Re: Grave apache dos possible through byterange requests

2011-08-28 Thread Thomas Hungenberg
Carlos Alberto Lopez Perez wrote:
> The new advisory [1] recommends this:
> 
>  # Drop the Range header when more than 5 ranges.
>  # CVE-2011-3192
>  SetEnvIf Range (?:,.*?){5,5} bad-range=1
>  RequestHeader unset Range env=bad-range
> 
>  # We always drop Request-Range; as this is a legacy
>  # dating back to MSIE3 and Netscape 2 and 3.
>  RequestHeader unset Request-Range
> 
>  # optional logging.
>  CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
>  CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-req-range

What's the use of the second CustomLog line?
'bad-req-range' is never set, is it?

  - Thomas


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4e5aa494.8030...@demonium.de
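
The check behind the question above, as an added example (not part of the original message or of the advisory): it reads the quoted directives, applies the SetEnvIf rule to constructed header values, and lists env= names that no SetEnvIf line sets. The function names and sample headers are assumptions; Python's re stands in for Apache's PCRE, which treats this pattern the same way.

```python
import re

# Directives quoted in the message above (wrapped lines joined, comments dropped).
ADVISORY = r"""
SetEnvIf Range (?:,.*?){5,5} bad-range=1
RequestHeader unset Range env=bad-range
RequestHeader unset Request-Range
CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-req-range
"""

def parse_setenvif(config):
    """Return (header, compiled regex, [variables set]) for each SetEnvIf line.
    Assumes unquoted regexes without spaces, as in the snippet."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[0].lower() == "setenvif":
            names = [t.split("=", 1)[0] for t in tok[3:] if not t.startswith("!")]
            rules.append((tok[1].lower(), re.compile(tok[2]), names))
    return rules

def env_for_request(config, headers):
    """Variables the SetEnvIf rules set for a request; header names lower-case."""
    env = set()
    for header, regex, names in parse_setenvif(config):
        value = headers.get(header)
        if value is not None and regex.search(value):
            env.update(names)
    return env

def dangling_env_refs(config):
    """env= conditions that refer to a variable no SetEnvIf line ever sets."""
    defined = {n for _, _, names in parse_setenvif(config) for n in names}
    used = set(re.findall(r"\benv=!?([\w-]+)", config))
    return sorted(used - defined)

if __name__ == "__main__":
    six = "bytes=0-1,2-3,4-5,6-7,8-9,10-11"   # constructed: 6 ranges, 5 commas
    five = "bytes=0-1,2-3,4-5,6-7,8-9"        # constructed: 5 ranges, 4 commas
    print(env_for_request(ADVISORY, {"range": six}))          # rule fires
    print(env_for_request(ADVISORY, {"range": five}))         # rule does not fire
    print(env_for_request(ADVISORY, {"request-range": six}))  # nothing is set
    print(dangling_env_refs(ADVISORY))
```
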



Re: aptitude upgrade vs. apt-get upgrade

2011-04-01 Thread Thomas Hungenberg
Piotr Drozdek wrote:
> I don't have any packages with 'id' status in my system. I don't know
> what they mean. Maybe somebody can help?

I think 'd' marks packages for deletion?
However, I have not requested to delete all these packages.

> But - to resolve your problem: can you just do this upgrade (8 packages)
> now?
> And upgrade tex-common manually:
> aptitude install tex-common=2.08.1

The problem with the missing update of tex-common can be solved by
using either 'apt-get upgrade' or 'aptitude full-upgrade'.

However, I still wonder what's going wrong with 'aptitude update'.
Maybe a lot of other people who update their systems this way are
missing some security updates?


- Thomas


Archive: http://lists.debian.org/4d95bc67.9070...@demonium.de



Re: aptitude upgrade vs. apt-get upgrade

2011-04-01 Thread Thomas Hungenberg
Piotr Drozdek wrote:
> On 2011-03-31, at 20:11:40
> Thomas Hungenberg wrote:
> 
>> Piotr Drozdek wrote:
>> > Show me results of
>> > apt-cache policy tex-common
>> 
>> tex-common:
>>   Installed: 2.08
>>   Candidate: 2.08.1
>>   Version table:
>>      2.08.1 0
>>         500 http://security.debian.org/ squeeze/updates/main i386 Packages
>>  *** 2.08 0
>>         500 http://ftp.de.debian.org/debian/ squeeze/main i386 Packages
>>         100 /var/lib/dpkg/status
>> 
>> 
>> > dpkg --get-selections |grep tex-common
>> 
>> tex-common  install
>> 
>> 
>>- Thomas
>> 
>> 
> 
> Everything looks fine. Candidate is a new version.
> Do upgrade by typing:
> 
> apt-get update
> aptitude full-upgrade

Interesting... 'aptitude full-upgrade' works:

# aptitude -s full-upgrade
The following packages will be upgraded:
  bind9-host dnsutils libbind9-60 libdns69 libisc62 libisccc60 libisccfg62 liblwres60 tex-common
9 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

but 'aptitude update' misses the security update for 'tex-common':

# aptitude -s upgrade
The following packages will be upgraded:
  bind9-host dnsutils libbind9-60 libdns69 libisc62 libisccc60 libisccfg62 liblwres60
8 packages upgraded, 0 newly installed, 0 to remove and 1 not upgraded.


I just noticed that the package 'tex-common' is marked 'id' in aptitude:

# aptitude search tex-common
id  tex-common  - common infrastructure for building and installing TeX

Maybe this is the reason?
There are dozens of other packages marked 'id', like debian-keyring, strace, ...
I don't think this was the case before the upgrade from lenny to squeeze.


- Thomas


Archive: http://lists.debian.org/4d958d30.9070...@demonium.de



Re: aptitude upgrade vs. apt-get upgrade

2011-03-31 Thread Thomas Hungenberg
Piotr Drozdek wrote:
> Show me results of
> apt-cache policy tex-common

tex-common:
  Installed: 2.08
  Candidate: 2.08.1
  Version table:
     2.08.1 0
        500 http://security.debian.org/ squeeze/updates/main i386 Packages
 *** 2.08 0
        500 http://ftp.de.debian.org/debian/ squeeze/main i386 Packages
        100 /var/lib/dpkg/status


> dpkg --get-selections |grep tex-common

tex-common  install


   - Thomas


Archive: http://lists.debian.org/4d94c3dc.6050...@demonium.de



Re: aptitude upgrade vs. apt-get upgrade

2011-03-31 Thread Thomas Hungenberg
Hector Oron wrote:
> Can you check which it is the status of tex-common, is it held by any
> reason? aptitude frontend it is very good to find out such things.

'aptitude search ~ahold' returns no results.

$ dpkg -l tex-common
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name        Version  Description
+++-=-=-==
ii  tex-common  2.08     common infrastructure for building and installing TeX

Looks ok for me.


   - Thomas


Archive: http://lists.debian.org/4d94c36f.80...@demonium.de



aptitude upgrade vs. apt-get upgrade

2011-03-31 Thread Thomas Hungenberg
Hi,

since upgrading from lenny to squeeze, I've noticed several times that aptitude
does not install all available security updates whereas apt-get does.

Currently, this looks like:

# aptitude -s upgrade
The following packages will be upgraded:
  bind9-host dnsutils libbind9-60 libdns69 libisc62 libisccc60 libisccfg62 liblwres60
8 packages upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

# apt-get -s upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  bind9-host dnsutils libbind9-60 libdns69 libisc62 libisccc60 libisccfg62 liblwres60 tex-common
9 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

What's the reason for this?

   - Thomas


Archive: http://lists.debian.org/4d94784f.3080...@demonium.de



Re: DSA-1494-1 - Graphics errors

2008-02-21 Thread Thomas Hungenberg
Thomas Hungenberg wrote on 14.02.2008 15:40:
> I was using linux-image-2.6.18-5 on my Thinkpad notebook (ATI graphics)
> without problems.
> Now I installed linux-image-2.6.18-6 from DSA-1494-1.
> After booting the new kernel version, I experienced graphics errors
> (horizontal lines below the mouse pointer) and X.org eats up lots of
> CPU resources.
> With the old kernel version everything still runs fine.
> 
> Anyone having similar problems with the new kernel version?

Problem solved:
I am using the fglrx driver for x.org and did not notice that the
corresponding kernel module was not built and installed correctly
with m-a for the new kernel version.
After installing the fglrx kernel module correctly everything runs
fine with the new kernel.

I am a little bit surprised that - apart from small graphics errors
and some performance issues - the fglrx driver runs fine without
the kernel module.
I thought that starting x.org would fail if the kernel module is not
available.


- Thomas





Re: DSA-1494-1 - Graphics errors

2008-02-18 Thread Thomas Hungenberg
Florian Weimer wrote on 18.02.2008 22:33:
> Could you please post "uname -a" output from the old and new kernels?

Linux xyz 2.6.18-5-686 #1 SMP Mon Dec 24 16:41:07 UTC 2007 i686 GNU/Linux

Linux xyz 2.6.18-6-686 #1 SMP Sun Feb 10 22:11:31 UTC 2008 i686 GNU/Linux


   - Thomas





Re: DSA-1494-1 - Graphics errors

2008-02-14 Thread Thomas Hungenberg
Riku Valli wrote on 14.02.2008 18:04:
> I just installed 2.6.18-6-686 and compiled my Ati's proprietary drivers 
> for this kernel. No problems. I used Thinkpad too (T61) if I remember 
> right.

I'm using X.org's ATI driver on a T60.


   - Thomas





DSA-1494-1 - Graphics errors

2008-02-14 Thread Thomas Hungenberg
Hi,

I was using linux-image-2.6.18-5 on my Thinkpad notebook (ATI graphics)
without problems.
Now I installed linux-image-2.6.18-6 from DSA-1494-1.
After booting the new kernel version, I experienced graphics errors
(horizontal lines below the mouse pointer) and X.org eats up lots of
CPU resources.
With the old kernel version everything still runs fine.

Anyone having similar problems with the new kernel version?


   - Thomas





Re: sshd: Logging illegal users

2004-08-24 Thread Thomas Hungenberg
On Thu, 19 Aug 2004 11:52:51 +0300 (EEST), Martin Fluch wrote:

> Do you really want to log those illegal user names? If you do so, you 
> would run into danger to log passwords in plain text as well, when you 
> accidentally enter the password when ssh asks you for the user name...

I'm aware of that, but there are situations when logging the usernames
is quite interesting.
For example, if there is an increase in ssh scanning like over the
last weeks, it is nice to put a machine on the net which offers no
other services (kind of a honeypot) and see what usernames the
attackers are trying.


  - Thomas

-- 
PGP: 2047Bit RSA, ID 0x668E601D - Encrypted mail welcome!





Re: sshd: Logging illegal users

2004-08-24 Thread Thomas Hungenberg
On Fri, 20 Aug 2004 02:26:17 -0600, Will Aoki wrote:

>> > Set "LogLevel VERBOSE" in /etc/ssh/sshd_config
>> 
>> LogLevel is already set to VERBOSE. But even with LogLevel DEBUG the
>> invalid usernames are not logged. :-(
>> I tested that on three different machines running Debian/woody.
>
> It works for me on all of my machines running woody, including a fresh
> installation I did last week.

I just figured out that when setting "UsePrivilegeSeparation" to "no"
in sshd_config, also sshd on Debian/woody logs 

sshd[xxx]: Failed  for illegal user  from xxx.xxx.xxx.xxx port x ssh2

But with PrivilegeSeparation turned on, the username is not logged.

However, sshd from Debian/sarge also logs the illegal usernames with
PrivilegeSeparation turned on.


So I wonder if you do not use PrivilegeSeparation on your woody
installations?


  - Thomas

-- 
PGP: 2047Bit RSA, ID 0x668E601D - Encrypted mail welcome!





Re: sshd: Logging illegal users

2004-08-19 Thread Thomas Hungenberg
On Sun, 15 Aug 2004 12:34:59 -0600, Will Aoki wrote:

>> Is there a way to make the sshd included with Debian/woody to also log
>> the usernames an attacker tried to connect with?
>
> Set "LogLevel VERBOSE" in /etc/ssh/sshd_config

LogLevel is already set to VERBOSE. But even with LogLevel DEBUG the
invalid usernames are not logged. :-(
I tested that on three different machines running Debian/woody.

Could this be a PAM issue? Is there perhaps a configuration variable
to turn on logging of invalid usernames in PAM like LOG_UNKFAIL_ENAB 
in /etc/login.defs?


  - Thomas

-- 
PGP: 2047Bit RSA, ID 0x668E601D - Encrypted mail welcome!





sshd: Logging illegal users

2004-08-15 Thread Thomas Hungenberg
Hello,

sshd included with Debian/sarge logs connection attempts with illegal
usernames this way:

sshd[xxx]: Illegal user  from xxx.xxx.xxx.xxx
sshd[xxx]: Failed unknown for illegal user  from xxx.xxx.xxx.xxx port x ssh2

However, the older sshd version from Debian/woody by default only logs
the following when trying to connect with an illegal username:

sshd[xxx]: Connection from xxx.xxx.xxx.xxx port x
sshd[xxx]: Enabling compatibility mode for protocol 2.0

Is there a way to make the sshd included with Debian/woody to also log
the usernames an attacker tried to connect with?


  - Thomas

-- 
PGP: 2047Bit RSA, ID 0x668E601D - Encrypted mail welcome!
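
An added example (not part of the original posts) of using the sarge-style "Illegal user" lines once they are logged: it tallies the user names tried and how many source addresses tried each. The syslog prefix, the sample names, addresses and PIDs are constructed, and the min_sources cut-off is an assumption added here because, as a reply in this thread points out, a password typed at the user name prompt ends up in the same field.

```python
import re
from collections import defaultdict

# Constructed sample lines in the sarge format quoted above; user names,
# PIDs and addresses (documentation ranges) are made up for the example.
SAMPLE_LOG = """\
Aug 15 10:00:01 host sshd[1201]: Illegal user test from 192.0.2.10
Aug 15 10:00:03 host sshd[1201]: Failed password for illegal user test from 192.0.2.10 port 40112 ssh2
Aug 15 10:02:11 host sshd[1207]: Illegal user guest from 192.0.2.10
Aug 15 10:05:40 host sshd[1215]: Illegal user test from 198.51.100.7
Aug 15 10:07:02 host sshd[1220]: Connection from 203.0.113.5 port 51000
Aug 15 10:09:30 host sshd[1231]: Illegal user Tr0ub4dor&3 from 203.0.113.5
"""

# Only the "Illegal user" line is counted, so the matching "Failed ... for
# illegal user" line of the same attempt is not counted a second time.
ILLEGAL_USER = re.compile(r"sshd\[\d+\]: Illegal user (?P<user>.*) from (?P<src>\S+)$")

def attempted_users(log_text):
    """Map each illegal user name to the set of source addresses that tried it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = ILLEGAL_USER.search(line)
        if m:
            seen[m.group("user")].add(m.group("src"))
    return dict(seen)

def report(log_text, min_sources=2):
    """Return ([(name, source_count), ...], withheld_count).
    Names tried from fewer than min_sources addresses are counted but not
    listed, since a one-off value may be a mistyped password."""
    seen = attempted_users(log_text)
    shown = sorted(((u, len(s)) for u, s in seen.items() if len(s) >= min_sources),
                   key=lambda pair: (-pair[1], pair[0]))
    withheld = sum(1 for s in seen.values() if len(s) < min_sources)
    return shown, withheld

if __name__ == "__main__":
    shown, withheld = report(SAMPLE_LOG)
    for name, count in shown:
        print(f"{name}: tried from {count} addresses")
    print(f"{withheld} name(s) withheld (seen from a single address)")
```
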

