Re: Recent updates

2008-02-18 Thread Alexander Schmehl
Hi!

* Felipe Figueiredo <[EMAIL PROTECTED]> [080218 10:01]:

> > Well, a rogue hacker would need to be quite skilled to add some kind of
> > "bad" package.
> > 
> > Let's assume he has created a bad package and got control over a mirror
> How about a simpler attack vector: compromise a devel account, and sneak in a 
> patch to be automatically incorporated to a package. Is this feasible?
> 
> I understand that this case would not reflect what the OP asked about, but 
> still.

Yes, that would be a possible attack vector.  But you would need to do
more than just break into a devel account.  Since package uploads of
developers need to be signed with a pre-approved gpg-key, you would
need to break into that, too (which I must confess is still possible).

However, while it would then be possible to upload packages to Debian's
unstable branch directly (and therefore could possibly [but IMHO
unlikely] even get a package into the testing branch), you still don't
get a package into a stable (point) release, since your manipulated
package needs to pass the review of our stable release managers.

Now keep in mind that you in general can't get new upstream releases
into a stable point release, and since the manipulated package has been
uploaded before the manipulation, changing the source code of the
package won't work.  So the only way you can get your manipulations in
is via the diff.gz of the source package.  So it is more or less easy to
review what has been changed.  Tools like "debdiff" to compare changes
between packages make it even easier.  So it is not impossible, but
quite unlikely, that a manipulated package gets into a stable point
release. (And you would still need to do some more to get your package
in, e.g. a bug report of serious severity (or higher) which your
package claims to fix, which of course will be tested; and all that
while the Debian Developer whose account and gpg key you hacked isn't
noticing anything.)


The next attack vector would be to get a manipulated package into
Debian's unstable branch, and hope it will make it into a stable
release.  That would be complicated and unlikely, too, but I'm too lazy
now to write it all down ;)



Yours sincerely,
  Alexander




Re: Recent updates

2008-02-17 Thread Alexander Schmehl
Hi!

* Jim Popovitch <[EMAIL PROTECTED]> [080217 23:42]:
[..]
> > So in general we first push upgrade to the mirrors, and then sent out
> > announcements.
> That does make good sense, for the masses (of which I am one) I suppose.

In general it does; and under normal circumstances we try to send out
the announcement as soon as possible.  Sadly we were quite busy this
weekend, so we didn't succeed this time.  I'm sorry.


[ Explanation about our digital package signatures ]
> Thanks for the explanation Alexander,

You are welcome!


Yours sincerely,
  Alexander




Re: Recent updates

2008-02-17 Thread Alexander Schmehl
Hi!

* Jim Popovitch <[EMAIL PROTECTED]> [080217 21:46]:

> >glibc   Fix sunrpc memory leak
> Ahhh, glibc and libc6 are the same thing.  I forgot about that. 
> (why is that?)

Short explanation:
The Debian archive has source packages (which you as an end user don't
see) which get compiled and become binary packages (the .deb files).  A
source package can compile several binary packages, e.g. the apache2
package creates different flavours of the apache web server, the vim
source package creates different flavours of the vim editor, etc.

The source package glibc creates, among others, the binary package libc6.
The announcement lists source packages.


Yours sincerely,
  Alexander




Re: Recent updates

2008-02-17 Thread Alexander Schmehl
Hi!

* Jim Popovitch <[EMAIL PROTECTED]> [080217 20:43]:

> > Subscribe to debian-announce:
> > http://lists.debian.org/debian-announce/debian-announce-2008/msg0.html
> I hope you are teasing, or perhaps you didn't see my first sentence
> where I stated that I had not seen any other news about this.  I have
> been subscribed to d-a, as well as d-s, and d-i, and d-v. the
> problem was the updates hit the mirrors before the announcement hit
> the wire.

Yes, as the last couple of announcements did.  The problem is that if we
announce a new release before it is sent to the mirrors, mirrors are hit
very hard, hindering the sync of our mirror network.

So in general we first push upgrades to the mirrors, and then send out
announcements.


> Normally this wouldn't be much of an issue, but the formal signed
> announcement is the only way for most of us to know that the updates
> are legit and not a nefarious action by some rogue hacker.

Well, a rogue hacker would need to be quite skilled to add some kind of
"bad" package.

Let's assume he has created a bad package and got control over a mirror
(since he can't upload the package himself, that's the only way to
include it).  Of course he could add his package to the Debian archive
he has on that mirror, but since packages and releases are signed with
gpg he couldn't benefit from that: as soon as someone tries to
install his bad package, package management would detect the wrong
signature.


Yours sincerely,
  Alexander

-- 
http://learn.to/quote/
http://www.catb.org/~esr/faqs/smart-questions.html


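An added example, not from the mail above nor from Debian's own tooling, showing why the mirror scenario fails: the archive signs the Release file, Release records the hash of every Packages index, and each Packages stanza records the hash of its .deb. A mirror can rewrite a .deb or even the Packages index, but it cannot re-sign Release, so the chain breaks at whatever link was altered. The Release and Packages text and the .deb bytes are constructed for the demo; the gpgv check on Release itself is assumed to have passed already and is not shown.

```python
import hashlib

# Constructed Release fragment: the gpg-signed index that lists each Packages
# file with its size and SHA256 (real Release files carry more fields).
RELEASE = """Origin: Debian
Suite: stable
SHA256:
 {packages_sha} {packages_size} main/binary-i386/Packages
"""
# Constructed Packages stanza; libc6 is named in the thread, the rest is made up.
PACKAGES = """Package: libc6
Version: 1.0-1
Filename: {deb_path}
Size: {deb_size}
SHA256: {deb_sha}

"""
DEB_PATH = "pool/main/g/glibc/libc6_1.0-1_i386.deb"
GOOD_DEB = b"constructed .deb bytes as published by the archive"
BAD_DEB = b"constructed .deb bytes as altered on a rogue mirror"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_signed_indices(deb: bytes):
    """Return (Release, Packages) text as the archive would publish for deb."""
    packages = PACKAGES.format(deb_path=DEB_PATH, deb_size=len(deb), deb_sha=sha256(deb))
    pbytes = packages.encode()
    release = RELEASE.format(packages_sha=sha256(pbytes), packages_size=len(pbytes))
    return release, packages

def release_entry(release: str, index_path: str):
    """Return (sha256, size) recorded for index_path in Release's SHA256 block."""
    in_block = False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, name = line.split()
            if name == index_path:
                return digest, int(size)
        else:
            in_block = False
    return None

def verify_chain(release: str, packages: str, deb: bytes, deb_path: str) -> str:
    """Walk Release -> Packages -> .deb and report the first broken link."""
    pbytes = packages.encode()  # link 1: index vs. what the signed Release records
    if release_entry(release, "main/binary-i386/Packages") != (sha256(pbytes), len(pbytes)):
        return "Packages index does not match signed Release"
    fields = dict(line.split(": ", 1) for line in packages.splitlines() if ": " in line)
    if fields.get("Filename") != deb_path:  # link 2: .deb vs. the now-trusted index
        return "package not listed in Packages index"
    if (fields.get("SHA256"), int(fields.get("Size", 0))) != (sha256(deb), len(deb)):
        return ".deb does not match Packages index"
    return "ok"

if __name__ == "__main__":
    release, packages = build_signed_indices(GOOD_DEB)
    print(verify_chain(release, packages, GOOD_DEB, DEB_PATH))  # ok
    print(verify_chain(release, packages, BAD_DEB, DEB_PATH))  # .deb mismatch
    # A mirror that also rewrites Packages to fit the bad .deb still fails at Release.
    _, rewritten = build_signed_indices(BAD_DEB)
    print(verify_chain(release, rewritten, BAD_DEB, DEB_PATH))  # Release mismatch
```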


Re: Recent updates

2008-02-17 Thread Alexander Schmehl
Hi!

* Jim Popovitch <[EMAIL PROTECTED]> [080217 21:12]:

> > http://lists.debian.org/debian-announce/debian-announce-2008/msg0.html
> One additional thing that is not clear to me is that I see pending
> updates for libc6 and libc6-dev that are NOT mentioned in that
> announcement.

They are mentioned indirectly by their source package:
[..]
   glibc   Fix sunrpc memory leak
[..]

The respective bug would be #460226.


Yours sincerely,
  Alexander

-- 
http://learn.to/quote/
http://www.catb.org/~esr/faqs/smart-questions.html




Re: Recent updates

2008-02-17 Thread Alexander Schmehl
* Jim Popovitch <[EMAIL PROTECTED]> [080217 06:46]:
> I haven't seen any other news about this, I show 7 pending updates for
> which no DSA or notices have gone out.  Given that d.o servers have
> been hacked in the past, are these updates valid and where can I find
> official info about them?

Subscribe to debian-announce:
http://lists.debian.org/debian-announce/debian-announce-2008/msg0.html


Yours sincerely,
  Alexander

-- 
http://learn.to/quote/
http://www.catb.org/~esr/faqs/smart-questions.html




Re: woody kernel image

2005-01-30 Thread Alexander Schmehl
Hi!


* Paul Hink <[EMAIL PROTECTED]> [050130 21:57]:

> >> They told, there are too much kernels to maintain and droped
> >> 2.4.(18-22) They sugested to use one of the Backports.
> > And of course this is nothing to inform the ordinary users about, is
> > it?
> Just to make sure that there are no misunderstandings: I would be
> really sorry if the information I based my statements upon turned out
> to be wrong.

There is nothing to be sorry about on your side.


> I completely relied upon the correctness of the mails here
> in this thread and did not find it necessary to search the archives
> myself. Sorry, this might have been a mistake.

In general there is no reason to doubt information on this list.
And I could fully understand your rage (picked that word from the
dictionary, not sure if it is the correct one), if the information it
was based on were true.

(if this mail sounds a bit snooty, I need to apologize, too. It was not
intended as being so ;)


Yours sincerely,
  Alexander

-- 
http://learn.to/quote/
http://www.catb.org/~esr/faqs/smart-questions.html




Re: [OT] tales (was: woody kernel image)

2005-01-30 Thread Alexander Schmehl
* Jan Lühr <[EMAIL PROTECTED]> [050130 22:13]:

> Don't take it down personal. Judging about DSAs I've seen, there is
> currently _no_ security-support for 2.4.18.

I didn't make any statement about security support of 2.4.18.  All I
said was that MK can't prove her own statement, that I can't find a
proof of it, and that we have a hint contradicting her statement.


> For reasons I don't know, for things I don't understand, important
> patches seem to be missing.  If you have information about the status
> of sec-sup in 2.4.18 please let us know.

Did you read the mail from Joey Schulze forwarded by Jan Minar a couple
of hours ago to this list?  Security support for 2.4.18 kernels has not
been dropped.  It isn't nice that the kernel packages have not been
upgraded yet.  But I'm sure that the Security Team will gladly accept
your help if you send them working and tested patches.


> Keep smiling
> yanosz

:)


Yours sincerely,
  Alexander

-- 
http://learn.to/quote/
http://www.catb.org/~esr/faqs/smart-questions.html




[OT] tales (was: woody kernel image)

2005-01-30 Thread Alexander Schmehl
Hi!

* Michelle Konzack <[EMAIL PROTECTED]> [050130 20:29]:

> > how does it come that every time you're telling such a story and are
> > requested for some proof, one of your services is down, you cite
> > completely unrelated URLs or you don't answer at all?
> Why not go to  and search for it ?

May I add this as another case of "MK makes statements which she can't
prove" to my list?  Making a statement and telling others to prove it
for themselves doesn't make your argument look very good.

But anyway, I'm subscribed to both lists, and all I can say is:

Been there, done that, got no shirt.

So until I'm shown otherwise, I'm confident that there is no mail to
debian-devel or debian-kernel stating that support for the 2.4.18*
kernels in the current stable release has been dropped.

And besides that, Joey's mail, forwarded to this list by Jan Minar a couple of
hours ago (id: <[EMAIL PROTECTED]>)
proves that you are wrong.


Yours sincerely,
  Alexander


PS:  I'm still waiting for proofs of other statements you made, for
example in the -user-german list, like "Google runs 10 Debian
servers" or "DDs develop only Debian software, Maintainers maintain
packages" and some others.

PPS:  Are you aware that there are guys out there thinking of
collecting all your contradicting, unproven or proven-wrong statements
into a "Michelle Konzack"-FAQ?  Luckily for you no one has the time for
this Sisyphean job.

-- 
http://learn.to/quote/
http://www.catb.org/~esr/faqs/smart-questions.html




Re: woody kernel image

2005-01-30 Thread Alexander Schmehl
* Michelle Konzack <[EMAIL PROTECTED]> [050130 17:45]:

> > Michelle, can You cite the Message-Id's and/or URLs to the archive,
> > please?
> Unfortunately not (my postgresql is currently down)
> but I think, it was between April and June last year.
> Maybe after the last BUGfix in 2.4.18

Michelle, Michelle, Michelle...

how does it come that every time you're telling such a story and are
requested for some proof, one of your services is down, you cite
completely unrelated URLs or you don't answer at all?


Yours sincerely,
  Alexander

-- 
http://learn.to/quote/
http://www.catb.org/~esr/faqs/smart-questions.html




Re: security.debian.org is down ?

2004-02-01 Thread Alexander Schmehl
* Hideki Yamane <[EMAIL PROTECTED]> [040201 15:45]:

>  Does anyone know about if security.debian.org is down or not?
>  I cannot get .debs from it, and ping to it with no reply.

Citing Joey in the german irc-channel #debian.de:
14:53 < Joey[tm]> Weder noch, war einfach nicht mehr da, als wir dran
  gearbeitet haben.  wiggy kuemmert sich drum, sobald er @home
  ist

Which means: It is known, Joey doesn't know (yet) what's going on, but
wiggy will take care of it as soon as he arrives at home.


Yours sincerely,
  Alexander



Re: Curriculum

2003-08-10 Thread Alexander Schmehl
* Samuele Giovanni Tonon <[EMAIL PROTECTED]> [030808 15:09]:

> > > What the h.ll does this mean?
> > Apparently some moron tries to find a job through SPAMming.
> maybe he wants a job inside debian.
>  we must redirect him to http://nm.debian.org :-)

So he can redesign it in flash?


Yours sincerely
  Alexander



Re: request to german speaking users

2003-07-02 Thread Alexander Schmehl

I'd like to thank all of you who offered their help correcting and
updating this howto.


I'm sorry if I wasn't able to answer your mail yet. Thanks for your
patience; I'll do so as fast as I can, but I'm a little busy these
days.


Thank you very much,
  Alexander




Re: request to german speaking users

2003-07-02 Thread Alexander Schmehl
* Christian Kujau <[EMAIL PROTECTED]> [030629 22:32]:

> as others suggested too, the reading should be shared to a group of 
> readers.

I started to collect the "REVIEW-Status" in a separate file, available
at:
http://www.cs.uni-frankfurt.de/~schmehl/securing-debian/REVIEW-STATUS

Since I have been and will be very busy these days, you can find out
for yourself which chapters still need to be reviewed.

Just tell me, when you start to review which chapter, so I can update
this file (that should fit in my daily schedule ;)


> so, perhaps splitting it up chapter wise is good and just in case sbd. 
> has already started the reading (with ch.1), i'll start with ch 9-10, 
> will do more if we can agree about sth

Okay, I'll mark chapter 9-10 for you.


Yours Sincerely
  Alexander




Re: request to german speaking users

2003-07-02 Thread Alexander Schmehl
* Christian Kujau <[EMAIL PROTECTED]> [030701 14:48]:

> > Please get the docbook formatted code and do a revision. Then just
> > do a "diff" and sent the output.
> hm, ok, i'll try.

It's quite easy: get the sgml source; the format is nearly self-
explaining and quite uninteresting, since you just need to correct
the content of the document, not the style.

After you've got the source, create a copy of it before you correct
anything. Then you can change anything in the document which you
think could help the reader to understand the document.

When you're done, you can create a patch file simply by typing "diff -u
«old_file» «new_file» > sdh.patch". Send me the file sdh.patch and I'll
gladly accept your changes.


Yours sincerely
  Alexander



request to german speaking users

2003-06-27 Thread Alexander Schmehl

Good morning,

I just finished the translation of the security howto to German, but
some parts are very ugly hacks.

It would be very nice, if some of you would review my translation (or
at least small parts of it), and send me some patches.

You can find the latest version of it at
http://www.cs.uni-frankfurt.de/~schmehl/securing-debian/ in all usual
formats (and of course the sgml-source, too).


Greetings,
  Alexander


PS: Yes, the translation is outdated. It took me quite some time. I'll try
to update it asap, but if you like, you can send me an updating patch,
too.



Re: OpenSSH and debian?

2003-05-06 Thread Alexander Schmehl
* Diederik de Vries <[EMAIL PROTECTED]> [030506 17:47]:

> Today I was surfing on SecurityFocus, and saw that there was a hole in
> OpenSSH (http://www.securityfocus.com/bid/7482/info/). Debian Potato
> uses OpenSSH 3.1 p1, which seems to be exploitable.
I think you might be interested in: http://www.debian.org/security/2002/dsa-134

> Is this true, am I missing something or what?
I think so.

cu
Alex

-- 
PGP key on demand, mailto:[EMAIL PROTECTED] with subject "get pgp-key"




Re: ptrace patch for vanilla kernel 2.4.20

2003-04-23 Thread Alexander Schmehl

Good morning,

* Adam ENDRODI <[EMAIL PROTECTED]> [030423 07:59]:

> > http://www.ussg.iu.edu/hypermail/linux/kernel/0303.2/0226.html
> > http://sinuspl.net/ptrace/
> Can you tell me whether these patches are the ones which were
> known to break something?

I haven't heard of a patch that breaks something yet. The second one
applied cleanly, and I didn't encounter any problems on four different
machines.
Did I miss something?

cu
Alex

-- 
PGP key on demand, mailto:[EMAIL PROTECTED] with subject "get pgp-key"




Re: ptrace patch for vanilla kernel 2.4.20

2003-04-22 Thread Alexander Schmehl
* Konstantin <[EMAIL PROTECTED]> [030422 23:03]:

> can anyone post the patch for the 2.4.20-kernel (from kernel.org) or give me
> an address I can leech it from.

http://www.ussg.iu.edu/hypermail/linux/kernel/0303.2/0226.html

http://sinuspl.net/ptrace/


cu
Alex

-- 
PGP key on demand, mailto:[EMAIL PROTECTED] with subject "get pgp-key"

