Re: Advisory description text

2008-01-07 Thread Christoph Ulrich Scholler
Hi,

On 07.01. 13:54, Adam Majer wrote:
> Moritz Muehlenhoff wrote:
> > CVE-2007-3382
> > 
> > It was discovered that single quotes (') in cookies were treated
> > as a delimiter, which could lead to an information leak.
> > 
> > CVE-2007-3385
> > 
> > It was discovered that the character sequence \" in cookies was
> > handled incorrectly, which could lead to an information leak.
> > 
> > CVE-2007-5461
> > 
> > It was discovered that the WebDAV servlet is vulnerable to absolute
> > path traversal.
> > 
> 
> First of all, this is not targeted at this specific advisory or any
> person writing this advisory. :)
> 
> Generally, the first little bits of each and every CVE description
> above, as well as in other advisories sent out by Debian, is not needed.
> Please, remove the "It was discovered that" part from any templates that
> you may be using. That part is not needed. It is also implied and
> doesn't add anything to the advisory.

I respectfully disagree.  A short summary of what a CVE is about is very
useful for everyone not intimately familiar with all CVEs.  Remember
that Debian is not only used by seasoned professionals who know all
pertinent security advisory distribution channels by heart.  A little
"redundancy" is a good thing when humans are involved.

Regards

uLI


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: How to prevent daemons from ever being started?

2006-05-15 Thread Christoph Ulrich Scholler
Hi,

On 15.05. 17:09, Uwe Hermann wrote:
> What is "the Debian way" to prevent any daemon from ever starting,
> whether upon reboot, upon upgrade, upon new install etc.

If your default runlevel is 2, delete the symlink to the respective init
script in /etc/rc2.d or even in /etc/rc[2345].d.  Just make sure that
there is at least one such symlink still in place in any of
/etc/rc[S0123456].d.  If you do it like this no new symlinks will be
created upon upgrade.

Regards

uLI
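The runlevel-symlink procedure above, as an added example that is not part of the list post: it builds a constructed SysV rc tree under a temporary directory, removes the start links for the multi-user runlevels, and checks the point the reply makes about keeping at least one link in place. The directory layout (rc[S0-6].d, S##name / K##name links to ../init.d/name) is the usual Debian one; the service names "exim" and "foo" are made up for the demonstration.

```shell
# Added example (not from the list post): disable a daemon's SysV start links
# the way the reply describes, on a constructed /etc tree so it runs safely.
# Assumptions: rc directories $ETC/rc[S0-6].d with links named S##svc or K##svc
# pointing at ../init.d/svc; "exim" and "foo" are made-up service names.

# Build a constructed rc tree with the usual start (S) and kill (K) links.
make_fake_etc() {
  root=$1
  mkdir -p "$root/init.d"
  printf '#!/bin/sh\nexit 0\n' > "$root/init.d/exim"
  for rl in S 0 1 2 3 4 5 6; do mkdir -p "$root/rc$rl.d"; done
  for rl in 2 3 4 5; do ln -s ../init.d/exim "$root/rc$rl.d/S20exim"; done
  for rl in 0 1 6; do ln -s ../init.d/exim "$root/rc$rl.d/K20exim"; done
}

# Print how many links to init.d/$2 are left anywhere in $1/rc[S0123456].d.
remaining_links() {
  n=0
  for l in "$1"/rc[S0123456].d/[SK]??"$2"; do
    [ -L "$l" ] && n=$((n + 1))
  done
  echo "$n"
}

# Remove the start links in the multi-user runlevels 2-5. If that leaves no
# link at all, put a single kill link back: with no link present, the
# package's postinst (update-rc.d ... defaults) would recreate the full set
# on the next upgrade, which is the trap the reply warns about. Prints the
# number of links remaining.
disable_start_links() {
  etc=$1; svc=$2
  for rl in 2 3 4 5; do
    for l in "$etc/rc$rl.d"/S??"$svc"; do
      [ -L "$l" ] && rm -- "$l"
    done
  done
  if [ "$(remaining_links "$etc" "$svc")" -eq 0 ]; then
    ln -s "../init.d/$svc" "$etc/rc2.d/K20$svc"
  fi
  remaining_links "$etc" "$svc"
}

# Demo on a throwaway tree:  sh disable_links.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_fake_etc "$d"
  echo "before: $(remaining_links "$d" exim) links"
  echo "after:  $(disable_start_links "$d" exim) links"
  rm -r -- "$d"
fi
```

Run it with --demo to watch the count drop from seven links to the three kill links in rc0.d, rc1.d and rc6.d; on a real system the same loop would be pointed at /etc and run as root.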



Re: Strange Apache log and mambo security - sexy executable

2006-01-23 Thread Christoph Ulrich Scholler
Hi,

On 23.01. 07:46, Jose Marrero wrote:
> Apache configured with mod_rewrite to deny blank or fake referers is a
> good idea.

How can you tell that a referrer is fake?

Regards,

uLI



Re: web password change

2004-03-14 Thread Ulrich Scholler
Hi,

On Sun Feb 29, 2004 at 21:15:39 +0100, Nejc Novak wrote:
> I would like to make available to users some kind of 'web control panel'. I
> have created a design and also already integrated squirrelmail into it.
> Now I would also like them to have a web form for password changing. I've
> browsed freshmeat and I've found a program called chpasswd
> .

I'm using poppassd in conjunction with poppass-cgi via https.  The
advantage of this solution is that it uses PAM instead of directly
altering /etc/{passwd,shadow}.

Regards,

uLI



Re: Kernel 2.4.21 Forwarding table vulnerability

2003-07-28 Thread Ulrich Scholler
Hi Bruce,

On Mon Jul 28, 2003 at 11:38:51 -0700, Bruce Banner wrote:
> When were they patched? And how do I know when they
> are patched and when they are available?  Is there
> somewhere I can find this info?  I found the Red Hat
> info on Bugtraq but there was no mention of Debian
> Source anywhere.

You can go to http://packages.qa.debian.org/, search for a package of
your choice (for instance kernel-source-2.4.20) and check the "Latest
News".  These contain a brief description of the changes in a package,
in the same format as in /usr/share/doc//changelog.Debian.gz.

regards,

uLI



Re: configure ssh-access

2003-07-09 Thread Ulrich Scholler
Hi,

On Wed Jul 09, 2003 at 23:16:51 +0200, François TOURDE wrote:
> >  By allowing connections from only a
> > few IP address blocks, you cut out most of the crackers in the world, but
> > don't have to mess with dynamic DNS and lack of reverse lookup;  A good
> > tradeoff between security and convenience.
> 
> Even with fake/forged IP's ?

SSH is TCP-based.  IP spoofing on the internet is very hard to do.

> You can also imagine a knocking (? toc toc toc) mechanism: One ping,
> followed by two telnet packets, then 4 ftp or whatever packets, and
> then your ip is allowed to try a ssh connection...

This is security by obscurity.  Approaches like this have been discussed
on this list before.  It is the somewhat convoluted equivalent of a
plaintext password authentication scheme layered on top of SSH.

Regards,

uLI



Re: Strongest linux - kernel patches

2003-07-03 Thread Ulrich Scholler
Hi,

On Wed Jul 02, 2003 at 22:50:20 -0300, Peter Cordes wrote:
>  Luckily, that's a solved problem.  Con Kolivas's -ck3 patch for 2.4.21
> includes grsecurity and XFS.  (I didn't mention it before because I didn't
> realize it was significant. (I'm not using ACLs).)  Con's webpage is
> http://members.optusnet.com.au/ckolivas/kernel/ 

During the reign of 2.4.19, I've had problems with kswapd dying after a
few days of uptime when I used the -ck patches.  Is this still the case?

regards,

uLI



SSH version identification (was Re: Someone scanned my ssh daemon)

2003-06-17 Thread Ulrich Scholler
Hi,

On Tue Jun 17, 2003 at 10:44:01 -0400, Phillip Hofmeister wrote:
> On Tue, 17 Jun 2003 at 11:56:36PM +1000, Mark Devin wrote:
> > I was going to say exactly this earlier in the thread.  I put this
> > in My
> > Apache config quite some time ago when I realised I could.  There
> > should
> > be something similar in the sshd_config in my opinion.
> 
> File a wishlist bug with the ssh package.

The issue of the sshd identification string has been discussed previously
(http://lists.debian.org/debian-security/2002/debian-security-200210/msg00318.html).

It was suggested to edit the source of sshd, hexedit the sshd binary, or
to file a bug
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=139505&repeatmerged=yes).

An advantage of being chatty in the identification string is that Debian
backports security fixes to the versions in stable, which is visible in
the identification string (it specifies the package version).  This can
be used to pacify over-excited network admins, who think that someone
has unpatched machines on their network.

Personally, I would like to have a configuration option in
/etc/ssh/sshd_config.  There seems to be such an option in FreeBSD's
sshd (mentioned in the thread referenced above).

Regards,

uLI



Re: Unusable Update for Stable

2003-02-13 Thread Ulrich Scholler
hi,

On Thu Feb 13, 2003 at 08:30:27 +0100, Lupe Christoph wrote:
> Does anybody know why stable/updates/main on http://security.debian.org
> has a package that depends on a libc that is not available for Stable?

yes, because the package you are trying to install is neither in stable
nor in its updates/security fixes.  see below.

> # apt-cache policy libapache-mod-ssl
> libapache-mod-ssl:
>   Installed: 2.8.9-2.1
>   Candidate: 2.8.9-2.3
>   Version Table:
>  2.8.9-2.3 0
> 500 http://ftp.tu-clausthal.de unstable/non-US/main Packages
>
>  2.8.9-2.2 0
> 500 http://ftp.tu-clausthal.de testing/non-US/main Packages
>  *** 2.8.9-2.1 0
> 200 http://security.debian.org stable/updates/main Packages
> 100 /var/lib/dpkg/status
>  2.8.7-1 0
> 500 http://ftp.tu-clausthal.de stable/non-US/main Packages

apt is trying to install the libapache-mod-ssl from unstable.  as you can
see the candidate version is the same as in unstable.

regards,

uLI



Re: PermitRootLogin enabled by default

2002-06-26 Thread Christoph Ulrich Scholler
On Wed, Jun 26, 2002 at 02:11:00PM +0200 or thereabouts, InfoEmergencias - Luis Gómez wrote:
> Messing up with sshd_config for all the privsep stuff, I've noticed that
> PermitRootLogin was set to yes in my three woody boxes. I usually
> consider this a problem (although it has been my fault - i should have
> checked and noticed this much time ago). What do you think of this?

disallowing direct root logins via ssh provides for auditing.  you will
always know which user became root.  this is why i keep PermitRootLogin
turned off.

regards,

uLI
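A check for the setting discussed above, added here as an example and not part of the list post: it reports the value sshd will actually use for PermitRootLogin from a given sshd_config. The caveat worth knowing is that sshd keeps the first value it reads for a keyword, so appending "PermitRootLogin no" below an existing "yes" changes nothing, and anything inside a Match block applies only conditionally. The function names and the sample configurations are constructed for the example.

```shell
# Added example (not from the post): report the value sshd will actually use
# for PermitRootLogin from an sshd_config file. sshd keeps the FIRST value it
# reads for a keyword, so a "PermitRootLogin no" appended below an earlier
# "yes" changes nothing; directives under a Match block only apply
# conditionally and are not counted here. Prints "unset" when the global
# section never mentions the keyword (the compiled-in default then applies).
permit_root_login() {
  awk '
    { sub(/^[ \t]+/, "") }                  # strip leading indentation
    /^#/ || /^$/ { next }                   # comments and blank lines
    {
      split($0, f, "[ \t=]+")               # "Key value" or "Key=value"
      key = tolower(f[1])
    }
    key == "match" { exit }                 # rest of the file is conditional
    key == "permitrootlogin" { print tolower(f[2]); found = 1; exit }
    END { if (!found) print "unset" }
  ' "$1"
}

# Audit helper: exit 0 only when direct root logins are fully disabled, i.e.
# every root shell must come from a named user via su/sudo, which is the
# accountability argument made in the reply. Any other value (yes,
# without-password, prohibit-password, forced-commands-only, unset) still
# permits some form of direct root login.
check_root_login() {
  v=$(permit_root_login "$1")
  case $v in
    no) echo "$1: PermitRootLogin no (root reachable only via su/sudo)"; return 0 ;;
    *)  echo "$1: PermitRootLogin is '$v'; direct root logins possible"; return 1 ;;
  esac
}

# Usage:  sh check_rootlogin.sh /etc/ssh/sshd_config
[ $# -eq 0 ] || check_root_login "$1"
```

On a live host, sshd -T prints the effective configuration and is the authoritative answer; this parser is for auditing config files that are not on the machine you are running on.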



Re: VI wrapper for SUDO?

2001-11-30 Thread Christoph Ulrich Scholler
hi,

maybe i misunderstand the intention here, but isn't it pointless to
restrict privileges of the editing process of /etc/aliases if you could
just as well change root's alias to a program that's run whenever root
receives email and, e. g., puts one's most favourite /etc/passwd in
place of the original?

regards,

uLI

On Thu, Nov 29, 2001 at 02:45:08PM -0800 or thereabouts, William R Ward wrote:
> A lazy sysadmin, not thinking through the ramifications, might put
> things like "/usr/bin/vi /etc/aliases" in the sudoers file, thinking
> that it limits access.  But of course, vi has the ":e" command...
> 
> Is there any kind of wrapper that can be used to allow sudo to grant
> editing access to only one file?  I am thinking of something similar
> to vipw or visudo, but with security in mind; following this basic
> algorithm:
> 
> 1. Using user privileges, copy the desired file to a temp file owned
>    by the real user.
> 2. Using user privileges, edit the temp file.
> 3. Using root privileges, copy the temp file to the final location.
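The three-step scheme quoted above, written out as an added example (not code from the thread): the editor only ever runs with the user's privileges on a copy, so editor escapes such as ":e" buy nothing, and the privileged step is a plain copy back with no user-controlled program involved. Modern sudo ships this idea as sudoedit (sudo -e); the script below is an illustration of the algorithm and the checks it needs, not sudo's code. It assumes it is invoked through sudo (SUDO_USER set) for real use, or unprivileged for testing, and that $EDITOR is an executable taking the file as its single argument.

```shell
# Added example, not code from the thread: a minimal "edit exactly one file"
# wrapper following the three quoted steps (copy as the user, edit as the
# user, install as root). Modern sudo provides this as sudoedit / sudo -e.
# Assumptions: run via sudo (SUDO_USER set) for real use, or unprivileged for
# testing; $EDITOR is an executable taking the file as its single argument.

# Run a command as the invoking user when we are root under sudo; otherwise
# run it directly, so the wrapper can be exercised without privileges.
as_user() {
  if [ "$(id -u)" = 0 ] && [ -n "${SUDO_USER:-}" ]; then
    sudo -u "$SUDO_USER" -- "$@"
  else
    "$@"
  fi
}

# Returns 0 on success or no change, 2 if the target is rejected, 1 on failure.
edit_one_file() {
  target=$1
  # Reject symlinks and non-regular files: a link planted at the target path
  # would redirect the privileged write in step 3 somewhere else.
  if [ -L "$target" ] || [ ! -f "$target" ]; then
    echo "refusing $target: not a regular file" >&2
    return 2
  fi
  # Step 1: copy to a temp file created by, and owned by, the real user.
  # (A file the user cannot read would need a root copy plus chown instead.)
  tmp=$(as_user mktemp) || return 1
  as_user sh -c 'cat -- "$1" > "$2"' sh "$target" "$tmp" || { rm -f -- "$tmp"; return 1; }
  # Step 2: the editor runs with user privileges on the copy only, so ":e"
  # and similar editor escapes stay confined to what the user may do anyway.
  as_user "${EDITOR:-vi}" "$tmp" || { rm -f -- "$tmp"; return 1; }
  # Step 3: install with root privileges, only if something changed.
  if cmp -s "$tmp" "$target"; then
    rm -f -- "$tmp"
    return 0
  fi
  # Overwrite in place so the target keeps its owner and mode; moving the
  # temp file over it would install the user's ownership instead.
  cp -- "$tmp" "$target" && rc=0 || rc=$?
  rm -f -- "$tmp"
  return "$rc"
}

# Usage:  sudo sh editone.sh /etc/aliases   (no argument: only define functions)
[ $# -eq 0 ] || edit_one_file "$1"
```

The check in step 3 is deliberately a content copy rather than a rename: it keeps the file's ownership and mode, which is what a wrapper around files like /etc/aliases must preserve. What it does not fix is Scholler's objection above: limiting how /etc/aliases is edited does nothing about what an alias pointing at a program can do once root's mail is delivered.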



Re: rogue Chinese crawler

2001-11-23 Thread Christoph Ulrich Scholler
On Fri, Nov 23, 2001 at 05:32:04PM + or thereabouts, Martin WHEELER wrote:
> Is anyone else having problems with the robot from
> 
>  openfind.com.tw
> ...
> Anyone know of a sure-fire robot killer under woody?

as a first recourse you could instruct your firewall to deny all access
from openfind.com.tw to your machine:80.

regards,

uLI