Re: bash 4.2 for squeeze

2014-09-24 Thread Sven Hoexter
On Wed, Sep 24, 2014 at 03:43:42PM -0400, Darko Gavrilovic wrote:
> Hi, is there a bash upgrade for squeeze to address below cve?
> 
> https://www.debian.org/security/2014/dsa-3032

There is already a squeeze lts security announcement but my
mirrors do not yet have the update.
So it should be available with the next mirror pulse.

Cheers,
Sven


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140924194633.gk3...@timegate.de



Re: [SECURITY] [DSA-2158-1] cgiirc security update

2011-02-23 Thread Sven Hoexter
On Wed, Feb 23, 2011 at 03:11:23PM +0100, Sven Hoexter wrote:

> *** An error occurred: Program ending: Bad arg length for Socket::inet_ntoa,
> length is 0, should be 4 at /usr/lib/cgi-bin/cgiirc/nph-irc.cgi line 673,
>  line 7.
> 
> 
> I'm not sure if that might be IPv6 related.

That is indeed v6 related. I've now uploaded an NMU to DELAYED/2 with the patch
from the Security Team upload just in case someone would like to object.

.diff.gz should hit #612671 soon

Sven
-- 
And I don't know much, but I do know this:
With a golden heart comes a rebel fist.
 [ Streetlight Manifesto - Here's To Life ]





Re: [SECURITY] [DSA-2158-1] cgiirc security update

2011-02-23 Thread Sven Hoexter
On Wed, Feb 23, 2011 at 10:12:08AM +0100, Philipp Kern wrote:

> why wasn't this fixed (e.g. through an NMU) in unstable, too?  The
> announcement doesn't even mention unstable albeit it's the same version.


We currently seem to have a slightly better protection for the unstable
package; it doesn't work at all (at least for me).

*** An error occurred: Program ending: Bad arg length for Socket::inet_ntoa,
length is 0, should be 4 at /usr/lib/cgi-bin/cgiirc/nph-irc.cgi line 673,
 line 7.


I'm not sure if that might be IPv6 related.

There's some upstream activity so it would be nice to know if des@d.o is
already known to be MIA before pushing this for removal or orphaning the package.

Sven
-- 
And I don't know much, but I do know this:
With a golden heart comes a rebel fist.
 [ Streetlight Manifesto - Here's To Life ]





Re: Heads-up: EXIM remote root exploit published

2010-12-12 Thread Sven Hoexter
On Sun, Dec 12, 2010 at 02:20:39PM +0100, Thomas Krichel wrote:

> | For the testing distribution (squeeze) and the unstable distribution
> | (sid), this problem has been fixed in version 4.70-1.
> 
>   but here
> 
> r...@wotan:~# aptitude show exim4 | grep ^Version
> Version: 4.72-2
> 
>   so nothing to do or did they get the version number wrong in the 
>   DSA?

The version number in the DSA is to the best of my knowledge correct. The
issue got fixed upstream in 4.70 without someone realizing that it is/was
exploitable. So it has already been fixed in testing and unstable for a
while.

You might want to read the corresponding thread on the exim mailinglist
if you dare for the details.

HTH
Sven
-- 
And I don't know much, but I do know this:
With a golden heart comes a rebel fist.
 [ Streetlight Manifesto - Here's To Life ]



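Sven's answer to Thomas comes down to a version comparison (4.72-2 already sorts above the 4.70-1 the DSA names), and the same ordering decides the sarge numbering question later on this page (1.2.3-1.sarge.1 as the fix for 1.2.3-1). Added example, not code from the list or from dpkg itself: a Python reimplementation of the dpkg version ordering (epoch, upstream version, Debian revision, with "~" sorting before anything else), so the "is my installed version at or above the one the DSA names?" check can be done from a package list without a Debian host.

```python
# Added example: reimplementation of the Debian version ordering that
# dpkg --compare-versions applies (Debian Policy 5.6.12). Not dpkg's own code.

def _isdigit(c: str) -> bool:
    return len(c) == 1 and "0" <= c <= "9"

def _order(c: str) -> int:
    """Sort weight of one character in a non-digit run (mirrors dpkg's order())."""
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1            # tilde sorts before everything, even end of string
    if c:
        return ord(c) + 256  # other punctuation sorts after letters
    return 0                 # end of string

def _at(s: str, k: int) -> str:
    return s[k] if k < len(s) else ""

def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments: negative, zero or positive like strcmp()."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with _order().
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac, bc = _order(_at(a, i)), _order(_at(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros; the longer run wins, else the first differing digit.
        while _at(a, i) == "0":
            i += 1
        while _at(b, j) == "0":
            j += 1
        while _isdigit(_at(a, i)) and _isdigit(_at(b, j)):
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _isdigit(_at(a, i)):
            return 1
        if _isdigit(_at(b, j)):
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_version(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")  # last hyphen starts the revision
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision

def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a sorts below, equal to or above b in dpkg order."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def is_fixed(installed: str, fixed_in: str) -> bool:
    """True when the installed version is at or above the version a DSA names."""
    return compare_versions(installed, fixed_in) >= 0

if __name__ == "__main__":
    # The exim case from the thread: installed 4.72-2, DSA says fixed in 4.70-1.
    print("exim4 4.72-2 covered by DSA (fixed in 4.70-1):", is_fixed("4.72-2", "4.70-1"))
    # The sarge numbering idea: 1.2.3-1.sarge.1 sits above 1.2.3-1 but below 1.2.3-2.
    print(compare_versions("1.2.3-1.sarge.1", "1.2.3-1"), compare_versions("1.2.3-1.sarge.1", "1.2.3-2"))
```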


Re: ProFTPD IAC Remote Root Exploit

2010-11-15 Thread Sven Hoexter
On Mon, Nov 15, 2010 at 06:15:48PM +0200, Adrian Minta wrote:
> Any debian reaction on this ?
> http://seclists.org/fulldisclosure/2010/Nov/49

It doesn't affect the version shipped with Lenny and is fixed in testing
and unstable.

http://bugs.proftpd.org/show_bug.cgi?id=3521
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602769

HTH
Sven
-- 
And I don't know much, but I do know this:
With a golden heart comes a rebel fist.
 [ Streetlight Manifesto - Here's To Life ]





Re: proftpd amd64 binaries for DSA-1925?

2009-11-11 Thread Sven Hoexter
On Wed, Nov 11, 2009 at 10:58:58AM +1300, Mark van Walraven wrote:
> Greetings,
> 
> "Binaries for the amd64 architecture will be released once they are 
> available."
> 
> Has this been overlooked, or just taking a while?

Looks like the links are still missing in the DSA on the website but the
packages are on security.d.o since Nov. 2.
proftpd-basic_1.3.1-17lenny4_amd64.deb  Nov 02 23:40

Sven
-- 
If God passed a mic to me to speak
I'd say stay in bed, world
Sleep in peace
   [The Cardigans - 03:45: No sleep]





Re: CVE-2006-0019

2006-01-21 Thread Sven Hoexter
On Sat, Jan 21, 2006 at 10:59:12AM +0100, Jan Luehr wrote:
> Hello,
> 
> as I'm using KDE daily I'm concerned about CVE-2006-0019 [1].
> Will Sarge be patched next week? (Otherwise I'll patch & build KDE by myself)
> 
> [1] http://www.kde.org/info/security/advisory-20060119-1.txt

Looks like this problem has been solved in DSA 948-1
http://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00021.html

Sven
-- 
Du kannst mit Träumen nicht diskutieren,
du kannst sie träumen oder verlieren.
   [ But Alive - Weißt nur, was du nicht willst ]



Re: Security team support

2005-06-28 Thread Sven Hoexter
On Tue, Jun 28, 2005 at 05:45:41PM +0200, Markus Kolb wrote:
> Hi,
> 
> why security team doesn't ask for help if they have not enough time for
> and problems with package fixing?
> 
> I can help.
> 
> I need only a security team member for contact and maybe a debian member
> to sign my gnupg key. 
And then the whole community should trust you? No, that's not the way it
should work. OpenSource is still about having reputation and other people who
trust you.

Sven
-- 
Das Fernsehen ist die größte kulturelle Katastrophe, die die Erde in der Zeit,
an die wir uns erinnern können, erlebt hat.
[ Joseph Weizenbaum ]



Re: Official security support for sarge

2004-08-23 Thread Sven Hoexter
On Fri, Aug 20, 2004 at 11:42:04AM -0500, Micah Anderson wrote:
> I have seen that also, but that doesn't help me understand if there is
> official security support for sarge yet or not?
http://www.infodrom.org/~joey/log/?200408230851

HTH
Sven
-- 
It ain't so bad bein' alone if you know it'll never last nothing lasts forever
'cept the certainly of change and love's the same It's a game with simple rules
If you think it's forever then you're nothing but a fool
   [Venerea - Love Is A Battlefield Of Wounded Hearts]





Re: restricting process limit

2004-04-28 Thread Sven Hoexter
On Wed, Apr 28, 2004 at 06:16:17PM +0200, Alberto Gonzalez Iniesta wrote:
> On Wed, Apr 28, 2004 at 11:00:11AM -0400, Dan Christensen wrote:

Hi,

> > I've heard really good things about crm114:
> > 
> >   http://crm114.sourceforge.net/
> > 
> > It's faster than spamassassin and more accurate than spamassassin or
> > the author.  Licensed under the GPL.  It only does Bayesian learning
> > (no hard coded rules like SA), but it ends up doing better than SA
> > after moderate training.
> 
> I use it at home. It's way better than spamassassin, but requires some
> training. What I don't really know is how effective it'll be on technical
> mailing lists (which receive mails with dumps, kernel confs, and other
> 'strange' content that may appear like anything but a 'normal' mail).
If it's bayes based it will do a very good job cause words in technical
mails differ from the ones in spam a lot. I personally prefer bogofilter[1]
cause I started using it about a year ago and my wordlist is perfectly
trained for me now. It's written in C, fast and consumes little resources.

Sven

[1] http://bogofilter.sf.net backports for woody available at backports.org

-- 
If God passed a mic to me to speak
I'd say stay in bed, world
Sleep in peace
   [The Cardigans - No sleep]




Re: Known vulnerabilities left open in Debian?

2004-03-22 Thread Sven Hoexter
On Mon, Mar 22, 2004 at 06:57:39PM +0100, Giacomo Mulas wrote:
>   There is a \begin{sarcasm} nice \end{sarcasm} article in
> linuxworld Australia (see
> http://www.linuxworld.com.au/index.php/id;1607539824;fp;2;fpid;1) which,
> among other things, claims that "Debian (Debian GNU/Linux) has left
> vulnerabilities there and didn't release any patches for them". While I
> can be sympathetic with Symantec people, who need to sell anti-virus
> software for a living and hence need to prove its sore need for whatever
> OS one may run, if I were in the Debian Security Team I would definitely
> be pissed off by something like this, and would release a harsh statement,
> based on hard facts, to counter this FUD.
Well a week ago or so we had a longer discussion here about open bugs left
in the ancient mozilla version in woody.
That's the only example I know but that doesn't mean much.

Sven
-- 
If God passed a mic to me to speak
I'd say stay in bed, world
Sleep in peace
   [The Cardigans - No sleep]





Re: mozilla - the forgotten package?

2004-03-10 Thread Sven Hoexter
On Wed, Mar 10, 2004 at 08:48:02PM +0100, Florian Weimer wrote:
> Noah Meyerhans wrote:

Hi,

> > That's highly unlikely to happen.  It's been discussed before.  In fact,
> > at one point somebody uploaded mozilla 1.0.2 to stable-proposed-updates,
> > but that was rejected.  Apparently, although the mozilla developers
> > claimed they wouldn't do it, 1.0.2 broke compatibility with derivative
> > browsers like Galeon.  I don't recall the details.
> 
> Okay, if that's the case, I'm going to start a campaign for including
> Mozilla 1.4 (plus fixes) in stable.
Well why just include 1.4 and not 1.6? I know that the backports.org mozilla
packages are working at least on i386. (ok beside the fact that you're breaking
third party apps).  Haven't checked what's in proposed-updates so far.

Sven
-- 
If God passed a mic to me to speak
I'd say stay in bed, world
Sleep in peace
   [The Cardigans - No sleep]





Re: 2.2 Kernel Fix

2004-02-23 Thread Sven Hoexter
On Fri, Feb 20, 2004 at 09:56:12AM +0100, Dariush Pietrzak wrote:
> > 2.2 series of kernels, since they're apparently vulnerable too?
>  You can find the patch on bugtraq/isec/etc, attached is a peek at it
Don't use this one! This one produces kernel panics after a few hours on
my systems. I suggest to use the one from the 2.2.25-ow2 patch.
You can find it at http://www.openwall.com/linux (mentioned that also in
another thread).

Sven
-- 
If God passed a mic to me to speak
I'd say stay in bed, world
Sleep in peace
   [The Cardigans - No sleep]





Re: 2.2 Kernel Fix

2004-02-22 Thread Sven Hoexter
For those who are interested Solar Designer updated his OpenWall patch with
a fix for the mremap bug.

See http://www.openwall.com/linux/

Sven
-- 
If God passed a mic to me to speak
I'd say stay in bed, world
Sleep in peace
   [The Cardigans - No sleep]





Re: 2.2 Kernel Fix

2004-02-20 Thread Sven Hoexter
On Fri, Feb 20, 2004 at 09:56:12AM +0100, Dariush Pietrzak wrote:
> > 2.2 series of kernels, since they're apparently vulnerable too?
>  You can find the patch on bugtraq/isec/etc, attached is a peek at it
I had a private discussion about this patch with someone from the Debian
Security Team and he's not very happy with this patch. First it changes
some printk messages which is uncommon for sec patches. Second it changes
functions which can result in kernel incompatibility.

Anyway I had a kernel panic shortly after deploying this patch on one of my
boxes here. I'm not sure if it's related to this patch but strange anyway.

If you can I would advise you to wait until the OpenWall project comes
up with a clean patch.

Sven
-- 
If God passed a mic to me to speak
I'd say stay in bed, world
Sleep in peace
   [The Cardigans - No sleep]





Re: DSA 438 - bad server time, bad kernel version or information delayed?

2004-02-18 Thread Sven Hoexter
On Wed, Feb 18, 2004 at 07:54:45PM +0100, Jan Lühr wrote:
> After the last OpenSSH exploit, I thought that this kind of intransparency is 
> limited to OpenBSD, but to what f*** h*** is OpenSource software driving to?
> Transparency is the most important aspect of secure OpenSource Software. 
> (Anyway, imho it's the one and only argument for OpenSource software being 
> more secure than others.)
> What's going on here?
It's called "responsible disclosure" - think about it what you want :)
Like everything in life it has its pros and cons :-/

Sven
-- 
If God passed a mic to me to speak
I'd say stay in bed, world
Sleep in peace
   [The Cardigans - No sleep]





Re: ProFTPD ASCII File Remote Compromise Vulnerability

2003-09-24 Thread Sven Hoexter
On Tue, Sep 23, 2003 at 04:26:14PM -0400, Matt Zimmerman wrote:
> On Tue, Sep 23, 2003 at 02:45:24PM -0500, Bender, Jeff wrote:

Hi,

> > Looking for the Debian Woody patch.  Anyone know if it is available or if
> > this version is exploitable?
> 
> According to the maintainer, the version in woody is not affected by this
> bug.
Quoting TJ Saunders from
http://sourceforge.net/mailarchive/forum.php?thread_id=3173947&forum_id=2637

byg>BTW, How about version prior 1.2.7?
 
They are believed to not have this bug.  I would recommend upgrading to
one of the patched releases, just to be certain.
 
TJ
=
Hmmm that's why I hate advisories without PoC Code or detailed descriptions.

diffing the source code might help ...

Sven
-- 
http://www.comboguano.de
http://sven.linux-ist-pleite.de
I'm root, if you see me laughing you better have a backup!





Re: OpenSSH

2003-09-03 Thread Sven Hoexter
On Wed, Sep 03, 2003 at 11:20:45AM +0200, Matthias Faulstich wrote:

Hi,

> does anybody know, whether the chroot-patch will be included in future 
> versions of the official ssh package?
To me it looks like you can do the same thing without patching the sshd
if you use scponlyc (scponly[1] shell with chroot() support).

Anyway which sshd patch are you talking about?
Besides that I think that it will be included in the Debian package after
it got accepted by the upstream author[2]. 

Sven

[1] http://www.sublimation.org/scponly/
[2] http://www.openssh.com
-- 
http://www.comboguano.de
http://sven.linux-ist-pleite.de
I'm root, if you see me laughing you better have a backup!





Re: noboby with a shell !!

2003-03-28 Thread Sven Hoexter
On Fri, Mar 28, 2003 at 10:55:45PM +0100, Christian Jaeger wrote:
> At 12:11 Uhr +0100 26.03.2003, Sven Hoexter wrote:

Hi,

> >This might be bad cause AFAIK a few cronjobs change from their root uid to
> >nobody via the su command.
> 
> They don't really need a shell setting for nobody. su -s /bin/sh 
> $commandline works as well.
Ok then I'm out of arguments ;) but I think there is a reason for the packagers
to set up a lot of dummy users for daemons etc. with /bin/sh instead of
/bin/false or /dev/null.

Sven
-- 
It really sucks to give your heart to a girl
You want to know her like she knows the whole world
But 10 seconds in, it's obvious, your going nowhere...
[Bowling for Soup - Drunk Enough To Dance - I Don't Wanna Rock]






Re: noboby with a shell !!

2003-03-26 Thread Sven Hoexter
On Wed, Mar 26, 2003 at 10:50:48AM -0500, Noah L. Meyerhans wrote:
> On Wed, Mar 26, 2003 at 12:11:58PM +0100, Sven Hoexter wrote:
> > Well yes it could :) As long as the user has no valid password it's not very
> > usefull. Take a look into the /etc/shadow and in the second field you'll find
> > ! or * indicating that this user has a invalid password. See man 5 shadow.
> 
> That's hardly true.  If an attacker could somehow create an ssh
> authorized_keys file, they could log in without a password.
and if he can somehow create the non-existent home dir.
or if he can somehow change the $HOME ... oh forgot when he has the power to
somehow change the $HOME he can change the $SHELL or if he can edit the
/etc/passwd he's root ... who cares about nobody.

Yeah there are so many side conditions that could happen, what a horror - time
to take the internet offline. *hrhr*

Well at least you shouldn't run all your daemons under one uid. Create one for
the ftpd one for your httpd and so on.

SCNR
Sven
-- 
It really sucks to give your heart to a girl
You want to know her like she knows the whole world
But 10 seconds in, it's obvious, your going nowhere...
[Bowling for Soup - Drunk Enough To Dance - I Don't Wanna Rock]





Re: noboby with a shell !!

2003-03-26 Thread Sven Hoexter
On Wed, Mar 26, 2003 at 11:35:38AM +0100, Yoann wrote:

Hi,

> I looked in the file /etc/passwd on my server today, and I saw the user 
> nobody has a shell !!. When I installed my debian (sarge, I know it's 
> bad, but it's just a server for me...) I put /bin/false. A few days ago, 
> during an upgrade, apt asked me to upgrade that file to the new 
> version and I answered yes, so I think it comes from that action, but it 
> could be insecure to put /bin/sh for nobody ?
Well yes it could :) As long as the user has no valid password it's not very
useful. Take a look into the /etc/shadow and in the second field you'll find
! or * indicating that this user has an invalid password. See man 5 shadow.
 
> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>  
> I change to :
> 
> nobody:x:65534:65534:nobody:/dev/null:/bin/false
This might be bad cause AFAIK a few cronjobs change from their root uid to
nobody via the su command. See your /var/log/syslog maybe you'll now get
some errors from cron jobs at night.

Sven

-- 
It really sucks to give your heart to a girl
You want to know her like she knows the whole world
But 10 seconds in, it's obvious, your going nowhere...
[Bowling for Soup - Drunk Enough To Dance - I Don't Wanna Rock]

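The check Sven points Yoann at (login shell in /etc/passwd versus a locked "!" or "*" password field in /etc/shadow), together with Noah's later caveat that a locked account with a shell and an existing home directory could still be entered via an authorized_keys file, as an added audit script that is not part of the thread. The passwd and shadow lines below are constructed sample data, and `existing_homes` stands in for a check of which home directories actually exist on the host.

```python
# Added example, not from the list thread: audit which accounts could start an
# interactive session, combining the passwd shell field with the shadow password
# field the way the reply describes. Sample data below is constructed.
from dataclasses import dataclass

# Shells that refuse an interactive session; anything else (/bin/sh, /bin/bash, ...)
# counts as a login shell. /dev/null is listed because the thread uses it as a shell.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/dev/null", ""}

# Constructed /etc/passwd and /etc/shadow content (not from any real host).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin
"""

SHADOW_SAMPLE = """\
root:$6$constructed$notarealhash:12000:0:99999:7:::
daemon:*:12000:0:99999:7:::
nobody:*:12000:0:99999:7:::
www-data:!:12000:0:99999:7:::
backup::12000:0:99999:7:::
sshd:*:12000:0:99999:7:::
"""

@dataclass
class Finding:
    user: str
    shell: str
    password: str   # "hash", "locked" or "empty" (second field, see man 5 shadow)
    verdict: str

def password_state(field: str) -> str:
    """Classify the password field of a shadow (or passwd) entry."""
    if field == "":
        return "empty"    # no password required at all
    if field[0] in "!*":
        return "locked"   # '!' or '*' prefix: password login disabled
    return "hash"

def is_login_shell(shell: str) -> bool:
    return shell not in NOLOGIN_SHELLS

def audit_accounts(passwd_text: str, shadow_text: str, existing_homes=frozenset()):
    """Return one Finding per passwd entry describing how it could be logged into."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line.strip():
            name, field = line.split(":", 2)[:2]
            shadow[name] = field
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        user, pw, _uid, _gid, _gecos, home, shell = line.split(":", 6)
        # "x" defers to shadow; an account missing from shadow behaves like a locked one.
        field = shadow.get(user, "!") if pw == "x" else pw
        state = password_state(field)
        if not is_login_shell(shell):
            verdict = "no-interactive-login"
        elif state == "empty":
            verdict = "shell-without-password"      # worst case: login with no password
        elif state == "hash":
            verdict = "shell-with-password"         # expected for root and human users
        elif home in existing_homes:
            verdict = "shell-locked-keys-possible"  # an authorized_keys file would still work
        else:
            verdict = "shell-locked"                # the nobody case: shell, but no way in
        findings.append(Finding(user, shell, state, verdict))
    return findings

def verdicts(passwd_text=PASSWD_SAMPLE, shadow_text=SHADOW_SAMPLE,
             existing_homes=frozenset({"/root", "/var/www", "/usr/sbin"})):
    """Map user -> verdict for the given files (defaults to the constructed sample)."""
    return {f.user: f.verdict for f in audit_accounts(passwd_text, shadow_text, existing_homes)}

if __name__ == "__main__":
    for f in audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE, {"/root", "/var/www", "/usr/sbin"}):
        print(f"{f.user:10} {f.shell:20} {f.password:7} {f.verdict}")
```

On a real host, pass the contents of /etc/passwd and /etc/shadow (the latter is root-readable only) and the set of home directories that exist; the su -s /bin/sh path from the thread works regardless of the verdict, so a locked-with-shell account is not a finding in itself.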




Re: PTRACE Fixed?

2003-03-22 Thread Sven Hoexter
On Sat, Mar 22, 2003 at 05:49:55PM +0100, Laurent Tickle wrote:
> Hello,
> 
> Where can I find a patch for the PTrace bug ?
> Because i'm searching for a patch which works on Kernel 2.2.X and 2.4.X ;)
Well for 2.2.x Alan Cox released 2.2.25 which includes only the ptrace patch.
For 2.4.x several patches circulated on the lkml [1] and I heard about an
official bitkeeper generated patch on kernel.org.

Sven

[1] http://www.uwsg.indiana.edu/hypermail/linux/kernel/0303.2/0226.html

-- 
It really sucks to give your heart to a girl
You want to know her like she knows the whole world
But 10 seconds in, it's obvious, your going nowhere...
[Bowling for Soup - Drunk Enough To Dance - I Don't Wanna Rock]





Re: Sarge freeze and security updates

2003-02-23 Thread Sven Hoexter
On Sun, Feb 23, 2003 at 06:25:17PM +, Simon Huggins wrote:
> On Sun, Feb 23, 2003 at 01:35:22AM -0500, Mark L. Kahnt wrote:

Hi,

> > There is a side effect that this means that few of the security fixes
> > are making it through to Sarge, either. There is talk about using the
> > security update system to produce security releases for Sarge, but those
> > responsible for Sid are concerned about package numbering, among other
> > problems, and are reluctant to see that implemented, as this situation
> > is really a rarity (a perfect storm of stalled dependencies in Sid
> > blocking so much concurrently.)
> 
> It would however be nice to have security available for sarge for
> reassurance but also so that people could choose it as a supported
> release of Debian.
Testing is not a supported release; testing is a place where developers and
packagers try to get a stable base for a new release. Think of it like a dynamic
beta version.
 
> I don't see why people are worried about numbering for security patches
> for testing.  Why wouldn't they be done in the same way that security
> patches are done at the moment?  i.e 1.2.3-1.sarge.1 as the security fix
> for 1.2.3-1
It's not the intention of testing to be used as a release. It is a testing
stage in the hard process to get from one stable release to another. What's
more needed are shorter release cycles so that there is no need to switch
to something between the bleeding edge and a security nightmare.
Maybe it's easier to understand that if you call the baby testing instead
of the nice nick name, because testing describes better what it is atm and not
what it's going to be.

Another fact is that security support for testing would consume resources
which are more needed in the development and freezing process.

I hope that you can now understand what testing is and why there should not
be security support for it.

Sven

-- 
Revolution is not a dinner party, not an essay, nor a painting, nor a piece of
embroidery; it cannot be advanced softly, gradually, carefully, considerately,
respectfully, politely, plainly, and modestly.
- Mao Zedong (Mao Tse-tung)






Re: pop mail recommendations

2002-12-06 Thread Sven Hoexter
On Fri, Dec 06, 2002 at 10:12:22AM -0500, [EMAIL PROTECTED] wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> 
> > On Friday, Dec 6, 2002, at 03:18 US/Pacific, Sven Hoexter wrote:
> 
> >> I suggest popa3d from http://www.openwall.com but I'm not sure
> >> if you can use it in standalone mode.
> 
> > I like the look of popa3d, but it does not support md5 or ssl 
> > transport. I know this is trivial protection, but every layer helps.
> 
> I'd suggest The University of Washington's POP3 server. Which does
> support SSL.  However I don't believe the Debian packages for potato
> included a daemon with SSL support.  Not sure about Woody, Sarge or
> Sid though.  I just built it from source.  You can get the source here:
> 
>   http://www.washington.edu/imap/
AFAIR history told us that it's nearly as secure, or insecure, as
qpopper.

Sven








Re: pop mail recommendations

2002-12-06 Thread Sven Hoexter
On Fri, Dec 06, 2002 at 03:31:31AM -0800, Ted Roby wrote:
> On Friday, Dec 6, 2002, at 03:18 US/Pacific, Sven Hoexter wrote:
> >On Fri, Dec 06, 2002 at 12:07:10PM +0100, andres wrote:
> >>apt-get install qpopper
> >>;-)
> >*rotfl* Hope that wasn't a serious answer.
> >apt-cache search pop3
> >
> >I suggest popa3d from http://www.openwall.com but I'm not sure
> >if you can use it in standalone mode.
> 
> I like the look of popa3d, but it does not support md5 or ssl 
> transport. I know this is trivial protection, but every layer helps.
Well you asked for pop3 not pop3s. For security and pop3s courier might
be a good choice but it's quite complex. (IMHO)
 
> Qpopper does look interesting. Since version 4 it has been released as 
> free open source (I'm compiling it now, just to take a look). I have 
> experience with Eudora mail products, primarily EIMS running on MacOS, 
> so I am familiar with their processes.
On one of my machines I still use qpopper but the security history is a
pain. Root exploits, DoS stuff and others ...
On the other hand qpopper is easy to set up and fast enough for a small
environment, but I would definitely not call qpopper secure.

Sven

BTW: qpopper was OpenSource software from the beginning. They just split
up a part of it for a commercial product but changed this strategy back
to one opensource product for all quite fast.



Re: pop mail recommendations

2002-12-06 Thread Sven Hoexter
On Fri, Dec 06, 2002 at 12:07:10PM +0100, andres wrote:
> apt-get install qpopper
> 
> Ok!
> 
> ;-)
*rotfl* Hope that wasn't a serious answer.
apt-cache search pop3

I suggest popa3d from http://www.openwall.com but I'm not sure
if you can use it in standalone mode.

Sven

> Ted Roby ha escrito:
> 
> > I have setup exim to host my domain's SMTP services.
> >
> > I am now looking for something to host POP3 on the same Debian potato
> > box.
> >
> > I am asking the security list because that is my primary interest.
> > I would like to find something stable, reasonably known to be secure,
> > perhaps specifically recommended for debian servers, and can run as a
> > stand-alone daemon.
> >
> > Would any of you care to make a recommendation?











Re: qpopper related question

2002-05-01 Thread Sven Hoexter
On Wed, May 01, 2002 at 11:47:25AM +0200, eim wrote:

Hi,

> I've noted in my syslog a strange qpopper related entry:
> 
> * May  1 11:48:10 foobox in.qpopper[11047]: connect from foo.bar.org
> * May  1 11:48:10 foobox in.qpopper[11047]: @foo.bar.org: -ERR Unknown
> command: "capa".
> 
> Well, (-ERR Unknown command: "capa") sounds quite strange,
> anyone has idea what this may be..?

Looks like someone used telnet to connect to port 110 and instead of typing
something like
user 
pass 
he typed something like
user 
capa 

Then qpopper returns a
-ERR Unknown command

If your debug level is high enough you'll find this non-existent command
in your logs.

Sven

-- 
Lamer! :)\nLocal admin with enormous rights[tm]
[Christian Schneider und Jens Himmelrath in alt.hacker.org-gcf]
http://www.linux-secure.de http://www.linuxboard.de
http://www.bluephod.net http://www.disconow.de
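
The "Unknown command" entry discussed above is what qpopper logs when a client sends a command the daemon does not implement; CAPA is a standard POP3 extension (RFC 2449), so mail clients send it routinely and a -ERR reply is harmless. As an added example, not from the thread or from qpopper, here is a small classifier that separates such harmless extension probes from genuinely unknown input; the log-line regex is inferred from the single line quoted above and the sample lines are constructed.

```python
import re
from collections import Counter

# Commands a conforming POP3 client may legitimately send: the RFC 1939 core
# set plus the common extensions CAPA (RFC 2449), STLS (RFC 2595) and
# AUTH (RFC 1734). A server that predates an extension answers with -ERR,
# which is plain capability probing by the client, not an attack.
KNOWN_POP3_COMMANDS = {
    "USER", "PASS", "APOP", "STAT", "LIST", "RETR", "DELE", "NOOP", "RSET",
    "QUIT", "TOP", "UIDL", "CAPA", "STLS", "AUTH",
}

# Shape of the qpopper syslog line quoted in the thread (assumed layout):
#   May  1 11:48:10 foobox in.qpopper[11047]: @foo.bar.org: -ERR Unknown command: "capa".
UNKNOWN_CMD_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ in\.qpopper\[(?P<pid>\d+)\]: '
    r'@(?P<peer>\S+): -ERR Unknown command: "(?P<cmd>[^"]*)"\.?$'
)

# Constructed sample log: a normal client probing for extensions, and a
# peer that sends junk (HTTP and a typo) at the POP3 port late at night.
SAMPLE_LOG = [
    'May  1 11:48:10 foobox in.qpopper[11047]: connect from foo.bar.org',
    'May  1 11:48:10 foobox in.qpopper[11047]: @foo.bar.org: -ERR Unknown command: "capa".',
    'May  1 11:52:03 foobox in.qpopper[11102]: @foo.bar.org: -ERR Unknown command: "stls".',
    'May  1 23:17:44 foobox in.qpopper[12231]: @203.0.113.9: -ERR Unknown command: "GET / HTTP/1.0".',
    'May  1 23:17:45 foobox in.qpopper[12231]: @203.0.113.9: -ERR Unknown command: "hlep".',
]


def classify_line(line):
    """Return (peer, COMMAND, verdict) for an 'Unknown command' entry, else None."""
    m = UNKNOWN_CMD_RE.match(line.rstrip("\n"))
    if not m:
        return None
    cmd = m.group("cmd").upper()
    if cmd in KNOWN_POP3_COMMANDS:
        verdict = "benign-extension-probe"   # e.g. a mail client asking CAPA
    elif cmd.isalpha() and 3 <= len(cmd) <= 4:
        verdict = "unknown-command"          # well-formed keyword, not POP3
    else:
        verdict = "garbage"                  # hand-typed, wrong protocol, fuzzing
    return m.group("peer"), cmd, verdict


def summarize(lines):
    """Count verdicts per peer so a host that keeps sending junk stands out."""
    per_peer = {}
    for line in lines:
        hit = classify_line(line)
        if hit is None:
            continue
        peer, _cmd, verdict = hit
        per_peer.setdefault(peer, Counter())[verdict] += 1
    return per_peer


if __name__ == "__main__":
    for peer, counts in summarize(SAMPLE_LOG).items():
        print(peer, dict(counts))
```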









Re: DoS in debian (potato) proftpd

2002-03-27 Thread Sven Hoexter
On Wed, Mar 27, 2002 at 12:37:59AM +0100, martin f krafft wrote:
> also sprach Joe Dollard <[EMAIL PROTECTED]> [2002.03.25.2114 +0100]:

Hi,

> > The version of proftp that is in debian potato (1.2.0pre10 as
> > reported by running 'proftpd -v ') is vulnerable to a glob DoS
> > attack, as discovered on the 15th March 2001. You can verify this
> > bug by logging in to a server running debian stable's proftpd and
> > type "ls
> > */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*".
> > This results with 100% of the CPU and memory resources being
> > consumed (more info at http://proftpd.linux.co.uk/critbugs.html),
> 
> (please fix your line wraps!)
> 
> security.debian.org has proftpd_1.2.0pre10-2.0potato1 which does not
> contain this bug, at least not on i386 systems:
> 
> fishbowl:~> ncftp lapse.home.madduck.net
> NcFTP 3.1.2 (Jan 28, 2002) by Mike Gleason ([EMAIL PROTECTED]).
> Connecting to 192.168.14.3
> ProFTPD 1.2.0pre10 Server (Debian) [lapse.home.madduck.net]
> Logging in...
> 
> Anonymous access granted, restrictions apply.
> Logged in to localhost.
> ncftp / > ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
> 
> 
> fishbowl:~> ssh lapse 'cat /etc/debian_version; uname -a'
> 2.2r5
> Linux lapse 2.2.20 #1 Tue Feb 12 14:22:30 CET 2002 i486
If my understanding of this bug is right, the new bug with the old problem
is in mod_sql. So if you don't use it you should not be vulnerable because no
input data is passed through it.
Another thing, the vulnerable mod_sql release was not shipped with the proftpd
stable release.

Sven

-- 
Lamer! :)\nLocal admin with enormous rights[tm]
[Christian Schneider und Jens Himmelrath in alt.hacker.org-gcf]
http://www.linux-secure.de http://www.linuxboard.de
http://www.bluephod.net http://www.disconow.de









Re: webhosting

2002-02-26 Thread Sven Hoexter
On Mon, Feb 25, 2002 at 10:59:20PM +0100, Robert van der Meulen wrote:
> Quoting Jerry Lynde ([EMAIL PROTECTED]):
> > At 12:15 PM 2/25/2002, Robert wrote:

Hi,

> > I just wouldn't suggest anyone use BIND is the same sense that I wouldn't 
> > suggest they
> > ride a Harley naked on snow-packed icy roads... something bad's bound to 
> > happen...
> I'm still under the impression that it's quite possible to do a reasonably
> secure bind install. Bind9 has some nice security-related features, and a
> completely rewritten codebase (as opposed to bind8). I'm not sure what
> insecurities you'd impose upon yourself by installing it..
You forgot to mention that you can chroot bind since a 8.x release. 
The chroot is not the non plus ultra solution but it throws a few more stones
in the way of the script kiddies.

Anyway, it looks like the usual flamewars like
sendmail vs. *your alternative MTA here* :)

Sv*using-bind*en

-- 
Lamer! :)\nLocal admin with enormous rights[tm]
[Christian Schneider und Jens Himmelrath in alt.hacker.org-gcf]
http://www.linux-secure.de http://www.linuxboard.de
http://www.bluephod.net http://www.disconow.de







Re: strange proftpd segfault and conntrack_ftp messages

2002-01-03 Thread Sven Hoexter
On Wed, Jan 02, 2002 at 05:48:58PM +0100, Christian Hammers wrote:
> Hello
> 
> Does anybody know a security bug for which this could be a hint?
> (hostname and ip's faked for obvious reasons)
> 
> The server runs: 
>   kernel 2.4.11-pre6
>   xined_2.1.8.8p3-1.1.deb 
>   proftpd_1.2.4-2.deb
> 
> Except from that the IP only did some normal web browsing without any
> tricks like tried cgi accesses or similar.
> 
> TIA,
> 
> -christian-
> 
> On Wed, Jan 02, 2002 at 03:45:03PM +0100, root wrote:
> > Jan  2 15:44:17 server kernel: conntrack_ftp: partial PORT 2336475143+1
> > Jan  2 15:44:18 server proftpd[3420]: server.domain 
> > (111.222.333.444[111.222.333.444]) - SECURITY VIOLATION: root login 
> > attempted. 
> > Jan  2 15:44:28 server kernel: conntrack_ftp: partial PORT 2339544491+1
> > Jan  2 15:44:31 server proftpd[3425]: server.domain 
> > (111.222.333.444[111.222.333.444]) - ProFTPD terminating (signal 11) 
> > Jan  2 15:44:31 server xinetd[17612]: EXIT: ftp status=1 pid=3425 
> > duration=8(sec)

The SECURITY VIOLATION message is ok and only occurs when somebody tries to
log in as root over ftp.
The SIG 11 seems to be another problem.
Please try to reproduce this with proftpd in standalone mode with the -nd 5 flags
for debugging.

Sven

-- 
Lamer! :)\nLocal admin with enormous rights[tm]
[Christian Schneider und Jens Himmelrath in alt.hacker.org-gcf]
http://www.linux-secure.de http://www.linuxboard.de
http://www.bluephod.net http://www.disconow.de







Re: ProFtpd question

2001-09-23 Thread Sven Hoexter
On Sun, Sep 23, 2001 at 10:47:47AM +0200, Luc MAIGNAN wrote:

Hi,

> is it possible via ProFtpd to allow one specific user to write on the server 
> but disable the feature for the others ?
Are you talking about normal access or anonymous?

When you use "normal" accounts just set up normal rights on the system
with the common tools chown, chgrp, chmod.

Sven

-- 
Sven Hoexter Earth - Germany - Leverkusen -=|=-  e-mail: [EMAIL PROTECTED]
rm -rf /usr/bin/laden
One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them







Re: OT: why they use IIS (was "red worm amusement")

2001-07-23 Thread Sven Hoexter
On Mon, Jul 23, 2001 at 12:02:00PM -0500, JonesMB wrote:
> this morning I read an interesting article on the "red worm amusement"
> topic that led to the weekend's heated discussion.  the article is at
> http://dailynews.yahoo.com/h/zd/20010723/tc/it_bugs_out_over_iis_security_1.
> html
> 
> here are a few interesting quotes from the article - 
> "Despite the widespread perception of IIS as a nonsecure server, many
> customers say that ... it (IIS) will remain their server of choice because
> they are too committed to Microsoft to make a switch practical or affordable."
> "I would switch if I could convince my company to do it,"
> "It's hard to find good Unix security guys"
*rotfl* yeah, and out in the wild are so many MCSEs which are all up to
date with their security patches ... so the Code Red Worm had no
chance to spread ...

Sven
-- 
Subject: Re: woody hanging
> WRT subject.
> $ apt-get install viagra ;-)
[Karsten M. Self in debian-user]







Re: proftpd exploit??

2001-05-24 Thread Sven Hoexter
On Thu, May 24, 2001 at 07:43:50PM +0200, Andres Herrera wrote:
> Hi!!
> 
> I have Potato in a machine, with 
> 
> ii  proftpd1.2.0pre10-2.0 Versatile, virtual-hosting FTP daemon
> 
> It's the last version in security.debian.org
> 
> I've tried to exploit it by login and sending:
> 
> ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../
> 
> and suddenly it began eating memory and getting slow all the system.
> 
> When I killed proftpd, system was almost KO.
This is an old and known bug. It's fixed in the CVS tree and the
current unstable version.
Have a look at the bug tracking system at www.proftpd.org
 
> Any solution??
There are a few PathDeny filters out to check this and other versions
of this bug.
The other solution is to upgrade to the very stable unstable version
;-)

Sven

-- 
Subject: Re: woody hanging
> WRT subject.
> $ apt-get install viagra ;-)
[Karsten M. Self in debian-user]
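
The glob blow-up in the two proftpd threads above (the "*/../*/../*" listing from 2002 and the PathDeny advice in this 2001 thread) can be modelled without an FTP server. This is an added example, not ProFTPD code: it expands a pattern over a constructed in-memory tree the way a server that never canonicalises intermediate results would, beside a hardened expander that de-duplicates after every segment and applies a hypothetical count-based pre-filter in the spirit of ProFTPD's PathDenyFilter directive (the real directive takes a regular expression).

```python
import fnmatch
import posixpath

# Constructed in-memory tree standing in for an anonymous FTP root with
# three top-level directories; names ending in "/" are directories.
TREE = {
    "/": ["pub/", "incoming/", "mirrors/"],
    "/pub": ["README", "a.tgz"],
    "/incoming": ["upload.txt"],
    "/mirrors": ["debian/"],
    "/mirrors/debian": ["dists/"],
}


class GlobBudgetExceeded(Exception):
    """The pattern would need more work than the server is willing to spend."""


def deny_filter(pattern, max_parent_refs=2):
    """Hypothetical pre-filter: refuse a path argument that climbs with ".."
    more than `max_parent_refs` times. Stand-in for a PathDenyFilter regex."""
    return pattern.split("/").count("..") > max_parent_refs


def _listdir(path):
    """Listing for the canonical form of `path`, clamped to the chroot "/"."""
    canon = posixpath.normpath(posixpath.join("/", path))
    return [n.rstrip("/") for n in TREE.get(canon, [])]


def _step(cand, seg):
    """Apply one pattern segment to one candidate path, no canonicalisation."""
    if seg == "..":
        return [cand.rstrip("/") + "/.."]
    if any(ch in seg for ch in "*?["):
        return [posixpath.join(cand, n) for n in _listdir(cand)
                if fnmatch.fnmatchcase(n, seg)]
    return [posixpath.join(cand, seg)] if seg in _listdir(cand) else []


def expand_naive(pattern, max_work=200):
    """Expand like the vulnerable server: intermediate candidates are never
    merged, so every "*/.." pair multiplies the list by the directory's
    fan-out ("/pub/..", "/incoming/.." and "/mirrors/.." stay distinct)."""
    candidates = ["/"]
    work = 0
    for seg in pattern.strip("/").split("/"):
        candidates = [p for c in candidates for p in _step(c, seg)]
        work += len(candidates)
        if work > max_work:
            raise GlobBudgetExceeded(f"{work} candidates after segment {seg!r}")
    return sorted({posixpath.normpath(c) for c in candidates})


def expand_hardened(pattern, max_work=200):
    """Same walk, but the pattern is pre-filtered and every intermediate
    candidate is canonicalised and de-duplicated, so the working set can
    never exceed the number of real paths in the tree."""
    if deny_filter(pattern):
        raise PermissionError("path argument rejected by deny filter")
    candidates = {"/"}
    work = 0
    for seg in pattern.strip("/").split("/"):
        candidates = {posixpath.normpath(posixpath.join("/", p))
                      for c in candidates for p in _step(c, seg)}
        work += len(candidates)
        if work > max_work:
            raise GlobBudgetExceeded(f"{work} candidates after segment {seg!r}")
    return sorted(candidates)


if __name__ == "__main__":
    short = "*/../*/../*"
    print("naive   ", expand_naive(short))
    print("hardened", expand_hardened(short))
    long_pattern = "/".join(["*", ".."] * 11 + ["*"])
    try:
        expand_naive(long_pattern)
    except GlobBudgetExceeded as exc:
        print("naive aborted:", exc)
```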







Re: Anti Virus for Debian

2001-02-20 Thread Sven Hoexter
On Tue, Feb 20, 2001 at 01:59:20PM +1000, Mario Zuppini wrote:

Hi Mario,
first your Outlook and the TOFU it produces sucks!

> I would also like to know of virus scanners especially for mail servers ie
> sendmail
> that will work on a SPARC ???
We use sendmail+amavis+nai. It works fine on a Solaris 7 box.

> there are a few that work under i386 ie like amavris etc can be found on
> freshmeat.net
> but nothing will work under a sparc
Amavis is only the API for several scanners and it works fine under
most Unix platforms.

Cu,
Sven

-- 
I don't know why you are all getting so worked up. The warning really is
clearly legible on the box. It says in big, clear letters: "Microsoft".
OF COURSE it doesn't work. They can't do more than warn you.
[Fefe in de.alt.sysadmin.recovery]


