Re: MIT discovered issue with gcc
On Nov 30, 2013 6:29 PM, Bernhard R. Link brl...@debian.org wrote:
* Joel Rees joel.r...@gmail.com [131129 00:36]: The standard needs to be re-written to encourage sane behavior in undefined situations, and if you don't like that opinion, I'll take some time later, when I have some, to rip your arguments that I've clipped above to shreds. I don't mind if you don't.
I think the only answer to those lines is to advise you to not use any programs written in C. I suggest writing everything in Haskell and compiling that to Java bytecode run in a JVM. With the JVM implemented in Haskell and running in an interpreter.
That'll be interesting to see.
Re: Debian APT Key Revocation Procedure
On Fri, Nov 1, 2013 at 8:23 AM, Paul Tagliamonte paul...@debian.org wrote: I take issue with this. I find this attitude really crappy. I'd strongly invite you to reconsider this tone and belief. I invite you to jump back down to earth and stop judging people as if you are somehow better. -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/CAM5XQnwOtTVgYQsusoBt7iUac3+3MBsd5=zckdzmky87was...@mail.gmail.com
Re: Debian APT Key Revocation Procedure
On Fri, Nov 1, 2013 at 8:30 AM, Paul Tagliamonte paul...@debian.org wrote: On Fri, Nov 01, 2013 at 08:27:03AM -0500, Jordon Bedwell wrote: On Fri, Nov 1, 2013 at 8:23 AM, Paul Tagliamonte paul...@debian.org wrote: I take issue with this. I find this attitude really crappy. I'd strongly invite you to reconsider this tone and belief. I invite you to jump back down to earth and stop judging people as if you are somehow better. (I'm not the one insulting two core teams at once)
Nope, you just take it a step further and insult the individual people.
Re: Debian APT Key Revocation Procedure
On Fri, Nov 1, 2013 at 8:33 AM, Jordon Bedwell jor...@envygeeks.com wrote: On Fri, Nov 1, 2013 at 8:30 AM, Paul Tagliamonte paul...@debian.org wrote: On Fri, Nov 01, 2013 at 08:27:03AM -0500, Jordon Bedwell wrote: On Fri, Nov 1, 2013 at 8:23 AM, Paul Tagliamonte paul...@debian.org wrote: I take issue with this. I find this attitude really crappy. I'd strongly invite you to reconsider this tone and belief. I invite you to jump back down to earth and stop judging people as if you are somehow better. (I'm not the one insulting two core teams at once) Nope, you just take it a step further and insult the individual people.
I should say "individual people" without the "the", as "the" implies you were insulting the people on the team, and not people in general.
Re: Debian APT Key Revocation Procedure
On Fri, Nov 1, 2013 at 8:42 AM, Darko Gavrilovic d.gavrilo...@gmail.com wrote: I should say "individual people" without the "the", as "the" implies you were insulting the people on the team, and not people in general. No one here thinks they are better or smarter than you. It would just be nice if you could try to keep it a little more professional in your communication and responses.
There was nothing unprofessional about what I said.
Re: Debian APT Key Revocation Procedure
On Thu, Oct 31, 2013 at 10:28 AM, Paul Wise p...@debian.org wrote: On Thu, Oct 31, 2013 at 8:55 PM, adrelanos wrote: What are your plans if you ever have reason to believe that the Debian archive signing key has been compromised? It is unlikely that the people responsible for that are reading this list. I suggest you contact them (DSA, ftpteam) directly.
That's almost jokingly ironic.
Re: SSL for debian.org/security?
On Tue, Oct 29, 2013 at 4:29 AM, Nikolay Kubarelov n...@tightwax.com wrote: I would use Tor hidden service instead of SSL.
Wait: What? Can't tell if serious.
Re: SSL for debian.org/security?
On Wed, Oct 30, 2013 at 12:11 AM, Pedro Worcel pe...@worcel.com wrote: I fail to see what would make what hard, could you please explain?
Hard, maybe not; needed: no. There is no reason to try and hide the information, there never was and there never will be. If you were to implement SSL and then a Tor option, fine, but to skip SSL and only offer Tor is annoying and unneeded. Tell me something, do you also build a moat around your house to prevent people from parking near your yard?
Re: How secure is an installation with with no non-free packages?
On Thu, Sep 12, 2013 at 5:23 PM, Jonathan Perry-Houts jperryho...@gmail.com wrote: I still don't see why this should make me trust closed code more. For all I know Intel's code is full of lines like that, or worse.
It's not about getting you to like closed or open source software more, it's about getting you to realize that open source software can be, and probably is, just as vulnerable as closed source software.
Re: How secure is an installation with with no non-free packages?
On Thu, Sep 12, 2013 at 9:03 PM, adrelanos adrela...@riseup.net wrote: Microcode. (I guess if the vulnerability can not be fixed with some kind of firmware upgrade and is used in the wild, that would be a reason to get it replaced for free or being required to buy a new one.)
I'm not a lawyer but even I know a vendor like Intel or AMD cannot require you to buy a new processor as long as it's under warranty, and security/performance issues do count as a warranty issue... they do microcode updates now to avoid having to recall because of that type of situation, not to mention the numerous other benefits such as fast shipping and other stuff.
Re: flashplugin-nonfree get-upstream-version.pl security concern
On Thu, Dec 13, 2012 at 1:47 PM, Davide Prina davide.pr...@gmail.com wrote: On 12/12/2012 23:26, Michael Gilbert wrote: Ultimately, for anyone even modestly security-conscious adobe flash should really be avoided at all costs. +1 I'm not an expert, but I think that packages like this must first ask the users list on which you want this plugin installed and then execute scripts only for those users as user, not root, with, for example, su -c USER1 script.sh ... (downloading the file [with ugo+r] in /tmp/RANDOMDIR [with ugo+x] only once).
Why does the group and other need access again? Even if it's read only you are still introducing a fatal security problem indirectly by promoting the usage of global read.
Also I think that these packages must alert the user that they will download something from a website and ask for a confirmation to continue (I don't know if it is already implemented).
Re: flashplugin-nonfree get-upstream-version.pl security concern
Hi, On Wed, Dec 12, 2012 at 12:33 PM, Bart Martens ba...@debian.org wrote: I already use mktemp -d /tmp/flashplugin-nonfree.XX. Isn't that secure? What is the problem you are suggesting to file a bug for?
Please tell me you are trolling?
Re: New rootkit targetting Debian squeeze (amd64 only)
On Fri, Nov 23, 2012 at 12:31 AM, Mike Mestnik cheako+debian-secur...@mikemestnik.net wrote: On 11/22/12 11:33, Laurentiu Pancescu wrote: More likely: a vulnerability in their web service (some form of execution of attacker-provided code), combined with a local privilege elevation exploit (the Linux kernel had quite many such bugs, some are probably yet undiscovered). I find it interesting that the rootkit was written or customized specifically for squeeze. I think this was a test of greater things to come.
I would assume (mostly because to me it's ignorant not to assume this) that the author of the malware might have built it to target his preferred OS first and then would have expanded it later. It's much easier to build small and then work to greater things than to build big and possibly fail.
Re: Daemon umask
Hi, On 08/07/2012 08:15 AM, Laurie Mercer wrote: Is it possible to set the umask to a value (in this case 27) at boot time so that all daemon processes started at boot time will have this umask by default (unless they override it)? In Redhat this is done in the /etc/sysconfig/init file, umask parameter, which is not present in Debian.
You can adjust /etc/login.defs, you can edit /etc/profile (via adding a sh file to /etc/profile.d) and check for the user and set its umask, or you can create a common home folder for all your daemons and add it to .profile. Or you can go and edit each daemon's init file.
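As an added illustration (not code from either thread), the POSIX sh snippet below shows what a daemon's inherited umask actually decides, which is the point behind both the daemon umask question above and the world-readable /tmp download in the flashplugin-nonfree thread: the umask sets the mode of every file the process creates, while a directory from mktemp -d is private regardless of umask. The wrapper function is a hypothetical init-script pattern; nothing here edits /etc.

```sh
#!/bin/sh
# Added example: show how the umask a daemon inherits determines the
# mode of every file it creates, and how mktemp -d sidesteps umask.
# Works entirely in a scratch directory; it does not touch /etc.

# mode_under_umask UMASK PATH: create PATH under UMASK and print its
# octal mode. Runs in a subshell so the caller's umask is untouched.
mode_under_umask() {
    (
        umask "$1"
        : > "$2"
        stat -c '%a' "$2"
    )
}

# private_tmpdir_mode: create a temp dir the way mktemp -d does, print
# its mode, remove it. mktemp -d always uses 0700, whatever the umask.
private_tmpdir_mode() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/umask-demo.XXXXXX")
    stat -c '%a' "$d"
    rmdir "$d"
}

# start_daemon_with_umask CMD [ARGS...]: the pattern for an init
# script. Set the restrictive umask once, then exec the real daemon so
# it (and everything it spawns) inherits it. Hypothetical wrapper.
start_daemon_with_umask() {
    umask 027
    exec "$@"
}

demo() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/umask-demo.XXXXXX")
    echo "umask 022 -> $(mode_under_umask 022 "$work/a")   (world-readable)"
    echo "umask 027 -> $(mode_under_umask 027 "$work/b")   (group-readable only)"
    echo "umask 077 -> $(mode_under_umask 077 "$work/c")   (owner only)"
    echo "mktemp -d  -> $(private_tmpdir_mode)   (private regardless of umask)"
    rm -rf "$work"
}

demo
```

The subshell in mode_under_umask matters in a real script too: umask is per-process and inherited, so setting it in a wrapper that execs the daemon is enough, but setting it in a subshell that then exits changes nothing for the caller.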
Re: Opinion on this, password changed, nothing suspicious in logs
On May 29, 2012 7:08 AM, Povl Ole Haarlev Olsen debian-secur...@stderr.dk wrote: Without any evidence of intrusion, I wouldn't be surprised if you got a flaky key on your keyboard. Are you sure you don't have a faulty 1 or something like that?
This one has gotten me before. What can make it worse is if it's almost like mine, where it turns out it's not the keys directly but the receiver playing games. Transmitting correctly one second and not the next.
Re: Dedicated server vs. VPS
On Mon, Mar 5, 2012 at 2:59 AM, Timh B t...@shiwebs.net wrote: Hi, This should probably be discussed off-list, anyway - the one that has the most dedicated resources and has the best security policy. Generally when it comes to keeping the kernel/system tools updated it's all about your own OS since it's usually independent from the hostnode. Except kernel in the openvz-case where the provider is responsible of keeping the kernel up to date. There will always be undiscovered holes in the kernel and/or toolchain but a hoster that does not put their hardware nodes on the internet is one step closer to good security.
OpenVZ has nothing to do with it, all of them have that ability, so specifically mentioning OpenVZ when Xen is like that and so is VMWare (to an extent I guess) is absolutely pointless. It's up to the provider to decide what type of VM you have, and the fact is that most of them chose not to give you access to the kernel because most of them know how many unknown exploits there are, and keeping the kernel out of the VM space prevents kernel exploits (to a certain extent), but good providers give you the ability to select your kernel or kick it into a mode that allows you to use your own kernel.
There is no way you can restrict a hoster's access to your VPS, that's basically true for DS as well if you have the root-password in some sort of control-panel or if the support has it for some reason.
This is not true in any case, including a dedicated server. It takes but a minute and your drive to get access to your server, root password or not, adjusted grub bootloader or not. Saved in a control panel or not. This is a quite talked about subject when it comes to Linux, but it's not really a security problem for the most part unless you plan to get a laptop stolen or something, but there are clear ways to fix that problem. Unless that entire drive is encrypted and requires the password to even boot, they can get into it anytime they want.
Dedicated servers are no more secure than VMs when it comes to this. It does however make them harder to manage and recover in user error since they don't attach a TTY.
OpenSSH not logging denied public keys, even with logging set to verbose.
SSH Version: OpenSSH_5.5p1 Debian-6+squeeze1, OpenSSL 0.9.8o 01 Jun 2010
Part of the config:
    compression yes
    maxauthtries 1
    port 22
    listenaddress 10.6.18.80
    protocol 2
    useprivilegeseparation yes
    syslogfacility AUTH
    loglevel VERBOSE
    logingracetime 30
    permitrootlogin yes
    strictmodes yes
    rsaauthentication no
    publickeyauthentication yes
    authorizedkeysfile %h/.ssh/authorized_keys
    permitemptypasswords no
    passwordauthentication no
    x11forwarding no
    printlastlog yes
    tcpkeepalive yes
    acceptenv LANG LC_*
    usepam yes
    allowusers root git
It seems like no matter what I try (even DEBUG3) I cannot get it to spit out "publickey denied" so that we can ban with our banning daemons. I am at a loss since I've tried everything that I can think of.
Re: OpenSSH not logging denied public keys, even with logging set to verbose.
On Thu, Mar 1, 2012 at 6:31 AM, Taz taz.ins...@gmail.com wrote: rsaauthentication no -- change this to yes
I'm at a loss, how is setting an option that does not even apply to us (since we use Protocol 2 and that option is moot for us anyway) going to fix a logging issue? Perhaps I need to be more explicit, and I am sorry if I was too brief and didn't explain the situation very well. I am able to log in with no problem using our keys; rsaauthentication is not the problem and never will be. The problem is I cannot get sshd to log "publickey denied" errors to /var/log/auth.log so our daemons can ban these users. I want to know what happened to messages like "publickey denied for [user] from [ip]". I cannot get it to log those messages at all, no matter the logging level.
Re: OpenSSH not logging denied public keys, even with logging set to verbose.
2012/3/1 Aníbal Monsalve Salazar ani...@debian.org: On Thu, Mar 01, 2012 at 06:56:07AM -0600, Jordon Bedwell wrote: The problem is I cannot get sshd to log "publickey denied" errors to /var/log/auth.log so our daemons can ban these users. I want to know what happened to messages like "publickey denied for [user] from [ip]". I cannot get it to log those messages at all, no matter the logging level. Run the command below. grep ssh:1.%.30s@%.128s.s password: /usr/sbin/sshd; echo $? If you don't get 1 as output, your sshd is compromised.
It returned 1, this happens on freshly installed Debian and Ubuntu too though, tested it on Ubuntu too.
Re: OpenSSH not logging denied public keys, even with logging set to verbose.
On Thu, Mar 1, 2012 at 3:16 PM, Mike Mestnik che...@mikemestnik.net wrote: On 03/01/2012 02:51 PM, Aníbal Monsalve Salazar wrote: On Thu, Mar 01, 2012 at 06:56:07AM -0600, Jordon Bedwell wrote: The problem is I cannot get sshd to log "publickey denied" errors to /var/log/auth.log so our daemons can ban these users. I want to know what happened to messages like "publickey denied for [user] from [ip]". I cannot get it to log those messages at all, no matter the logging level. The chroot doesn't have a socket to log to... Have syslog listen on something like: /var/run/sshd/dev/log
There is no chroot. I hope I didn't imply there was or is one.
Re: OpenSSH not logging denied public keys, even with logging set to verbose.
On Thu, Mar 1, 2012 at 8:18 PM, Mike Mestnik che...@mikemestnik.net wrote: On 03/01/12 18:57, Russell Coker wrote: On Fri, 2 Mar 2012, Jordon Bedwell envyge...@gmail.com wrote: Run the command below. grep ssh:1.%.30s@%.128s.s password: /usr/sbin/sshd; echo $? If you don't get 1 as output, your sshd is compromised. It returned 1, this happens on freshly installed Debian and Ubuntu too though, tested it on Ubuntu too. http://etbe.coker.com.au/2011/12/31/server-cracked/ If you had a sshd that is compromised in the same way as one was on one of my servers then Anibal's command will give an output of 0. I don't know what relevance this has to a discussion of OpenSSH logging though. I'd like to have OpenSSH log the email address field from a key that was used for login so I could see something like "ssh key russ...@coker.com.au was used to login to account rjc" in my logs. From what I know that information (the comment on the key) is not very secure, Joe could put Bob as his comment... However one could do a look-up on the key from a key-server and get the email address that way. This is assuming that people are using their gpg (email) keys for ssh.
I don't know if the chroot idea is legitimate or not, but I went ahead and started a logger in /run/sshd/dev/log and there were still no logs for "publickey denied", and if this idea was actually for sure true, why would it show successful logins in the log and not unsuccessful logins in the log?
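The banning step the thread keeps coming back to, as an added example that is not part of the original posts: a small sh/awk filter that pulls failed-authentication events out of sshd's auth.log lines and counts them per source IP, which is the logic a banning daemon runs once the log lines exist. The log lines are constructed samples; the "Failed publickey for USER from IP port N ssh2" wording is my assumption of what sshd's auth_log() emits for a refused key (with LogLevel VERBOSE), since the real message is exactly what the thread could not find.

```sh
#!/bin/sh
# Added example (not from the thread): count failed sshd authentications
# per source IP from auth.log-style lines, and pick ban candidates.
# SAMPLE_LOG is constructed; adjust the regex if your sshd's wording
# differs from the assumed "Failed <method> for <user> from <ip> ...".

SAMPLE_LOG='Mar  1 06:50:01 host sshd[1201]: Accepted publickey for git from 10.6.18.20 port 40110 ssh2
Mar  1 06:50:07 host sshd[1202]: Failed publickey for root from 203.0.113.9 port 51022 ssh2
Mar  1 06:50:09 host sshd[1203]: Failed publickey for root from 203.0.113.9 port 51023 ssh2
Mar  1 06:50:11 host sshd[1204]: Failed password for invalid user admin from 198.51.100.4 port 33001 ssh2
Mar  1 06:50:12 host sshd[1205]: Failed publickey for git from 203.0.113.9 port 51024 ssh2
Mar  1 06:50:15 host sshd[1206]: Connection closed by 198.51.100.4
Mar  1 06:50:20 host sshd[1207]: Failed password for root from 198.51.100.4 port 33002 ssh2'

# failed_auth_by_ip: read sshd lines on stdin, print "count ip method"
# for every failed authentication, highest count first. Fields are
# located by the "Failed" and "from" keywords so the optional
# "invalid user" wording does not shift the IP column.
failed_auth_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed (password|publickey) for/ {
            method = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Failed") method = $(i + 1)
                if ($i == "from")   ip = $(i + 1)
            }
            if (ip != "") count[ip " " method]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# ban_candidates THRESHOLD: IPs whose failures across all methods reach
# THRESHOLD, one per line, sorted. Reads the same stdin.
ban_candidates() {
    failed_auth_by_ip | awk -v t="$1" '
        { total[$2] += $1 }
        END { for (ip in total) if (total[ip] >= t) print ip }
    ' | sort
}

echo "$SAMPLE_LOG" | failed_auth_by_ip
echo "--- candidates for banning (>= 3 failures):"
echo "$SAMPLE_LOG" | ban_candidates 3
```

In production the input would be `tail -F /var/log/auth.log` rather than a here-string, and the threshold should be paired with a time window, which this example deliberately omits.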
Re: Default valid shells and home dir permissions
On Wed, Jan 11, 2012 at 3:37 AM, Kees de Jong keesdej...@gmail.com wrote: For the home dirs try this: dpkg-reconfigure adduser. Then choose 'no'. I think that should do the trick. I am on my Android right now so I can't check it for you. -- Met vriendelijke groet, Kees de Jong On Jan 11, 2012 10:09 AM, Davit Avsharyan avshar...@gmail.com wrote: Hi ppl., 1/ I'm wondering why most of the system users have valid shells by default ? cat /etc/passwd | grep -E '(sh|bash)' | wc -l 21 2/ Why, by default, new users' home directories have 755 ? Every time I create a new account, I have to change it to 700. Why it's like this ? any special reasons ? These are what I've checked on my Squeeze boxes. Rgrds, Davit
Change the dir_mode in /etc/adduser.conf
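An added audit script (not from the thread) for the two questions above: which accounts really have an interactive shell, and which home directories are visible to other users. The passwd content is a constructed sample. It also shows why the `grep -E '(sh|bash)'` count in the question overstates things: that pattern matches anywhere on the line, so an account named "sshd" or a shell like git-shell is counted too, whereas the audit only tests the seventh field.

```sh
#!/bin/sh
# Added example (not from the thread): audit login shells in a passwd
# file and permissions of home directories. SAMPLE_PASSWD is
# constructed; feed /etc/passwd on stdin for a real box.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
messagebus:x:102:104::/var/run/dbus:/bin/false
davit:x:1000:1000:Davit:/home/davit:/bin/bash
git:x:1001:1001::/home/git:/usr/bin/git-shell'

# interactive_shell_accounts: names of accounts whose login shell
# (field 7) is a real shell: last path component is letters ending
# in "sh" (sh, bash, dash, zsh ...). nologin, false and git-shell do
# not match, and user names or home paths containing "sh" are ignored.
interactive_shell_accounts() {
    awk -F: '$7 ~ "/[a-z]*sh$" { print $1 }'
}

# naive_shell_count: the count from the original question, for
# comparison. It matches "sh" anywhere on the line.
naive_shell_count() {
    grep -cE '(sh|bash)'
}

# exposed_home_dirs DIR: names of directories directly under DIR that
# grant any permission bit to group or others, i.e. anything looser
# than 0700 (the DIR_MODE value to set in /etc/adduser.conf so new
# homes are created private). -perm / is the GNU find "any bit" form.
exposed_home_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /077 -printf '%f\n' | sort
}

echo "accounts with a real shell:"
echo "$SAMPLE_PASSWD" | interactive_shell_accounts
echo "naive 'grep sh' count: $(echo "$SAMPLE_PASSWD" | naive_shell_count)"
if [ -d /home ]; then
    echo "home directories readable by others:"
    exposed_home_dirs /home
fi
```

Run `exposed_home_dirs /home` after adjusting DIR_MODE to confirm only pre-existing homes still show up; adduser does not retroactively change directories it created earlier.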
Re: AW: Vulnerable PHP version according to nessus
On Wed, Dec 28, 2011 at 2:54 AM, Adam D. Barratt a...@adam-barratt.org.uk wrote: On 28.12.2011 07:56, Patrick Geschke wrote: Hey, @Maintainers: What's the overall status of the package? According to php.net 5.3.8 is stable. 5.3.8 is in both testing and unstable - see http://packages.qa.debian.org/p/php5.html Debian stable doesn't generally get new upstream versions of packages. Regards, Adam
"New upstream version" is used pretty loosely here. I would hardly consider a bug fix release a new version. You guys treat versions as if they're a matter of national security, because 5.3.7 vs 5.3.8 is obviously gonna have some major major API changes and some way new features.
Re: Debian LTS?
On Thu, 6 Oct 2011 09:50:12 +0100 Dominic Hargreaves wrote: If money were available, I'm sure there are plenty of skilled project participants that are more than willing to accept it. It could even be incentive- rather than person-based; something like $500 per LTS DSA to whoever gets it done first.
Offering $500 to an admin who is already overworked and understaffed isn't enough incentive. TBH, as an admin myself, I would rather be offered some new computer and some time off than any money at all; we aren't broke, just overworked.
Re: Debian LTS?
On 10/05/2011 05:39 PM, Poison Bit wrote: On Thu, Oct 6, 2011 at 12:33 AM, Poison Bit poison...@gmail.com wrote: In my experience: if a company does not perform operating system upgrades, the company does not have more than 5 years and does not understand how open source, and in particular the linux kernel, works. Or has management issues, but that's another story.
Re: Sony.
Re: AUTO: Steve Bownas is out of the office. (returning 09/06/2011)
On 08/21/2011 03:37 PM, David Giard wrote: Are we going to receive those every time he is out of the office? I hope someone will do something about it...
Read his email again. Focus on the bottom.
Re: CVE-2011-1929 - never mind, I missed DSA-2252-1
On 08/19/2011 10:04 AM, Mason Loring Bliss wrote: Evidently it's been fixed: http://www.debian.org/security/2011/dsa-2252
Just a future note too, if you ever find a CVE and don't want to Google you can do: http://security-tracker.debian.org/tracker/CVE-2011-1929
Re: CVE Exploit
On 3/11/2011 9:04 AM, Andrey Rahmatullin wrote: On Fri, Mar 11, 2011 at 09:42:17AM -0500, hans wrote: rm / -rf worked fine last time I tried it on a VM as an experiment. It was fixed in coreutils 6.2 [2006-09-18].
Subjective fix. It can still destroy your system, it can still delete critical files, just not certain critical files. We've done it before too.
Re: CVE Exploit
On 3/9/2011 1:26 PM, Timothy Ball wrote: On Wed, Mar 09, 2011 at 01:31:50AM -0800, aizaz83 hussain wrote: Dear I need your Help regarding Exploit development of CVE-2010-3872 Could you please Guide. How might this CVE-2010-3872 be exploited and how might an exploit work bwahahahahaha ... thanks this was a pretty good pick-me-up . read-code-write-0day ur-own-damn-self . need a hint ? pointer walk FTW !!! --timball ps) no i won't help u write 0day
Damn, beat me to it man. Though I don't think it's a 0day anymore, it's been fixed in Debian. http://security-tracker.debian.org/tracker/CVE-2010-3872
Re: [SECURITY] [DSA-2154-1] exim4 security update
On 1/30/2011 8:11 AM, Dario Ernst wrote: Hello, as i was affected by the recent exim exploit i may be a bit paranoid here, but i have general question on this update. If i am not using -D or -C anywhere in my exim setup (e.g. using the debian default initscripts and have not added any of those options in /etc/default/exim4) and installed the update ... am i okay to go with that? Sorry for asking those stupid questions, but the instructions are a little ambiguous there...
The only stupid question is a question not asked. And in theory yes, you are correct that you should now be safe from any known threats involving that CVE.
Re: CVE-2009-3555 not addressed in OpenSSL
On Sat, 2010-11-13 at 18:14 +0100, Thijs Kinkhorst wrote: I have tested it in some different environments with different types of configurations and the packages work very fine for me.
Just one question, did you test the patch or did you test the build?
Re: Number of apache2 process MaxClients ?
On 10/29/2010 11:06 AM, Min Wang wrote: Hi, I have apache2.conf using prefork with MaxClient setting to 30 (on Lenny) but on system I saw more than 100 apache2 processes. Isn't the MaxClients supposed to limit total apache2 processes to be 30? Something may be wrong/security issue?
    # pstree
    init-+-apache2-+-94*[apache2---{apache2}]
         |         `-7*[apache2]
/etc/apache2.conf:
    # prefork MPM
    <IfModule prefork.c>
        StartServers 5
        MinSpareServers 5
        MaxSpareServers 10
        MaxClients 30
        MaxRequestsPerChild 0
    </IfModule>
How quickly are you doing this? With prefork a new process is created for each client; when doing a bench this *can* make it seem like you are creating an abnormal amount of processes because the queue is filling up and the KA is either too low or too high (rarely too high, but I've seen it spawn incorrectly with a high KA.) What I am saying is, are you sure they aren't /dying/ or /defunct/?
Re: Any Account Logs In With Any Password
On 10/27/2010 04:05 PM, Henrique de Moraes Holschuh wrote: On Mon, 25 Oct 2010, Michael Loftis wrote: checks prior to this indicate a soft success. If you remove authentication from your system, its expected that any attempt to access will pass, barring and specific denial. If I remove authentication from my system, I expect it to tell me to get lost, as that is the _only_ safe failure scenario. Recovery is supposed to be done through single-user mode and sulogin in that case (if you don't have a root window already open somewhere, that is). This fail-unsafe behaviour looks like it is a feature of the default config being shipped in /etc/pam.d/common-*. I wonder what is the justification behind that decision...
Wait, let me get this right. You have a *server running*, you then *remove authentication* on said server and then you *expect* the system to tell everybody to go away? So if that is the case, why would you be running the server in the first place? An ironic situation... I like the idea of blaming the system for an administrator's lack of competency when it comes to systems security.
Re: Any Account Logs In With Any Password
On 10/27/2010 05:19 PM, Jim P wrote: Please move this thread to debian-u...@. EOM
I find it ironic you top post and don't trim while asking people to move something to Debian-User. This guy has what /he/ thinks is a /security issue/. According to Debian this list is: Discussions about /security issues/, including cryptographic issues, that are of interest to all parts of the Debian community.
Re: non-executable stack (via PT_GNU_STACK) not being enforced
On Thu, 2010-10-14 at 20:09 +0200, Yves-Alexis Perez wrote: On mar., 2010-10-12 at 05:34 -0500, Jordon Bedwell wrote: Also to add, the benefits of NX on PAE far outweigh those of not having PAE, Like, not booting at all?
Like, going and buying a better computer? I have no problem booting my mum's computer with PAE and NX (and it's almost 5 years old now ~ built with heavily proprietary hardware from Dell). Don't blame the kernel for your hardware. You must also be a politician or news anchor on the side too. Taking things out of context and replying out of context. Always pro to do so, that way you can subjectively reply.
Re: non-executable stack (via PT_GNU_STACK) not being enforced
On Thu, 2010-10-14 at 20:21 +0200, Yves-Alexis Perez wrote: I'm not sure it's a solution Debian can advertise.
I know it's not, that is why later down the discussion we brought up the installer giving people the option to either choose the kernel or building a script that will check for PAE and go from there.
That's not the point (and tbh, I don't run any i386 kernel anyway). But we do have users which will have issues, and we do have a -bigmem kernel which can be used for needing users. So yes I agree a way to propose the -bigmem to users needing it would be nice, but I don't think setting it the default kernel would work. But I basically see i386 as "the kernel of the last chance".
Read above. It was not meant to be a point, but a mere example. You can't stay legacy forever (well you /can/ but why would you want to?) and I think giving users the choice is the best step, with a pro being NX that PAE can bring if the CPU supports it.
Was that really necessary?
Yes, because out of context replies are out of context. While it should not have been so blunt (which I am really working on ~ you should have seen the way I would have replied a year ago) it had to be brought up :P
Re: non-executable stack (via PT_GNU_STACK) not being enforced
On Thu, 2010-10-14 at 17:39 -0400, Jordan Metzmeier wrote:
> There are not only issues of legacy hardware but virtual machines. I signed up for the RHEL 6 beta. Downloaded my copy and fired it up in virtualbox, only to find that it failed to boot, because virtualbox did not support PAE.

According to the VirtualBox dev team, VirtualBox does support PAE/NX. I don't know where it is, but I found an old ticket from 2007 that is marked as 'fixed' and somebody in said ticket mentioned the advanced tab. I personally use VMWare and Xen but hope that helps :P

Archive: http://lists.debian.org/1287092397.2322.2.ca...@envygeeks
Re: non-executable stack (via PT_GNU_STACK) not being enforced
On Tue, 2010-10-12 at 11:10 +0100, Marcin Owsiany wrote:
> And it might be non-obvious, but some CPUs (e.g. the one in my not-so-old laptop) don't support PAE, so making the default kernel use PAE would make Debian unbootable on them.

Because it's too hard to have ubiquity run a script that checks if the processor supports PAE and then enable it by default if it does, right?

Archive: http://lists.debian.org/1286879343.2459.10.ca...@envygeeks
Re: non-executable stack (via PT_GNU_STACK) not being enforced
On Tue, 2010-10-12 at 05:29 -0500, Jordon Bedwell wrote:
> On Tue, 2010-10-12 at 11:10 +0100, Marcin Owsiany wrote:
>> And it might be non-obvious, but some CPUs (e.g. the one in my not-so-old laptop) don't support PAE, so making the default kernel use PAE would make Debian unbootable on them.
>
> Because it's too hard to have ubiquity run a script that checks if the processor supports PAE and then enable it by default if it does, right?

Sorry, I didn't check the list, not Ubiquity. Not enough coffee in the world this morning, I thought this was the Ubuntu lists.

Also to add, the benefits of NX on PAE far outweigh those of not having PAE, unless it's found that there is a significant number of users on Debian who do in fact use old /old/ hardware. With it recently being found that Linux is in fact more popular than Mac OS X, it might be best to start forcing some sort of basic security on users so they don't get had easily?

Archive: http://lists.debian.org/1286879680.2459.15.ca...@envygeeks
Re: non-executable stack (via PT_GNU_STACK) not being enforced
On Tue, 2010-10-12 at 11:35 +0100, Marcin Owsiany wrote:
> What's ubiquity?

Read the follow-up email where I corrected the mistake please...

> Enable what? Last time I checked, a given kernel image either uses PAE or not, there was no flag to control it.

You read too much into the subjective usage of "enable"; enable could mean many things, including enabling an entirely different kernel... Last I checked there were ways of carrying multiple kernels and enabling them on a need-be basis (I guess I need to clarify here that enabling them implies a /single/ kernel at a time,) unless the entire world has gone topsy-turvy.

    if PAE exists - PAE Kernel
    if ! PAE      - Non-PAE Kernel

There are other ideas, but those other ideas would add significantly to management time and they're just not too viable for Debian to implement on a default level. I guess there is one where you could have the installer /ask/ the user if they want to enable PAE and list the pros /and or/ cons.

Archive: http://lists.debian.org/1286880503.2459.27.ca...@envygeeks
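The kernel-selection check sketched in the message above, written out as an added example (it is not a script from the thread or from the Debian installer): it reads the CPU feature flags as such a check would from /proc/cpuinfo, picks the -bigmem (PAE) flavour only when every logical CPU reports pae, and reports whether NX is usable. The "non-pae" label and the cpuinfo excerpts are constructed for the example.

```python
import re

# Constructed /proc/cpuinfo excerpts (two logical CPUs with PAE and NX,
# and one older CPU without PAE); not captured from a real machine.
CPUINFO_PAE_NX = """\
processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush nx
processor\t: 1
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush nx
"""
CPUINFO_NO_PAE = """\
processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx
"""

_FLAGS_RE = re.compile(r"^flags\s*:\s*(.*)$", re.MULTILINE)

def cpu_flags(cpuinfo_text):
    """One set of feature flags per logical CPU found in the text."""
    return [set(m.group(1).split()) for m in _FLAGS_RE.finditer(cpuinfo_text)]

def choose_kernel(cpuinfo_text):
    """Return (flavour, nx_usable).

    flavour is "bigmem" (the PAE kernel the thread refers to) only when
    every CPU reports pae; otherwise "non-pae" (a constructed label for
    the plain i386 flavour). A missing flags line also yields "non-pae",
    since a PAE kernel on a CPU without PAE does not boot at all.
    NX on i386 needs the PAE page-table format, so it is reported usable
    only when the PAE kernel is selected and every CPU has nx.
    """
    per_cpu = cpu_flags(cpuinfo_text)
    if not per_cpu:
        return "non-pae", False
    pae = all("pae" in flags for flags in per_cpu)
    nx = all("nx" in flags for flags in per_cpu)
    return ("bigmem" if pae else "non-pae"), (pae and nx)

def choose_kernel_from_file(path="/proc/cpuinfo"):
    """Same decision read from the live system (the installer-script case)."""
    with open(path) as fh:
        return choose_kernel(fh.read())

if __name__ == "__main__":
    print(choose_kernel(CPUINFO_PAE_NX))  # ('bigmem', True)
    print(choose_kernel(CPUINFO_NO_PAE))  # ('non-pae', False)
```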
Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities
On Mon, 2010-10-11 at 10:40 -0400, Michael Gilbert wrote:
> The problem here appears to be the jump to the new upstream version (1.8.2 to 1.8.13), which has a different dependency set. New upstreams are usually disallowed in security uploads. The question is why was that OK in this case, rather than the standard backporting approach?

Perhaps there was more to this security problem than they're telling us? Something we would need to figure out by checking upstream? The only way to find out for sure is if we forward this thread to the package maintainer and ask him to speak out about what is going on.

Archive: http://lists.debian.org/1286808364.18776.1.ca...@envygeeks
Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities
On Mon, 2010-10-11 at 11:15 -0400, Michael Gilbert wrote:
> I highly doubt that there is anything malicious going on here, and there is always the "Debian does not hide problems" mantra. The simplest, and most likely, explanation is that it was easier to update to the new upstream, rather than attempt to backport fixes for 11 separate issues.

Why assume somebody meant something malicious? I implied that perhaps there were smaller security upgrades which would have justified a version jump... Really, guy. The serious problem with you assuming I implied that something malicious is going on is the fact that we can pull the source that he uploaded to Debian directly from Debian and view it.

Archive: http://lists.debian.org/1286811577.22195.2.ca...@envygeeks
Re: CVE-2009-3555 not addressed in OpenSSL
On 09/29/2010 03:52 PM, Michael Gilbert wrote:
> On Tue, 28 Sep 2010 15:04:04 -0500, Marsh Ray wrote:
>> On 09/24/2010 02:45 AM, Simon Josefsson wrote:
>>> Marsh Ray <ma...@extendedsubset.com> writes:
>>>> As a long-term Debian user myself, I appeal to Debian's sense of enlightened self-interest and urge that RFC 5746 support be backported to stable.
>>>
>>> FWIW, the latest stable GnuTLS version with RFC 5746 support is not even in testing, so it won't be part of even the next stable. It may be too late for that in the release cycle though...
>>
>> But that's a choice made by Debian. Call it release policy, procedure, or whatever, Debian cannot use the existence of its own bureaucracy as a justification for wrong action (or inaction).
>>
>> As you certainly know Simon, great effort has been expended by many people over the course of the last year to develop and deploy industry-wide a backwards-compatible protocol fix in record time. To this end, minor version updates and source patches to all major open-source implementations were provided to library users and distros. Under these circumstances, I contend that it is wrong for Debian to withhold these security fixes from its installed base. Web browsers are now warning users about unpatched servers. Server admins who run Debian are left without a packaged solution. Consequently, their users are unable to configure their client applications to strict (more secure) mode and client applications must ship with the less secure default settings.
>>
>> These facts remain:
>> Opera has implemented the correct fix for this security bug,
>> Microsoft has implemented the correct fix for this security bug,
>> Mozilla has implemented the correct fix for this security bug,
>> OpenSSL has implemented the correct fix for this security bug,
>> IBM Java has implemented the correct fix for this security bug,
>> GNUTLS has implemented the correct fix for this security bug,
>> Google has implemented the correct fix for this security bug,
>> RedHat has implemented the correct fix for this security bug,
>> Ubuntu has implemented the correct fix for this security bug,
>> ...yet...
>> Debian has not implemented the correct fix for this security bug.
>
> Debian, being a volunteer organization, has its upsides and downsides. The downside here being without an active volunteer interested in this problem, nothing has happened. What is needed here is someone to step up to the plate: file some bugs; try to find the patches; backport and test them; etc. Bottom line, a little work and communication with maintainers of the affected packages would go a long way toward resolving this.
>
> Best wishes,
> Mike

There is a bug against openssl and mod_ssl for apache already; they simply just block renegotiation (unless they did a better patch later that I don't recall seeing) and one was challenged (if I remember right, openssl) because it was missing something. Personally I had assumed Debian of all people would be on the ball with this, so I never doubled back to check and see if they patched it properly, but I remember everything just being block block block and not fix fix fix for real.

Archive: http://lists.debian.org/4ca3a852.8010...@envygeeks.com
Re: CVE-2009-3555 not addressed in OpenSSL
On 09/28/2010 03:04 PM, Marsh Ray wrote:
> On 09/24/2010 02:45 AM, Simon Josefsson wrote:
>
> But that's a choice made by Debian. Call it release policy, procedure, or whatever, Debian cannot use the existence of its own bureaucracy as a justification for wrong action (or inaction).
>
> Microsoft has implemented the correct fix for this security bug,
> Debian has not implemented the correct fix for this security bug.

It intrigues me to know that even with a new stable coming soon we still won't see a proper fix. With patches being available to vendors for so long I'm starting to wonder why it wasn't on the to-do list from the start as a /possible/ rerun and *must* fix on Squeeze.

Archive: http://lists.debian.org/4ca272fa.2060...@envygeeks.com
Re: scans in my hosts. (Debian 5.0 and Apache 2.2.9)
On 7/29/10 11:43 AM, Ashley Taylor wrote:
> If your phpMyAdmin installations are safe and protected and you wish to remove these from your log files for vanity reasons, please see this guide with a cool fail2ban config that should help you: http://foosel.org/blog/2008/04/banning_phpmyadmin_bots_using_fail2ban
>
> Ash.
>
> On Thu, Jul 29, 2010 at 3:49 PM, Sjors Gielen <mailingl...@dazjorz.com> wrote:
>> On 29 Jul 2010, at 16:34, OLCESE, Marcelo Oscar wrote:
>>> Dear all: I am getting these scans on my hosts (Debian 5.0 and Apache 2.2.9). This has been repeating for some weeks. Do you know what it could be? What can I do to eliminate it? Thanks. Marcelo Olcese.
>>
>> Someone is scanning your system for vulnerable PHPMyAdmin installations, and other possibly vulnerable stuff. As long as you watch your PHPMyAdmin installations if you have any and make sure nobody can abuse them, nothing's wrong. Try, for example, requiring http authentication to access the directories, or turning off your webserver if you didn't need it anyway.
>>
>> Sjors

There was a recent influx of attacks on some hosts who were using outdated versions [some by almost 4 revisions ~ one host I know of is using a version of PHPMyAdmin with about 20 CVEs against it that I confirmed myself ~ they have yet to push their security experts to update this as an emergency or close the loop by creating a prompted login ~ some of whom were very high-end hosts] and they were open, so a lot of people might see this happening more and more.

Archive: http://lists.debian.org/4c51b444.7060...@envygeeks.com
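A detector for the phpMyAdmin probes this thread is about, as an added example in Python rather than the fail2ban config linked above (it is not that config and not from the thread): it applies fail2ban-style maxretry/findtime counting to Apache access-log lines, counting only 404 hits on phpMyAdmin paths so that a real user meeting the HTTP-auth prompt Sjors recommends (a 401) is not flagged. The log lines and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-format access log lines (documentation addresses),
# not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jul/2010:14:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla"
203.0.113.7 - - [29/Jul/2010:14:01:03 +0000] "GET /pma/ HTTP/1.1" 404 209 "-" "Mozilla"
203.0.113.7 - - [29/Jul/2010:14:01:04 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 209 "-" "Mozilla"
198.51.100.9 - - [29/Jul/2010:14:05:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla"
198.51.100.9 - - [29/Jul/2010:14:05:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 401 0 "-" "Mozilla"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# A request for a phpMyAdmin path answered with 404 is a probe against an
# install that is not there; a 401 is a client meeting the HTTP auth
# prompt Sjors suggests, so it is deliberately not counted.
PROBE_PATH_RE = re.compile(r"^/(phpmyadmin|pma)\b", re.IGNORECASE)

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def probing_ips(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """IPs with at least `maxretry` probes inside any `findtime` window,
    the same semantics fail2ban applies before banning."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if status == 404 and PROBE_PATH_RE.match(path):
            hits[ip].append(ts)
    flagged = set()
    for ip, times in hits.items():
        times.sort()
        # Slide a window of maxretry hits; any window within findtime trips.
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                flagged.add(ip)
                break
    return flagged
```

Run against a real log, `probing_ips(open("/var/log/apache2/access.log").read())` gives the set a fail2ban jail with the same thresholds would ban.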