Bits from the Testing Security team

2005-03-15 Thread Micah Anderson
[ note: Reply-To: set to debian-devel ]

This is a quick summary of the Debian Testing Security Team[1] work
and a request for some aid to help sort out some difficult Sarge
security problems.

Contents of this message:
What the Testing Security Team has been up to
How can I leverage my powerful brain to aid you?
Let the games begin!
This is fun, how else can I help?


Background information
----------------------

The first thing the Debian Testing Security Team did was to check all
security holes since the release of Debian 3.0 to ensure that all the
holes are fixed in Sarge.

Now that this has finished, we are busy checking to make sure that
security problems that have already been fixed in unstable as well as
stable do not continue to affect testing. 

We are also dealing with new holes as they are made known. Every day
we get an updated copy of Mitre's comprehensive list of known security
problems, known affectionately as CAN numbers[2]. We've been going
through old CANs as well as the newly released CANs and checking
changelogs, advisories, test proof-of-concepts, digging out patches from
other vendors' kernels, whatever is needed to confidently determine
whether sarge is vulnerable to the particular CAN or not. We then
record our findings, file bugs, write patches, do NMUs as necessary,
track fixed packages and work with the Debian Release Managers to make
sure fixes reach testing quickly. The result of this is the Testing
Security issues page[3] which shows how many holes are unfixed (that
we know of) in testing as well as the associated bugs and Debian
package versions required to plug the hole. In addition to this, it
also indicates how many unprocessed TODO items are still remaining for
us to process.[4]

How can I leverage my powerful brain to aid you?
------------------------------------------------

I'm glad you asked! Your brain is much bigger than our individual
brains, so we need the collective help of everyone to brainstorm
solutions to some difficult remaining CANs. Our goal is to reduce our
TODO count to zero, but we need your help.

There are a few CANs that are pretty vague in their broad
applicability; they potentially cover a number of packages and we need
help figuring out which packages those would be. Bonus points if you
can tell us whether the package is affected by its associated CAN, extra
bonus points if you tell us the bug number that you filed to alert the
package maintainer of the security hole, tagged it security and added
a patch. So without further ado, here they are. If you have any
information that can help us, please follow up to debian-devel.

Let the games begin!
--------------------

1. What packages contain X.400 (CAN-2003-0565)[5]?

2. What packages contain S/MIME besides mozilla, because the current
version (mozilla 2:1.7.3) contains safe NSS 3.9.1 (CAN-2003-0564)[6]?

3. What packages modify JPEG images (CAN-2005-0406)[7]? Please limit
your answers to those packages that do not modify the EXIF thumbnail;
we don't need to hear "imagemagick" or "the gimp." If you use this jpg[8]
whose thumbnail contains a green swirl instead of the red one you can
test this. Basically, if the file is loaded into a program doing the
right thing (e.g. gimp) and saved again, the swirl in the thumbnail
turns red. If a program is doing the wrong thing (e.g. convert[9]), the
thumbnail stays green. convert exiftest.jpg -draw "rectangle 0,0
300,300 fill black" out.jpg will draw a black rectangle over the
swirl, but the thumbnail in out.jpg still has the green swirl.

4. What packages contain libtiff code (besides libtiff4 3.6.1-4 which is
not affected due to DSA-617-1)? (CAN-2004-1308)[10]?

5. What ftp programs are affected by directory traversal
vulnerabilities (CAN-2002-1345)[11]?

6. What packages in Debian are SMTP mailscanners that can be
potentially bypassed by fragmenting messages (CAN-2002-1121)[12]?

7. Is our xpdf vulnerable to CAN-2005-0206[13]?


This is fun, how else can I help?
---------------------------------

Glad you asked! Anyone with an interest in participating is welcome to
join the team, Debian Developers and others with the skills and desire
to help. The team can be contacted through its mailing list[14]. There
is a second mailing list[15] that receives commit messages to our
repository. An alioth project page[1] is also available. Have a read
of this message[16] if you are interested in participating; the
details are there about how to start helping check CANs on a regular
basis.


What do I win? huh? Huh?!
-------------------------

You get a little sticker that says:

"I donated to Sarge today!" [swirl here]

Ok, not really, but you do get our gratitude, these are annoying and
difficult. Thanks.


[1] http://secure-testing.alioth.debian.org/
[2] http://cve.mitre.org/cve/candidates/downloads/full-can.html
[3] http://merkel.debian.org/~joeyh/testing-security.html
[4] An alternate page tracks archive changes more quickly, but may be
inaccurate due 
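A defender's check for the EXIF thumbnail problem in item 3 (CAN-2005-0406): this is an added example, not code from the post or from any Debian tool. It walks a JPEG's Exif APP1 segment to the IFD1 thumbnail (tags 0x0201/0x0202, assumed LONG-typed as the Exif spec requires), so an edited file can be inspected for a stale thumbnail, and strips the segment outright; build_exif_jpeg constructs the sample JPEG used below.

```python
import struct

SOI = b"\xff\xd8"

def _segments(data):
    """Yield (marker, payload, start, end) for each marker segment before SOS.
    The 2-byte length field counts itself but not the 0xFF,marker pair."""
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:                       # SOS: entropy-coded data follows
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length], pos, pos + 2 + length
        pos += 2 + length

def find_exif_thumbnail(data):
    """Return the embedded IFD1 JPEG thumbnail bytes, or None if absent."""
    for marker, payload, _, _ in _segments(data):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]                       # offsets are relative to the TIFF header
        e = ">" if tiff[:2] == b"MM" else "<"
        ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
        n0 = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
        link = ifd0 + 2 + 12 * n0                # "next IFD" pointer after IFD0's entries
        ifd1 = struct.unpack(e + "I", tiff[link:link + 4])[0]
        if ifd1 == 0:
            return None
        n1 = struct.unpack(e + "H", tiff[ifd1:ifd1 + 2])[0]
        off = size = None
        for i in range(n1):
            tag, _, _, val = struct.unpack(e + "HHII", tiff[ifd1 + 2 + 12 * i:ifd1 + 14 + 12 * i])
            if tag == 0x0201: off = val          # JPEGInterchangeFormat
            if tag == 0x0202: size = val         # JPEGInterchangeFormatLength
        if off is not None and size:
            return tiff[off:off + size]
    return None

def strip_exif(data):
    """Return the JPEG with every Exif APP1 segment (and its thumbnail) removed."""
    out, pos = bytearray(data[:2]), 2
    for marker, payload, start, end in _segments(data):
        if not (marker == 0xE1 and payload.startswith(b"Exif\x00\x00")):
            out += data[start:end]
        pos = end
    return bytes(out + data[pos:])

def build_exif_jpeg(thumb):
    """Constructed sample: SOI, Exif APP1 with empty IFD0 and an IFD1 thumbnail, SOS, EOI."""
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + struct.pack(">HI", 0, 14)   # IFD0 -> IFD1 at 14
    tiff += struct.pack(">H", 2) + struct.pack(">HHII", 0x0201, 4, 1, 44)      # thumbnail at offset 44
    tiff += struct.pack(">HHII", 0x0202, 4, 1, len(thumb)) + struct.pack(">I", 0) + thumb
    app1 = b"Exif\x00\x00" + tiff
    return SOI + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\x00\x02" + b"\xff\xd9"
```

Comparing find_exif_thumbnail() on a file before and after an editor saved it is the automated form of the green/red swirl test described above.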

unsuscribe

2005-03-15 Thread Diego Labonia

>-- Mensaje Original --
>Date: Mon, 14 Mar 2005 17:22:59 +0100 (CET)
>To: debian-security-announce@lists.debian.org (Debian Security Announcements)
>From: [EMAIL PROTECTED] (Martin Schulze)
>Subject: [SECURITY] [DSA 693-1] New luxman packages fix local root exploit
>Reply-To: debian-security@lists.debian.org
>
>
>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA1
>
>- --
>Debian Security Advisory DSA 693-1 [EMAIL PROTECTED]
>http://www.debian.org/security/ Martin Schulze
>March 14, 2005  http://www.debian.org/security/faq
>- --
>
>Package: luxman
>Vulnerability  : buffer overflow
>Problem-Type   : local
>Debian-specific: no
>CVE ID : CAN-2005-0385
>
>Kevin Finisterre discovered a buffer overflow in luxman, an SVGA based
>PacMan clone, that could lead to the execution of arbitrary commands
>as root.
>
>For the stable distribution (woody) this problem has been fixed in
>version 0.41-17.2.
>
>For the unstable distribution (sid) this problem has been fixed in
>version 0.41-20.
>
>We recommend that you upgrade your luxman package.
>
>
>Upgrade Instructions
>--------------------
>
>wget url
>will fetch the file for you
>dpkg -i file.deb
>will install the referenced file.
>
>If you are using the apt-get package manager, use the line for
>sources.list as given below:
>
>apt-get update
>will update the internal database
>apt-get upgrade
>will install corrected packages
>
>You may use an automated update by adding the resources from the
>footer to the proper configuration.
>
>
>Debian GNU/Linux 3.0 alias woody
>--------------------------------
>
>  Source archives:
>
>http://security.debian.org/pool/updates/main/l/luxman/luxman_0.41-17.2.dsc
>  Size/MD5 checksum:  570 a55086f936bbcfe22598ac0aeb94f8da
>
> http://security.debian.org/pool/updates/main/l/luxman/luxman_0.41-17.2.diff.gz
>  Size/MD5 checksum: 7105 8719173e012bab5680d138d25e30b619
>
> http://security.debian.org/pool/updates/main/l/luxman/luxman_0.41.orig.tar.gz
>  Size/MD5 checksum:   268279 aa389327578e2d65f3f5035193e407cb
>
>  Intel IA-32 architecture:
>
>
> http://security.debian.org/pool/updates/main/l/luxman/luxman_0.41-17.2_i386.deb
>  Size/MD5 checksum:   290762 c4123222e992a37dcf609768a20e7e8f
>
>
>  These files will probably be moved into the stable distribution on
>  its next update.
>
>--------------------------------------------------------------------------------
>For apt-get: deb http://security.debian.org/ stable/updates main
>For dpkg-ftp: ftp://security.debian.org/debian-security 
>dists/stable/updates/main
>Mailing list: debian-security-announce@lists.debian.org
>Package info: `apt-cache show ' and http://packages.debian.org/
>
>
>
>-- 
>To UNSUBSCRIBE, email to [EMAIL PROTECTED]
>with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>




