Re: Bullseye security.debian.org codename misconfigured?
Am 22.01.22 um 21:07 schrieb Bjørn Mork: Stefan Fritsch writes: # cat /etc/apt/apt.conf.d/11-default-release APT::Default-Release "bullseye"; Just don't do that. It breaks all normal preferences and will end up preferring "bullseye" over anything else. Including "bullseye-security". This used to work until buster. But it turns out the release-notes mention this problem and the correct syntax is now: APT::Default-Release "/^bullseye(|-security|-updates)$/"; The failure mode of silently not installing security updates is bad, though. But I don't see an easy way to fix that. Maybe apt should print a warning if one uses a simple codename as Default-Release?
Re: Bullseye security.debian.org codename misconfigured?
Hi Viktor, Am 22.01.22 um 11:34 schrieb SZÉPE Viktor: Idézem/Quoting Stefan Fritsch : I have noticed that the latest linux security update is not installed on my box. The package is available in # apt-cache policy linux-image-amd64 linux-image-amd64: Installed: 5.10.84-1 Candidate: 5.10.84-1 Version table: 5.15.15-1 500 500 http://mirror.hetzner.de/debian/packages unstable/main amd64 Packages 5.10.92-1 500 500 http://security.debian.org bullseye-security/main amd64 Packages *** 5.10.84-1 990 990 http://mirror.hetzner.de/debian/packages bullseye/main amd64 Packages 100 /var/lib/dpkg/status Hello Stefan! Try adding deb http://deb.debian.org/debian-security bullseye-security main contrib non-free Please see https://wiki.debian.org/NewInBullseye#Changes This does not change anything and I did not expect it to. It would be rather strange if different URLs had different code-name settings. It is not that apt cannot load the lists, it just does not recognize that bullseye-security is the same as bullseye. Cheers, Stefan
Bullseye security.debian.org codename misconfigured?
Hi, I have noticed that the latest linux security update is not installed on my box. The package is available in # apt-cache policy linux-image-amd64 linux-image-amd64: Installed: 5.10.84-1 Candidate: 5.10.84-1 Version table: 5.15.15-1 500 500 http://mirror.hetzner.de/debian/packages unstable/main amd64 Packages 5.10.92-1 500 500 http://security.debian.org bullseye-security/main amd64 Packages *** 5.10.84-1 990 990 http://mirror.hetzner.de/debian/packages bullseye/main amd64 Packages 100 /var/lib/dpkg/status But apt-get dist-upgrade does not install it. I have # cat /etc/apt/apt.conf.d/11-default-release APT::Default-Release "bullseye"; and bullseye-security has # grep -i code /var/lib/apt/lists/security.debian.org_dists_bullseye-security_InRelease Codename: bullseye-security while on buster, it's: $ grep -i code /var/lib/apt/lists/security.debian.org_dists_buster_updates_InRelease Codename: buster No -security there. I have no apt pinning configured on my box. I think the bullseye-security codename should be "bullseye" instead. Or am I missing something Cheers, Stefan
Re: apache2 CVE-2018-17199 stretch
On Monday, 18 March 2019 09:19:41 CET Bjørn Håkon Noss wrote: > After looking at the Security tracker > (https://security-tracker.debian.org/tracker/CVE-2018-17199), I can > see that CVE-2018-17199 is fixed in both jessie and buster but not > stretch. > > Do you have any information about if and when it will be fixed in stretch? > > The bug causes our PCI Compliance to fail. As this is low severity, we intend to fix this in the next Debian stable point release (9.9). Cheers, Stefan
Re: flash plugin from ubuntu (was: flashplugin-nonfree and latest Flash security updates)
On Mittwoch, 3. August 2016 22:55:25 CEST Luedtke, Nicholas (HPE Linux Security) wrote: > This sounds like a bad idea and if done needs to be accompanied by a lot of > documentation. Why? It's certainly less of a security hazard than the current flashplugin- nonfree package. > > -Nicholas > > From: Holger Levsen > Sent: Wednesday, August 3, 2016 4:03:32 PM > To: debian-security@lists.debian.org > Cc: Bart Martens > Subject: Re: flash plugin from ubuntu (was: flashplugin-nonfree and latest > Flash security updates) > On Wed, Aug 03, 2016 at 10:46:33PM +0200, Stefan Fritsch wrote: > > Maybe the flashplugin-nonfree package should even be replaced by a package > > that installs the ubuntu archive signing key, sets up the sources.list > > line, and tweaks the unattended-updates config to allow automatic updates > > from that repo. > please, no. > > > -- > cheers, > Holger
flash plugin from ubuntu (was: flashplugin-nonfree and latest Flash security updates)
On Mittwoch, 3. August 2016 20:43:29 CEST Rob van der Putten wrote: > You can download the plugin manually. For i396 it's; > http://fpdownload.macromedia.com/get/flashplayer/pdc/11.2.202.429/install_fl > ash_player_11_linux.i386.tar.gz An alternative that has worked quite well for me on some of my systems is to use the apt repository from ubuntu. It seems to get timely updates, canonical seems to have permission to distribute it, and it works just fine with jessie/ stretch/sid: deb http://archive.canonical.com/ubuntu/ trusty partner You need to import the key into apt. It's 0x3B4FE6ACC0B21F32 and is also signed by Steve Langasek, whose key is in the debian-keyring package. Maybe the flashplugin-nonfree package should even be replaced by a package that installs the ubuntu archive signing key, sets up the sources.list line, and tweaks the unattended-updates config to allow automatic updates from that repo. As an added benefit, you get a package for skype, too (and more). Unfortunately, I don't have enough time to create such a package. Probably one should ask Ubuntu, too... Cheers, Stefan
Re: [PATCH] Re: Logjam mitigation for Wheezy?
On Wednesday 03 June 2015 16:07:56, Thorsten Glaser wrote: > I’ve just done so: both the “precomputed, up to 8192 bits” part > (which already makes Qualys not cap the grade to B, but is not > the proper fix, because, in the end, people will just pregenerate > for the Debian-shipped group too) and the “load DH parameters from > the first SSLCertificateFile” part. There is every indication that precomputation for a 2048 bit DH group is still unfeasibly even for the NSA. And custom DH groups are not that easy to handle in an automated way. For example on a cubietruck (Cortex A7), generation of a 2048 bit group takes about one hour. > I’ve tested both parts with openssl(1) 1.0.2a (self-compiled from > sources) and had a look at both the weakdh and the Qualys checker. > > Please, feel free to make this into a proper wheezy-security upload > until such time as more stuff from 2.2.30 is backported. > > My backport is, basically, a reduced and edited SVN diff between > upstream tags/2.2.29 and branches/2.2.x limited to the two parts > I mentioned above (they come together in the same code, so…). I’ve > only edited the documentation slightly (remove the reference to > Apache 2.2.30 in two places) and resolved merge conflicts, but did > not change anything besides. Upstream jumped through quite a few hoops to make the patch work with openssl 0.9.8. We don't need that for wheezy (which has 1.0.1e), but it may come handy for squeeze when someone wants to do the backport. -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/7468885.v8Xxc1WnWR@k
Re: Logjam mitigation for Wheezy?
On Wednesday 20 May 2015 12:47:35, Dan Ritter wrote: > In particular, Apache 2.2 does not have > SSLOpenSSLConfCmd DHParameters > as a configurable option. It looks like that only shows up in > 2.4, which is not in wheezy-backports. > So I guess this is a request for either a fix for Apache 2.2 or a > backport of 2.4 to wheezy. As I understand it, backporting SSLOpenSSLConfCmd would require a newer openssl than what is available in wheezy or jessie. Apache 2.4 in jessie uses precomputed DH params that are at least as long as the RSA key size (up to 8192 bits). This gives 2048 bit DH params for the most common 2048 bit RSA keys, which seems to be safe even though they are the same for all servers. It is also possible to load custom DH params from the SSLCertificateFile, but AFAICS this needs to be done for each vhost. I am planning to backport these improvements to apache 2.2 in wheezy. There are already patches available from upstream. Backporting 2.4 to wheezy is not feasible because of all the modules that would need to be backported, too. Cheers, Stefan -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/1633427.sqntbNTtro@k
Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
On Sunday 21 September 2014 21:13:50, Richard van den Berg wrote: > Package formats like apk and jar avoid this chicken and egg problem > by hashing the files inside a package, and storing those hashes in > a manifest file. Signatures only sign the manifest file. The > manifest itself and the signature files are not part of the > manifest, but are part of the package. So a package including it's > signature(s) is still a single file. This is bad design and will inevitably lead to security issues (as has been demonstrated by Android and apk). One must check the signature first, and only if the signature matches, start parsing complex file formats. And yes, zip is complex enough to be a problem. -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/6823138.NpYddIaakV@k
regression in exim4 DSA-2154-1
Unfortunately, the latest update introduced a regression: Testing of user filters with -bf as normal user no longer works: $ /usr/sbin/exim4 -bf .forward exim: changing group failed: Operation not permitted $ See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611572 -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/201101302046.14628...@sfritsch.de
Re: [SECURITY] [DSA-2154-1] exim4 security update
On Sunday 30 January 2011, Dario Ernst wrote: > If i am not using -D or -C anywhere in my exim setup (e.g. using > the debian default initscripts and have not added any of those > options in /etc/default/exim4) and installed the update ... am i > okay to go with that? > > Sorry for asking those stupid questions, but the instructions are a > little ambiguous there... Yes, that's what I meant with "The Debian default configuration is not affected by the changes". How would you have worded it to be less ambigous? > On Sun, Jan 30, 2011 at 10:41:58AM +, Stefan Fritsch wrote: > > A design flaw (CVE-2010-4345) in exim4 allowed the loal > > Debian-exim user to obtain root privileges by specifying an > > alternate configuration file using the -C option or by using the > > macro override facility (-D option). > > > > > > The Debian default configuration is not affected by the changes. Cheers, Stefan -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/201101302042.26564...@sfritsch.de
Re: Starting point for contributing to debian-security
On Monday 03 January 2011, Yves-Alexis Perez wrote: > On mar., 2010-12-21 at 22:52 +0100, Yves-Alexis Perez wrote: > > Starting january, I think I'll be able to dedicate some time to > > debian security team. Very nice. > Ok, so we're now at beginning of january :) > > Is there any starting specific point on which help/time would be > needed? I know a “call for help” is supposed to happen but in the > meantime some documentation on what is needed and how would help > :) Useful first steps are - read [1] - apply to the secure-testing alioth project - get to know the security-tracker and the process of tracking security issues by checking some new issues But I think you have done those already. Therefore I suggest you mail t...@security.debian.org and we will think of some way for you to get started. One thing that comes to my mind would be to test source format 3.0 support with the new dak on security-master: Pick an open issue in squeeze from [2], which is in a source format 3.0 package and is not going to be fixed by migration from unstable soon. It would be good if you know the package well enough to test it, too. Then prepare a NMU patch for that package. Then you should probably send us the diff, though you may want to read [3], too. I think it's still up-to-date (but the how-to-DTSA linked from there isn't). [1] http://svn.debian.org/wsvn/secure- testing/doc/narrative_introduction?op=file&rev=0&sc=0 [2] http://security-tracker.debian.org/tracker/status/release/testing [3] http://testing-security.debian.net/uploading.html -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/201101032156.08751...@sfritsch.de
Re: libapache2-mod-fcgid in lenny vulnerable to hole for weeks
On Tuesday 21 December 2010, John Goerzen wrote: > I reported bug #605484 regarding a security hole in lenny. I > believe the security team was CC'd. > > Prior to my report, > http://security-tracker.debian.org/tracker/CVE-2010-3872 said that > Debian/stable was not vulnerable. I also notified them to correct > this issue. > > My question here is: who's got the ball on security issues? It > seems that this issue didn't trigger any bugs being created or any > bugs being filed in Debian when it came out. When I did what I > thought was appropriate, it also didn't trigger much. The > maintainer was interested in it, but AFAICT there are, as yet, no > new packages. > > This is not an attack on any person/team, just a question about > whether we have an organizational problem we need to correct. The problem is a combination of several security team members being inactive because of work/thesis/... and the other members being kept busy by things which had higher priority. For example fixing the recent exim remote root vulnerability and sorting out infrastructure breakage due to the dak upgrade on security-master. The upgrade was was necessary to support squeeze. My understanding is that the mod_fcgid issue cannot be triggered by browsers but only if there is a malicious fcgi app on the server, which is not a very common setup. Therefore this seemed like a not-so- high priority issue. I am sorry that nobody found the time to mail this to you. FWIW, it seems the infrastructure has been finally fixed today, so I hope things will improve now. But I do think that there are currently to few active members in the security team. I am pretty sure we will send out a request for new volunteers soon. Cheers, Stefan -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/201012212221.36331...@sfritsch.de
Re: CVE-2009-3555 not addressed in OpenSSL
On Thursday 11 November 2010, Kurt Roeckx wrote: > So I've prepared a package based on the ubuntu patch. I also went > over every commit between the 0.9.8l and 0.9.8m release and am > reasonly confident this patch should work properly. > > The current package is available at: > http://people.debian.org/~kroeckx/openssl/rfc5746/ > > I would welcome people testing it. Note that it might still > change based on feedback from people. It seems at least tor needs some patching to work with the updated openssl. [1] Peter, can you test that and prepare/test an updated package for Lenny if necessary, please? Thanks in advance. [1] http://archives.seul.org/or/cvs/Apr-2010/msg00214.html -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/201011152226.27571...@sfritsch.de
mod_security (was: Apache "DDOS" with random number request)
On Monday 22 September 2008, Felipe Figueiredo wrote: > > Try modsecurity, it should block invalid URI > > Speaking of which, shouldn't it be re-included in Debian now that > the licensing issue[1] is supposed to be over[2]? There is already an ITP bug, but I don't know the current status. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=487431 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: openssl-blacklist & two keys per one pid
On Monday 19 May 2008, Florian Weimer wrote: > BTW, it appears that the same blacklist can be used for -3 and -F4 > keys. (Just in case you haven't checked that already.) RSA keys with exponent 3 should probably not be used at all, because multiple implementations did not verify the signatures correctly. http://www.kb.cert.org/vuls/id/845620 http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html signature.asc Description: This is a digitally signed message part.
Re: ClamAV And unrar - Bug #465207
On Wednesday 27 February 2008, Nick Boyce wrote: > But it seems to me that simply enabling the --unrar parameter of > clamscan would not entail incorporating or distributing any unrar > code at all - the code to parse the --unrar parameter and call the > non-free unrar binary if specified surely belongs to ClamAV alone ? > > Thus the ClamAV package(s) could remain pure and free, while > individual sysadmins could make their own decision about whether to > install the non-free unrar binary package, and then request that > clamscan call it. Note that unrar-nonfree has no security support (like all packages in non-free) . Using it to automatically process potentially malicious content is a bad idea, IMHO. In fact, unrar-nonfree in stable had a security issue until the release of etch r3 (CVE-2007-0855). Cheers, Stefan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: [DSA 1494-1] Still vulnerable?
On Tuesday 12 February 2008, Jens Schüßler wrote: > * Florian Weimer <[EMAIL PROTECTED]> wrote: > > * Jens Schüßler: > > > I just upgraded my linux-source-2.6.18 to > > > 2.6.18.dfsg.1-18etch1_all and build a new linux-image. But > > > after installing an rebooting I still was able to become root > > > with this exploit: > > > http://milw0rm.com/exploits/5092 I checked that the fix is in the source tarball. > $uname -a > Linux algol 2.6.18+2008-02-12 #1 Tue Feb 12 16:49:10 CET 2008 i686 > GNU/Linux > > As I said, fresh compiled from the new sources-Packet Only /usr/src/linux-source-2.6.18.tar.bz2 is in the source package. Maybe you forgot to extract it again, and used an old version you had already unpacked? Stefan
QA needed for insecure LD_LIBRARY_PATH in many wrapper scripts
Hi,
many wrapper scripts contain things like
export LD_LIBRARY_PATH=foo:$LD_LIBRARY_PATH
This is bad because if LD_LIBRARY_PATH is unset, it will expand to
LD_LIBRARY_PATH=foo:
which is interpreted as
LD_LIBRARY_PATH=foo:.
This means that the current directory is searched for libraries before
/lib and /usr/lib, which can have security implications.
The fix is to use "${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" instead of
":$LD_LIBRARY_PATH". This will get rid of the colon if LD_LIBRARY_PATH
is unset. (Actually, some scripts use "${LD_LIBRARY_PATH+:
$LD_LIBRARY_PATH}", which seems to work, too. But this is not
documented in the bash man page, at least I can't find it.)
This is not a new issue: CVE-2005-4790 and CVE-2005-4791 have been
found two years ago. Unfortunately, they were first announced as SuSE
specific packaging errors and were missed by the security teams.
I filed #451548 for liferea, but many more packages are affected. I
intend to file a wishlist bug for lintian to check for this. But
since this will take some time to get implemented, if someone has a
local mirror and wants to do some QA work, a complete check of the
archive would be good.
Of course "$LD_LIBRARY_PATH:" is just as bad as ":$LD_LIBRARY_PATH".
Maybe there are other environment variables that could be affected by
the same problem. For $PATH it is not a problem, because it should
always be set. More ideas?
Cheers,
Stefan
signature.asc
Description: This is a digitally signed message part.
Re: Vulnerabilities not affecting Debian: reporting proposal
Hi, Alexander Konovalenko wrote: > I couldn't find any existing solutions to the problem described > above. The testing security team does publish some of the > information in their Secure-testing-commits, but it lacks more > verbose explanations and is more of a tool for team members than a > source of information intended for the general public like Debian > Security Advisories. do you know the web interface to these svn commits at http://security-tracker.debian.net/tracker ? If you already have the CVE id, you can easily get all the information there. The explanations for not-affected could be more verbose sometimes, but I think in general they are sufficient. There is no feed for this information, but if you want to be up-to-date about the packages you use, you should look at the debsecan package (though that does not give you information about non-issues). Cheers, Stefan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 1286-1] New Linux 2.6.18 packages fix several vulnerabilities
Hi, On Mittwoch, 2. Mai 2007, Celejar wrote: > Dann Frazier <[EMAIL PROTECTED]> wrote: > > Package: linux-2.6 > > Vulnerability : several > > Problem-Type : local/remote > > Debian-specific: no > > CVE ID : CVE-2007-0005 CVE-2007-0958 CVE-2007-1357 > > CVE-2007-1592 > 1) DSA 1286-1 isn't (yet) on the Debian Security page [0]. I assume > this means that the advisories are mailed first and subsequently > added to the website? Yes. > 2) The advisory doesn't mention unstable, but three of the four > CVEs affect kernels up to 2.6.21, which would include 2.6.20 in > unstable. Will there be an advisory mentioning unstable? No, the fixes will just be (or already have been) uploaded to unstable. You can get more up-to-date information from the security tracker: http://security-tracker.debian.net/tracker/CVE-2007-0005 ... http://security-tracker.debian.net/tracker/status/release/unstable The information there shows that the issues are already fixed in 2.6.20-1. Look at the debsecan package. It can notify you about security issues in unstable automatically. Cheers, Stefan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Allow password auth for one user with sftp?
On Sunday 14 January 2007 14:36, Adrian von Bidder wrote: > I have users a, b, c, d, e. All users except e can have shell > access, but beecause shell access is powerful, must not be able to > log in with password, but only with public key. User e is allowed > to log in with password and is restricted by rssh to only use scp, > sftp or rsync so that even if that password is stolen/guessed, the > attacker can at most deface the hosted web site in e's directory. > > Judging from the replies I've received so far I'll just end up > running a 2nd sshd on port or wherever. Openssh 4.4 supports per user configuration. But I don't think it will get into Debian before Etch's release. Cheers, Stefan
Re: ProFTPD still vulnerable (Sarge)
Hi, >> One is CVE-2006-5815 and the other is a mod_tls vulnerability without >> CVE >> id yet. AFAIK there is no exploit for sarge's 1.2.x for CVE-2006-5815 >> yet. >> So I would expect this to be the mod_tls vulnerability. Do you have >> mod_tls enabled? Try connecting to your server with telnet and enter >> FEAT >> and see whether it returns AUTH TLS. > > Nope: > > 211-Features: > 211-MDTM > 211-REST STREAM > 211-SIZE > 211 End Oh, that's bad. You don't have ftps enabled explicitly either? This probably means that there is at least some exploit to DoS sarge's 1.2.x. > >> There is a thread about this at >> http://lists.alioth.debian.org/pipermail/secure-testing-team/2006-November/000972.html > > CVE-2006-5815: "Buffer overflow in ProFTPD 1.3.0 and earlier, when > configured to use the CommandBufferSize directive ...". This directive > is not in the default Debian Config file, I believe, and it isn't in the > one on that machine. This description is wrong. There was some confusion about what CVE-2006-5815 is. It is really about a flaw in sreplace(). There is more info about this confusion later in the thread above, e.g. http://lists.alioth.debian.org/pipermail/secure-testing-team/2006-November/000990.html or at http://bugs.proftpd.org/show_bug.cgi?id=2858 The CommandBufferSize issue was fixed by DSA-1218-1. Cheers, Stefan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: ProFTPD still vulnerable (Sarge)
Hi, > The attacks ceased before I noticed, so I was not able to capture a TCP > stream. I would just like to alert people that there is still some > vulnerability in the ProFTPD code that was not fixed by DSA-1218-1. yes, there are two open vulnerabilites in proftpd. A DSA should be in the works, but I don't know the current status. One is CVE-2006-5815 and the other is a mod_tls vulnerability without CVE id yet. AFAIK there is no exploit for sarge's 1.2.x for CVE-2006-5815 yet. So I would expect this to be the mod_tls vulnerability. Do you have mod_tls enabled? Try connecting to your server with telnet and enter FEAT and see whether it returns AUTH TLS. There is a thread about this at http://lists.alioth.debian.org/pipermail/secure-testing-team/2006-November/000972.html NOTE: Users of etch/sid should upgrade to 1.3.0-16 *NOW*. Cheers, Stefan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 1053-1] New Mozilla packages fix arbitrary code execution
Hi, On Tuesday 09 May 2006 18:30, Daniel Schröter wrote: > > For the unstable distribution (sid) this problem will be fixed > > soon. > > Isn't it fixed since FF 1.5.dfsg+1.5.0.3-1? > http://lists.debian.org/debian-devel-changes/2006/05/msg00197.html the DSA is about the old mozilla, not firefox. Cheers, Stefan
Re: Bad press again...
On Thursday 25 August 2005 23:33, Peer Janssen wrote: > Do they have some monitoring script? Or some monitoring people? > (Might be interesting to know who: [disgruntled users? the > competition?]) cron-apt will send you a mail. Aug 25 05:16:31 xxx cron-apt: Failed to fetch http://security.debian.org/debian-security/dists/sarge/updates/main/binary-i386/Packages.gz Could not connect to security.debian.org:80 (194.109.137.218), connection timed out Cheers, Stefan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)
On Thursday 14 July 2005 22:03, Fredrik "Demonen" Vold wrote: > I think it's possible for a script to list all installed packages, > then check each of them against the bug report system to see if the > installed version has a security bug filed against it. > > Maybe if some autmated system on the server would generate a > "Security.gz" or something else similar to the package list for > apt? I really don't know enough of the bug tracking system to know > if this is possible, but it opens up alot of possibilities if it > is. There is a page listing all security bugs: http://qa.debian.org/bts-security.html And a quick hack to extract only the bugs for installed packages is at http://www.sfritsch.de/debian/list-bts-security (uses apt-show-versions and libwww-perl). Probably it would be nice to add some functionality to only show the differences from the last run... Cheers, Stefan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Firewall-troubleshooting
Hi! On Tuesday 05 July 2005 14:00, Daniel Pittman wrote: > /sbin/iptables -t filter -A in_world_http_s1 -p tcp --sport 1024:65535 > --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT > /sbin/iptables -t filter -A out_world_http_s1 -p tcp --sport 80 --dport > 1024:65535 -m state --state ESTABLISHED -j ACCEPT Note that if you don't allow RELATED packets for _all_ connections, you will have to explicitly allow at least fragmentation-needed icmp packets. Otherwise you will get problems with PMTU discovery which will lead to other obscure problems. Allowing some other icmp packets is probably a good idea as well (e.g. all destination-unreachable packets). Cheers, Stefan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Bad press related to (missing) Debian security
On Monday 27 June 2005 20:26, Matt Zimmerman wrote: > I expect it would be enough if they were all active, but that has > never been the case for this group. Wichert, Daniel, Michael and > myself are all de facto inactive for various reasons, and have been > for some time. And according to Steve Kemp, the secretaries can't push out updates. Which leaves us with Joey. Maybe it would be a good first step turn the secretaries to full members (if they want that)? But I agree with Martin F. Krafft that the security team should have quite a few more members. Cheers, Stefan pgpQMQthpoaFM.pgp Description: PGP signature
Re: 2.6 kernel vulnerabilities
Hi Geoff, On Friday 25 February 2005 06:52, Geoff Crompton wrote: > Are the kernel team aware of > http://www.securityfocus.com/bid/12555, a bunch of vulnerablities > in 2.6 kernels prior to 2.6.11-rc2. > > Or more generally, are these being tracked? And if so, by whom, and > I should I keep asking them specifically rather than posting to > debian-security? There are now bugs filed for those of them that have CANs (#296897, #296899, #296900, #296901). Still missing are the radeon and the i2c-viapro issues (the latter aparently being minor). Feel free to file bugs, or I might do it later. I don't have time right now. Cheers, Stefan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: using sarge on production machines
Hi! On Saturday 19 February 2005 02:40, kurt kuene wrote: > so there WAS really a security team at that time. I eventually have > thought that I had only dreamed or misunderstood something. but > this is not debian-like. I have thought that if they run security > updates they will not just stop them again. No. There was never working security support for sarge. The testing-security-team checks which known security issues are still unfixed in sarge but there was never any infrastructure to ensure that fixes went in quickly. There are still quite a few unfixed issues [1]. > Do packages with important security problems (for example: remote > execution of arbitrary code) change faster from unstable to > testing? I think this is so but I am not sure... Updates that fix security issues usually have urgency=high and change faster to testing. However, you cannot trust this since new release critical bugs might still keep the new package from entering testing. Cheers, Stefan [1] http://merkel.debian.org/~joeyh/testing-security.html -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: TCP SYN packets which have the FIN flag set.
Hi! On Friday 05 November 2004 12:27, Baruch Even wrote: > > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > > iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL SYN -j ACCEPT > > Please dont do that! > You can use SYN,ACK,FIN,RST SYN to check for illegal flags. Shouldn't iptables -A INPUT -m state --state INVALID -j DROP as the _first_ rule take care of all packages with illegal flags? Unfortunately, I haven't found any documentation what exactly is considered INVALID. Anybody? Cheers, Stefan -- Technische Universitaet Muenchen Raum: 1131 Physik-Department T39 Tel.: 089/289-12197 James-Franck-Strasse E-Mail: [EMAIL PROTECTED] D-85748 Garching -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: SSH, PubkeyAuthentication and UsePam - security problem or RTFM?
Hi! Am Dienstag, 20. April 2004 15:27 schrieb Adrian 'Dagurashibanipal' von Bidder: > So, to rephrase the question, is > there a way to have PAM set up my session (specifically, pam_env) > without allowing users to log in with their password? I think you can do this by removing a line in /etc/pam.d/ssh . I think auth required pam_unix.so should be the one. Read the docs or maybe someone else remembers wether this is correct... Cheers, Stefan --
Re: SSH, PubkeyAuthentication and UsePam - security problem or RTFM?
Hi! Am Dienstag, 20. April 2004 15:27 schrieb Adrian 'Dagurashibanipal' von Bidder: > So, to rephrase the question, is > there a way to have PAM set up my session (specifically, pam_env) > without allowing users to log in with their password? I think you can do this by removing a line in /etc/pam.d/ssh . I think auth required pam_unix.so should be the one. Read the docs or maybe someone else remembers wether this is correct... Cheers, Stefan -- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
