Re: goals for hardening Debian: ideas and help wanted
On Tue, Apr 29, 2014 at 11:35:26AM +0800, Paul Wise wrote:
> On Tue, Apr 29, 2014 at 8:07 AM, Marko Randjelovic wrote:
>
> > - security patches should be clearly marked as such in every *.patch
> > file
>
> That sounds like a good idea, could you add it to the wiki page?

It's not always easy to say whether a patch is security relevant, but for the obvious ones (e.g. those with a CVE assigned) I put them into debian/patches/security and noticed other packages doing the same. This makes it simple to distinguish them in e.g. gitweb without having to look into every patch for the DEP-3 header.

Cheers,
 -- Guido

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140429065533.ga3...@bogon.m.sigxcpu.org
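The two conventions Guido mentions (a debian/patches/security/ subdirectory, and a CVE identifier in the DEP-3 header) can be checked mechanically. The following script is an added example, not code from this thread or from any Debian tool: it reads a quilt-style debian/patches/series, parses each patch's DEP-3 header, and reports why a patch counts as security-relevant. The sample patch tree is constructed inline (the CVE numbers are the openswan ones quoted elsewhere in this thread; the file names, authors, paths and hunk contents are made up for illustration), so it runs offline.

```python
"""Flag security-relevant patches in a Debian source package's debian/patches.

Added example, not code from the thread or from Debian tooling. Heuristics:
a patch under debian/patches/security/ counts as a security patch, and so
does one whose file name or DEP-3 header references a CVE identifier.
"""
import os
import re
import tempfile

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# DEP-3 / git-format-patch header fields that can carry a CVE reference.
DEP3_TEXT_FIELDS = ("description", "subject", "origin", "bug", "bug-debian", "forwarded")

# Constructed sample tree: names, authors, paths and hunks are invented;
# the CVE numbers are the ones from the openswan changelog quoted in the thread.
SAMPLE_PATCHES = {
    "series": "fix-typo.patch\nsecurity/CVE-2013-6466.patch\n0003-atodn-bounds.patch\n",
    "fix-typo.patch": (
        "Description: Fix a typo in the man page\n"
        "Author: Jane Doe <jane@example.org>\n"
        "--- a/doc/foo.1\n+++ b/doc/foo.1\n@@ -1 +1 @@\n-recieve\n+receive\n"
    ),
    "security/CVE-2013-6466.patch": (
        "Description: Fix pre-authentication remote denial of service in the IKEv2 daemon\n"
        " Upstream fix for CVE-2013-6466.\n"
        "Origin: upstream\n"
        "Bug-Debian: https://bugs.debian.org/737406\n"
        "--- a/programs/pluto/ikev2.c\n+++ b/programs/pluto/ikev2.c\n@@ -1 +1 @@\n-old\n+new\n"
    ),
    "0003-atodn-bounds.patch": (
        "From: Jane Doe <jane@example.org>\n"
        "Subject: [PATCH] Bounds-check atodn()/atoid() input (CVE-2013-2053)\n"
        "\n"
        "The length of the DN string was not validated before copying.\n"
        "---\n lib/atodn.c | 2 +-\n"
        "--- a/lib/atodn.c\n+++ b/lib/atodn.c\n@@ -1 +1 @@\n-old\n+new\n"
    ),
}


def parse_dep3_header(text):
    """Return the header fields of a patch as {lowercased name: value}.

    Handles DEP-3 "Field: value" lines with space-indented continuation
    lines, and git-format-patch style free text after the first blank
    line, which is folded into "description". Parsing stops at the first
    "---", "diff " or "Index:" line, where the actual diff begins.
    """
    fields = {}
    current = None
    in_long_desc = False
    for line in text.splitlines():
        if line.startswith(("---", "diff ", "Index:")):
            break
        if in_long_desc:
            fields["description"] = (fields.get("description", "") + " " + line.strip()).strip()
            continue
        if not line.strip():
            in_long_desc = True
            continue
        m = re.match(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$", line)
        if m:
            current = m.group(1).lower()
            fields[current] = (fields.get(current, "") + " " + m.group(2)).strip()
        elif current and line[0] in " \t":
            fields[current] = (fields[current] + " " + line.strip()).strip()
    return fields


def classify_patches(patch_dir):
    """Map each patch in debian/patches/series to the reasons it is
    considered security-relevant (an empty list means an ordinary patch)."""
    with open(os.path.join(patch_dir, "series")) as fh:
        names = [ln.split()[0] for ln in fh if ln.strip() and not ln.startswith("#")]
    result = {}
    for name in names:
        reasons = []
        if name.startswith("security/"):
            reasons.append("in debian/patches/security/")
        if CVE_RE.search(name):
            reasons.append("CVE in file name")
        with open(os.path.join(patch_dir, name), encoding="utf-8", errors="replace") as fh:
            header = parse_dep3_header(fh.read())
        for field in DEP3_TEXT_FIELDS:
            cves = sorted(set(CVE_RE.findall(header.get(field, ""))))
            if cves:
                reasons.append("%s mentions %s" % (field, ", ".join(cves)))
        result[name] = reasons
    return result


def write_sample_tree(root):
    """Materialise the constructed sample patches under root."""
    for rel, content in SAMPLE_PATCHES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def scan_sample():
    """Run the classifier over the constructed sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        patch_dir = os.path.join(tmp, "debian", "patches")
        write_sample_tree(patch_dir)
        return classify_patches(patch_dir)


if __name__ == "__main__":
    for patch, why in scan_sample().items():
        detail = ("  (" + "; ".join(why) + ")") if why else ""
        print("%s %s%s" % ("SECURITY" if why else "regular ", patch, detail))
```

Point classify_patches() at a real unpacked source package's debian/patches directory to get the same report; patches that carry no CVE and live outside security/ come back with an empty reason list, which is exactly the case Guido says is hard to decide by hand.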
Re: goals for hardening Debian: ideas and help wanted
On Tue, Apr 29, 2014 at 8:07 AM, Marko Randjelovic wrote:

> - security patches should be clearly marked as such in every *.patch
> file

That sounds like a good idea, could you add it to the wiki page?

> - easy create and run programs from chroot and alternate users

Could you detail what you mean by this? It sounds like you want either virtual machines or something like docker.io:

https://packages.debian.org/sid/docker.io

> - apt-get should automaticaly check checksums

That happens now. If you find an instance where it does not, please file a severity serious bug report on apt with enough detail for the maintainers to debug and fix it.

https://www.debian.org/Bugs/Reporting

--
bye,
pabs

http://wiki.debian.org/PaulWise

Archive: https://lists.debian.org/caktje6fk8+7x-hrhnv-+jhn2yrnkouobgzy6c7hsg5e3oze...@mail.gmail.com
Re: L2TP/IPSec on Mac OSX stop working after openswan upgrade [with patches]
On Tue, 2014-04-29 at 08:23 +0800, Liu DongMiao wrote:
> Related bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744717
>
> From the changelog of Debian, I know that you are the maintainer of
> openswan in Debian:
> openswan (1:2.6.37-3+deb7u1) wheezy-security; urgency=high
> * Non-maintainer upload by the Security Team.

Actually, as the changelog said, I'm *not* the maintainer; I did the upload as a security team member.

We'll issue a regression fix update to handle this case (and another one). Can you please provide all the information (including any patch) to that bug report?

Regards,
--
Yves-Alexis

signature.asc (digitally signed message part)
Re: L2TP/IPSec on Mac OSX stop working after openswan upgrade [with patches]
--
Best regards,
Liu DongMiao

Attachment: openswan_osx_nat_d_baddraft.patch

2014-04-29 8:23 GMT+08:00 Liu DongMiao:
> Dear Yves-Alexis Perez and Debian Security Team,
>
> Related bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744717
>
> From the changelog of Debian, I know that you are the maintainer of
> openswan in Debian:
>
> openswan (1:2.6.37-3+deb7u1) wheezy-security; urgency=high
>   * Non-maintainer upload by the Security Team.
>   * debian/patches:
>     - CVE-2013-2053 added, fix pre-authentication buffer overflow in atodn() /
>       atoid() (CVE-2013-2053). closes: #709144
>     - CVE-2013-6466 added, fix pre-authentication remote denial of service in
>       IKEv2 daemon (CVE-2013-6466). closes: #737406
>  -- Yves-Alexis Perez  Sun, 23 Mar 2014 16:12:16 +0100
>
> After upgrading openswan in wheezy to 1:2.6.37-3+deb7u1, I found
> that I cannot connect to IPsec from Mac OS X and iOS any more. And
> some other people have encountered the same problem as me:
> http://superuser.com/questions/740545/l2tp-ipsec-stopped-working-after-openssl-upgrade
> (however, the subject there is a misunderstanding).
>
> After checking the patch, I found that it's CVE-2013-6466.patch; it
> removes the compatibility code for Mac OS X and iOS, which use a bad
> draft. Now I have fixed this and tested on Mac OS X and iOS. However,
> I didn't test on other platforms, such as Linux or Windows.
>
> I'm attaching the patch, and if you cannot see it, you can download it
> from http://piebridge.me/openswan_osx_nat_d_baddraft.patch
>
> --
> Best regards,
> Liu DongMiao
L2TP/IPSec on Mac OSX stop working after openswan upgrade [with patches]
Dear Yves-Alexis Perez and Debian Security Team,

Related bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744717

From the changelog of Debian, I know that you are the maintainer of openswan in Debian:

openswan (1:2.6.37-3+deb7u1) wheezy-security; urgency=high
  * Non-maintainer upload by the Security Team.
  * debian/patches:
    - CVE-2013-2053 added, fix pre-authentication buffer overflow in atodn() /
      atoid() (CVE-2013-2053). closes: #709144
    - CVE-2013-6466 added, fix pre-authentication remote denial of service in
      IKEv2 daemon (CVE-2013-6466). closes: #737406
 -- Yves-Alexis Perez  Sun, 23 Mar 2014 16:12:16 +0100

After upgrading openswan in wheezy to 1:2.6.37-3+deb7u1, I found that I cannot connect to IPsec from Mac OS X and iOS any more. And some other people have encountered the same problem as me:
http://superuser.com/questions/740545/l2tp-ipsec-stopped-working-after-openssl-upgrade
(however, the subject there is a misunderstanding).

After checking the patch, I found that it's CVE-2013-6466.patch; it removes the compatibility code for Mac OS X and iOS, which use a bad draft. Now I have fixed this and tested on Mac OS X and iOS. However, I didn't test on other platforms, such as Linux or Windows.

I'm attaching the patch, and if you cannot see it, you can download it from http://piebridge.me/openswan_osx_nat_d_baddraft.patch

--
Best regards,
Liu DongMiao

Archive: https://lists.debian.org/CACTknu8_eM-bzzi5_x=qCQc7JSu=slegssjmtnycm+zrbvg...@mail.gmail.com
Re: goals for hardening Debian: ideas and help wanted
On Thu, 24 Apr 2014 10:57:39 +0800, Paul Wise wrote:

> Hi all,
>
> I have written a non-exhaustive list of goals for hardening the Debian
> distribution, the Debian project and computer systems of the Debian
> project, contributors and users.
>
> https://wiki.debian.org/Hardening/Goals
>
> If you have more ideas, please add them to the wiki page.
>
> If you have more information, please add it to the wiki page.
>
> If you would like to help, please choose an item and start work.

- security patches should be clearly marked as such in every *.patch file
- easy create and run programs from chroot and alternate users
- apt-get should automatically check checksums

--
http://markorandjelovic.hopto.org

One should not be afraid of humans.
Well, I am not afraid of humans, but of what is inhuman in them.

Ivo Andric, "Signs near the travel-road"

Archive: https://lists.debian.org/20140429020744.26376...@eunet.rs
RE: [SECURITY] [DSA 2916-1] libmms security update
Can you please provide the original URL for this advisory?

Thanks;
AT&T Advisory Group

-----Original Message-----
From: Moritz Muehlenhoff [mailto:j...@debian.org]
Sent: Monday, April 28, 2014 12:47 PM
To: debian-security-annou...@lists.debian.org
Subject: [SECURITY] [DSA 2916-1] libmms security update
Importance: High

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2916-1                   secur...@debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
April 28, 2014                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libmms
CVE ID         : CVE-2014-2892

Alex Chapman discovered that a buffer overflow in processing "MMS over HTTP" messages could result in the execution of arbitrary code.

For the oldstable distribution (squeeze), this problem has been fixed in version 0.6-1+squeeze2.

For the stable distribution (wheezy), this problem has been fixed in version 0.6.2-3+deb7u1.

For the unstable distribution (sid), this problem has been fixed in version 0.6.2-4.

We recommend that you upgrade your libmms packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTXoWvAAoJEBDCk7bDfE424hkP/jUv5rBxjQmzJPaqqfzLAvDz
Zz98k1lw5+BoXBlWF8OiabNm7oVJYGbJOPwFMwJXnOWNvY3g8PvSn332mefXnyqC
y2cMnyLR3OBMe7XM3dQZbKveyVhq7a1lrig002+Leihihcomlq/1BE+F3mrTpix0
nbWMW1kliXG/c2IpHprJNOdNMGZaA4+wtHrBIvpmJ5B3zw48YSKpq3TvuvsLdYr8
BzKzdcF0nHQ7oRpSKnpuk4IEj0cWKLkt8oo+9LCQS0UwW3vGg0sx5rqZpbGIOLyz
a88fDOJGTE8EnNz5svuYNGcK1Rp6ovGS0e7OFt12NEjdZuGF96n7bIoonx4qO5Uz
4SChgNqC8pCpCqMbBfn79wpkSVijak7MYpb4IaHtTPRm2bzftj4tikms0HUZmkZ7
apXa0t+3dFqMCNWJRRitu4q3XAjahANhAUtfeec6kYkVhMxM5hz5IZqOy+VmkvJr
cX71dH9oRV6mzyMyPUGG6gYtxGwcCB0fcdISx6P0yERCrcIU8+yndOKaS6vu6eQR
VoiKkPmYFrM67DmkCGttXS91m1flTGgSz1u6228Z/tnE7BNWKQuGsiAGnjF7tY9v
ndcgJ2kQw+hkS+KLaqZX0iLw70vqOke96djlxGU81a16Z9us+3sh1SbE55Qm0pZe
1apUKqp4U8tlwdHwiRZ8
=ESif
-----END PGP SIGNATURE-----

Archive: https://lists.debian.org/20140428164714.GA3373@pisco.westfalen.local

Archive: https://lists.debian.org/17e19d27f0d5c74583892cd00d7d69930c0fa...@misout7msgusr9o.itservices.sbc.com
R: [SECURITY] [DSA 2916-1] libmms security update
-----Original Message-----
From: Moritz Muehlenhoff
Date: Mon, 28 Apr 2014 18:47:14
Reply-To: debian-security@lists.debian.org
Subject: [SECURITY] [DSA 2916-1] libmms security update

[quoted text of DSA-2916-1, identical to the advisory reproduced above]

Archive: https://lists.debian.org/1121288231-1398704204-cardhu_decombobulator_blackberry.rim.net-1763912055-@b26.c10.bise7.blackberry