Re: [VUA 51-1] Updated clamav version

2008-12-11 Thread Andreas Barth
* Jim Popovitch ([EMAIL PROTECTED]) [081211 07:52]:
 On Thu, Dec 11, 2008 at 00:55, Andreas Barth [EMAIL PROTECTED] wrote:
  ---
  Debian Volatile Update Announcement VUA 51-1 http://volatile.debian.org
  [EMAIL PROTECTED]   Stephen Gran
  Dec 11, 2008
  ---
 
  Package  : clamav
  Version  : 0.94.dfsg.2-1~volatile1
  Importance   : medium
  CVE IDs  : CVE-2008-5050 CVE-2008-5314
 
 [snip]
 
  and install them with dpkg, or add
 
   deb http://volatile.debian.org/debian-volatile etch/volatile main
   deb-src http://volatile.debian.org/debian-volatile etch/volatile main
 
 
 FAIL!

Sorry, something went wrong with pushing. Now:

 *** 0.94.dfsg.2-1~volatile1 0
500 http://volatile.debian.org etch/volatile/main Packages

Sorry for the trouble.


Cheers,
Andi


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: bug in tar 1.14-2.1

2006-03-27 Thread Andreas Barth
* Martin Zobel-Helas ([EMAIL PROTECTED]) [060324 16:00]:
 Looks like just rebuilding the security version resolves that error, for
 whatever reason. Julien and I just cross-checked that and got the same
 result.
 
 If no one minds we reupload tar with a bumped version number to s-p-u.

Is a binary-only upload enough? If so, why not just queue a binNMU by
the buildd? (And one should check all the archs BTW, and also add a test
suite one day :)


Cheers,
Andi
-- 
  http://home.arcor.de/andreas-barth/


Re: sendmail vulnerability

2006-03-23 Thread Andreas Barth
* Andreas Piper ([EMAIL PROTECTED]) [060323 09:45]:
 Hello,
 ISS has reported a serious flaw in sendmail before 8.13.6, see 
 http://xforce.iss.net/xforce/alerts/id/216 and 
 http://sendmail.org/8.13.6.html
 
 Is a security fix of the sendmail-package(s) in view, or should I try to 
 install sendmail 8.13.6 standalone?

A package is being prepared and should be available soon.

Cheers,
Andi
-- 
  http://home.arcor.de/andreas-barth/


Re: security.debian.org mirrors?

2005-09-29 Thread Andreas Barth
* Arnaud Fontaine ([EMAIL PROTECTED]) [050929 22:26]:
 Is it possible to have a warranty that the package in the mirror archive
 hasn't been modified by someone else? Maybe my question is stupid but I
 wasn't able to find an answer on the replicator website ;).

The Release file is digitally signed, and contains checksums of the
Packages files. The Packages files contain checksums of the packages.


Cheers,
Andi
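
The trust chain described in the reply above (a signed Release file carrying checksums of the Packages files, which in turn carry checksums of the packages) is what allows a mirror to be untrusted. The following is an added example, not code from the original post or from apt: it parses the SHA256 section of a Release file and the stanzas of a Packages file and walks both links on constructed sample data, so it runs offline. It assumes the Release file's OpenPGP signature (Release.gpg or InRelease) has already been verified, which is not modelled here; the package name, filename, payload and all hashes are constructed for the example.

```python
import hashlib

# --- Constructed sample archive (not real Debian data) -------------------
# A fictional .deb payload, the Packages stanza describing it, and a Release
# file listing the checksum of that Packages file. Hashes are computed from
# the constructed data so the sample is internally consistent.
DEB_FILENAME = "pool/main/e/example-tool/example-tool_1.0-1_i386.deb"
DEB_BYTES = b"!<arch>\nconstructed-deb-payload-for-this-example-only\n"

PACKAGES_TEXT = (
    "Package: example-tool\n"
    "Version: 1.0-1\n"
    "Architecture: i386\n"
    f"Filename: {DEB_FILENAME}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
    "\n"
)
PACKAGES_PATH = "main/binary-i386/Packages"
PACKAGES_BYTES = PACKAGES_TEXT.encode()

RELEASE_TEXT = (
    "Origin: Constructed\n"
    "Suite: stable\n"
    "Codename: example\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES_BYTES).hexdigest()} {len(PACKAGES_BYTES)} {PACKAGES_PATH}\n"
)


def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file.

    Entries are indented with one space; any unindented line ends the section,
    which is how the MD5Sum and SHA1 sections of a real Release file get skipped.
    """
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text):
    """Return {Filename: {field: value}} from a Packages file (blank-line separated stanzas)."""
    stanzas = {}
    for block in packages_text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            fields[key] = value
        stanzas[fields["Filename"]] = fields
    return stanzas


def checksum_matches(data, expected_hex, expected_size):
    """A file passes only if both its size and its SHA256 match the index entry."""
    return len(data) == expected_size and hashlib.sha256(data).hexdigest() == expected_hex


def verify_index(release_text, index_path, index_bytes):
    """Link 1: the Packages file must match its entry in the (signed) Release file."""
    entry = parse_release_sha256(release_text).get(index_path)
    if entry is None:
        return False  # an index the Release file does not vouch for is untrusted
    return checksum_matches(index_bytes, *entry)


def verify_deb(packages_text, filename, deb_bytes):
    """Link 2: the downloaded .deb must match the stanza that describes it."""
    fields = parse_packages(packages_text).get(filename)
    if fields is None:
        return False
    return checksum_matches(deb_bytes, fields["SHA256"], int(fields["Size"]))


def verify_chain(release_text, index_path, packages_text, filename, deb_bytes):
    """Walk Release -> Packages -> .deb; every link must hold.

    Assumes the Release file's OpenPGP signature was verified beforehand. Without
    that root, a mirror could regenerate every checksum consistently.
    """
    return (verify_index(release_text, index_path, packages_text.encode())
            and verify_deb(packages_text, filename, deb_bytes))


if __name__ == "__main__":
    genuine = verify_chain(RELEASE_TEXT, PACKAGES_PATH, PACKAGES_TEXT, DEB_FILENAME, DEB_BYTES)
    tampered = verify_chain(RELEASE_TEXT, PACKAGES_PATH, PACKAGES_TEXT, DEB_FILENAME,
                            DEB_BYTES.replace(b"payload", b"PAYLOAD"))
    print("genuine package passes:", genuine)
    print("tampered package passes:", tampered)
```

The point the example makes is that each link is only as strong as the one above it: a mirror operator can rewrite a Packages file and every .deb checksum consistently, so the check that actually binds the archive to Debian is the signature on the Release file, and an index the Release file does not list has to be rejected rather than silently accepted.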


Re: WTF: Debian security, ex. Linux kernel vulnerabilities

2005-09-20 Thread Andreas Barth
* Steinar H. Gunderson ([EMAIL PROTECTED]) [050920 16:21]:
 On Tue, Sep 20, 2005 at 03:50:14PM +0200, Andreas Barth wrote:
  s.d.o is not offline, just the full bandwidth is used by people
  downloading a security update.

 Do we need mirrors for security.debian.org? I would be happy to host such a
 mirror if debian-security would want it.

Including your offer, there are at least 4 offers I know of as of now.
And if we ask, I'm pretty sure we're able to get much more.


Cheers,
Andi


Re: WTF: Debian security, ex. Linux kernel vulnerabilities

2005-09-20 Thread Andreas Barth
* Bob Tanner ([EMAIL PROTECTED]) [050920 16:39]:
 Same here.  Reach out to the community and let us help.

Well, the basic problem with mirrors is:
* How can we be sure that all mirrors are synced _very_ fast? We will
  probably get more negative feedback if some mirrors are delayed by
  more than 10 minutes (and some of our normal mirrors are _way_ worse).
* How do we make sure that potential issues can be fixed fast enough?

Of course, none of these questions is unsolvable, and there are
currently discussions underway how we can do it sensibly, but it's not
as trivial as one might hope in the beginning of that discussion.


Still, thank you very much for your offer (and I really hope that we can
make use of the mirroring offers one day).


Cheers,
Andi


Re: security.debian.org timeouts

2005-09-19 Thread Andreas Barth
* Noèl Köthe ([EMAIL PROTECTED]) [050919 21:19]:
 Does anybody know what's the problem with klecker/security.d.o?

The link to the outside world is fully saturated currently.
There are ideas discussed how we can add more machines / bandwidth, but
that's not a short-term solution.

 The whole day I get timeouts but I could update xfree(woody)/xorg(sarge)
 on some machine but I didn't find the DSA for it.

The update is a real update, and the DSA will follow as soon as the load
is in an acceptable range to move all files to their final place ...


Cheers,
Andi


Re: security.debian.org timeouts

2005-09-19 Thread Andreas Barth
* Bartosz Fenski aka fEnIo ([EMAIL PROTECTED]) [050919 22:46]:
 On Mon, Sep 19, 2005 at 10:04:14PM +0200, Florian Weimer wrote:
  BTW, I don't understand why this was posted to debian-curiosa, either.
 
 I got into the habit of reading important announcements for the users 
 on http://planet.debian.net. Now it seems debian-curiosa is another place
 for them.

 I wonder what else should I read to keep in touch with such important
 information?

Basically, we considered that mail to be too snappy to send it to
d-s-a or so. A good idea for a better mail is still welcome :)


Cheers,
Andi


Re: security archive defective!?

2005-09-01 Thread Andreas Barth
Hi,

* Marek Szuba ([EMAIL PROTECTED]) [050901 02:32]:
 Another thing the present state of the archive makes a major pain in
 the arse is mirroring. Since crip is listed in the Sources file, the
 non-binary part of the security mirror I keep for the local network has
 effectively ceased to exist, as even with --ignore-small-errors
 debmirror doesn't like missing files at all and doesn't install the new
 Sources file in place. I really wish this would be taken care of
 quickly... After all it's just a question of copying one file.

I strongly recommend using anonftpsync for mirroring any of the Debian
archives (though, with security, that could be quite unlucky, as all of
the old stuff is still around :( ).


Cheers,
Andi


Re: anonftpsync (was: security archive defective!?)

2005-09-01 Thread Andreas Barth
* martin f krafft ([EMAIL PROTECTED]) [050901 09:58]:
 also sprach Andreas Barth [EMAIL PROTECTED] [2005.09.01.0858 +0200]:
  I strongly recommend using anonftpsync for mirroring any of the Debian
  archives
 
 What's the advantage over debmirror?

That it just works? :)

That all the necessary directories and symlinks are mirrored, including
project/trace. Also, AFAIUI debmirror creates a much higher load on the
server you're pulling from than anonftpsync (as debmirror opens lots of
rsync connections, whereas anonftpsync just does two).

I have seen lots of interesting issues with debmirror, but none with
anonftpsync till now (and I'm working on the Debian mirrors, so I've
seen lots of different mirrors all over the world, with lots of
interesting failures).


Cheers,
Andi


Re: security archive defective!?

2005-08-18 Thread Andreas Barth
* Michael Stone ([EMAIL PROTECTED]) [050818 15:23]:
 On Thu, Aug 18, 2005 at 03:01:27PM +0200, Sven Mueller wrote:
 Did I expect something that isn't granted (that the source orig.tar.gz
 should be in the security pool with the other files)

 IIRC, the orig file isn't in the security archive if it's the same one
 that's in the main archive.

IIRC (and the Developer's Reference supports this view), it's in the
security archive in any case (as the security archive is just a normal
installation of the Debian archive software).


Cheers,
Andi


Re: On Mozilla-* updates

2005-07-31 Thread Andreas Barth
* Steve Kemp ([EMAIL PROTECTED]) [050731 20:00]:
 On Sun, Jul 31, 2005 at 06:18:18PM +0100, antgel wrote:

  Any chance of an elaboration?  I wasn't privy to any previous discussion
  on this and I'm interested.  What's the problem with searching bugzilla
  for security patches on given versions, and applying them?  Is it the
  sheer volume?

   
 http://kitenet.net/~joey/blog/entry/bug_hiding_systems-2005-07-30-06-25.html
 
   Summary:  Even when new fixed packages are available the original
  bugs reported in Mozilla's BugZilla system are non-public, as are
  patches.
 
   Mozilla *appears* to have no interest in supplying patches which 
  *only* fix security holes to distributors.  Their line is more
  "upgrade to the newest version".  Whilst the new versions do
  fix the holes, they traditionally also break things built against
  them, such as extensions, galeon, etc.

I thought some member of the Debian security team has access to the
hidden bug reports. Can't that member extract the relevant patches then?


Cheers,
Andi


Re: Old security bugs tagged woody

2005-07-18 Thread Andreas Barth
* Florian Weimer ([EMAIL PROTECTED]) [050716 00:49]:
 Many developers close security bugs which are tagged woody only, even
 though security support for oldstable has not been discontinued
 officially.
 
 How shall we bridge the apparent gap between documented policy and
 existing practice?  Given our resources, I'd say fix the policy.  Any
 objections?

Two remarks:

1. There is no reason to close bugs against woody at all anymore due to
version tracking support.

2. As long as we have security support in place, it is wrong to close
any woody security bugs.


Cheers,
Andi


Re: Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)

2005-07-15 Thread Andreas Barth
* Herwig Wittmann ([EMAIL PROTECTED]) [050714 17:58]:
 I do not want to be rude in any way - please try to excuse my way of putting
 things, but does anybody have a prediction how probable it is for such a
 thing to happen again?
 
 Is there a role/function in debian that is responsible for reviewing
 bugtraq or similar sources, and is it ensured that this role is fulfilled
 every day?

We are about to add more resources to that role. Also, new CVE ids are
checked to see whether they apply to Debian or not.


Cheers,
Andi


Re: cvs 1.11.1p1debian-11 is in wrong distribution

2005-07-06 Thread Andreas Barth
* Peter Lundkvist ([EMAIL PROTECTED]) [050705 23:40]:
 cvs 1.11.1p1debian-11 seems to be in the wrong distribution:
 should be in woody-security (oldstable) but is in sarge-security.

This is a known issue, and one of the left-overs from trying to fix the
problems with the scripts on security.debian.org after release. Please
just ignore it. :)


Cheers,
Andi


Re: [MIB-Admin] [SECURITY] [DSA 563-2] New cyrus-sasl packages really fix arbitrary code execution

2004-10-13 Thread Andreas Barth
* Manuel Moeller ([EMAIL PROTECTED]) [041012 22:40]:
 this security hole was already closed once today.

Well, but now the packages are even working. ;)


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C


Re: [DSA 563-1] New cyrus-sasl packages fix arbitrary code execution

2004-10-12 Thread Andreas Barth
* Philip Ross ([EMAIL PROTECTED]) [041012 16:30]:
 This update for woody has broken ldapsearch from ldap-utils. ldapsearch 
 now segfaults at startup.

Please downgrade for the moment, there is an issue with the update. We
know the reason, and I hope that a fixed package will be available soon.
Please postpone updates for now.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C


Re: [DSA 563-1] New cyrus-sasl packages fix arbitrary code execution

2004-10-12 Thread Andreas Barth
* Henrique de Moraes Holschuh ([EMAIL PROTECTED]) [041012 17:10]:
 Since I did the NMUs for sid/sarge, I wonder if there is something wrong
 with the patch for SASL 1.5? It seems to work very well in SASL 2, but if it
 is going bonkers on SASL 1.5, I will have to re-NMU it to fix it in sid and
 sarge, for starters.

The patch from 1.5.28-6.1 to 1.5.28-6.2 is ok.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C


Re: Why not push to stable?

2004-06-26 Thread Andreas Barth
* martin f krafft ([EMAIL PROTECTED]) [040626 13:55]:
 also sprach Andika Triwidada [EMAIL PROTECTED] [2004.06.26.1337 +0200]:
   I am aware of the reason why s.d.o is not mirrored. 
  
  What do you mean by not mirrored?
  there are so many of them,
  like for instance http://public.planetmirror.com/pub/debian-security/

 sure, but they are not supposed to be used (or at least not in
 productive systems), because security updates must reach everyone
 quickly, but mirrors add up to 24 hours of propagation delay.

what's the problem with:
deb mirror
deb security.d.o

In this case, the file is taken from the mirror if it exists already
there, and otherwise from security.d.o.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C


Re: Why not push to stable?

2004-06-26 Thread Andreas Barth
* martin f krafft ([EMAIL PROTECTED]) [040626 15:55]:
 Note that I am not trying to undermine or criticise or change the
 Debian security policy. I just want to understand it.

For example, if the packages were pushed into stable, when would
the official CD-images be updated? After each security update?

But, AFAIK, there are discussions about restricting files in
stable-proposed-updates to _accepted_ contributions for the next
stable release. If this were done, then you could just add s-p-u
to your list first, and security.d.o second, and it would work for
you. (Warning: Currently, any DD could upload anything to s-p-u, and
not all packages there are accepted into stable. So, it might be
considered a bad idea to add this to the sources.list.)


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C


Re: another kernel vulnerability

2004-01-05 Thread Andreas Barth
* Thomas Sjögren ([EMAIL PROTECTED]) [040105 16:10]:
 If you haven't heard it already:
 Synopsis:  Linux kernel do_mremap local privilege escalation
 vulnerability
 Product:   Linux kernel
 Version:   2.2, 2.4 and 2.6 series
 http://isec.pl/vulnerabilities/isec-0013-mremap.txt
 
 Patch:
 http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]

There's one other security problem open in 2.4.* (24), see
http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]
http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED] (the second is
a fix for the first fix).


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C


Re: Screen in woody vulnerable to CAN-2003-0972 ?

2003-12-30 Thread Andreas Barth
* Frédéric Bothamy ([EMAIL PROTECTED]) [031230 14:55]:
 I would like to know if the package screen in woody (version 3.9.11-5)
 is vulnerable to CAN-2003-0972

access to the utmp-group in Debian, not root access. This has been
discussed somewhere (d-devel?) not too long ago, or there is even a
bug report for that.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C


Re: LSM-based systems and debian packages

2003-12-01 Thread Andreas Barth
* Russell Coker ([EMAIL PROTECTED]) [031201 05:10]:
 On Mon, 1 Dec 2003 07:43, Andreas Barth [EMAIL PROTECTED] wrote:
  What about the gettys? I'm asking this because I wrote the initial
  mail because of mgetty, a package where I expect some non-standard
  setup (though of course, I could be wrong, as I don't know much about
  this topic).

 Getty policy is pretty simple.  Get run from init, open a terminal device, 
 then spawn /bin/login.  fbgetty requires one more capability than other 
 gettys, but fbgetty should be considered deprecated anyway.

Well, mgetty (and vgetty for voice) does also in addition to normal login
- receive faxes (and can start a whole bunch of things with receiving
  faxes, like printing, forwarding per mail, ...)
- receive voice messages (to these apply the same option as to faxes)
- fire up pppd
- fire up uucico
- fire up [any custom program, if configured by the system
  administrator]

Does the same apply to mgetty as to any other getty? (If yes, does
this mean that I don't have to do anything now?)


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C


LSM-based systems and debian packages

2003-11-30 Thread Andreas Barth
Hi,

well, if this mail seems silly to persons with good knowledge
of LSM-based systems, I'm sorry. But I can't give myself the answers,
so I'm asking here.

The last time (and especially the last days) have IMHO shown that it
would be good for any Linux machine to run with more security than the
historic root and users-concept (with a few exceptions of course). So,
as a package maintainer I want to support this as good as I can. As
LSM will be part of Linux 2.6, it would IMHO be wise to base support
on LSM. But I have little to no knowledge of the implementation of
these systems (but have heard about the base theory for such things).
So, my question is:

Is it possible for me as a package maintainer to specify the needed
rights for my programs in a way that as many systems as possible
can use these without the need for a sysadmin to change anything? Or
would each LSM-based system need its own configuration? And if so,
which should be supported by a package, and how?

What I would like even more is a HOWTO "What a Debian package
maintainer should do to support LSM-based security systems properly"
(and this should become part of the Developer's Reference). I'm willing
to create a template of such a HOWTO in parallel to adding support for
LSM to my packages, if I can; and this would mean that someone with
knowledge would be willing to guide me, and answer my (partly very
unknowing) questions about a lot of more or less simple things.



Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C


Re: Security patches

2003-11-30 Thread Andreas Barth
* Russell Coker ([EMAIL PROTECTED]) [031130 21:40]:
 On Mon, 1 Dec 2003 05:10, Milan P. Stanic [EMAIL PROTECTED] wrote:
  On Sun, Nov 30, 2003 at 11:24:43PM +1100, Russell Coker wrote:
   It's a pity that the developers of other security systems didn't get
   involved, it would be good to have a choice of LIDS, HP's system, DTE,
   and others in the standard kernel.

  LIDS uses LSM in 2.5/2.6 kernel series, IIRC.
 
 LIDS does not appear to be in 2.6 at all.

It seems that there are at least patches for 2.6, see
http://www.lids.org/ (or http://lsm.immunix.org/lsm_modules.html )


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C


Re: LSM-based systems and debian packages

2003-11-30 Thread Andreas Barth
Hi,

thanks for your fast reply. Just a few more questions:

* Russell Coker ([EMAIL PROTECTED]) [031130 21:10]:
 On Mon, 1 Dec 2003 04:27, Andreas Barth [EMAIL PROTECTED] wrote:
  Is it possible for me as a package maintainer to specify the needed
  rights for my programs in a way that as many systems as possible
  can use these without the need for a sysadmin to change anything? Or
  would each LSM-based system need its own configuration? And if so,
  which should be supported by a package, and how?

 There will be support in RPM for packages that contain SE Linux policy.  For 
 Debian such support will come later (if at all) as the plan is to centrally 
 manage all policy for free software, and it's not difficult to apply custom 
 policy for non-free software.

Managing at one place is IMHO a disadvantage for e.g. backported
packages, extra packages, ... I would have favored some central place
like /usr/share/lintian/overrides is for lintian where every package
could drop its special file - but of course, if the persons with more
wisdom decide this then it's ok from my point of view, and I'll follow
this.


 There are patches for cron, xdm type programs, procps, psmisc, pam, and 
 logrotate for SE Linux which will hopefully get accepted into Debian packages 
 soon.

What about the gettys? I'm asking this because I wrote the initial
mail because of mgetty, a package where I expect some non-standard
setup (though of course, I could be wrong, as I don't know much about
this topic).


 The best thing at the moment is to do things that are good for security even 
 on non-SE Linux machines.  Don't have the daemon re-write its own config 
 files in /etc.  Have a separate process to access password files and 
 manipulate data from them.

/etc/passwd (or more exactly: getpwuid etc.) is not considered a password
file, is it?

  Don't copy files into a chroot for every 
 invocation (Postfix is difficult because of this), or if you must copy such 
 files around then make it easy to discover where it is to modify the process 
 (Postfix startup scripts are difficult to understand and manage).
 
 Documentation on exactly what cron jobs do would be good too, as they are 
 particularly painful to get right.

You mean: Just standard good behaviour for maintainability of code?
Putting a file in /etc/logrotate.d is not considered usage of cron?



Some remark about another mail I got in private: It's not that I want
to do only something for LSM-based systems. I'll try to support any
security enhancement that's in Debian. So I'll certainly do something
for SELinux if this is needed, as SELinux runs with the standard
kernel and is compatible with LSM (which itself is approved by Linus,
and I'm certainly not in the position to overrule Linus's decisions). If
it's also useful to do something for grsecurity, I would also do
this; however, it would be _really_ useful if the grsecurity patch
would be compatible with the standard Debian kernel. Talking about
what should be done to improve security is always a nice thing.

However, much more important is to actually _do_ something (and "do"
could of course include, but is not limited to, making good proposals).
If someone stands up and says "I'll handle grsecurity, so that it
applies cleanly to the Debian kernel, and try to solve problems with
any application", I would applaud it, and do everything I can so that
a grsecurity kernel is included in Sarge, and that as many
applications as possible are prepared for grsecurity. However, if I face a
situation where SELinux is probably included in Sarge in an almost
mature setup, and grsecurity doesn't even apply cleanly to a standard
Debian kernel, I'll of course first handle SELinux, and then
grsecurity. Please don't see this as any judgement of better fitness
of any of these security setups. And if you want to change my preferences:
Any of you could do that: Just step forward, provide a clean
grsecurity patch, and provide the necessary info for the package
maintainers on what they should do. I'd love to integrate support for as
many security enhancements as possible, and it's always good if the
users of Debian have something to choose from.



Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C



Re: Debian servers hacked?

2003-11-27 Thread Andreas Barth
* George Georgalis ([EMAIL PROTECTED]) [031126 20:55]:
 That aside, I still wonder if we are talking about the same
 thing.  It turns out about 160 packages were posted on
 debian-changes@lists.debian.org Nov 19. According to the change
 logs they don't appear as normal bugfixes, but many are like
 kernel-source-2.4.17 (2.4.17-1woody1) stable-security; urgency=high
 which includes at least one user to root vulnerability. Maybe I'm
 missing something, but I don't see any indication these changes don't
 affect current installs but are only relevant to r2.

Those are packages that were security updates (since r1), and are now
part of r2. Please see the dates in the changelogs for details.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C



Re: OpenSSH in Woody

2003-09-25 Thread Andreas Barth
* Francois Sauterey ([EMAIL PROTECTED]) [030922 22:36]:
 At 13:56 22/09/03 -0400, George Georgalis wrote to us:
 ** Original message **
 Most of my debian installs took the recent ssh updates without a hiccup,
 but two of them deposited the file /etc/ssh/sshd_not_to_be_run before
 restarting and left no daemon listening.

 and what about ssh/potato?
 I don't see anything about a new upgrade for ssh in potato?

Because potato doesn't get any security upgrades any more.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C


Re: SSH Update for Potato?

2003-09-17 Thread Andreas Barth
* Shane Machon ([EMAIL PROTECTED]) [030917 06:50]:
 On a more general note, is potato still supported by the Security Team?

No. There was a notice some time ago.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C





Re: ssh vulnerability in the wild

2003-09-16 Thread Andreas Barth
* Thomas Horsten ([EMAIL PROTECTED]) [030916 17:32]:
 Is there an emergency patch/workaround for this, if disabling ssh is not
 an option? Are systems with Privilege Separation affected?

Filtering access to allow only trusted machines. But please remember:
Each allowed machine could exploit your machine.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C




Re: ssh vulnerability in the wild

2003-09-16 Thread Andreas Barth
* Ted Roby ([EMAIL PROTECTED]) [030916 19:05]:
 Does this vulnerability require a login? Is a system safe if it does not
 allow root login, and password logins?

No. (And: The patch is uploaded to stable-security, and to unstable,
so just upgrade.)


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C





php with different user ids under apache?

2003-09-06 Thread Andreas Barth
Hi,

what is the recommended approach to allow the usage of different user
ids for php with apache?

- mod_php with apache means that the scripts are executed under
  Apache's uid, and suexec doesn't work.
- apache2 does not have php4 support (see
  http://lists.debian.org/debian-devel/2003/debian-devel-200308/msg03198.html)
- php as cgi-modules doesn't provide support for mysql and a lot of
  other things since woody.

So, what is the recommended way to execute php code with different
uids for different users?


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C





Re: pam doesn't see nis

2003-08-20 Thread Andreas Barth
* Huegesh Marimuthu ([EMAIL PROTECTED]) [030820 13:35]:
 I guess you just have to add +:: in /etc/passwd; + in
 /etc/shadow and it will be okay.

Wrong. This was even deprecated when I started using Linux in 1996.

No, nis is just broken on sid. See e.g. http://bugs.debian.org/204682


To the original poster: If you want really working code, take woody.
Security updates are also only for woody. It is appreciated if you
help testing and bug fixing, but it is not recommended for production
use.

And please remember - sid is the boy next door who destroys toys.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C





Re: recommendations for FTP server

2003-06-20 Thread Andreas Barth
* Stephen Gran ([EMAIL PROTECTED]) [030621 01:05]:
 Yeah, that's what I have been thinking.  I was sort of hoping there was
 something else out there that did all this besides sftp, because several
 of my friends will be connecting from Windoze boxes.  I guess I'll just
 point them to PuTTy and friends.

What about webdav, http://www.webdav.org/? This is a filesystem over
http(s). Using it as a client with Linux is quite easy, and also
MS users can connect quite easily from a Windows box using standard
Microsoft tools (i.e. Explorer). I'm using it instead of non-anonymous
ftp, and I'm quite happy.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C





Re: mgetty vulnerable?

2003-05-02 Thread Andreas Barth
* Drew Scott Daniels ([EMAIL PROTECTED]) [030502 01:20]:
 [...]

There is as far as I can see (only) one important security enhancement
in the newer mgettys, and this is running the fax-out-scripts not
as root. There is no proof that the old mgettys are vulnerable, but
it's never a good idea to run anything as root unless absolutely
necessary.

Wolfgang and I are just working to get this running on debian
testing/unstable (but _this_ update is not trivial, so it's not just
an apply patch to get it to the woody version). If anyone has the
important desire to use this right now, he should take the sources
from unstable and recompile (and make the necessary enhancements).

Everyone else should wait for about a week, then there should be a
working version. As minor and major bug fixes are more or less the
only changes in mgetty, I would recommend the version in unstable as
the security update for everyone who needs it.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C
   Technical terms of rail transport #1 by Marc Haber in dasr
   Everything gets cheaper: 50 % price increase for regular customers.



Re: 288-1: openssl and stunnel

2003-04-23 Thread Andreas Barth
* Robert Varga ([EMAIL PROTECTED]) [030423 18:05]:
 On Thu, 17 Apr 2003, Arthur van Dorp wrote:

  As I use stunnel I wonder what these problems might be. I've updated my
  testing machine which is set up similar to my production server and
  didn't find a problem yet. But my testing possibilities are limited on
  this machine.
 
 I guess you won't get these problems when you are running stunnel in
 pipe or pipe-client mode. It is supposed to run in multi-threaded mode
 only when it is listening on a port.

My stunnel listens on a port and has no problem.


Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C
   Technical terms of rail transport #1 by Marc Haber in dasr
   Everything gets cheaper: 50 % price increase for regular customers.



Re: 288-1: openssl and stunnel

2003-04-19 Thread Andreas Barth
* Arthur van Dorp ([EMAIL PROTECTED]) [030417 21:20]:
 Today's security advisory about openssl speaks about possibly breaking
 existing applications:

 Unfortunately, RSA blinding is not thread-safe and will cause failures
 for programs that use threads and OpenSSL such as stunnel.  However,
 since the proposed fix would change the binary interface (ABI),
 programs that are dynamically linked against OpenSSL won't run
 anymore.  This is a dilemma we can't solve.
 
 As I use stunnel I wonder what these problems might be. I've updated my
 testing machine which is set up similar to my production server and
 didn't find a problem yet. But my testing possibilities are limited on
 this machine.

I also don't have a problem with stunnel (standard woody) and the
upgraded OpenSSL libs.


Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C
   Technical terms of rail transport #1 by Marc Haber in dasr
   Everything gets cheaper: 50 % price increase for regular customers.