Re: Possible security violation in the suck-package?

2002-12-06 Thread Martin Helas

* Marcus Frings <[EMAIL PROTECTED]> [021207 00:52]:
> Hello,
> 
> I just migrated from leafnode to inn + suck on my Debian Woody box.
> After installing suck I think I have discovered a possible security
> violation. /etc/suck/get-news.conf is installed as root:root with
> default file permissions 644. This means that $WORLD can read passwords
> from this file which are stored there to get access to the upstream
> newsserver.
right.

> IIRC /usr/sbin/get-news has to be run as user "news" and not as "root"
> thus the script won't work if I change the permissions of get-news.conf
> to 600 or 640. Or am I completely wrong and get-news should be started
> as "root"? Anyway, 644 as default for files which store passwords is
> pretty weird in my opinion.
> Any comments concerning this are very welcome.
I would agree giving anyone else the possibility of reading the passwords of
your upstream newsserver won't be a good idea :)

That should be definitely fixed.

regards

Martin


-- 
|
|   Martin Helas [EMAIL PROTECTED]
|PGP: 1474 4CAC EF5C ECFA E29E  2CB1 7929 AB90 F7AC 3AF0
|



Re: Possible security violation in the suck-package?

2002-12-07 Thread Martin Helas

* Marcus Frings <[EMAIL PROTECTED]> [021208 01:32]:
> Martin Helas wrote:
>   
> > I would agree giving anyone else the possibility of reading the passwords of
> > your upstream newsserver won't be a good idea :)
> > That should be definitely fixed.
> 
> Thanks for your answer. As Javi suggested I have informed the Debian
> security team. A bug report for suck will be generated in some
> minutes... :-)
> 

I have already reported a bug and filed a patch against it.
Look at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=172126

greetings
Martin

-- 
|----
|   Martin Helas [EMAIL PROTECTED]
|PGP: 1474 4CAC EF5C ECFA E29E  2CB1 7929 AB90 F7AC 3AF0
|



Re: Kernel 2.4 ioperm

2003-05-22 Thread Martin Helas
On Thu May 22, 2003 at 10:1621 +0100, Simon Huggins <[EMAIL PROTECTED]> wrote:
> On Thu, May 22, 2003 at 01:50:51PM -0600, xbud wrote:
> > FYI, http://marc.theaimsgroup.com/?l=linux-kernel&m=105271679705571&w=2
> 
> You say 2.4 in the subject and it says 2.5 in that report.
> 
> Is 2.4 vulnerable too?
Yes, but it's fixed in 2.4.21-rc3 already ;)

cu
Martin


-- 
|--------
|   Martin Helas [EMAIL PROTECTED]
|PGP: 1474 4CAC EF5C ECFA E29E  2CB1 7929 AB90 F7AC 3AF0
|



Re: [mdz@debian.org: [SECURITY] [DSA-340-1] New x-face-el packages fix insecure temporary file creation]

2003-07-08 Thread Martin Helas
On Mon Jul 07, 2003 at 03:1321 +, Tom Goulet (UID0) <[EMAIL PROTECTED]> wrote:
> 
> The signature is bad at my end, and my end usually works so it looks
> like something mangled your message.

For me too, I also get a bad signature.
Something definitely went wrong.

Greetings

Martin




-- 
|--------
|   Martin Helas [EMAIL PROTECTED]
|PGP: 1474 4CAC EF5C ECFA E29E  2CB1 7929 AB90 F7AC 3AF0
|




Re: Looking for a simple SSL-CA package

2003-08-21 Thread Martin Helas
On Thu Aug 21, 2003 at 12:5630 +0200, Tarjei Huse <[EMAIL PROTECTED]> wrote:
> Hi,
> 
> I'm no expert on handling certificates and I hope I don't have to learn 
> all the command-line switches of openssl by heart. However, I do need a 
> simple setup of a CA that I may use for creating self-signed 
> certificates, web pages that clients may use to import the certificates 
> and also a way to organize certificate revocation lists etc.
> 
> What are the alternatives besides OpenCA? Does anyone know of a set of 
> scripts that are a bit less complex and at the same time give me some of 
> the same functionality?
> 
> Tarjei

Try TinyCA. It's a small tcl/tk frontend to openssl.

deb http://www.scholler.net/debian ./

Greetings
Martin


-- 
  Regards,| Debian GNU / / _  _  _  _  _ __  __
  .   |   / /__  / / / \// //_// \ \/ /
  Martin Helas|  // /_/ /_/\/ /___/  /_/\_\
  mailto:[EMAIL PROTECTED] | because reboots are for hardware upgrades.



Re: unsubscribe

2004-01-06 Thread Martin Helas
Hi Listreaders,

I just found exim(3)'s config file in woody is installed with 0644 file
permissions by default. This might be okay for a standard installation, but
might that not raise a security bug as soon as you use either
 - client-side authentication and have to insert the password there
   somewhere?
 - another backend than /etc/passwd or similar? For example, getting
   e-mail addresses from LDAP or any other database needs some password to
   connect to it.

Might it not be more secure to install /etc/exim/exim.conf 0640 with root:mail
file permissions?

I am not sure about that, so I did not open a bug at the BTS yet.

Please give me advice.

-- 
  Regards,| Debian GNU / / _  _  _  _  _ __  __
  .   |   / /__  / / / \// //_// \ \/ /
  Martin Helas|  // /_/ /_/\/ /___/  /_/\_\
  mailto:[EMAIL PROTECTED] | because reboots are for hardware upgrades.
  PGP-Fingerprint:  1474 4CAC EF5C ECFA E29E  2CB1 7929 AB90 F7AC 3AF




exim.conf file permmission (was: Re: unsubscribe)

2004-01-06 Thread Martin Helas
On Wed Jan 07, 2004 at 02:0411 +0100, Martin Helas <[EMAIL PROTECTED]> wrote:
> [...]

Oops, wrong subject, sorry about that.


-- 
  Regards,| Debian GNU / / _  _  _  _  _ __  __
  .   |   / /__  / / / \// //_// \ \/ /
  Martin Helas|  // /_/ /_/\/ /___/  /_/\_\
  mailto:[EMAIL PROTECTED] | because reboots are for hardware upgrades.
  PGP-Fingerprint:  1474 4CAC EF5C ECFA E29E  2CB1 7929 AB90 F7AC 3AF




exim.conf file permmission

2004-01-06 Thread Martin Helas
Hi Listreaders,

Sorry for the double post, but after accidentally writing my prior email with
the wrong subject, and someone noting (by PM) that some of you might drop mails
with an 'unsubscribe' subject, I am reposting my message.

Here is what I wrote:

I just found exim(3)'s config file in woody is installed with 0644 file
permissions by default. This might be okay for a standard installation, but
might that not raise a security bug as soon as you use either
 - client-side authentication and have to insert the password there
   somewhere?
 - another backend than /etc/passwd or similar? For example, getting
   e-mail addresses from LDAP or any other database needs some password to
   connect to it.

Might it not be more secure to install /etc/exim/exim.conf 0640 with root:mail
file permissions?

I am not sure about that, so I did not open a bug at the BTS yet.

Please give me advice.

-- 
  Regards,| Debian GNU / / _  _  _  _  _ __  __
  .   |   / /__  / / / \// //_// \ \/ /
  Martin Helas|  // /_/ /_/\/ /___/  /_/\_\
  mailto:[EMAIL PROTECTED] | because reboots are for hardware upgrades.
  PGP-Fingerprint:  1474 4CAC EF5C ECFA E29E  2CB1 7929 AB90 F7AC 3AF
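A check for the permission problem raised in the suck and exim.conf posts above, added here as an example and not taken from the thread or from either package: it audits a credential-holding config file against the owner/group/0640 policy the posts discuss and applies that fix. It assumes GNU stat (the -c format) on a Linux box; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: audit a config file that carries
# credentials (suck's /etc/suck/get-news.conf, exim's /etc/exim/exim.conf)
# against the policy discussed above: owned by root, group-owned by the
# daemon's group (news or mail), at most 0640 so $WORLD cannot read it.
# Assumes GNU stat (-c format); plain POSIX sh otherwise, so no 'local'.

# check_secret_file FILE OWNER GROUP
# Returns 0 if FILE matches the policy, 1 if it leaks, 2 if unreadable.
check_secret_file() {
    file=$1 want_owner=$2 want_group=$3
    if [ ! -f "$file" ]; then
        echo "$file: missing"
        return 2
    fi
    mode=$(stat -c %a "$file") || return 2   # e.g. 644
    owner=$(stat -c %U "$file")
    group=$(stat -c %G "$file")
    other=${mode#"${mode%?}"}                # last octal digit: others
    rest=${mode%?}
    grp=${rest#"${rest%?}"}                  # digit before it: group
    status=0
    if [ "$other" != 0 ]; then
        echo "$file: mode $mode grants access to everyone"
        status=1
    fi
    case $grp in
        0|4) ;;   # group may at most read
        *) echo "$file: mode $mode lets group $group write or execute"
           status=1 ;;
    esac
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "$file: owned by $owner:$group, expected $want_owner:$want_group"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "$file: ok ($owner:$group $mode)"
    return "$status"
}

# fix_secret_file FILE OWNER GROUP
# The fix proposed in the thread: root:<daemon group> and 0640, so the
# daemon user (news, mail) still reads it through the group while
# $WORLD does not. Needs root when OWNER/GROUP are not your own.
fix_secret_file() {
    chown "$2:$3" "$1" && chmod 0640 "$1"
}

# Usage, as root:
#   check_secret_file /etc/suck/get-news.conf root news || \
#       fix_secret_file /etc/suck/get-news.conf root news
```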




Re: Infrastructer back online?

2004-01-07 Thread Martin Helas
On Wed Jan 07, 2004 at 06:5432 -0800, Matt Zimmerman <[EMAIL PROTECTED]> wrote:
> On Wed, Jan 07, 2004 at 10:35:30PM +0100, Jan L??hr wrote:
> 
> > noticing the increasing amount of secure-adv I'd like to ask whether the 
> > build daemons are back or whether another issue is increasing the amount of 
> > advs rapidly.
> 
> Everything is working again.

What about p.d.o?

-- 
  Regards,| Debian GNU / / _  _  _  _  _ __  __
  .   |       / /__  / / / \// //_// \ \/ /
  Martin Helas|  // /_/ /_/\/ /___/  /_/\_\
  mailto:[EMAIL PROTECTED] | because reboots are for hardware upgrades.
  PGP-Fingerprint:  1474 4CAC EF5C ECFA E29E  2CB1 7929 AB90 F7AC 3AF




Re: Mirroring security.debian.org for internal use

2004-01-16 Thread Martin Helas
On Thu Jan 15, 2004 at 12:1545 -0800, Hans Baume <[EMAIL PROTECTED]> wrote:
> Like some others who have mentioned this in the past, I would like 
> to mirror security.debian.org for internal use due to the large 
> number of Debian boxes at my company and the inconsistent access
> to the important updates residing on that server.
> 
> Ideally, I'd like to set up cron to rsync the updates every so often 
> but can't seem to find a way to achieve this.  Does anyone have any tips
> on how to do it?
> 
> TIA,
> 
> /H
> 
> PS: Yes, I've already tested apt-cacher ;->

ftp2.de.debian.org
non-us.debian.org

to mention only two.

They are both located in Europe, but I didn't look in the US.

-- 
  Regards,| Debian GNU / / _  _  _  _  _ __  __
  .       |   / /__  / / / \// //_// \ \/ /
  Martin Helas|  // /_/ /_/\/ /___/  /_/\_\
  mailto:[EMAIL PROTECTED] | because reboots are for hardware upgrades.
  PGP-Fingerprint:  1474 4CAC EF5C ECFA E29E  2CB1 7929 AB90 F7AC 3AF


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]


