Re: help: no suitable connection for peer
> hi, I'm trying to make a test lan with a vpn gateway running
> openswan 2.3 with debian woody.
>
> this is my sample lan:
>
>...
>
>
> Can anybody help me with this connection setup?
>
> greets
>
> Rodrigo
>

Dear Rodrigo,

I think your question is out of scope for this mailing list. Please check the description of the list at http://lists.debian.org/debian-security/ . Your question would be more appropriate for the user's mailing list, or alternatively try an openswan mailing list.

Should you wish to try different alternatives for setting up your VPN, check these out: http://www.ontko.com/~nathanst/linux_vpns.html (and mentions whether or not something is in Debian).

Regards from your friends,
Roger & google

P.S. List, if I'm mistaken wrt the scope of this list, please correct me.

--
Under capitalism, man exploits man. Under communism, it's just the opposite.
J.K.Galbraith

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: patched 2.4.18 woody kernel image packages
On Wed, 2 Feb 2005 at 22:35:44 +, Harald Krammer wrote:
> Brett Hamilton wrote:
> > These kernel packages have been installed and appear to function well, but
> > they are still rather new and come with no warranty. Feel free to give
> > them a try, and let me know if you experience any problems.
> >
> > http://linux.simple.be/debian/package/
>
> Is only the uselib() root exploit fixed ?

Yes, see bug #289708. It's based on upstream fixes made shortly before the release of 2.4.29.

S.
Re: patched 2.4.18 woody kernel image packages
Hi,

I tested the kernel with success. :)

Is only the uselib() root exploit fixed ?
I looked at http://www.isec.pl/vulnerabilities.html and also saw another problem, and I think this should be solved ( kernel-image-2.4.18-1-686-smp can be affected).

On http://www.isec.pl/vulnerabilities04.html you can see more problems, which we should check.

Is a list of all security problems available ? (reading all the ChangeLogs is not really helpful)

I hope on 2.6 with the new as-tree (e.g. 2.6.10-as2) , we will get a collection of all security problems and it is easier to handle.

Nice greetings,
Harald

Brett Hamilton wrote:
> Dear Debian Users,
>
> Due to the delay of security updated debian woody 2.4.18 kernels, I have applied Simon Heywood's patch to the kernel-source-2.4.18 (ver 14.3) and am making deb packages available for 386 and 686.
>
> These kernels have been tested to stop the uselib() kernel root exploit.
> http://isec.pl/vulnerabilities/isec-0021-uselib.txt
>
> We hope that this release will help improve the security on systems presently running version 13.1 of kernel-image-2.4.18.
>
> These kernel packages have been installed and appear to function well, but they are still rather new and come with no warranty. Feel free to give them a try, and let me know if you experience any problems.
>
> http://linux.simple.be/debian/package/
>
> Thanks,
> --Brett

--
Harald Krammer
Brucknerstrasse 33
A - 4020 Linz
AUSTRIA
Mobil +43.(0) 664. 130 59 58
Mail: [EMAIL PROTECTED]

Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
help: no suitable connection for peer
hi, I'm trying to make a test lan with a vpn gateway running openswan 2.3 with debian woody.

this is my sample lan:

Notebook       vpn gw                       desktop
10.10.2.154    10.10.1.231 - 192.168.0.1    192.168.0.2
               eth0          eth1

my ipsec.conf:

version 2.0

config setup
        interfaces=%defaultroute
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-net
        leftsubnet=192.168.0.0/255.255.255.0
        also=roadwarrior

conn roadwarrior
        left=eth1
        leftcert=teste.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes

my ipsec.secrets

: RSA teste.key ""

I'm using Marcus Müller's ipsec.exe utility with Win Xp prof sp2. here is the ipsec.conf from xp:

conn roadwarrior
        left=%any
        right=10.10.1.231
        rightca="C=br,ST=paraiba,L=joao pessoa,O=teste,CN=teste,[EMAIL PROTECTED]"
        network=auto
        auto=start
        pfs=yes

conn roadwarrior-net
        left=%any
        right=10.10.1.231
        rightsubnet=192.168.0.0/255.255.255.0
        rightca="C=br,ST=paraiba,L=joao pessoa,O=sefin,CN=teste,[EMAIL PROTECTED]"
        network=auto
        auto=start
        pfs=yes

when I try to ping 192.168.0.1 or 192.168.0.2 or 10.10.1.321 from 10.10.2.154 I'm receiving "Negotiating IP Security" and 100% packet loss.

I'm using

iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p 51 -j ACCEPT
iptables -A OUTPUT -p 50 -j ACCEPT
iptables -A OUTPUT -p 51 -j ACCEPT
iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT

so..
my gw log gives me:

Feb 2 16:26:15 vpn pluto[3320]: packet from 10.10.2.154:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 0004]
Feb 2 16:26:15 vpn pluto[3320]: packet from 10.10.2.154:500: ignoring Vendor ID payload [FRAGMENTATION]
Feb 2 16:26:15 vpn pluto[3320]: packet from 10.10.2.154:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 0
Feb 2 16:26:15 vpn pluto[3320]: packet from 10.10.2.154:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Feb 2 16:26:15 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: responding to Main Mode from unknown peer 10.10.2.154
Feb 2 16:26:15 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: transition from state (null) to state STATE_MAIN_R1
Feb 2 16:26:15 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 2 16:26:15 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: Peer ID is ID_DER_ASN1_DN: 'C=br,ST=paraiba,L=joao pessoa,O=teste,CN=teste,[EMAIL PROTECTED]'
Feb 2 16:26:15 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: no suitable connection for peer 'C=br,ST=paraiba,L=joao pessoa,O=teste,CN=teste,[EMAIL PROTECTED]'
Feb 2 16:26:16 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: Peer ID is ID_DER_ASN1_DN: 'C=br,ST=paraiba,L=joao pessoa,O=teste,CN=teste,[EMAIL PROTECTED]'
Feb 2 16:26:16 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: no suitable connection for peer 'C=br,ST=paraiba,L=joao pessoa,O=teste,CN=teste,[EMAIL PROTECTED]'
Feb 2 16:26:18 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: Peer ID is ID_DER_ASN1_DN: 'C=br,ST=paraiba,L=joao pessoa,O=teste,CN=teste,[EMAIL PROTECTED]'
Feb 2 16:26:18 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: no suitable connection for peer 'C=br,ST=paraiba,L=joao pessoa,O=teste,CN=teste,[EMAIL PROTECTED]'
Feb 2 16:26:22 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: Peer ID is ID_DER_ASN1_DN: 'C=br,ST=paraiba,L=joao pessoa,O=teste,CN=teste,[EMAIL PROTECTED]'
Feb 2 16:26:22 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: no suitable connection for peer 'C=br,ST=paraiba,L=joao pessoa,O=teste,CN=teste,[EMAIL PROTECTED]'
Feb 2 16:26:30 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: Peer ID is ID_DER_ASN1_DN: 'C=br,ST=paraiba,L=joao pessoa,O=teste,CN=teste,[EMAIL PROTECTED]'
Feb 2 16:26:30 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: no suitable connection for peer 'C=br,ST=paraiba,L=joao pessoa,O=teste,CN=teste,[EMAIL PROTECTED]'
Feb 2 16:26:46 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: Peer ID is ID_DER_ASN1_DN: 'C=br,ST=paraiba,L=joao pessoa,O=teste,CN=teste,[EMAIL PROTECTED]'
Feb 2 16:26:46 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: no suitable connection for peer 'C=br,ST=paraiba,L=joao pessoa,O=teste,CN=teste,[EMAIL PROTECTED]'
Feb 2 16:27:18 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: encrypted Informational Exchange messag
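
Added example (editorial, not part of the original message and not Openswan's own tooling): a way to condense a pluto log like the one above into one row per rejected peer and to show which rejections were logged under a connection name that the gateway's ipsec.conf does not define. The function names and both embedded samples are constructed here in the format quoted in the message.

```shell
#!/bin/sh
# Added example, not from the original post. Both samples are constructed in
# the format of the ipsec.conf and pluto log quoted in the message.

sample_conf() {
cat <<'EOF'
conn %default
        authby=rsasig
conn roadwarrior-net
        also=roadwarrior
conn roadwarrior
        right=%any
EOF
}

sample_log() {
cat <<'EOF'
Feb 2 16:26:15 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: responding to Main Mode from unknown peer 10.10.2.154
Feb 2 16:26:15 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: Peer ID is ID_DER_ASN1_DN: 'C=br,ST=paraiba,L=joao pessoa,O=teste,CN=teste'
Feb 2 16:26:15 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: no suitable connection for peer 'C=br,ST=paraiba,L=joao pessoa,O=teste,CN=teste'
Feb 2 16:26:16 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: no suitable connection for peer 'C=br,ST=paraiba,L=joao pessoa,O=teste,CN=teste'
Feb 2 16:26:18 vpn pluto[3320]: "packetdefault"[5] 0.0.0.0/0=== ...10.10.2.154===? #5: no suitable connection for peer 'C=br,ST=paraiba,L=joao pessoa,O=teste,CN=teste'
EOF
}

# stdin: ipsec.conf. stdout: names of the conn sections it defines.
configured_conns() {
    awk '$1 == "conn" && $2 != "%default" { print $2 }'
}

# stdin: pluto syslog lines.
# stdout: count<TAB>conn<TAB>peer address<TAB>peer ID, one row per combination.
summarise_rejections() {
    awk '
    /no suitable connection for peer/ {
        conn = ""; ip = ""; id = ""
        if (match($0, /pluto\[[0-9]+\]: "[^"]+"/)) {      # "name" after the tag
            conn = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", conn); sub(/"$/, "", conn)
        }
        if (match($0, /\.\.\.[0-9.]+===/))                # ...A.B.C.D===
            ip = substr($0, RSTART + 3, RLENGTH - 6)
        if (match($0, /for peer \047[^\047]*\047/))       # quoted identity
            id = substr($0, RSTART + 10, RLENGTH - 11)
        key = conn "\t" ip "\t" id
        if (!(key in n)) order[++k] = key
        n[key]++
    }
    END { for (i = 1; i <= k; i++) printf "%d\t%s\n", n[order[i]], order[i] }'
}

# $1: space-separated conn names. stdin: rows from summarise_rejections.
# stdout: rows logged under a connection name that is not in $1.
rows_outside_config() {
    awk -F '\t' -v list="$1" '
    BEGIN { m = split(list, a, " "); for (i = 1; i <= m; i++) known[a[i]] = 1 }
    !($2 in known)'
}

# Typical use (CONF and LOG are your own files):
#   summarise_rejections < LOG |
#       rows_outside_config "$(configured_conns < CONF | tr '\n' ' ')"
```

On the constructed sample this yields a single row: three rejections of the same peer ID, all logged under "packetdefault" rather than under either roadwarrior connection.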
Re: Empty Release.gpg files and Debian Archive key for 2005
On Wed, Feb 02, 2005 at 12:21:38PM +0100, Christian Jaeger wrote:
> I feel there's a lack of a central source of information about all
> the public key related topics around Debian. I can't find any info on
> www.debian.org. I realize there is http://wiki.debian.net, maybe that
> would be a place to start such a page?

How about http://www.debian.org/doc/manuals/securing-debian-howto/ch7.en.html#s-deb-pack-sign ?

> (One should also mention the other 'solutions' out there for
> signature checking (some shellscripts are/have been floating around
> some time ago). And mention how to check source packages. ...)

Already done see above. Of course, patches and improvements are welcome.

Regards

Javier
patched 2.4.18 woody kernel image packages
Dear Debian Users,

Due to the delay of security updated debian woody 2.4.18 kernels, I have applied Simon Heywood's patch to the kernel-source-2.4.18 (ver 14.3) and am making deb packages available for 386 and 686.

These kernels have been tested to stop the uselib() kernel root exploit.
http://isec.pl/vulnerabilities/isec-0021-uselib.txt

We hope that this release will help improve the security on systems presently running version 13.1 of kernel-image-2.4.18.

These kernel packages have been installed and appear to function well, but they are still rather new and come with no warranty. Feel free to give them a try, and let me know if you experience any problems.

http://linux.simple.be/debian/package/

Thanks,
--Brett
Re: [sowood.co.uk #1151] Re: [sowood.co.uk #1150] AutoReply: [SECURITY] [DSA 662-1] New squirrelmail package fixes several vulnerabilities
On Wed, 2 Feb 2005, Tomasz Papszun via RT wrote:

>> Please stop sending automated replies to Debian mailing lists.

please, next time you (rightly) complain about noise on the list, avoid quoting a few pages of said noise just to write a one-line complaint: make sure your complaint is _at least_ as long as the noise you are quoting :)

take it easy...
Giacomo

--
_
Giacomo Mulas <[EMAIL PROTECTED]>
_
OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel. (OAC): +39 070 71180 248 Fax : +39 070 71180 222
Tel. (UNICA): +39 070 675 4916
_
"When the storms are raging around you, stay right where you are" (Freddy Mercury)
_
[sowood.co.uk #1151] Re: [sowood.co.uk #1150] AutoReply: [SECURITY] [DSA 662-1] New squirrelmail package fixes several vulnerabilities
On Wed, 02 Feb 2005 at 17:28:53 +0100, Tomasz Papszun wrote:
> On Tue, 01 Feb 2005 at 15:20:36 +, Abel wrote:
> > This message has been automatically generated in response to the creation
> > of a ticket regarding: "[SECURITY] [DSA 662-1] New squirrelmail package
> > fixes several vulnerabilities"
> [...]
>
> Please stop sending automated replies to Debian mailing lists.
>

Sorry for my unneeded remark - I have read the apology from Barney Sowood only later.

--
 Tomasz Papszun     SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]  http://www.lodz.tpsa.pl/iso/   | ones and zeros.
 [EMAIL PROTECTED]  http://www.ClamAV.net/   A GPL virus scanner
[sowood.co.uk #1151] Re: [sowood.co.uk #1150] AutoReply: [SECURITY] [DSA 662-1] New squirrelmail package fixes several vulnerabilities
On Tue, 01 Feb 2005 at 15:20:36 +, Abel wrote:
> This message has been automatically generated in response to the creation of
> a ticket regarding: "[SECURITY] [DSA 662-1] New squirrelmail package fixes
> several vulnerabilities"
>
> There is no need to reply to this message right now. Your ticket has been
> assigned an ID of [sowood.co.uk #1150].
>
> Please include the string [sowood.co.uk #1150]
> in the subject line of all future correspondence about this issue. You can do
> this by replying to this message.
>
> Thank you,
>
> [EMAIL PROTECTED]
>
> --------------------------------------------------------------------------
> Debian Security Advisory DSA 662-1                      [EMAIL PROTECTED]
> http://www.debian.org/security/                            Martin Schulze
> February 1st, 2005                     http://www.debian.org/security/faq
> --------------------------------------------------------------------------
>
> Package        : squirrelmail
> Vulnerability  : several
> Problem-Type   : remote
> Debian-specific: no
> CVE ID         : CAN-2005-0104 CAN-2005-0152
> Debian Bug     : 292714
>
> Several vulnerabilities have been discovered in Squirrelmail, a
> commonly used webmail system. The Common Vulnerabilities and
> Exposures project identifies the following problems:
>
> CAN-2005-0104
>
>     Upstream developers noticed that an unsanitised variable could
>     lead to cross site scripting.
>
> CAN-2005-0152
>
>     Grant Hollingworth discovered that under certain circumstances URL
>     manipulation could lead to the execution of arbitrary code with
>     the privileges of www-data. This problem only exists in version
>     1.2.6 of Squirrelmail.
>
> For the stable distribution (woody) these problems have been fixed in
> version 1.2.6-2.
>
> For the unstable distribution (sid) the problem that affects unstable
> has been fixed in version 1.4.4-1.
>
> We recommend that you upgrade your squirrelmail package.
>
>
> Upgrade Instructions
> --------------------
>
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 3.0 alias woody
> --------------------------------
>
>   Source archives:
>
>     http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-2.dsc
>       Size/MD5 checksum:      646 4900cffd3e5d45735f65c21476efc806
>     http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-2.diff.gz
>       Size/MD5 checksum:    21204 4614ece547701e83d640b5740bb59d51
>     http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6.orig.tar.gz
>       Size/MD5 checksum:  1856087 be9e6be1de8d3dd818185d596b41a7f1
>
>   Architecture independent components:
>
>     http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-2_all.deb
>       Size/MD5 checksum:  1840668 2d23a6986ab2862bb1acd160b5a2919c
>
>
>   These files will probably be moved into the stable distribution on
>   its next update.
>
> ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show ' and http://packages.debian.org/
>

Please stop sending automated replies to Debian mailing lists.

--
 Tomasz Papszun     SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]  http://www.lodz.tpsa.pl/iso/   | ones and zeros.
 [EMAIL PROTECTED]  http://www.ClamAV.net/   A GPL virus scanner
Re: Empty Release.gpg files and Debian Archive key for 2005
Hello.

Note: maybe replace "apt-secure" with "apt/experimental" below since the package isn't called apt-secure, it's called apt and available from experimental.

Firstly: I'm spending much more time handling apt-secure than I'd like, just because I'm not getting the relevant information. It would really help if there would be a central place for getting information. When are the new keys released, by whom, where are they announced? Ok they are released now, and I've found out where (see "wget" below), but it came as a surprise and coupled with other problems.

At 16:58 Uhr +0100 29.01.2005, Michal J. Gajda wrote:
> I'm probably not the only one to notice, that Release.gpg files for unstable and testing are empty,

Yes, I've seen that as well. (And apt-secure from experimental seemed to choke on that, it didn't give any sensible error message until I tried apt-get update -o Debug::Acquire::gpgv=yes)

> and that Debian Archive key for 2005 seems not to appear in /usr/share/apt/debian-archive.gpg.

"Hum, I thought they are, on purpose, not included there, since the archive signing keys are not maintainer keys" -- ehr, I realize you're not talking about the debian-keyring package. I wasn't aware that there's such a file on the system. Hm, it's from the apt package.

(How would I be able to upgrade to a newer apt package containing the new key if apt doesn't work anymore because of the missing key?.. apt would need the new key long before it was actually in use on the debian archives, so that users have the new key installed in time. And how to handle that when sarge is stable, will a newer apt be offered as part of security updates? Shouldn't the above keyring be offered in a package separate from apt?)

> When can I hope new Debian Archive for 2005 to appear? Who can fix the problem? Is there a workaround? (Some way to use apt and verify packages by myself?)

From what I've read in the apt-secure docs (it seems they are currently at http://www.syntaxpolice.org/apt-secure/index.html ?) you should add the key to /etc/apt/trusted.gpg.

# cd /etc/apt/
# gpg --no-default-keyring --keyring ./trusted.gpg --list-keys --with-fingerprint
..Debian Archive Automatic Signing Key (2004)..
# wget 'http://ftp-master.debian.org/ziyi_key_2005.asc'
# gpg --no-default-keyring --with-fingerprint ziyi_key_2005.asc
pub 1024D/4F368D5D 2005-01-31 Debian Archive Automatic Signing Key (2005) <[EMAIL PROTECTED]>
    Schl.-Fingerabdruck = 4C7A 8E5E 9454 FE3F AE1E 78AD F1D5 3D8C 4F36 8D5D
# gpg --no-default-keyring --keyring ./trusted.gpg --import ziyi_key_2005.asc
..Debian Archive Automatic Signing Key (2005)..importiert

At 21:03 Uhr +0100 29.01.2005, Florian Weimer wrote:
> * Michal J. Gajda:
>> When can I hope new Debian Archive for 2005 to appear? Who can fix the problem?
> I've suggested to the ftp-masters to add a new self-signature to the 2004 key as a temporary measure. This should fix the Release file signing.

Hm, I can't make any sense of this statement. If you don't have the public key, no self-signature will help at all. And even if apt-secure would fetch the key from somewhere and trust it because of some signature: if it is made right, it should complain about missing real signature. So why would a self-signature help?

I feel there's a lack of a central source of information about all the public key related topics around Debian. I can't find any info on www.debian.org. I realize there is http://wiki.debian.net, maybe that would be a place to start such a page?

- Who is doing what in the apt-secure, package archive signing keys, ...? Is there a leader?
- what's the status of apt-secure? Will it enter Debian soon? Will it later?
- it seems that other Debian based distributions are already using apt-secure (while googling, I've found a blog where someone is explaining how to solve the key issues and he didn't sound like he installed apt-secure himself). Is that true? Any links about how they are doing it?

(One should also mention the other 'solutions' out there for signature checking (some shellscripts are/have been floating around some time ago). And mention how to check source packages. ...)

---

Lastly: it seems, that currently the woody archive is broken. A Release.gpg file is there, created with the 2005 key, but its signature doesn't match the Release file.

- Is this a bug in the master server?
- Is it because not both files have been mirrored at the same time? (I'm using de.debian.org server).

Is it a general problem of apt-secure?.

Christian.
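
Added example (editorial, not part of the message above and not code from apt): the key import shown in the message, wrapped so that trusted.gpg is only touched when the downloaded file contains exactly one key and its fingerprint equals the expected value. The fingerprint is the one printed in the message and has to be confirmed through a channel other than the download itself; the function names and the colon-format sample listings are constructed here, and the gpg call mirrors the invocation used in the message with --with-colons added.

```shell
#!/bin/sh
# Added example, not from the original message. EXPECTED_FPR is the fingerprint
# printed in the message; the colon listings below are constructed samples.

EXPECTED_FPR='4C7A 8E5E 9454 FE3F AE1E 78AD F1D5 3D8C 4F36 8D5D'

sample_colons() {
cat <<'EOF'
pub:-:1024:17:F1D53D8C4F368D5D:2005-01-31:::-:Debian Archive Automatic Signing Key (2005):
fpr:::::::::4C7A8E5E9454FE3FAE1E78ADF1D53D8C4F368D5D:
EOF
}

# Same listing with a second, unexpected key bundled into the file.
sample_colons_extra() {
sample_colons
cat <<'EOF'
pub:-:1024:17:0000000000000000:2005-01-31:::-:Constructed extra key:
fpr:::::::::0000000000000000000000000000000000000000:
EOF
}

# Strip spaces and colons and upper-case the hex digits, so fingerprints
# printed in different styles compare equal.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# stdin: gpg --with-colons listing. stdout: fingerprint of each primary key
# (fpr records that follow a sub record belong to subkeys and are skipped).
primary_fprs() {
    awk -F: '$1 == "pub" { p = 1 } $1 == "sub" { p = 0 }
             $1 == "fpr" && p { print $10; p = 0 }'
}

# $1: expected fingerprint. stdin: colon listing of the downloaded file.
# Succeeds only if the file holds exactly one primary key and it is the
# expected one, so an extra key cannot ride along into the trusted keyring.
key_matches() {
    want=$(normalise_fpr "$1")
    got=$(primary_fprs)
    [ "$(printf '%s\n' "$got" | grep -c .)" -eq 1 ] || return 1
    [ "$(normalise_fpr "$got")" = "$want" ]
}

# $1: key file, $2: keyring (the message uses /etc/apt/trusted.gpg).
import_if_verified() {
    gpg --no-default-keyring --with-colons --with-fingerprint "$1" |
        key_matches "$EXPECTED_FPR" || {
            echo "fingerprint check failed, $1 not imported" >&2
            return 1
        }
    gpg --no-default-keyring --keyring "$2" --import "$1"
}

# $1: keyring, $2: Release.gpg, $3: Release. Checks the detached signature.
release_signature_ok() {
    gpgv --keyring "$1" "$2" "$3"
}
```

release_signature_ok covers the mismatch between Release.gpg and Release described at the end of the message: gpgv exits non-zero when the detached signature does not verify against the given keyring.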