Re: LKM

2004-01-27 Thread Lupe Christoph
On Monday, 2004-01-26 at 21:38:54 +0100, Yannick Roehlly wrote:
> Thiago Ribeiro <[EMAIL PROTECTED]> writes:

> > Hi, when I run tiger, I got the following error: NEW: --WARN--
> > [rootkit004f] Chkrootkit has detected a possible rootkit installation
> > NEW: Warning: Possible LKM Trojan installed But I already listed my
> > processes and found nothing...  What can this be?

> Are you running nautilus?

> Apparently, some of the nautilus processes are hidden (I don't know why)
> and thus make chkrootkit complain about possible LKM infection.

> Try a: $ chkrootkit -x lkm

chkrootkit has an impedance mismatch with ps. This has been discussed
before.

antalya:~# chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID 3: not in ps output
CWD 3: /
EXE 3: /
PID 4: not in ps output
CWD 4: /
EXE 4: /
PID 5: not in ps output
CWD 5: /
EXE 5: /
PID 6: not in ps output
CWD 6: /
EXE 6: /
You have 4 process hidden for ps command

ps -ef lists these:

root 0 1  0 Jan19 ?00:00:00 [ksoftirqd_CPU0]
root 0 1  0 Jan19 ?00:03:40 [kswapd]
root 0 1  0 Jan19 ?00:00:00 [bdflush]
root 0 1  0 Jan19 ?00:00:06 [kupdated]

So ps does not give chkrootkit a PID, but /proc has those processes.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett   |
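The check Lupe describes, re-implemented as an added example (this is not chkrootkit's code and not from the mail): it takes a /proc listing and ps -ef text, reports the PIDs that /proc has but ps does not, and then uses /proc/<pid>/cmdline to separate kernel threads (empty cmdline) from user-space processes that ps really does not show. The /proc listing, ps output and cmdlines below are constructed to mirror the mismatch in the thread; live_check() runs the same logic against the local system and assumes a Linux /proc and a ps that accepts -eo pid=.

```python
"""Re-implementation of the chkproc idea: which PIDs exist in /proc but
are missing from ps output, and which of those are just kernel threads?

Added example for this thread; not chkrootkit's code and not from the
original mail. The sample /proc listing, ps -ef output and cmdlines are
constructed to mirror the mismatch quoted above."""
import os
import subprocess
from typing import Dict, Iterable, List, Set

# Constructed: names you might see in a listing of /proc.
SAMPLE_PROC_ENTRIES = ["1", "2", "3", "4", "5", "6", "834", "self", "sys", "net"]

# Constructed: ps -ef output in which the kernel threads carry PID 0, as
# in the listing quoted in the thread, so their real PIDs never reach ps.
SAMPLE_PS_EF = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan19 ?        00:00:04 init [2]
root         2     1  0 Jan19 ?        00:00:00 [keventd]
root         0     1  0 Jan19 ?        00:00:00 [ksoftirqd_CPU0]
root         0     1  0 Jan19 ?        00:03:40 [kswapd]
root         0     1  0 Jan19 ?        00:00:00 [bdflush]
root         0     1  0 Jan19 ?        00:00:06 [kupdated]
root       834     1  0 Jan19 ?        00:00:01 /usr/sbin/sshd
"""

# Constructed: contents of /proc/<pid>/cmdline. Kernel threads have an
# empty cmdline; a user-space process has NUL-separated arguments.
SAMPLE_CMDLINES: Dict[int, bytes] = {3: b"", 4: b"", 5: b"", 6: b"",
                                     999: b"/tmp/.x\x00-d\x00"}


def proc_pids(entries: Iterable[str]) -> Set[int]:
    """PIDs from a /proc directory listing: the purely numeric names."""
    return {int(name) for name in entries if name.isdigit()}


def ps_pids(ps_text: str) -> Set[int]:
    """PIDs from `ps -ef` text: the second column of every non-header line."""
    pids: Set[int] = set()
    for line in ps_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) > 1 and fields[1].isdigit():
            pids.add(int(fields[1]))
    return pids


def hidden_pids(in_proc: Set[int], in_ps: Set[int]) -> List[int]:
    """What chkproc reports: present in /proc, absent from ps."""
    return sorted(in_proc - in_ps)


def classify_hidden(pids: Iterable[int], cmdlines: Dict[int, bytes]) -> Dict[int, str]:
    """Separate likely false positives from PIDs that deserve a look.

    An empty /proc/<pid>/cmdline marks a kernel thread, i.e. the ps/proc
    mismatch discussed in the thread. A non-empty cmdline means a real
    user-space process that ps does not show. This is triage only: a
    kernel-resident rootkit could present whatever cmdline it likes."""
    verdicts: Dict[int, str] = {}
    for pid in pids:
        if cmdlines.get(pid, b""):
            verdicts[pid] = "hidden user-space process"
        else:
            verdicts[pid] = "kernel thread (likely false positive)"
    return verdicts


def live_check() -> Dict[int, str]:
    """Run the comparison against the running system (Linux, needs ps)."""
    in_proc = proc_pids(os.listdir("/proc"))
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                            text=True, check=True).stdout
    in_ps = {int(tok) for tok in ps_out.split() if tok.isdigit()}
    cmdlines: Dict[int, bytes] = {}
    for pid in hidden_pids(in_proc, in_ps):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdlines[pid] = fh.read()
        except OSError:
            continue  # exited between the listing and the read: a race, not a hidden process
    return classify_hidden(cmdlines.keys(), cmdlines)


if __name__ == "__main__":
    hidden = hidden_pids(proc_pids(SAMPLE_PROC_ENTRIES), ps_pids(SAMPLE_PS_EF))
    for pid, verdict in classify_hidden(hidden, SAMPLE_CMDLINES).items():
        print(f"PID {pid}: not in ps output -> {verdict}")
```

On the sample data the four kernel threads come out as likely false positives, which is the outcome the thread reports. A hidden PID that does carry a cmdline is the case worth confirming from a trusted boot medium rather than from the possibly compromised kernel.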


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: chrootkit and false LKM positive

2004-01-27 Thread Lupe Christoph
On Tuesday, 2004-01-27 at 12:19:41 +0100, Yannick Roehlly wrote:

> The false LKM positives seem to result from a bug in chkrootkit which is
> not aware of the new threading model of 2.6 kernel.

> See bug #222179.

Not exactly true. This is also in recent 2.4.x kernels. See my other
mail. I'm running 2.4.23.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett   |





Re: security.debian.org

2004-02-10 Thread Lupe Christoph
On Monday, 2004-02-09 at 20:38:37 +, Neil McGovern wrote:
> On Mon, Feb 09, 2004 at 06:17:01PM +0100, Konstantin Filtschew wrote:
> > security.debian.org seems to be down

> [EMAIL PROTECTED]:~$ ping security.debian.org
> PING security.debian.org (130.89.175.33): 56 data bytes
> 64 bytes from 130.89.175.33: icmp_seq=0 ttl=51 time=68.8 ms
> 64 bytes from 130.89.175.33: icmp_seq=1 ttl=51 time=15.5 ms
> 64 bytes from 130.89.175.33: icmp_seq=2 ttl=51 time=15.0 ms
> 64 bytes from 130.89.175.33: icmp_seq=3 ttl=51 time=15.9 ms
> 64 bytes from 130.89.175.33: icmp_seq=4 ttl=51 time=15.5 ms

> --- security.debian.org ping statistics ---
> 5 packets transmitted, 5 packets received, 0% packet loss
> round-trip min/avg/max = 15.0/26.1/68.8 ms

When I received the mail, I immediately tried to ping it. No reply. I
still have the traceroute output from that time:

traceroute to security.debian.org (194.109.137.218), 30 hops max, 38 byte packets
 1  firewally (172.17.0.7)  0.313 ms  0.265 ms  0.294 ms
 2  217.5.98.173 (217.5.98.173)  41.572 ms  14.095 ms  16.924 ms
 3  217.237.157.90 (217.237.157.90)  43.417 ms  13.360 ms  13.235 ms
 4  m-ec1.M.DE.net.DTAG.DE (62.154.27.234)  43.712 ms  41.187 ms  13.722 ms
 5  zcr2-so-5-2-0.Munich.cw.net (208.175.230.49)  43.801 ms  80.418 ms  13.694 ms
 6  zcr1-ge-4-3-0-5.Munich.cw.net (208.175.230.253)  44.627 ms  14.025 ms  13.144 ms
 7  bcr2-so-0-3-0.Amsterdam.cw.net (208.173.209.149)  44.844 ms  41.744 ms  41.494 ms
 8  zcr2-so-1-0-0.Amsterdamamt.cw.net (208.173.209.198)  45.590 ms  40.869 ms  42.402 ms
 9  zar1-ge-0-3-0.Amsterdamamt.cw.net (208.173.220.131)  46.314 ms 
zar1-ge-1-3-0.Amsterdamamt.cw.net (208.173.220.147)  325.519 ms  45.989 ms
10  kpn.Amsterdamamt.cw.net (208.173.212.154)  48.013 ms  45.763 ms  39.773 ms
11  0.so-1-3-0.xr1.d12.xs4all.net (194.109.5.101)  49.062 ms  67.547 ms  41.748 ms
12  0.so-3-0-0.cr1.d12.xs4all.net (194.109.5.58)  47.961 ms *  46.106 ms
13  * * *
14  * * *

Now the traceroute goes like this:

traceroute to security.debian.org (130.89.175.33), 30 hops max, 38 byte packets
 1  firewally (172.17.0.7)  14.812 ms  0.293 ms  0.176 ms
 2  217.5.98.173 (217.5.98.173)  14.354 ms  15.059 ms  16.953 ms
 3  217.237.157.90 (217.237.157.90)  33.209 ms  12.916 ms  13.132 ms
 4  f-ea1.F.DE.net.DTAG.DE (62.154.18.22)  47.707 ms  44.256 ms  19.434 ms
 5  208.49.136.173 (208.49.136.173)  46.733 ms  17.878 ms  21.079 ms
 6  pos12-0-2488M.cr1.FRA2.gblx.net (67.17.74.149)  38.589 ms  89.690 ms  26.491 ms
 7  pos0-0-2488M.cr1.AMS2.gblx.net (67.17.64.90)  45.999 ms  39.470 ms  39.688 ms
 8  so0-0-0-2488M.ar1.AMS1.gblx.net (67.17.65.230)  46.996 ms  38.572 ms  39.662 ms
 9  SURFnet.ge-4-2-0.ar1.AMS1.gblx.net (67.17.162.206)  40.223 ms 
GigaSurf-Amsterdam.ge-2-1-0.ar1.AMS1.gblx.net (208.49.125.50)  39.632 ms  39.552 ms
10  P11-0.CR1.Amsterdam1.surf.net (145.145.166.33)  38.971 ms  71.401 ms  39.665 ms
11  PO1-0.CR2.Amsterdam1.surf.net (145.145.160.2)  39.699 ms  39.121 ms  39.690 ms
12  PO0-0.AR5.Enschede1.surf.net (145.145.163.14)  44.969 ms  44.032 ms  44.446 ms
13  utwente-router.Customer.surf.net (145.145.4.2)  44.232 ms  44.670 ms  43.218 ms
14  slagroom.snt.utwente.nl (130.89.175.33)  45.313 ms  82.717 ms  44.476 ms

You can see that this was probably not security.d.o being down, but some
router. The packets are taking a quite different path. Maybe U Twente
switched providers?

> Also see http://www.debian.org/News/2004/20040202

That's old news. The machine has been reactivated.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett   |





Re: Help! File permissions keep changing...

2004-02-18 Thread Lupe Christoph
Wow, this is so completely OT I like it...

On Wednesday, 2004-02-18 at 13:58:59 +0100, Ivan Brezina wrote:

> hmm, xargs does not use quotes when executing commands. This causes 
> problems with dirs with spaces in name.
> If user has directory named "dummy root", he can easily get access to 
> /root directory.

That's why GNU find and xargs have the options -print0 and -0,
respectively. Names in Unixish filesystems can't have NULs in them.

Stoopid(tm) example:
find "foo bar" -print0 | xargs -0 ls -ld

There, I made the thread even more offtopic! :-O

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett   |
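An added demonstration of why -print0/-0 matters (not from the original mail): it creates a scratch directory with constructed awkward file names, builds the byte stream find would print with and without -print0, and splits it the way xargs does by default (on blanks and newlines) and with -0 (on NUL). Only the NUL-delimited version yields arguments that are all real paths.

```python
"""Why `find -print0 | xargs -0` is safe and the whitespace default is not.

Added example, not from the original mail. It creates a scratch
directory with constructed awkward names, builds the byte stream that
`find` emits with -print (newline) and with -print0 (NUL), then splits
each the way xargs would: on blanks and newlines by default, on NUL
with -0. NUL is the one byte a Unix path name can never contain."""
import os
import shutil
import tempfile
from typing import Dict, List

# Constructed names: an embedded space, an embedded newline, a plain one.
AWKWARD_NAMES = ["dummy root", "new\nline", "plain.txt"]


def make_scratch_dir() -> str:
    """Create a directory holding one file per awkward name."""
    d = tempfile.mkdtemp(prefix="print0demo")
    for name in AWKWARD_NAMES:
        with open(os.path.join(d, name), "w") as fh:
            fh.write("x\n")
    return d


def find_output(directory: str, terminator: bytes) -> bytes:
    """Mimic `find DIR -mindepth 1 -print` (b"\\n") or `-print0` (b"\\0")."""
    return b"".join(os.fsencode(os.path.join(directory, n)) + terminator
                    for n in sorted(os.listdir(directory)))


def split_like_xargs(stream: bytes) -> List[str]:
    """Default xargs: blanks and newlines both separate arguments."""
    return [os.fsdecode(tok) for tok in stream.split()]


def split_like_xargs0(stream: bytes) -> List[str]:
    """xargs -0: only NUL separates arguments."""
    return [os.fsdecode(tok) for tok in stream.split(b"\0") if tok]


def existing(paths: List[str]) -> List[str]:
    """The subset of arguments that actually name something on disk."""
    return [p for p in paths if os.path.lexists(p)]


def demo() -> Dict[str, List[str]]:
    """Run both pipelines against the scratch directory and clean up."""
    d = make_scratch_dir()
    try:
        unsafe = split_like_xargs(find_output(d, b"\n"))
        safe = split_like_xargs0(find_output(d, b"\0"))
        return {"unsafe_args": unsafe, "unsafe_existing": existing(unsafe),
                "safe_args": safe, "safe_existing": existing(safe)}
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    r = demo()
    print(f"default xargs: {len(r['unsafe_args'])} args, "
          f"{len(r['unsafe_existing'])} of them real paths")
    print(f"xargs -0:      {len(r['safe_args'])} args, "
          f"{len(r['safe_existing'])} of them real paths")
```

With the default splitting, "dummy root" becomes the two arguments "dummy" and "root"; the second is a relative name that the command then resolves against its own working directory, which is exactly the confusion the quoted mail worries about.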





Re: Tripwire (clone) which would you prefer?

2004-02-23 Thread Lupe Christoph
On Monday, 2004-02-23 at 10:42:05 +0100, Jan Lühr wrote:

> well, I'm looking for an open source intrusion detection. At first, tripwire 
> captured my attention, but the last open source version seems to be three 
> years old - is it still in development or badly vulnerable?
> Then I searched for tripwire in the woody packages and found integrit and 
> bsign - so which would you prefer and why?
> Are there any other interesting projects that are worth looking for?

Stable != bad, ask the Debian project :-P

I'm using a combination of Tripwire and AIDE. Before I decided on that,
I did a survey of integrity checkers. I didn't find bsign then, but
integrit. At that time 3.00.05 was most current. It did not offer a
variety of hashes, only SHA1. It offered no database integrity like
Tripwire does (and seemingly AIDE now, too). In general it was one of
the better tools, but not as flexible and versatile as AIDE and
Tripwire.

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett   |





Re: Slightly OT: Setting the primary NIC

2004-03-21 Thread Lupe Christoph
On Sunday, 2004-03-21 at 10:20:06 +0100, Sven Riedel wrote:

> I'm struggling with a problem on a multi-homed host running debian, and
> as the problem is somewhat security related, I hope you'll tolerate the
> question on this list :)

This isn't freebsd-security ;-)

> Anyway, the Host has an internal NIC and an external NIC (acting among
> other things as a firewall). For some reason, all services think the
> external NIC is the primary, and will try to bind to that/all requests
> from samba/cups etc have a source IP from the external NIC, which
> complicates the setups of the internal hosts.

Are you saying packets are being sent out of your internal interface with
the source address set to that of the external interface?!? That should
not happen.

Please supply the output of ifconfig -a and netstat -an.

> I've tried switching the order in which the modules for the NICs are
> loaded (eth0 became eth1 and vice versa), the order in which the NICs
> are activated with ifup and some other things, to no avail. I haven't
> found anything at the debian site wrt this problem either - all I can
> say is that the old distribution on the machine didn't have this
> problem (but that was the only saving grace of that distro). 

You are most definitely looking in the wrong place.

> Can anyone tell me how I can tell the machine which NIC is the primary?

There is no such thing as a primary NIC. Unless a daemon explicitly
binds a socket to a specific IP address and sends a packet through that
socket, the source IP address is set to that of the interface the packet
is sent on.

So you have a weird configuration for sure.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett   |





Re: Slightly OT: Setting the primary NIC

2004-03-21 Thread Lupe Christoph
On Sunday, 2004-03-21 at 03:17:45 -0800, Brandon High wrote:
> On Sun, Mar 21, 2004 at 11:58:00AM +0100, Lupe Christoph wrote:
> > > Can anyone tell me how I can tell the machine which NIC is the primary?
> > There is no such thing as a primary NIC. Unless a daemon explicitly
> > binds a socket to a specific IP address and send a packet through that

> Could it be that he means the NIC that the default route applies to?

> netstat -rn would show that.

I doubt that. He couldn't reach the other machines if the packets went
the default route.

Sven?

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett   |





Re: Woody Backport of tripwire

2004-04-23 Thread Lupe Christoph
On Thursday, 2004-04-22 at 20:32:42 -0400, Phillip Hofmeister wrote:
> Can anyone refer me to a woody backport of tripwire (or a version such
> as 2.3.1.2+)?

I recently did a backport, but it's not up for downloads. I could mail
it to you, or you can do it yourself from the package source. If you do
that, you will need to use
  CXX=g++-3.0 GCC=gcc-3.0 dpkg-buildpackage -rfakeroot -us -uc
(or similar). g++ 2.95 will not do.

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like   |
| covering yourself with barbecue sauce and breaking into the Charity|
| Home for Badgers with Rabies.Michael Lucas |





Re: apt-get update

2004-05-14 Thread Lupe Christoph
On Friday, 2004-05-14 at 11:52:58 +0200, [EMAIL PROTECTED] wrote:

> I have just made some changes in my firewall and now I am having problems
> with apt-get update because when connecting to 

> http://ftp2.de.debian.org 

> nothing happens and with netstat -lanp I see SYN/SENT and nothing more

You could just try with a browser, or do "telnet ftp2.de.debian.org 80"
to make sure it's nothing to do with apt-get. 

> Does anybody have the same problem ?? 

No answer for me, either.

> Is ftp2.de.debian.org down

It does not answer to pings, but you tried that, didn't you? And if you
did a traceroute, too, you must have seen that 195.71.13.76 is the last
replying hop. Or did you forbid ICMP Echo and traceroute for yourself in
your firewall?

Anyway. 195.71.13.76 belongs to mediaWays/Telefonica Deutschland GmbH.
And ftp2.de.debian.org (195.71.9.196) belongs to them, too. So you may
want to send mail to [EMAIL PROTECTED] to inquire.

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like   |
| covering yourself with barbecue sauce and breaking into the Charity|
| Home for Badgers with Rabies.Michael Lucas |





Re: Q: server monitoring

2004-04-30 Thread Lupe Christoph
On Thursday, 2004-04-29 at 21:46:33 +0200, Holger Eitzenberger wrote:

> can someone recommend a tool to monitor (hardware, network, ...)
> some linux servers, e. g. nagios (www.nagios.org)?  What
> other free tools are available?

I'm running mon for availability testing and Munin (was LRRD) for
performance monitoring.

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like   |
| covering yourself with barbecue sauce and breaking into the Charity|
| Home for Badgers with Rabies.Michael Lucas |





Re: [bulletproof.net.au #29025] [Comment] [SECURITY] [DSA 525-1] New apache packages fix buffer overflow in mod_proxy

2004-06-27 Thread Lupe Christoph
On Monday, 2004-06-28 at 12:55:58 +1000, Lorenzo Modesto via RT wrote:

... whatever ...

> This e-mail and any attachments are confidential and may be legally
> privileged. Only the intended recipient may access or use it and no
> confidentiality or privilege is waived or lost by mistaken
> transmission. If you are not the intended recipient you must not 
> copy or disclose this email's contents to any person and you must 
> delete it and notify us immediately. Bulletproof Networks uses 
> virus scanning software but excludes all liability for viruses or 
> similar in any attachment as well as for any error or 
> incompleteness in the contents of this e-mail.

Especially given this Stoopid(tm) footer, you should keep your RT mails
off debian-security and any other lists you feed into RT.

Thank you,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like   |
| covering yourself with barbecue sauce and breaking into the Charity|
| Home for Badgers with Rabies.Michael Lucas |





Re: Ihre Anfrage: Support-JOB 14077 -- WG: [EMAIL PROTECTED]: [SECURITY] [DSA 531-1] New php4 packages fix multiple vulnerabilities]

2004-07-22 Thread Lupe Christoph
Hello!

If you are already feeding mailing lists directly into your support
system, please make sure that no automatically generated replies go to
the mailing list.

Otherwise you might receive support requests about kernel binaries from
enraged readers of the mailing list...

So better rework that soon!

Thanks,
Lupe Christoph

On Thursday, 2004-07-22 at 12:28:59 +0200, ET Support wrote:

>  Good day,

> we have received your request and are processing it as quickly as possible. 
> The following information was recorded:

>  Ticket no.: 14077
>  Subject:WG: [EMAIL PROTECTED]: [SECURITY] [DSA 531-1] New 
> php4 packages fix multiple vulnerabilities]
>  Date:  7/22/2004 12:28

> A note: Please do not reply to this mail! It was generated automatically 
> to inform you that we have received your request. For further inquiries, 
> please quote the ticket number assigned in this reply so that our staff 
> and the support team can access the case quickly.

> Kind regards,
>  ECCE TERRAM Serviceteam
> == Attachment

> Job 14077 with subject WG: [EMAIL PROTECTED]: [SECURITY] [DSA 531-1] New php4 
> packages fix multiple vulnerabilities]

> > From [EMAIL PROTECTED] Thu Jul 22 12:28:59 2004
> > Return-Path: <[EMAIL PROTECTED]>
> > Received: by ecce-terram.de (Smail3.2.0.101)
> >   from dmz6.zeit.de (194.77.156.241) with esmtp
> >   id ; Thu, 22 Jul 2004 12:28:58 +0200 (MET DST)
> > Received: from mailserver1.zeit.de (mailserver1.zeit.de [172.20.10.22]) by 
> > dmz6.zeit.de
> >  (Content Technologies SMTPRS 4.3.12) with ESMTP id <[EMAIL PROTECTED]> for 
> > <[EMAIL PROTECTED]>;
> >  Thu, 22 Jul 2004 12:25:46 +0200
> > content-class: urn:content-classes:message
> > MIME-Version: 1.0
> > Content-Type: text/plain;
> > charset="iso-8859-1"
> > Content-Transfer-Encoding: quoted-printable
> > X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
> > Subject: WG: [EMAIL PROTECTED]: [SECURITY] [DSA 531-1] New php4 packages fix
> > multiple vulnerabilities]
> > X-JASServer: JAS 2.3h C1994,1995,1996,1998,1999 R.Kaltefleiter
> > Date: Thu, 22 Jul 2004 12:25:45 +0200
> > Message-ID: <[EMAIL PROTECTED]>
> > X-MS-Has-Attach: 
> > X-MS-TNEF-Correlator: 
> > Thread-Topic: [EMAIL PROTECTED]: [SECURITY] [DSA 531-1] New php4 packages fix
> > multiple vulnerabilities]
> > Thread-Index: AcRvCQLogB0h00u8SD+Xhc2r3Ou4LgAzRNNg
> > From: "Dehne, Ulrich" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>


> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
--- Thus spoke ET Support ---

-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like   |
| covering yourself with barbecue sauce and breaking into the Charity|
| Home for Badgers with Rabies.Michael Lucas |





Re: Machine-readable form for debian security advisories

2004-08-11 Thread Lupe Christoph
On Thursday, 2004-08-12 at 14:26:44 +1000, Joshua Goodall wrote:

> Therefore I see a need for a machine readable DSA format. I know there's 
> a defined format to the current header, but I'd like to expand on that.

> It will look something like:

Please do not invent yet another format if you can avoid it. You don't
mention VuXML (http://www.vuxml.org/), so I suppose you did not know it.
Please have a look there.

Thank you,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like   |
| covering yourself with barbecue sauce and breaking into the Charity|
| Home for Badgers with Rabies.Michael Lucas |





Re: Machine-readable form for debian security advisories

2004-08-12 Thread Lupe Christoph
On Thursday, 2004-08-12 at 17:25:32 +1000, Joshua Goodall wrote:

> As I understand it, VuXML has a slightly different semantic. It 
> expresses that specified binary package versions will have a certain 
> vulnerability and implies they should be deinstalled or upgraded to 
> some version for which the vulnerability does not exist. The DSA series 
> always gives "less than" information and states you must upgrade to the 
> version listed.

I have to confess I only use VuXML and have never looked at it closely. If
you find VuXML deficient for use with Debian and wish to extend or
change it, it's probably best if you discuss this with the people who
invented it. I can't comment on your statements and diff. So please
leave me out of the discussion. I'm getting enough mail already ;-)

> These nits aside, I can probably use VuXML for my project, even if it 
> means extending the DTD. Thanks for pointing it out!

That's something I *can* comment on: Glad you found it useful. So I hope
to see VuXML being used for Debian as well in the future.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like   |
| covering yourself with barbecue sauce and breaking into the Charity|
| Home for Badgers with Rabies.Michael Lucas |





Re: Encrypt file while you are using it

2008-11-24 Thread Lupe Christoph
On Monday, 2008-11-24 at 16:12:56 +0100, Manuel Gomez wrote:
> Hi, i would like to maintain encrypt an archive in all moment, so i
> would like to know what software can be this.

> Now i am using Truecrypt, but when i mount the encrypted directory it's
> vulnerable. I want to mount the file and that the file can remains
> encrypt.

Whenever you are able to read a file, it has to exist in unencrypted
form. Let's say you have an editor or viewer that has built-in
decryption. It will read the encrypted file and decrypt it. To be able
to work on it, the program has to keep the decrypted form. It also
has to send it to some device for you to be able to work on it. The
decrypted form will be readable from /dev/mem or /proc/<pid>/mem by
the superuser and (procfs only) your user. It will also be possible
for at least the superuser to intercept what is going to the device.
There is nothing you can do to prevent these kinds of attacks.

So, storing your files in an encrypted filesystem with permissions set
so that only your user (and the superuser) can read the files is no less
secure than storing the files individually encrypted.

HTH,
Lupe Christoph
-- 
| There is no substitute for bad design except worse design. |
| /me|





Re: Exploit in Upgrade Chain?

2009-02-12 Thread Lupe Christoph
On Thursday, 2009-02-12 at 12:11:01 -0800, The Well - Systems Administrator wrote:
> 600 on /etc is technically more secure than the default 755 with normal  
> POSIX systems, not less. If this is an exploit, it's one that locks  
> things down tighter than they should normally be. :) Giacomo is correct  
> that these incorrect perms can cause other issues, though not security  
> related ones that I can think of.

Mode 600 will deny /etc to everybody except root while it will change
nothing for root. If you have any services on your system that run under
non-root UIDs, and that have config under /etc, you hose them with any
mode that removes the eXecute bit for "others".

So it's not an exploit, it's a Denial of Service. Which I believe *is*
security related...

Lupe Christoph
-- 
| There is no substitute for bad design except worse design.   |
| /me  |





Re: Exploit in Upgrade Chain?

2009-02-13 Thread Lupe Christoph
On Friday, 2009-02-13 at 11:55:54 +0200, Izak Burger wrote:
> On Thu, Feb 12, 2009 at 10:37 PM, Lupe Christoph  
> wrote:
> > Mode 600 will deny /etc to everybody except root while it will change
> > nothing for root. If you have any services on your system that run under
> > non-root UIDs, and that have config under /etc, you hose them with any
> > mode that removes the eXecute bit for "others".

> Mode 600 (on a directory) lacks the access bit, so even root will have
> a hard time getting much joy out of /etc. You will need at least 700
> to give root access.

But UID 0 ignores the access mode. With root, you can even access
/etc if it has mode 000:

# ls -ld /etc /etc/passwd
d---------  176 root root 12288 2009-02-13 01:08 /etc
-rw-r--r--   1 root root  2292 2008-10-30 16:54 /etc/passwd

Lupe Christoph
-- 
| There is no substitute for bad design except worse design.   |
| /me  |
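An added example that reproduces the two observations in this exchange on a scratch directory; it is not from the thread. The directory and its single file are constructed stand-ins for /etc and /etc/passwd. With mode 600, listing still works (readdir needs only the r bit), but opening a file inside fails for an ordinary user because path lookup needs the x bit; a process with CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH (normally UID 0) skips the mode check, which is why root does not notice.

```python
"""What mode 600 on a directory does to non-root users, and why root
does not notice.

Added example, not from the original thread. The scratch directory and
its "passwd" file are constructed stand-ins for /etc and /etc/passwd."""
import os
import shutil
import stat
import tempfile
from typing import Dict


def make_locked_dir(mode: int = 0o600) -> str:
    """Scratch directory with one readable file, then chmod the directory."""
    d = tempfile.mkdtemp(prefix="etc-demo-")
    with open(os.path.join(d, "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed content
    os.chmod(d, mode)
    return d


def mode_string(path: str) -> str:
    """ls -ld style mode string, e.g. 'drw-------'."""
    return stat.filemode(os.stat(path).st_mode)


def can_list(directory: str) -> bool:
    """readdir() needs the r bit on the directory, not x."""
    try:
        os.listdir(directory)
        return True
    except PermissionError:
        return False


def can_open_entry(directory: str, name: str) -> bool:
    """Looking up a name inside the directory needs the x (search) bit.

    This is the step a non-root service with its config under /etc would
    fail at after the chmod described in the thread."""
    try:
        with open(os.path.join(directory, name), "r"):
            return True
    except PermissionError:
        return False


def can_bypass_dac() -> bool:
    """Will the kernel skip the directory mode check for this process?

    On Linux that is CAP_DAC_OVERRIDE (bit 1) or CAP_DAC_READ_SEARCH
    (bit 2) in the effective capability set, which UID 0 normally has.
    On other Unixes fall back to "effective UID is 0"."""
    try:
        with open("/proc/self/status") as fh:
            for line in fh:
                if line.startswith("CapEff:"):
                    caps = int(line.split()[1], 16)
                    return bool(caps & 0b110)
    except OSError:
        pass
    return os.geteuid() == 0


def cleanup(directory: str) -> None:
    os.chmod(directory, 0o700)  # restore search+write so the files can be removed
    shutil.rmtree(directory)


def run_demo() -> Dict[str, object]:
    """Lock the scratch directory down to 600 and record what still works."""
    d = make_locked_dir()
    try:
        return {"mode": mode_string(d), "list": can_list(d),
                "open": can_open_entry(d, "passwd"), "bypass": can_bypass_dac()}
    finally:
        cleanup(d)


if __name__ == "__main__":
    r = run_demo()
    print(f"directory mode {r['mode']}: listing works={r['list']}, "
          f"opening a file inside works={r['open']} (DAC bypass: {r['bypass']})")
```

Run as an ordinary user, "open" is False and "bypass" is False; run as root, both are True, which is the behaviour the ls -ld output above shows for a mode 000 /etc.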





Re: sendmail & localhost rDNS

2009-08-10 Thread Lupe Christoph
On Monday, 2009-08-10 at 13:46:38 +0200, Thomas Liske wrote:

> last week, there was an article on heise security about MTAs[1] which  
> relay mails for hosts having a reverse resolution of 'localhost'. Doing  
> a small test shows that sendmail on etch seems to be vulnerable, too. I  
> need to have a localhost RELAY line in my access file (which is not  
> default AFAIK).

> Will there be a DSA on this issue, since it seems to turn Sendmail  
> installations with allowed localhost RELAYing into Open Relays?

Are you saying you want a DSA for a package that does not have that
particular vulnerability, but allows a user to create it?

"Doctor, it hurts when I do this!" "Don't do it, then."

Lupe Christoph
-- 
| There is no substitute for bad design except worse design.   |
| /me  |





Re: sendmail & localhost rDNS

2009-08-10 Thread Lupe Christoph
On Monday, 2009-08-10 at 14:03:44 +0200, Thomas Liske wrote:
> #Lupe Christoph wrote:
>> On Monday, 2009-08-10 at 13:46:38 +0200, Thomas Liske wrote:

>>> last week, there was an article on heise security about MTAs[1] which 
>>>  relay mails for hosts having a reverse resolution of 'localhost'. 
>>> Doing  a small test shows that sendmail on etch seems to be 
>>> vulnerable, too. I  need to have a localhost RELAY line in my access 
>>> file (which is not  default AFAIK).

>>> Will there be a DSA on this issue, since it seems to turn Sendmail   
>>> installations with allowed localhost RELAYing into Open Relays?

>> Are you saying you want a DSA for a package that does not have that
>> particular vulnerability, but allows a user to create it?

> if an access line like:

> Connect:localhost   RELAY

> turns an MTA into an Open Relay then I would prefer a DSA, since the ACL  
> implementation is broken IMHO.

Well, a line like this:

Connect:spammer.comRELAY

does the same, so, as I said, just don't do it. I still don't see why
on one hand you say that you need a localhost line, and then complain
that it hurts you.

Why can't you use 127.0.0.1 or localhost.mydomain?

Lupe Christoph
-- 
| There is no substitute for bad design except worse design.   |
| /me  |
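An added audit script for the kind of access-map entry discussed here; it is not sendmail's code and not from the thread. It parses the access map in the key/value layout used above (whitespace-separated, # comments) and flags RELAY entries keyed on a host name under Connect: or untagged, since those match on the client's reverse DNS name, while address keys such as 127.0.0.1 do not. The access file in the block is constructed; the list of left-hand-side tags is what sendmail's access_db feature accepts, treat any tag beyond Connect:, From: and To: as an assumption if your version differs.

```python
"""Audit a sendmail access map for RELAY decisions keyed on names that
the remote side's reverse DNS, not the operator, controls.

Added example; not sendmail's code and not from the original thread.
The access file below is constructed. A `Connect:localhost RELAY` entry
matches any client whose PTR record says "localhost", which the
connecting side can arrange; `Connect:127.0.0.1 RELAY` matches only
the loopback address."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

SAMPLE_ACCESS = """\
# constructed /etc/mail/access for the demo
Connect:localhost        RELAY
Connect:127.0.0.1        RELAY
Connect:192.168.1        RELAY
To:example.org           RELAY
spammer.example          REJECT
Connect:mail.partner.example  RELAY
"""

# Left-hand-side tags accepted by FEATURE(`access_db') (assumption: list
# checked against sendmail 8.13/8.14; older versions know fewer tags).
KNOWN_TAGS = ("connect", "from", "to", "spam", "tls_srv", "tls_clt",
              "srv_features", "try_tls")


@dataclass
class Finding:
    line_no: int
    key: str
    reason: str


def is_ip_key(host: str) -> bool:
    """True for keys that match by address: a full IPv4/IPv6 address, an
    IPv4 prefix such as 192.168.1, or sendmail's IPv6:... spelling."""
    if host.lower().startswith("ipv6:"):
        return True
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,3}", host) is not None


def split_tag(key: str) -> Tuple[str, str]:
    """Split 'Connect:host' into ('connect', 'host'); untagged keys get ''."""
    lower = key.lower()
    for tag in KNOWN_TAGS:
        if lower.startswith(tag + ":"):
            return tag, key[len(tag) + 1:]
    return "", key  # untagged entry: applies to Connect, From and To alike


def audit_access(text: str) -> List[Finding]:
    """Flag RELAY entries whose match depends on a name the client supplies."""
    findings: List[Finding] = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[1].split()[0].upper() != "RELAY":
            continue
        tag, host = split_tag(parts[0])
        if tag == "to":
            continue  # relaying *to* a hosted domain is keyed on the recipient, not the client
        if is_ip_key(host):
            continue  # address keys are not influenced by the client's DNS
        if host.lower() == "localhost":
            reason = ("relay granted to any client whose reverse DNS says "
                      "'localhost'; key the rule on 127.0.0.1 instead")
        elif tag == "from":
            reason = "relay granted on an envelope sender, which any client can claim"
        else:
            reason = "relay granted on a host name resolved from the client's reverse DNS"
        findings.append(Finding(no, parts[0], reason))
    return findings


if __name__ == "__main__":
    for f in audit_access(SAMPLE_ACCESS):
        print(f"line {f.line_no}: {f.key}: {f.reason}")
```

On the constructed map the script reports line 2 (localhost) and line 7 (a partner's host name) and accepts the 127.0.0.1 and 192.168.1 entries, which is the distinction Lupe draws in the last line of the reply above.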





Re: sendmail & localhost rDNS

2009-08-10 Thread Lupe Christoph
On Monday, 2009-08-10 at 14:35:06 +0200, Bernhard R. Link wrote:
> * Lupe Christoph  [090810 13:53]:
> > On Monday, 2009-08-10 at 13:46:38 +0200, Thomas Liske wrote:

> > > last week, there was an article on heise security about MTAs[1] which  
> > > relay mails for hosts having a reverse resolution of 'localhost'. Doing  
> > > a small test shows that sendmail on etch seems to be vulnerable, too. I  
> > > need to have a localhost RELAY line in my access file (which is not  
> > > default AFAIK).

> > > Will there be a DSA on this issue, since it seems to turn Sendmail  
> > > installations with allowed localhost RELAYing into Open Relays?

> > Are you saying you want a DSA for a package that does not have that
> > particular vulnerability, but allows a user to create it?

> > "Doctor, it hurts when I do this!" "Don't do it, then."

> "Help, help my computer does funny things!" "Don't power it up, then."

That's not what I meant. Admitted, the quote is more funny than exact
(and it isn't particularly funny...). What I mean is that a lot of
software allows the user to shoot himself in various body parts. One
such example is rm. As in "rm * .o". Oooops.

More related to the OP, sendmail allows you to configure an open relay
in a number of ways, not all of them as easily identified as the
"localhost" problem. It has a built-in write-only language...

But why would the possibility to configure the package to open a relay
warrant a DSA? It would IMNSHO only when the package came preconfigured
to do that.

> Almost all security holes need the user to do something. (If only to
> power up the machine, to install some packages, to connect to the
> internet, to give accounts to users). The question cannot be that
> something has to be done to make people vulnerable, but whether properly
> sane and educated people can guess that something opens a security
> problem.

I interpret this to mean that there should be DSAs for all problems *made
possible* by Debian packages, rather than those *caused* by the package.

Lupe Christoph
-- 
| There is no substitute for bad design except worse design.   |
| /me  |





Re: sendmail & localhost rDNS

2009-08-11 Thread Lupe Christoph
OK, I give up. And shut up.

Please file a bug against the sendmail package, with the information
that sendmail allows you to enter "Connect:localhost RELAY" in
/etc/mail/access.

And another one that "Connect:127.0.0.1 RELAY" opens up the same hole as
"Connect:localhost RELAY".

Since I have no sendmail installation to use for testing, I can't
reproduce the second problem. The sendmail package maintainer will
probably require the submitter to provide details which I can't.

Thank you,
Lupe Christoph
-- 
| There is no substitute for bad design except worse design.   |
| /me  |





Re: sendmail & localhost rDNS

2009-08-11 Thread Lupe Christoph
On Tuesday, 2009-08-11 at 10:32:04 +0200, Bernhard R. Link wrote:
> * Lupe Christoph  [090810 21:13]:
> > > Almost all security holes need the user to do something. (If only to
> > > power up the machine, to install some packages, to connect to the
> > > internet, to give accounts to users). The question cannot be that
> > > something has to be done to make people vulnerable, but whether properly
> > > sane and educated people can guess that something opens a security
> > > problem.

> > I interpret this to mean that there should be DSAs for all problems *made
> > possible* by Debian packages, rather than those *caused* by the package.

> What I try to tell you is that I do not share your interpretation of
> "caused".

> If bash had a bug to always include . in PATH, would that cause
> a problem or make a problem possible? (After all, no one forces you to
> switch to other people's directories before doing ls).

That would be a defect in the package that requires no user
configuration. The equivalent of "Connect:localhost RELAY" would be this
in .bashrc: PATH=.:$PATH .

> If a webbrowser has a problem executing arbitrary stuff told by the
> website visited, is that a security problem "caused" or made possible by
> the webbrowser. (After all, if you do not visit untrusted sites, there
> is no problem).

That is a defect in the webbrowser. It requires no user configuration.

> If sshd had a bug so that "PermitRootLogin without-password" (which is not
> the default) allowed people to login without any identification as root
> instead of what it is supposed to be, would that be bug caused by ssh
> or a bug made possible by ssh?

That is a bug because sshd does not do what is documented. Suppose
sshd_config had an option "PermitRootLogin always", meaning that no
password or key is required to log in as root. Would it be a bug of sshd
to include this option or a misfeature?

> So it is in my eyes no criterion at all that the user has to change some
> configuration. The question is whether this change is supposed to cause
> the effects it does and if a user can be expected to understand the
> effects.

Please go ahead and file security-related bugs against all packages that
allow the user to open security holes by changing the default
configuration.

I suppose we should agree to disagree and terminate this thread here. Of
course I will not restrict your freedom to answer to this mail, but I
will leave your reply unanswered because I believe we won't ever
agree.

Lupe Christoph





Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?

2014-04-09 Thread Lupe Christoph
On Wednesday, 2014-04-09 at 12:42:16 +0200, Rob van der Putten wrote:

> AFAIK all services that use TLS + open-ssl are affected.
> I generated new keys for Apache, Asterisk, Exim and imap and
> restarted those services.
> According to a post on slashdot SSH is not affected. I don't know if
> this is correct.

It would probably be a good idea not to rely on a fixed list of services
which would exclude programs the user installed from other sources, but
use something like this:

grep libssl.so /proc/*/maps
(Assuming that libcrypto.so did not change in this update.)

I admit that mapping the list of processes to services is hard, so the
best way would probably be to filter the list by known executables and
list the unknowns for the user to restart by hand.

Lupe Christoph
-- 
| The politician's syllogism:|
| We must do something   |
| This is something  |
| Therefore, we must do this.|


Archive: https://lists.debian.org/20140409112033.ga7...@lupe-christoph.de
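An added example (not from the mail and not the openssl package's postinst) of the /proc/*/maps check suggested above, carried one step further: it looks at libcrypto as well as libssl, and it uses the "(deleted)" marker the kernel puts on a mapping whose file has been replaced on disk, so only processes still holding the old library are reported, split into services we know how to restart and unknowns left to the admin. KNOWN_SERVICES is a hypothetical, site-specific list.

```python
import os
import re
from pathlib import Path

# Added example, not code from the mail or from the openssl package.
# After an upgrade replaces libssl/libcrypto on disk, every process that
# still maps the old file shows the mapping with a trailing "(deleted)" in
# /proc/PID/maps. That marker, not the mere presence of the library, tells
# us the process has not been restarted yet.

OPENSSL_LIB = re.compile(r"/lib(ssl|crypto)\.so")

# Hypothetical, site-specific: executable path -> service name a postinst
# could restart automatically. Anything else is listed for manual restart.
KNOWN_SERVICES = {
    "/usr/sbin/apache2": "apache2",
    "/usr/sbin/exim4": "exim4",
    "/usr/sbin/dovecot": "dovecot",
}


def scan_maps(pid, exe, maps_text):
    """Classify one process from the text of its /proc/PID/maps.

    Returns None when no OpenSSL library is mapped, else (pid, exe, stale)
    where stale is True if at least one OpenSSL mapping is marked "(deleted)".
    """
    hits = [line for line in maps_text.splitlines() if OPENSSL_LIB.search(line)]
    if not hits:
        return None
    stale = any(line.rstrip().endswith("(deleted)") for line in hits)
    return (pid, exe, stale)


def openssl_users(proc_root="/proc"):
    """Walk a proc tree (the real /proc by default) and collect scan_maps() hits."""
    found = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue  # /proc/self, /proc/sys and friends are not processes
        try:
            maps_text = (entry / "maps").read_text()
        except OSError:
            continue  # process exited, or maps not readable (run this as root)
        try:
            exe = os.readlink(entry / "exe")
        except OSError:
            exe = "?"  # kernel thread or permission denied
        hit = scan_maps(int(entry.name), exe, maps_text)
        if hit:
            found.append(hit)
    return sorted(found)


def restart_plan(users):
    """Split stale processes into (services to restart, [(pid, exe)] for the admin)."""
    restart, manual = set(), []
    for pid, exe, stale in users:
        if not stale:
            continue  # already running the new library
        if exe in KNOWN_SERVICES:
            restart.add(KNOWN_SERVICES[exe])
        else:
            manual.append((pid, exe))
    return sorted(restart), manual


if __name__ == "__main__":
    services, unknown = restart_plan(openssl_users())
    for name in services:
        print(f"restart: {name}")
    for pid, exe in unknown:
        print(f"restart by hand: pid {pid} ({exe})")
```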



Re: Debians security features in comparison to Ubuntu

2014-05-18 Thread Lupe Christoph
On Sunday, 2014-05-18 at 14:46:21 +0200, Moritz Mühlenhoff wrote:

> Ubuntu only provides security support for the "main" and "restricted"
> archive sections: https://wiki.ubuntu.com/SecurityTeam/FAQ#Official_Support
> But since the "universe" section is enabled by default, you'll end up
> with a lot of unpatched security vulnerabilities on Ubuntu systems.

That must be why there are only 535 update packages for Trusty's Universe
(for 35524 packages) and 1371 updates for Precise's 29406 packages...

I admit that the numbers for multiverse are much lower (27 and 1), so
your point is valid as soon as you enable the multiverse (672 and 741
packages). I guess you wouldn't get a very capable Ubuntu system if you
disabled the Universe.

Here is a table:

Release | Section    | Packages | Security Updates
Precise | Main       |     8076 |             5407
Precise | Universe   |    29406 |             1371
Precise | Multiverse |      672 |               73
Trusty  | Main       |     8566 |              526
Trusty  | Universe   |    35524 |              266
Trusty  | Multiverse |      741 |               27

Numbers for Wheezy and Squeeze:

Release | Section  | Packages | Security Updates
Wheezy  | Main     |    35944 |             1193
Wheezy  | Non-free |      475 |                0
Wheezy  | Contrib  |      210 |                0
Squeeze | Main     |    28212 |             1777
Squeeze | Non-free |      403 |                0
Squeeze | Contrib  |      187 |                1

So by sheer numbers Ubuntu has the better security. But I'm the first to
admit that those numbers don't mean a lot except that somebody was
really busy building packages...

Lupe Christoph


Archive: https://lists.debian.org/20140518140522.ge22...@lupe-christoph.de



Re: [SECURITY] [DSA 2954-1] dovecot security update

2014-06-10 Thread Lupe Christoph
On Tuesday, 2014-06-10 at 08:14:50 -0400, Michael Stone wrote:
> On Tue, Jun 10, 2014 at 02:08:48PM +0200, Matus UHLAR - fantomas wrote:
> >I want to say that debian LTS team are volunteers, but they are not "other"
> >than debian security team, because some of them are in both teams.

> >afaik "other" would imply that people from LTS are not in the debian
> >security team, while "rather" would not.

> "rather" in context implies that the debian security team is paid
> "rather" than being volunteers. Saying "LTS consists of a different
> set of volunteers than the debian security team" conveys what you're
> trying to say, I think.

http://thesaurus.com/browse/rather%20than

Synonyms for rather than
adv alternatively

rather
alternative
preferably
on behalf of
alternately
as a substitute
in lieu
in place of
in preference
on second thought

Or, shorter, what he says ;-)
Lupe Christoph

PS: I love how this slides into set theory ;-)


Archive: https://lists.debian.org/20140610130343.gb30...@lupe-christoph.de



Re: [SECURITY] [DSA 3032-1] bash security update

2014-09-25 Thread Lupe Christoph
On Thursday, 2014-09-25 at 10:13:31 -0400, Michael Stone wrote:
> On Thu, Sep 25, 2014 at 10:54:38AM -0300, Henrique de Moraes Holschuh wrote:

> In general it's a good idea to have /bin/sh point to something other
> than bash. That's the default on current debian systems, but might
> not be the case on systems which were upgraded. Use
>   dpkg-reconfigure dash
> to change that. There are still cases where the login shell will
> come into play, but the biggest worms crawling around are leveraging
> /bin/sh.

I'd first check with ls -l /bin/sh. This is how it should look:
lrwxrwxrwx 1 root root 4 Mar  1  2012 /bin/sh -> dash

BTW, I wonder why this isn't done with the alternatives system. My guess
is that /bin/sh is so crucial for system operation and especially
update-alternatives that it can't.

Lupe Christoph


Archive: https://lists.debian.org/20140925143310.gg3...@lupe-christoph.de



Re: apache security issue (with upstream new release)

2003-10-31 Thread Lupe Christoph
Quoting Phillip Hofmeister <[EMAIL PROTECTED]>:

> I believe your justification can be found:

> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=218188

> I'm not saying I agree fully with it...but I do understand it...

Given that some of the affected directives can be used in .htaccess
files, the potential for an ordinary user to exploit this is there.
This allows access to the user the Apache work processes run as. Not
much, but depending on local setup, this can be harmful.

So I believe it should be fixed.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett   |



This message was sent using IMP, the Internet Messaging Program.



Re: passwd character limitations

2003-11-01 Thread Lupe Christoph
On Friday, 2003-10-31 at 18:41:20 -0500, Michael Stone wrote:
> >I'm looking for a list of characters that are not allowable (or that
> >cause problems) for passwords if any under a standard Debian GNU/Linux
> >install (using md5).  

> AFAIK, there aren't any. You may run into limitations in particular
> programs, but there shouldn't be any limits on the input to the hash
> function whose output is stored in the shadow file.[0]

> 0. With the obvious exception that C strings don't like null bytes. So
> try to avoid hitting the null key on your keyboard. :)

You forgot that a ':' as part of the encrypted password will cause
problems ;-)

Actually, MD5 passwords seem to be encoded with a quite restricted
character set. Alas, the manpages provide no information on this, only
on the encoding of crypt()ed passwords.

Perhaps you should file a bug against the passwd packages...

Reading /usr/share/perl5/Crypt/PasswdMD5.pm which claims to be "based on
the implementation found on FreeBSD 2.2.[56]-RELEASE", MD5 passwords
consist of the invariant string '$1$' and the encrypted password encoded
with the alphabet [./a-zA-Z]. This is similar to Base64 encoding, but
uses a different alphabet.

HTH,
Lupe Christoph



3.0r2 or hacked packages?

2003-11-25 Thread Lupe Christoph
Hi!

Last night my apt-get update ... picked up a number of unexpected
packages:

The following packages will be upgraded
  bsdutils console-data debianutils mount nano procmail procps util-linux util-linux-locales zlib1g zlib1g-dev
11 packages upgraded, 0 newly installed, 0 to remove and 0  not upgraded.
Need to get 2743kB of archives. After unpacking 96.3kB will be used.
Get:1 http://ftp.de.debian.org stable/main bsdutils 1:2.11n-7 [39.5kB]
Get:2 http://ftp.de.debian.org stable/main debianutils 1.16.2woody1 [32.9kB]
Get:3 http://ftp.de.debian.org stable/main mount 2.11n-7 [99.3kB]
Get:4 http://ftp.de.debian.org stable/main util-linux 2.11n-7 [330kB]
Get:5 http://ftp.de.debian.org stable/main console-data 1999.08.29-24.2 [869kB]
Get:6 http://ftp.de.debian.org stable/main nano 1.0.6-3 [184kB]
Get:7 http://ftp.de.debian.org stable/main procps 1:2.0.7-8.woody1 [145kB]
Get:8 http://ftp.de.debian.org stable/main procmail 3.22-5 [136kB]
Get:9 http://ftp.de.debian.org stable/main zlib1g-dev 1:1.1.4-1.0woody0 [218kB]
Get:10 http://ftp.de.debian.org stable/main zlib1g 1:1.1.4-1.0woody0 [44.1kB]
Get:11 http://ftp.de.debian.org stable/main util-linux-locales 2.11n-7 [646kB]

The packages are not from stable/updates but from stable/main. I'm
wondering if one of the people who cracked the servers managed to
smuggle something "interesting" into the archives.

Or is this just 3.0r2-to-be?

I'm always worried when I see updates for stable without an
announcement.

Please enlighten me. ;-)

Thanks!
Lupe Christoph

PS: I'd like to compare these packages to the installed versions. How
can I do that with the least amount of hassle?



Re: When will kernel-image-2.4.23 be available ?

2003-12-05 Thread Lupe Christoph
On Thursday, 2003-12-04 at 07:47:53 +0100, Matthias Faulstich wrote:

> Having the kernel-sources, knowledge about make-kpkg and a proper 
> working .config for a previous kernel is one thing, but having a debian 
> patched kernel (or kernel-sources) is a second. 
> E.g. cramfs for initrd still doesn't work with a 2.4.23 vanilla kernel.

Speaking of a patched Debian kernel. My machines are currently running
my own build based on kernel-source-2.4.20. I don't mind upgrading to a
later kernel.

BUT! Does anybody have a patch for the do_brk vuln on any kernel-source
package >= 2.4.20 as they are currently in the archives? I would like to
build a new kernel with the vuln patched ASAP, rather than wait for the
upload to reopen.

Thanks,
Lupe Christoph



Re: When will kernel-image-2.4.23 be available ?

2003-12-05 Thread Lupe Christoph
On Thursday, 2003-12-04 at 01:46:43 +0100, Bernd Eckenfels wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> > Nah, just look at /proc/cpuinfo, /proc/pci (or use lspci), dmesg, etc
> > It's almost all there for you. Not like the old days...

> lshw is fine for collecting the above information. If you need more
> detection try discover (Progeny) or Kudzu (Redhat) both available in debian.

Before I install Debian or when I need fine hardware detection
afterwards, I boot Knoppix on the system. IIRC that uses kudzu.

Selecting the right modules on new hardware you barely know is always a
challenge, so a Live CD Debian is very handy. I carry a Knoppix with me
at almost any time... And a Debian Stable CD 1.

Lupe Christoph



Re: When will kernel-image-2.4.23 be available ?

2003-12-05 Thread Lupe Christoph
Quoting Thomas Sjögren <[EMAIL PROTECTED]>:
> On Fri, Dec 05, 2003 at 08:08:46AM +0100, Lupe Christoph wrote:
> > BUT! Does anybody have a patch for the do_brk vuln on any kernel-source
> > package >= 2.4.20 as they are currently in the archives? I would like to
> > build a new kernel with the vuln patched ASAP, rather than wait for the
> > upload to reopen.

> http://linux.bkbits.net:8080/linux-2.4/diffs/mm/[EMAIL PROTECTED]

Thanks, Thomas! This is exactly what I needed.

Lupe Christoph






Re: extrange passwd behaviour

2003-12-05 Thread Lupe Christoph
Quoting Bernd Eckenfels <[EMAIL PROTECTED]>:
> In article <[EMAIL PROTECTED]> you wrote:
> > I've discovered that login, sudo, gdm only take care of the first 8
> > characters of the passwd.
 
> Don't know why and for which debian versions it is default, I have some mixed
> ones.

Why? Because it uses DES and DES uses 56 bit keys. Eight 7 bit chars
give you exactly 56 bits...

I've always wondered if the high bit does indeed make no difference.
Right now, I have only Solaris to try. ... Nope, the high bit is ignored
on Solaris. I'll have to try this at home tonight with Debian and
FreeBSD.

Lupe Christoph
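An added example, not code from these threads or from the passwd package, that checks /etc/shadow password fields against what crypt(3) can actually produce. It builds in the two points made above: the hash is encoded in the 64-character alphabet ./0-9A-Za-z, so a ':' can never appear inside it, and a traditional DES hash means only the first eight 7-bit characters (56 bits) of the password count, while an MD5 ($1$) hash has no such limit. The sample shadow lines in the comments are constructed, not real hashes.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not code from the threads or from the passwd package.
# The alphabet crypt(3) uses for DES and md5crypt output (also used by the
# $5$/$6$ sha-crypt schemes). ':' is not in it, which is what keeps the
# shadow file's field separator unambiguous.
HASH64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# identifier -> (scheme, length of the hash part, password chars that matter)
# DES: 56-bit key = eight 7-bit characters, everything after the 8th is ignored.
SCHEMES = {
    "": ("des", 11, 8),        # no $id$ prefix: 2-char salt + 11-char hash
    "1": ("md5crypt", 22, None),
    "5": ("sha256crypt", 43, None),
    "6": ("sha512crypt", 86, None),
}


@dataclass
class ShadowEntry:
    user: str
    scheme: str                 # "des", "md5crypt", ..., "empty" or "disabled"
    salt: str
    locked: bool                # "!" prefix or "*": password login is disabled
    effective_password_chars: Optional[int]   # 8 for DES, None = no limit


def parse_password_field(field: str):
    """Return (scheme, salt, locked, effective_chars); raise ValueError on bad format."""
    locked = field.startswith("!") or field == "*"
    body = field.lstrip("!")
    if body == "":
        # Empty field: no password is asked for at all (unless it was locked with "!").
        return "empty", "", locked, None
    if body == "*":
        return "disabled", "", True, None
    if body.startswith("$"):
        parts = body.split("$")            # ["", id, (rounds=N,)? salt, hash]
        if len(parts) < 4:
            raise ValueError(f"malformed modular crypt string: {field!r}")
        ident, salt, digest = parts[1], parts[-2], parts[-1]
    else:
        if len(body) != 13:
            raise ValueError(f"DES hash must be 13 characters: {field!r}")
        ident, salt, digest = "", body[:2], body[2:]
    if ident not in SCHEMES:
        raise ValueError(f"unknown hash identifier ${ident}$")
    scheme, digest_len, effective = SCHEMES[ident]
    bad = [c for c in salt + digest if c not in HASH64]
    if bad:
        raise ValueError(f"character {bad[0]!r} is not in the crypt alphabet")
    if len(digest) != digest_len:
        raise ValueError(f"{scheme} hash should be {digest_len} chars, got {len(digest)}")
    return scheme, salt, locked, effective


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one /etc/shadow line (9 colon-separated fields).

    Constructed sample: "alice:$1$saltsalt$qjXMvbEw8oaL.CzflDtaK/:12345:0:99999:7:::"
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        # A ':' inside the hash would land here, which is why the alphabet excludes it.
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    scheme, salt, locked, effective = parse_password_field(fields[1])
    return ShadowEntry(fields[0], scheme, salt, locked, effective)
```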






Re: extrange passwd behaviour

2003-12-06 Thread Lupe Christoph
On Friday, 2003-12-05 at 20:39:16 +0100, Bernd Eckenfels wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> >> Dont know why and for which debian versions it is default, I have some 
> >> mixed
> >> ones.

> > Why? Because it uses DES and DES uses 56 bit keys. Eight 7 bit chars
> > give you exactly 56 bits...

> *lol*

> I was talking about "I don't know why it is default to use insecure crypt() 
> instead of md5".

If you find it funny I misunderstood you ... I don't find it funny I
can't reply to you. Mail to your address bounces. :-P

> But I can think of something like "compatibility" (to what?) :)

Ever heard about X/Open and their Unix standards? I'd bet they specify
this in exceeding detail.

Lupe Christoph



Re: extrange passwd behaviour

2003-12-06 Thread Lupe Christoph
On Saturday, 2003-12-06 at 17:03:02 +0900, Hideki Yamane wrote:

> >I was talking about "I don't know why it is default to use insecure crypt() 
> >instead of md5".
> >But I can think of something like "compatibility" (to what?) :)

>  to ...maybe NIS ?

>  # if the reason why using crypt is NIS compatibility, people
>who use NIS systems are not so many, so I think it's better 
>that the default value is md5 than crypt.

Can't be NIS. NIS will transport any password style faithfully. Of
course the master server must support MD5 passwords if you change your
password and the passwd command sends an MD5 password to the
yppasswordd.

Lupe Christoph



Re: extrange passwd behaviour

2003-12-07 Thread Lupe Christoph
On Sunday, 2003-12-07 at 00:58:59 +0900, Hideki Yamane wrote:

> >Can't be NIS. NIS will transport any password style faithfully. Of
> >course the master server must support MD5 passwords if you change your
> >password and the passwd command sends an MD5 password to the
> >yppasswordd.

>  I've heard about non-Linux NIS client (for example, solaris8 and 
>  SFU - Windows Service for Unix) cannot use MD5 password for NIS. 
>  Is it not true?

Can't tell about Windows. But Solaris up to the most recent released
version (Solaris 9) can only use DES passwords. I believe I read that
Solaris 10 will add support for MD5.

FreeBSD supports MD5 passwords. So it's not non-Linux.

Lupe Christoph



Re: secure file permissions

2003-12-07 Thread Lupe Christoph
On Sunday, 2003-12-07 at 09:27:04 +0100, mi wrote:

> Can you tell me what are the default permissions for /etc/group and 
> /etc/passwd ?

> I restricted them to rw for root only, but some things like exim (and 
> possibly dpkg ?) seem to need read access there too.
> What's recommended?

You want to change them, so I guess you should know why.

BTW, try running ls as a user when /etc/group and /etc/passwd are 600.

Lupe Christoph



Re: aide, apt-get and remote management...

2003-12-12 Thread Lupe Christoph
Hello!

We don't use AIDE exclusively at a client site, but in combination
with Tripwire.  We think tripwire is a little more secure becuse it
uses signed databases. So we protect aide.db with Tripwire. AIDE is
used for the parts tripwire can't do because of it's limited
configurability.

Here is an AIDE policy we use at the client site:

=/root$ StaticDir
/root/.bash_history Databases
/root/.ncftp/prefs ConfFiles
/root/.ncftp/firewall ConfFiles
/root/.ncftp/prefs_v3 ConfFiles
/root/.ncftp Databases
/root/.razor/razor-agent.conf ConfFiles
/root/.razor/ Databases
/root/.spamassassin Databases
/root/.viminfo Databases
/root/ ConfFiles

/etc$ StaticDir
/etc/ntp.drift Databases
/etc/ ConfFiles

/dev$ StaticDir
/dev/ Databases
=/dev/pts$ StaticDir
!/dev/pts/

/var/run$ StaticDir
/var/run/ Databases

=/etc/tripwire$ R-tiger-rmd160-sha1
/etc/tripwire/pinot-local.key R
/etc/tripwire/site.key R
/etc/tripwire/tw.cfg R
/etc/tripwire/twcfg.txt R
/etc/tripwire/twpol.txt E+p+n+u+g
/etc/tripwire/tw.pol E+p+n+u+g
/etc/tripwire/tw.pol.bak E+p+n+u+g


This is the twpol.txt:

#
# Critical System Boot Files
# These files are critical to a correct system boot.
#
(
  rulename = "Critical system boot files",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
/boot        -> $(SEC_CRIT) ;
/lib/modules -> $(SEC_CRIT) ;
}
#
# Critical executables
#
(
  rulename = "Root file-system executables",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
/bin  -> $(SEC_BIN) ;
/sbin -> $(SEC_BIN) ;
}
#
# Critical Libraries
#
(
  rulename = "Root file-system libraries",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
/lib -> $(SEC_BIN) ;
}
#
# These files change every time the system boots
#
(
  rulename = "System boot changes",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
/var/lock -> $(SEC_CONFIG) ;
#   /var/run -> $(SEC_CONFIG) ; # daemon PIDs
#   /var/log -> $(SEC_CONFIG) ;
}
#
# Critical devices
#
(
  rulename = "Devices & Kernel information",
  severity = $(SIG_HI),
  emailto  = "tripwire-reports"
)
{
/dev -> $(Device) ;
!/dev/pts ;
#   /proc -> $(Device) ;
/proc/bus         -> $(Device) ;
/proc/cmdline     -> $(Device) ;
/proc/cpuinfo     -> $(Device) ;
/proc/devices     -> $(Device) ;
/proc/dma         -> $(Device) ;
/proc/driver      -> $(Device) ;
/proc/execdomains -> $(Device) ;
/proc/fb          -> $(Device) ;
/proc/filesystems -> $(Device) ;
/proc/fs          -> $(Device) ;
/proc/ide         -> $(Device) ;
/proc/interrupts  -> $(Device) ;
/proc/iomem       -> $(Device) ;
/proc/ioports     -> $(Device) ;
/proc/irq         -> $(Device) ;
/proc/kcore       -> $(Device) ;
/proc/kmsg        -> $(Device) ;
/proc/ksyms       -> $(Device) ;
/proc/loadavg     -> $(Device) ;
/proc/locks       -> $(Device) ;
/proc/mdstat      -> $(Device) ;
/proc/meminfo     -> $(Device) ;
/proc/misc        -> $(Device) ;
/proc/modules     -> $(Device) ;
/proc/mounts      -> $(Device) ;
/proc/mtrr        -> $(Device) ;
/proc/net         -> $(Device) ;
/proc/partitions  -> $(Device) ;
/proc/pci         -> $(Device) ;
/proc/self        -> $(Device) ;
/proc/slabinfo    -> $(Device) ;
/proc/stat        -> $(Device) ;
/proc/swaps       -> $(Device) ;
/proc/sys         -> $(Device) ;
/proc/sysvipc     -> $(Device) ;
/proc/tty         -> $(Device) ;
/proc/uptime      -> $(Device) ;
/proc/version     -> $(Device) ;
}
#
# Binaries
#
(
  rulename = "Other binaries",
  severity = $(SIG_MED),
  emailto  = "tripwire-reports"
)
{
/usr/local/sbin -> $(SEC_BIN) ;
/usr/local/bin  -> $(SEC_BIN) ;
/usr/sbin       -> $(SEC_BIN) ;
/usr/bin        -> $(SEC_BIN) ;
}
#
# Libraries
#
(
  rulename = "Other libraries",
  severity = $(SIG_MED),
  emailto  = "tripwire-reports"
)
{
/usr/local/lib -> $(SEC_BIN) ;
/usr/lib       -> $(SEC_BIN) ;
}
#
# Commonly accessed directories that should remain static with regards
# to owner and group
#
(
  rulename = "Invari

Re: aide, apt-get and remote management...

2003-12-14 Thread Lupe Christoph
On Friday, 2003-12-12 at 12:39:49 +0100, Adam ENDRODI wrote:
> On Fri, Dec 12, 2003 at 07:46:38AM +0100, Lupe Christoph wrote:

> > We don't use AIDE exclusively at a client site, but in combination
> > with Tripwire.  We think tripwire is a little more secure because it
> > uses signed databases.

> Perhaps the following ./configure options will prove themselves
> useful:
> --with-confighmactype=TYPE  Hash type to use for checking config.
>                             Valid values are md5 and sha1.
> --with-confighmackey=KEY    HMAC hash key to use for checking config.
>                             Must be a base64 encoded byte stream.
>                             Maximum string length is 31 chars.
> --with-dbhmactype=TYPE      Hash type to use for checking db.
>                             Valid values are md5 and sha1.
> --with-dbhmackey=KEY        HMAC hash key to use for checking db.
>                             Must be a base64 encoded byte stream.
>                             Maximum string length is 31 chars.
> --enable-forced_configmd    Forces the config to have checksum.
>                             Also disables --config-check
> --enable-forced_dbmd        Forces the file/pipe database's to have checksum.
>                             This will be the default in the next release.

Well, I went by what is said on the website 
http://www.cs.tut.fi/~rammer/aide.html

> Future plans
> ...
> o Encrypted and signed database

Before I start investigating this and spend a lot of time I don't have,
can you explain what Aide does when I use those configure options? BTW,
the Debian package does not use them. There is no bug filed about this.
Should we?

> bit,

That's a miss on my acronym cache. Please expand ;-)

Thanks,
Lupe Christoph



Content-Type in DSAs

2004-01-06 Thread Lupe Christoph
Hi!

When I recently read about problems with verifying the PGP signature of
DSAs, I realized that for most DSAs mutt does not automatically check
the signature.

Comparing the DSAs and reading how mutt recognizes a PGP signed message,
I found that only some DSAs from Martin Schulze have a Content-Type as mutt
wants it:

  Content-Type: application/pgp; format=text; x-action=sign

Newer ones from him and all others have this:

  Content-Type: text/plain; charset=us-ascii

Mutt *can* verify these, but only when told with (default) ESC P. And
this does not change the message, mutt will lose the info when it
leaves the mailbox.

I'm wondering if there is a *technical* reason for not using
application/pgp in DSAs. If there isn't, I would like to ask the
security group to use that in order to make MUAs like mutt verify their
signatures automatically.

Yes, I know about the procmail hack. And I will set it up now. But for
the sake of people like me before I started to investigate this, I still
wanted to ask this question.

Thank you for your patience,
Lupe Christoph



Re: Content-Type in DSAs

2004-01-07 Thread Lupe Christoph
On Tuesday, 2004-01-06 at 18:00:13 +0100, Adrian 'Dagurashibanipal' von Bidder wrote:
> Clinging to sanity, Alexander Neumann mumbled in his beard:
> > * Lupe Christoph <[EMAIL PROTECTED]> wrote:
> >> Comparing the DSAs and reading how mutt recognizes a PGP signed message,
> >> I found that only some DSAs from Martin Schulze have a Content-Type as mutt
> >> wants it:

> >>   Content-Type: application/pgp; format=text; x-action=sign

> > -> PGP/MIME

> No. PGP/MIME is multipart/signed on the top level, whatever the mime type of
> the message is in the first MIME part, and application/pgp-signature in the
> second MIME part.

> application/pgp is a never standardized text/plain variant of an inline
> signed message, with the main problem that some Mailers do not render it
> correctly (since they assume that unknown application/... is binary, not
> text).

Martin Schulze does not use application/pgp anymore. I found it only in
older DSAs sent by him.

I now understand why the text/plain format is used. For something as
important as DSAs, I would use that myself.

Thanks for your explanations, people!
Lupe Christoph



Re: tripwire .deb for Woody

2004-01-13 Thread Lupe Christoph
On Tuesday, 2004-01-13 at 13:34:18 +0100, Lupe Christoph wrote:

> Has anybody on this list managed to backport the tripwire package to
> Woody? I'm running into a strange problem where configure tries to
> locate an include file named "locale". Yes, without an suffix. I don't
> know much C++, but this does not seem normal to me. Plus, when I try to
> backport to Sarge, configure does not contain this test. The backport to
> Sarge fails in a different way, BTW.

Ha! I found that one out. First, the include file is OK. I found it on
my home machine. Second, compiling tripwire with g++ 2.95 does not work.
You need g++ 3.0. libstdc++3-dev contains that include file.

CXX=g++-3.0 CC=gcc-3.0 dpkg-buildpackage -rfakeroot -us -uc

CC=... is possibly not needed, but it's probably better to have the same
version of g++ and gcc in case it is needed.

I would submit this port and a few others to backports.org, but I'm not
a Debian Developer. Maybe I should aspire to become one ;-)

Lupe Christoph



tripwire .deb for Woody

2004-01-13 Thread Lupe Christoph
Hi!

Has anybody on this list managed to backport the tripwire package to
Woody? I'm running into a strange problem where configure tries to
locate an include file named "locale". Yes, without a suffix. I don't
know much C++, but this does not seem normal to me. Plus, when I try to
backport to Sarge, configure does not contain this test. The backport to
Sarge fails in a different way, BTW.

I could not find a tripwire*.deb with Google.

Please help!

Thanks,
Lupe Christoph



Re: aide, apt-get and remote management...

2004-01-19 Thread Lupe Christoph
On Sunday, 2004-01-18 at 13:22:27 -0800, Johannes Graumann wrote:
> Hello,

> Where are the options below from?
> I run aide 0.10, which is according to the sourceforge site the current
> one and it doesn't like it. Also as someone else mentioned:
> http://www.cs.tut.fi/~rammer/aide.html says "Future plans: ...
> Encrypted and signed database".

They are in the Debian source package. I haven't gotten around to
investigating how they work, though.

Lupe Christoph



Re: LKM

2004-01-27 Thread Lupe Christoph
On Monday, 2004-01-26 at 21:38:54 +0100, Yannick Roehlly wrote:
> Thiago Ribeiro <[EMAIL PROTECTED]> writes:

> > Hi, When I run tiger, I got the following error: NEW: --WARN--
> > [rootkit004f] Chkrootkit has detected a possible rootkit installation
> > NEW: Warning: Possible LKM Trojan installed But I already listed my
> > processes and found nothing...  What can this be?

> Are you running nautilus?

> Apparently, some of the nautilus processes are hidden (I don't know why)
> and thus make chkrootkit complain about possible LKM infection.

> Try a: $ chkrootkit -x lkm

chkrootkit has an impedance mismatch with ps. This has been discussed
before.

antalya:~# chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID 3: not in ps output
CWD 3: /
EXE 3: /
PID 4: not in ps output
CWD 4: /
EXE 4: /
PID 5: not in ps output
CWD 5: /
EXE 5: /
PID 6: not in ps output
CWD 6: /
EXE 6: /
You have 4 process hidden for ps command

ps -ef lists these:

root 0 1  0 Jan19 ? 00:00:00 [ksoftirqd_CPU0]
root 0 1  0 Jan19 ? 00:03:40 [kswapd]
root 0 1  0 Jan19 ? 00:00:00 [bdflush]
root 0 1  0 Jan19 ? 00:00:06 [kupdated]

So ps does not give chkrootkit a PID, but /proc has those processes.

Lupe Christoph
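An added example, not chkrootkit's chkproc and not code from the mail, of the /proc versus ps comparison that produces this warning, with the kernel-thread case separated out: a PID that exists in /proc with an empty cmdline and that ps does not list under its own number (ps printed 0 for kswapd and friends on the 2.4.23 box above) is reported apart from unlisted processes that do have a command line, which are the ones worth checking. The ps output and /proc entries in the comments are constructed.

```python
from pathlib import Path

# Added example, not chkproc and not code from the mail. Same comparison
# chkrootkit does (PIDs in /proc that ps does not print), but kernel threads
# are reported separately instead of being counted as hidden processes.


def pids_from_ps(ps_ef_output: str) -> set:
    """Collect the PID column (second field) of `ps -ef` output, header skipped.

    Constructed sample line: "root         0     1  0 Jan19 ?        00:03:40 [kswapd]"
    On the box in the mail, kernel threads came out with PID 0 like this.
    """
    pids = set()
    for line in ps_ef_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 8:
            pids.add(int(fields[1]))
    return pids


def classify_unlisted(proc_entries: dict, ps_pids: set):
    """Compare /proc against ps.

    proc_entries maps pid -> cmdline (content of /proc/PID/cmdline, NULs as spaces).
    Returns (kernel_threads, suspicious). A PID that ps does not list and that has an
    empty cmdline is what a kernel thread looks like, the benign case here. A PID that
    ps does not list but that does carry a command line is the one to look at.
    An empty cmdline alone is not proof of a kernel thread (a process can rewrite its
    own argv), so for anything doubtful also check whether /proc/PID/exe resolves.
    """
    kernel_threads, suspicious = [], []
    for pid, cmdline in sorted(proc_entries.items()):
        if pid in ps_pids:
            continue
        if cmdline.strip() == "":
            kernel_threads.append(pid)
        else:
            suspicious.append((pid, cmdline))
    return kernel_threads, suspicious


def read_proc_cmdlines(proc_root="/proc") -> dict:
    """Live helper: pid -> cmdline for every numeric directory under proc_root."""
    entries = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            raw = (entry / "cmdline").read_bytes()
        except OSError:
            continue  # process exited while we were scanning
        entries[int(entry.name)] = raw.replace(b"\0", b" ").decode(errors="replace").strip()
    return entries


if __name__ == "__main__":
    import subprocess
    ps = subprocess.run(["ps", "-ef"], capture_output=True, text=True, check=True).stdout
    threads, odd = classify_unlisted(read_proc_cmdlines(), pids_from_ps(ps))
    print(f"{len(threads)} kernel threads not listed under their PID by ps: {threads}")
    for pid, cmd in odd:
        print(f"PID {pid} not in ps output: {cmd}")
```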



Re: chrootkit and false LKM positive

2004-01-27 Thread Lupe Christoph
On Tuesday, 2004-01-27 at 12:19:41 +0100, Yannick Roehlly wrote:

> The false LKM positives seem to result from a bug in chkrootkit which is
> not aware of the new threading model of 2.6 kernel.

> See bug #222179.

Not exactly true. This is also in recent 2.4.x kernels. See my other
mail. I'm running 2.4.23.

Lupe Christoph



Re: security.debian.org

2004-02-10 Thread Lupe Christoph
On Monday, 2004-02-09 at 20:38:37 +, Neil McGovern wrote:
> On Mon, Feb 09, 2004 at 06:17:01PM +0100, Konstantin Filtschew wrote:
> > security.debian.org seems to be down

> [EMAIL PROTECTED]:~$ ping security.debian.org
> PING security.debian.org (130.89.175.33): 56 data bytes
> 64 bytes from 130.89.175.33: icmp_seq=0 ttl=51 time=68.8 ms
> 64 bytes from 130.89.175.33: icmp_seq=1 ttl=51 time=15.5 ms
> 64 bytes from 130.89.175.33: icmp_seq=2 ttl=51 time=15.0 ms
> 64 bytes from 130.89.175.33: icmp_seq=3 ttl=51 time=15.9 ms
> 64 bytes from 130.89.175.33: icmp_seq=4 ttl=51 time=15.5 ms

> --- security.debian.org ping statistics ---
> 5 packets transmitted, 5 packets received, 0% packet loss
> round-trip min/avg/max = 15.0/26.1/68.8 ms

When I received the mail, I immediately tried to ping it. No reply. I
still have the traceroute output from that time:

traceroute to security.debian.org (194.109.137.218), 30 hops max, 38 byte packets
 1  firewally (172.17.0.7)  0.313 ms  0.265 ms  0.294 ms
 2  217.5.98.173 (217.5.98.173)  41.572 ms  14.095 ms  16.924 ms
 3  217.237.157.90 (217.237.157.90)  43.417 ms  13.360 ms  13.235 ms
 4  m-ec1.M.DE.net.DTAG.DE (62.154.27.234)  43.712 ms  41.187 ms  13.722 ms
 5  zcr2-so-5-2-0.Munich.cw.net (208.175.230.49)  43.801 ms  80.418 ms  13.694 ms
 6  zcr1-ge-4-3-0.Munich.cw.net (208.175.230.253)  44.627 ms  14.025 ms  13.144 ms
 7  bcr2-so-0-3-0.Amsterdam.cw.net (208.173.209.149)  44.844 ms  41.744 ms  41.494 ms
 8  zcr2-so-1-0-0.Amsterdamamt.cw.net (208.173.209.198)  45.590 ms  40.869 ms  42.402 ms
 9  zar1-ge-0-3-0.Amsterdamamt.cw.net (208.173.220.131)  46.314 ms zar1-ge-1-3-0.Amsterdamamt.cw.net (208.173.220.147)  325.519 ms  45.989 ms
10  kpn.Amsterdamamt.cw.net (208.173.212.154)  48.013 ms  45.763 ms  39.773 ms
11  0.so-1-3-0.xr1.d12.xs4all.net (194.109.5.101)  49.062 ms  67.547 ms  41.748 ms
12  0.so-3-0-0.cr1.d12.xs4all.net (194.109.5.58)  47.961 ms *  46.106 ms
13  * * *
14  * * *

Now the traceroute goes like this:

traceroute to security.debian.org (130.89.175.33), 30 hops max, 38 byte packets
 1  firewally (172.17.0.7)  14.812 ms  0.293 ms  0.176 ms
 2  217.5.98.173 (217.5.98.173)  14.354 ms  15.059 ms  16.953 ms
 3  217.237.157.90 (217.237.157.90)  33.209 ms  12.916 ms  13.132 ms
 4  f-ea1.F.DE.net.DTAG.DE (62.154.18.22)  47.707 ms  44.256 ms  19.434 ms
 5  208.49.136.173 (208.49.136.173)  46.733 ms  17.878 ms  21.079 ms
 6  pos12-0-2488M.cr1.FRA2.gblx.net (67.17.74.149)  38.589 ms  89.690 ms  26.491 ms
 7  pos0-0-2488M.cr1.AMS2.gblx.net (67.17.64.90)  45.999 ms  39.470 ms  39.688 ms
 8  so0-0-0-2488M.ar1.AMS1.gblx.net (67.17.65.230)  46.996 ms  38.572 ms  39.662 ms
 9  SURFnet.ge-4-2-0.ar1.AMS1.gblx.net (67.17.162.206)  40.223 ms GigaSurf-Amsterdam.ge-2-1-0.ar1.AMS1.gblx.net (208.49.125.50)  39.632 ms  39.552 ms
10  P11-0.CR1.Amsterdam1.surf.net (145.145.166.33)  38.971 ms  71.401 ms  39.665 ms
11  PO1-0.CR2.Amsterdam1.surf.net (145.145.160.2)  39.699 ms  39.121 ms  39.690 ms
12  PO0-0.AR5.Enschede1.surf.net (145.145.163.14)  44.969 ms  44.032 ms  44.446 ms
13  utwente-router.Customer.surf.net (145.145.4.2)  44.232 ms  44.670 ms  43.218 ms
14  slagroom.snt.utwente.nl (130.89.175.33)  45.313 ms  82.717 ms  44.476 ms

You can see that this was probably not security.d.o being down, but some
router. The packets are taking a quite different path. Maybe U Twente
switched providers?

> Also see http://www.debian.org/News/2004/20040202

That's old news. The machine has been reactivated.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett   |



Re: Help! File permissions keep changing...

2004-02-18 Thread Lupe Christoph
Wow, this is so completely OT I like it...

On Wednesday, 2004-02-18 at 13:58:59 +0100, Ivan Brezina wrote:

> hmm, xargs does not use quotes when executing commands. This causes 
> problems with dirs with spaces in the name.
> If a user has a directory named "dummy root", he can easily get access to 
> the /root directory.

That's why GNU find and xargs have the options -print0 and -0,
respectively. Names in Unixish filesystems can't have NULs in them.

Stoopid(tm) example:
find "foo bar" -print0 | xargs -0 ls -ld

There, I made the thread even more offtopic! :-O

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett   |
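The "dummy root" problem is easy to reproduce in a sandbox. The following is an added example, not code from the original thread: it builds a throwaway tree with a decoy directory named root (standing in for /root) and a user home containing an attacker-chosen directory named "dummy root", then runs the plain find | xargs pipeline and the -print0 | xargs -0 pipeline against it with the sandbox as the current directory, as an admin running from / would. The user name mallory, the decoy and the chmod 700 "lock down the homes" task are constructed for the example; it needs a find and xargs that support -print0 and -0.

```python
"""Added example (not from the original thread): sandboxed reproduction of
the "dummy root" argument-splitting problem and its -print0/-0 fix.

A directory name containing a space is split into two arguments by a
plain find | xargs pipeline, so a command meant for home/ ends up
operating on an unrelated "root" in the current directory.
"""
import os
import shutil
import stat
import subprocess
import tempfile

UNSAFE = "find home -type d -print  | xargs    chmod 700"
SAFE   = "find home -type d -print0 | xargs -0 chmod 700"


def make_sandbox():
    """Create <tmp>/root (decoy for /root, mode 755) and a user home that
    contains an attacker-chosen directory named 'dummy root'."""
    sb = tempfile.mkdtemp(prefix="xargs-demo-")
    os.mkdir(os.path.join(sb, "root"))
    os.chmod(os.path.join(sb, "root"), 0o755)
    os.makedirs(os.path.join(sb, "home", "mallory", "dummy root"))
    return sb


def lock_down_homes(sandbox, pipeline):
    """Run the pipeline with cwd=sandbox and report the permission bits of
    the decoy and of the attacker's directory afterwards."""
    # The unsafe variant makes chmod complain about the nonexistent
    # "home/mallory/dummy"; that noise is irrelevant here.
    subprocess.run(["sh", "-c", pipeline], cwd=sandbox,
                   stderr=subprocess.DEVNULL)

    def mode(*parts):
        return stat.S_IMODE(os.stat(os.path.join(sandbox, *parts)).st_mode)

    return {"decoy_root": mode("root"),
            "dummy_root": mode("home", "mallory", "dummy root")}


def demo(pipeline):
    """Fresh sandbox per run so the two pipelines cannot influence each other."""
    sb = make_sandbox()
    try:
        return lock_down_homes(sb, pipeline)
    finally:
        shutil.rmtree(sb)


if __name__ == "__main__":
    u = demo(UNSAFE)
    s = demo(SAFE)
    print(f"unsafe: decoy root mode {u['decoy_root']:o}, 'dummy root' {u['dummy_root']:o}")
    print(f"safe:   decoy root mode {s['decoy_root']:o}, 'dummy root' {s['dummy_root']:o}")
```

With the plain pipeline the decoy root ends up at mode 700 and the attacker's own directory is left alone; with -print0 and -0 it is the other way round. The same splitting hits newlines and leading dashes in names, which is why NUL is the only safe separator.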



Re: Tripwire (clone) which would you prefer?

2004-02-23 Thread Lupe Christoph
On Monday, 2004-02-23 at 10:42:05 +0100, Jan Lühr wrote:

> well, I'm looking for an open source intrusion detection. At first, tripwire 
> captured my attention, but the last open source version seems to be three 
> years old - is it still in development or badly vulnerable?
> Then I searched for tripwire in the woody packages and found integrit and 
> bsign - so which would you prefer and why?
> Are there any other interesting projects that are worth looking at?

Stable != bad, ask the Debian project :-P

I'm using a combination of Tripwire and AIDE. Before I decided on that,
I did a survey of integrity checkers. I didn't find bsign then, but
integrit. At that time 3.00.05 was most current. It did not offer a
variety of hashes, only SHA1. It offered no database integrity like
Tripwire does (and seemingly AIDE now, too). In general it was one of
the better tools, but not as flexible and versatile as AIDE and
Tripwire.

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett   |
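The features weighed in the post above, a choice of hash, attribute checks and protection of the database itself, are the core of every tool in this family. The following is an added example, not Tripwire, AIDE or integrit code: a minimal integrity checker that records mode, owner, size, mtime and a SHA-256 digest for every entry under a root, seals the baseline with an HMAC so that an attacker who can rewrite files cannot also rewrite the database unnoticed, and reports added, removed and changed paths. The JSON layout, the FIM_KEY environment variable and the command-line interface are this example's own assumptions.

```python
"""Added example (not Tripwire, AIDE or integrit code): the core of a file
integrity checker with an HMAC-sealed baseline database.

Usage (names assumed for this example):
    FIM_KEY=... python fim.py /etc baseline.json     # first run: create
    FIM_KEY=... python fim.py /etc baseline.json     # later: report
"""
import hashlib
import hmac
import json
import os
import stat

DIGEST = "sha256"


def record(path):
    """Attributes worth alerting on for one filesystem entry (no symlink following)."""
    st = os.lstat(path)
    rec = {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid,
           "size": st.st_size, "mtime": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.new(DIGEST)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["hash"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def build_baseline(root):
    """Map of relative path -> record for every directory and file below root."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = record(full)
    return baseline


def seal(baseline, key):
    """Serialize the baseline canonically and attach an HMAC over it.
    The key must be kept off the monitored host (read-only media, another box),
    otherwise an intruder with root can re-seal a doctored database."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), DIGEST).hexdigest()
    return json.dumps({"baseline": body, "hmac": tag})


def unseal(blob, key):
    """Return the baseline, or raise ValueError if the database was modified."""
    outer = json.loads(blob)
    expected = hmac.new(key, outer["baseline"].encode(), DIGEST).hexdigest()
    if not hmac.compare_digest(expected, outer["hmac"]):
        raise ValueError("integrity database failed HMAC check")
    return json.loads(outer["baseline"])


def compare(old, new):
    """Classify every path present in either snapshot."""
    report = {"added": [], "removed": [], "changed": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["removed"].append(path)
        elif old[path] != new[path]:
            report["changed"].append(path)
    return report


if __name__ == "__main__":
    import sys
    root, dbfile = sys.argv[1], sys.argv[2]
    key = os.environ["FIM_KEY"].encode()
    if os.path.exists(dbfile):
        with open(dbfile) as f:
            old = unseal(f.read(), key)
        print(json.dumps(compare(old, build_baseline(root)), indent=1))
    else:
        with open(dbfile, "w") as f:
            f.write(seal(build_baseline(root), key))
```

Because a directory's mtime changes whenever an entry is added or removed, the parent directory usually shows up under "changed" alongside the added or removed file; that is expected and is what Tripwire's per-rule attribute masks exist to tune.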



Re: Slightly OT: Setting the primary NIC

2004-03-21 Thread Lupe Christoph
On Sunday, 2004-03-21 at 10:20:06 +0100, Sven Riedel wrote:

> I'm struggling with a problem on a multi-homed host running debian, and
> as the problem is somewhat security related, I hope you'll tolerate the
> question on this list :)

This isn't freebsd-security ;-)

> Anyway, the Host has an internal NIC and an external NIC (acting among
> other things as a firewall). For some reason, all services think the
> external NIC is the primary, and will try to bind to that/all requests
> from samba/cups etc have a source IP from the external NIC, which
> complicates the setups of the internal hosts.

Are you saying packets are being sent out of your internal interface with
the source address set to that of the external interface?!? That should
not happen.

Please supply the output of ifconfig -a and netstat -an.

> I've tried switching the order in which the modules for the NICs are
> loaded (eth0 became eth1 and vice versa), the order in which the NICs
> are activated with ifup and some other things, to no avail. I haven't
> found anything at the debian site wrt this problem either - all I can
> say is that the old distribution on the machine didn't have this
> problem (but that was the only saving grace of that distro). 

You are most definitely looking in the wrong place.

> Can anyone tell me how I can tell the machine which NIC is the primary?

There is no such thing as a primary NIC. Unless a daemon explicitly
binds a socket to a specific IP address and sends a packet through that
socket, the source IP address is set to that of the interface the packet
is sent on.

So you have a weird configuration for sure.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett   |



Re: Slightly OT: Setting the primary NIC

2004-03-21 Thread Lupe Christoph
On Sunday, 2004-03-21 at 03:17:45 -0800, Brandon High wrote:
> On Sun, Mar 21, 2004 at 11:58:00AM +0100, Lupe Christoph wrote:
> > > Can anyone tell me how I can tell the machine which NIC is the primary?
> > There is no such thing as a primary NIC. Unless a daemon explicitly
> > binds a socket to a specific IP address and send a packet through that

> Could it be that he means the NIC that the default route applies to?

> netstat -rn would show that.

I doubt that. He couldn't reach the other machines if the packets went
the default route.

Sven?

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett   |



Re: Woody Backport of tripwire

2004-04-23 Thread Lupe Christoph
On Thursday, 2004-04-22 at 20:32:42 -0400, Phillip Hofmeister wrote:
> Can anyone refer me to a woody backport of tripwire (or a version such
> as 2.3.1.2+)?

I recently did a backport, but it's not up for downloads. I could mail
it to you, or you can do it yourself from the package source. If you do
that, you will need to use
  CXX=g++-3.0 GCC=gcc-3.0 dpkg-buildpackage -rfakeroot -us -uc
(Or similar.) g++ 2.95 will not do.

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like   |
| covering yourself with barbecue sauce and breaking into the Charity|
| Home for Badgers with Rabies.Michael Lucas |



Re: Q: server monitoring

2004-04-30 Thread Lupe Christoph
On Thursday, 2004-04-29 at 21:46:33 +0200, Holger Eitzenberger wrote:

> can someone recommend a tool to monitor (hardware, network, ...)
> some linux servers, e. g. nagios (www.nagios.org)?  What
> other free tools are available?

I'm running mon for availability testing and Munin (was LRRD) for
performance monitoring.

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like   |
| covering yourself with barbecue sauce and breaking into the Charity|
| Home for Badgers with Rabies.Michael Lucas |



Re: apt-get update

2004-05-14 Thread Lupe Christoph
On Friday, 2004-05-14 at 11:52:58 +0200, [EMAIL PROTECTED] wrote:

> I have just made some changes in my firewall and now I am having problems
> with apt-get update because when connecting to 

> http://ftp2.de.debian.org 

> nothing happens and with netstat -lanp I see SYN/SENT and nothing more

You could just try with a browser, or do "telnet ftp2.de.debian.org 80"
to make sure it's nothing to do with apt-get. 

> Does anybody have the same problem ?? 

No answer for me, either.

> Is ftp2.de.debian.org down

It does not answer to pings, but you tried that, didn't you? And if you
did a traceroute, too, you must have seen that 195.71.13.76 is the last
replying hop. Or did you forbid ICMP Echo and traceroute for yourself in
your firewall?

Anyway. 195.71.13.76 belongs to mediaWays/Telefonica Deutschland GmbH.
And ftp2.de.debian.org (195.71.9.196) belongs to them, too. So you may
want to send mail to [EMAIL PROTECTED] to inquire.

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like   |
| covering yourself with barbecue sauce and breaking into the Charity|
| Home for Badgers with Rabies.Michael Lucas |



Re: Debian Security Support in Place

2005-07-09 Thread Lupe Christoph
> The security team will continue to support Debian GNU/Linux 3.0 alias
> woody until May 2006, or if the security support for the next release,
> codenamed etch, starts, whatever happens first.

This is equivalent to saying "We will rip security support for oldstable
from under your feet at any time just as we please".

This is not acceptable in a production environment. May 2006 is less
than a full year anyhow, which is very short for a production
environment.

I have several machines I cannot update before January 2006 because I
have a contract that keeps me busy fulltime for a different customer.
That contract may be prolonged.

Incidentally, that customer is using SLES 8 (SuSE Linux Enterprise
Server) and has no capacity to upgrade to SLES 9 for at least a year.
With SLES 8, this is not a problem because of the long support
timeframe. Which is exactly the reason they go with SLES rather than the
regular SuSE releases.

So in essence the announcement says "screw you, commercial customers".

Please don't do that. It makes promoting Debian awkward.

Thank you for your attention,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Ask not what your computer can do for you  |
| ask what you can do for your computer. |





Re: Debian Security Support in Place

2005-07-09 Thread Lupe Christoph
On Saturday, 2005-07-09 at 10:37:27 +0200, martin f krafft wrote:
> also sprach Lupe Christoph <[EMAIL PROTECTED]> [2005.07.09.1022 +0200]:
> > > The security team will continue to support Debian GNU/Linux 3.0
> > > alias woody until May 2006, or if the security support for the
> > > next release, codenamed etch, starts, whatever happens first.

> > This is equivalent to saying "We will rip security support for
> > oldstable from under your feet at any time just as we please".

> No, it's not. It's worded a little awkwardly, but herewith you get
> my promise that etch will not happen first. So May 2006 it is. You
> are welcome to get those companies to come up with funding to allow
> us to pay 1-2 people taking care of sarge after May 2006.

If I can get the customer who owns the Woody system to fund *me* for
upgrading them, I'll be glad...

> And if that is unacceptable to you: Ubuntu has announced a 5 year
> support plan for server systems:
>   http://www.ubuntulinux.org/UbuntuFoundation

Let's not discuss Ubuntu here, so I just say I'm running a Debian
Testing system, and that is running quite nicely without any "Testing
will be broken for the next few months". Having Unstable and Experimental
is a Very Good Thing.

I set up two servers with Testing even though I could not be sure when
fixes for security holes would come up. These have now migrated to Stable
because I used "sarge" rather than "testing" in /etc/apt/sources.list.
And they are updated when an applicable DSA comes out.

I'm very fond of the way Debian releasing works. Even when it works
slowly like with Sarge.

The Woody machines would not be running Debian if the project was
negligent in keeping Debian up to date. They needed backports to be kept
reasonably up to date, but even that speaks for Debian. Backports are
amazingly easy to do most of the time.

When the problems of the security team came to light, I was quite
astonished and I'm glad they have been resolved so fast. We couldn't do
without Joey, but that doesn't mean he should carry all the weight.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Ask not what your computer can do for you  |
| ask what you can do for your computer. |





Re: [SECURITY] [DSA 799-1] New webcalendar packages fix remote code execution

2005-09-05 Thread Lupe Christoph
On Monday, 2005-09-05 at 12:35:25 +0200, bernd wrote:
> As announced: the Debian security advisory for webcalendar

I think you meant to send that somewhere else...

Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in "Armageddon", 1998, about the Space Shuttle   |





Re: [SECURITY] [DSA 926-1] New ketm packages fix privilege escalation

2005-12-23 Thread Lupe Christoph
On Friday, 2005-12-23 at 17:32:50 +0100, [EMAIL PROTECTED] wrote:

> Hi, I'm on Christmas holiday and won't be back until Monday, 
> 2 January. 
> For installation matters, mail [EMAIL PROTECTED] or call pay&read at 
> 08-20 83 70

> Kind regards,
> David Ahlard

Yes, merry Christmas from me as well. And a successful new year.

You don't have to pay for reading this...

Jingle, you bells!
Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in "Armageddon", 1998, about the Space Shuttle   |





Still problems with sendmail updates in Stable (libsasl2)

2006-08-29 Thread Lupe Christoph
Hi!

I still have dependency problems with the sendmail update on Stable.
I only get libsasl2 2.1.19-1.5sarge1 from security.debian.org while
the sendmail-bin package depends on libsasl2 (>= 2.1.19.dfsg1).

When can one expect to be able to install the sendmail update?

Thank you,
Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in "Armageddon", 1998, about the Space Shuttle   |





Re: Still problems with sendmail updates in Stable (libsasl2)

2006-08-29 Thread Lupe Christoph
On Tuesday, 2006-08-29 at 09:06:46 +0200, Lupe Christoph wrote:

> I still have dependency problems with the sendmail update on Stable.
> I only get libsasl2 2.1.19-1.5sarge1 from security.debian.org while
> the sendmail-bin package depends on libsasl2 (>= 2.1.19.dfsg1).

> When can one expect to be able to install the sendmail update?

DSA-1155-2 must have slipped by me unnoticed. While I do not like
the method (I believe all required packages should be available from
security.debian.org), I will do as described. Fortunately only two of
my Debian machines run sendmail, while most use Postfix.

Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in "Armageddon", 1998, about the Space Shuttle   |





ClamAV is dead?!?

2006-10-09 Thread Lupe Christoph
This morning I found a number of complaints from freshclam in my
mailbox, culminating in the one below. Checking http://www.clamav.net/
revealed that the domain is down:



   [1]transIP
   clamav.net has been reserved for only EUR 10 at TransIP B.V.
   No website has been placed on this domain yet. Please try
   again later.
   [2]www.transip.nl
   colocation, web hosting and domain provider in the Netherlands
   Move or register right away
   ___[(All)] OK

References

   1. http://www.transip.nl/
   2. http://www.transip.nl/



Anybody know what is happening to ClamAV?

Lupe Christoph

- Forwarded message from Cron Daemon <[EMAIL PROTECTED]> -

From: Cron Daemon <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Mon,  9 Oct 2006 08:53:21 +0200 (CEST)
Subject: Cron <[EMAIL PROTECTED]> [ -x /usr/bin/freshclam ] && /usr/bin/freshclam >/dev/null
X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 

ERROR: Not a TXT record
ERROR: No servers could be reached. Giving up
ERROR: Not a TXT record
ERROR: No servers could be reached. Giving up
ERROR: Not a TXT record
ERROR: No servers could be reached. Giving up
ERROR: Not a TXT record
ERROR: No servers could be reached. Giving up
ERROR: Not a TXT record
ERROR: No servers could be reached. Giving up
ERROR: Not a TXT record
ERROR: No servers could be reached. Giving up

- End forwarded message -

-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in "Armageddon", 1998, about the Space Shuttle   |





Re: ClamAV is dead?!?

2006-10-09 Thread Lupe Christoph
On Monday, 2006-10-09 at 09:57:10 +0200, Evgeni Golov wrote:
> On Mon, 9 Oct 2006 09:42:14 +0200 Lupe Christoph wrote:

> > This morning I found a number of complaints from freshclam in my
> > mailbox, culminating in the one below. Checking http://www.clamav.net/
> > revealed that the domain is down:

> It isn't - works here.

It's back to working here now.

> > Anybody know what is happening to ClamAV?

> Maybe your local DNS is broken?

Nope. That was a real website that referred to clamav.net. You should
have looked at the message, Dutch or not: "clamav.net has been reserved
for only EUR 10 at TransIP B.V."

> ;; QUESTION SECTION:
> ;www.clamav.net.IN  A

> ;; ANSWER SECTION:
> www.clamav.net. 1106IN  CNAME   tad.clamav.net.
> tad.clamav.net. 3508IN  A   194.109.142.194

Same here. Somebody reacted fast. The website makes no mention of the
downtime, though.

Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in "Armageddon", 1998, about the Space Shuttle   |





Re: ClamAV is dead?!?

2006-10-09 Thread Lupe Christoph
On Monday, 2006-10-09 at 10:26:08 +0100, Daniel Cash wrote:

> I Think it depends where you come from.

> If I try to go directly I still get the "gereserveerd" holding page, but
> if I feed www.clamav.net into babelfish then it can see the real page.
> Perhaps high DNS machine is a little poisoned?

> Oh, I am trying to connect from London if that helps.

> I am sure when everything is refreshed in a couple of hours it will
> shake through fine.

It all depends on caching. The A record has a lifetime of about one
hour. So all caches should have expired by now. But if something does
not honor the TTL, you may see the interim address longer.

Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in "Armageddon", 1998, about the Space Shuttle   |





ProFTPD still vulnerable (Sarge)

2006-11-29 Thread Lupe Christoph
Hi!

On 23 November I updated the proftpd package on a Sarge machine that
regrettably has to have FTP open to the world. Soon after, somebody ran
many attempts to log in as 'Administrator'. These attempts ran again on
the 28th and again on the 29th.

On that day, they managed to make proftpd fall over:

Nov 29 03:35:54 somehost proftpd[9887]: connect from 210.64.51.245 (210.64.51.245)
Nov 29 03:36:15 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - FTP session opened.
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - no such user 'Administrator'
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - mod_delay/0.4: delaying for 1 usecs
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - mod_delay/0.4: delaying for 63 usecs
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - ProFTPD terminating (signal 11)
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - FTP session closed.

The attacks ceased before I noticed, so I was not able to capture a TCP
stream. I would just like to alert people that there is still some
vulnerability in the ProFTPD code that was not fixed by DSA-1218-1.

More if this happens again and I manage to run tcpdump in time.
Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in "Armageddon", 1998, about the Space Shuttle   |
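The excerpt above has a shape worth alerting on even without a packet capture: a proftpd child logs a failed login and, within the same second, dies on a signal. The following is an added example, not code from the original post, of detection logic for that pattern run over sample syslog lines. The first session is modelled on the lines quoted above; the two other sessions (a normal login from 192.0.2.10 and a plain password-guessing attempt from 198.51.100.7) are constructed for the example, as is the line format assumed by the regular expressions.

```python
"""Added example (not from the original post): flag proftpd sessions in
which a failed login is followed by the child dying on a signal.

Each inetd-spawned proftpd child logs under its own PID, so sessions are
grouped by PID. A new "connect from" line for a PID that already has a
session starts a new one, which keeps PID reuse from merging sessions.
"""
import re
from collections import defaultdict

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
                  r"proftpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"^connect from (?P<ip>\d+\.\d+\.\d+\.\d+)")
NO_USER = re.compile(r"no such user '(?P<user>[^']*)'")
SIGNAL = re.compile(r"ProFTPD terminating \(signal (?P<sig>\d+)\)")

# Constructed sample log. Session 9887 follows the excerpt quoted above;
# 9890 and 9895 are made up for contrast.
SAMPLE_LOG = [
    "Nov 29 03:35:54 somehost proftpd[9887]: connect from 210.64.51.245 (210.64.51.245)",
    "Nov 29 03:36:15 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - FTP session opened.",
    "Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - no such user 'Administrator'",
    "Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - mod_delay/0.4: delaying for 63 usecs",
    "Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - ProFTPD terminating (signal 11)",
    "Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - FTP session closed.",
    "Nov 29 03:40:02 somehost proftpd[9890]: connect from 192.0.2.10 (192.0.2.10)",
    "Nov 29 03:40:02 somehost proftpd[9890]: somehost.example.com (192.0.2.10[192.0.2.10]) - FTP session opened.",
    "Nov 29 03:40:03 somehost proftpd[9890]: somehost.example.com (192.0.2.10[192.0.2.10]) - USER alice: Login successful.",
    "Nov 29 03:41:10 somehost proftpd[9890]: somehost.example.com (192.0.2.10[192.0.2.10]) - FTP session closed.",
    "Nov 29 03:42:30 somehost proftpd[9895]: connect from 198.51.100.7 (198.51.100.7)",
    "Nov 29 03:42:31 somehost proftpd[9895]: somehost.example.com (198.51.100.7[198.51.100.7]) - no such user 'admin'",
    "Nov 29 03:42:35 somehost proftpd[9895]: somehost.example.com (198.51.100.7[198.51.100.7]) - FTP session closed.",
]


def analyze(lines):
    """Group log lines into per-child sessions keyed by (pid, connection number)."""
    sessions = {}
    seq = defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if CONNECT.match(msg):
            seq[pid] += 1
        key = (pid, seq[pid])
        s = sessions.setdefault(key, {"pid": pid, "ip": None, "failed_users": [],
                                      "signal": None, "start": m["ts"], "end": m["ts"]})
        s["end"] = m["ts"]
        c = CONNECT.match(msg)
        if c:
            s["ip"] = c["ip"]
        u = NO_USER.search(msg)
        if u:
            s["failed_users"].append(u["user"])
        g = SIGNAL.search(msg)
        if g:
            s["signal"] = int(g["sig"])
    return sessions


def crashed_after_failed_login(sessions):
    """Sessions where the child died on a signal after a login failure: the
    shape of a crash-inducing input rather than plain password guessing."""
    return [s for s in sessions.values()
            if s["signal"] is not None and s["failed_users"]]


def failed_logins_by_ip(sessions):
    """Failed-login counts per source, for the brute-force side of the picture."""
    counts = defaultdict(int)
    for s in sessions.values():
        if s["ip"] and s["failed_users"]:
            counts[s["ip"]] += len(s["failed_users"])
    return dict(counts)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for s in crashed_after_failed_login(found):
        print(f"ALERT pid {s['pid']} from {s['ip']}: users {s['failed_users']}, "
              f"died on signal {s['signal']} at {s['end']}")
    print("failed logins:", failed_logins_by_ip(found))
```

Feeding real syslog through analyze() and alerting on a non-empty crashed_after_failed_login() result is the point: a segfaulting child is the one symptom visible without the TCP stream, and it is worth a rule of its own rather than being buried among login failures.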





Re: ProFTPD still vulnerable (Sarge)

2006-11-30 Thread Lupe Christoph
OT: There seems to be something strange with your MUA. Look at this
header:

Cc: "Lupe Christoph"@murphy.debian.org,
" <[EMAIL PROTECTED]>"@murphy.debian.org

On Thursday, 2006-11-30 at 12:57:53 +0100, Stefan Fritsch wrote:

> > The attacks ceased before I noticed, so I was not able to capture a TCP
> > stream. I would just like to alert people that there is still some
> > vulnerability in the ProFTPD code that was not fixed by DSA-1218-1.

> yes, there are two open vulnerabilities in proftpd. A DSA should be in the
> works, but I don't know the current status.

Good to know. I found out in the meantime that this host does not need
to expose FTP to the world, and the hole has been plugged in the
firewall. Which also means that I will not be able to get more details
from this machine. I'd need to set up a honeypot.

> One is CVE-2006-5815 and the other is a mod_tls vulnerability without CVE
> id yet. AFAIK there is no exploit for sarge's 1.2.x for CVE-2006-5815 yet.
> So I would expect this to be the mod_tls vulnerability. Do you have
> mod_tls enabled? Try connecting to your server with telnet and enter FEAT
> and see whether it returns AUTH TLS.

Nope:

211-Features:
211-MDTM
211-REST STREAM
211-SIZE
211 End

> There is a thread about this at
> http://lists.alioth.debian.org/pipermail/secure-testing-team/2006-November/000972.html

CVE-2006-5815: "Buffer overflow in ProFTPD 1.3.0 and earlier, when
configured to use the CommandBufferSize directive ...". This directive
is not in the default Debian Config file, I believe, and it isn't in the
one on that machine.

I believe this is similar to 308313 or 301275. This ProFTPD is started
from inetd, so it's probably a matter of timing if the segfault occurs
or not. If that is the case, it's not even a DoS opportunity as each
connection gets a fresh proftpd process.

Thanks for your feedback.
Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in "Armageddon", 1998, about the Space Shuttle   |
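The FEAT check suggested above is quick to do by hand with telnet, but it is also easy to script across a fleet. The following is an added example, not code from the original thread: it parses an FTP FEAT reply in both the one-code-per-line form ProFTPD 1.2 produces (as in the reply quoted above) and the RFC 2389 form with space-indented continuation lines, and reports whether the server advertises AUTH TLS, which is the sign that mod_tls is active. probe() does the network round trip; parse_feat() works on captured text, so the decision logic can be checked offline. The second sample reply, with AUTH TLS, PBSZ and PROT, is constructed for the example.

```python
"""Added example (not from the original thread): does an FTP server
advertise AUTH TLS in its FEAT reply?

parse_reply() implements RFC 959 multi-line replies ("211-first",
continuation lines, "211 last"); parse_feat() extracts the feature
names; probe() runs the exchange against a live server.
"""
import socket


def parse_reply(text):
    """Return (code, [body lines]) for one FTP reply, stripping the code prefix."""
    lines = [l.rstrip("\r") for l in text.split("\n") if l.strip()]
    if not lines or len(lines[0]) < 3 or not lines[0][:3].isdigit():
        raise ValueError("not an FTP reply: %r" % text[:40])
    code = lines[0][:3]
    body = []
    for l in lines:
        if l.startswith(code + "-"):        # "211-MDTM" (ProFTPD 1.2 style)
            body.append(l[4:])
        elif l.startswith(code + " "):      # "211 End" terminates the reply
            body.append(l[4:])
            break
        else:                               # " MDTM" (RFC 2389 style)
            body.append(l.strip())
    return code, body


def parse_feat(text):
    """Feature names from a FEAT reply; empty set if FEAT is unsupported."""
    code, body = parse_reply(text)
    if code != "211" or len(body) < 2:
        return set()                        # e.g. "500 'FEAT': command not understood"
    return {f.strip().upper() for f in body[1:-1] if f.strip()}


def advertises_tls(features):
    """True if any AUTH feature names TLS or SSL ("AUTH TLS", "AUTH TLS;TLS-C;SSL;TLS-P;")."""
    return any(f.startswith("AUTH") and ("TLS" in f or "SSL" in f) for f in features)


def read_reply(rf):
    """Read one possibly multi-line reply from a buffered socket file."""
    first = rf.readline().decode("latin-1")
    lines = [first]
    code = first[:3]
    if first[3:4] == "-":
        while True:
            l = rf.readline().decode("latin-1")
            if not l:
                break
            lines.append(l)
            if l.startswith(code + " "):
                break
    return "".join(lines)


def probe(host, port=21, timeout=5.0):
    """Connect, swallow the greeting, send FEAT and return the feature set."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        rf = s.makefile("rb")
        read_reply(rf)                      # 220 greeting
        s.sendall(b"FEAT\r\n")
        features = parse_feat(read_reply(rf))
        s.sendall(b"QUIT\r\n")
        return features


if __name__ == "__main__":
    import sys
    feats = probe(sys.argv[1])
    print("AUTH TLS advertised" if advertises_tls(feats) else "no AUTH TLS",
          sorted(feats))
```

For the reply quoted above the result is the set MDTM, REST STREAM and SIZE with no AUTH TLS, which is what rules mod_tls out for that server.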





Re: ProFTPD still vulnerable (Sarge)

2006-11-30 Thread Lupe Christoph
On Thursday, 2006-11-30 at 13:49:44 +0100, Stefan Fritsch wrote:

> Oh, that's bad. You don't have ftps enabled explicitly either?

No, just plain ftp.

> This probably means that there is at least some exploit to DoS sarge's 1.2.x.

As I said, the FTP access from "outside" is disabled now.  So I can't
test without mod_delay, and can't check if this is distinct from the
effect described in 308313 and 301275. But I doubt that.

> >> There is a thread about this at
> >> http://lists.alioth.debian.org/pipermail/secure-testing-team/2006-November/000972.html

> > CVE-2006-5815: "Buffer overflow in ProFTPD 1.3.0 and earlier, when
> > configured to use the CommandBufferSize directive ...". This directive
> > is not in the default Debian Config file, I believe, and it isn't in the
> > one on that machine.

> This description is wrong. There was some confusion about what
> CVE-2006-5815 is. It is really about a flaw in sreplace(). There is more
> info about this confusion later in the thread above, e.g.
> http://lists.alioth.debian.org/pipermail/secure-testing-team/2006-November/000990.html
> or at
> http://bugs.proftpd.org/show_bug.cgi?id=2858

> The CommandBufferSize issue was fixed by DSA-1218-1.

CommandBufferSize isn't used, so it couldn't be that in any case.

Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in "Armageddon", 1998, about the Space Shuttle   |





Re: This is an very serious bug

2006-12-14 Thread Lupe Christoph
On Thursday, 2006-12-14 at 13:45:50 +0100, Sels, Roger wrote:

> Looking at the email address used I presume the bug in question is:
> blars.org is down; hinfo-update fails miserably as a result.
> See: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=402316

blars.org is down? That's good news! One of my servers was on his
extortion list. In fact, all IP addresses of that provider were. They
and I refused to pay.

Regarding this bug, it's normal that RBLs are taken down and then
blacklist the entire address space. I've had this happen with my RBL
checker every few months.

Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in "Armageddon", 1998, about the Space Shuttle   |





Re: Secure rsync setup

2006-12-18 Thread Lupe Christoph
On Monday, 2006-12-18 at 09:04:47 +0100, Frédéric VANNIÈRE wrote:

> You should look at scponly, it's a shell which only allows scp, sftp  
> and rsync in
> a very restricted chroot.
> It works well, I'm using it for the backup of more than 100 servers and  
> workstations.

If you want to use scponlyc (in chroot), you have to loopback-mount all
filesystems into the chroot you want to rsync. Since Linux does not
support read-only loopback mounts, this leaves them open not only for
reading but also for writing...

The way I did it some years ago was to dump and encrypt the filesystems,
writing the result into the chroot. You can use incremental dumps or use
find | cpio for incrementals (which I did).

Of course, you need enough space to keep an encrypted, compressed dump
of all filesystems...

HTH,
Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in "Armageddon", 1998, about the Space Shuttle   |





Re: Secure rsync setup, bind-mount ro

2006-12-18 Thread Lupe Christoph
On Monday, 2006-12-18 at 13:48:54 +0100, Dariush Pietrzak wrote:
> > filesystems into the chroot you want to rsync. Since Linux does not
> > support read-only loopback mounts, this leaves them open not only for
> > reading but also for writing...
>  It does support read-only bind mounts though.

Sorry, coming from a Solaris background, I tend to say loopback mounts
when I mean bind mounts. No, they are just an aliasing mechanism.

debian:~# uname -r
2.6.17-2-k7
debian:~# mount -o bind,ro /tmp /mnt
debian:~# touch /mnt/foo
debian:~# ls -l /mnt/foo
-rw-r--r-- 1 root root 0 2006-12-18 16:44 /mnt/foo
[EMAIL PROTECTED]::~$ touch /mnt/bar
[EMAIL PROTECTED]::~$ ls -l /mnt/bar
-rw-r--r-- 1 lupe lupe 0 2006-12-18 16:45 /mnt/bar

No cigar...
Lupe Christoph

PS: Linux loopback mounts *can* be ro.
PPS: It might be possible to mount the same device multiple times with
 different options (rw vs. ro). I never tried it, and I don't want to
 crash my machine now ;-)
-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in "Armageddon", 1998, about the Space Shuttle   |





Re: Secure rsync setup, bind-mount ro

2006-12-19 Thread Lupe Christoph
On Tuesday, 2006-12-19 at 08:47:32 +0100, Dariush Pietrzak wrote:
> On Mon, Dec 18, 2006 at 04:50:51PM +0100, Lupe Christoph wrote:
> > when I mean bind mounts. No, they are just an aliasing mechanism.
>  Nope, they're not:

Well, we are on a Debian mailing list, so I'd assume we talk about
Debian packages... But let me qualify my statement. "Bind mounts are
just an aliasing mechanism in default kernels as distributed with any
major distribution I looked at." Satisfied?

>  it's just that sometime in the past, someone took a shortcut and made
> bind-mounts ignore the options, and now it seems that no one can explain to
> Linus that that was an omission, and patches fixing that get thrown out
> because "no one would use that", and "that was linux behaviour for years 
> and no one complained yet".

The curse of backwards compatibility. Coming from somebody who routinely
breaks ABIs...

>  The patches were maintained as separate 'bind mount extensions/bme'
> project here: http://www.13thfloor.at/patches/
> and now they're part of vserver project, http://linux-vserver.org/

... and you filed a bug to have them included in the Debian kernel
builds? After first packaging them as a Debian kernel patch package? I
mean, VServer is too heavy to include in the default kernels.

Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in "Armageddon", 1998, about the Space Shuttle   |
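The two messages above show a kernel of 2006 vintage silently dropping the "ro" of "mount -o bind,ro". Since Linux 2.6.26 the stock kernel accepts a read-only bind mount, but only as a second step: bind first, then remount that mount point read-only. The script below is an added example written for this page, not code from the thread or from any of the patch sets mentioned in it. It performs the two-step mount, then checks the result two ways: by reading /proc/self/mountinfo and by attempting a write. The function names (bind_ro, mount_is_ro, verify_ro) are mine, and the mountinfo lines any test feeds in are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): a read-only bind mount the way
# kernels since 2.6.26 accept it, plus two checks that it took effect.
# bind_ro and verify_ro need root; the inspection helpers do not.
set -eu

# Bind SRC at DST, then flip that mount to read-only. The "ro" flag is
# ignored on the initial bind (the behaviour shown in the thread) and
# only takes effect as a per-mountpoint flag on a remount of the bind.
# util-linux >= 2.27 hides this by issuing the second call itself when
# given "mount -o bind,ro"; older mount(8) needs both steps spelled out.
bind_ro() {
    mount --bind "$1" "$2"
    mount -o remount,bind,ro "$2"
}

flag() { case ",$1," in *,ro,*) echo ro ;; *) echo rw ;; esac; }

# Given one /proc/self/mountinfo line, print "<per-mount> <superblock>",
# e.g. "ro rw": field 6 holds the vfsmount flags a read-only bind sets,
# while the options after the " - " separator belong to the superblock
# and stay rw because the underlying filesystem is still mounted rw.
mountinfo_state() {
    # shellcheck disable=SC2086
    set -- $1
    mnt=$6
    while [ "$1" != "-" ]; do shift; done   # skip the optional fields
    echo "$(flag "$mnt") $(flag "$4")"      # after "-": fstype source superopts
}

# 0 if DST is a mount point whose vfsmount is read-only. The optional
# second argument lets a test feed a constructed mountinfo file.
mount_is_ro() {
    line=$(awk -v mp="$1" '$5 == mp { print; exit }' "${2:-/proc/self/mountinfo}")
    [ -n "$line" ] && [ "$(mountinfo_state "$line" | cut -d' ' -f1)" = ro ]
}

# Do not trust flags alone: a write must actually fail.
verify_ro() {
    if touch "$1/.ro-probe" 2>/dev/null; then
        rm -f "$1/.ro-probe"
        echo "$1 is still writable" >&2
        return 1
    fi
    echo "$1 is read-only"
}

# usage: sh ro-bind.sh run SRC DST
if [ "${1-}" = run ]; then
    bind_ro "$2" "$3"
    mount_is_ro "$3" && verify_ro "$3"
fi
```

After a successful remount the mountinfo line for the bind reads "ro,..." in field 6 while the superblock options after the "-" still say "rw"; only the vfsmount is read-only, which is why the single "mount -o bind,ro" in the thread looked like it was ignored and why `mount` output alone is easy to misread. The write probe is the check that settles it.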





security.debian.org: MD5Sum mismatch

2007-08-17 Thread Lupe Christoph
Hi!

I can't apt-get update testing/updates main:

Failed to fetch 
http://security.debian.org/dists/testing/updates/main/binary-i386/Packages.bz2  
MD5Sum mismatch

The Release file has this MD5 sum:
 b6465c8fe5c1ecb2eb67d22100a78dd7 45569 main/binary-i386/Packages.bz2

The Packages.bz2 files from all three servers have the same, different
sum:
08acc34481f83825a7335fad039baeb4  Packages-128.31.0.36.bz2
08acc34481f83825a7335fad039baeb4  Packages-212.211.132.250.bz2
08acc34481f83825a7335fad039baeb4  Packages-212.211.132.32.bz2

(I have only checked one server for the Release file, so I'm only
assuming that the file is the same on all three servers.)

Is anybody capable of correcting this situation reading this list?

Thank you,
Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in "Armageddon", 1998, about the Space Shuttle   |





Re: security.debian.org: MD5Sum mismatch

2007-08-17 Thread Lupe Christoph
On Friday, 2007-08-17 at 12:12:38 +0200, Jonas Andradas wrote:

> how long have you noticed this mismatch?   I mean, an update on the mirror
> could be taking place, and the Packages.bz2 file not yet been updated...

> On 8/17/07, Lupe Christoph <[EMAIL PROTECTED]> wrote:

> > Failed to fetch
> > http://security.debian.org/dists/testing/updates/main/binary-i386/Packages.bz2
> >   MD5Sum
> > mismatch

You're right, this can be caused by an update. (I *wish* those updates
were atomic, but they probably aren't.) It's been like that since noon
local time yesterday:

/dists/testing/updates/main/binary-i386/Packages.bz2 16-Aug-2007 12:51
/dists/testing/updates/Release   16-Aug-2007 12:48

I don't know which timezone these servers run in.

Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in "Armageddon", 1998, about the Space Shuttle   |





Re: security.debian.org: MD5Sum mismatch

2007-08-17 Thread Lupe Christoph
On Friday, 2007-08-17 at 10:46:32 +, [EMAIL PROTECTED] wrote:
> On Fri, Aug 17, 2007 at 12:20:34PM +0200, Lupe Christoph wrote:

> > I *wish* those updates
> > were atomic, but they probably arent'.

> why not though ?

Because they involve a lot of files. You would have to use two areas
that contain alternating generations and switch the (http|ftp|rsync)
servers between them. Only that switch can be atomic.

Doing this would make the operation of the server a lot more complicated
and thus less robust.

Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in "Armageddon", 1998, about the Space Shuttle   |





Re: security.debian.org: MD5Sum mismatch

2007-08-18 Thread Lupe Christoph
On Friday, 2007-08-17 at 11:22:11 +0200, Lupe Christoph wrote:

> Failed to fetch 
> http://security.debian.org/dists/testing/updates/main/binary-i386/Packages.bz2
>   MD5Sum mismatch

> (I have only checked one server for the Release file, so I'm only
> assuming that the file is the same on all three servers.)

I should have:

Release-128.31.0.36:     b6465c8fe5c1ecb2eb67d22100a78dd7 45569 main/binary-i386/Packages.bz2
Release-212.211.132.250: 08acc34481f83825a7335fad039baeb4 45591 main/binary-i386/Packages.bz2
Release-212.211.132.32:  08acc34481f83825a7335fad039baeb4 45591 main/binary-i386/Packages.bz2

08acc34481f83825a7335fad039baeb4  Packages-128.31.0.36.bz2
08acc34481f83825a7335fad039baeb4  Packages-212.211.132.250.bz2
08acc34481f83825a7335fad039baeb4  Packages-212.211.132.32.bz2

128.31.0.36 aka steffani.debian.org is out of step. Please resync.

Lupe Christoph
-- 
| The whole aim of practical politics is to keep the populace alarmed|
| (and hence clamorous to be led to safety) by menacing it with an   |
| endless series of hobgoblins, all of them imaginary.   |
| H. L. Mencken, "In Defense of Women", 1918 |
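The thread above resolves the "MD5Sum mismatch" by fetching Release and Packages.bz2 from each mirror address separately and comparing the hash the Release file records with the hash of the index the same mirror serves, which is what singles out the mirror that is out of step (or, as discussed earlier in the thread, caught in the middle of a non-atomic update, in which case a second run a little later agrees again). The script below is an added example written for this page, not code from the thread or from apt. It parses the Release file format (one block per digest header, lines of "hash size path"), hashes the fetched index, and reports per mirror. The mirror addresses, suite and index path are the ones quoted in the thread; the function names are mine and the Release contents any test feeds in are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check the index an APT mirror
# serves against the Release file the same mirror serves, one mirror at
# a time, so an out-of-step mirror is named instead of apt-get's generic
# "MD5Sum mismatch".
set -eu

# Print the digest a Release file records for an index path. Release
# files carry one block per digest ("MD5Sum:", "SHA256:"), every line
# in a block being "<hash> <size> <path>". Args: RELEASE DIGEST_HEADER PATH
release_hash() {
    awk -v want="$2" -v path="$3" '
        /^[A-Za-z0-9]+:/ { in_block = ($1 == want); next }   # any header line
        in_block && $3 == path { print $1; exit }
    ' "$1"
}

# Digest of the index file actually fetched. Args: DIGEST_HEADER FILE
local_hash() {
    case $1 in
        MD5Sum:) set -- md5sum "$2" ;;
        SHA256:) set -- sha256sum "$2" ;;
        *) echo "unsupported digest: $1" >&2; return 2 ;;
    esac
    "$@" | cut -d' ' -f1
}

# Compare the two. Args: LABEL RELEASE INDEX PATH [DIGEST_HEADER]
# Returns 0 when consistent, 1 when out of step, 2 when PATH is not listed.
release_check() {
    label=$1 release=$2 index=$3 path=$4 digest=${5:-MD5Sum:}
    expected=$(release_hash "$release" "$digest" "$path")
    if [ -z "$expected" ]; then
        echo "$label: $path not listed under $digest" >&2
        return 2
    fi
    actual=$(local_hash "$digest" "$index")
    if [ "$expected" = "$actual" ]; then
        echo "$label: consistent ($actual)"
    else
        echo "$label: OUT OF STEP: Release says $expected, index is $actual"
        return 1
    fi
}

# Fetch both files from one mirror by IP while keeping the Host header
# the mirror expects, then compare. Args: IP SUITE PATH
check_mirror() {
    ip=$1 suite=$2 path=$3 host=security.debian.org
    curl -sS --resolve "$host:80:$ip" -o "Release-$ip" "http://$host/dists/$suite/Release"
    curl -sS --resolve "$host:80:$ip" -o "Packages-$ip.bz2" "http://$host/dists/$suite/$path"
    release_check "$ip" "Release-$ip" "Packages-$ip.bz2" "$path"
}

# usage: sh release-check.sh run 128.31.0.36 212.211.132.250 212.211.132.32
if [ "${1-}" = run ]; then
    shift; rc=0
    for ip; do
        check_mirror "$ip" testing/updates main/binary-i386/Packages.bz2 || rc=1
    done
    exit "$rc"
fi
```

MD5 is used here because it is what the 2007 thread compared; a current Release file also carries an SHA256 block, and passing "SHA256:" as the fifth argument checks that instead. Verifying the Release file's own signature (InRelease or Release.gpg) is a separate step this script does not do; it only answers "does this mirror's index match this mirror's Release".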





Re: Security support incomplete? (was: Re: [SECURITY] [DSA 3455-1] curl security update)

2016-02-02 Thread Lupe Christoph
On Tuesday, 2016-02-02 at 17:14:42 +0100, Yves-Alexis Perez wrote:
> On mar., 2016-02-02 at 17:37 +0200, Wolfgang Jeltsch wrote:
> > Can anyone please clarify? In particular, I would like to know what the
> > exact policies regarding coverage of security support are, and what
> > issues have not been fixed intentionally in oldstable (and maybe even
> > stable).

> Everything is in the tracker.

This is three-fold: the DSA does not mention oldstable at all, the DSA
does not link to the tracker, and the text in the tracker page does not
really justify the decision to leave oldstable unfixed "Too intrusive
to backport". What?!? The link with that text points to a page that does
nothing to explain the decision.

Lupe Christoph
-- 
| As everyone knows, it was predicted that the world would end last   |
| Wednesday at 10:00 PST.  Since there appears to be a world in existence |
| now, the entire universe must therefore have been recreated, complete   |
| with an apparent "history", last *Thursday*.  QED.  |
| Seanna Watson, <1992nov2.165142.11...@bcrka451.bnr.ca>  |



Re: [SECURITY] [DSA 3481-1] glibc security update

2016-02-17 Thread Lupe Christoph
On Wednesday, 2016-02-17 at 10:58:01 +0100, Jan Lühr wrote:

> Am 02/16/2016 um 03:18 PM schrieb Salvatore Bonaccorso:

> > CVE-2015-7547
> > The Google Security Team and Red Hat discovered that the glibc

> Comparing the age (2015-07) and the severity: Can you give some details
> on the situation? Why was the bug fixed so late?

Read this:
https://googleonlinesecurity.blogspot.de/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
and this:
https://sourceware.org/bugzilla/show_bug.cgi?id=18665

> Which parties influenced the release date?

The submitter of the Bugzilla ticket who did not provide example code.
Gap between 2015-08-22 14:59:40 UTC and 2016-02-16 14:11:42 UTC.

HTH,
Lupe Christoph
-- 
| As everyone knows, it was predicted that the world would end last   |
| Wednesday at 10:00 PST.  Since there appears to be a world in existence |
| now, the entire universe must therefore have been recreated, complete   |
| with an apparent "history", last *Thursday*.  QED.  |
| Seanna Watson, <1992nov2.165142.11...@bcrka451.bnr.ca>  |



Re: "Ian Murdock" Death

2016-07-16 Thread Lupe Christoph
On Saturday, 2016-07-16 at 05:34:52 -0700, Kyle Lussier wrote:

> CONFIDENTIAL

> Melvin - 

> I appreciate your response, however this issue is very
> serious.

> Please answer all of the questions accurately, as I have
> requested in a clear, unambiguous, and ethical manner.

No wonder "The coroner and related PD have not responded".

Lupe Christoph
-- 
| As everyone knows, it was predicted that the world would end last   |
| Wednesday at 10:00 PST.  Since there appears to be a world in existence |
| now, the entire universe must therefore have been recreated, complete   |
| with an apparent "history", last *Thursday*.  QED.  |
| Seanna Watson, <1992nov2.165142.11...@bcrka451.bnr.ca>  |



Re: Certificate errors with security.debian.org

2017-01-15 Thread Lupe Christoph
On Sunday, 2017-01-15 at 07:40:40 +0100, Scrap wrote:
> Are you sure the URL is correct? If I try to connect to
> https://security.debian.org/ from Chrome I receive: "ERR_CONNECTION_REFUSED".
> If I try without https I'm redirected to https://www.debian.org/security/ and
> this site has a trusted certificate.

$ telnet -4 -z ssl -z debug security.debian.org 443
Trying 212.211.132.32...
Trying 212.211.132.250...
Trying 195.20.242.89...
telnet: Unable to connect to remote host: Connection refused

I have no IPv6 internet access, so I can't try that.

HTH,
Lupe Christoph
-- 
| As everyone knows, it was predicted that the world would end last   |
| Wednesday at 10:00 PST.  Since there appears to be a world in existence |
| now, the entire universe must therefore have been recreated, complete   |
| with an apparent "history", last *Thursday*.  QED.  |
| Seanna Watson, <1992nov2.165142.11...@bcrka451.bnr.ca>  |



Re: Some Debian package upgrades are corrupting rsync "quick check" backups

2017-01-28 Thread Lupe Christoph
On Saturday, 2017-01-28 at 14:51:19 +, Holger Levsen wrote:
> On Sat, Jan 28, 2017 at 03:04:56PM +0100, Daniel Reichelt wrote:
> > I highly suspect this stems from packages' rules files supporting
> > reproducible builds.

> I rather think this is due to binNMUs not modifying debian/changelog…
> (in the source package while it's modified in the binary packages…)

This is completely counterintuitive. I'm using rsnapshot to back up a
few private machines. I will have to set up separate rsnapshots for
those parts of the backup that suffer from this , to avoid
bogging down the data parts by unnecessary checksum calculations.

This problem may affect many other backups too. Did anybody research
backup programs before this  was introduced to Debian?

The servers are all Debian, except for my home router which is running
OpenWRT. But for curiosity, does anybody know if Ubuntu is using the
same , or are they doing the usual, i.e. not follow Debian?

Thanks,
Lupe Christoph
-- 
| As everyone knows, it was predicted that the world would end last   |
| Wednesday at 10:00 PST.  Since there appears to be a world in existence |
| now, the entire universe must therefore have been recreated, complete   |
| with an apparent "history", last *Thursday*.  QED.  |
| Seanna Watson, <1992nov2.165142.11...@bcrka451.bnr.ca>  |
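The failure mode in the thread above is a file whose bytes changed in an upgrade while its size and mtime did not, which rsync's default quick check (equal size and mtime means unchanged) skips, leaving the backup stale. The script below is an added example written for this page, not code from the thread, rsync or rsnapshot. It reimplements the quick check for one file pair, walks two trees to list the files the quick check would skip although their contents differ, and builds a constructed case to show it. The function names are mine and the data in demo and in any test is made up.

```shell
#!/bin/sh
# Added example, not from the thread: why a backup driven by rsync's
# default quick check (equal size and mtime => skip) misses a file whose
# bytes changed but whose size and mtime did not, and the content check
# (what rsync --checksum does) that catches it. Works on any two trees,
# e.g. a root filesystem and its rsnapshot copy.
set -eu

size_of() { wc -c < "$1" | tr -d ' '; }

# rsync's quick check for one file pair: 0 if the pair would be skipped
# as unchanged (same size, neither side's mtime newer than the other's).
quick_check_same() {
    [ "$(size_of "$1")" -eq "$(size_of "$2")" ] &&
    ! [ "$1" -nt "$2" ] && ! [ "$2" -nt "$1" ]
}

# Files under SRC that the quick check would skip although their bytes
# differ from the copy under DST, printed as paths relative to SRC.
# These are exactly the files a plain rsync run leaves stale.
stale_despite_quick_check() {
    src=$1 dst=$2
    ( cd "$src" && find . -type f ) | while read -r rel; do
        [ -f "$dst/$rel" ] || continue
        if quick_check_same "$src/$rel" "$dst/$rel" &&
           ! cmp -s "$src/$rel" "$dst/$rel"; then
            printf '%s\n' "${rel#./}"
        fi
    done
}

# Demonstration on constructed data: a library rewritten with the same
# length and its old mtime restored, the way a same-size rebuild lands.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/src/usr/lib" "$t/dst/usr/lib"
    printf 'build 1\n' > "$t/src/usr/lib/libfoo.so.1"
    cp -p "$t/src/usr/lib/libfoo.so.1" "$t/dst/usr/lib/libfoo.so.1"   # first backup run
    printf 'build 2\n' > "$t/src/usr/lib/libfoo.so.1"                 # same size, new bytes
    touch -r "$t/dst/usr/lib/libfoo.so.1" "$t/src/usr/lib/libfoo.so.1" # mtime unchanged
    stale_despite_quick_check "$t/src" "$t/dst"                        # usr/lib/libfoo.so.1
    rm -rf "$t"
}

if [ "${1-}" = demo ]; then demo; fi
```

Running stale_despite_quick_check over a live tree and its snapshot is the audit; the fix is to make rsync compare content for the affected parts, i.e. `rsync -c` (`--checksum`), which in rsnapshot terms means a separate configuration whose rsync_long_args carries `--checksum`, so that only the package-managed directories pay for the checksum pass and the bulk data keeps the cheap quick check.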



Re: sysadmin in training

2023-05-12 Thread Lupe Christoph
On Friday, 2023-05-12 at 21:48:55 -0400, Michael Lazin wrote:
> The thing that caught my eye is disabling execution for /tmp.  I
> managed thousands of Debian servers at one time and I often found hacker
> scripts in ./tmp because of a Wordpress exploit.  This is because /tmp is
> world writable and presumably people who don't know better are unlikely to
> look for bad scripts there.  While I agree pulling third scripts with curl
> is cringe-worthy I think Ossec HIDS is an exception because it is GNU
> Public licensed.

Because of a bug in the current version of Nitrokey's App 2 I became
aware that the /tmp on the machine I tested that app on was set to
default, i.e. rw,noatime. I set it to rw,nosuid,nodev,noexec,noatime
only to find out that the app did some dirty tricks to run that did not
work anymore with those mount options. See my ticket on Github:
https://github.com/Nitrokey/nitrokey-app2/issues/54#issuecomment-1525455482

The problem is pyinstaller.

Which means that using a secure /tmp prevents this from working. I did
not check if pyinstaller respects TMPDIR or some such ENV variable. But
in the general case, one can't rely on this for every braindead
installer.

HTH,
Lupe Christoph

PS: BTW, just because something is GPLed does not mean it's trustworthy.
-- 
| Never attribute to malice that which is adequately explained by stupidity.   |
| Hanlon's razor   |
| Never attribute to malice that which can adequately be explained by awarding |
| every job to the lowest bidder.  |
| From The Daily WTF https://thedailywtf.com/articles/thanks   |
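The message above runs into the standard trade-off of a nosuid,nodev,noexec /tmp: an installer that unpacks a bundle into the temp directory and executes from there stops working. The script below is an added example written for this page, not code from the thread, from Nitrokey or from pyinstaller. It determines which mount a directory lives on and whether that mount is noexec, then runs such an installer with TMPDIR pointed at an exec-capable scratch directory for that one process, rather than loosening /tmp for everybody. That pyinstaller bundles honour TMPDIR is an assumption made here, not something the message confirms; check it against the bootloader of the version you actually run. The function names and the candidate directory list are mine, and the mountinfo contents any test feeds in are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: tell which mount a directory lives
# on and whether that mount is noexec, then run an installer that unpacks
# into the temp directory with TMPDIR redirected to an exec-capable
# scratch directory instead of remounting /tmp exec. That the installer
# honours TMPDIR is assumed here; verify it for the one you run.
set -eu

# Per-mount options (field 6 of /proc/self/mountinfo) of the mount that
# holds DIR: the longest mount point that is a prefix of DIR's canonical
# path, so /tmp/x resolves to /tmp but /tmpfoo does not. The optional
# second argument lets a test feed a constructed mountinfo file.
mount_opts_for() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || dir=$1
    awk -v p="$dir" '
        {
            mp = $5
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) > best) { best = length(mp); opts = $6 }
        }
        END { print opts }
    ' "${2:-/proc/self/mountinfo}"
}

# 0 if the mount holding DIR carries noexec, 1 otherwise.
mount_is_noexec() {
    case ",$(mount_opts_for "$1" "${2:-/proc/self/mountinfo}")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# First candidate that exists, is writable and is not on a noexec mount.
# The candidate list is a guess for a workstation; adjust it to taste.
exec_capable_tmpdir() {
    for d in "${XDG_RUNTIME_DIR:-}" "${HOME:-}/.cache/tmp" /var/tmp; do
        [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ] || continue
        if mount_is_noexec "$d"; then continue; fi
        printf '%s\n' "$d"
        return 0
    done
    return 1
}

# Run a command with the temp directory redirected for that process only,
# e.g.: run_with_exec_tmpdir ./some-pyinstaller-bundle
run_with_exec_tmpdir() {
    tmp=$(exec_capable_tmpdir) || { echo "no exec-capable scratch directory found" >&2; return 1; }
    TMPDIR=$tmp TEMP=$tmp TMP=$tmp "$@"
}

# usage: sh tmpcheck.sh check /tmp   -> options of the mount and a verdict
if [ "${1-}" = check ]; then
    echo "$2: $(mount_opts_for "$2")"
    if mount_is_noexec "$2"; then echo "noexec"; else echo "exec allowed"; fi
fi
```

The longest-prefix lookup matters because /tmp is not always its own mount: on a box where it is just a directory on the root filesystem the answer comes from the "/" line, and a naive exact match on field 5 would report nothing. Keeping the redirect per process (environment on the command line) leaves the hardened /tmp in place for every other program, which is the point of mounting it that way.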


