Re: Two HDD on Desktop PC

2019-08-05 Thread Vladislav Kurz
On 05/08/2019 11:08, Mostaf Faridi wrote:
> Thanks for your reply.
> Your guide is good.
> I want the Debian HDD not to be mountable and usable from Linux Mint.
> I want Linux Mint to be unable to mount the Debian HDD.
> I want to find a way to configure my Debian system to prevent other OSes
> from mounting the Debian HDD.

In that case you have to encrypt both Debian and Mint drives, or
physically disconnect them.

-- 
Best Regards
Vladislav Kurz

> 
> MyWebSite http://mfaridi.com
> 




Re: Two HDD on Desktop PC

2019-08-05 Thread Vladislav Kurz
On 04/08/2019 21:51, Mostaf Faridi wrote:
> I have a desktop PC with two HDDs. On the first HDD I have Debian 10 and on
> the second HDD I have Linux Mint.
> The file system on Debian is Ext4.
> When I boot Linux Mint I can access the files on the Debian HDD.
> I do not want this to happen.
> I want none of my files to be accessible by another Linux distro.
> How can I configure this?
> 
> MyWebSite http://mfaridi.com

Hello Mostaf,

there have been already some suggestions. But to find the right
solution, you have to say what level of isolation of those two systems
you need.

- is it just to prevent unprivileged users from accessing the other
drive? - then umount and removal from fstab is probably enough

- is it to prevent root from reading the other drive? - then you must
encrypt

- is it to prevent root from erasing the other drive? - then you must
physically remove it each time

-- 
Best Regards
Vladislav Kurz



Re: Two HDD on Desktop PC

2019-08-05 Thread Vladislav Kurz
On 04/08/2019 23:57, Ruslanas Gžibovskis wrote:
> 2) If you just do not want to see it, run: find / -type f -delete 

OMG, I thought that members of Debian community would not give this sort
of malicious advice. That command deletes everything.

Please be nice to each other.

-- 
Best Regards
    Vladislav Kurz



Re: APT vulnerability [DSA 4371-1]

2019-01-22 Thread Vladislav Kurz
On 1/22/19 3:43 PM, Evgeny Kapun wrote:
> On 22.01.2019 16:59, Vladislav Kurz wrote:
>> Hello everybody,
>>
>> I'm also encountering many errors when using
>>   apt -o Acquire::http::AllowRedirect=false update
>>   apt -o Acquire::http::AllowRedirect=false upgrade
>>
>> As written in the announcement: This is known to break some proxies when
>> used against security.debian.org.
>>
>> However I do not use a proxy at all. I have problems with jessie/updates,
>> cdn.debian.net, and http.debian.net
> 
> Try these URLs: http://cdn-fastly.deb.debian.org/debian,
> http://cdn-fastly.deb.debian.org/debian-security. The domains
> cdn.debian.net and http.debian.net are deprecated, use deb.debian.org
> instead.

Thanks for this info. It seems that jessie needs the above direct URL to
fastly even if not behind proxy (can't use SRV records).


-- 
Best Regards
Vladislav Kurz



APT vulnerability [DSA 4371-1]

2019-01-22 Thread Vladislav Kurz
Hello everybody,

is this vulnerability also affecting apt-get?
If yes, will there be another DSA soon?

I'm also encountering many errors when using
 apt -o Acquire::http::AllowRedirect=false update
 apt -o Acquire::http::AllowRedirect=false upgrade

As written in the announcement: This is known to break some proxies when
used against security.debian.org.

However I do not use a proxy at all. I have problems with jessie/updates,
cdn.debian.net, and http.debian.net

Err http://security.debian.org jessie/updates/main i386 Packages
  302  Found [IP: 217.196.149.233 80]
Err http://security.debian.org jessie/updates/contrib i386 Packages
  302  Found [IP: 217.196.149.233 80]
Err http://security.debian.org jessie/updates/non-free i386 Packages
  302  Found [IP: 217.196.149.233 80]
Fetched 151 kB in 9s (16.2 kB/s)

Err:14 http://cdn.debian.net/debian stretch Release
  302  Found [IP: 2001:4f8:1:c::15 80]
Err:15 http://cdn.debian.net/debian stretch-updates Release
  302  Found [IP: 2001:4f8:1:c::15 80]
Err:16 http://cdn.debian.net/debian stretch-backports Release
  302  Found [IP: 2001:4f8:1:c::15 80]

Err:7 http://http.debian.net/debian stretch Release
  302  Found [IP: 2001:67c:2564:a119::148:14 80]
Err:8 http://http.debian.net/debian stretch-updates Release
  302  Found [IP: 2001:67c:2564:a119::148:14 80]
Err:9 http://http.debian.net/debian stretch-backports Release
  302  Found [IP: 2001:67c:2564:a119::148:14 80]


-- 
Best Regards
Vladislav Kurz



Re: samba security update - workaround does not start

2018-03-13 Thread Vladislav Kurz
Hello all,

I wanted to run the workaround script from
https://wiki.samba.org/index.php/CVE-2018-1057

But it fails with:

# ./samba_CVE-2018-1057_helper --lock-pwchange
Temporarily overriding 'dsdb:schema update allowed' setting
Traceback (most recent call last):
  File "./samba_CVE-2018-1057_helper", line 139, in <module>
sd_helper.modify_sd_on_dn(msg.dn, new_desc)
  File "/usr/lib/python2.7/dist-packages/samba/sd_utils.py", line 40, in
modify_sd_on_dn
m.dn = Dn(self.ldb, object_dn)
TypeError: argument 2 must be string, not ldb.Dn
A transaction is still active in ldb context [0x228cc20] on
tdb:///var/lib/samba/private/sam.ldb


--dry-run runs nicely, listing all users from LDAP.

Does anyone have an idea what's wrong? Maybe some python modules?


-- 
Best Regards
    Vladislav Kurz



Re: vulnerability in 8.6

2016-11-10 Thread Vladislav Kurz
On 11/10/16 04:20, Richard Waterbeek wrote:
> Hi Salvatore, Ozgur,
> 
> You posted this url; https://www.debian.org/security/2016/dsa-3696
> 
> But, I have looked for a update and I went to Debian package search and
> searched for; 'kernel image 686
> pae' 
> [https://packages.debian.org/search?suite=stable=all=any=names=kernel+image+686+pae]
> 
> This gave one result, which is; 'kernel-image-3.16.0-4-686-pae-di' and
> written with that, 'Linux kernel binary image for the Debian installer
> 3.16.36-1+deb8u1: i386'

Check what kernel your system is running:

# uname -a
Linux hostname 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2
(2016-10-19) x86_64 GNU/Linux

The kernel packages for the running system (not the installer) are
linux-image-***, not kernel-image-***.

You can check what is installed with: dpkg -l|grep linux

> And I read that I need a '+deb8u2' kernel?
> 
> Can someone explain to me what to do next? I have the assumption that a
> 'apt-get install "name-of-required-kernel-package"' would be sufficient?

apt-get update; apt-get upgrade

followed by reboot should be sufficient.

-- 
Best Regards
Vladislav Kurz



Re: [SECURITY] [DSA 3567-1] libpam-sshauth security update

2016-05-06 Thread Vladislav Kurz
On Friday 06 of May 2016 Jason Fisher  wrote:

> Unsubscribe

Sorry, I could not resist... 
http://xkcd.com/1675/



Re: [SECURITY] [DSA 3548-2] samba regression update [SA-DEBIAN #61116]

2016-04-14 Thread Vladislav Kurz
On Thursday 14 of April 2016 you wrote:

> -
> Debian Security Advisory DSA-3548-2                   secur...@debian.org
> https://www.debian.org/security/                     Salvatore Bonaccorso
> April 14, 2016                        https://www.debian.org/security/faq
> -
> 
> Package: samba
> Debian Bug : 820947
> 
> The upgrade to Samba 4.2 issued as DSA-3548-1 introduced a packaging
> regression causing an additional dependency on the samba binary package
> for the samba-libs, samba-common-bin, python-samba and samba-vfs-modules
> binary packages. Updated packages are now available to address this
> problem.

Thanks for the quick fix,

during the update I got the following error:

Unpacking samba-libs:amd64 (2:4.2.10+dfsg-0+deb8u2) over 
(2:4.2.10+dfsg-0+deb8u1) ...
dpkg: error processing archive /var/cache/apt/archives/samba-
libs_2%3a4.2.10+dfsg-0+deb8u2_amd64.deb (--unpack):
 trying to overwrite '/usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0', 
which is also in package samba 2:4.2.10+dfsg-0+deb8u1
dpkg-deb: error: subprocess paste was killed by signal (Broken pipe)

A subsequent run of apt-get -f install finished successfully.


-- 
Best regards
Vladislav Kurz

Headquarters: Celní 17/5, 63900 Brno, CZ
Web: http://www.webstep.net
E-Mail: i...@webstep.net
Tel: 840-840-700, +420.548214711
Terms and conditions: https://zkrat.to/op




Re: Call for testing: upcoming samba security update

2016-04-14 Thread Vladislav Kurz
Hi,

I have noticed that samba-common-bin now depends on samba. It didn't before 
the upgrade. Is there any special reason for that? I just need nmblookup on 
some servers (and smbclient/cifs) but not the server package.

-- 
Best Regards
Vladislav Kurz



Re: SSL/TLS still seems to be screwed up (retrieving Mail with Thunderbird)

2016-04-11 Thread Vladislav Kurz
On Monday 11 of April 2016 Elmar Stellnberger <estel...@gmail.com> wrote:

> Nonetheless the last time I had connected via a similar but more
> suspicious VPN to France I got a similar login attempt via my Google
> account from Vienna, Austria while I was staying in Carinthia and
> connected via Klagenfurt/Austria (where my ISP links to). That time
> there was definitely reason to believe in an attack of my Google account
> and I had my password changed.

Hi,

I would not worry myself, if the connection is reported to be from Vienna 
instead of Klagenfurt - it is still from the same country, and GeoIP databases 
are IMHO not very precise. 

But I cannot resist one question - why you use suspicious VPNs at all?

-- 
Best Regards
Vladislav Kurz



Re: Changing the "Reply-To:" for debian-security-announce

2016-03-03 Thread Vladislav Kurz
Hi all,

what about pointing reply-to to an address that will automatically unsubscribe?

Most of replies are either unsubscribe attempts or misconfigured vacation 
autoresponders.

I know it may be pretty harsh, but it will do away with trolls ;)

-- 
Regards
Vladislav Kurz



Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?

2014-04-09 Thread Vladislav Kurz
On Wednesday 09 of April 2014 13:26:06 bsod wrote:
 Am 2014-04-09 12:42, schrieb Rob van der Putten:
  According to a post on slashdot SSH is not effected. I don't know if
  this is correct.
 
 (Open-)SSH is not affected as it does not use openssl at all. Should be
 the same for other SSH daemons like dropbear as they are not using TLS
 in SSH Protocol.

So, why does openssh-server depend on libssl?

ldd /usr/sbin/sshd says it needs libcrypto.so, which is part of openssl?


-- 
Best regards
Vladislav Kurz

=== WebStep, s.r.o. (Ltd.) = a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
Terms and conditions: http://zkrat.to/op
=== www.webstep.net === vladislav.k...@webstep.net ===



Re: iptable mac address not showing in log

2013-02-19 Thread Vladislav Kurz
On Tuesday 19 of February 2013, sectech wrote:
 Hi, I need the MAC address of the originating request of outgoing packets.
 I'm not sure if I'm missing something or maybe Debian squeeze does not have
 this functionality? But here is my iptables command and I'm logging ALL NEW
 requests outgoing (INFO) on eth0
 iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -j LOG --log-level 6
 iptables -A OUTPUT -o eth0 -p udp -m state --state NEW -j LOG --log-level 6
 
 Feb 18 22:17:32 my-debian kernel: [50421.784255] IN= OUT=eth0 SRC=1.1.1.1
 DST=2.2.2.2 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=13743 PROTO=UDP SPT=1765
 DPT=53 LEN=61

Hi, if you are logging in the OUTPUT chain, then the MAC address is the address of 
your computer. Only packets generated by the computer itself are logged. In 
this case see ifconfig eth0 to get your MAC address.

Perhaps you wanted to log outgoing packets in the FORWARD chain?

-- 
Best regards
Vladislav Kurz

=== WebStep, s.r.o. (Ltd.) = a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net === vladislav.k...@webstep.net ===


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201302191024.03864.vladislav.k...@webstep.net



Re: [SECURITY] [DSA 2318-1] cyrus-imapd-2.2 security update

2011-10-10 Thread Vladislav Kurz
On Friday 07 of October 2011, Nico Golde wrote:
 --
 Debian Security Advisory DSA-2318-1                   secur...@debian.org
 http://www.debian.org/security/                               Nico Golde
 Oct 6, 2011                           http://www.debian.org/security/faq
 --
 
 Package: cyrus-imapd-2.2
 Vulnerability  : multiple
 Problem type   : remote
 Debian-specific: no
 Debian bug : none
 CVE IDs: CVE-2011-3372 CVE-2011-3208

Hello everybody,

I wonder if there is something wrong with this DSA. I manage a lot of servers 
with cyrus, but the update is available only on one of them (squeeze, amd64), 
and not on the others (squeeze/lenny, i386). I do not use nntp, so I feel 
safe, but it might indicate some build problems.

-- 
Best Regards
Vladislav Kurz


Archive: http://lists.debian.org/201110101204.21526.vladislav.k...@webstep.net



Long Exim break-in analysis

2010-12-21 Thread Vladislav Kurz
Hello all,

first, I apologize for a long mail. Don't read it if you don't like long e-mails.
But as Thorsten was already affected by the exim exploit I thought this might be 
interesting for all debian-exim users:

one of my friends asked me for help with his server, and I discovered that it 
was rooted through unpatched exim. System is being reinstalled now, and I 
decided to write something about this exploit. I hope you will find the info 
interesting. It won't be anything exact, because the machine is offline now, 
but anyway here it goes:

The first sign was that mail did not get through. The server was overloaded and a 
process named syslogd was using most of the CPU. At first sight top was 
looking a bit different than usual. ps showed processes /sbin/syslogd and 
syslogd (without path). The first one was ok, the second one was doing something 
nasty and using the CPU. /proc/PID/exe was a symlink to perl...

After I killed (-9) this rogue syslog, exim spawned a new one! So I killed them 
both. There were some interesting files in /var/spool/exim4/ - two configs 
that download a binary named setuid into /var/spool/exim4/, make it setuid 
and try to run it. The other config did the same in /var/spool/exim/.
I think it was the same as shown on the exim mailing list.

However /var/ was mounted nosuid so it failed (a few days ago). But the bad guy 
was able to get a shell as the debian-exim user, and compiled another binary. He 
left us the source ;) - it was supposed to install his public key 
into /root/.ssh/authorized_keys. I checked this file and found there a public 
key but it was different from the one in /var/spool/exim/. Removed.

It seems that the first attack was unsuccessful, but then some other attacker 
found that /tmp was not on a separate partition, and setuid worked there. He 
left some evidence in /var/spool/exim/.bash_history - downloading and running 
some rootkit. A further search for suspicious processes found an sshd on a port 
above 55000. Killed immediately.

Then I started to get annoyed by ls, because it was spewing errors. It was 
because I have alias l='ls --color=auto'. Pure ls was ok. So I started 
looking for modified binaries, and found that some are owned by UID=122 which 
was not present in /etc/passwd:

find /bin/ /sbin/ /usr/bin/ /usr/sbin/ -not -user root -ls

-rwxr-xr-x   1 122  114 54152 Dec  4  2005 /bin/netstat
-rwxr-xr-x   1 122  114 39696 Jan 30  2007 /bin/ls
-rwxr-xr-x   1 122  114 62920 Sep 13  2006 /bin/ps
-rwxr-xr-x   1 122  114 212747 Jan 30  2007 /sbin/ttyload
-rwxrwxr-x   1 122  114 93476 Jan 30  2007 /sbin/ttymon
-rwxr-xr-x   1 122  114 31504 Dec  4  2005 /sbin/ifconfig
-rwxr-xr-x   1 122  114 33992 Sep 13  2006 /usr/bin/top
-rwxr-xr-x   1 122  114 31452 Jan 30  2007 /usr/bin/md5sum
-rwxr-xr-x   1 122  114 12340 Aug  9  2006 /usr/bin/pstree
-rwxr-xr-x   1 122  114 59536 Jul 30  2007 /usr/bin/find

So now it was explained why ls and top behaved differently than usual. Of course 
we cannot trust these results because ls and find are modified as well...

The next idea was: they must have done something to start after reboot, so 
check /etc/inittab - and there was something like this:

# standard tty stuff
0:2345:respawn:/sbin/ttyload

nice comment, eh? Interesting is that mtime was probably preserved, but ctime 
was recent (a few hours).

ps did not show that ttyload is running, but killall killed something 
anyway ;) because on the first run it did not complain, but the second time it said: 
no process killed. Then I compared netstat (hacked) with nmap from outside, 
and found that lots of ports are missing. Apache is running but not listening 
according to netstat... so there might be further backdoors hidden.

That's almost all. The machine is now offline, replaced by another one. I'll try to 
get the hacked machine booted from a live CD, so I can examine it with 
trustworthy tools, and if I find more interesting things I'll post a follow-up.

Lessons learned:
1. subscribe to DSA and run apt-get
2. /var/spool, /var/tmp, /tmp and other places where unprivileged users can 
write should be mounted nosuid and even better noexec. It seems that this 
could prevent the attack, or at least make it much more difficult.

As for point 2. it's a pity that dpkg is using /tmp and /var/lib/dpkg/ to run 
scripts during installation and removal of packages. It would be nice if 
whole /var could be mounted noexec.

That's all folks
-- 
Regards
Vladislav Kurz


Archive: http://lists.debian.org/201012212307.37241.vladislav.k...@webstep.net
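The checks the post walks through, as an added example that is not the author's tooling: flag binaries owned by a UID with no /etc/passwd entry (the UID=122 finding), flag files whose ctime is far newer than their mtime (the preserved-mtime/recent-ctime observation), and flag /etc/inittab respawn entries that start something other than a getty (the /sbin/ttyload entry). The passwd text, file-owner list and inittab content are constructed samples, and the getty allowlist is an assumption to adjust per system.

```python
"""Post-compromise checks from the exim break-in analysis above.

Added example, not the author's tooling.  Results are returned, not printed,
so they can feed a report.  utime()/touch -r can preserve a file's mtime but
the kernel updates ctime regardless, which is what the ctime check relies on.
PASSWD_SAMPLE, FILES_SAMPLE and INITTAB_SAMPLE are constructed; GETTY_PREFIXES
is an assumed allowlist to adjust per system.
"""
import os
import tempfile
import time
from typing import Iterable, List, Set, Tuple

FileOwner = Tuple[str, int, int]  # (path, uid, gid), like `find -ls` columns
GETTY_PREFIXES = ("/sbin/getty", "/sbin/agetty", "/sbin/mingetty")  # assumed


def passwd_uids(passwd_text: str) -> Set[int]:
    """UIDs defined in /etc/passwd-style text (name:pw:uid:gid:...)."""
    uids = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            uids.add(int(fields[2]))
    return uids


def scan_tree(root: str) -> List[FileOwner]:
    """Live-system input for orphan_owned(): (path, uid, gid) of every file
    under root, read with os.lstat instead of a possibly replaced find/ls."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            found.append((path, st.st_uid, st.st_gid))
    return found


def orphan_owned(files: Iterable[FileOwner], known_uids: Set[int]) -> List[str]:
    """Paths whose owner UID is not defined in passwd."""
    return [path for path, uid, _gid in files if uid not in known_uids]


def ctime_after_mtime(paths: Iterable[str], min_gap: float = 3600.0) -> List[str]:
    """Paths whose inode change time is > min_gap seconds newer than mtime."""
    flagged = []
    for path in paths:
        st = os.lstat(path)
        if st.st_ctime - st.st_mtime > min_gap:
            flagged.append(path)
    return flagged


def suspicious_respawns(inittab_text: str,
                        allowed: Tuple[str, ...] = GETTY_PREFIXES) -> List[Tuple[str, str]]:
    """(id, process) of respawn entries whose program is not an allowed getty."""
    hits = []
    for line in inittab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)  # id:runlevels:action:process
        if len(fields) < 4:
            continue
        ident, _levels, action, process = fields
        if action == "respawn" and not process.startswith(allowed):
            hits.append((ident, process.strip()))
    return hits


def demo_ctime_check() -> Tuple[bool, bool]:
    """Two temp files: one gets its mtime pushed 30 days back (ctime stays
    'now'), one is left alone.  Returns (tampered flagged, clean flagged)."""
    with tempfile.TemporaryDirectory() as tmp:
        tampered, clean = os.path.join(tmp, "ls"), os.path.join(tmp, "cat")
        for path in (tampered, clean):
            with open(path, "wb") as fh:
                fh.write(b"\x7fELF")
        old = time.time() - 30 * 86400
        os.utime(tampered, (old, old))  # what `touch -r old` does: mtime only
        flagged = ctime_after_mtime([tampered, clean])
        return tampered in flagged, clean in flagged


# Constructed samples modelled on the post's findings.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
"""
FILES_SAMPLE = [("/bin/bash", 0, 0), ("/bin/ls", 122, 114),
                ("/sbin/ttyload", 122, 114), ("/usr/bin/passwd", 0, 42)]
INITTAB_SAMPLE = """\
id:2:initdefault:
si::sysinit:/etc/init.d/rcS
1:2345:respawn:/sbin/getty 38400 tty1
# standard tty stuff
0:2345:respawn:/sbin/ttyload
"""
```

On a live system, feed `scan_tree("/bin")` (and the other binary directories) to `orphan_owned()` and `ctime_after_mtime()`; running from a live CD, as the post plans, is what makes the stat results trustworthy.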



Re: exim4 router problems since 2 days / suspicious process zinit in pstree

2010-12-17 Thread Vladislav Kurz
On Friday 17 of December 2010, Thorsten Göllner wrote:
 Hi,
 
 I have installed Debian 5.0.7. Since 2 days my exim4 does not deliver
 mails. I always get the message, that the mail is not routeable. I only
 used dpkg-reconfigure exim4-config without touching one config file by
 hand. I detected a log message (panic log) which says, that there was a
 too large message. Since that point exim4 stopped working.

The last exploit of exim4 is based on too large messages causing buffer 
overflows that can lead to root privileges. (Sorry for the simplification, full 
details are on the exim mailing list).
 
 The other point is that pstree reports a process zinit I never saw in
 the past:
 
 snip

 But I do not have any idea what it is. And I can not see the process
 with ps:
 

If pstree shows zinit and ps does not, it might mean that you are already 
rooted (owned, hacked, cracked, etc), and your ps binary was modified to hide 
the presence of rootkit named zinit.

 Do I have a security issue here? Any other idea?

IMHO yes, you have a security issue.

-- 
Regards
Vladislav Kurz


Archive: http://lists.debian.org/201012171235.51130.vladislav.k...@webstep.net



Re: exim4 router problems since 2 days / suspicious process zinit in pstree

2010-12-17 Thread Vladislav Kurz
On Friday 17 of December 2010, Carlos Alberto Lopez Perez wrote:
 On 12/17/2010 12:35 PM, Vladislav Kurz wrote:
  On Friday 17 of December 2010, Thorsten Göllner wrote:
  Hi,
  
  The other point is that pstree reports a process zinit I never saw in
  the past:
  
  snip
  
  But I do not have any idea what it is. And I can not see the process
  
  with ps:
  If pstree shows zinit and ps does not, it might mean that you are already
  rooted (owned, hacked, cracked, etc), and your ps binary was modified to
  hide the presence of rootkit named zinit.
 
 Good point.
 
 Try to check the md5sum of ps:
 
 # apt-get install debsums
 # debsums procps
 

just for reference - md5sum of /bin/ps on i386/lenny 
(checked from freshly downloaded package)

a6094706266c8ec3b068cf964824afee  /bin/ps

-- 
Regards
Vladislav Kurz


Archive: http://lists.debian.org/201012171317.52933.vladislav.k...@webstep.net



Re: exim4 router problems since 2 days / suspicious process zinit in pstree

2010-12-17 Thread Vladislav Kurz
On Friday 17 of December 2010, Paul Stewart wrote:
 I have a question related to this security announcement and hope it's
 appropriate to ask here...
 
 I just recently installed a couple of machines with Debian 5 using
 netinstall.  They are running Exim which reports as 4.69 in the banner.
 
 I have ran aptitude update/upgrade and not seeing anything new for Exim -
 am I safe to assume I'm up to date and not vulnerable to this security
 issue? Sorry, just started using Debian - been at least 5 years since I
 ran it and wanted to make sure

If you have enabled the security updates repository then you should be OK.
Check your /etc/apt/sources.list if it contains this line:

deb http://security.debian.org/ lenny/updates main contrib non-free

And check version of exim4 using dpkg -l exim*. It should be: 4.69-9+lenny1.

-- 
Regards
Vladislav Kurz


Archive: http://lists.debian.org/201012171345.33508.vladislav.k...@webstep.net
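Both this reply (exim4 must be 4.69-9+lenny1) and the DSA-3696 thread above (the kernel must be a +deb8u2 build) come down to comparing an installed version with the fixed version in an advisory. The following is an added Python port of dpkg's version-comparison algorithm with a small `dpkg -l` parser; it is not from the posts or from dpkg itself, and the `dpkg -l` output it parses is a constructed sample.

```python
"""dpkg-style version comparison plus a check of `dpkg -l` output against
the fixed version named in a DSA.

Added example, not from the posts or from dpkg: compare_versions() ports
dpkg's verrevcmp() (epoch, then upstream, then revision; alternating
non-digit and digit runs; '~' sorts before everything, even end of string).
DPKG_L_SAMPLE is constructed; its versions come from this page's threads.
"""
from typing import Dict, Tuple


def _order(ch: str) -> int:
    """Weight of one character inside a non-digit run, as in dpkg."""
    if not ch or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    return ord(ch) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare upstream-or-revision strings; <0, 0, >0 like strcmp."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run: compare character weights one by one
        while (i < len(a) and not a[i].isdigit()) or \
              (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # digit run: numeric comparison, leading zeros ignored
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1            # a has more digits: the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """[epoch:]upstream[-revision] -> (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
        return epoch, upstream, revision
    return epoch, version, ""


def compare_versions(v1: str, v2: str) -> int:
    """-1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    for x, y in ((u1, u2), (r1, r2)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def installed_versions(dpkg_l_output: str) -> Dict[str, str]:
    """name -> version for packages in state 'ii' (installed) in `dpkg -l`."""
    versions, in_table = {}, False
    for line in dpkg_l_output.splitlines():
        if line.startswith("+++"):
            in_table = True       # header/separator lines end here
            continue
        fields = line.split(None, 3)
        if in_table and len(fields) >= 3 and fields[0] == "ii":
            versions[fields[1]] = fields[2]
    return versions


def is_fixed(dpkg_l_output: str, package: str, fixed_version: str) -> bool:
    """True when `package` is installed at or above the advisory's version."""
    installed = installed_versions(dpkg_l_output).get(package)
    return installed is not None and compare_versions(installed, fixed_version) >= 0


DPKG_L_SAMPLE = """\
||/ Name                       Version           Description
+++-==========================-=================-============================
ii  exim4                      4.69-9+lenny1     metapackage to ease Exim MTA (v4) installation
ii  linux-image-3.16.0-4-amd64 3.16.36-1+deb8u1  Linux 3.16 for 64-bit PCs
rc  exim4-daemon-light         4.69-9            lightweight Exim MTA (v4) daemon
"""
```

`is_fixed(DPKG_L_SAMPLE, "exim4", "4.69-9+lenny1")` is true for the sample, while the kernel check against 3.16.36-1+deb8u2 is false because only +deb8u1 is installed.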



[Seznam #76865] [Support] [SECURITY] [DSA-2068-1] New python-cjson packages fix denial of service

2010-07-16 Thread Vladislav Kurz
On Thursday 15 of July 2010, Radovan Vrzdiak wrote:
 The request with subject [SECURITY] [DSA-2068-1] New python-cjson
 packages fix denial of service has been closed/resolved.

 Please do not reply to this e-mail unless you wish to continue the
 handling of this request. Thank you.

Dear Sirs,

Not only do I not wish you to continue handling this request, but above all 
I do not wish you to inform thousands of people from all over the world about it 
on the debian-secur...@lists.debian.org mailing list.

 --
 Radovan Vrzdiak
 System support
 Seznam.cz, a.s.

 fax: +420 234 694 115
 supp...@firma.seznam.cz
 http://www.seznam.cz



-- 
Best regards
Vladislav Kurz

=== WebStep, s.r.o. (Ltd.) = a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net === vladislav.k...@webstep.net ===





Archive: http://lists.debian.org/rt-3.6.7-3619-1279265834-1226.76865-6...@seznam.cz



security support for etch?

2009-08-07 Thread Vladislav Kurz
Hello,

I'd like to ask the security team how long they plan to support etch 
(oldstable). I remember that when etch was released, they announced that support 
for sarge would continue for one year. I haven't seen such an announcement when 
lenny was released.

Anyway big thanks to all in the security team for their valuable work.

-- 
Regards
Vladislav Kurz





Re: Securing my PC at a Wireless Hotspot?

2009-02-11 Thread Vladislav Kurz
On Tuesday 10 of February 2009, Wade Richards wrote:
 On Tue, Feb 10, 2009 at 11:50:05AM +0100, Johan 'yosh' Marklund wrote:
  Bernd Eckenfels skrev:
   In article fe374f8d0902081747v4a99deadva1898142dac1d...@mail.gmail.com 
you wrote:
   Use a VPN or an SSH tunnel to a trusted source.
  
   A very neat trick is using dynamic port forwarding of SSH (-D 1080).
   You only need to login to any SSH Server and enable the auto
   forwarding. Then you can enter the SSH client as a SOCKS proxy server
   and you are done (for surfing).
 
  You could use the -w option in newer ssh server versions to tunnel
  through virtual tun devices =)

 One problem with tunnels is that you can accidentally not use the tunnel.

 E.g. I have eth0 which is connected to the insecure network, and
 my encrypted tunnel to a secure network.

 Although the tunnel is available, the unsecure eth0 is still also
 available.  I need to correctly set up the SOCKS proxy or set up the
 routing tables, or do something to be sure that all my network traffic
 is going through the tunnel and not just directly to the unsecure eth0.
 There's no easy way to tell if you're doing it right, either, since the
 web looks basically the same from the unsecure network as from the secure
 one.

You can tell by checking routing tables, or visiting a web page that shows 
your IP. And you should know the IP of your tunnel server.

 The Cisco VPN I use on my employer's Windows machine has an interesting
 feature: it completely hides the unencrypted network.  Once I create the
 VPN tunnel, my machine releases its local IP address and there is no
 way for any network connections (other than the tunnel, of course) to go
 over the unencrypted device.  It is as if that device is disabled.

 This makes it idiotproof, which is an important but often overlooked
 aspect of security.

 So, is it possible to do that sort of thing with a Linux laptop?

OpenVPN can do that as well - look for option --redirect-gateway

-- 
regards
Vladislav Kurz





Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

2008-07-09 Thread Vladislav Kurz
On Tuesday 08 of July 2008, Florian Weimer wrote:
 * Mert Dirik:
  PowerDNS is not available on all architectures, and Unbound and tinydns
  are not part of etch.
 
  So it's lack of alternatives, more or less.
 
  I don't really know much about these things but can't maradns

 MaraDNS could be used, I think.  However, I'm not familiar with that
 implementation.

  or dnsmasq be used with same purpose?

 dnsmasq needs to be patched first.

AFAIK dnsmasq is a forwarding-only resolver, it needs some real DNS server to 
send queries to be resolved. So it should be OK. Or am I completely wrong?
Can someone confirm or oppose this?

-- 
Regards
Vladislav Kurz





Re: Find installed contrib and non-free packages

2008-06-12 Thread Vladislav Kurz
On Thursday 12 of June 2008, Martin Bartenberger wrote:
 Hi,

 just a few days ago I've read at
 http://www.debian.org/security/faq.en.html#contrib that contrib and
 non-free packages are not supported by the Debian security team.

 Now I want to find out which contrib and non-free packages are installed
 on my servers. Is there any special command or script for this or do I
 have to write one?

Hi, I use this method:

1. remove contrib and non-free from /etc/apt/sources.list
2. run dselect (update, select) and you will see all contrib and non-free 
packages as obsolete/local packages. 

Maybe aptitude will do the same, but I don't use it  ;-)

-- 
Regards
Vladislav Kurz





Re: lm-sensors update for sarge

2008-05-27 Thread Vladislav Kurz
On Tuesday 27 of May 2008, dann frazier wrote:
 On Mon, May 26, 2008 at 03:56:21PM +0200, Vladislav Kurz wrote:
  Hello all,
 
  A few days ago I was surprised that there is an update for lm-sensors
  (and libsensors3) for sarge. It is available from security.debian.org. I
  know that sarge does not have any security support any more, and there
  was no DSA about lm-sensors this year. So I ask - does anyone know what
  is going on?

 lm-sensors was updated recently for compatibility with the 2.4.27
 kernel update which had an ABI change (DSA 1503). Aurelien Jarno
 discovered that this update had a problem (#475164) that resulted in
 missing binary modules. It is true that sarge is no longer security
 supported, but since this was a regression caused by a security update
 we went ahead and released the fix.

 --
 dann frazier

Thanks for explanation.

-- 
Regards
Vladislav Kurz





lm-sensors update for sarge

2008-05-26 Thread Vladislav Kurz
Hello all,

A few days ago I was surprised that there is an update for lm-sensors (and 
libsensors3) for sarge. It is available from security.debian.org. I know that 
sarge does not have any security support any more, and there was no DSA about 
lm-sensors this year. So I ask - does anyone know what is going on?

-- 
Regards
Vladislav Kurz





ssh-vulnkey and authorized_keys

2008-05-15 Thread Vladislav Kurz
Hello all,

thanks for the quick response to the SSL bug and for providing ssh-vulnkey and 
dowkd.pl. ssh-vulnkey produces funny output when processing authorized_keys 
with additional options like from=host, command=something to do, 
no-agent-forwarding, etc...

Instead of the file name it prints these extra options. It is hard to find 
such files then, especially if they are not in regular user homes but used for 
special purposes (backups, monitoring) and located in unusual places.

It would also be helpful to print the line as dowkd.pl does.
Is there any repository with newer versions of ssh-vulnkey or dowkd.pl?

-- 
Regards
Vladislav Kurz


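The parsing problem behind this post, as an added example (not from the post, ssh-vulnkey or dowkd.pl): an authorized_keys line may start with a comma-separated option list whose double-quoted values can themselves contain commas, spaces and escaped quotes, so a scanner has to consume that list before it reads the key type, file name and line number it should report. The sample file content is constructed and its key blobs are placeholders.

```python
"""Parse OpenSSH authorized_keys lines, including ones that carry options.

Added example, not from the post, ssh-vulnkey or dowkd.pl.  Per sshd(8) the
option list is one comma-separated token whose double-quoted values may
contain commas and spaces, with \\" as an escaped quote, so it has to be
consumed before the key type is read.  SAMPLE is constructed; its key blobs
are placeholders, not real keys.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
Options = Dict[str, Optional[str]]  # flag options (no-pty, ...) map to None


@dataclass
class AuthorizedKey:
    lineno: int
    options: Options
    key_type: str
    key_blob: str
    comment: str


def _consume_options(text: str) -> Tuple[Options, str]:
    """Split the leading option list off `text`; returns (options, rest)."""
    opts: Options = {}
    name: List[str] = []
    value: List[str] = []
    has_value = in_quotes = False
    i = 0
    while i < len(text):
        ch = text[i]
        if in_quotes:
            if ch == "\\" and i + 1 < len(text) and text[i + 1] == '"':
                value.append('"')  # escaped quote inside a quoted value
                i += 1
            elif ch == '"':
                in_quotes = False
            else:
                value.append(ch)   # commas and spaces are literal in quotes
        elif ch == '"':
            in_quotes = True
        elif ch == "=" and not has_value:
            has_value = True
        elif ch == "," or ch.isspace():
            opts["".join(name)] = "".join(value) if has_value else None
            if ch.isspace():       # whitespace ends the whole option list
                return opts, text[i:].lstrip()
            name, value, has_value = [], [], False
        elif has_value:
            value.append(ch)
        else:
            name.append(ch)
        i += 1
    raise ValueError("option list is not followed by a key")


def parse_line(lineno: int, line: str) -> Optional[AuthorizedKey]:
    """One authorized_keys line, or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options: Options = {}
    if line.split(None, 1)[0] not in KEY_TYPES:
        options, line = _consume_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"line {lineno}: unrecognised key type {parts[0]!r}")
    return AuthorizedKey(lineno, options, parts[0], parts[1],
                         parts[2] if len(parts) == 3 else "")


def parse_authorized_keys(content: str) -> List[AuthorizedKey]:
    keys = (parse_line(n, l) for n, l in enumerate(content.splitlines(), 1))
    return [k for k in keys if k is not None]


def keys_with_options(content: str) -> List[Tuple[int, str, List[str]]]:
    """(lineno, comment, option names) for each restricted key: the entries
    the post found hard to locate when they live outside user homes."""
    return [(k.lineno, k.comment, sorted(k.options))
            for k in parse_authorized_keys(content) if k.options]


SAMPLE = """\
# constructed authorized_keys sample; blobs are placeholders, not real keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder0 backup@example
from="10.0.0.5,*.example.org",command="/usr/local/bin/backup --server \\"x\\"",no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder1 monitor@example
environment="PATH=/usr/bin" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIplaceholder2
"""
```

To audit a real system, read each candidate file and print its path together with each key's `lineno`, `key_type` and `comment`, which is the output the post wished ssh-vulnkey had produced.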



Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-13 Thread Vladislav Kurz
On Tuesday 13 of May 2008, Dominic Hargreaves wrote:
 On Tue, May 13, 2008 at 02:06:39PM +0200, Florian Weimer wrote:
http://security.debian.org/project/extra/dowkd/dowkd.pl.gz.asc
  (OpenPGP signature)

 This URL 404s (but the tool URL doesn't... possibly encouraging bad
 practice in running unverified code)

It seems to be another typo. The correct URL is apparently this:

http://security.debian.org/project/extra/dowkd/dowkd.pl.gz.sig

  Instructions how to implement key rollover for various packages will be
  published at:
 
http://www.debian.org/security/key-rollover/

 This URL 404s too.

They state it WILL be published, but didn't say when...

 Thanks for your efforts on this issue so far - obviously a bit of a
 nightmare.

 Cheers,
 Dominic.

 --
 Dominic Hargreaves | http://www.larted.org.uk/~dom/
 PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



-- 
Best regards
Vladislav Kurz

=== WebStep, s.r.o. (Ltd.) = a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net === [EMAIL PROTECTED] ===





Re: Kernel upgrade for 3Ware Driver issues?

2008-04-23 Thread Vladislav Kurz
On Wednesday 23 of April 2008, dann frazier wrote:
 On Tue, Apr 22, 2008 at 04:45:53PM -0600, Michael Loftis wrote:
  --On April 22, 2008 11:21:25 PM +0200 Florian Weimer [EMAIL PROTECTED]
 
  wrote:
  I guess the number of systems with amd64 and a 3ware 7xxx/8 PATA
  controllers is pretty small, otherwise this bug would have been noticed
  earlier.  So the sky is not falling.
 
  Technically, this is not a security bug.
 
  It definitely affects non-64bit systems too, contrary to 3Ware's claims.
  We had corruption on a 32bit system, which is what prompted us to start
  figuring it out.
 
  And I agree, technically it isn't, but security is one of the few ways to
  get updates into the distribution that are NMU.

 But that doesn't make them security issues. Don't get me wrong, I'd be
 all for a more fluid update process for non-security/critical issues,
 but it doesn't exist at the moment. The security team controls what
 goes out as a security update, and we're not going to get the security
 team to release a security update for a non-security issue.

 --
 dann frazier

Hello,

This might be a little off-topic, but I'd like to know if there is a 
definition of what a security issue is. I once learned that security 
consists of confidentiality, integrity and availability, and data corruption 
destroys integrity and availability.

-- 
Vladislav Kurz





Re: [SECURITY] [DSA 1503-1] New Linux kernel 2.4.27 packages fix several issues

2008-03-03 Thread Vladislav Kurz
On Monday 03 of March 2008, Martin Geier wrote:
 Hi

 On Fri, Feb 29, 2008 at 05:06:18PM +0100, Vladislav Kurz wrote:
 [snip]

  Yesterday I have upgraded and rebooted couple of machines that still use
  kernel version 2.4.27, and one of them crashed after 5 and half hours.
  It still responded to pings, maybe routing and firewalling as well, but
  SSH and other services were unavailable. This is the only machine still
  using ext2 filesystem.

 This maybe a similar problem which I had some time ago (on a PPC), so
 please try the following:
 Assuming that the machine is dead, try killing all tasks via SysRq (see
 Documentation/sysrq.txt of the linux-kernel-source) and look if you get
 a login-prompt again.

 Does this work?

The system reacts to Alt-SysRq-e by saying "SysRq: terminate all tasks", but 
nothing else happens. Even Alt-SysRq-i says "kill all tasks" but it does not 
help. However, Alt-SysRq-b rebooted the system :-)

-- 
S pozdravem
Vladislav Kurz

=== WebStep, s.r.o. (Ltd.) = a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net === [EMAIL PROTECTED] ===





Re: [SECURITY] [DSA 1503-1] New Linux kernel 2.4.27 packages fix several issues

2008-03-02 Thread Vladislav Kurz
On Friday 29 of February 2008, Desai, Jason wrote:
 I have noticed very similar things with one of my boxes which was
 upgraded to the latest 2.4.27 kernel.  Sometimes, it would even hang
 when running depmod from the modutils init script when booting.  I did
 some troubleshooting, and found that the older kernel boots fine.
 Moving some modules out to a different directory allowed the system to
 boot.  But it would eventually hang after a few hours, sometimes after
 only minutes.  Like you indicated - ping would work.  But there was
 nothing in the logs on the screen for me.

Yes that looks exactly the same as on my server. No log, nothing on console.

 I had other systems upgraded to this kernel too, and they seem ok.  Most
 use ext3.  However one does use ext2, and so far it has been ok.  The
 system giving me problems is a VM running inside of VMWare Server.  I
 was thinking the issue may have been with VMWare.

My server does not use VMWare so I think we can ignore that.

-- 
S pozdravem
Vladislav Kurz

=== WebStep, s.r.o. (Ltd.) = a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net === [EMAIL PROTECTED] ===





Re: [SECURITY] [DSA 1503-1] New Linux kernel 2.4.27 packages fix several issues

2008-02-29 Thread Vladislav Kurz
Hello all,

I wanted to file this through the BTS but I'm not sure which package is the 
right place to file kernel-related bugs. Therefore I post here.

It seems that the last upgrade of kernel 2.4.27 is causing system crashes and 
maybe even filesystem corruption, at least with the ext2 filesystem.

Yesterday I have upgraded and rebooted couple of machines that still use 
kernel version 2.4.27, and one of them crashed after 5 and half hours.
It still responded to pings, maybe routing and firewalling as well, but SSH 
and other services were unavailable. This is the only machine still using 
ext2 filesystem.

After rebooting it worked fine until I tried to access some parts of the 
filesystem. I suspected problems with the hard disk, but there were no messages 
on the console (I expected I/O errors and such). Memory was fine as well.
Checking the filesystem with a read-only badblock scan (fsck -c /dev/hda2) 
reported everything OK. But the moment I tried to copy (rsync, tar) the 
filesystem to a new disk, it crashed again. Copying the filesystem with dd was 
fine, but when I loop-mounted the image and tried to copy from there, the 
system crashed again. So I ruled out hardware problems and tried to reboot with 
the old kernel, and to my surprise I could read the broken filesystem without 
any problems.

With old kernel I was able to rsync files to new hard drives, so the system is 
up and running now. (Using old kernel.) I can provide filesystem image 
of broken /usr partition for analysis.

All my other servers running 2.4.27-4 kernels use ext3 filesystems and seem to 
be OK, but I'm quite afraid it might happen on ext3 as well.

These bugfixes seem to be the only ones that have something to do with 
ext2/ext3. Could someone look into this issue? I will try to be as helpful as 
possible in debugging this.

 CVE-2006-6053

 LMH reported a potential local DoS which could be exploited by a
 malicious user with the privileges to mount and read a corrupted ext3
 filesystem.

 CVE-2006-6054

 LMH reported a potential local DoS which could be exploited by a
 malicious user with the privileges to mount and read a corrupted ext2
 filesystem.


Anyway, big thanks to the security team for the work that they do.

-- 
Regards
Vladislav Kurz





Re: iptables and nmap

2007-06-07 Thread Vladislav Kurz
On Thursday 07 June 2007 15:51, Joan Hérisson wrote:
 Hello,

   Config:
   - Debian 2.4.18
   - iptables with many rules

   Problems:
   - I have installed a tomcat 5.5 server. The server is 
 unreachable
 (connection failed from localhost or another host on my local network).

   Tries:
   - I have to open port 8080. I have this rule in 
 /etc/init.d.firewal-start :
   iptables -A tcp_packets -p TCP -i eth0 -s 0/0 --dport 80 -j allowed
   where eth0 is the way toward the internet.
   So I added this rule :
   iptables -A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed
   where eth1 is the way toward my local network

Hello,

it seems that you are using some firewall script which uses a lot of user 
defined chains: tcp_packets, allowed. Without understanding which packets get 
filtered by chain tcp_packets and what is happening in chain allowed, it is 
hard to guess what's wrong. Try this:
iptables -A INPUT -p tcp -i eth1 --dport 8080 -j ACCEPT

I suspect that you are using some firewall script made by someone else, and 
that script is too complicated to understand for anyone else than author.
IMHO it's always better to make your own script that has only the rules you 
really need and understand.

   Results:
   - The server is still unreachable.
   - When I do nmap localhost, I have port 80 open but not 8080.
   - When I comment out the line for port 80 in firewall-start and 
 I
 restart firewall, I do nmap localhost, port 80 is still open.

   I do not find the link between iptables rules and nmap.
   Some ideas ?

nmap shows you the reality defined by iptables. If nmap shows something 
different than you expected, it just means you do not understand how iptables 
work. You should visit http://www.netfilter.org/ and read man iptables.

-- 
S pozdravem
Vladislav Kurz

=== WebStep, s.r.o. (Ltd.) = a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net === [EMAIL PROTECTED] ===
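One detail worth making explicit about the exchange above: nmap localhost only ever exercises the lo interface, so a rule keyed on -i eth0 can neither open nor close what that scan shows; the test that means something is a scan from a LAN host against the eth1 address. The script below is an added example, not the firewall script from the thread. It renders the small self-written ruleset the reply recommends in iptables-restore format (loaded with iptables-restore, the whole table is replaced atomically instead of rule by rule) and then walks the INPUT chain the way the kernel would for a fresh SYN, so the verdict nmap will report can be predicted before scanning. Interface names eth0/eth1 and the ports (80 on the Internet side, 8080 and 22 on the LAN side) are assumptions; port 22 is not from the thread.

```python
"""Render a small, readable INPUT policy in iptables-restore(8) format and
predict what a SYN scan against a given interface and port will see.

Added example, not the firewall script from the thread. Interface names and
the ports (80 on the WAN side, 22 and 8080 on the LAN side) are assumptions.
"""
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
KNOWN_OPTS = {"-i", "-p", "--dport", "-m", "--state", "-j",
              "--icmp-type", "--limit", "--log-prefix"}


def render_rules(wan_if="eth0", lan_if="eth1", wan_tcp=(80,), lan_tcp=(22, 8080)):
    """Default-deny INPUT chain: loopback, conntrack, explicit services, log."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        # Anything addressed to 127.0.0.1 (including nmap localhost) arrives
        # on lo and never reaches the per-interface rules below.
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m state --state INVALID -j DROP",
    ]
    for iface, ports in ((wan_if, wan_tcp), (lan_if, lan_tcp)):
        for port in ports:
            lines.append(f"-A INPUT -i {iface} -p tcp --dport {port} "
                         "-m state --state NEW -j ACCEPT")
    lines += [
        "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT",
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "',
        "COMMIT",
    ]
    return "\n".join(lines) + "\n"


def first_verdict(rules_text, iface, port, proto="tcp"):
    """Walk the INPUT chain as the kernel does for a fresh SYN arriving on
    iface for port: the first terminating target wins, LOG falls through,
    and the chain policy applies if nothing matched. Only the matches that
    render_rules emits are understood; anything else raises."""
    policy = "DROP"
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] in ("*filter", "COMMIT"):
            continue
        if tok[0] == ":INPUT":
            policy = tok[1]
            continue
        if tok[:2] != ["-A", "INPUT"]:
            continue
        if len(tok) % 2:
            raise ValueError(f"unbalanced rule: {line}")
        opts = dict(zip(tok[2::2], tok[3::2]))
        unknown = set(opts) - KNOWN_OPTS
        if unknown:
            raise ValueError(f"unsupported match {sorted(unknown)} in: {line}")
        if opts.get("-i", iface) != iface:
            continue
        if opts.get("-p", proto) != proto:
            continue
        if "--dport" in opts and int(opts["--dport"]) != port:
            continue
        if "--state" in opts and "NEW" not in opts["--state"].split(","):
            continue
        if opts.get("-j") in TERMINATING:
            return opts["-j"]
    return policy


if __name__ == "__main__":
    rules = render_rules()
    print(rules)
    for iface in ("lo", "eth0", "eth1"):
        for port in (80, 8080):
            print(f"{iface}:{port} -> {first_verdict(rules, iface, port)}")
```

Run it and compare the predicted verdicts with a real scan from each side: 8080 is ACCEPT on lo and eth1 but DROP on eth0, which is exactly the kind of discrepancy the original poster saw between nmap localhost and a client on the LAN. Keep the rendered file under version control and load it with iptables-restore; the evaluator only understands the few matches the renderer emits, which is deliberate, so that a rule it cannot reason about fails loudly instead of being silently ignored.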





Re: Security risks due to packages that are no longer part of Debian?

2005-07-12 Thread Vladislav Kurz
On Monday 11 of July 2005 19:10, Christian Hammers wrote:
 Hello

 If a User upgrades his woody system to sarge and one package that has
 been part of woody is now no longer part of Debian nor being superseded by
 another package, will apt-get warn the user that this package is a
 potential security risk as Debian does not monitor nor provide fixes for
 reported security issues in this package?

I use dselect and it shows obsolete/local packages section at the top of 
package listing. By obsolete/local it means those that are not downloadable 
from any source defined in /etc/apt/sources.list

Is that what you need?

-- 
S pozdravem
Vladislav Kurz

=== WebStep, s.r.o. (Ltd.) = a step to the Web ===
address : Turgenevova 18, 61800 Brno, CZ, tax-id: 289-25528262
office : Veveri 9, 60200 Brno, CZ, tel  fax: +420 541 128 341
=== www.webstep.net === [EMAIL PROTECTED] ===





Re: local root exploit

2005-01-10 Thread Vladislav Kurz
On Fri, 07 Jan 2005 23:55:15 +0100, Arnaud Loonstra [EMAIL PROTECTED] 
wrote:
 Just tried the newly found exploits on a Woody system, it doesn't work...
 I get:
 [+] SLAB cleanup
 child 1 VMAs 143
 [+] moved stack bfffe000, task_size=0xc000, map_base=0xbf80
 [+] vmalloc area 0xc500 - 0xc9d17000
 [-] FAILED: open lib (/dev/shm/_elf_lib not writable?) (No such file or
 directory)
 Killed
 
 http://isec.pl/vulnerabilities/isec-0021-uselib.txt
 
 Any others any other findings?
 
 A. Loonstra

Hello,

I have tried the exploit and it works! It just needs to mount the /dev/shm 
filesystem, or you can modify the exploit to put temporary file into /tmp/ 
instead of /dev/shm/

mount -t tmpfs tmpfs /dev/shm

After that:

$ ./elflbl

[+] SLAB cleanup
child 1 VMAs 65527
child 2 VMAs 9756
[+] moved stack bfffe000, task_size=0xc000, map_base=0xbf80
[+] vmalloc area 0xc440 - 0xc8401000
Wait... /
[+] race won maps=10368
expanded VMA (0xbfffc000-0xe000)
[!] try to exploit 0xc48da000
[+] gate modified ( 0xffec90f4 0x0804ec00 )
[+] exploited, uid=0

sh-2.05a# whoami
root
sh-2.05a#

kernels tested:
kernel-image-2.4.18-1-586tsc 2.4.18-13.1
kernel-image-2.4.18-bf2.4  (left from installation)

compiled with:
gcc-2.95  2.95.4-11woody1

So, now the question is whether backporting the patch is on the way and when 
we can expect a DSA.

-- 
Best regards
Vladislav Kurz





Re: local root exploit

2005-01-10 Thread Vladislav Kurz
On Monday 10 of January 2005 15:29, Jacques Lav!gnotte wrote:
 On Mon, 10 Jan 2005 15:19:33 +0100

 Vladislav Kurz [EMAIL PROTECTED] wrote:
  mount -t tmpfs tmpfs /dev/shm

 Only root can do that.

But it can be already mounted, and the exploit can be modified to use any 
writeable directory instead.


  Jacques

-- 
Regards
Vladislav Kurz

