Security update for Debian Testing - 2010-11-24

2010-11-23 Thread Testing Security Team
This automatic mail gives an overview of security issues that were recently 
fixed in Debian Testing. The majority of fixed packages migrate to testing 
from unstable. If this would take too long, fixed packages are uploaded to the 
testing-security repository instead. It can also happen that vulnerable 
packages are removed from Debian testing.

Migrated from unstable:
=======================
cups 1.4.4-7:
CVE-2010-2941: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2941
   http://bugs.debian.org/603344



How to update:
--------------
Make sure the line

deb http://security.debian.org squeeze/updates main contrib non-free

is present in your /etc/apt/sources.list. Of course, you also need the line
pointing to your normal squeeze mirror. You can use

aptitude update && aptitude dist-upgrade

to install the updates.


More information:
-----------------
More information about which security issues affect Debian can be found in the 
security tracker:

http://security-tracker.debian.org/tracker/

A list of all known unfixed security issues is at

http://security-tracker.debian.org/tracker/status/release/testing


-- 
To UNSUBSCRIBE, email to 
debian-testing-security-announce-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/e1pl3mr-0002e5...@soler.debian.org



Re: [SECURITY] [DSA-2125-1] New openssl packages fix buffer overflow

2010-11-23 Thread Martin Bretschneider

On 22.11.2010 21:17, Stefan Fritsch wrote:

I would update it anyway; TLS is used on mira for email and by openvpn on vpn.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2125-1                  secur...@debian.org
http://www.debian.org/security/                           Stefan Fritsch
November 22, 2010                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package: openssl
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
Debian Bug : 603709
CVE Id(s)  : CVE-2010-3864

A flaw has been found in the OpenSSL TLS server extension code parsing
which on affected servers can be exploited in a buffer overrun attack.
This allows an attacker to cause an application crash or potentially to
execute arbitrary code.

However, not all OpenSSL based SSL/TLS servers are vulnerable: A server
is vulnerable if it is multi-threaded and uses OpenSSL's internal caching
mechanism.  In particular the Apache HTTP server (which never uses OpenSSL
internal caching) and Stunnel (which includes its own workaround) are NOT
affected.

This upgrade fixes this issue. After the upgrade, any services using the
openssl libraries need to be restarted. The checkrestart script from the
debian-goodies package or lsof can help to find out which services need
to be restarted.

A note to users of the tor packages from the Debian backports or Debian
volatile: This openssl update causes problems with some versions of tor.
You need to update to tor 0.2.1.26-4~bpo50+1 or 0.2.1.26-1~lennyvolatile2,
respectively. The tor package version 0.2.0.35-1~lenny2 from Debian stable
is not affected by these problems.

For the stable distribution (lenny), the problem has been fixed in
openssl version 0.9.8g-15+lenny9.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 0.9.8o-3.

We recommend that you upgrade your openssl packages.

Upgrade instructions
- --------------------

wget url
 will fetch the file for you
dpkg -i file.deb
 will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
 will update the internal database
apt-get upgrade
 will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny (stable)
- -----------------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g.orig.tar.gz
  Size/MD5 checksum:  3354792 acf70a16359bf3658bdfb74bda1c4419
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9.dsc
  Size/MD5 checksum:     1973 1efb69f23999507bf2e74f5b848744af
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9.diff.gz
  Size/MD5 checksum:    60451 9aba44ed40b0c9c8ec82bd6cd33c44b8

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_alpha.deb
  Size/MD5 checksum:  2583248 3b3f0cbec4ec28eb310466237648db8f
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_alpha.deb
  Size/MD5 checksum:  1028998 79fe8cdd601aecd9f956033a04fb8da5
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_alpha.udeb
  Size/MD5 checksum:   722114 a388304bf86381229c306e79a5e85bf8
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_alpha.deb
  Size/MD5 checksum:  2814160 e0f6fc697f5e9c87b44aa15eb58c3ea8
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_alpha.deb
  Size/MD5 checksum:  4369318 c3cf8c7ec27f86563c34f45e986e17c4

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_amd64.deb
  Size/MD5 checksum:   975850 778916e8b0df8e216121cd5185d7ca43
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_amd64.deb
  Size/MD5 checksum:  2243180 ff6a898ccd6fb49d5fbec9f4bd3cb6da
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_amd64.udeb
  Size/MD5 checksum:   638414 9ea111d66ac5f394d35fb69defa5dd27
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_amd64.deb
  Size/MD5 checksum:  1627632 9f08e1da5cf9279cee4700e89dc6ee6d
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_amd64.deb
  Size/MD5 checksum:  1043320 9ada82a7417c0d714a38c3a7184c2401

arm 
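
The advisory quoted above says that after the upgrade every service still using the old openssl libraries must be restarted, and points at checkrestart or lsof to find them. The script below is an added example and is not part of the advisory, of debian-goodies or of the original thread. It uses the same signal those tools rely on: once dpkg has replaced libssl0.9.8, a process that still maps the old file shows that mapping as "(deleted)" in /proc/<pid>/maps. The function names, the PROC_ROOT parameter and the constructed sample /proc tree are assumptions made for this example.

```sh
#!/bin/sh
# Added example: find processes that still map a replaced libssl/libcrypto
# (Linux /proc layout assumed). Run as root on a live system so that every
# process's maps file is readable: stale_ssl_procs

# Print "pid name" for each process with a stale libssl/libcrypto mapping.
# $1: proc root (default /proc); $2: ERE for the library name (default libssl|libcrypto)
stale_ssl_procs() {
    proc_root="${1:-/proc}"
    pattern="${2:-libssl|libcrypto}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid_dir="${maps%/maps}"
        pid="${pid_dir##*/}"
        # Only library paths, e.g. "/usr/lib/libssl.so.0.9.8 (deleted)"
        if grep -E "/(${pattern})[^ ]*\.so[^ ]* \(deleted\)$" "$maps" >/dev/null 2>&1; then
            name="unknown"
            [ -r "$pid_dir/comm" ] && name=$(cat "$pid_dir/comm")
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# Number of affected processes; usable as a monitoring metric or exit code.
stale_ssl_count() {
    stale_ssl_procs "$@" | wc -l | tr -d ' '
}

# Constructed sample /proc tree (hypothetical pids and names) so the example
# runs without root and without a real library upgrade.
make_sample_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/101" "$root/202" "$root/303"
    printf 'exim4\n'   > "$root/101/comm"
    printf 'openvpn\n' > "$root/202/comm"
    printf 'sshd\n'    > "$root/303/comm"
    # 101 still maps the unlinked libssl
    cat > "$root/101/maps" <<'EOF'
7f0000000000-7f0000100000 r-xp 00000000 08:01 1234 /usr/lib/libssl.so.0.9.8 (deleted)
7f0000200000-7f0000300000 r-xp 00000000 08:01 5678 /lib/libc-2.7.so
EOF
    # 202 still maps the unlinked libcrypto
    cat > "$root/202/maps" <<'EOF'
7f0000000000-7f0000100000 r-xp 00000000 08:01 1235 /usr/lib/libcrypto.so.0.9.8 (deleted)
EOF
    # 303 was already restarted and maps the current files
    cat > "$root/303/maps" <<'EOF'
7f0000000000-7f0000100000 r-xp 00000000 08:01 9999 /usr/lib/libssl.so.0.9.8
7f0000200000-7f0000300000 r-xp 00000000 08:01 9998 /usr/lib/libcrypto.so.0.9.8
EOF
    printf '%s\n' "$root"
}

# Demonstration on the constructed tree; prints "101 exim4" and "202 openvpn".
sample=$(make_sample_proc)
stale_ssl_procs "$sample"
rm -rf "$sample"
```

The match is deliberately anchored on the shared-object name followed by "(deleted)", so a process that merely has a deleted temporary file open is not reported; only processes whose old libssl or libcrypto text is still mapped are listed, which is exactly the set the advisory says must be restarted.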

Hardening Debian

2010-11-23 Thread Daniel Hood
Does anyone have a good checklist or script to harden a vanilla debian
box after installation?

Dan


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/aanlktinouo_zt2xdva+2v7t-cfobzr81fndnmr0hw...@mail.gmail.com



Re: Hardening Debian

2010-11-23 Thread CHACO
On Tue, Nov 23, 2010 at 5:48 PM, Daniel Hood dsmh...@gmail.com wrote:

 Does anyone have a good checklist or script to harden a vanilla debian
 box after installation?



http://www.debian.org/doc/manuals/securing-debian-howto/

-- 
Diego Chacón Rojas
diego.cha...@gmail.com
San Jose Costa Rica

.-.
/v\L   I   N   U   X
   // \\
  /(   )\
^^-^^
This is Unix-Land. In quiet nights, you can hear the Windows machines
reboot
USER350910
MACHINE 244435
Do not send me e-mails in proprietary formats
http://www.gnu.org/philosophy/no-word-attachments.es.html
http://www.debian.org/intro/about.es.html


Re: Hardening Debian

2010-11-23 Thread Julien Reveret
 On Tue, Nov 23, 2010 at 5:48 PM, Daniel Hood dsmh...@gmail.com wrote:

 Does anyone have a good checklist or script to harden a vanilla debian
 box after installation?



 http://www.debian.org/doc/manuals/securing-debian-howto/


RTFM is the law; the Securing Debian HOWTO is a good start. On top of
that, I guess the use of a tool such as lynis[1] can help you. There are
other scripts like this one: http://code.google.com/p/unix-privesc-check/

[1] http://www.rootkit.nl/projects/lynis.html or aptitude install lynis



-- 
Archive: 
http://lists.debian.org/dac7576c8117fe2beb3770b8b407ce8d.squir...@www.c0a8.org