Re: How do you guys handle PNG/JPG binary files with potential payloads for all the image viewers?

2022-06-20 Thread Sebastian Rose
Davide Prina  writes:
> Corey H wrote:
>
>> how do you guys test all of the potential PNG/JPG potential malware payloads

What's your use-case? As I'm not aware of a vector for GNU/Linux in
normal everyday use¹, I guess you host files for Windows clients?

Did anyone mention ClamAV already? If so, please ignore me (sorry for
not following closely...).


 - Sebastian


¹ One can execute every file on GNU/Linux. But the attack is that
execution of a file, not the file (otherwise we'd have to consider `rm',
`gpg', `scp', and many more malware, too).


-- 
As I was walking down Stanton Street early one Sunday morning, I saw a
chicken a few yards ahead of me.  I was walking faster than the chicken,
so I gradually caught up.  By the time we approached Eighteenth Avenue,
I was close behind.  The chicken turned south on Eighteenth.  At the
fourth house along, it turned in at the walk, hopped up the front steps,
and rapped sharply on the metal storm door with its beak. After a
moment, the door opened and the chicken went in.

  (Linda Elegant in "True Tales of American Life")



Re: Request to review and upload libewf 20140813-1

2022-06-18 Thread Sebastian Ramacher
On 2022-06-10 23:23:35 +0900, Daichi Fukui wrote:
> Hello team,
> (CC: Samuel. Sebastian)
> 
> I've prepared a new version of libewf [0], which is going to be
> 20140813-1 with this update.
> This version mainly introduces the following changes:
> 
>   * New upstream version 20140813 (Closes: #1006393)
>   * Switch to debhelper compat level 13
>   * Update symbols file
>   * Add autopkgtest
> 
> Additionally, since the source code for debian/20140807-2.1 is
> currently missing in salsa, that source code is also included in this
> update [1].
> 
> This new source package was built and tested using salsa-ci, and
> everything but test-crossbuild-arm64 [2] successfully passed.
> I will keep that failing job untouched because it is allowed to fail
> as you can see [3].
> That said, if we have to address this issue before uploading
> 20140813-1, please let me know.
> 
> If this update is satisfactory and helpful, I would appreciate it if
> you review and upload the package.
> 
> By the way, one thing I'm worried about is the migration status of
> this package. For some reason, its migration is blocked by openssl
> and that keeps the issue #1006393 unresolved, which would result in
> the removal of libewf from testing on June 21st [4].
> If I understand correctly, according to developer information [5], we
> should "avoid uploads unrelated to this transition" probably until
> issues of openssl are resolved. If this guidance applies to this draft
> source package, we will have to suspend this draft and wait for issues
> of openssl being resolved.

That's expected. The package is involved in the still ongoing openssl
transition. As an upload was required to make it build with openssl 3,
that upload was blocked behind openssl 3. As both have now migrated to
testing, the warning should be gone from libewf's tracker.

Cheers

> 
> Hope this makes sense.
> 
> [0] https://salsa.debian.org/dfukui/libewf/-/commits/debian/master
> Tag: https://salsa.debian.org/dfukui/libewf/-/tags/debian%2F20140813-1
> [1] https://salsa.debian.org/dfukui/libewf/-/commit/00c9537a456d56f92f2582133dfdb456314cd785
> [2] https://salsa.debian.org/dfukui/libewf/-/pipelines/387710
> [3] https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
> [4] https://qa.debian.org/excuses.php?package=libewf
> [5] https://tracker.debian.org/pkg/libewf
> 
> Best regards,
> Fukui

-- 
Sebastian Ramacher



Re: [debian][libewf] Request for VCS repo update

2022-06-02 Thread Sebastian Ramacher
Hi Fukui

On 2022-06-02 21:57:38, Daichi Fukui wrote:
> Hello Sebastian
> 
> Nice to meet you.
> It looks like the VCS repository for libewf is not up to date - tag
> 20140807-2.1 is missing [0].

That tag does not exist. 201408107-2.1 was a non-maintainer upload. You
can import the tag via gbp import-dsc using the source package for that
version. However, note that the repository contains changes which have
never been uploaded, so this might cause issues.

Best
Sebastian

> If you don't mind, can you upload the source package or reach 'Simon
> Chopin' regarding this issue?
> (I failed to find his email address)
> 
> In fact, I am preparing for a further update of the package to keep up
> with the upstream.
> Thus, I need to synchronise my local repository with the latest
> version 20140807-2.1.
> 
> Hope this makes sense.
> 
> [0] https://salsa.debian.org/pkg-security-team/libewf/-/tags
> Best regards,
> Fukui

-- 
Sebastian Ramacher



Re: radare2-cutter initial upload; possible radare2 update?

2019-01-26 Thread Sebastian Reichel
Hi,

On Sat, Jan 26, 2019 at 12:32:28AM +0100, Hilko Bengen wrote:
> * Sebastian Reichel:
> 
> > Thanks, for taking care of this. I'm currently a bit short on time.
> > I noticed, that you enabled OpenSSL, which is not ok. 
> 
> Right. Will revert that right away, now that my upload has been accepted
> into unstable.
> 
> > Also I think we should switch to upstream soname (3.2.1), which paves
> > the way to use meson instead of their own build system.
> 
> As long as upstream keeps their ABI stable across patchlevel releases,
> I see no reason for doing that.

upstream does not guarantee any ABI stability. This needs to be checked
downstream (i.e. the maintainer importing the updated release).

> Couldn't we also override the soname picked by the meson
> buildsystem?

I think that requires patching the build system. FWIW I rebased my
meson patch on top of your changes and pushed it into an extra
branch:

https://salsa.debian.org/pkg-security-team/radare2/tree/meson

It works, but uses upstream's soname.

-- Sebastian




Re: radare2-cutter initial upload; possible radare2 update?

2019-01-24 Thread Sebastian Reichel
Hi,

On Thu, Jan 24, 2019 at 12:04:29AM +0100, Hilko Bengen wrote:
> * Samuel Henrique:
> 
> > I know that you're asking for objections, but I'd say please go ahead,
> > especially because this new release of radare2 ships lots of
> > improvements and somebody sent an email to our team's list requesting
> > for 3.2.1 already (at least one person will be happy with it).
> 
> Thank you. I'll upload radare/3.2.1+dfsg-1 right now. It will have to go
> through NEW because of a SONAME bump, of course. After it has been
> accepted, I'll follow up with radare2-cutter, hoping to get it into the
> archive before the soft-freeze.
> 
> Unless there are objections, of course. :-)

Thanks, for taking care of this. I'm currently a bit short on time.
I noticed, that you enabled OpenSSL, which is not ok. Most of R2 is
LGPL, but there is some GPL code in it. Also I think we should
switch to upstream soname (3.2.1), which paves the way to use
meson instead of their own build system.

-- Sebastian




embedding openssl source in sslscan

2016-12-22 Thread Sebastian Andrzej Siewior
tl;dr: Has anyone a problem if sslscan embeds openssl 1.0.2 in its
source?

sslscan [0] as packaged in Debian currently relies on external libssl as
provided by the openssl package. The openssl package disables support
for compression, SSLv2 and SSLv3, which is good, but it also means that
sslscan cannot detect an SSL implementation that is still providing
support for one of these deprecated protocols or compression.
One could say that it is not required to test for SSLv2 because if
libssl does not support it then it is not possible for an application to
offer it. However libssl is not the only SSL toolkit in Debian and one
might need to scan a non-Debian / older machine.

[0] https://github.com/rbsec/sslscan

Sebastian



Re: [SECURITY] [DSA 3148-1] chromium-browser end of life

2015-02-02 Thread Sebastian Rose

> Or use the (non-free) Chrome DEBs provided by Google.

Did they stop putting their servers into /etc/apt/sources.list before
installing and, even worse, after de-installing?  They did the last time
I (un-)installed Chrome.

  - Sebastian

-- 

I set one foot upon the air, and it carried me.
 (Hilde Domin)


--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/87y4og8721@gmx.de



Re: How (un)safe would Debian be when only using the security.debian.org repository?

2013-11-10 Thread Sebastian Günther
* adrelanos (adrela...@riseup.net) [10.11.13 20:51]:
> Hi!
>
> How (un)safe would it be...? When using Debian while...
>
> Not using:
> deb http://ftp.us.debian.org/debian stable main contrib non-free
> deb http://security.debian.org stable/updates main contrib non-free
>
> Only using:
> deb http://security.debian.org stable/updates main contrib non-free

The other problem is that you will not be able to install any software
which has never received any security fix:
e.g. neither vim nor nano are in the pool dir on that mirror.

Sebastian

-- 
  Religion is the opium of the people.   |   _    ASCII ribbon campaign
  Karl Marx                              |  ( )   against HTML e-mail
  SEB@STI@N GÜNTHER                      |   X    against M$ attachments
  mailto:deb...@teageek.de               |  / \   www.asciiribbon.org





Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-08 Thread Sebastian Posner
Jim Popovitch wrote:

>> ALLOW rules and SSH-keys.
>
> Is there a way to force keys AND passwd verification?

Normally you'd want to DISABLE PasswordAuthentication and 
ChallengeResponseAuthentication - unless you have a special and well-maintained 
setup like e.g. One-Time-Pads or such - because both can potentially be 
brute-forced way faster than SSH-keys..unless you happen to use a key generated 
with one of those funny buggy random-sources from the past, in which case a 
well-maintained sshd nowadays will simply reject your key.

Something that would indeed be interesting is a way to enforce that the PRIVATE 
KEY is password-protected - sadly, you can't see this from the public key, and 
I'm not aware of any possibility to query the client concerning this specific 
matter.

Sebastian
-- 
baboo



Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-08 Thread Sebastian Posner
Michael Stone wrote:

[A way to enforce non-empty passwd on ssh-keys]

> You can't, which is why it is useful to have both passwords and keys
> simultaneously--you can enforce a policy on a password.

To cite Noah Meyerhans from his recent mail - my users would shoot me if I ever 
tried such a thing.
Sadly, I'm not their boss but they are more or less my customers, so putting a 
security policy in place requiring the previously stated mechanism would be 
more like starting a war than a small skirmish.

Sebastian
-- 
baboo
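
Both mails above turn on the fact that the public key says nothing about whether the private key is passphrase-protected, so that check can only be made where the private key file lives. The following is an added example, not code from the thread: it reads the header of a private key file (legacy PEM, PKCS#8, and the newer OpenSSH container, which postdates this thread) and reports whether it is encrypted. The sample keys are constructed headers with no key material.

```python
import base64
import struct
import sys

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def read_ssh_string(buf, offset):
    """Read one SSH wire string (uint32 big-endian length, then bytes)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length")
    (length,) = struct.unpack_from(">I", buf, offset)
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[offset + 4:end], end


def key_protection(text):
    """Return 'encrypted', 'unencrypted' or 'unknown' for private-key file text."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if (not lines or not lines[0].startswith("-----BEGIN ")
            or not lines[0].endswith("-----")):
        return "unknown"
    label = lines[0][len("-----BEGIN "):-5].strip()
    body = [ln for ln in lines[1:] if ln and not ln.startswith("-----END ")]

    if label == "ENCRYPTED PRIVATE KEY":       # PKCS#8, encrypted
        return "encrypted"
    if label == "PRIVATE KEY":                 # PKCS#8, plain
        return "unencrypted"
    if label == "OPENSSH PRIVATE KEY":
        # Container layout: magic, string ciphername, string kdfname, ...
        try:
            blob = base64.b64decode("".join(body), validate=True)
            if not blob.startswith(OPENSSH_MAGIC):
                return "unknown"
            cipher, _ = read_ssh_string(blob, len(OPENSSH_MAGIC))
        except ValueError:
            return "unknown"
        return "unencrypted" if cipher == b"none" else "encrypted"
    if label.endswith(" PRIVATE KEY"):         # legacy RSA/DSA/EC PEM
        # Encrypted legacy keys carry an RFC 1421 style header line.
        for ln in body:
            if ln.replace(" ", "").upper().startswith("PROC-TYPE:4,ENCRYPTED"):
                return "encrypted"
        return "unencrypted"
    return "unknown"


def make_sample_openssh(cipher, kdf):
    """Constructed sample: a container header only, with no key material."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode("ascii")
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples: the base64 body is the word "CONSTRUCTED", not a key.
SAMPLE_LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""

SAMPLE_LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Usage: python3 keycheck.py ~/.ssh/id_rsa ~/.ssh/id_ed25519 ...
    for path in sys.argv[1:]:
        try:
            with open(path, errors="replace") as fh:
                print(path, key_protection(fh.read()))
        except OSError as exc:
            print(path, "unreadable:", exc)
```
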



Re: libsasl2: is there an announce list for Main

2009-06-08 Thread Sebastian Günther
* john (lists.j...@gmail.com) [08.06.09 17:37]:
> Hi all,
>
> Is there an announce list for the updates to the Main repository or
> are packages just added there and end-users find out when they do
> apt-get update? For example I see that there's an update to libsasl2
> and libsasl2-2. I can't find any information about the nature of the
> update. Perhaps if I knew how to ask apt it would tell me? Anyway I
> hate to apply patches that I don't have an idea about. So hopefully
> someone can enlighten me.

debian-security-announce.lists.debian.org

> Thanks!
>
> John

HTH
Sebastian

-- 
  Religion is the opium of the people.   |   _    ASCII ribbon campaign
  Karl Marx                              |  ( )   against HTML e-mail
  s...@sti@N GÜNTHER                     |   X    against M$ attachments
  mailto:sam...@guenther-roetgen.de      |  / \   www.asciiribbon.org




Re: Secure Remote Application and OS Deployment?

2009-03-16 Thread Sebastian Günther

* Chip Panarchy (forumanar...@gmail.com) [16.03.09 06:46]:
> Hello
>
> Been doing a lot of research of late into the installation of Windows
> over a network (using the Unattended BootCD and a Network Share). Also
> a little into RIS (WDS).
>
> I am interested in how this could be done securely. To summarise what
> I would like to know, I have summarised it into the 2 questions below;

Why do I have the impression that this is a homework...?

> 1. Is there a Secure way to Remotely install: Windows XP, Windows
> Vista, Windows Server 2003, Windows Server 2008, Linux (GNU way, so I
> can install the feature on any *nix) & Mac OS X, if so, how?

Yes, for some Linux for sure.

> 2. Is there a Secure way to Remotely install applications (from a
> central repository) to the aforementioned Operating Systems, if so,
> how?

Yes, for those who have a sane package manager.

> NOTE: If it isn't possible for some of the OSs, please tell me which,
> then please continue to answer how it will be possible for the others.
>
> Thanks in advance,
>
> Chip D. Panarchy
 

Sebastian


-- 
  Religion is the opium of the people.   Karl Marx

 s...@sti@N GÜNTHER mailto:sam...@guenther-roetgen.de




Re: Securing a Network - What's the most secure Network/Server OS? - Is there a secure way to use Shares?

2009-03-01 Thread Sebastian Günther
* Chip Panarchy (forumanar...@gmail.com) [01.03.09 15:30]:
> Hello
>
> So far, when I have posted on this Mailing-List I have received some
> very informative replies.
>
> I am currently studying for a few certifications, (amongst them MCSE,
> Security+ & the CCNA), and would like to learn how to design a secure
> network.
>
> Please help me with this endeavor.

[ Hypothetical situation; ]

> Now onto my question. For a convoluted network as pictured above,
> (hypothetical, of course), what kind of Server (NOS included?)
> operating system should I install, and how should I configure it?
>
> I want to know this only from a security standpoint. Things that are important;
>
> # SECURITY #
>
> - Encryption of all traffic (256-bit)
> - Shares (if possible to have Shares and still maintain a secure network)
> - Centralised secure storage of Data (Storage)
> - Centralised secure storage of User accounts
> - Unattended installation of (at the very least) the 500 Windows boxes
> - Internet
>
> Please tell me what I would need in this situation, not interested in
> how many people would be needed, how much money it would cost, or how
> much time it would take.

Well, you need information about what should be secured and against what 
threat it should be secured.

None of your information explains what you are trying to achieve.

Security is not a sole purpose, it is a pool of measures against one or 
more threats. There is no such thing as 100% security...

> Now time to summarise my questions in an easy to review format;
>
> 1. Which Server Operating system should I install on my Server?
> 2. To make the Network fast (e.g. Gigabit NICs on all computers & more
> Servers etc.), as well as secure, what would I need to do?
> 3. What is the best way to have 256-bit encryption of all traffic on
> this network?
> 4. Is it possible to have Shared folders, yet still attain a
> high-level of security on this Network?
> 5. Would it be possible to have Centralised Storage/Resources?
> 6. Could it be possible to have a Centralised User Account database,
> for this entire network?
> 7. Would you think it a good idea to use a Debian server for Repositories?
>
> Please try your best to answer those 6 questions.

I count 7...
But I won't answer any of these, because some fundamental constraints 
are missing from this scenario to make any useful suggestions.

Sebastian

-- 
  Religion is the opium of the people.   Karl Marx

 s...@sti@N GÜNTHER mailto:sam...@guenther-roetgen.de




Re: Can not login as root

2008-09-03 Thread Sebastian Rose


Example for the previous Mail:

In /etc/passwd change the line

root:x:0:0:root:/root:/bin/bash

to

root::0:0:root:/root:/bin/bash

Note the missing 'x' which means this user has to provide a password.


Murat Ohannes Berin wrote:

Hi,

I just installed Debian on my laptop. However, I can not login as root. 
It says wrong password. I am quite sure I am typing the right password. I 
am able to log in as the regular user.


Murat
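
A follow-up check for the edit shown in the mail above, as an added example that is not part of the original mail: it lists accounts whose password field is empty in `/etc/passwd` or, for entries marked `x`, in `/etc/shadow`, so a blanked root entry is not left in place after the recovery. The shadow lines, hashes and the non-root account names are constructed; the root line is the one from the mail.

```python
import sys


def password_states(passwd_text, shadow_text=""):
    """Classify each account as 'empty', 'locked', 'set' or 'no-shadow-entry'."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and not line.startswith("#"):
            shadow[parts[0]] = parts[1]

    states = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or line.startswith("#"):
            continue  # not a well-formed passwd(5) entry
        name, field = parts[0], parts[1]
        if field == "x":
            # 'x' defers the password to /etc/shadow
            if name not in shadow:
                states[name] = "no-shadow-entry"
                continue
            field = shadow[name]
        if field == "":
            # No password stored; whether a login is then accepted depends
            # on the service and its PAM configuration.
            states[name] = "empty"
        elif field[0] in "!*":
            states[name] = "locked"
        else:
            states[name] = "set"
    return states


def empty_password_accounts(passwd_text, shadow_text=""):
    """Names of accounts that have no password stored, sorted."""
    states = password_states(passwd_text, shadow_text)
    return sorted(name for name, state in states.items() if state == "empty")


# Constructed sample input (hashes are placeholders, not real hashes).
SAMPLE_PASSWD = """\
root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
ghost:x:1002:1002::/home/ghost:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$1$constructed$notarealhash:12345:0:99999:7:::
daemon:*:12345:0:99999:7:::
alice:$1$constructed$notarealhash:12345:0:99999:7:::
guest::12345:0:99999:7:::
"""

if __name__ == "__main__":
    with open("/etc/passwd") as fh:
        passwd_text = fh.read()
    try:
        with open("/etc/shadow") as fh:  # readable by root only
            shadow_text = fh.read()
    except OSError:
        shadow_text = ""
        print("cannot read /etc/shadow; 'x' entries show as no-shadow-entry",
              file=sys.stderr)
    for name in empty_password_accounts(passwd_text, shadow_text):
        print("empty password field:", name)
```
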








Security review wanted

2008-01-30 Thread Sebastian Pipping

Hello!


As a reply to an earlier mail to debian-devel it
was suggested to write to this list as well...

This mail is about my PHP/MySQL code running
http://wnpp.debian.net/ . The current code can
be found here [2]. Let me quote myself from that
other mail:


As I usually code C++ and not PHP/MySQL my current
code probably has security issues. As this code
is running on a publicly accessible machine I
depend on the kindness of its users and
your security reviews.

If you spot a vulnerability in that code please
drop me a private mail about it. Thank you!



Sebastian


[1] http://svn.debian.org/viewsvn/collab-qa/

PS: Please CC me as I'm not on this list.





unsubscribe

2006-04-03 Thread Sebastian Wehrmann

-- 
|Sebastian Wehrmann - [EMAIL PROTECTED]|
||
| Reichenhainer Str. 35/336  |
| 09126Chemnitz  |
| home: +49 371 2407260  |
| mobile:   +49 179 9019256  |
||
|  http://www.sw83.de  |





Re: [SECURITY] [DSA 846-1] New cpio packages fix several vulnerabilities

2005-10-08 Thread Sebastian Feltel
FIXED

Martin Schulze wrote on 07.10.2005 17:51:
 --
 Debian Security Advisory DSA 846-1 [EMAIL PROTECTED]
 http://www.debian.org/security/ Martin Schulze
 October 7th, 2005   http://www.debian.org/security/faq
 --
 
 Package: cpio
 Vulnerability  : several
 Problem type   : local (remote)
 Debian-specific: no
 CVE ID : CAN-2005- CAN-2005-1229
 Debian Bug : 306693 305372
 
 Two vulnerabilities have been discovered in cpio, a program to manage
 archives of files.  The Common Vulnerabilities and Exposures project
 identifies the following problems:
 
 CAN-2005-
 
 Imran Ghory discovered a race condition in setting the file
 permissions of files extracted from cpio archives.  A local
 attacker with write access to the target directory could exploit
 this to alter the permissions of arbitrary files the extracting
 user has write permissions for.
 
 CAN-2005-1229
 
 Imran Ghory discovered that cpio does not sanitise the path of
 extracted files even if the --no-absolute-filenames option was
 specified.  This can be exploited to install files in arbitrary
 locations where the extracting user has write permissions to.
 
 For the old stable distribution (woody) these problems have been fixed in
 version 2.4.2-39woody2.
 
 For the stable distribution (sarge) these problems have been fixed in
 version 2.5-1.3.
 
 For the unstable distribution (sid) these problems have been fixed in
 version 2.6-6.
 
 We recommend that you upgrade your cpio package.
 
 
 Upgrade Instructions
 
 
 wget url
 will fetch the file for you
 dpkg -i file.deb
 will install the referenced file.
 
 If you are using the apt-get package manager, use the line for
 sources.list as given below:
 
 apt-get update
 will update the internal database
 apt-get upgrade
 will install corrected packages
 
 You may use an automated update by adding the resources from the
 footer to the proper configuration.
 
 
 Debian GNU/Linux 3.0 alias woody
 
 
 
 Debian GNU/Linux 3.1 alias sarge
 
 
   Source archives:
 
 

Re: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution

2005-01-18 Thread Sebastian Lövdahl

Martin Schulze wrote:
This message was modified by F-Secure Anti-Virus E-Mail Scanning.

This is what F-Secure gave me. Martin do you send viruses? ;)
Sebastian


Absence

2004-08-31 Thread Sebastian Hennebrueder
Absence
Dear Sir or Madam,

I am on holiday from 21 August to 9 September. During this time 
you can contact Mr Zander.
Telephone
0391 544 56 70

Kind regards

Sebastian Hennebrüder
Head of eCommerce - Internet

---

Grass GmbH, eCommerce - Internet
Allee-Center 
Ernst-Reuter-Allee 5

39104 Magdeburg
Germany

National
Telephone 0391 / 54456 – 76
Fax 0391 / 54456 - 78

International
Telephone ++49 391 / 54456 – 76
Fax ++49 391 / 54456 - 78 





Absence

2004-08-30 Thread Sebastian Hennebrueder
Absence
Dear Sir or Madam,

I am on holiday from 21 August to 9 September. During this 
time you can contact Mr Zander.
Telephone
0391 544 56 70

Kind regards

Sebastian Hennebrüder
Head of eCommerce - Internet

---

Grass GmbH, eCommerce - Internet
Allee-Center 
Ernst-Reuter-Allee 5

39104 Magdeburg
Germany

National
Telephone 0391 / 54456 – 76
Fax 0391 / 54456 - 78

International
Telephone ++49 391 / 54456 – 76
Fax ++49 391 / 54456 - 78 



Absence

2004-08-24 Thread Sebastian Hennebrueder
Absence
Dear Sir or Madam,

I am on holiday from 21 August to 9 September. During this time 
you can contact Mr Zander.
Telephone
0391 544 56 70

Kind regards

Sebastian Hennebrüder
Head of eCommerce - Internet

---

Grass GmbH, eCommerce - Internet
Allee-Center 
Ernst-Reuter-Allee 5

39104 Magdeburg
Germany

National
Telephone 0391 / 54456 – 76
Fax 0391 / 54456 - 78

International
Telephone ++49 391 / 54456 – 76
Fax ++49 391 / 54456 - 78 





kernel 2.4.22 patch

2004-03-19 Thread Sebastian Schmitt
Hi,

is there a kernel patch/update for the 
'do_mremap VMA limit local privilege escalation vulnerability'  described in
http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt ?

I have the kernel  2.4.22-2-686-smp running and do security updates on a daily 
basis.  But I'm still vulnerable, as checked with the program in the appendix 
of the above page.
So, is there a Debian patch or how can I fix this situation? And if there is a 
patch, why did it not get installed with the regular security updates?

thanks, basti






Re: kernel 2.4.22 patch

2004-03-19 Thread Sebastian Schmitt

[...]
>> is there a kernel patch/update for the 'do_mremap VMA limit local
>> privilege escalation vulnerability'  described in
>> http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt ?
>
> That link provides the CVE identification CAN-2004-0077.
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0077 lists several
> Debian security advisories related to this issue.
[...]

but these don't deal with 2.4.22 kernels  only 2.4.16, 2.4.17 and 
2.4.18

basti






unsubscribe

2004-01-13 Thread Sebastian Grigo


Re: cracked? rm uses obsolete (PF_INET,SOCK_PACKET)

2003-06-15 Thread Sebastian
On Sun, 2003-06-15 at 16.03, Phillip Hofmeister wrote:
> @daily  apt-get -q -q -q -q update && apt-get -s -q -q -q -q upgrade

Better use secpack, it will verify the signatures before upgrade:
http://therapy.endorphin.org/secpack/

But still, automatic installation is not sufficient. For example, if
there is a bug in the openssl libraries, you must restart all services
that use it. Just installing new libraries is not enough.

Sebastian
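
One way to find the services that still need the restart described above, as an added example that is not from the thread: after an upgrade, a process that still maps the replaced library shows the old file as `(deleted)` in `/proc/<pid>/maps`. The sample maps text, the process name `exampled` and the pid are constructed.

```python
import os
import re
import sys

# Matches libfoo.so, libfoo.so.1.1 and libc-2.31.so style names.
LIB_RE = re.compile(r"\.so(\.[0-9A-Za-z_.+-]+)?$")
DELETED = " (deleted)"


def deleted_libs(maps_text):
    """Return the shared-library paths that are mapped but unlinked on disk."""
    stale = set()
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode pathname
        fields = line.rstrip().split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping without a pathname
        path = fields[5]
        if not path.endswith(DELETED):
            continue
        path = path[:-len(DELETED)]
        if LIB_RE.search(path):
            stale.add(path)
    return stale


def scan_processes(proc_root="/proc", needle=""):
    """Map pid -> (command name, stale libraries) for readable processes.

    `needle` restricts the report to libraries whose file name contains it,
    e.g. "libssl" after an openssl upgrade.
    """
    report = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "maps"), errors="replace") as fh:
                stale = deleted_libs(fh.read())
            with open(os.path.join(base, "comm"), errors="replace") as fh:
                name = fh.read().strip()
        except OSError:
            continue  # process exited, or we lack permission to read it
        stale = {p for p in stale if needle in os.path.basename(p)}
        if stale:
            report[int(entry)] = (name, sorted(stale))
    return report


# Constructed sample of /proc/<pid>/maps taken after a library upgrade.
SAMPLE_MAPS = """\
55d0c8a00000-55d0c8a21000 r-xp 00000000 08:01 393311 /usr/sbin/exampled
7f1e3c000000-7f1e3c021000 rw-p 00000000 00:00 0
7f1e3d200000-7f1e3d27c000 r-xp 00000000 08:01 131090 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f1e3d47c000-7f1e3d485000 rw-p 0007c000 08:01 131090 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f1e3d600000-7f1e3d7b5000 r-xp 00000000 08:01 131071 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f1e3d900000-7f1e3d901000 rw-s 00000000 00:05 42 /dev/shm/cache.tmp (deleted)
7ffd1a5e0000-7ffd1a601000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    # Usage (as root, to see every process): python3 stale_libs.py libssl
    wanted = sys.argv[1] if len(sys.argv) > 1 else ""
    for pid, (name, libs) in sorted(scan_processes(needle=wanted).items()):
        print(f"{pid}\t{name}\t{', '.join(libs)}")
```
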



Re: Logging User Activity

2003-05-14 Thread Sebastian
On Wed, 2003-05-14 at 16.33, Michael Parkinson wrote:
> Dear All,
>
> Currently implementing a number of modifications to our internal security
> policies and one addition I am attempting to add is the full logging of user
> activity.

Are you sure that this is not violating your users' privacy?

But apart from political and legal issues - I suggest using the
grsecurity kernel patch (www.grsecurity.org). You can put all users that
you don't trust into a special audit group. Of course, you still have to
come up with a solution for secure remote logging (syslog is not an
option - some of your users could for example get the idea of sending
fake logs of other users doing nasty things to the remote logging
server...).

Sebastian




Re: Have I been hacked?

2003-05-08 Thread Sebastian Hoehn

Hi,
you get this message when you use different names for a machine, for 
example the ip and the machine's name. One of them is saved in 
known_hosts, the other one causes this message!


Sebastian

Ian Goodall wrote:

Thanks everyone for your help.

It must be his computer as all the computers I usually log in from are all 
fine. I am still quite new to all of this but we all have to start somewhere 
:)


Cheers,

ijg0





= Original Message From Hobbs, Richard [EMAIL PROTECTED] =
Hello,

The SSH error is usually caused by the SSH server (your machine) being
reformatted, or having SSH uninstalled and reinstalled, or have the
public/private keys regenerated for some reason. have you recently made any
changes to SSH, or reinstalled your system??

It could also happen if he has been making changes to his
~/.ssh/known_hosts file.


HTH...

Richard.


Quoting Ian Goodall [EMAIL PROTECTED]:



Thanks for your help Guys.

It now says this:



wtmp begins Wed May  7 13:21:47 2003


I think that is what had happened. I am new to this and this just looked
dodgy to me!

A friend also has ssh shell access to the box and got the following error
message when connecting to the same box:

@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
51:bd:cd:2e:6a:b7:35:b9:54:33:a8:e2:9a:57:95:0d.
Please contact your system administrator.

I don't get this from any other computers so is this just his computer?

Thanks

- Original Message -
From: Eric LeBlanc [EMAIL PROTECTED]
To: Ian Goodall [EMAIL PROTECTED]
Cc: debian-security@lists.debian.org
Sent: Wednesday, May 07, 2003 3:23 PM
Subject: Re: Have I been hacked?




Check if your program has rotated the logs...

cd /var/log
ls -l wtmp*

and, check in /etc/cron* or do a crontab -l (in user root)


E.
--
Eric LeBlanc
[EMAIL PROTECTED]
--
UNIX is user friendly.
It's just selective about who its friends are.
==

On Wed, 7 May 2003, Ian Goodall wrote:



I am running a debian woody server and when I checked the last users
yesterday I saw a large number of logins in the list. On running the command
today I get the following:

dev1:/home/ian# last
ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)

I have run chkrootkit but nothing was found.

I have never had this before. Am I being paranoid or is someone trying to
cover up their tracks?

Thanks

ijg0



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]





--
Richard Hobbs
[EMAIL PROTECTED]
http://mongeese.co.uk | http://unixforum.co.uk

There's only one way of life, and that's your own - The Levellers

_
Send all your jokes to [EMAIL PROTECTED] !!
To subscribe, email: [EMAIL PROTECTED]



--
Ian Goodall
www.iangoodall.co.uk






Re: security problem in debian netfilter code?

2003-05-08 Thread Sebastian
On Thu, 2003-05-08 at 15:52, Peter Holm wrote:
> kernel. The ptrace bug is not the only problem as there are other
> security problems (for example in the netfilter code) that have never
> been fixed in stable.
>
> could you please speak out about this?

You can find documentation about security bugs in the Debian kernels at:
http://bugs.debian.org/cgi-bin/pkgreport.cgi?which=pkg&data=kernel&archive=yes&include=security

Bugs #146349 and #168190 are Netfilter-related.

Sebastian



Re: Please clarifiy: kernel-sources / ptracebug / debian security announcenments

2003-05-07 Thread Sebastian Zimmermann
On Wed, 2003-05-07 at 17:05, Adrian 'Dagurashibanipal' von Bidder wrote:
> On Wednesday 07 May 2003 14:53, Peter Holm wrote:
>
> > The actual kernel sources that one can get via apt-get, are they
> > already patched?

kernel-source-2.4.20 in unstable is patched.

> I fear there's no such place. The security announcements are only made when a
> fixed package is released, and to my knowledge there is no centralized debian
> specific place to get security announcements for security bugs where no patch
> is (yet) available.

I am not quite sure how much the security team feels responsible for the
kernel. The ptrace bug is not the only problem as there are other
security problems (for example in the netfilter code) that have never
been fixed in stable.

Additionally, often patches are only available for current kernel
versions, but not for older ones that are all available within woody.
How far back must patches be backported?

Is there a clear policy about this issue?

Sebastian



Re: WAS: HELP, my Debian Server was hacked!

2003-04-24 Thread Sebastian
> perl script for automatic updates...

secpack does what you are looking for:

http://therapy.endorphin.org/secpack/

Sebastian



Re: scrollkeeper loading external (online) DTD

2003-01-09 Thread Sebastian Henschel
hello sebastien..

Received at 2003-01-08 / 23:10 by Sebastien Chaumat:

>  The xbill package contains : /usr/share/gnome/help/xbill/C/xbill.xml
>
>  In this file the DTD is referred to by an absolute external link :
>
> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
> "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
>
>  Thus : scrollkeeper-update blindly connects to www.oasis-open.org to get
> the docbookx.dtd.
>
>  I can trust signed debian packages but I can't trust
> www.oasis-open.org.
>
> More than 18 files in /usr/share/gnome/help/ induce this download.
>
> I'm about to make a bug report against scrollkeeper (for acting blindly,
> and downloading the same file more than once) and against packages that
> provide the xml files (for using an external DTD instead of providing
> it)...
>
> Your opinion?

file a bug report against xbill (and the others). there are (or were) some
issues with libxml2, check bug #153720.
you can tell the maintainer to include something like this in
debian/rules (target config.status):

find . -name '*.xml' -exec perl -i -pe \
  's,http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd,/usr/share/sgml/docbook/dtd/xml/4.1.2/docbookx.dtd,' \
  {} \;

the gnome-applets package does it this way.

bye,
 sebastian

-- 
::: sebastian henschel
::: kodeaffe
::: lynx -source http://www.kodeaffe.de/shensche.pub | gpg --import




unsubscribe

2002-10-22 Thread Sebastian Jaksch




Re: Apache + PHP and user permissions

2002-07-25 Thread Sebastian Schinzel
Hi Ralf!

> 2. chroot everything
> just chroot the users at the login after ssh (if you want to allow ssh),

How can I chroot a user who logs in via ssh? Do you have some links about
this?
-- 
Sebastian Schinzel




Re: PermitRootLogin enabled by default

2002-06-26 Thread Sebastian Rittau
On Wed, Jun 26, 2002 at 02:11:00PM +0200, InfoEmergencias - Luis Gómez wrote:

> IMHO, we'd better set it to no. I always thought it was much better. Is
> there any landscape in which you may want to allow direct root login to
> your host?

Yes, there is. For example I have some servers that retrieve their user
information from a database. If the database is not reachable, an
ordinary user can't login, but root can, since it's the only local
account with login privileges.

But then this is a special case that doesn't require root logins enabled
by default. On the other hand I don't see why allowing direct root
logins is a problem.

 - Sebastian




Re: Encrypted Ethernet ?

2002-02-21 Thread Sebastian Bruhn

On Thursday 21 February 2002 11.22, Jaroslaw Tabor wrote:
> Hello!
>
>   Does someone know, if there is a solution to use Debian (or, in general
> Linux ) as encryptor for Ethernet ? I'd like to use two computers connected
> by unsafe ethernet as secure tunnel between two LANs. It means, that such
> device have to be transparent for all IP traffic (or may be for all
> Ethernet traffic?).
>
> regards
> Jarek Tabor

Freeswan might be the solution.
Check www.freeswan.org

-- 
Sebastian Bruhn
System Tekniker / System Technichian
Email: [EMAIL PROTECTED]

Today is Boomtime, the 52nd day of Chaos in the YOLD 3168




Re: SOME ITEMS THAT YOU MAY BE INTERESTED IN OR BE ABLE TO ADVISE ME ON

2002-01-24 Thread Sebastian Rittau
On Thu, Jan 24, 2002 at 09:34:35AM +0100, Robert van der Meulen wrote:
> Quoting James ([EMAIL PROTECTED]):
>
> > We could start by blocking @aol.com =)
>
> Or by all running good anti-spam measures and not replying to spam; I didn't
> even know it was there until people started replying to it, and I had to
> look up the original posting in my spam folder..

That's unfortunately not the solution.

[EMAIL PROTECTED]:~$ ls -l .mail/junk
-rw---1 srittau  srittau   2766614 24. Jan 09:39 .mail/junk
[EMAIL PROTECTED]:~$ 

And that's only the SPAM mail from this year. I have to download this
over a 56kBit link and I pay by the minute.

 - Sebastian



Re: buffer overflow in /bin/gzip?

2001-11-21 Thread Sebastian Rittau

On Wed, Nov 21, 2001 at 12:47:49AM -0600, Bryan Andersen wrote:

> One thing I think is quite important is to get rid of calls to
> routines that it is possible to buffer overflow.  OpenBSD has a
> feature in their version of gcc that will cause a compile time
> error message telling you when one of the standard library
> routines known to be overflowable is used.

I hope strcpy() does not belong to this class. It's quite common to do
something like this:

int len = strlen(s);
char *new = (char *) malloc(len + 1);
strcpy(new, s);

This is perfectly fine.

strncpy() is even more dangerous, since it doesn't add a final nul-byte if
strlen(src) > n. Most people are not aware of this problem. So, most of
the time you use strncpy() you should use a construction like this:

strncpy(dst, src, len);
dst[len] = '\0';

 - Sebastian
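
The strcpy() and strncpy() behaviour discussed in this post, as an added example that is not part of the original message: it checks where strncpy() leaves the destination unterminated (a source of n or more characters, including exactly n) and wraps the strncpy-then-terminate construction in a helper that also reports truncation. The function names and sample strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* strcpy() into a buffer sized from strlen(): safe because the allocation
 * is derived from the source length. The caller frees the result. */
static char *dup_string(const char *s)
{
    size_t len = strlen(s);
    char *copy = malloc(len + 1);      /* +1 for the terminating NUL */

    if (copy != NULL)
        strcpy(copy, s);
    return copy;
}

/* Runs strncpy(buf, src, n) into a pre-filled buffer. Returns 1 if a NUL
 * byte landed inside the first n bytes, 0 if not, -1 if n is unusable. */
static int strncpy_terminates(const char *src, size_t n)
{
    char buf[64];

    if (n == 0 || n > sizeof buf)
        return -1;
    memset(buf, 'X', sizeof buf);      /* make a missing NUL visible */
    strncpy(buf, src, n);
    return memchr(buf, '\0', n) != NULL;
}

/* strncpy() followed by explicit termination, with len = dstsize - 1 so the
 * terminator stays inside dst. Returns 0 on a full copy, -1 on truncation. */
static int copy_terminated(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return -1;
    strncpy(dst, src, dstsize - 1);
    dst[dstsize - 1] = '\0';
    return strlen(src) >= dstsize ? -1 : 0;
}

int main(void)
{
    char dst[8];
    char *copy = dup_string("constructed sample");

    printf("dup_string: %s\n", copy ? copy : "(allocation failed)");
    free(copy);

    /* Constructed sources shorter than, equal to, and longer than n = 8. */
    printf("strlen < n  terminated: %d\n", strncpy_terminates("abc", 8));
    printf("strlen == n terminated: %d\n", strncpy_terminates("abcdefgh", 8));
    printf("strlen > n  terminated: %d\n", strncpy_terminates("abcdefghij", 8));

    if (copy_terminated(dst, sizeof dst, "abcdefghij") != 0)
        printf("truncated to \"%s\"\n", dst);
    return 0;
}
```

The explicit terminator only stays in bounds when the destination holds at least len + 1 bytes, which is why the helper passes dstsize - 1 to strncpy().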



Re: Is ident secure?

2001-09-01 Thread Sebastian Rittau

On Sat, Sep 01, 2001 at 06:41:42AM -0400, Ben Pfaff wrote:
> Layne [EMAIL PROTECTED] writes:
>
> > OK they just keep coming. I had 8 messages at 11:00PM , all of who I knew.
> > Now I have 227 in my in box of solicitors all of who I didn't subscribe to.
> > And you wonder why I get mad.
>
> Did it ever occur to you that maybe it's not acceptable to harass
> everyone on the mailing list just because someone subscribed you?
> Try to act a little more mature and follow the unsubscribe
> instructions like a normal person would.  The only way to
> subscribe in the first place is by replying to a confirmation
> message, so you (or someone who has access to your account; has
> your account security been compromised?) must have subscribed.

Of course, there's also the possibility that someone else had subscribed
for him at a different e-mail address and forwards all mail to his
address. Maybe the listmaster (cc'ed) should have a look at which
addresses had subscribed at the time he describes.

 - Sebastian



Re: aargh... I am being asked to change to SuSE

2001-07-16 Thread Sebastian Rittau
On Mon, Jul 16, 2001 at 11:03:41AM +0300, Juha Jäykkä wrote:

>   Anyone care to help me: I need some _strong_ points in favour of
> Debian, against SuSE. No crap, please. I need to persuade my superiors
> to turn from RH to Debian instead of SuSE as they would like to do. I
> need strong evidence in favour of Debian if I am to succeed in
> enforcing it. I do not know SuSE myself, so I cannot fight them (they
> do not know Debian, but they are the ones who decide - they do not
> need to) alone. I only care for security/administrability issues now.

One problem with administrability is YaST. A knowledgeable unix admin
will have no problems to run a Debian box. But in my experience SuSE's
YaST interferes with any by-hand tuning. Also an admin who has never
used YaST before must first learn how to use it, and also learn what's
different with YaST, what works, and what the flaws are.

 - Sebastian, who doesn't like YaST at all



Re: How can I help ?

2000-06-14 Thread Sebastian Rittau
On Tue, Jun 13, 2000 at 03:46:12PM -0700, Ryan White wrote:

> As I recall after windows 95 the passwords are sent over the line
> encrypted. The encryption might be weak but they are not clear text
> anymore.
>
> There is a switch in SMB to allow encrypted passwords. This is ON by
> default in debian (I believe)

But using this option prevents you from using the global /etc/shadow
file, which is problematic in some cases.

 - Sebastian



Re: bind running as root in Mandrake 7.0

2000-06-07 Thread Sebastian Rittau
On Mon, Jun 05, 2000 at 04:17:41AM -0800, Ethan Benson wrote:

> i don't think it is necessary (or really desirable) to have the
> postinst asking about running bind as root, i think that the number of
> people who need it is far too small to justify ya interruption in the
> system install.

I tend to disagree. bind could use debconf and ask a question with
priority low, default set to running bind without root permissions.

Another approach is to fix bind by binding INADDR_ANY as was pointed out
in this thread. This may have undesirable side-effects, though.

 - Sebastian



Re: Sendmail

2000-03-26 Thread Sebastian Stark
On Sun, 26 Mar 2000, Oswald Buddenhagen wrote:

> i like the idea of denying all incoming packets on port 25.

why not do it? port 25 is only for incoming mail, so block it if you don't
need it (that's what you should do for all ports you don't need).

>  alternatively you can setup relay/delivery blocking rules in the
>  sendmail-config. but it's just a question of time, when the next
>  security hole is found in sendmail, so i prefer low-level-blocking.

i agree.
you want to use some deliver-only MTA for these kind of sites.
ssmtp is the program of your choice. (apt-get install ssmtp)

generally i'd say, don't use sendmail at all :)


sebastian

-- 
gravity is a myth. the earth sucks.


Identification Protocol (was: Re: your mail)

2000-03-16 Thread Sebastian Stark
On Thu, 16 Mar 2000, Ivan Ivanovic wrote:

>  On my Slink placed on Internet often appears auth port connection attempts
> from various sites...
>  What (common) application needs this port?

irc server make ident connections to clients.
squid can use ident for authorization.
sendmail sometimes uses ident.

maybe you want to read rfc1413.

i'd turn auth off for security reasons if your box has a direct
connection to internet.

from rfc1413:

   An Identification server may reveal information about users,
   entities, objects or processes which might normally be considered
   private.  An Identification server provides service which is a rough
   analog of the CallerID services provided by some phone companies and
   many of the same privacy considerations and arguments that apply to
   the CallerID service apply to Identification.  If you wouldn't run a
   finger server due to privacy considerations you may not want to run
   this protocol.

seb



RE: Identification Protocol (was: Re: your mail)

2000-03-16 Thread Sebastian Stark
On Thu, 16 Mar 2000, Fredrik Liljegren wrote:
> > i'd turn auth off for security reasons if your box has a direct
> > connection to internet.
> Many people misunderstand the usefulness of identd, and so disable it or
> block all off site requests for it. identd is not there to help out remote
> sites. There is no way of knowing if the data you get from the remote identd
> is correct or not. There is no authentication in identd requests.

maybe i am one of these people :)
identd takes two parameters, the server and the source port of a tcp
connection. it gives back the userid of the user who started it. am i
right so far?
i think, the userid may be useful for some purposes but in most cases it
is not but gives a hacker a little piece of information.
but, you're right, it could be worth while tracking down some attack from
your own computer. hmm... i will think about it :-)

thanks