS
 The Attack Registry and Intelligence Service (ARIS) is a free,
 user-integrated attack-trending system hosted by SecurityFocus that
 allows administrators and operators of Intrusion Detection Systems
 (IDSs) to track, evaluate and respond to security alerts and attacks
 in a proactive manner.
 .
 As an integral piece of the ARIS Analzyer service, SecurityFocus's
 open-source ARIS Extractor utility distills data provided by IDS
 attack-list logs to build client portfolios that provide meaningful,
 graphical analysis of potentially malicious network incidents. By
 filtering out insignificant or benign data and converting it to a
 common format (xml), ARIS Extractor streamlines incident reporting
 for both security professionals and home users in a way that allows
 IDS operators to focus only on relevant attacks and
 incidents. Additionally, ARIS Extractor ensures client
 confidentiality through secure file-transfer protocols and optional
 IP address suppression.


// George

-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027    IXOYE
Security Services, Web, Mail,               mailto:[EMAIL PROTECTED] 
Multimedia, DB, DNS and Metrics.            http://www.galis.org/george
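A minimal version of the reporting tool George suggests, added here as an example rather than anything either poster ran: it parses rsync connection-attempt lines in the format Igor quoted, aggregates them per source address and produces lines ready to paste into an abuse complaint. The sample log lines are constructed, and the "->" inside the socket tuple is an assumption (the archive shows a bare "-").

```python
import re
from datetime import datetime

# Constructed sample lines in the format Igor quoted; the "->" between the two
# socket addresses is an assumption (the archive shows a bare "-").
SAMPLE_LOG = """\
Dec  6 00:20:01 rsync connection attempt from 217.21.40.1 (217.21.40.1:29558->x.x.x.x:873)
Dec  6 00:20:31 rsync connection attempt from 217.21.40.1 (217.21.40.1:29571->x.x.x.x:873)
Dec  6 00:21:02 rsync connection attempt from 217.21.40.1 (217.21.40.1:29590->x.x.x.x:873)
Dec  6 00:25:44 rsync connection attempt from 192.0.2.7 (192.0.2.7:40001->x.x.x.x:873)
Dec  6 00:26:00 sshd[123]: Accepted publickey for igor from 192.0.2.9 port 5000 ssh2
"""

# Matches only rsync connection-attempt lines; anything else in the log is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) rsync connection attempt from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) \((?P=src):(?P<sport>\d+)-+>?"
    r"(?P<dst>[\w.]+):(?P<dport>\d+)\)$")

def parse_attempts(text):
    """One dict per matching line; syslog has no year, so the default year is used."""
    out = []
    for m in filter(None, (LINE_RE.match(l.strip()) for l in text.splitlines())):
        out.append({"when": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
                    "src": m.group("src"), "sport": int(m.group("sport"))})
    return out

def summarize(attempts):
    """Aggregate per source address: count, first/last seen, source ports used."""
    by_src = {}
    for a in attempts:
        s = by_src.setdefault(a["src"], {"count": 0, "first": None, "last": None, "sports": set()})
        s["count"] += 1
        s["first"] = a["when"] if s["first"] is None else min(s["first"], a["when"])
        s["last"] = a["when"] if s["last"] is None else max(s["last"], a["when"])
        s["sports"].add(a["sport"])
    return by_src

def flagged_sources(summary, threshold=3):
    """Sources with at least `threshold` attempts, busiest first."""
    hits = [src for src, s in summary.items() if s["count"] >= threshold]
    return sorted(hits, key=lambda src: -summary[src]["count"])

def report_lines(summary, threshold=3):
    """Text for an abuse complaint; the whois lookup of the netblock owner is left to the operator."""
    fmt = "%b %d %H:%M:%S"
    return ["%s: %d rsync connection attempts between %s and %s (source ports %s)"
            % (src, summary[src]["count"], summary[src]["first"].strftime(fmt),
               summary[src]["last"].strftime(fmt),
               ", ".join(str(p) for p in sorted(summary[src]["sports"])))
            for src in flagged_sources(summary, threshold)]
```

Feed it the rsync log instead of SAMPLE_LOG and raise the threshold to whatever counts as "repeated" on your server; a single attempt from a public mirror's client is not worth a complaint.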