Re: [SECURITY] [DSA 3431-2] ganeti regression update
On Fri, 2016-01-15 at 11:05, Milan Mogin wrote:
> please unsubscribe me

Go to https://lists.debian.org/debian-security-announce/ where you can
unsubscribe yourself. Detailed info about Debian mailing lists can be
found at: https://www.debian.org/MailingLists

> On 15/01/2016 10:53 a.m., Salvatore Bonaccorso wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > - -------------------------------------------------------------------------
> > Debian Security Advisory DSA-3431-2                   secur...@debian.org
> > https://www.debian.org/security/                     Salvatore Bonaccorso
> > January 14, 2016                        https://www.debian.org/security/faq
> > - -------------------------------------------------------------------------
> [...]
Re: finding a process that binds a specific port
On Wed, 2014-01-22 at 13:37, Nico Angenon wrote:
> the same... no output

Maybe you can be lucky with:

  ss -ulp

But, if you are really hacked it would be better to shut down the
machine, move the disk to a clean machine and try some forensic tools.

> -----Message d'origine-----
> From: Andika Triwidada
> Sent: Wednesday, January 22, 2014 1:33 PM
> To: Nico Angenon
> Cc: debian security
> Subject: Re: finding a process that binds a specific port
>
> On Wed, Jan 22, 2014 at 7:20 PM, Nico Angenon <n...@creaweb.fr> wrote:
> > Hello, I think I've been hacked on one of my boxes...
> > I try to find which process binds a specific port:
> >
> >   # netstat -anpe | grep udp
> >   udp    0    0 0.0.0.0:10001    0.0.0.0:*    0    5950269    -
> >
> > but
> >
> >   # lsof | grep 10001
> >
> > doesn't show me anything
>
> lsof -i -n | grep 10001

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20140122124234.ga17...@arvanta.net
Re: finding a process that binds a specific port
On Wed, 2014-01-22 at 14:26, Nico Angenon wrote:
> Files /tmp/a and /tmp/b give me the same number list...
> I'll format the box, it'll go faster...

True! But if there is a vulnerability (security hole) in your system
it's just a question of time until you'll have this situation again.

> -----Message d'origine-----
> From: Matias Mucciolo
> Sent: Wednesday, January 22, 2014 2:14 PM
> To: debian-security@lists.debian.org
> Cc: Nico Angenon
> Subject: Re: finding a process that binds a specific port
>
> You can try something like:
>
>   cd /proc/
>   ls -d1 [0-9]* | sort -n > /tmp/a
>   ps ax -o pid | grep [0-9] | tr -d ' ' | sort -n > /tmp/b
>
> and check which pid exists in the /proc dir but not in ps. Example on
> my box:
>
>   ..
>   4615   4615
>   4624   4624
>   4647   4647
>   4702 | 4704
>   4703 | 4705
>        | 4706
>        | 4707
>
> in my case I have a difference but it is because of the grep/etc pid
>
> --
> Matias
>
> On Wednesday, January 22, 2014 10:01:09 AM Nico Angenon wrote:
> > Same: No output...
> >
> > Nico
> >
> > -----Message d'origine-----
> > From: johan A. van Zanten
> > Sent: Wednesday, January 22, 2014 1:56 PM
> > To: n...@creaweb.fr
> > Cc: debian-security@lists.debian.org
> > Subject: Re: finding a process that binds a specific port
> >
> > Nico Angenon <n...@creaweb.fr> wrote:
> > > nope... never used this service... Still looking for an
> > > explanation, trying chkrootkit and rkhunter right now
> >
> > Try fuser:
> >
> >   fuser -n udp 10001
> >
> > -johan
> >
> > Archive: http://lists.debian.org/7FDB49F9BD694384B75B034AE72A5825@NicoPC
>
> Archive: http://lists.debian.org/201401221014.14815.mmucci...@suteba.org.ar
>
> Archive: http://lists.debian.org/2982F3BBF0F24EE283ACDB8DF366C387@NicoPC

--
Kind regards, Milan
--
Arvanta, http://www.arvanta.net
Please do not send me e-mail containing HTML code or documents in
proprietary format (word, excel, pps and so on)

Archive: http://lists.debian.org/20140122135637.ga18...@arvanta.net
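The two checks this thread converges on, mapping a listening UDP socket back to a PID through /proc and diffing the PIDs visible in /proc against what ps reports, as one added Python example. This is not code from the thread or from any Debian package; the /proc/net/udp sample is constructed to match the netstat line quoted above (0.0.0.0:10001, inode 5950269), and the PID lists used to exercise the diff are made up. Run as a script it reads the live /proc, which only works on Linux and needs root to see other users' fd directories.

```python
"""Map a listening UDP port to its owning process via /proc, and spot PIDs
that exist in /proc but not in ps output. Added example; Linux only."""
import os
import subprocess

# Constructed sample of /proc/net/udp. The first socket mirrors the netstat
# line quoted in the thread: 0.0.0.0:10001 (0x2711), inode 5950269. The
# second one (127.0.0.1:53, inode 12345) is made up.
SAMPLE_PROC_NET_UDP = """\
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  123: 00000000:2711 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5950269 2 ffff88003a1b2c00 0
  456: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 ffff88003a1b2d00 0
"""


def parse_proc_net_udp(text):
    """Return [(local_ip, local_port, inode), ...] from /proc/net/udp text.

    The kernel prints the IPv4 address as 8 hex digits in host byte order
    (little-endian on x86) and the port as 4 big-endian hex digits; the
    inode is the 10th whitespace-separated field.
    """
    sockets = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        addr_hex, port_hex = fields[1].split(":")
        octets = [int(addr_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
        ip = ".".join(str(o) for o in octets)
        sockets.append((ip, int(port_hex, 16), int(fields[9])))
    return sockets


def proc_pids(proc_root="/proc"):
    """PIDs according to the /proc directory listing."""
    return sorted(int(d) for d in os.listdir(proc_root) if d.isdigit())


def ps_pids():
    """PIDs according to ps(1); a userland rootkit may filter this view."""
    out = subprocess.run(["ps", "ax", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return sorted(int(p) for p in out.split())


def hidden_pids(proc_list, ps_list):
    """PIDs present in /proc but absent from the ps listing."""
    return sorted(set(proc_list) - set(ps_list))


def find_pids_for_inode(inode, proc_root="/proc"):
    """PIDs holding socket:[inode] open, found by reading /proc/<pid>/fd/*.

    Reading another user's fd directory needs root; unreadable entries are
    skipped. Kernel-owned sockets (NFS, for instance) have no fd anywhere.
    """
    target = "socket:[%d]" % inode
    owners = []
    for pid in proc_pids(proc_root):
        fd_dir = os.path.join(proc_root, str(pid), "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    owners.append(pid)
                    break
            except OSError:
                continue
    return owners


def udp_port_owners(port, proc_root="/proc"):
    """{inode: [pids]} for every UDP socket bound to `port` on the live system."""
    with open(os.path.join(proc_root, "net", "udp")) as f:
        text = f.read()
    return {inode: find_pids_for_inode(inode, proc_root)
            for _ip, p, inode in parse_proc_net_udp(text) if p == port}


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 10001
    for inode, pids in udp_port_owners(port).items():
        print("udp port %d inode %d -> pids %s"
              % (port, inode, pids or "none (kernel socket or hidden)"))
    print("in /proc but not in ps:", hidden_pids(proc_pids(), ps_pids()))
```

A socket that appears in /proc/net/udp but in no /proc/*/fd is either kernel-owned (kernel sockets have no file descriptor, which is also why netstat prints "-" for them) or hidden from the caller; a PID present in /proc but not in ps either exited between the two snapshots (re-run to rule that out) or is being filtered, for instance by an LD_PRELOAD hook in the libraries ps loads. Both checks go through the running kernel, so a kernel-level rootkit can lie to them as well, which is the point made above about moving the disk to a clean machine.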
Re: NSA software in Debian
On Wed, 2014-01-22 at 15:01, Marko Randjelovic wrote:
> On Sun, 19 Jan 2014 21:17:03 -0800
> Andrew Merenbach <and...@merenbach.com> wrote:
> > I just decided to try this out the other day on my Wheezy 7.3 install.
> > It wasn't that painful and I haven't noticed any performance impact or
> > misbehaving (read: broken) programs, at least not yet. Then again, I
> > haven't done real benchmarks.
>
> Yes, most features don't make a significant performance impact.
>
> > It appears that this patch is available in the apt repos under the
> > kernel section (sensibly enough) as:
> >
> >   linux-patch-grsecurity2
> >
> > Once it's downloaded, it patches the kernel in an automated fashion and
> > doesn't force a reboot (although I believe you still need one to make
> > it effective, I suppose).
>
> AFAIK, it's for kernel 3.2.21, I don't see how it could work with the
> Wheezy kernel - 3.2.51. I found it a lot easier to go with a vanilla
> kernel and the grsec/pax patch instead of using Debian kernels.
>
> > That said, since it's a kernel patch, /caveat emptor/... your mileage
> > may vary.

And maybe some prefer to customize the options for the patch being
applied. ;)

--
Kind regards, Milan

Archive: http://lists.debian.org/20140122140839.gb18...@arvanta.net
Re: New rootkit targetting Debian squeeze (amd64 only)
On Fri, 2012-11-23 at 02:22, Jordon Bedwell wrote:
> On Fri, Nov 23, 2012 at 12:31 AM, Mike Mestnik
> <cheako+debian-secur...@mikemestnik.net> wrote:
> > On 11/22/12 11:33, Laurentiu Pancescu wrote:
> > > More likely: a vulnerability in their web service (some form of
> > > execution of attacker-provided code), combined with a local privilege
> > > elevation exploit (the Linux kernel had quite many such bugs, some
> > > are probably yet undiscovered).
> >
> > I find it interesting that the rootkit was written or customized
> > specifically for squeeze. I think this was a test of greater things to
> > come.
>
> I would assume (mostly because to me it's ignorant not to assume this)
> that the author of the malware might have built it to target his
> preferred OS first and then would have expanded it later. It's much
> easier to build small and then work to greater things than to build big
> and possibly fail.

Two days passed and no one says anything about the infection vector.
Expect gibberish babble about Russian hackers.

To me, it looks like some 'unknown entity' spread FUD about Linux and
especially Debian.

--
Kind regards, Milan

Archive: http://lists.debian.org/20121123121425.ga27...@arvanta.net
Re: New rootkit targetting Debian squeeze (amd64 only)
On Thu, 2012-11-22 at 12:32, Laurentiu Pancescu wrote:
> http://blog.crowdstrike.com/2012/11/http-iframe-injecting-linux-rootkit.html

Nothing about the infection vector, so it is a non-issue, probably.

Yes, root can be fooled into installing it from some third party module
or even DKMS, but root shouldn't do such things without carefully
checking everything about third party modules.

--
Kind regards, Milan

Archive: http://lists.debian.org/20121122131343.ga11...@arvanta.net
Re: idea: switch default MTA from exim4 to postfix (wheezy+1)
On Thu, 2012-11-01 at 22:48, Hideki Yamane wrote:
> Hi,
>
> Now we are using Exim as default MTA, but I doubt whether it'd be the
> best choice since several critical security vulnerabilities have been
> found these two or three years. Yes, it's often that such a
> vulnerability has been found for software (of course), however, other
> MTAs like postfix have fewer vulnerabilities than Exim. So I suggest
> switching from Exim to Postfix for default MTA.
>
> Pros)
> - Postfix has had fewer vulnerabilities than Exim over the years
>   If we choose postfix for default, probably it's more secure than using
>   Exim ***by default***. It's good for our users.
>
>   Exim: 8 DSAs and 13 CVEs and some high and remote vulns as NVD severity
>   http://security-tracker.debian.org/tracker/source-package/exim4
>   and http://security-tracker.debian.org/tracker/source-package/exim
>
>   Postfix: 3 DSAs and 10 CVEs and no high vulns since its first release
>   http://security-tracker.debian.org/tracker/source-package/postfix
>
> Cons)
> - well, maybe I didn't get it ;)
>   If you want to continue to use Exim, you can do it via apt-get.
>
> Please let me know your idea for this.

Should have been done 10 years ago, IMHO. Why wait?

OT: and the same for bind, and use dbndns (djbdns).

--
Kind regards, Milan

Archive: http://lists.debian.org/20121101145318.ga11...@arvanta.net
Re: idea: switch default MTA from exim4 to postfix (wheezy+1)
On Thu, 2012-11-01 at 12:03, Axel Caspard wrote:
> I am curious to know why you would like to see bind replaced with dbndns?

The same as for exim: security records.

> ----- Original Message -----
> From: "Milan P. Stanic" <m...@arvanta.net>
> To: debian-security@lists.debian.org
> Sent: Thursday, 1 November, 2012 10:53:19 AM
> Subject: Re: idea: switch default MTA from exim4 to postfix (wheezy+1)
>
> On Thu, 2012-11-01 at 22:48, Hideki Yamane wrote:
> > Hi,
> >
> > Now we are using Exim as default MTA, but I doubt whether it'd be the
> > best choice since several critical security vulnerabilities have been
> > found these two or three years.
> [...]
>
> Should have been done 10 years ago, IMHO. Why wait?
>
> OT: and the same for bind, and use dbndns (djbdns).
>
> --
> Kind regards, Milan

Archive: http://lists.debian.org/20121101163557.ga11...@arvanta.net
Re: how to fix rootkit?
On Wed, 2012-02-08 at 17:56, Fernando Mercês wrote:
> I think you're talking about syscall interceptions and related stuff.
> You're right, we can't trust, but in this case we're talking about a
> very specialized malware and I don't see any fast action to bypass it.
>
> Maybe the conclusion is that we can't trust anything, so we can't do
> anything, but something needs to be done, right? An option is to load
> another kernel with kexec but we can't trust kexec. What do we do?

What about a device which can be tapped to the CPU of the running
machine and then 'take over' the CPU. Such a device could then read RAM,
block devices and peripherals to save data for post mortem analysis.

Although some secret agencies could already have something like that I'm
not sure that it is commercially available or will be in the near
future. If someone thinks that a hardware manufacturer could design and
put on the market computers with such an option built in, I suspect that
it will be suppressed by legislators.

> Sometimes we need to assume some risks otherwise we can't proceed. ;-)

That is. We live in a risky world and we cannot achieve perfect
security. As in the real world, computer security is a trade off between
usability and risk.

> BR,
>
> Fernando Mercês
> Linux Registered User #432779
> www.mentebinaria.com.br
> softwarelivre-rj.org
> @MenteBinaria
> II Hack'n Rio - 23 e 24/11 hacknrio.org
>
> On Wed, Feb 8, 2012 at 5:15 PM, Michael Stummvoll <mich...@stummi.org> wrote:
> > On 08.02.12 19:51, Jutta Zalud wrote:
> > > Michael Stummvoll wrote:
> > > > And who says that the new binaries don't work in compromised mode,
> > > > e.g. with an LD_PRELOAD? ;) You can't trust a compromised system,
> > > > not even when you are running (or think you are running) your own
> > > > binaries. Who knows what the kernel does.
> > >
> > > What exactly do you mean by system?
> >
> > The Operating System.
> >
> > As I understand Fernando he suggested to run external self-compiled
> > binaries within the compromised OS to be sure, and what I want to say
> > is that you can't be sure in this case.
> >
> > Kind Regards,
> > Michael
> >
> > Archive: http://lists.debian.org/4f32c9d7.30...@stummi.org
>
> Archive: http://lists.debian.org/cam7p17mntcwytrsgok9vjkwo6onwtoy9srdyaadcno5im5c...@mail.gmail.com

--
Kind regards, Milan
--
Arvanta, IT Security                  http://www.arvanta.net
Please do not send me e-mail containing HTML code or documents in
proprietary format (word, excel, pps and so on)

Archive: http://lists.debian.org/20120209120714.gb5...@arvanta.net
Re: how to fix rootkit?
On Thu, 2012-02-09 at 23:19, Russell Coker wrote:
> On Thu, 9 Feb 2012, Milan P. Stanic <m...@arvanta.net> wrote:
> > On Wed, 2012-02-08 at 17:56, Fernando Mercês wrote:
> > > I think you're talking about syscall interceptions and related
> > > stuff. You're right, we can't trust, but in this case we're talking
> > > about a very specialized malware and I don't see any fast action to
> > > bypass it.
> > >
> > > Maybe the conclusion is that we can't trust anything, so we can't do
> > > anything, but something needs to be done, right? An option is to
> > > load another kernel with kexec but we can't trust kexec. What do we
> > > do?
> >
> > What about a device which can be tapped to the CPU of the running
> > machine and then 'take over' the CPU. Such a device could then read
> > RAM, block devices and peripherals to save data for post mortem
> > analysis.
>
> There are devices which use firewire to directly access system RAM. It
> is also possible to design a PCI/PCIe card which does bus-mastering on
> external control to dump RAM contents.

AFAIK firewire must be enabled by the kernel (CPU) to have access to RAM
via DMA controller settings. A hacked kernel could disable DMA access to
the firewire (or any) controller.

> I've seen a live demonstration of the use of firewire to directly access
> system RAM, a system was compromised by having some memory altered,
> dumping the RAM would be trivial by comparison.

I'm not sure, for modern computer architecture does the CPU have to
enable bus mastering for a device on the bus? If so, malware could
disable bus mastering for peripheral devices.

> It has also been demonstrated that if you chill RAM to a low temperature
> then you can extract it from the system with most of its contents
> intact.

Fifteen (maybe twenty) years ago I wrote a small Forth interpreter which
could run from the 486 CPU cache, and at that time the 486 had a 4KB
cache. Theoretically, new generation malware could be designed to run
from the CPU cache completely.

--
Kind regards, Milan
--
Arvanta, IT Security                  http://www.arvanta.net
Please do not send me e-mail containing HTML code or documents in
proprietary format (word, excel, pps and so on)

Archive: http://lists.debian.org/20120209141629.ga6...@arvanta.net
Re: how to fix rootkit?
On Wed, 2012-02-08 at 19:39, Michael Stummvoll wrote:
> On 08.02.12 18:46, Fernando Mercês wrote:
> > Reading memory after turning off? Is there an easy way to do it?
> >
> > When I said your own binaries, I mean get fresh copies of binaries and
> > use them in the system from a USB stick or something like that. Do not
> > use the compromised system binaries. That's it. ;-)
>
> And who says that the new binaries don't work in compromised mode, e.g.
> with an LD_PRELOAD? ;)

What about statically linked binaries on external media (CD, DVD, USB
...) which is write protected, with 'execute in place' mode?

> You can't trust a compromised system, not even when you are running (or
> think you are running) your own binaries. Who knows what the kernel
> does.

If the kernel is changed to circumvent external (or all) binaries then
the solution could be to use some tool (I can't remember right now if
that exists) which could 'take over' the complete system (even the
kernel) and then do a snapshot or whatever is appropriate in that
situation.

--
Kind regards, Milan
--
Arvanta, IT Security                  http://www.arvanta.net
Please do not send me e-mail containing HTML code or documents in
proprietary format (word, excel, pps and so on)

Archive: http://lists.debian.org/20120208193713.ga16...@arvanta.net
Re: AUTO: Steve Bownas is out of the office. (returning 06/09/2011)
On Sat, 2011-06-04 at 23:41, Jim Popovitch wrote:
> On Sat, Jun 4, 2011 at 23:08, Steven Bownas <sbow...@us.ibm.com> wrote:
> > I am out of the office until 06/09/2011.
>
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on liszt.debian.org
> X-Spam-Level: *
> X-Spam-Status: No, score=1.1 required=4.0 tests=AUTOGENERATE,AUTOREBOD,FOURLA,
>         LDO_WHITELIST,OUTOFOFFICE,RCVD_IN_DNSWL_MED autolearn=no version=3.2.5

And it has an 'Auto-Submitted: auto-generated' header. Mails with such a
header should not pass the mailing list filter, IMHO.

> Somebody has some work to do tweaking the rules. I volunteer if nobody
> else steps forward.
>
> -Jim P.

--
Kind regards, Milan

Archive: http://lists.debian.org/20110605133105.ga26...@arvanta.net
Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
On Sun, 2008-07-20 at 14:04, Florian Weimer wrote:
> * John Elliot:
> > Hi,
> >
> > We have a couple of Sarge servers running bind9 (9.2.4-1sarge3) that
> > appear to be vulnerable to the DNS cache poisoning issue (Looks like
> > port randomization was only introduced in bind 9.3?) - As the servers
> > cannot be upgraded at this time to etch, what is the recommended
> > course of action? Backports and upgrade to 9.3?
>
> Install one or more etch boxes, put BIND 9 onto it, and configure the
> sarge machines to use them as forwarders. This is sufficient if the
> network between them is trusted. You could also forward requests to
> your ISP's resolvers (subject to the same constraint).

A simpler and more secure (and easier) solution is the installation of
djbdns.
Selinux targeted policy postfix remove fail in etch
Hi!

In etch semodule -r postfix fails with the following message:

  libsepol.expand_module: Error while indexing out symbols
  libsemanage.semanage_expand_sandbox: Expand module failed

Does someone know what the problem is and how the postfix module can be
removed?

TIA
Re: [SECURITY] [DSA 1232-1] New clamav packages fix denial of service
On Sat, Dec 09, 2006 at 03:43:33PM +0100, Moritz Muehlenhoff wrote:
> Package        : clamav
> Vulnerability  : missing sanity checks
> Problem-Type   : remote
> Debian-specific: no
> CVE ID         : CVE-2006-5874
[...]
> For the upcoming stable distribution (etch) this problem has been fixed
> in version 0.86-1.
               ^^
> For the unstable distribution (sid) this problem has been fixed in
> version 0.86-1.
            ^^

Clamav in testing and unstable is version 0.88.6
Re: handling private keys
On Tue, Jun 28, 2005 at 10:51:40PM +0200, Sven Mueller wrote:
> Anyway, for the kind of use you would like to put your smartphone to,
> you also need some interface for the host application to contact the
> smartphone by and to transmit the data in both directions, some UI on
> the smartphone to present the data to you (which would need to be smart
> enough to handle at least some of the more common data types) etc

But a smartphone is possibly always-on, connected to the net (GPRS, I
think), isn't it? I wouldn't put my valuable private key on a device
which is connected to anything out of my control.
Re: Compromised system - still ok?
On Mon, Feb 07, 2005 at 06:25:19PM +1100, Matthew Palmer wrote:
> Obviously you've never done this. Good luck finding someone who even
> knows what TCP/IP is, let alone sufficient knowledge to be able to
> track a cracker in real time with no warning.

How smart they are can be seen at:
http://www.boingboing.net/2005/01/27/jailed_for_using_a_n.html

In short: a man used lynx to donate to tsunami victims but the webmaster
at British Telecom called the police and the charitable man was
arrested. I don't know if I should cry or laugh.
Re: running services in their own little world
On Mon, Jul 26, 2004 at 01:36:37PM +1000, Russell Coker wrote:
> LIDS used to be in the LSM kernel patch, but got removed before LSM was
> merged into 2.6.x because it wasn't being maintained. Is LIDS being
> maintained again?

It is maintained and developed actively again, for now. On
http://www.lids.org/ there are patches for the 2.4 and 2.6 series.

> If so when will the patch be submitted to Linus?

Who knows? These days patches don't get accepted so easily :-(

Note: Russell, I'm subscribed to all mailing lists where we meet, so you
shouldn't be CC'ing me.
Re: running services in their own little world
On Mon, Jul 26, 2004 at 11:21:24PM +1000, Russell Coker wrote:
> Adding a new LSM module is like adding a new device driver, people who
> choose not to use it will not even notice it's there, so there's nothing
> stopping Linus from adding them at any time.

The LIDS patch is actually an LSM module and it is not too intrusive,
but I'm not Linus :-)

> It would be good if SE Linux wasn't the only security module in the
> kernel.org kernel tree.

Nice to hear from the most active SE Linux developer these days.
Re: running services in their own little world
On Sun, Jul 25, 2004 at 11:02:54AM +1000, Russell Coker wrote:
> On Sun, 25 Jul 2004 02:43, hanasaki <[EMAIL PROTECTED]> wrote:
> > The idea is to run bind, http and other servers in a jail. I am just
> > getting started and know little about it, for now. I was hoping that
> > there were Debian packages that already provided the jail(s) to run
> > these services in.
>
> SE Linux offers a good solution to your problem. However SE Linux
> support in Debian is lacking because I'm the only DD working on it. At
> the moment SE Linux support in Fedora is significantly better.

LIDS is simpler. SE Linux is overkill for simple servers for now, IMO.
Re: Backporting SELinux to woody
On Thu, Mar 11, 2004 at 08:25:15PM +0100, Norbert Tretkowski wrote:
> * Milan P. Stanic wrote:
> > Can I put in version something like libselinux1_1.6-0.1-bp.mps_i386.deb
> > instead of libselinux1_1.6-0.1_i386.deb?
>
> Well, if 1.6-0.1 will be in our next stable release, your backport will
> not be replaced with the version from stable. I'd suggest using
> libselinux1_1.6-0.0-bp.mps_i386.deb instead.

OK. Packages are on the:

  deb http://www.rns-nis.co.yu/~mps selinux/
  deb-src http://www.rns-nis.co.yu/~mps selinux/

I don't have experience in making deb-src repositories but I hope it is
ok. If anything is wrong (is anything ok? :-) ) please, tell me.

These are packages which I'm using to test SELinux under UML and woody.
The SELinux packages depend on attr and libattr from
http://www.backports.org

I'll try to make an html page about it tomorrow.
Re: Backporting SELinux to woody
On Thu, Mar 11, 2004 at 09:02:50AM +1100, Russell Coker wrote:
> > If someone needs them I can put them on the net or post somewhere, or
> > maybe help if help is needed.
>
> If you could establish an apt repository for it then that would be very
> useful. Brian's SE Linux packages haven't been updated for a while.

Can I leave the control and changelog files in the packages as they are
now, i.e. original from the respective DDs? I don't like the idea of
rebuilding all of them just to put in my name, comments and notes.
Re: Backporting SELinux to woody
On Thu, Mar 11, 2004 at 09:42:52PM +1100, Russell Coker wrote:
> If you copy all files related to a package intact then you don't have
> to make such changes. If you make any changes at all (even re-compiling
> with a different compiler and/or libc) then you must update the
> changelog appropriately.

Is it enough to put a note in the changelog that the package is
backported to woody? I can do that for binary packages tomorrow but I
don't have enough time for sources until next week.

Can I put in version something like libselinux1_1.6-0.1-bp.mps_i386.deb
instead of libselinux1_1.6-0.1_i386.deb?
Re: Backporting SELinux to woody
On Wed, Mar 10, 2004 at 04:58:14PM +1100, Russell Coker wrote:
> > I suspect that the problem can be with old glibc (2.2.5) but I'm not
> > sure. Because of that I'd like to ask should I backport glibc from
> > sarge?
>
> There have been some changes to the way libxattr works. From memory I
> think that you needed an extra -l option on the link command line when
> compiling with old libc6. I can't remember whether it was linking the
> PAM module or libselinux that needed it (or maybe both).

I already found that -lattr should be added to the Makefiles in
policycoreutils-1.6 to build it, and to the Makefile for the pam_unix
module in libpam. I also think that the same should be done in
libselinux1-1.6 and even looked through the Makefiles there, but didn't
find where and how to link libattr to libselinux1. That's because I
don't know how to build libraries, i.e. I know ./configure && make or
fakeroot debian/rules binary for libraries but I don't know the
low-level work.

So, the question: how can I link libattr to libselinux1?
Re: Backporting SELinux to woody
On Wed, Mar 10, 2004 at 10:04:38PM +1100, Russell Coker wrote:
> > So, the question: how can I link libattr to libselinux1?
>
> Edit src/Makefile and add -lattr in the $(CC) line for $(LIBSO).

That's it. I just rebuilt policycoreutils and pam with a libselinux1
which is linked with libattr and it was smooth. Now I have to backport
coreutils and sysvinit, huh.

Thank you, Russell.
Re: Backporting SELinux to woody
On Wed, Mar 10, 2004 at 01:29:16PM +0100, Milan P. Stanic wrote:
> That's it. I just rebuilt policycoreutils and pam with a libselinux1
> which is linked with libattr and it was smooth. Now I have to backport
> coreutils and sysvinit, huh.

Hate to reply to myself, but I'd like to inform you that I backported
libselinux, selinux-utils, policycoreutils, pam, coreutils, sysvinit,
checkpolicy and selinux-policy-default to woody. It works under UML.

If someone needs them I can put them on the net or post somewhere, or
maybe help if help is needed.
Backporting SELinux to woody
Hi!

[ Sorry, I'm not sure if this list is the right place to ask this, but I
can't remember a better one ]

I'm trying to backport SELinux tools and libraries from unstable to
stable (woody). Well, actually I succeeded in building all except
coreutils and sysvinit, installed all under UML and got to the point
where I cannot log in.

I've found a problem with pam (the backported one) which is compiled on
the woody platform. Here is the syslog message:

-----
Mar  9 19:29:44 [login] PAM adding faulty module: /lib/security/pam_unix.so
Mar  9 19:29:44 [login] PAM unable to dlopen(/lib/security/pam_selinux.so)
Mar  9 19:29:44 [login] PAM [dlerror: /lib/libselinux.so.1: undefined symbol: lsetxattr]
-----

I suspect that the problem can be with old glibc (2.2.5) but I'm not
sure. Because of that I'd like to ask should I backport glibc from
sarge?

Best regards, Milan
Re: Big VPN
On Wed, Mar 03, 2004 at 08:54:38AM +0100, Dariush Pietrzak wrote:
> > FreeS/WAN is orphaned upstream. OpenSWAN is based on FreeS/WAN and as such
> > it does not work with 2.6.
>
> That is untrue. 1.x branch works with 2.4.x kernels, 2.x branch works with 2.6.x

Right! I shouldn't write mail at 01:25 after midnight :-) I used freeswan for years but I'm switching to racoon, so I don't follow freeswan (or openswan) anymore. Sorry for the inconvenience.
Re: Big VPN
On Tue, Mar 02, 2004 at 03:37:52PM -0600, Jacques Normand wrote:
> On Tue, Mar 02, 2004 at 10:08:22PM +0100, J.H.M. Dassen (Ray) wrote:
> > If you're looking for a VPN solution, by all means look at FreeS/WAN (or
> > its likely successor, OpenSWAN). Just forget about OE. OE isn't about the
> > type of security you're looking for in a VPN.
>
> And what about the ipsec system in the 2.6 kernel (KAME) and the racoon
> daemon for initial key exchange? It does the same work as freeswan but it
> is still developed..

FreeS/WAN is orphaned upstream. OpenSWAN is based on FreeS/WAN and as such it does not work with 2.6. I'm not sure, but I think that Herbert Xu (Debian kernel maintainer) added patches to pluto (the FreeS/WAN IKE daemon) to work with IPSec in the 2.6.x kernel.

Racoon has been in FreeBSD for a few years and is actively developed.
Re: Security patches
On Sun, Nov 30, 2003 at 11:24:43PM +1100, Russell Coker wrote:
> It's a pity that the developers of other security systems didn't get
> involved, it would be good to have a choice of LIDS, HP's system, DTE, and
> others in the standard kernel.

LIDS uses LSM in the 2.5/2.6 kernel series, IIRC.
Re: Security patches
On Mon, Dec 01, 2003 at 07:23:18AM +1100, Russell Coker wrote:
> On Mon, 1 Dec 2003 05:10, Milan P. Stanic [EMAIL PROTECTED] wrote:
> > On Sun, Nov 30, 2003 at 11:24:43PM +1100, Russell Coker wrote:
> > > It's a pity that the developers of other security systems didn't get
> > > involved, it would be good to have a choice of LIDS, HP's system, DTE,
> > > and others in the standard kernel.
> >
> > LIDS uses LSM in the 2.5/2.6 kernel series, IIRC.
>
> LIDS does not appear to be in 2.6 at all.

No, it doesn't. But the LIDS patch uses LSM hooks.
Re: On the security of e-mails
On 26-May-2000 Alexander Hvostov wrote:
> Bradley,
>
> Uhm, isn't Sendmail's SMTP-over-SSL thing supposed to conform to some
> standard..? I seriously doubt the other endpoint has to be Sendmail; rather,
> I think it probably only needs to be running a proper SMTP-over-SSL
> implementation. If this is the case, then this can be done with stunnel and
> your favorite MTA. (mine being qmail... why doesn't everyone use qmail..?)

I think it is a standard, because I read the postfix TLS enhancement docs and here is a snip from the description:

  Overview:
  This is an SSL/TLS enhancement package for postfix. It realizes (well, or
  at least should, once it is finished) the STARTTLS extension to SMTP as
  described in RFC2487 and used by Netscape 4.5x.

RFC2487 is "SMTP Service Extension for Secure SMTP over TLS".

So, all SMTP MTAs with SSL/TLS should cooperate, shouldn't they?

-- E-Mail: Milan P. Stanic [EMAIL PROTECTED] Key fingerprint = EA81 54A6 7F35 5A38 FCE6 9EF6 9D24 E68E 5C1D AF15 --
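The interoperability point made above (any MTA implementing RFC 2487 can talk to any other) rests on a small, fixed exchange: EHLO, look for the STARTTLS keyword, send STARTTLS, expect 220, do the handshake, then EHLO again and trust only what the encrypted EHLO says. The following is an added example, not code from the thread or from Postfix, Sendmail or qmail: the client side of that exchange as a state machine, driven against a scripted stand-in server so both sides' messages can be read offline. The server name, client hostname, reply texts and extension list are constructed samples, and the TLS handshake itself is represented by a flag rather than performed.

```python
"""Added example: the RFC 2487 STARTTLS negotiation as a client state machine
run against a scripted server. Not from the thread; all replies are constructed."""


class ScriptedServer:
    """Stand-in for any STARTTLS-capable MTA: answers EHLO, STARTTLS and QUIT.
    offers_starttls=False models an MTA without the extension (assumed sample)."""

    def __init__(self, name="mail.example.test", offers_starttls=True):
        self.name = name
        self.offers_starttls = offers_starttls
        self.tls_active = False
        self.transcript = []  # "C: ..." / "S: ..." lines, for inspection

    def _ehlo_reply(self):
        exts = ["8BITMIME", "SIZE 10240000"]
        if self.tls_active:
            exts.append("AUTH PLAIN LOGIN")  # only offered once the link is encrypted
        elif self.offers_starttls:
            exts.append("STARTTLS")          # never re-advertised inside TLS (RFC 2487 s.5.2)
        lines = [self.name] + exts
        # Every line but the last is "250-...", the last is "250 ..." (RFC 5321 syntax).
        return "\r\n".join(("250-" if i < len(lines) - 1 else "250 ") + line
                           for i, line in enumerate(lines))

    def send(self, line):
        self.transcript.append("C: " + line)
        verb = line.split()[0].upper()
        if verb == "EHLO":
            reply = self._ehlo_reply()
        elif verb == "STARTTLS":
            if self.offers_starttls and not self.tls_active:
                reply = "220 Ready to start TLS"
                self.tls_active = True   # the TLS handshake would happen here
            else:
                reply = "454 TLS not available due to temporary reason"
        elif verb == "QUIT":
            reply = "221 Bye"
        else:
            reply = "502 Command not implemented"
        self.transcript.extend("S: " + part for part in reply.split("\r\n"))
        return reply


def parse_ehlo(reply):
    """Split a multi-line EHLO reply into (code, {EXTENSION: [params]})."""
    lines = reply.split("\r\n")
    code = lines[0][:3]
    exts = {}
    for line in lines[1:]:          # line 0 carries the server's own name
        words = line[4:].split()
        exts[words[0].upper()] = words[1:]
    return code, exts


def negotiate(server, hostname="client.example.test", require_tls=True):
    """Drive the client side of RFC 2487; return what the session ended up with."""
    code, exts = parse_ehlo(server.send(f"EHLO {hostname}"))
    if code != "250":
        raise RuntimeError(f"EHLO rejected: {code}")
    if "STARTTLS" not in exts:
        if require_tls:
            server.send("QUIT")
            raise RuntimeError("peer does not offer STARTTLS; refusing to continue in clear")
        return {"tls": False, "extensions": exts}
    reply = server.send("STARTTLS")
    if not reply.startswith("220"):
        server.send("QUIT")
        raise RuntimeError(f"STARTTLS refused: {reply}")
    # After the handshake the client MUST discard everything learned before it
    # and issue a fresh EHLO: extensions seen in clear text could have been altered.
    code, exts = parse_ehlo(server.send(f"EHLO {hostname}"))
    if "STARTTLS" in exts:
        raise RuntimeError("peer advertises STARTTLS inside TLS, which RFC 2487 forbids")
    return {"tls": True, "extensions": exts}


if __name__ == "__main__":
    srv = ScriptedServer()
    result = negotiate(srv)
    print("\n".join(srv.transcript))
    print("TLS:", result["tls"], "extensions:", sorted(result["extensions"]))
```

Nothing in `negotiate` depends on which MTA is on the other end, which is the point of the thread: the keyword, the 220 reply and the second EHLO are the whole contract. The `require_tls` switch is where a site policy lives; with it set, a peer that does not advertise STARTTLS gets a QUIT instead of a cleartext session, and a peer that keeps advertising STARTTLS after the handshake is rejected because that is a sign the first reply was not the one the server actually sent.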