Re: [SECURITY] [DSA 1565-1] New Linux 2.6.18 packages fix several vulnerabilities
This one time, at band camp, Peter Palfrader said:
> debian.org kernel packages don't however. Which makes it not exactly
> suitable for a nagios check for "is the running kernel the one on the
> filesystem".

This one time, at band camp, Noah Meyerhans said:
> I compare the ctime of the kernel image on the system with the machine's
> uptime. If the machine's been rebooted since the kernel image changed,
> we're up to date, otherwise we're still running an older kernel. The
> attached shell script shows how. You should be able to do this with a
> nagios check...

I also do some rummaging around to figure out what the meta package is
currently depending on, so that I know what version Debian currently
considers newest, then compare that to /proc/version. That only works for
etch and newer kernel images, though, so I think I'll fall back to Noah's
method for older machines.

--
Stephen Gran
[EMAIL PROTECTED]
Debian user, admin, and developer
http://www.debian.org
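The check Noah describes, written out as an added example in POSIX shell. This is my own code, not the script attached to Noah's message and not the nagios check Stephen or weasel deployed. It assumes a Debian layout where /vmlinuz points at the installed image and that the image's ctime was last set by the package install; the /proc/version line used in the comments is constructed, as is the release parser's sample input.

```shell
#!/bin/sh
# Added example (not the script from the thread): a nagios-style check that
# compares when the kernel image on disk last changed (its ctime, which a
# package upgrade resets) with when the machine booted (now minus
# /proc/uptime). If the image changed after boot, the running kernel is
# older than the one on disk and a reboot is due.

# Seconds since the epoch at which the machine booted.
boot_epoch() {
    now=$(date +%s)
    up=$(cut -d. -f1 /proc/uptime)
    echo $((now - up))
}

# Seconds since the epoch at which the kernel image last changed.
# -L follows the /vmlinuz symlink so the real image is examined.
image_change_epoch() {
    stat -L -c %Z "$1"
}

# kernel_state BOOT_EPOCH IMAGE_EPOCH
# Pure comparison, so it can be exercised without a real system: prints a
# nagios status line and returns 0 (OK) or 1 (WARNING).
kernel_state() {
    boot=$1 changed=$2
    if [ "$changed" -gt "$boot" ]; then
        echo "WARNING: kernel image changed $((changed - boot))s after boot; running kernel is stale"
        return 1
    fi
    echo "OK: kernel image unchanged since boot"
    return 0
}

# running_release PROC_VERSION_LINE
# Extract the release string (third word) from a /proc/version line, e.g. a
# constructed "Linux version 2.6.18-6-686 (Debian ...)" gives 2.6.18-6-686.
# This is the input for Stephen's second method: comparing the running
# kernel with the version the meta package currently depends on.
running_release() {
    printf '%s\n' "$1" | cut -d' ' -f3
}

# check_running_kernel [IMAGE]: the real check; exit codes follow nagios
# (0 OK, 1 WARNING, 3 UNKNOWN).
check_running_kernel() {
    image=${1:-/vmlinuz}
    if [ ! -e "$image" ]; then
        echo "UNKNOWN: $image not found"
        return 3
    fi
    kernel_state "$(boot_epoch)" "$(image_change_epoch "$image")"
}

# Invoke as `sh check_running_kernel.sh --run [image]` to perform the check;
# without --run the file only defines the functions above.
if [ "${1-}" = "--run" ]; then
    check_running_kernel "${2:-/vmlinuz}"
fi
```

Two caveats worth keeping in mind: ctime also changes on chmod or chown, so a metadata-only change on the image produces a spurious WARNING (the safe direction for a monitoring check), and the check only says whether a reboot is pending. It does not tell you whether the on-disk image is the version from the advisory, which is why Stephen pairs it with a comparison against what the meta package depends on.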
Re: apt-get may accept inconsistent data
On Mon, May 05, 2008 at 01:03:33AM +0200, Goswin von Brederlow wrote:
> I meant what Release file. Because the etch security one does have the
> md5sums of Packages in it. This has been modified too and the md5sum
> listed for the packages file has changed.
>
> > apt-get sends a http GET request for Packages.bz2. Part of this request
> > is this information:
> >
> >   Cache-Control: max-age=0
> >   If-Modified-Since: Sun, 27 Apr 2008 09:15:01 GMT
> >
> > If apt-get would send this instead, squid would work as expected:
> >
> >   Cache-Control: must-revalidate
> >   If-Modified-Since: Sun, 27 Apr 2008 09:15:01 GMT
> >
> > A possible workaround is to use apt-get update with an additional option:
> >
> >   apt-get update -o Acquire::http::No-Cache=True
>
> Apt-get should not even send an If-Modified query imho. After fetching
> the Release file it already knows with near certainty if the local file
> is current or not. It should check the checksums of the local file and
> then either keep it or fetch it. Asking If-Modified-Since can only lead
> to triggering a bug like the squid one.

You are right. There is no need to ask any proxy and to rely on the
answer, because apt-get should be able to find out what to do.

--
Stefan Tichy ( dlist at pi4tel dot de )
Re: apt-get may accept inconsistent data
Stefan Tichy [EMAIL PROTECTED] writes:

> On Mon, May 05, 2008 at 01:03:33AM +0200, Goswin von Brederlow wrote:
> > I meant what Release file. Because the etch security one does have the
> > md5sums of Packages in it. This has been modified too and the md5sum
> > listed for the packages file has changed.
> >
> > > apt-get sends a http GET request for Packages.bz2. Part of this
> > > request is this information:
> > >
> > >   Cache-Control: max-age=0
> > >   If-Modified-Since: Sun, 27 Apr 2008 09:15:01 GMT
> > >
> > > If apt-get would send this instead, squid would work as expected:
> > >
> > >   Cache-Control: must-revalidate

must-revalidate is only valid in a server response. See RFC2612 section
14.9. Using Cache-Control: max-age=0 is the correct way for a client to
force cache revalidation.

This sounds like a squid bug. You may work around it, but let's just face
it: If you accept a buggy proxy, then there is no way to ensure valid
content.

Bjørn

--
I mean, your narrow-mindedness is matched only by your narrow-mindedness
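The approach Goswin and Stefan agree on, deciding from the Release file's checksums whether the local Packages file is current instead of asking the proxy with If-Modified-Since, as an added example in POSIX shell. This is my own code, not apt's implementation. It assumes the Release file has already been fetched and its signature verified; the Release and Packages files it runs on are constructed inside the block and are not from a real mirror.

```shell
#!/bin/sh
# Added example (not apt's code): verify a cached Packages file against the
# checksum the already-verified Release file lists for it, and decide to
# keep or re-fetch it without consulting any proxy.

# release_field RELEASE SECTION PATH FIELD
# Release lists, under a section header such as "MD5Sum:" or "SHA256:",
# one indented line per file: " <hash> <size> <path>". Print field 1 (hash)
# or 2 (size) for PATH, or nothing if the section has no such entry.
release_field() {
    awk -v sec="$2:" -v path="$3" -v fld="$4" '
        $0 == sec            { insec = 1; next }  # section header line
        /^[^ ]/              { insec = 0 }        # next unindented line ends it
        insec && $3 == path  { print $fld; exit }
    ' "$1"
}

# local_file_is_current RELEASE PATH LOCALFILE
# Returns 0 when LOCALFILE's size and MD5 match the Release entry for PATH,
# 1 when either differs or the file is missing, 2 when Release has no entry.
local_file_is_current() {
    expected_md5=$(release_field "$1" MD5Sum "$2" 1)
    expected_size=$(release_field "$1" MD5Sum "$2" 2)
    [ -n "$expected_md5" ] || return 2
    [ -f "$3" ] || return 1
    actual_size=$(wc -c < "$3" | tr -d ' ')
    actual_md5=$(md5sum "$3" | cut -d' ' -f1)
    # Size first: a cheap way to spot a truncated or padded file.
    if [ "$actual_size" = "$expected_size" ] && [ "$actual_md5" = "$expected_md5" ]; then
        return 0
    fi
    return 1
}

# decide RELEASE PATH LOCALFILE: print "keep", "fetch" or "unknown".
decide() {
    local_file_is_current "$1" "$2" "$3" && { echo keep; return 0; }
    rc=$?
    case $rc in
        2) echo unknown ;;
        *) echo fetch ;;
    esac
}

# Constructed demonstration: a tiny Packages file plus a Release file that
# lists its checksum, then a modification that the check must catch.
demo_release_check() {
    dir=$(mktemp -d)
    printf 'Package: cacti\nVersion: 0.8.6i-3.3\n' > "$dir/Packages"
    md5=$(md5sum "$dir/Packages" | cut -d' ' -f1)
    size=$(wc -c < "$dir/Packages" | tr -d ' ')
    {
        printf 'Suite: stable\nCodename: etch\nMD5Sum:\n'
        printf ' %s %s main/binary-i386/Packages\n' "$md5" "$size"
        printf 'SHA1:\n'
    } > "$dir/Release"
    decide "$dir/Release" main/binary-i386/Packages "$dir/Packages"   # keep
    printf 'Package: added-after-release\n' >> "$dir/Packages"
    decide "$dir/Release" main/binary-i386/Packages "$dir/Packages"   # fetch
    decide "$dir/Release" main/binary-i386/Sources "$dir/Packages"    # unknown
    rm -rf "$dir"
}

demo_release_check
```

MD5Sum is the section the thread discusses because it is what etch's Release carried; a current repository lists SHA256 as well, and the same `release_field` reads that section when passed `SHA256` and a sha256sum is computed instead. The point the thread makes survives either way: once Release is verified, the decision to keep or fetch depends only on local data, so a broken or malicious proxy can at worst deny the update, not substitute a stale index.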
Re: [SECURITY] [DSA 1550-1] New suphp packages fix local privilege escalation
Hi,

Adrian Minta wrote:
> Try apache2-mpm-itk. Is better than suphp IMHO !

I saw it, but its description reads "Please note that this MPM is highly
experimental, and is not from the same tree as the other MPMs.", so I did
not consider using it on a production server. For what it's worth,
libapache2-mod-suphp has no such disclaimer, so I considered it safer to
use.

Anyway, I don't think a security update should break existing setups like
this one did.

Cheers,

Nicolas Boullis, slightly disappointed

PS: sorry Adrian for the duplicate message, I did not intend to send this
message privately to you.
Re: [SECURITY] [DSA 1565-1] New Linux 2.6.18 packages fix several vulnerabilities
On Mon, 05 May 2008, Bernd Eckenfels wrote:
> In article [EMAIL PROTECTED] you wrote:
> > Apropos. Is there a way to get that information from a vmlinuz file on
> > disk? Without booting it, that is.
>
> Interestingly enough my (somewhat older) file command does only print
> "x86 boot sector", but I think some magic files supported it. Otherwise
> you can use strings vmlinux | fgrep 2.

This does not appear to work well on at least armel.
Re: [SECURITY] [DSA 1565-1] New Linux 2.6.18 packages fix several vulnerabilities
On Mon, 05 May 2008, Peter Palfrader wrote:
> On Mon, 05 May 2008, Bernd Eckenfels wrote:
> > In article [EMAIL PROTECTED] you wrote:
> > > Apropos. Is there a way to get that information from a vmlinuz file
> > > on disk? Without booting it, that is.
> >
> > Interestingly enough my (somewhat older) file command does only print
> > "x86 boot sector", but I think some magic files supported it. Otherwise
> > you can use strings vmlinux | fgrep 2.
>
> This does not appear to work well on at least armel.

Or, more generally, when the kernel is compressed.

http://svn.noreply.org/svn/weaselutils/trunk/nagios-check-running-kernel
is what I deployed on .debian.org so far.

Cheers, and thanks,
weasel
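Reading the version banner out of a compressed vmlinuz without booting it, which is where plain `strings vmlinux | fgrep` gives up, as an added example in POSIX shell. This is my own code, not weasel's nagios-check-running-kernel. It assumes a gzip-compressed payload, which is what a 2.6.18-era x86 Debian image carries; the "kernel" it demonstrates on is constructed inside the block, and other compressors (bzip2, lzma, xz) would need their own magic bytes and decompressor.

```shell
#!/bin/sh
# Added example (not weasel's script): the "Linux version ..." banner sits
# inside the compressed payload of a vmlinuz, so strings(1) on the file
# cannot see it. Locate each gzip member by its magic bytes (1f 8b 08),
# inflate from that offset and grep the output for the banner.

# vmlinuz_version IMAGE: print the release string (e.g. 2.6.18-6-686) or
# return 1 when no banner can be found.
vmlinuz_version() {
    img=$1
    # grep -abo prints "<byte offset>:<match>" for every occurrence; LC_ALL=C
    # makes both the pattern and the file plain bytes rather than UTF-8.
    for off in $(LC_ALL=C grep -abo "$(printf '\037\213\010')" "$img" | cut -d: -f1); do
        # tail -c +N is 1-based. Inflate from the candidate offset; gzip will
        # complain about trailing data after the member, which is harmless.
        ver=$(tail -c "+$((off + 1))" "$img" | gzip -dc 2>/dev/null \
              | LC_ALL=C grep -ao 'Linux version [0-9][^ ]*' | head -n 1 | cut -d' ' -f3)
        if [ -n "$ver" ]; then
            echo "$ver"
            return 0
        fi
    done
    return 1
}

# build_fake_vmlinuz PATH: constructed stand-in for a kernel image, a few
# bytes of fake boot sector followed by a gzip member holding a banner.
build_fake_vmlinuz() {
    {
        printf 'FAKE-BOOT-SECTOR-PADDING'
        printf 'kernel text ... Linux version 9.9.9-constructed (none) more text' | gzip -c
    } > "$1"
}

# Demonstration on the constructed image; prints the release string.
demo_vmlinuz_version() {
    dir=$(mktemp -d)
    build_fake_vmlinuz "$dir/vmlinuz"
    vmlinuz_version "$dir/vmlinuz"
    rm -rf "$dir"
}

demo_vmlinuz_version
```

On a real image the first magic hit may be a false positive in the boot stub, which is why the loop tries every candidate offset; the banner also carries the Debian package version in parentheses, so the full grep line (not just field 3) is what you would compare against the version the meta package depends on.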
Re: [SECURITY] [DSA 1569-1] New cacti packages fix multiple vulnerabilities
hi guys,

as i alerted you on IRC, this update renders cacti unusable. see: #479618
and #479621. it's pretty clear that the upload was done without any
testing, and furthermore without first submitting a bug on the cacti
package. tsk tsk :)

sean

On Monday 05 May 2008 05:58:54 pm Thijs Kinkhorst wrote:
> Debian Security Advisory DSA-1569-1                  [EMAIL PROTECTED]
> http://www.debian.org/security/                       Thijs Kinkhorst
> May 05, 2008                          http://www.debian.org/security/faq
>
> Package        : cacti
> Vulnerability  : insufficient input sanitising
> Problem type   : remote
> Debian-specific: no
> CVE Id(s)      : CVE-2008-0783 CVE-2008-0785
>
> It was discovered that Cacti, a systems and services monitoring frontend,
> performed insufficient input sanitising, leading to cross site scripting
> and SQL injection being possible.
>
> For the stable distribution (etch), this problem has been fixed in
> version 0.8.6i-3.3.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 0.8.7b-1.
>
> We recommend that you upgrade your cacti package.
>
> Upgrade instructions
> --------------------
>
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
> Debian GNU/Linux 4.0 alias etch
> -------------------------------
>
> Source archives:
>
>   http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i.orig.tar.gz
>     Size/MD5 checksum:  1122700 341b5828d95db91f81f5fbba65411d63
>   http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.3.diff.gz
>     Size/MD5 checksum:    36683 4b795036336167be4bf6cd2ef2987114
>   http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.3.dsc
>     Size/MD5 checksum:      873 74f26b805c7cf676f573000b50230179
>
> Architecture independent packages:
>
>   http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.3_all.deb
>     Size/MD5 checksum:   959394 a9d1a594ff7d2386b28296a2c8909cd5
>
> These files will probably be moved into the stable distribution on
> its next update.
>
> ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: [EMAIL PROTECTED]
> Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
Re: [SECURITY] [DSA 1548-1] New xpdf packages fix arbitrary code execution
* Message by -Devin Carraway- from Thu 2008-04-17:
> Package        : xpdf
> Vulnerability  : multiple
> Problem type   : local (remote)
> Debian-specific: no
> CVE Id(s)      : CVE-2008-1693
[...]
> For the unstable distribution (sid), these problems were fixed in version
> 3.02-1.2.

Is that really the case? I checked the file[1] and found no traces from the
fix[2] in it.

[1] http://ftp.de.debian.org/debian/pool/main/x/xpdf/xpdf_3.02-1.3.diff.gz
[2] http://ftp.de.debian.org/debian/pool/main/x/xpdf/xpdf_3.01-9.1+etch4.diff.gz
    file debian/patches/36_CVE-2008-1693_embedded-font-typesafety.patch

Or maybe 3.02 does not need that fix (in contrast to 3.01)? But then, I
found that the patch 36_CVE-2008-1693_embedded-font-typesafety.patch can be
applied cleanly against 3.02 sources.

Thank you for a clarification.

Lasse