Re: [d-security] Re: ssh vulnerability in the wild
Adrian von Bidder wrote:
> On Tuesday 16 September 2003 22:30, Rich Puhek wrote:
> [mix stable/testing/unstable]
>
> This is what I usually do - and usually, it works quite fine. Right now,
> though, I've been pulling in more and more from testing/unstable since
> some things depend on the new glibc, and some other things randomly break
> when used with the new glibc, so I've had to upgrade those things, which
> in turn depend on foo, which...

Ahh, when it starts to want to download a lot of libraries I don't know
much about, that's when I lean towards apt-get source. Reduces the
exploding dependencies/conflicts problem...

--Rich

Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746
tel: 218.262.1130
email: [EMAIL PROTECTED]
Re: [d-security] Re: ssh vulnerability in the wild
On Wed, Sep 17, 2003 at 12:12:35AM -0700, Rick Moen wrote:
> I note:
> http://incoming.debian.org/ssh_3.6.1p2-8_i386.deb
> http://incoming.debian.org/ssh_3.6.1p2-8_mipsel.deb
> http://incoming.debian.org/ssh_3.6.1p2-8_powerpc.deb
>
> ...and would guess they're built from upstream's v. 3.7.1.
>
> (The two latter arrived within the last fifteen minutes.)

openssh (1:3.6.1p2-8) unstable; urgency=high

  * Merge more buffer allocation fixes from new upstream version 3.7.1p1
    (closes: #211324).

Still waiting for a similar version on security.debian.org, for Woody.

--
Regards
Birzan George Cristian
Re: [d-security] Re: ssh vulnerability in the wild
Quoting Jan Niehusmann ([EMAIL PROTECTED]):

> So I guess we all have to upgrade again. Didn't see packages with
> patches derived from 3.7.1, yet.

I note:
http://incoming.debian.org/ssh_3.6.1p2-8_i386.deb
http://incoming.debian.org/ssh_3.6.1p2-8_mipsel.deb
http://incoming.debian.org/ssh_3.6.1p2-8_powerpc.deb

...and would guess they're built from upstream's v. 3.7.1.

(The two latter arrived within the last fifteen minutes.)

--
Cheers,              Founding member of the Hyphenation Society, a grassroots-based,
Rick Moen            not-for-profit, locally-owned-and-operated, cooperatively-managed,
[EMAIL PROTECTED]    modern-American-English-usage-improvement association.
Re: [d-security] Re: ssh vulnerability in the wild
On Tuesday 16 September 2003 22:30, Rich Puhek wrote:
[mix stable/testing/unstable]

This is what I usually do - and usually, it works quite fine. Right now,
though, I've been pulling in more and more from testing/unstable since
some things depend on the new glibc, and some other things randomly break
when used with the new glibc, so I've had to upgrade those things, which
in turn depend on foo, which...

I expect once the libc/gcc issues have settled down it should be a bit
better - but I now run quite a bit of a sarge system already, so security
support for many things is non-existent for me. Thankfully, ssh/stable
seems to work fine with libc6/unstable.

Greets
-- vbi

--
featured product: GNU Privacy Guard - http://gnupg.org
Re: [d-security] Re: ssh vulnerability in the wild
On Wed, Sep 17, 2003 at 08:24:43AM +0300, Birzan George Cristian wrote:
> According to the DSA, this is based on the 3.7 fix. OpenSSH's site lists
> the only not vulnerable version as 3.7.1. In my mind, that means the ssh
> version on security.debian.org right now is _STILL_ vulnerable. I'm not
> a security expert, nor do I have time to actually see if that's true,
> so, I'm asking the list if anyone can confirm/deny that.

Yes, it seems like OpenSSH 3.7.1 appeared quickly after 3.7 (or 3.7
didn't really appear at all?) and fixed additional security bugs. The
first debian patches did only contain patches from 3.7, not from 3.7.1,
so ssh is still vulnerable. (But I did not check if all these
vulnerabilities affect both woody and sid)

So I guess we all have to upgrade again. Didn't see packages with
patches derived from 3.7.1, yet.

Jan
Re: [d-security] Re: ssh vulnerability in the wild
On Tue, Sep 16, 2003 at 09:51:43PM +0200, Matthias Merz wrote:
> So only one problem remains: The version in woody-proposed-updates is
> 1:3.4p1-1.woody.1 which is "newer" than the patched version. So I had to
> manually "downgrade" my proposed-updates-version to get the fix.
> (apt-get dist-upgrade didn't show any packages to upgrade)
> When will there be a "new" version in proposed-updates for apt-getting
> the fix?

This will be sorted out soon: I believe the next version in security
will include the changes in proposed-updates and so will have a higher
version number.

--
Colin Watson                                  [EMAIL PROTECTED]
Re: [d-security] Re: ssh vulnerability in the wild
On Tue, Sep 16, 2003 at 01:10:34PM -0400, Dossy wrote:
> On 2003.09.16, Christian Hammers <[EMAIL PROTECTED]> wrote:
> > The new version has already been installed. This was quick. Good work,
> > security team.
> >
> > openssh (1:3.4p1-1.1) stable-security; urgency=high
> >
> >   * NMU by the security team.
> >   * Merge patch from OpenBSD to fix a security problem in buffer handling
> >
> >  -- Wichert Akkerman <[EMAIL PROTECTED]>  Tue, 16 Sep 2003 13:06:31 +0200
>
> Is 3.6.1p2-3 vulnerable? For those of us who want security, must we
> downgrade to 3.4p1-1.1 or build from source after patching by hand? Or
> will this security fix be applied to sarge as well?

It's not routine practice, but assuming glibc doesn't suddenly get fixed
in the next couple of days, I expect to upload a fixed openssh to
testing-proposed-updates once the dust settles. That should be able to
get into testing fairly quickly.

--
Colin Watson                                  [EMAIL PROTECTED]
Re: [d-security] Re: ssh vulnerability in the wild
On Tue, Sep 16, 2003 at 05:31:06PM +0200, Christian Hammers wrote:
> The new version has already been installed. This was quick. Good work,
> security team.
>
> openssh (1:3.4p1-1.1) stable-security; urgency=high
>
>   * NMU by the security team.
>   * Merge patch from OpenBSD to fix a security problem in buffer handling
>
>  -- Wichert Akkerman <[EMAIL PROTECTED]>  Tue, 16 Sep 2003 13:06:31 +0200

According to the DSA, this is based on the 3.7 fix. OpenSSH's site lists
the only not vulnerable version as 3.7.1. In my mind, that means the ssh
version on security.debian.org right now is _STILL_ vulnerable. I'm not
a security expert, nor do I have time to actually see if that's true,
so, I'm asking the list if anyone can confirm/deny that.

--
Regards
Birzan George Cristian
Re: [d-security] Re: ssh vulnerability in the wild
Hello there,

Christian Hammers wrote:
>
> On Tue, Sep 16, 2003 at 04:00:30PM +0100, Thomas Horsten wrote:
> > On Tue, 16 Sep 2003, Alexander Neumann wrote:
> > >
> > > > According to Wichert, the security team is already working on an update.
>
> The new version has already been installed. This was quick. Good work,
> security team.
>
> openssh (1:3.4p1-1.1) stable-security; urgency=high
>
>   * NMU by the security team.
>   * Merge patch from OpenBSD to fix a security problem in buffer handling
>
>  -- Wichert Akkerman <[EMAIL PROTECTED]>  Tue, 16 Sep 2003 13:06:31 +0200

So only one problem remains: The version in woody-proposed-updates is
1:3.4p1-1.woody.1 which is "newer" than the patched version. So I had to
manually "downgrade" my proposed-updates-version to get the fix.
(apt-get dist-upgrade didn't show any packages to upgrade)

When will there be a "new" version in proposed-updates for apt-getting
the fix?

bye,
Matthias Merz
Re: [d-security] Re: ssh vulnerability in the wild
## Jean Charles Delepine ([EMAIL PROTECTED]):

> Same for most boxes here but there seem to be a versioning conflict
> between security update and woody proposed update :

I stumbled over this earlier this year. In short, "proposed-updates is
NOT meant to be added by users." (Martin Schulze).

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=182413&archive=yes

Regards,
cmt
--
Spare Space
Re: [d-security] Re: ssh vulnerability in the wild
* Dossy ([EMAIL PROTECTED]) wrote:
> Eek. So, if we want to run secure systems, we either have to run
> unstable (and all the troubles that comes with) or stable? I find that

Old news... Sorry.

Stephen
Re: [d-security] Re: ssh vulnerability in the wild
Quoting Dossy ([EMAIL PROTECTED]):

> Eek. So, if we want to run secure systems, we either have to run
> unstable (and all the troubles that comes with) or stable?

The Security Team FAQ addresses this:
http://www.debian.org/security/faq#testing

  Q: How is security handled for testing and unstable?

  A: The short answer is: it's not. Testing and unstable are rapidly
  moving targets and the security team does not have the resources
  needed to properly support those. If you want to have a secure (and
  stable) server you are strongly encouraged to stay with stable.
  However, the security secretaries will try to fix problems in testing
  and unstable after they are fixed in the stable release.

The FAQ is your friend. ;->

> I find that "testing" is a good middle ground for a reasonably stable
> system but with reasonably up-to-date packages, so that's why I run
> it.

You can certainly do that. But the burden is on you to read DSAs and
take manual action as needed. E.g., if a DSA says some exposed piece of
software you elect to run has a vulnerability you care about, you might
find it in your interest to do one of the following:

1. Downgrade to the stable branch's version.
2. Install the binary version from the unstable branch[1].
3. apt-get source the unstable version, then recompile and dpkg -i it.
4. deb-src and hand-patch, as you say.
5. Switch temporarily from the affected package to an equivalent that
   isn't affected. (Remember, there's lsh, for example.)

(The above is for the benefit of list readership at large. I'm
certainly not suggesting you personally aren't aware of those options.)

[1] Add

    Package: *
    Pin: release a=unstable
    Pin-Priority: 50

to /etc/apt/preferences. Have both testing and unstable lines in
/etc/apt/sources.list . Then, after another apt-get update:

    # apt-get -t unstable install

...will get and any needed dependencies from the unstable branch. (Note
that you cannot assume unstable automatically fixes security bugs.)

Alternatively, use "=" syntax to fetch a specified package version:

    apt-get install somepackage=12.17.4-4

Tutorial: http://jaqque.sbih.org/kplug/apt-pinning.html

--
Cheers,              "I don't like country music, but I don't mean to denigrate
Rick Moen            those who do. And, for the people who like country music,
[EMAIL PROTECTED]    denigrate means 'put down'." -- Bob Newhart
Re: [d-security] Re: ssh vulnerability in the wild
Dossy wrote:
> On 2003.09.16, Stephen Frost <[EMAIL PROTECTED]> wrote:
> > > Is 3.6.1p2-3 vulnerable? For those of us who want security, must we
> > > downgrade to 3.4p1-1.1 or build from source after patching by hand? Or
> > > will this security fix be applied to sarge as well?
> >
> > There's at least a version on incoming.debian.org which has the version
> > for unstable. I don't know what to tell you about testing/sarge. I'm
> > sure it will be in before release but beyond that I've no idea when it
> > will make it into testing.
>
> Eek. So, if we want to run secure systems, we either have to run
> unstable (and all the troubles that comes with) or stable? I find that
> "testing" is a good middle ground for a reasonably stable system but
> with reasonably up-to-date packages, so that's why I run it. Running
> "stable" involves hand-managing way too many packages that I do need
> more recent versions, and "unstable" involves way too many troubles if
> I apt-get update without carefully inspecting what's being updated,
> which I don't have the time for. :-(
>
> poop. Guess I'll go the deb-src route and hand-patch, I guess. Not what
> I wanted to do today ... ;-)
>
> -- Dossy

Or (to get a reasonably up to date system):

* Set your default release to stable (I actually prefer to use
  distribution names, so that if I'm asleep at the switch when a new
  version is released I don't accidentally 'apt-get upgrade' when I
  should 'apt-get dist-upgrade')
* Include testing and unstable in sources.conf
* Include apt-src for testing and/or unstable.
* Install a stable system, then for special needs, try 'apt-get install
  foo/testing' (or "foo/unstable"). If you can live with the
  dependencies, great. If things turn ugly, then apt-get source instead.

This way, you'll have stable (with the corresponding security updates)
for just about everything. For the few packages that need to be from
unstable or testing, either patch them yourself, or watch incoming, or
watch for others to contribute .debs.

Plus, you can apt-get update && upgrade without having your system blow
up. I've found fairly few cases where I actually *need* a more recent
version, so this approach works great for me. In most cases, the only
perceived need for a more recent version has been for security updates,
which, of course, are backported in Debian stable.

Of course, YMMV.

--Rich

Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746
tel: 218.262.1130
email: [EMAIL PROTECTED]
Re: [d-security] Re: ssh vulnerability in the wild
Christian Hammers <[EMAIL PROTECTED]> wrote:

> On Tue, Sep 16, 2003 at 04:00:30PM +0100, Thomas Horsten wrote:
> > On Tue, 16 Sep 2003, Alexander Neumann wrote:
> >
> > > According to Wichert, the security team is already working on an update.
> >
> > Is there an emergency patch/workaround for this, if disabling ssh is not
> > an option? Are systems with Privilege Separation affected?
>
> The new version has already been installed. This was quick. Good work,
> security team.

Same for most boxes here but there seems to be a versioning conflict
between security update and woody proposed update:

apt-cache policy ssh
ssh:
  Installed: 1:3.4p1-1.woody.1
  Candidate: 1:3.4p1-1.woody.1
  Version Table:
 *** 1:3.4p1-1.woody.1 0
        500 ftp://ftp.u-picardie.fr woody-proposed-updates/main Packages
        100 /var/lib/dpkg/status
     1:3.4p1-1.1 0
        500 http://security.debian.org woody/updates/main Packages
     1:3.4p1-1 0
        500 ftp://ftp.u-picardie.fr woody/main Packages

I will force the security.debian.org version to apply but I think people
should be aware of the risk of using woody/updates and maybe one of the
two should be renumbered.

Jean Charles
Re: [d-security] Re: ssh vulnerability in the wild
Quoting Stephen Frost ([EMAIL PROTECTED]):

> There's at least a version on incoming.debian.org which has the version
> for unstable. I don't know what to tell you about testing/sarge. I'm
> sure it will be in before release but beyond that I've no idea when it
> will make it into testing.

The version in incoming _seems_ to cause no problems on testing/sarge if
you're willing to install libc6 from unstable, which I've just done, and
am so far seeing no problems.

Versions:
http://incoming.debian.org/ssh_3.6.1p2-7_i386.deb
http://http.us.debian.org/debian/pool/main/g/glibc/libc6_2.3.2-7_i386.deb

--
Cheers,              Wall Street has all the emotional stability of a
Rick Moen            thirteen-year-old girl.
[EMAIL PROTECTED]                                   -- Louis Rukeyser
Re: [d-security] Re: ssh vulnerability in the wild
On 2003.09.16, Stephen Frost <[EMAIL PROTECTED]> wrote:
> > Is 3.6.1p2-3 vulnerable? For those of us who want security, must we
> > downgrade to 3.4p1-1.1 or build from source after patching by hand? Or
> > will this security fix be applied to sarge as well?
>
> There's at least a version on incoming.debian.org which has the version
> for unstable. I don't know what to tell you about testing/sarge. I'm
> sure it will be in before release but beyond that I've no idea when it
> will make it into testing.

Eek. So, if we want to run secure systems, we either have to run
unstable (and all the troubles that comes with) or stable? I find that
"testing" is a good middle ground for a reasonably stable system but
with reasonably up-to-date packages, so that's why I run it. Running
"stable" involves hand-managing way too many packages that I do need
more recent versions, and "unstable" involves way too many troubles if
I apt-get update without carefully inspecting what's being updated,
which I don't have the time for. :-(

poop. Guess I'll go the deb-src route and hand-patch, I guess. Not what
I wanted to do today ... ;-)

-- Dossy

--
Dossy Shiobara                       mail: [EMAIL PROTECTED]
Panoptic Computer Network            web: http://www.panoptic.com/
  "He realized the fastest way to change is to laugh at your own
    folly -- then you can let go and quickly move on." (p. 70)
Re: [d-security] Re: ssh vulnerability in the wild
Quoting Stephen Frost ([EMAIL PROTECTED]): > There's at least a version on incoming.debian.org which has the version > for unstable. I don't know what to tell you about testing/sarge. I'm > sure it will be in before release but beyond that I've no idea when it > will make it into testing. The version in incoming _seems_ to cause no problems on testing/sarge if you're willing to install libc6 from unstable, which I've just done, and am so far seeing no problems. Versions: http://incoming.debian.org/ssh_3.6.1p2-7_i386.deb http://http.us.debian.org/debian/pool/main/g/glibc/libc6_2.3.2-7_i386.deb -- Cheers, Wall Street has all the emotional stability of a Rick Moenthirteen-year-old girl. -- Louis Rukeyser [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: [d-security] Re: ssh vulnerability in the wild
On Tue, Sep 16, 2003 at 07:29:33PM +0200, Jan Niehusmann wrote:
> On Tue, Sep 16, 2003 at 01:10:34PM -0400, Dossy wrote:
> > Is 3.6.1p2-3 vulnerable? For those of us who want security, must we
> > downgrade to 3.4p1-1.1 or build from source after patching by hand? Or
> > will this security fix be applied to sarge as well?
>

I downgraded to be safe.
Re: [d-security] Re: ssh vulnerability in the wild
* Dossy ([EMAIL PROTECTED]) wrote:
> On 2003.09.16, Christian Hammers <[EMAIL PROTECTED]> wrote:
> > The new version has already been installed. This was quick. Good work,
> > security team.
> >
> > openssh (1:3.4p1-1.1) stable-security; urgency=high
> >
> >   * NMU by the security team.
> >   * Merge patch from OpenBSD to fix a security problem in buffer handling
> >
> >  -- Wichert Akkerman <[EMAIL PROTECTED]>  Tue, 16 Sep 2003 13:06:31 +0200
>
> Is 3.6.1p2-3 vulnerable? For those of us who want security, must we
> downgrade to 3.4p1-1.1 or build from source after patching by hand? Or
> will this security fix be applied to sarge as well?

There's at least a version on incoming.debian.org which has the version
for unstable. I don't know what to tell you about testing/sarge. I'm
sure it will be in before release but beyond that I've no idea when it
will make it into testing.

	Stephen
Re: [d-security] Re: ssh vulnerability in the wild
On Tue, Sep 16, 2003 at 01:10:34PM -0400, Dossy wrote:
> Is 3.6.1p2-3 vulnerable? For those of us who want security, must we
> downgrade to 3.4p1-1.1 or build from source after patching by hand? Or
> will this security fix be applied to sarge as well?

I guess the patch will apply to sarge as well, so you can easily build a
patched version yourself. Don't expect official security updates for
testing. It'll be fixed when the version from sid gets promoted to sarge.

Jan
Re: [d-security] Re: ssh vulnerability in the wild
On 2003.09.16, Christian Hammers <[EMAIL PROTECTED]> wrote:
> The new version has already been installed. This was quick. Good work,
> security team.
>
> openssh (1:3.4p1-1.1) stable-security; urgency=high
>
>   * NMU by the security team.
>   * Merge patch from OpenBSD to fix a security problem in buffer handling
>
>  -- Wichert Akkerman <[EMAIL PROTECTED]>  Tue, 16 Sep 2003 13:06:31 +0200

Is 3.6.1p2-3 vulnerable? For those of us who want security, must we
downgrade to 3.4p1-1.1 or build from source after patching by hand? Or
will this security fix be applied to sarge as well?

-- Dossy

-- 
Dossy Shiobara                       mail: [EMAIL PROTECTED]
Panoptic Computer Network             web: http://www.panoptic.com/
  "He realized the fastest way to change is to laugh at your own
    folly -- then you can let go and quickly move on." (p. 70)
Re: [d-security] Re: ssh vulnerability in the wild
On Tue, Sep 16, 2003 at 04:00:30PM +0100, Thomas Horsten wrote:
> On Tue, 16 Sep 2003, Alexander Neumann wrote:
>
> > According to Wichert, the security team is already working on an update.
>
> Is there an emergency patch/workaround for this, if disabling ssh is not
> an option? Are systems with Privilege Separation affected?

The new version has already been installed. This was quick. Good work,
security team.

openssh (1:3.4p1-1.1) stable-security; urgency=high

  * NMU by the security team.
  * Merge patch from OpenBSD to fix a security problem in buffer handling

 -- Wichert Akkerman <[EMAIL PROTECTED]>  Tue, 16 Sep 2003 13:06:31 +0200

bye,

-christian-

-- 
Beware of bugs in the above code; I have only proved it correct, not tried
it. -- Donald E. Knuth