Re: Please clarifiy: kernel-sources / ptracebug / debian security announcenments
On Thu, 2003-05-08 at 10:54, Oliver Hitz wrote: On 08 May 2003, Markus Kolb wrote: There are patched Debian kernel images with version 2.4.18-7 by the kernel-image maintainer Herbet Xu but not in official debian package trees. Just don't know where to find Herbert's packages. Perhaps someone can post the place! You can find patched kernel images and sources for woody in proposed-updates. Don't know if there is a more official place to find them. ftp://ftp.debian.org/debian/dists/woody-proposed-updates/ Sources are patched as of woody.2, according to this changes file[1], but only woody.1 images are available[2], as far as I can tell. The images at the second URL are still vulnerable: Linux kmod + ptrace local root exploit by [EMAIL PROTECTED] = Simple mode, executing /usr/bin/id /dev/tty sizeof(shellcode)=95 = Child process started.. = Child process started.. = Child process started.. = Child process started.. = Child process started.. = Child process started.. = Child process started.. = Child process started.. = Child process started.+ 516 - 516 ok! [1]http://ftp.debian.org/dists/proposed-updates/kernel-source-2.4.20_2.4.20-3woody.2_i386.changes [2]http://ftp.debian.org/pool/main/k/kernel-image-2.4.20-i386/ - Jon -- [EMAIL PROTECTED] Administrator, tgpsolutions http://www.tgpsolutions.com
Re: Please clarifiy: kernel-sources / ptracebug / debian security announcenments
On Fri, 2003-05-09 at 00:27, Jon wrote: Sources are patched as of woody.2, according to this changes file[1], but only woody.1 images are available[2], as far as I can tell. The images at the second URL are still vulnerable: [1]http://ftp.debian.org/dists/proposed-updates/kernel-source-2.4.20_2.4.20-3woody.2_i386.changes [2]http://ftp.debian.org/pool/main/k/kernel-image-2.4.20-i386/ Oops, spoke too soon. These packages are not vulnerable: http://ftp.debian.org/pool/main/k/kernel-image-2.4.20-1-i386/ - Jon -- [EMAIL PROTECTED] Administrator, tgpsolutions http://www.tgpsolutions.com
Re: Please clarifiy: kernel-sources / ptracebug / debian security announcenments
On Thu, 08 May 2003 01:30:15 +0200, in linux.debian.security you wrote: kernel. The ptrace bug is not the only problem as there are other security problems (for example in the netfilter code) that have never been fixed in stable. could you please speek out about this? Where can I find more info about this? Where can i find patches? Which kernel-source/image pkg has this patches applied? Searchengines spit out too much noise looking for that issue... THANK YOU!!! Have a nice thread, Peter
Re: Please clarifiy: kernel-sources / ptracebug / debian security announcenments
On Wednesday 07 May 2003 14:53, Peter Holm wrote:
Hi,
may I be allowed to ask some questions?
I am a little bit confused about the latest discussions on the ptrace
kernel bug.
[...]
Why isn´t there a security warning about that ptrace bug?
[...]
Well the most problem is that Marcelo Tosatti (he is the maintainer of
official 2.4 kernel tree) thinks that the ptrace hole is not so
important ('only' local attacks possible) and the official kernel
sources will be patched with planned kernel version 2.4.21.
It would be the better solution to patch the official kernel sources as
fast as possible to get a new base for distributors and to get one
official patch.
By the way there are people not following security lists and they
believe that latest stable kernel ist really stable and has no known
security flaws... instead there is a flaw since months.
This is a behaviour for what we judge and hate Microsoft.
It is realy stupid to let the distributors do the work of security
patching the kernel. Maybe the distributors should hack their own
kernels and there is no Linux anymore?!
What I want say, it was not only a Debian based problem.
There is no announcement like there is none at www.kernel.org.
There are patched Debian kernel images with version 2.4.18-7 by the
kernel-image maintainer Herbet Xu but not in official debian package
trees. Just don't know where to find Herbert's packages. Perhaps
someone can post the place!
Re: Please clarifiy: kernel-sources / ptracebug / debian security announcenments
By the way there are people not following security lists and they that was my situation. there must be hundreds or thousands of people out there, which also do have just little time for administering their debian installs and rely on security announcement list and apt-get. Also, if I understand it right, all new installs of woody, by cdrom or ftp, will be unsecure. I really do not understand, why there isn´t a warning at http://www.debian.org/releases/stable/installmanual, something like YOU HAVE TO PATCH YOUR KERNEL AFTER INSTALL... Not finding anything about that issue on kernel.org is also unsatisfying. Why is security not worth one single link on that primary site for the Linux kernel source??? Have a nice thread, Peter
Re: Please clarifiy: kernel-sources / ptracebug / debian security announcenments
The security team has already released two DSA's on the ptrace issue. Those would be DSA 270 and DSA 276. Why they have not put priority on fixing it for the i386 architecture I do not know, but I do know that modifying the kernel in stable on i386 is a monstrous problem, as doing it right means you have to: - rebuild all the different kernel images - rebuild all the modules packages external to the kernel, which would get broken by the above rebuild - rebuild the boot floppies - rebuild the install CD's -- see shy jo, not a member of the security team pgpGAbvVbjkmT.pgp Description: PGP signature
Re: Please clarifiy: kernel-sources / ptracebug / debian security announcenments
On 08 May 2003, Markus Kolb wrote: There are patched Debian kernel images with version 2.4.18-7 by the kernel-image maintainer Herbet Xu but not in official debian package trees. Just don't know where to find Herbert's packages. Perhaps someone can post the place! You can find patched kernel images and sources for woody in proposed-updates. Don't know if there is a more official place to find them. ftp://ftp.debian.org/debian/dists/woody-proposed-updates/ Regards, Oliver
Re: Please clarifiy: kernel-sources / ptracebug / debian security announcenments
On Thu, 08.05.03, Joey Hess [EMAIL PROTECTED] wrote: fixing it for the i386 architecture I do not know, but I do know that modifying the kernel in stable on i386 is a monstrous problem, as doing it right means you have to: - rebuild all the different kernel images - rebuild all the modules packages external to the kernel, which would get broken by the above rebuild - rebuild the boot floppies - rebuild the install CD's And that is not true for the architectures that _were_ patched? I also think that a patched 2.4.20-ptrace as replacement for 2.4.20 would have not much problems running external modules. The patched kernel-images for i386 have been lying around for some time, and i have them running on some boxen which all work fine. I acknowlege that there may still be issues with some installations or even broken packages (software that wont run with the patch), in which case something of an unofficial security advisory would have been nice (which provides information about the hole and a link to the unofficial patched kernel images with a note that they may break some stuff). The official DSA could then be published once all outstanding issues had been resolved. I dont know whether that would be against a debian policy but in all cases this is far superior to the current situation where everyone has to patch the kernel for him/herself or use the unofficial debs instead, which has the same effect as releasing a .deb that has the same problems. cya, Nils -- Nils Juergens | [EMAIL PROTECTED] | icq 7090774 Having problems sending big files over the net? Try out Efisto (http://efisto.rnbhq.org).
Re: Please clarifiy: kernel-sources / ptracebug / debian security announcenments
Nils Juergens wrote: fixing it for the i386 architecture I do not know, but I do know that modifying the kernel in stable on i386 is a monstrous problem, as doing it right means you have to: - rebuild all the different kernel images - rebuild all the modules packages external to the kernel, which would get broken by the above rebuild - rebuild the boot floppies - rebuild the install CD's And that is not true for the architectures that _were_ patched? It's certianly less true of ie, s390. There are not a lot of third pary kernel modules for s390, for example, and if there are any, they're not needed during install like the pcmcia modules are. I also think that a patched 2.4.20-ptrace as replacement for 2.4.20 would have not much problems running external modules. Maybe if you got rather lucky and didn't inaverdently change anything else. -- see shy jo pgp8QUGT7ziSi.pgp Description: PGP signature
Please clarifiy: kernel-sources / ptracebug / debian security announcenments
Hi, may I be allowed to ask some questions? I am a little bit confused about the latest discussions on the ptrace kernel bug. As I am not a regular reader of this mailing list but heavily relying on the debian security announce mailing list and apt-get, I was really wondering why I could not find anything about that ptrace kernel bug that can be found here http://sinuspl.net/ptrace/ on the debian security website / announcement list. As I keep my systems regularly (apt-)updated I thought there was no reason to panic, at least debian is known for it´s high claims on beeing secure and there would be some word about that if it was a problem. well, said that I tried, just for fun, if that exploit could do something on my actual debian installations and I really got slapped hard! All machines were exploitable! Ok, my questions: Why isn´t there a security warning about that ptrace bug? The actual kernel sources that one can get via apt-get, are they already patched? What about the kernel-images? As i read, there are some misfunctions with that kernel-patch, not allowing some tools to work properly (netsaint / nagios were mentioned). Are there any more sideeffects known? Is there a good website accumulating information about-that-prace-bug-and-patch-and-all-the-problems-that-are related-to this.org? And: which informtion sources do I have to follow to become informed about *all* security bugs in debian? Thanks for your attention and sorry for my clumsy english! Have a nice thread, Peter
Re: Please clarifiy: kernel-sources / ptracebug / debian security announcenments
On Wednesday 07 May 2003 14:53, Peter Holm wrote: The actual kernel sources that one can get via apt-get, are they already patched? I have to admit that I didn't follow this issue closely, you'll have to get this info elsewhere. And: which informtion sources do I have to follow to become informed about *all* security bugs in debian? I fear there's no such place. The security announcements are only made when a fixed package is released, and to my knowledge there is no centralized debian specific place to get security announcements for security bugs where no patch is (yet) available. This is unfortunate, but I guess it cannot be changed as the security team reputedly is quite heavily loaded even now. greets -- vbi -- this email is protected by a digital signature: http://fortytwo.ch/gpg pgpdOI8IGWLE2.pgp Description: signature
Re: Please clarifiy: kernel-sources / ptracebug / debian security announcenments
Am Mit, 2003-05-07 um 17.05 schrieb Adrian 'Dagurashibanipal' von Bidder: On Wednesday 07 May 2003 14:53, Peter Holm wrote: The actual kernel sources that one can get via apt-get, are they already patched? kernel-source-2.4.20 in unstable is patched. I fear there's no such place. The security announcements are only made when a fixed package is released, and to my knowledge there is no centralized debian specific place to get security announcements for security bugs where no patch is (yet) available. I am not quite sure how much the security team feels responsible for the kernel. The ptrace bug is not the only problem as there are other security problems (for example in the netfilter code) that have never been fixed in stable. Additionally, often patches are only available for current kernel versions, but not for older ones that are all available within woody. How far back must patches be backported? Is there a clear policy about this issue? Sebastian
Re: Please clarifiy: kernel-sources / ptracebug / debian security announcenments
HI, This is unfortunate, but I guess it cannot be changed as the security team reputedly is quite heavily loaded even now. so is the debian project facing a kind of DOS-Attack on an organizatory level? This seems to be a social vulnerability then. Have a nice thread, Peter
Re: Please clarifiy: kernel-sources / ptracebug / debian security announcenments
I think you'll find the bugtraq list at http://securityfocus.com/ to be the leading edge for security information. I like focus-linux too. http://securityfocus.com/archive To find more current news on issues / exploits, you would probably need to follow some particular IRC or whatever the evil side of the internet uses these days. The main problem with bugtraq is a *lot* of M$ (and other commercial software) issues are mixed in there. I find myself only reading the subjects of 70% of the posts. but for issues like ptrace, you'll find everything you need there. // George On Wed, May 07, 2003 at 02:53:35PM +0200, Peter Holm wrote: Hi, may I be allowed to ask some questions? I am a little bit confused about the latest discussions on the ptrace kernel bug. As I am not a regular reader of this mailing list but heavily relying on the debian security announce mailing list and apt-get, I was really wondering why I could not find anything about that ptrace kernel bug that can be found here http://sinuspl.net/ptrace/ on the debian security website / announcement list. As I keep my systems regularly (apt-)updated I thought there was no reason to panic, at least debian is known for it?s high claims on beeing secure and there would be some word about that if it was a problem. well, said that I tried, just for fun, if that exploit could do something on my actual debian installations and I really got slapped hard! All machines were exploitable! Ok, my questions: Why isn?t there a security warning about that ptrace bug? The actual kernel sources that one can get via apt-get, are they already patched? What about the kernel-images? As i read, there are some misfunctions with that kernel-patch, not allowing some tools to work properly (netsaint / nagios were mentioned). Are there any more sideeffects known? Is there a good website accumulating information about-that-prace-bug-and-patch-and-all-the-problems-that-are related-to this.org? And: which informtion sources do I have to follow to become informed about *all* security bugs in debian? Thanks for your attention and sorry for my clumsy english! Have a nice thread, Peter -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- GEORGE GEORGALIS, System Admin/Architectcell: 646-331-2027 Security Services, Web, Mail,mailto:[EMAIL PROTECTED] Multimedia, DB, DNS and Metrics. http://www.galis.org/george
