CVE-2023-41105 not fixed in bookworm
Dear security team,

May I ask why CVE-2023-41105 was marked as "(Minor issue)" [1]? As the CVE description says, there are plausible cases where this can lead to security issues. There is a backport available for Python 3.11 and it seems most other distros have patched this CVE.

Kind regards,

Richard van den Berg

1: https://security-tracker.debian.org/tracker/CVE-2023-41105
Re: What is the best free HIDS for Debian
On 10/05/2022 05:37, Vitaly Krasheninnikov wrote:
> Thank you for debcheckroot. I think it is a great project, which makes us one step closer to a verifiable Debian system. In this particular case, I'd like to point out the exact flags from fileserror.lis that you showed us: "..._.GM" and "..._..M". According to the description on your website, it means the modification of the file permissions, not the actual content.

Thanks a lot for clarifying this. I found the interpretation of the results of debcheckroot at https://www.elstel.org/debcheckroot/

On 06/05/2022 15:52, Elmar Stellnberger wrote:
> On 06.05.22 at 15:05 Sylvain Sécherre wrote:
> > Here's the fileserror.lis:
> > ..._.GM /usr/bin/crontab cron_3.0pl1-137_amd64 root root 755
> > ..._..M /usr/bin/pkexec policykit-1_0.105-31+deb11u1_amd64 root root 755
> > ..._.GM /usr/bin/ssh-agent openssh-client_1:8.4p1-5_amd64 root root 755
> > ...
> I hope you won't mind that I am citing the output of debcheckroot you have given me. These three files point to an infection with a rootkit. Don't care about modified configuration files like in /etc too much (but you may still have a look at them). Executable files on the other hand must never be modified. If these three files are different it means that someone has altered your system. If you look at the man pages of these executables then you also know that a maker of a rootkit would have interest to modify exactly these files.

Since you are the author of the debcheckroot tool, why do you think that the G (group) and M (mode) flags indicate the content of the files were altered? Or did you make a mistake and forgot what the output of debcheckroot actually means? If so, does this change your opinion that a rootkit is installed on this system?

Kind regards,

Richard
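The distinction the reply turns on (G and M are metadata flags, a replaced binary is a content change) is exactly the one an integrity check has to report separately. As an added example, not code from debcheckroot, from the thread or from the Debian project, here is a standalone Python check that compares an installed file against the md5 dpkg records in /var/lib/dpkg/info/<package>.md5sums (the same data debsums and dpkg -V consult) and keeps content deviation apart from mode, owner and group deviation. The fake root, the file bytes and the md5sums line in demo() are constructed for the example; the 755 root:root expectation mirrors the quoted fileserror.lis lines. md5 is used because that is what dpkg stores, not because it is a strong hash.

```python
import hashlib
import os
import stat
import tempfile


def parse_md5sums(text):
    """Parse dpkg's <package>.md5sums format: '<md5>  <path without leading />' per line."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, relpath = line.split(None, 1)
        table["/" + relpath.strip()] = digest.lower()
    return table


def md5_of(path):
    h = hashlib.md5()  # dpkg records md5; that is the only reason it is used here
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path, md5sums, expected_mode, expected_uid=None, expected_gid=None, root="/"):
    """Return the set of deviations for one installed file.

    'content' means the bytes differ from what the package shipped (a replaced binary);
    'mode', 'owner' and 'group' are metadata-only deviations, like debcheckroot's M and G.
    """
    full = os.path.join(root, path.lstrip("/"))
    st = os.stat(full)
    flags = set()
    if md5_of(full) != md5sums[path]:
        flags.add("content")
    if stat.S_IMODE(st.st_mode) != expected_mode:
        flags.add("mode")
    if expected_uid is not None and st.st_uid != expected_uid:
        flags.add("owner")
    if expected_gid is not None and st.st_gid != expected_gid:
        flags.add("group")
    return flags


def verdict(flags):
    """The call a responder has to make from the flag set."""
    if "content" in flags:
        return "replaced: treat as compromise, reinstall from a trusted package and investigate"
    if flags:
        return "metadata only: find out who changed it, but not proof of a trojaned binary"
    return "matches the package"


def demo():
    """Constructed fake root: a pristine 'packaged' file, then a mode change, then a content change."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/bin"))
    target = os.path.join(root, "usr/bin/crontab")
    shipped = b"#!/bin/sh\necho shipped\n"  # stand-in for the packaged binary (constructed)
    with open(target, "wb") as f:
        f.write(shipped)
    os.chmod(target, 0o755)
    sums = parse_md5sums(hashlib.md5(shipped).hexdigest() + "  usr/bin/crontab\n")

    results = [classify("/usr/bin/crontab", sums, 0o755, root=root)]  # pristine
    os.chmod(target, 0o775)
    results.append(classify("/usr/bin/crontab", sums, 0o755, root=root))  # the M case
    with open(target, "ab") as f:
        f.write(b"\n# appended after install\n")  # what a replaced binary looks like to the check
    results.append(classify("/usr/bin/crontab", sums, 0o755, root=root))
    return results
```

On a real system you would point root at "/" and load the md5sums file of the package named in the fileserror.lis line; mode and owner expectations come from the package's file list, which is what the 755 root root columns in the quoted output are.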
Re: /home/loser is with permissions 755, default umask 0022
On 13-11-2020 08:18, Georgi Guninski wrote:
> Some more exploit vectors from the FD list: https://seclists.org/fulldisclosure/2020/Nov/13
> Partial results:
> 1. mutt (text email client) exposes ~/.mutt/muttrc, which might contain the imap password in plaintext.

Interesting find. Please report this to the mutt package maintainer using reportbug [1].

> 2. Some time ago on a multiuser debian mirror we found a lot of data, including the wordpress password of the admin.

As Giacomo already explained, there is nothing an OS can do to stop the insecure behavior of its users.

> 3. Anything created by EDITOR NEWFILE is readable, unless the directory prevents. This includes root doing EDITOR /etc/NEWFILE

Yes, that is indeed the default. If you don't like it, you can change the system umask in /etc/login.defs or /etc/profile.

Somehow I get the feeling you are using debian-security@lists.debian.org to report security issues with Debian. This is however just a discussion mailing list about Debian security. If you wish to report a serious security issue (which I did not find in your e-mails) you need to contact the Debian Security Team [2].

Kind regards,

Richard

[1]: https://wiki.debian.org/reportbug
[2]: https://www.debian.org/security/faq#contact
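What the default umask actually yields, and how to audit a home directory for the muttrc case raised above, as an added Python example (not code from the thread or from Debian). It creates a file the way most programs do (requesting mode 0666, letting the umask take bits away), then checks whether another local user could reach the file: every directory on the path needs o+x and the file itself o+r. The throwaway 755 home directory is constructed for the example; the SENSITIVE list contains only the path the thread names and is meant to be extended.

```python
import os
import stat
import tempfile

# Files the thread calls out as sensitive under a 755 home; extend with your own list.
SENSITIVE = (".mutt/muttrc",)


def create_with_umask(path, mask):
    """Create a file the way editors and most tools do (mode 0666 requested) under `mask`.

    Returns the permission bits the kernel actually gave the file.
    """
    old = os.umask(mask)
    try:
        os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666))
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def exposed_to_others(home, relpath):
    """True if a user who is neither the owner nor in the group can read home/relpath."""
    cur = home
    for part in [""] + relpath.split("/")[:-1]:
        cur = os.path.join(cur, part)
        if not os.stat(cur).st_mode & stat.S_IXOTH:   # cannot traverse this directory
            return False
    return bool(os.stat(os.path.join(home, relpath)).st_mode & stat.S_IROTH)


def audit_home(home):
    """Sensitive files under `home` that other local users can read."""
    found = []
    for rel in SENSITIVE:
        full = os.path.join(home, rel)
        if os.path.exists(full) and exposed_to_others(home, rel):
            found.append(rel)
    return found


def demo(mask):
    """Constructed 755 home with ~/.mutt/muttrc created under `mask`; returns (file mode, exposed list)."""
    home = tempfile.mkdtemp()
    os.chmod(home, 0o755)                      # the /home/loser 755 situation from the thread
    mutt_dir = os.path.join(home, ".mutt")
    os.makedirs(mutt_dir)
    os.chmod(mutt_dir, 0o755)
    mode = create_with_umask(os.path.join(mutt_dir, "muttrc"), mask)
    return mode, audit_home(home)
```

demo(0o022) shows the default: the file ends up 0644 and the audit flags it; demo(0o077) shows the umask change the reply points to, giving 0600 and a clean audit. Note that the umask only affects files created after the change; existing files keep their mode.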
Re: vulnerability in 8.6
On 7 Nov 2016, at 16:54, Ozgur wrote:
>
> Linux 3.16.0-4-amd64 (Debian 8.6)
>

Always test security vulnerabilities on a fully patched system. According to https://security-tracker.debian.org/tracker/CVE-2016-5195 this was fixed in version 3.16.36-1+deb2 of the linux package.

Kind regards,

Richard
DSA for CVE-2016-5696 (off-path blind TCP session attack)
Dear Debian security team,

Will there be a DSA written for CVE-2016-5696 [1]? It looks pretty serious and I'd like to fix this on my systems ASAP.

Kind regards,

Richard van den Berg

[1] https://security-tracker.debian.org/tracker/CVE-2016-5696
Re: Unverifiable Signature on Debian Security Advisory Emails
> You can also use the finger interface at db.debian.org:
>
> finger seb/k...@db.debian.org

The 90's called: they want their finger back. ;-) It seems RFC 1288 was never updated for TLS support.

https://www.debian.org/events/keysigning points to http://keyring.debian.org/ which should be the de facto place to look for Debian PGP/GPG keys. It even mentions the finger interface.

--
Richard
Re: streql - Constant-time string comparison
On 28-10-14 20:59, Riley Baird wrote:
> As far as I can tell, your code ensures that even if the strings are of
> different length, an equality calculation should be performed anyway,
> however returning 0, on the grounds that this would make it more
> difficult for an attacker to know that the two strings entered were of
> different lengths. Is this right?

Pardon my ignorance, but how much more difficult does it actually become to determine the two inputs are of different length? In the original the function returns right away if xlen != ylen. If the attacker can control one of the inputs (say x), the change proposed by Joel will cause the time of the compare to increment when xlen is increased until xlen == ylen. If this can be observed with enough precision the same objective can be achieved.

--
Richard

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/5450ab6e.1080...@vdberg.org
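The three shapes under discussion side by side, as an added Python example (not the streql code or anything posted in the thread). Each function returns the comparison result together with the number of loop iterations it spent, so the timing behaviour Richard describes can be seen without a stopwatch: the original leaks the secret's length as a spike at xlen == ylen, the "scan anyway" variant leaks it as a plateau once xlen reaches ylen, and the third variant does the same amount of work for every input of a given attacker-chosen length, so nothing about the secret's length shows in the iteration count. The secret and the probe inputs are constructed for the example.

```python
def compare_early_return(x, secret):
    """Original streql shape: different lengths bail out before any byte is looked at."""
    steps = 0
    if len(x) != len(secret):
        return False, steps
    diff = 0
    for a, b in zip(x, secret):
        diff |= a ^ b
        steps += 1
    return diff == 0, steps


def compare_full_scan(x, secret):
    """The proposed change as the thread describes it: still walk the common prefix, force a mismatch.

    zip() stops at min(len(x), len(secret)), so the work grows with len(x) until it equals len(secret).
    """
    steps = 0
    diff = 0 if len(x) == len(secret) else 1
    for a, b in zip(x, secret):
        diff |= a ^ b
        steps += 1
    return diff == 0, steps


def compare_attacker_length(x, secret):
    """Work depends on len(x) only: walk every byte of the attacker's input, index the secret modulo its length.

    The length mismatch is folded into the accumulator instead of changing the loop bound.
    """
    steps = 0
    if not secret:
        return len(x) == 0, steps
    diff = len(x) ^ len(secret)
    for i, a in enumerate(x):
        diff |= a ^ secret[i % len(secret)]
        steps += 1
    return diff == 0, steps


def cost_profile(compare, secret, lengths):
    """Iterations each variant spends on attacker inputs of the given lengths (the timing side channel, counted)."""
    return [compare(b"A" * n, secret)[1] for n in lengths]
```

In practice use the constant-time primitive your library already ships (hmac.compare_digest in Python) rather than one of these; the point of the example is to show why "compare anyway" is not enough on its own.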
Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
On 21 sep. 2014, at 20:29, W. Martin Borgert wrote:
> If a package would change by adding another signature, then this
> would invalidate previous signatures.

Package formats like apk and jar avoid this chicken-and-egg problem by hashing the files inside a package, and storing those hashes in a manifest file. Signatures only sign the manifest file. The manifest itself and the signature files are not part of the manifest, but are part of the package. So a package including its signature(s) is still a single file.

Richard

Archive: https://lists.debian.org/8ce64b3d-6269-47a6-8cf2-5ecaa631b...@vdberg.org
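The manifest scheme just described, worked through in Python as an added example (not jar or apk tooling, and not code from the thread): payload files are hashed into META-INF/MANIFEST.MF, each signer signs only the manifest and drops its signature next to it under META-INF/, and because neither the manifest nor the signature files are listed in the manifest, a second signer can be added without invalidating the first. HMAC stands in for the PKCS#7/X.509 signature block a real jar carries, and the META-INF/<SIGNER>.SIG file name is this example's own convention; verification also rejects payload files added or removed after signing, which the digest check alone would miss.

```python
import base64
import hashlib
import hmac
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"   # name used by jar; apk uses the same layout
META = "META-INF/"                  # signature files live here and are never listed in the manifest


def _digest(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_manifest(files):
    """Name/SHA-256-Digest pairs for every payload file, like a jar or apk MANIFEST.MF."""
    lines = ["Manifest-Version: 1.0", ""]
    for name in sorted(files):
        lines += [f"Name: {name}", f"SHA-256-Digest: {_digest(files[name])}", ""]
    return "\n".join(lines).encode()


def parse_manifest(data):
    digests, name = {}, None
    for line in data.decode().splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name is not None:
            digests[name] = line[len("SHA-256-Digest: "):]
            name = None
    return digests


def _entries(package):
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


def _repack(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_package(files):
    """Payload files plus their manifest in one zip; no signature yet."""
    return _repack({**files, MANIFEST: build_manifest(files)})


def sign_package(package, signer, key):
    """Add META-INF/<SIGNER>.SIG: an HMAC (stand-in for a real signature) over the manifest only.

    Nothing the manifest lists changes, so signatures already present stay valid.
    """
    entries = _entries(package)
    tag = hmac.new(key, entries[MANIFEST], hashlib.sha256).hexdigest().encode()
    return _repack({**entries, f"{META}{signer.upper()}.SIG": tag})


def verify_package(package, signer, key):
    """True only if the named signature covers the manifest and every payload file matches it."""
    entries = _entries(package)
    manifest = entries.get(MANIFEST)
    sig = entries.get(f"{META}{signer.upper()}.SIG")
    if manifest is None or sig is None:
        return False
    expected = hmac.new(key, manifest, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, sig):
        return False
    digests = parse_manifest(manifest)
    payload = {n: d for n, d in entries.items() if not n.startswith(META)}
    if set(payload) != set(digests):        # a file was added or removed after signing
        return False
    return all(_digest(d) == digests[n] for n, d in payload.items())


def tamper(package, name, data):
    """Replace or add one entry without touching the manifest; used to show detection."""
    return _repack({**_entries(package), name: data})
```

The order of operations matters for the point in the reply: sign_package() rewrites the zip, yet verify_package() for the earlier signer still succeeds, because the earlier signature was over the manifest bytes, which are unchanged.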
Re: Debians security features in comparison to Ubuntu
Emmanuel Thierry wrote on 17-05-14 18:37:
> Isn't it a better idea to use local entropy generators such as haveged instead of online ones?

Haveged is great, but IMHO it cannot replace a hardware PRNG.

> I'm quite disturbed about using an online (and moreover third-party) service to improve security of a local system. In my sense, this requires a huge level of trust towards the considered service.

I agree with you, but one can argue that increasing the entropy of a system by using an online service provided by the same organization that distributes the software of that system does not decrease the overall security of that system.

Kind regards,

Richard

Archive: https://lists.debian.org/5377b5dd.8010...@vdberg.org
Re: Debians security features in comparison to Ubuntu
Joel Rees wrote on 17-05-14 18:20:
> Hmm. Early boot has problems getting enough randomness (for what?),

To seed the kernel random number generator.

> so let's go get some randomness from a server somebody in the Ubuntu project set up.

I never said it was a great solution, but the lack of good quality entropy on headless (virtual) Linux systems is a real problem. I merely asked if the Debian project provides something similar, or hopefully better.

Kind regards,

Richard

Archive: https://lists.debian.org/5377b3e9.3080...@vdberg.org
Re: Debians security features in comparison to Ubuntu
Joel Rees wrote on 17-05-14 03:19:
> > He gave me a link to the following site: https://wiki.ubuntu.com/Security/Features
> None of the meaningful items in that list are unavailable on Debian, and the defaults are reasonably secure in Debian.

I might be misinterpreting your definition of "meaningful", but I have been looking for a public entropy source for my Debian system for quite a while. If you can point me to the Debian equivalent of pollinate and https://entropy.ubuntu.com/ that would be highly appreciated.

Kind regards,

Richard

Archive: https://lists.debian.org/5377818b.3050...@vdberg.org
Re: goals for hardening Debian: ideas and help wanted
> I suggest it might be better if exploits were each given a quick/approximate
> "ranking" in terms of severity (and if the severity is unknown it could be
> assigned a default median ranking), so that the algorithm you mention wouldn't
> just add number of unplugged exploits, but add them by weight

That is a good idea. The Common Vulnerability Scoring System was invented for this purpose: http://en.wikipedia.org/wiki/CVSS

Kind regards,

Richard

Archive: https://lists.debian.org/7f6371fd-0ee0-4f36-8f36-7736f65e7...@vdberg.org
Re: process to include upstream jar sig in Debian-generated jar
On 29 aug. 2013, at 09:39, Florian Weimer wrote:
> How would you tell a legitimate security update from a version that
> lacks a signature for other reasons?

If you are worried about a non-official/malicious update for the package, the .deb will still need to have a proper signature. The discussion here is the signature on the jar file that is read/verified by the JRE.

--
Richard

Archive: http://lists.debian.org/4dedc154-c4cc-4ded-86ec-373b760de...@vdberg.org
CVE-2013-2266 fix for bind9 in stable?
Thanks a lot for the quick fix. Will bind9 9.7.3.dfsg-1 in stable also be fixed? I don't see any reports on http://www.debian.org/security/#DSAS and http://lists.debian.org/debian-security-announce/2013/threads.html

Kind regards,

Richard van den Berg
security.debian.org down, mirror needed
security.debian.org is hosted by the University of Twente in The Netherlands (www.utwente.nl). Their data center caught fire a few hours ago. As a result their class B (130.89.0.0/16) disappeared from the internet. A news article mentions that most servers and infrastructure have been destroyed. Is it possible to set up a mirror somewhere for the time being?

--
Richard van den Berg, CISSP
Trust Factory B.V.  | http://www.trust-factory.com/
Bazarstraat 44a     | Phone: +31 70 3620684
NL-2518AK The Hague | Fax  : +31 70 3603009
The Netherlands     |