Re: Security Flaw:

2024-07-10 Thread David Christensen

On 7/9/24 23:34, Richard Bostrom wrote:

> I cannot update my passphrase in crypttab although the passphrase is updated in
> the OS I cannot enter my OS without using the latest passphrase.
>
> Yours sincerely
> Richardh Bostrom



Passphrases in crypttab(5) are for disks, disk partitions, virtual 
devices, etc., and are unrelated to user passwords.  Changing one does 
not affect the other, and vice versa.



If you are using LUKS to encrypt a partition, LUKS supports more than 
one passphrase.  See cryptsetup(8).  To change the passphrase, I would 
add the new passphrase, reboot, and enter the new passphrase to verify. 
When you are confident the new passphrase works, delete the old passphrase.



David



Re: Security hole in kernel fixed?

2024-05-15 Thread Stanislav Vlasov
On Wed, 15 May 2024 at 16:55, Hans wrote:

> Dear developers,

Users.

> in April 2024 the security hole CVE-2023-6546 was discovered in linux-image, 
> and I believe, it is fixed in kernel 6.1.0 (from debian/stable) as soon after 
> this a new kernel was released.

https://security-tracker.debian.org/tracker/CVE-2023-6546 may help

-- 
Stanislav



Re: Security hole in kernel fixed?

2024-05-15 Thread The Wanderer
On 2024-05-15 at 03:05, Hans wrote:

> Dear developers,

As usual, most of us here are not Debian developers, even if some of us
may be software developers.

> in April 2024 the security hole CVE-2023-6546 was discovered in linux-image, 
> and I believe, it 
> is fixed in kernel 6.1.0 (from debian/stable) as soon after this a new kernel 
> was released.
> 
> However, there is no new kernel 6.5.0-*-bpo released at that time, so my 
> question: 
> 
> Does anyone know, if this fix was also integrated in kernel 6.5.0-*.bpo ?

I don't have a definitive answer, but you might look at:

https://security-tracker.debian.org/tracker/CVE-2023-6546

The only place it mentions 6.5 is in the Notes section, where it
mentions 6.5-rc7 (with a kernel.org link) in the context of a statement
that the Linux kernel in Debian buster does not include the vulnerable
code.

I would therefore suspect that any 6.5.x kernel probably was not
affected by this vulnerability to begin with.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw





Re: Security vulnerability at curl package: CVE-2023-44487: HTTP/2 Rapid Reset

2023-11-28 Thread Phil Wyett
On Tue, 2023-11-28 at 08:56 +, Marold Marcus (DC-AE/ESW1) wrote:
> Hello,
> I would like to request an upgrade of the curl package (Linux Ubuntu Core 22 
> / Jammy) to Nghttp2
> v1.57.0 because of CVE-2023-44487: HTTP/2 Rapid Reset.
> https://nghttp2.org/blog/2023/10/10/nghttp2-v1-57-0/
> Thank you in advance.
>  
> Mit freundlichen Grüßen / Best regards
> 
> Marcus Marold
> ctrlX AppSoftware DC-AE/ESW1
> 
> Fax +49 9352 18-5830
> marcus.mar...@boschrexroth.de
> www.boschrexroth.com
> 
> Bosch Rexroth AG
> Bgm.-Dr.-Nebel-Str. 2
> 97816 Lohr am Main
> GERMANY
> 
> BOSCH REXROTH
> 
> 
> 
> Registered office: Stuttgart, Registration court: Amtsgericht Stuttgart HRB 23192
> Executive Board: Dr. Steffen Haack (Chairman), Roland Bittenauer, Thomas
> Fechner, Holger von Hebel,
> Reinhard Schäfer
> Chairman of the Supervisory Board: Dr. Markus Forschner
>

Hi,

For Ubuntu reference of which versions are or are not affected, see:

https://ubuntu.com/security/CVE-2023-44487

Regards

Phil

-- 
Playing the game for the games sake.

* Debian Maintainer

Web:

* Debian Wiki: https://wiki.debian.org/PhilWyett
* Website: https://kathenas.org

Social:

* Instagram: kathenasorg
* Threads: @kathenasorg







Re: Security vulnerability at curl package: CVE-2023-44487: HTTP/2 Rapid Reset

2023-11-28 Thread Brad Rogers
On Tue, 28 Nov 2023 08:56:28 +
"Marold Marcus (DC-AE/ESW1)"  wrote:

Hello Marold,

Firstly, we're (for the most part) users, not developers.

>I would like to request an upgrade of the curl package (Linux Ubuntu
>Core 22 /

Secondly, we're _Debian_ users not Ubuntu.

You'll have to take it up with Ubuntu.

-- 
 Regards  _   "Valid sig separator is {dash}{dash}{space}"
 / )  "The blindingly obvious is never immediately apparent"
/ _)rad   "Is it only me that has a working delete key?"
Makes you wonder how the other half die
Devil Inside - INXS




Re: Security vulnerability at curl package: CVE-2023-44487: HTTP/2 Rapid Reset

2023-11-28 Thread Andy Smith
Hi,

On Tue, Nov 28, 2023 at 08:56:28AM +, Marold Marcus (DC-AE/ESW1) wrote:
> I would like to request an upgrade of the curl package (Linux
> Ubuntu Core 22 / Jammy) to Nghttp2 v1.57.0 because of
> CVE-2023-44487:
> HTTP/2 Rapid Reset.

Your mention of the curl package is confusing since this is a bug in
Nghttp2 amongst other things, so I assume that was just an error.

Secondly, this is Debian, not Ubuntu. If you want to report
something to Ubuntu, report it to Ubuntu.

Next up, this is a user support list contributed to by users. It's
not the place to officially report bugs, at least not if you want
them to be read by the package maintainers and to have some sort of
audit trail.

Looking at:

https://security-tracker.debian.org/tracker/CVE-2023-44487
https://security-tracker.debian.org/tracker/source-package/nghttp2

I see that for some reason the bug is fixed in unstable and bullseye
(oldstable) but not stable. I can't see any open bugs in nghttp2 so
possibly it's just delayed slightly but you may want to officially
report it to Debian using "reportbug" or the instructions at
https://bugs.debian.org/.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Security vulnerability at curl package: CVE-2023-44487: HTTP/2 Rapid Reset

2023-11-28 Thread Marco Moock
On 28.11.2023 at 08:56:28, Marold Marcus (DC-AE/ESW1) wrote:

> I would like to request an upgrade of the curl package (Linux Ubuntu
> Core 22 / Jammy) to Nghttp2 v1.57.0 because of
> CVE-2023-44487:
> HTTP/2 Rapid Reset.

That is the debian user mailing list, not related to Ubuntu.

Debian has curl 8.4.0 included.

Testing and unstable already have nghttp2 1.58.0.
Stable doesn't.
https://tracker.debian.org/pkg/nghttp2

Contact the maintainers (listed on the left) about that.



Re: Security question about daemon-init

2023-08-29 Thread Darac Marjal


On 29/08/2023 18:35, Bhasker C V wrote:

> Apologies in advance for cross-group posting.
>
> I have enabled selinux  and after carefully allowing certain
> permissions, I have put my system in enforcing mode
>
> I do see a suspicious line like this
>
> [  115.089395] audit: type=1400 audit(1693329979.841:11): avc:  denied
>  { getattr } for  pid=3104 comm="daemon-init"
> path="/home/bcv/.thunderbird" dev="dm-5" ino=257
> scontext=system_u:system_r:virtd_t:s0
> tcontext=system_u:object_r:thunderbird_home_t:s0 tclass=lnk_file
> permissive=0
>
> I am not sure why on earth would daemon-init try to read .thunderbird
> directory under my homedir .
>
> Has anyone faced this problem?
>
> What is this daemon-init program and why does it want access to my
> home thunderbird directory ?

According to
https://packages.debian.org/search?suite=bookworm&arch=any&mode=filename&searchon=contents&keywords=daemon-init
there is no file within Debian Stable named "daemon-init".

> Regards
> Bhasker C V
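
Added example, not part of the original messages: a small Python parser for AVC records such as the one quoted above, which splits out the source domain, target type, object class and permissions. The second log record and all function names are constructed for the illustration.

```python
import re
import shlex
from datetime import datetime, timezone

# Constructed sample. Record 1 is the denial quoted in the thread, rejoined
# onto one line; record 2 is made up to show a permissive-mode entry.
SAMPLE_LOG = "\n".join([
    '[  115.089395] audit: type=1400 audit(1693329979.841:11): avc:  denied '
    ' { getattr } for  pid=3104 comm="daemon-init" '
    'path="/home/bcv/.thunderbird" dev="dm-5" ino=257 '
    'scontext=system_u:system_r:virtd_t:s0 '
    'tcontext=system_u:object_r:thunderbird_home_t:s0 tclass=lnk_file '
    'permissive=0',
    '[  120.000001] audit: type=1400 audit(1693329984.100:12): avc:  denied '
    ' { read open } for  pid=3200 comm="example" path="/etc/example.conf" '
    'dev="dm-1" ino=42 scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1',
])

AVC_RE = re.compile(
    r"audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":", 3)  # the MLS level may itself contain ':'
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one log line; return a dict, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # shlex strips the double quotes around comm=, path= and dev= values.
    fields = dict(t.split("=", 1) for t in shlex.split(m["fields"]) if "=" in t)
    rec = dict(fields)
    rec.update(
        time=datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc),
        serial=int(m["serial"]),
        result=m["result"],
        perms=m["perms"].split(),
        # permissive=0 means the access was really blocked, not just logged.
        enforced=fields.get("permissive") == "0",
        scontext_type=context_type(fields.get("scontext", "")),
        tcontext_type=context_type(fields.get("tcontext", "")),
    )
    return rec


def summarize(log_text):
    """Group records by (source type, target type, object class)."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["scontext_type"], rec["tcontext_type"], rec.get("tclass"))
        g = groups.setdefault(
            key, {"perms": set(), "comms": set(), "paths": set(), "enforced": False}
        )
        g["perms"].update(rec["perms"])
        g["comms"].add(rec.get("comm", "?"))
        g["paths"].add(rec.get("path", "?"))
        g["enforced"] = g["enforced"] or rec["enforced"]
    return groups


if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE_LOG).items():
        mode = "blocked" if g["enforced"] else "logged only (permissive)"
        print(f"{src} -> {tgt}:{cls} {sorted(g['perms'])} {mode}")
        # comm is the task's name, which a process can set itself, so it need
        # not match any file on disk; the source type identifies the domain.
        print(f"  comm={sorted(g['comms'])} path={sorted(g['paths'])}")
```

For the quoted record this reports source type virtd_t, class lnk_file and permission getattr: the blocked operation was a stat of a symbolic link, made by a task running in the virtd_t domain.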






Re: [SECURITY] [DLA 3173-1] linux-5.10 security update

2022-11-02 Thread Felix Miata
Anssi Saari composed on 2022-11-02 09:40 (UTC+0200):

> John Boxall wrote:

>> Did I miss something in the last three years? When did buster go to a
>> 5.10 kernel? My buster system is still on kernel 4.19.

> Looks like a linux-5.10 source package was indeed added to Buster in
> August and as you noted, it's getting security updates too. There's some
> info on the what and when at https://tracker.debian.org/pkg/linux-5.10
> but I don't know the why.

> Maybe this is for Buster's LTS lifecycle and 4.19 is expected to go EOL
> before Buster does? Just a guess.

According to https://wiki.debian.org/DebianReleases Buster doesn't have an LTS. 
:p

Projected EOL for 4.19 currently is 2024-12.
https://www.kernel.org/category/releases.html
-- 
Evolution as taught in public schools is, like religion,
based on faith, not based on science.

 Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata



Re: Security Updates

2022-03-09 Thread David Wright
On Wed 09 Mar 2022 at 21:46:45 (-0500), Greg Wooledge wrote:
> On Wed, Mar 09, 2022 at 08:28:39PM -0500, Dan Ritter wrote:
> > Dimitrios Papanikolaou wrote: 
> > > 
> > > I have Debian 10 (buster) installed in my Nodes.
> > > I use the sec repo:
> > > 
> > > deb http://security.debian.org/debian-securitybuster/updates main contrib 
> > > non-free
> > 
> > I hope there is another / between security and buster.
> 
> You mean a space.
> 
> > > This is what I have. But can you explain me. Why I am not getting the 
> > > latest security updates?
> 
> What specific update did you expect to see, that you did not get?
> 
> > Today you should be getting a new linux kernel.
> 
> In buster?  It's not vulnerable to "dirty-pipe".  That vulnerability
> was introduced in Linux 5.8, and buster has a 4.x kernel.

Start-Date: 2022-03-07  08:23:15
Commandline: apt-get upgrade
Upgrade: firefox-esr-l10n-en-gb:amd64 (91.6.0esr-1~deb10u1, 
91.6.1esr-1~deb10u1), firefox-esr:amd64 (91.6.0esr-1~deb10u1, 
91.6.1esr-1~deb10u1)
End-Date: 2022-03-07  08:23:42

… so the previous browser version ran for about 25 days, …

Start-Date: 2022-03-09  12:14:48
Commandline: apt-get upgrade
Upgrade: linux-libc-dev:amd64 (4.19.208-1, 4.19.232-1), 
linux-compiler-gcc-8-x86:amd64 (4.19.208-1, 4.19.232-1), linux-doc:amd64 
(4.19+105+deb10u13, 4.19+105+deb10u14), linux-source:amd64 (4.19+105+deb10u13, 
4.19+105+deb10u14), linux-doc-4.19:amd64 (4.19.208-1, 4.19.232-1), 
linux-kbuild-4.19:amd64 (4.19.208-1, 4.19.232-1), linux-config-4.19:amd64 
(4.19.208-1, 4.19.232-1), linux-source-4.19:amd64 (4.19.208-1, 4.19.232-1)
End-Date: 2022-03-09  12:15:10

Start-Date: 2022-03-09  12:22:09
Commandline: apt-get dist-upgrade
Install: linux-headers-4.19.0-19-common:amd64 (4.19.232-1, automatic), 
linux-headers-4.19.0-19-amd64:amd64 (4.19.232-1, automatic), 
linux-image-4.19.0-19-amd64:amd64 (4.19.232-1, automatic)
Upgrade: linux-image-amd64:amd64 (4.19+105+deb10u13, 4.19+105+deb10u14), 
linux-headers-amd64:amd64 (4.19+105+deb10u13, 4.19+105+deb10u14)
End-Date: 2022-03-09  12:23:47

… and 5 months for the previous kernel. Could be coincidental.

Cheers,
David.



Re: Security Updates

2022-03-09 Thread Greg Wooledge
On Wed, Mar 09, 2022 at 08:28:39PM -0500, Dan Ritter wrote:
> Dimitrios Papanikolaou wrote: 
> > Hi,
> > 
> > I have Debian 10 (buster) installed in my Nodes.
> > I use the sec repo:
> > 
> > deb http://security.debian.org/debian-securitybuster/updates main contrib 
> > non-free
> 
> I hope there is another / between security and buster.

You mean a space.

> > This is what I have. But can you explain me. Why I am not getting the 
> > latest security updates?

What specific update did you expect to see, that you did not get?

> Today you should be getting a new linux kernel.

In buster?  It's not vulnerable to "dirty-pipe".  That vulnerability
was introduced in Linux 5.8, and buster has a 4.x kernel.



Re: Security Updates

2022-03-09 Thread Dan Ritter
Dimitrios Papanikolaou wrote: 
> Hi,
> 
> I have Debian 10 (buster) installed in my Nodes.
> I use the sec repo:
> 
> deb http://security.debian.org/debian-securitybuster/updates main contrib 
> non-free

I hope there is another / between security and buster.
 
> This is what I have. But can you explain me. Why I am not getting the latest 
> security updates?


Today you should be getting a new linux kernel. However, buster
is the old release, and bullseye is the new stable release.
Only significant security updates will be made for the old
system.


-dsr-
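
Added example, not from the thread: a Python lint for one-line sources.list entries that catches the mistake discussed above, where the missing space makes apt read `main` as the suite. The codename list, sample text and function names are assumptions made for the illustration.

```python
"""Lint one-line-style APT source entries (format per sources.list(5))."""

KNOWN_TYPES = {"deb", "deb-src"}
KNOWN_COMPONENTS = {"main", "contrib", "non-free", "non-free-firmware"}
# Assumption for this example: a partial list of Debian codenames, used only
# to guess where a suite name was glued onto the URI.
CODENAMES = ("stretch", "buster", "bullseye", "bookworm", "trixie", "sid")

# Constructed sample: line 2 is the entry quoted in the thread (rejoined onto
# one line), line 3 is the same entry with the space restored.
SAMPLE = """\
# security updates
deb http://security.debian.org/debian-securitybuster/updates main contrib non-free
deb http://security.debian.org/debian-security buster/updates main contrib non-free
"""


def parse_entry(line):
    """Split an entry into type, options, uri, suite and components.

    Returns None for blank lines and comments; raises ValueError when the
    mandatory URI and suite fields are not both present.
    """
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    tokens = text.split()
    entry_type, rest = tokens[0], tokens[1:]
    options = []
    if rest and rest[0].startswith("["):
        # Options form a bracketed, space-separated block before the URI.
        while rest:
            tok = rest.pop(0)
            options.append(tok.strip("[]"))
            if tok.endswith("]"):
                break
        options = [o for o in options if o]
    if len(rest) < 2:
        raise ValueError("need at least a URI and a suite")
    return {"type": entry_type, "options": options, "uri": rest[0],
            "suite": rest[1], "components": rest[2:]}


def suggest_split(uri):
    """Guess (uri, suite) when a codename is glued onto the URI path."""
    scheme, sep, rest = uri.partition("://")
    host, _, path = rest.partition("/")
    for name in CODENAMES:
        idx = path.find(name)
        # A codename right after '/' is an ordinary path element, not a glue-up.
        if idx > 0 and path[idx - 1] != "/":
            return f"{scheme}{sep}{host}/{path[:idx]}", path[idx:]
    return None


def check_entry(line):
    """Return a list of problems for one entry (empty list: looks fine)."""
    try:
        entry = parse_entry(line)
    except ValueError as exc:
        return [str(exc)]
    if entry is None:
        return []
    problems = []
    if entry["type"] not in KNOWN_TYPES:
        problems.append(f"unknown type {entry['type']!r}")
    if ":" not in entry["uri"]:
        problems.append(f"{entry['uri']!r} does not look like a URI")
    if entry["suite"] in KNOWN_COMPONENTS:
        msg = (f"suite field is {entry['suite']!r}, which is a component name; "
               "the suite is probably glued to the URI")
        guess = suggest_split(entry["uri"])
        if guess:
            opts = ["[" + " ".join(entry["options"]) + "]"] if entry["options"] else []
            fixed = " ".join([entry["type"], *opts, *guess,
                              entry["suite"], *entry["components"]])
            msg += f"; did you mean: {fixed}"
        problems.append(msg)
    elif entry["suite"].endswith("/"):
        if entry["components"]:
            problems.append("exact-path suite (ends with '/') must not list components")
    elif not entry["components"]:
        problems.append("no components listed after the suite")
    return problems


def lint(text):
    """Return (line number, problem) pairs for every flagged entry in text."""
    return [(n, p) for n, line in enumerate(text.splitlines(), 1)
            for p in check_entry(line)]


if __name__ == "__main__":
    for lineno, problem in lint(SAMPLE):
        print(f"line {lineno}: {problem}")
```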



Re: Security

2022-02-04 Thread Reco
Hi.

On Fri, Feb 04, 2022 at 09:43:18AM +0100, Andrei POPESCU wrote:
> On Sun, 30 Jan 22, 19:27:56, Reco wrote:
> > 
> > > 
> > > How does "people installing without recommends" translate to "GNOME 
> > > users" is beyond me,
> > 
> > Easy. Look closely at two graphical frontends to libvirt they provide in
> > main archive.
> > Now ask yourself - would I need these on a server? Who would need to use
> > these?
>  
> Those who want a graphical tool to manage their VMs?

I.e. those who have a dozen VMs at most, a single "server" to host them,
and said "server" most probably translates to a localhost. I don't
see all that as a bad thing, but each GUI has its share of limitations
once it comes to managing something in big quantities, and both GNOME
boxes and Virt Manager follow that principle.


> Installing some -gnome packages still doesn't make me a GNOME user ;)

But installing them gives you a pile of GNOME core packages by
dependency.
Thus the software in question behaves the way GNOME developers want it
to behave, and the dependent software does it too. #768376 is a fine
example of that.
Thus I have bad news for you - installing either GNOME boxes or Virt
Manager (or other GNOME stuff) made you a GNOME user, but if you insist
you're not - I won't press it ;)

For the record, for me both "GNOME" and "GNOME user" do not have a
negative connotation. About the only flaw of GNOME project for me is
their abuse of Scrum software development methodology, and that's a
topic for another discussion.

Reco



Re: Security

2022-02-04 Thread tomas
On Fri, Feb 04, 2022 at 09:43:18AM +0100, Andrei POPESCU wrote:

[...]

> Those who want a graphical tool to manage their VMs? Installing some 
> -gnome packages still doesn't make me a GNOME user ;)
> 
> (e.g. I'm using network-manager-gnome with LXDE)

It creeps slowly on you ;-P

(Just kidding. Everyone be happy with the tools (s)he prefers: provided
they're free, of course :-)

Cheers
-- 
t




Re: Security

2022-02-04 Thread Andrei POPESCU
On Sun, 30 Jan 22, 19:27:56, Reco wrote:
> 
> > 
> > How does "people installing without recommends" translate to "GNOME 
> > users" is beyond me,
> 
> Easy. Look closely at two graphical frontends to libvirt they provide in
> main archive.
> Now ask yourself - would I need these on a server? Who would need to use
> these?
 
Those who want a graphical tool to manage their VMs? Installing some 
-gnome packages still doesn't make me a GNOME user ;)

(e.g. I'm using network-manager-gnome with LXDE)
 
Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: Security

2022-02-02 Thread Vincent Lefevre
On 2022-02-02 13:59:07 +1300, Richard Hector wrote:
> On 2/02/22 00:26, Vincent Lefevre wrote:
> > On 2022-01-31 01:36:06 +1300, Richard Hector wrote:
> > > On 29/01/22 04:17, Vincent Lefevre wrote:
> > > > Servers shouldn't have pkexec installed in the first place, anyway.
> > > 
> > > libvirt-daemon-system depends on policykit-1.
> > > 
> > > Should that not be on my (kvm) server either?
> > 
> > I don't need libvirt-daemon-system on my server. And I don't see
> > why it would be needed in general. If I understand correctly,
> > libvirt is used to manage VMs, but what is mostly exposed on the
> > Internet (e.g. as a web server) is the VM itself, which doesn't
> > need libvirt.
> 
> I guess it depends how you define a 'server'. I include the machine that
> hosts my VMs. And I certainly don't restrict it to what's exposed on the
> Internet.

I suppose that such a host runs a limited number of services, e.g.
it is not used as a webserver.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: Security

2022-02-01 Thread Richard Hector

On 2/02/22 00:26, Vincent Lefevre wrote:
> On 2022-01-31 01:36:06 +1300, Richard Hector wrote:
> > On 29/01/22 04:17, Vincent Lefevre wrote:
> > > Servers shouldn't have pkexec installed in the first place, anyway.
> >
> > libvirt-daemon-system depends on policykit-1.
> >
> > Should that not be on my (kvm) server either?
>
> I don't need libvirt-daemon-system on my server. And I don't see
> why it would be needed in general. If I understand correctly,
> libvirt is used to manage VMs, but what is mostly exposed on the
> Internet (e.g. as a web server) is the VM itself, which doesn't
> need libvirt.

I guess it depends how you define a 'server'. I include the machine that
hosts my VMs. And I certainly don't restrict it to what's exposed on the
Internet.

I admit I haven't explored in depth exactly which bits of libvirt are
required on the VM host; I rely to some extent on the recommendations in
the packages.


Cheers,
Richard



Re: Security

2022-02-01 Thread Vincent Lefevre
On 2022-01-31 01:36:06 +1300, Richard Hector wrote:
> On 29/01/22 04:17, Vincent Lefevre wrote:
> > Servers shouldn't have pkexec installed in the first place, anyway.
> 
> libvirt-daemon-system depends on policykit-1.
> 
> Should that not be on my (kvm) server either?

I don't need libvirt-daemon-system on my server. And I don't see
why it would be needed in general. If I understand correctly,
libvirt is used to manage VMs, but what is mostly exposed on the
Internet (e.g. as a web server) is the VM itself, which doesn't
need libvirt.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: Security

2022-01-30 Thread Reco
Hi.

On Sun, Jan 30, 2022 at 02:39:14PM +0100, Andrei POPESCU wrote:
> On Sun, 30 Jan 22, 15:54:17, Reco wrote:
> > On Mon, Jan 31, 2022 at 01:36:06AM +1300, Richard Hector wrote:
> > > On 29/01/22 04:17, Vincent Lefevre wrote:
> > > 
> > > > Servers shouldn't have pkexec installed in the first place, anyway.
> > > > 
> > > 
> > > libvirt-daemon-system depends on policykit-1.
> > > 
> > > Should that not be on my (kvm) server either?
> > 
> > Many years ago exactly this was disputed in #768376.
> > Long story short - the only reason libvirt-daemon-system depends on
> > policykit-1 is because GNOME users could be confused if it does not.
> 
> As far as I can tell the Maintainer's stance (in 2014) was:
> 
> Having polkit installed and doing nothing (for people switching to
> socket based permission checks) is IMHO a better service to our users
> than having all the bugs for people installing without recommends (and
> there are many of those)
>  
> 
> How does "people installing without recommends" translate to "GNOME 
> users" is beyond me,

Easy. Look closely at two graphical frontends to libvirt they provide in
main archive.
Now ask yourself - would I need these on a server? Who would need to use
these?


> considering that GNOME users would have policykit-1 
> installed anyway (as a dependency of GNOME) and they are much less 
> likely to disable installation of Recommends in the first place.

Back in '14 that was not a universal axiom. Things have changed since then
somewhat though.


> As written in message #80 circumstances have changed, maybe the 
> Maintainer will reconsider.

Possibly, although unlikely. I mean, it was a wishlist priority bug,
after all.

My point in all this - PolicyKit was redundant on a typical server back
then, and by large it still is. Even if your server has libvirt,
although in this case some assembly is required.

Reco



Re: Security

2022-01-30 Thread Andrei POPESCU
On Sun, 30 Jan 22, 15:54:17, Reco wrote:
>   Hi.
> 
> On Mon, Jan 31, 2022 at 01:36:06AM +1300, Richard Hector wrote:
> > On 29/01/22 04:17, Vincent Lefevre wrote:
> > 
> > > Servers shouldn't have pkexec installed in the first place, anyway.
> > > 
> > 
> > libvirt-daemon-system depends on policykit-1.
> > 
> > Should that not be on my (kvm) server either?
> 
> Many years ago exactly this was disputed in #768376.
> Long story short - the only reason libvirt-daemon-system depends on
> policykit-1 is because GNOME users could be confused if it does not.

As far as I can tell the Maintainer's stance (in 2014) was:

Having polkit installed and doing nothing (for people switching to
socket based permission checks) is IMHO a better service to our users
than having all the bugs for people installing without recommends (and
there are many of those)
 

How does "people installing without recommends" translate to "GNOME 
users" is beyond me, considering that GNOME users would have policykit-1 
installed anyway (as a dependency of GNOME) and they are much less 
likely to disable installation of Recommends in the first place.

As written in message #80 circumstances have changed, maybe the 
Maintainer will reconsider.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: Security

2022-01-30 Thread Reco
Hi.

On Mon, Jan 31, 2022 at 01:36:06AM +1300, Richard Hector wrote:
> On 29/01/22 04:17, Vincent Lefevre wrote:
> 
> > Servers shouldn't have pkexec installed in the first place, anyway.
> > 
> 
> libvirt-daemon-system depends on policykit-1.
> 
> Should that not be on my (kvm) server either?

Many years ago exactly this was disputed in #768376.
Long story short - the only reason libvirt-daemon-system depends on
policykit-1 is because GNOME users could be confused if it does not.

Reco



Re: Security

2022-01-30 Thread Richard Hector

On 29/01/22 04:17, Vincent Lefevre wrote:

> Servers shouldn't have pkexec installed in the first place, anyway.

libvirt-daemon-system depends on policykit-1.

Should that not be on my (kvm) server either?

Cheers,
Richard



Re: Security

2022-01-28 Thread Dan Ritter
Nicholas Geovanis wrote: 
> On Fri, Jan 28, 2022, 6:57 AM Dan Ritter  wrote:
> 
> > Nicholas Geovanis wrote:
> > > On Wed, Jan 26, 2022, 12:39 PM Andrei POPESCU 
> > > wrote:
> > >
> > > > On Tue, 25 Jan 22, 16:13:23, Nate Bargmann wrote:
> > > > And please don't bother to reply with "there are no other users on this
> > > > system I should worry about", the bad guys could still find ways to get
> > > > in, e.g. via a compromised browser, regardless if you are behind a
> > > > firewall or not[1].
> > > >
> > >
> > > Servers don't have browsers installed on them, for exactly this reason.
> >
> > Note that browsers can sneak in where you aren't expecting them;
> > "headless chromium" is a part of many automated QA systems and
> > HTML to PDF generators.
> >
> 
> Absolutely, and also unnecessary on servers. Especially in presence of
> cloud where we can make a clean custom spin easily.

It turns out that not all software has the same requirements
and affordances that you consider universal.

-dsr-



Re: Security

2022-01-28 Thread Nicholas Geovanis
On Fri, Jan 28, 2022, 9:17 AM Vincent Lefevre  wrote:

> On 2022-01-27 21:44:07 -0600, Nicholas Geovanis wrote:
> > On Wed, Jan 26, 2022, 12:39 PM Andrei POPESCU 
> > wrote:
> >
> > > I'll use the opportunity to draw attention to DSA-5059-1, see e.g. this
> > > article for details:
> > >
> > >
> > >
> https://arstechnica.com/information-technology/2022/01/a-bug-lurking-for-12-years-gives-attackers-root-on-every-major-linux-distro/
> > >
> > > And please don't bother to reply with "there are no other users on this
> > > system I should worry about", the bad guys could still find ways to get
> > > in, e.g. via a compromised browser, regardless if you are behind a
> > > firewall or not[1].
>
> Running the browser in firejail should be sufficient as the profile
> should disable pkexec, e.g.
>

Vincent's point is the right one I think. We need to deploy security "in
depth". Every single setuid executable should be SHIPPED protected, just
pick your style of protection.

SElinux should be shipped enabled like Redhat does. Think it's too hard to
administer? Then ship it with multiple models implemented in multiple rule
sets like Redhat does. Then you can choose your style of mandatory access
control with a mouse click at installation.

> $ firejail --profile=firefox ls
> Reading profile /etc/firejail/firefox.profile
> [...]
> Error: execute permission denied for /usr/bin/pkexec
> Error: no suitable pkexec executable found
>
> > Servers don't have browsers installed on them, for exactly this reason.
>
> Servers shouldn't have pkexec installed in the first place, anyway.
>
> --
> Vincent Lefèvre  - Web: 
> 100% accessible validated (X)HTML - Blog: 
> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
>
>


Re: Security

2022-01-28 Thread Andrei POPESCU
On Thu, 27 Jan 22, 21:44:07, Nicholas Geovanis wrote:
> On Wed, Jan 26, 2022, 12:39 PM Andrei POPESCU 
> >
> > And please don't bother to reply with "there are no other users on this
> > system I should worry about", the bad guys could still find ways to get
> > in, e.g. via a compromised browser, regardless if you are behind a
> > firewall or not[1].
> 
> Servers don't have browsers installed on them, for exactly this reason.

(already addressed by Vincent)
 
> I think your argument above that is a red herring. Because file attribute
> modification detection should be running regularly. On home machines as
> well as servers. Without that, "keeping the system up-to-date" will not
> prevent intrusion.

I'm missing the connection between this vulnerability and file attribute 
modification detection, please elaborate.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: Security

2022-01-28 Thread Nicholas Geovanis
On Fri, Jan 28, 2022, 6:57 AM Dan Ritter  wrote:

> Nicholas Geovanis wrote:
> > On Wed, Jan 26, 2022, 12:39 PM Andrei POPESCU 
> > wrote:
> >
> > > On Tue, 25 Jan 22, 16:13:23, Nate Bargmann wrote:
> > > And please don't bother to reply with "there are no other users on this
> > > system I should worry about", the bad guys could still find ways to get
> > > in, e.g. via a compromised browser, regardless if you are behind a
> > > firewall or not[1].
> > >
> >
> > Servers don't have browsers installed on them, for exactly this reason.
>
> Note that browsers can sneak in where you aren't expecting them;
> "headless chromium" is a part of many automated QA systems and
> HTML to PDF generators.
>

Absolutely, and also unnecessary on servers. Especially in presence of
cloud where we can make a clean custom spin easily.

> -dsr-
>


Re: Security

2022-01-28 Thread Vincent Lefevre
On 2022-01-27 21:44:07 -0600, Nicholas Geovanis wrote:
> On Wed, Jan 26, 2022, 12:39 PM Andrei POPESCU 
> wrote:
> 
> > I'll use the opportunity to draw attention to DSA-5059-1, see e.g. this
> > article for details:
> >
> >
> > https://arstechnica.com/information-technology/2022/01/a-bug-lurking-for-12-years-gives-attackers-root-on-every-major-linux-distro/
> >
> > And please don't bother to reply with "there are no other users on this
> > system I should worry about", the bad guys could still find ways to get
> > in, e.g. via a compromised browser, regardless if you are behind a
> > firewall or not[1].

Running the browser in firejail should be sufficient as the profile
should disable pkexec, e.g.

$ firejail --profile=firefox ls   
Reading profile /etc/firejail/firefox.profile
[...]
Error: execute permission denied for /usr/bin/pkexec
Error: no suitable pkexec executable found

> Servers don't have browsers installed on them, for exactly this reason.

Servers shouldn't have pkexec installed in the first place, anyway.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: Security

2022-01-28 Thread Dan Ritter
Nicholas Geovanis wrote: 
> On Wed, Jan 26, 2022, 12:39 PM Andrei POPESCU 
> wrote:
> 
> > On Tue, 25 Jan 22, 16:13:23, Nate Bargmann wrote:
> > And please don't bother to reply with "there are no other users on this
> > system I should worry about", the bad guys could still find ways to get
> > in, e.g. via a compromised browser, regardless if you are behind a
> > firewall or not[1].
> >
> 
> Servers don't have browsers installed on them, for exactly this reason.

Note that browsers can sneak in where you aren't expecting them;
"headless chromium" is a part of many automated QA systems and
HTML to PDF generators.

-dsr-



Re: Security

2022-01-27 Thread Nicholas Geovanis
On Wed, Jan 26, 2022, 12:39 PM Andrei POPESCU 
wrote:

> On Tue, 25 Jan 22, 16:13:23, Nate Bargmann wrote:
> > I am subscribed to that list and get them too.
> >
> > I just see that three more messages popped in since this morning from
> > the security list.
> >
> > The complaints seem to be only about browsers.  The inference seems to
> > be that the latest release always fixes security bugs.  While this is
> > true to an extent, what is seldom acknowledged is that new releases also
> > bring new and as yet undisclosed bugs that will be fixed next time or
> > the time after or the time after that or...  I figure it's a gamble
> > either way and stick with the Debian packages.
>
> I'll use the opportunity to draw attention to DSA-5059-1, see e.g. this
> article for details:
>
>
> https://arstechnica.com/information-technology/2022/01/a-bug-lurking-for-12-years-gives-attackers-root-on-every-major-linux-distro/
>
> And please don't bother to reply with "there are no other users on this
> system I should worry about", the bad guys could still find ways to get
> in, e.g. via a compromised browser, regardless if you are behind a
> firewall or not[1].
>

Servers don't have browsers installed on them, for exactly this reason.

I think your argument above that is a red herring. Because file attribute
modification detection should be running regularly. On home machines as
well as servers. Without that, "keeping the system up-to-date" will not
prevent intrusion.

IOW you closed the barn door before the cow escaped. Good. But she went out
the other door that was still open.

> Any system connecting to the internet should be kept up-to-date.
>
> Even if you don't care about your data, privacy, etc., your system will
> probably become part of some botnet and be used to spread malware and
> spam to others.
>
>
> [1] Of course, the risk level is significantly lower for the typical
> home user, but still not negligible in my opinion - we just can't know
> what unknown browser vulnerabilities there might be lurking, which the
> bad guys could actively exploit via malicious websites (vs. targeted
> attacks for high value targets).
>
> In today's world once your browser is compromised https://xkcd.com/1200/
> applies.
>
>
> Kind regards,
> Andrei
> --
> http://wiki.debian.org/FAQsFromDebianUser
>


Re: Security

2022-01-26 Thread Andrei POPESCU
On Tue, 25 Jan 22, 16:13:23, Nate Bargmann wrote:
> I am subscribed to that list and get them too.
> 
> I just see that three more messages popped in since this morning from
> the security list.
> 
> The complaints seem to be only about browsers.  The inference seems to
> be that the latest release always fixes security bugs.  While this is
> true to an extent, what is seldom acknowledged is that new releases also
> bring new and as yet undisclosed bugs that will be fixed next time or
> the time after or the time after that or...  I figure it's a gamble
> either way and stick with the Debian packages.

I'll use the opportunity to draw attention to DSA-5059-1, see e.g. this 
article for details:

https://arstechnica.com/information-technology/2022/01/a-bug-lurking-for-12-years-gives-attackers-root-on-every-major-linux-distro/

And please don't bother to reply with "there are no other users on this 
system I should worry about", the bad guys could still find ways to get 
in, e.g. via a compromised browser, regardless if you are behind a 
firewall or not[1].

Any system connecting to the internet should be kept up-to-date.

Even if you don't care about your data, privacy, etc., your system will 
probably become part of some botnet and be used to spread malware and 
spam to others.


[1] Of course, the risk level is significantly lower for the typical 
home user, but still not negligible in my opinion - we just can't know 
what unknown browser vulnerabilities there might be lurking, which the 
bad guys could actively exploit via malicious websites (vs. targeted 
attacks for high value targets).

In today's world once your browser is compromised https://xkcd.com/1200/ 
applies.


Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: Security

2022-01-26 Thread Nicholas Geovanis
The proper way IMO is to subscribe to the CERT for your nation. Be the
interface to it for your organization within your local responsibilities.
You will then receive the high-risk advisories before they are publicly
released. That paid off, for example, during the ghost/meltdown Intel
vulnerabilities.

On Tue, Jan 25, 2022, 2:52 PM Polyna-Maude Racicot-Summerside <
deb...@polynamaude.com> wrote:

>
>
> On 2022-01-25 15:47, Andy Smith wrote:
> > Hello,
> >
> > On Tue, Jan 25, 2022 at 03:05:51PM -0500, Polyna-Maude
> Racicot-Summerside wrote:
> >> Kind of strange that some people complain we lag behind when I get
> >> information every day that fixes are available for packages in the stable
> >> / old stable release.
> >
> > I think you are getting worked up over the actions of a troll.
> >
> > You will never get them to change their mind no matter how much
> > factual evidence you come up with, because they aren't posting in
> > good faith. If they were then they would have either accepted the
> > answers they got five times over the first time they brought it up
> > here, or else not accepted them and given up. Instead they went on
> > to write a "press release" and threaten more to come regarding
> > "excommunicated" developers. Their goal is to cause drama, not find
> > a solution for any real world problem.
> >
> > I recommend just moving on with your life and accepting that this
> > person is going to keep posting the same claims over and over
> > without feeling the need to refute them every time.
> >
> This message was more regarding some new users or ones who could have
> doubt on the safety / security of the Debian ecosystem.
>
> Sadly some of these people may cause some harm.
>
> > Cheers,
> > Andy
> >
>
> --
> Polyna-Maude R.-Summerside
> -Be smart, Be wise, Support opensource development
>


Re: Security

2022-01-25 Thread Nate Bargmann
I am subscribed to that list and get them too.

I just see that three more messages popped in since this morning from
the security list.

The complaints seem to be only about browsers.  The inference seems to
be that the latest release always fixes security bugs.  While this is
true to an extent, what is seldom acknowledged is that new releases also
bring new and as yet undisclosed bugs that will be fixed next time or
the time after or the time after that or...  I figure it's a gamble
either way and stick with the Debian packages.

- Nate

-- 
"The optimist proclaims that we live in the best of all
possible worlds.  The pessimist fears this is true."
Web: https://www.n0nb.us
Projects: https://github.com/N0NB
GPG fingerprint: 82D6 4F6B 0E67 CD41 F689 BBA6 FB2C 5130 D55A 8819





Re: Security

2022-01-25 Thread Polyna-Maude Racicot-Summerside


On 2022-01-25 15:47, Andy Smith wrote:
> Hello,
> 
> On Tue, Jan 25, 2022 at 03:05:51PM -0500, Polyna-Maude Racicot-Summerside 
> wrote:
>> Kind of strange that some people complain we lag behind when I get
>> information every day that fixes are available for packages in the stable
>> / old stable release.
> 
> I think you are getting worked up over the actions of a troll.
> 
> You will never get them to change their mind no matter how much
> factual evidence you come up with, because they aren't posting in
> good faith. If they were then they would have either accepted the
> answers they got five times over the first time they brought it up
> here, or else not accepted them and given up. Instead they went on
> to write a "press release" and threaten more to come regarding
> "excommunicated" developers. Their goal is to cause drama, not find
> a solution for any real world problem.
> 
> I recommend just moving on with your life and accepting that this
> person is going to keep posting the same claims over and over
> without feeling the need to refute them every time.
> 
This message was more regarding some new users or ones who could have
doubt on the safety / security of the Debian ecosystem.

Sadly some of these people may cause some harm.

> Cheers,
> Andy
> 

-- 
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development




Re: Security

2022-01-25 Thread Andy Smith
Hello,

On Tue, Jan 25, 2022 at 03:05:51PM -0500, Polyna-Maude Racicot-Summerside wrote:
> Kind of strange that some people complain we lag behind when I get
> information every day that fixes are available for packages in the stable
> / old stable release.

I think you are getting worked up over the actions of a troll.

You will never get them to change their mind no matter how much
factual evidence you come up with, because they aren't posting in
good faith. If they were then they would have either accepted the
answers they got five times over the first time they brought it up
here, or else not accepted them and given up. Instead they went on
to write a "press release" and threaten more to come regarding
"excommunicated" developers. Their goal is to cause drama, not find
a solution for any real world problem.

I recommend just moving on with your life and accepting that this
person is going to keep posting the same claims over and over
without feeling the need to refute them every time.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: security of debian default sudoers file (was: dead lock)

2021-10-17 Thread Keith Bainbridge



On 17/10/21 20:41, Gregor Zattler wrote:

> PS: in my opinion you should avoid creating a sudoers file unless you
> really know what you are doing. the defaults are very insecure.



So force sudo to use the root passwd.

After you ensure your root passwd works, simply add the line:

Defaults rootpw

to /etc/sudoers.

You should need a fresh terminal to test this.




--
All the best

Keith Bainbridge

keithrbaugro...@gmail.com



RE: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-09 Thread Michael Grant
I have used openwrt, but not a recent version of it.  I have been using Ubiquiti 
EdgeRouters running the stock EdgeOS.  Very solid routers.  I even have one 
sitting up in a tree in a Tupperware container in the snowy mountains!

I recently discovered that EdgeOS is based on Debian and you can install Debian 
packages on them.

Michael Grant






Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Celejar
On Mon, 8 Feb 2021 16:42:40 -0500
Dan Ritter  wrote:

> Celejar wrote: 
> > > If you are OK buying used equipment, Intel-based gigabit NICs, 4 ports
> > > to a PCIe slot, cost about $35 (or $70 new). If you've got a 5 year old
> > 
> > My understanding - please correct me if I'm wrong - is that with those
> > types of cards, the ports are distinct and aren't actually switched in
> > hardware, so switching occurs at the OS / kernel level. I don't know
> > how much of a load this puts on the system in practice, but my
> > understanding is that it's certainly not an ideal way to design a
> > switch.
> 
> Modern processors -- even the ones 5 years old -- are really
> fast.
> 
> Linux bridging (switching) is very efficient.

Fair enough.

> Is it "ideal"? No. But given that you want one device which acts
> as a WAP, router, firewall and switch, it should perform quite 
> well. If you hate the idea of doing that, though, an 8-port
> gigabit switch is about the same price as a used 4-port gigabit
> NIC. Not as flexible, though.
> 
> > > desktop sitting around with 2GB or more RAM and 3 available PCIe slots,
> > > you can use it as a WAP and have nine switched/routed gigabit ports,
> > > counting one on the motherboard.  If you only need 5 ports, you only
> > > need 2 PCIe slots -- one for a WiFI NIC and one for the ethernet NIC.
> > 
> > My understanding, although I could not find solid documentation of this,
> > is that consumer wireless chipsets designed for client use don't make
> > particularly performant APs. They'll work, but purpose built APs will
> > perform much better, especially with their AP optimized antennas. I
> > don't really know if this is true, though, and to what extent it's an
> > issue, if it really is one.
> 
> Oh, no, this is a myth. The $20-150 consumer wifi routers use
> the same wifi interface chips as good PCIe cards, for the most
> part. OpenWRT is actually a great source of information on
> these.
> 
> Assuming you're comparing a 3 antenna MIMO on a PCIe card to a 3
> antenna MIMO on a consumer router, you should get equivalent
> range and performance.

Thanks. I'd love to see actual tests comparing performance of wireless
APs (consumer, enterprise, and DIY ones like we're discussing), but
they seem very hard to come by.

> > And the power usage on a five year old desktop (which I don't actually
> > have) will be much higher than a purpose-built AIO AP / switch / router.
> 
> That can be true. But then, the desktop can also be your server
> for a bunch of other things that, perhaps, you were going to
> run.

Fair enough. I'm currently using an old R210 ii as my server, so I'm
not one to talk ;) I suppose it might be fun to see if I can fit a
modern AX200 based PCIe (perhaps a low profile one) into it and see how
it performs as an AP / router ...

> > But again, I don't really disagree. If I had the hardware lying around,
> > and I determined that the power consumption wasn't a factor, it would
> > certainly be tempting to consider this route.
> 
> Everything is a tradeoff.

Yes.

Celejar



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Dan Ritter
Celejar wrote: 
> > If you are OK buying used equipment, Intel-based gigabit NICs, 4 ports
> > to a PCIe slot, cost about $35 (or $70 new). If you've got a 5 year old
> 
> My understanding - please correct me if I'm wrong - is that with those
> types of cards, the ports are distinct and aren't actually switched in
> hardware, so switching occurs at the OS / kernel level. I don't know
> how much of a load this puts on the system in practice, but my
> understanding is that it's certainly not an ideal way to design a
> switch.

Modern processors -- even the ones 5 years old -- are really
fast.

Linux bridging (switching) is very efficient.

Is it "ideal"? No. But given that you want one device which acts
as a WAP, router, firewall and switch, it should perform quite 
well. If you hate the idea of doing that, though, an 8-port
gigabit switch is about the same price as a used 4-port gigabit
NIC. Not as flexible, though.

> > desktop sitting around with 2GB or more RAM and 3 available PCIe slots,
> > you can use it as a WAP and have nine switched/routed gigabit ports,
> > counting one on the motherboard.  If you only need 5 ports, you only
> > need 2 PCIe slots -- one for a WiFI NIC and one for the ethernet NIC.
> 
> My understanding, although I could not find solid documentation of this,
> is that consumer wireless chipsets designed for client use don't make
> particularly performant APs. They'll work, but purpose built APs will
> perform much better, especially with their AP optimized antennas. I
> don't really know if this is true, though, and to what extent it's an
> issue, if it really is one.

Oh, no, this is a myth. The $20-150 consumer wifi routers use
the same wifi interface chips as good PCIe cards, for the most
part. OpenWRT is actually a great source of information on
these.

Assuming you're comparing a 3 antenna MIMO on a PCIe card to a 3
antenna MIMO on a consumer router, you should get equivalent
range and performance.

> And the power usage on a five year old desktop (which I don't actually
> have) will be much higher than a purpose-built AIO AP / switch / router.

That can be true. But then, the desktop can also be your server
for a bunch of other things that, perhaps, you were going to
run.

> But again, I don't really disagree. If I had the hardware lying around,
> and I determined that the power consumption wasn't a factor, it would
> certainly be tempting to consider this route.

Everything is a tradeoff.

-dsr-



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Celejar
On Mon, 8 Feb 2021 11:03:35 -0500
Dan Ritter  wrote:

> Celejar wrote: 
> > > I can be glad that OpenWRT has improved their security practices
> > > and simultaneously not be interested in using it.
> > 
> > I think we are really in basic agreement. The reason I use OpenWRT is
> > that I use a residential all-in-one WAP / switch / router, which Debian
> > is unsuitable for. If I ever go the separate WAP / switch / router
> > route, I'll probably use Debian on the router for the reasons you
> > give: good support, a system I'm familiar with, etc.
> 
> Debian works well in this situation. You just need to arrange
> for enough NIC ports to meet your needs.
> 
> If you are OK buying used equipment, Intel-based gigabit NICs, 4 ports
> to a PCIe slot, cost about $35 (or $70 new). If you've got a 5 year old

My understanding - please correct me if I'm wrong - is that with those
types of cards, the ports are distinct and aren't actually switched in
hardware, so switching occurs at the OS / kernel level. I don't know
how much of a load this puts on the system in practice, but my
understanding is that it's certainly not an ideal way to design a
switch.

> desktop sitting around with 2GB or more RAM and 3 available PCIe slots,
> you can use it as a WAP and have nine switched/routed gigabit ports,
> counting one on the motherboard.  If you only need 5 ports, you only
> need 2 PCIe slots -- one for a WiFI NIC and one for the ethernet NIC.

My understanding, although I could not find solid documentation of this,
is that consumer wireless chipsets designed for client use don't make
particularly performant APs. They'll work, but purpose built APs will
perform much better, especially with their AP optimized antennas. I
don't really know if this is true, though, and to what extent it's an
issue, if it really is one.

And the power usage on a five year old desktop (which I don't actually
have) will be much higher than a purpose-built AIO AP / switch / router.

> Debian has hostapd and dnsmasq packages.

But again, I don't really disagree. If I had the hardware lying around,
and I determined that the power consumption wasn't a factor, it would
certainly be tempting to consider this route.

Celejar



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Stefan Monnier
> I think we are really in basic agreement. The reason I use OpenWRT is
> that I use a residential all-in-one WAP / switch / router, which Debian
> is unsuitable for. If I ever go the separate WAP / switch / router
> route, I'll probably use Debian on the router for the reasons you
> give: good support, a system I'm familiar with, etc.

Here's a related datapoint:

For a couple years, I have used a Pi box as router+WAP, running
Debian (after having used "home routers" running OpenWRT for many years
before that).

I was quite happy with it software side (a bit less convenient to
configure than OpenWRT for the WAP part, but largely makes up for it for
the ease with which I could add auxiliary services and the convenience
of using the same OS as I use on all my other machines), but I was
unable to make it provide a good enough wireless signal to cover
my apartment.

So I switched to a box dedicated to WAP+router (BT HomeHub, in my case
https://openwrt.org/toh/bt/homehub_v5a), whose hardware is too limited
to run Debian.  IOW the problem for me was to find hardware which is
low-power enough to have it "always on" yet whose wifi interface is good
enough to cover my apartment: these thingies seem to be much more often
able to run OpenWRT than to run Debian :-(

W.r.t security, an important advantage of Debian is that upgrades are
much easier and smoother (so much so that they can be fully automatic)
than in OpenWRT.  But I'm a very happy user of OpenWRT (and have been
for many many years).


Stefan


PS: Another reason I went with the BT HomeHub is that it includes the
modem (and that this modem is supported by OpenWRT, tho with
a proprietary firmware), so it saves me having to have yet another box
in that corner (I still have the Pi there since the HomeHub is not
well suited to provide some of those services, which require a largish
storage which I'd rather not connect via USB).



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Dan Ritter
Celejar wrote: 
> > I can be glad that OpenWRT has improved their security practices
> > and simultaneously not be interested in using it.
> 
> I think we are really in basic agreement. The reason I use OpenWRT is
> that I use a residential all-in-one WAP / switch / router, which Debian
> is unsuitable for. If I ever go the separate WAP / switch / router
> route, I'll probably use Debian on the router for the reasons you
> give: good support, a system I'm familiar with, etc.

Debian works well in this situation. You just need to arrange
for enough NIC ports to meet your needs.

If you are OK buying used equipment, Intel-based gigabit NICs, 4 ports
to a PCIe slot, cost about $35 (or $70 new). If you've got a 5 year old
desktop sitting around with 2GB or more RAM and 3 available PCIe slots,
you can use it as a WAP and have nine switched/routed gigabit ports,
counting one on the motherboard.  If you only need 5 ports, you only
need 2 PCIe slots -- one for a WiFI NIC and one for the ethernet NIC.

Debian has hostapd and dnsmasq packages.

-dsr-



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Celejar
On Mon, 8 Feb 2021 09:57:13 -0500
Dan Ritter  wrote:

> Celejar wrote: 
> > On Mon, 8 Feb 2021 08:36:34 -0500
> > Dan Ritter  wrote:
> > 
> > > OpenWRT's security process doesn't look as terrible as it used
> > > to be, but it doesn't really look good right now, just trying to
> > > be better.
> > 
> > Again, let's look at specific examples of vulnerabilities present in
> > both OpenWRT and Debian, and compare the projects' responses. I gave
> > you one timely example: OpenWRT's SA for the dnsmasq vulnerabilities
> > was issued about two weeks before Debian's.
> > 
> > You feel that OpenWRT's security process "doesn't look good." Based on
> > what? Can you provide a vulnerability that affects their software that
> > they dropped the ball on?
> 
> No, thanks. I don't need to poke at OpenWRT any further.
> 
> I already have a Debian firewall that has had good security
> support from Debian since 2014; I see no reason not to continue
> using it until the hardware fails. At that point, I will buy
> another relatively small fully supported Debian box, and carry
> on. Among other benefits, it means that all the machines at home
> have the same procedures and can be used as testbeds for each
> other. E.g. the music-playing machine in the living room is now
> testing out Bullseye.
> 
> I can be glad that OpenWRT has improved their security practices
> and simultaneously not be interested in using it.

I think we are really in basic agreement. The reason I use OpenWRT is
that I use a residential all-in-one WAP / switch / router, which Debian
is unsuitable for. If I ever go the separate WAP / switch / router
route, I'll probably use Debian on the router for the reasons you
give: good support, a system I'm familiar with, etc.

Celejar



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Dan Ritter
Celejar wrote: 
> On Mon, 8 Feb 2021 08:36:34 -0500
> Dan Ritter  wrote:
> 
> > OpenWRT's security process doesn't look as terrible as it used
> > to be, but it doesn't really look good right now, just trying to
> > be better.
> 
> Again, let's look at specific examples of vulnerabilities present in
> both OpenWRT and Debian, and compare the projects' responses. I gave
> you one timely example: OpenWRT's SA for the dnsmasq vulnerabilities
> was issued about two weeks before Debian's.
> 
> You feel that OpenWRT's security process "doesn't look good." Based on
> what? Can you provide a vulnerability that affects their software that
> they dropped the ball on?

No, thanks. I don't need to poke at OpenWRT any further.

I already have a Debian firewall that has had good security
support from Debian since 2014; I see no reason not to continue
using it until the hardware fails. At that point, I will buy
another relatively small fully supported Debian box, and carry
on. Among other benefits, it means that all the machines at home
have the same procedures and can be used as testbeds for each
other. E.g. the music-playing machine in the living room is now
testing out Bullseye.

I can be glad that OpenWRT has improved their security practices
and simultaneously not be interested in using it.

-dsr-



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Celejar
On Mon, 8 Feb 2021 08:36:34 -0500
Dan Ritter  wrote:

> Celejar wrote: 
> > On Mon, 8 Feb 2021 06:41:23 -0500
> > Dan Ritter  wrote:
> > 
> > > Gregory Seidman wrote: 
> > > > If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs 
> > > > on
> > 
> > ...
> > 
> > > Debian gets security updates in a timely manner (for stable).
> > > 
> > > How's OpenWRT's security team?
> > 
> > I'm not sure if this is a genuine question or a rhetorical one (sorry -
> > tone doesn't always come across well in email), but OpenWRT does have a
> > security process, with advisories, bug fixes, etc.:
> 
> Semi-rhetorical: my experience with OpenWRT and ddWRT is that
> once a device is installed, it never gets an upgrade. I'd be
> happy to learn otherwise.

Rejoice, then! If you choose never to upgrade, that's your choice, but
the project releases point releases every couple of months or so, and
new major versions every year or two:

https://downloads.openwrt.org/releases/

> > https://openwrt.org/docs/guide-developer/security
> > 
> > I suspect the process may not be as good as Debian's, but they do fix
> > at least some serious bugs fairly quickly. E.g., if I'm reading the
> > following pages correctly, the Debian DSAs for the recent serious set of
> > dnsmasq vulnerabilities went out on Feb. 4, whereas OpenWRT issued its
> > Security Advisory on Jan. 19:
> 
> That page lists 15 advisories over the last 3 years -- let's say
> 2 years, since this year is just beginning. Four of those
> advisories are for OpenWRT-only problems.
> 
> In the 2 months of 2021, so far, Debian's security team has issued 28 notices.
> Let's discount the desktop software -- that's 8 of them, by my
> count -- because nobody runs desktop software on a router.

I think this is a misleading comparison. It's not just a question
of desktop software - Debian includes vastly more software in general,
for which the security team is responsible, than OpenWRT does. Debian
proudly announces that it comes with "more than 59000 packages":

https://www.debian.org/intro/about

OpenWRT includes merely "several thousand packages" (I can't find an
exact number):

https://openwrt.org/packages/start

So of course Debian is going to have more SAs.

> OpenWRT's security process doesn't look as terrible as it used
> to be, but it doesn't really look good right now, just trying to
> be better.

Again, let's look at specific examples of vulnerabilities present in
both OpenWRT and Debian, and compare the projects' responses. I gave
you one timely example: OpenWRT's SA for the dnsmasq vulnerabilities
was issued about two weeks before Debian's.

You feel that OpenWRT's security process "doesn't look good." Based on
what? Can you provide a vulnerability that affects their software that
they dropped the ball on?

> This probably doesn't matter much if you just want a WAP inside
> your house, but I feel confirmed that Debian is still a much
> better choice for an Internet-facing router/firewall.

Celejar



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Dan Ritter
Celejar wrote: 
> On Mon, 8 Feb 2021 06:41:23 -0500
> Dan Ritter  wrote:
> 
> > Gregory Seidman wrote: 
> > > If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on
> 
> ...
> 
> > Debian gets security updates in a timely manner (for stable).
> > 
> > How's OpenWRT's security team?
> 
> I'm not sure if this is a genuine question or a rhetorical one (sorry -
> tone doesn't always come across well in email), but OpenWRT does have a
> security process, with advisories, bug fixes, etc.:

Semi-rhetorical: my experience with OpenWRT and ddWRT is that
once a device is installed, it never gets an upgrade. I'd be
happy to learn otherwise.

> https://openwrt.org/docs/guide-developer/security
> 
> I suspect the process may not be as good as Debian's, but they do fix
> at least some serious bugs fairly quickly. E.g., if I'm reading the
> following pages correctly, the Debian DSAs for the recent serious set of
> dnsmasq vulnerabilities went out on Feb. 4, whereas OpenWRT issued its
> Security Advisory on Jan. 19:

That page lists 15 advisories over the last 3 years -- let's say
2 years, since this year is just beginning. Four of those
advisories are for OpenWRT-only problems.

In the 2 months of 2021, so far, Debian's security team has issued 28 notices.
Let's discount the desktop software -- that's 8 of them, by my
count -- because nobody runs desktop software on a router.

OpenWRT's security process doesn't look as terrible as it used
to be, but it doesn't really look good right now, just trying to
be better.

This probably doesn't matter much if you just want a WAP inside
your house, but I feel confirmed that Debian is still a much
better choice for an Internet-facing router/firewall.

-dsr-



Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Eduardo M KALINOWSKI
On 15/09/2020 10:44, Greg Wooledge wrote:
> Another choice would be to run Debian stable, but don't install Debian's
> version of nginx.  Use upstream's releases, compile them yourself, and
> update them yourself whenever you need to (for security reasons or
> otherwise).

If one chooses to do so, it might be better to fetch the debian source
package of the newer version and create a .deb out of it. At least the
benefits of the debian packaging are retained.

(In other words, you create your own backport.)

But if the versions of libraries required for building the newer version
are not available in stable, the process becomes much more difficult.
(But so would be building from the upstream source, probably.)


-- 
I enjoy the time that we spend together.

Eduardo M KALINOWSKI
edua...@kalinowski.com.br



Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Eduardo M KALINOWSKI
On 15/09/2020 10:38, Klaus Singvogel wrote:
> No: no new version.
> 
> If you're unhappy with that, think about these choices:
> 
> - install upcoming Debian 11 (Testing, Bullseye) and live with the changes
>   of packages and possible errors in the system. Release date unknown.
> 
> - install Debian Sid (Unstable) and live with many more changes

You can also check if there is a newer version in backports (there
doesn't seem to be), and you can request one (but it will depend on some
volunteer's effort to create it, so no guarantees).

But note that there is no official security support for backports. A
newer version may also get backported, but it might take a while, or it
might not happen.


-- 
We gave you an atomic bomb, what do you want, mermaids?
-- I. I. Rabi to the Atomic Energy Commission

Eduardo M KALINOWSKI
edua...@kalinowski.com.br



Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Greg Wooledge
On Tue, Sep 15, 2020 at 03:38:33PM +0200, Klaus Singvogel wrote:
> No: no new version.
> 
> If you're unhappy with that, think about these choices:
> 
> - install upcoming Debian 11 (Testing, Bullseye) and live with the changes
>   of packages and possible errors in the system. Release date unknown.
> 
> - install Debian Sid (Unstable) and live with many more changes
> 
> - if both are not fulfilling your needs, think about a different
>   distribution: LFS (Linux from Scratch), or Yocto, or commercial one.

Another choice would be to run Debian stable, but don't install Debian's
version of nginx.  Use upstream's releases, compile them yourself, and
update them yourself whenever you need to (for security reasons or
otherwise).

Personally I'd prefer to let the Debian security team do all that work
for me, but the OP seems to value large numbers for their own sake.



Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Klaus Singvogel
Hi Revanth,

Suryadevara, Revanth wrote:
> Hi  Klaus,
> 
> Just needed to re-confirm couple of things here
> 
> 1. I understand that the NGINX version shipped by default is secured and will 
> be updated with patches should there be some security issues. But my question 
> is, Can we expect the latest version of NGINX(i.e. v1.18.x) to be available 
> in Debian 10, soon ? If yes, when ?

As others said, and I explained already: no.

Debian 10's version of a package will never change. No new features, no
loss of features, no new syntax of configurations, no other changes.

> 2.  Please provide some kind of confirmation on CVE-2020-11879
>   If Vulnerability was already addressed, please point me to some article 
> which confirms the same.
>   If not addressed, please confirm on when can we expect 3.35.91 or 
> greater version to be available in Debian 10?

No: no new version.

If you're unhappy with that, think about these choices:

- install upcoming Debian 11 (Testing, Bullseye) and live with the changes
  of packages and possible errors in the system. Release date unknown.

- install Debian Sid (Unstable) and live with many more changes

- if both are not fulfilling your needs, think about a different
  distribution: LFS (Linux from Scratch), or Yocto, or commercial one.

  But beware of the security updates. AFAIK both LFS and Yocto need
  your effort to keep your machine(s) secure.

Best regards,
Klaus.
-- 
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27



Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Dan Ritter
Suryadevara, Revanth wrote: 
> Just needed to re-confirm couple of things here
> 
> 1. I understand that the NGINX version shipped by default is secured and will 
> be updated with patches should there be some security issues. But my question 
> is, Can we expect the latest version of NGINX(i.e. v1.18.x) to be available 
> in Debian 10, soon ? If yes, when ?

No, never.

Debian creates stable releases. That means that, unless there is
a compelling reason, no new major versions are packaged.
Instead, security patches are applied as necessary.

When Debian 11 is released, most likely in 2021, there will be a new
major version of nginx.

You want to subscribe to the debian-security-announce list, and
at least look at the archives of debian-security.

You should read through the Debian Handbook, too. 
https://debian-handbook.info/

-dsr-



Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread tomas
On Tue, Sep 15, 2020 at 12:23:11PM +, Suryadevara, Revanth wrote:
> Hi  Klaus,
> 
> Just needed to re-confirm couple of things here
> 
> 1. I understand that the NGINX version shipped by default is secured and will 
> be updated with patches should there be some security issues. But my question 
> is, Can we expect the latest version of NGINX(i.e. v1.18.x) to be available 
> in Debian 10, soon ? If yes, when ?

Debian doesn't change package versions in its stable release
(except exceptions, see Greg's post in this thread).

That's the meaning of "stable". Debian 10, aka Buster is
the current stable version [1]. So the answer is "most
probably not".

> 2.  Please provide some kind of confirmation on CVE-2020-11879
>   If Vulnerability was already addressed, please point me to some article 
> which confirms the same.
>   If not addressed, please confirm on when can we expect 3.35.91 or 
> greater version to be available in Debian 10?

Well, you can do that yourself. Enter "CVE-2020-11879 site:debian.org"
into your favourite Internet search engine (which hopefully isn't
Google, but I digress), you'll be led to [2]. Follow the links
from there, and you'll get lots of information :-)

Cheers

[1] https://www.debian.org/releases/index.html
[2] https://security-tracker.debian.org/tracker/CVE-2020-11879

 - t




Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Greg Wooledge
On Tue, Sep 15, 2020 at 12:23:11PM +, Suryadevara, Revanth wrote:
> 1. I understand that the NGINX version shipped by default is secured and will 
> be updated with patches should there be some security issues. But my question 
> is, Can we expect the latest version of NGINX(i.e. v1.18.x) to be available 
> in Debian 10, soon ? If yes, when ?

No.

Please read .



RE: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Suryadevara, Revanth
Hi  Klaus,

Just needed to re-confirm couple of things here

1. I understand that the NGINX version shipped by default is secured and will 
be updated with patches should there be some security issues. But my question 
is, Can we expect the latest version of NGINX(i.e. v1.18.x) to be available in 
Debian 10, soon ? If yes, when ?

2.  Please provide some kind of confirmation on CVE-2020-11879
If Vulnerability was already addressed, please point me to some article 
which confirms the same.
If not addressed, please confirm on when can we expect 3.35.91 or 
greater version to be available in Debian 10?

Thanks,
Revanth.

-Original Message-
From: Klaus Singvogel  
Sent: 15 September 2020 15:10
To: Suryadevara, Revanth 
Cc: debian-user@lists.debian.org
Subject: Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

Hi Revanth,

as you might have found out now, the Debian Security team is backporting 
security patches to older versions of OpenSource software, and Debian 10 isn't 
insecure.

The advantage of backporting is, that you don't have to adapt config files to 
latest syntax on an update, nor introduce incompatible libraries to your system 
on update.

So, don't worry about the older versions of software regarding security.
They are getting regular patches by the Debian Security team, even when the 
package maintainer doesn't support this version anymore.

I want to thank here the Debian Security team for their excellent job they did 
in the past and the future. Thank you.

Regarding missing CVE-2020-11879 for GNOME Evolution: I don't have the proof, 
but I think this points out to the fact the shipped version isn't affected.

Best regards,
Klaus.

Suryadevara, Revanth wrote:
> Hi Klaus,
>   
> 1.) Pertaining to Nginx there is no CVE-ID, main concern is, According 
> to nginx download page, 
> (http://nginx.org/en/download.html)
>  Nginx 1.14.x is no longer supported and will not be getting regular patches. 
> So, if any security Vulnerabilities arise then system would be at high risk 
> as the vendor no longer provide updates.
> 
> 2.) Pertaining to GNOME Evolution , the CVE-ID is  CVE-2020-11879 . This ID 
> isn't present in the links which you've shared.
> 
> Thanks,
> Revanth.
> 
> -Original Message-
> From: Klaus Singvogel 
> Sent: 15 September 2020 13:32
> To: Suryadevara, Revanth 
> Cc: debian-user@lists.debian.org
> Subject: Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME 
> Evolution
> 
> Suryadevara, Revanth wrote:
> > 
> > We have a system running on Debian 10 with Nginx v1.14.2, GNOME Evolution 
> > v3.30.5-1.1 installed along with other packages.
> > 
> [...]
> > When can we expect latest versions of Nginx and GNOME Evolution to be 
> > available in Debian 10 ?
> 
> Which security bugs do you think are in the Debian 10 version of Nginx
> v1.14.2 or GNOME Evolution v3.30.5-1.1 not fixed?
> 
>   
> https://metadata.ftp-master.debian.org/changelogs//main/n/nginx/nginx_1.14.2-2+deb10u3_changelog
> 
>   
> https://metadata.ftp-master.debian.org/changelogs//main/e/evolution/evolution_3.30.5-1.1_changelog
> 
> Please name us the CVE identifiers, which you believe Debian 10 is affected 
> by.
> 
> Thanks in advance.
> 
> Best regards,
>   Klaus.
> --
> Klaus Singvogel
> GnuPG-Key-ID: 1024R/5068792D  1994-06-27

--
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27



Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Greg Wooledge
On Tue, Sep 15, 2020 at 09:13:04AM +, Suryadevara, Revanth wrote:
> 1.) Pertaining to Nginx there is no CVE-ID, main concern is, 
> According to nginx download page, (http://nginx.org/en/download.html) Nginx 
> 1.14.x is no longer supported and will not be getting regular patches. So, if 
> any security Vulnerabilities arise then system would be at high risk as the 
> vendor no longer provide updates.

The Debian security team backports patches to fix security issues
whenever possible.

*If* in the future a vulnerability is discovered which cannot easily be
fixed by a patch backported from a future version of nginx, then the
security team *may* opt to use a newer upstream version of nginx in
the stable release.  There is some precedent for this with other packages
such as samba and bind9.



Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Klaus Singvogel
Hi Revanth,

as you might have found out now, the Debian Security team is backporting
security patches to older versions of OpenSource software, and Debian 10
isn't insecure.

The advantage of backporting is, that you don't have to adapt config files
to latest syntax on an update, nor introduce incompatible libraries to
your system on update.

So, don't worry about the older versions of software regarding security.
They are getting regular patches by the Debian Security team, even when
the package maintainer doesn't support this version anymore.

I want to thank here the Debian Security team for their excellent job they
did in the past and the future. Thank you.

Regarding missing CVE-2020-11879 for GNOME Evolution: I don't have the
proof, but I think this points out to the fact the shipped version isn't
affected.

Best regards,
Klaus.

Suryadevara, Revanth wrote:
> Hi Klaus,
>   
> 1.) Pertaining to Nginx there is no CVE-ID, main concern is, 
> According to nginx download page, (http://nginx.org/en/download.html) Nginx 
> 1.14.x is no longer supported and will not be getting regular patches. So, if 
> any security Vulnerabilities arise then system would be at high risk as the 
> vendor no longer provide updates.
> 
> 2.) Pertaining to GNOME Evolution , the CVE-ID is  CVE-2020-11879 . This ID 
> isn't present in the links which you've shared.
> 
> Thanks,
> Revanth.
> 
> -Original Message-
> From: Klaus Singvogel  
> Sent: 15 September 2020 13:32
> To: Suryadevara, Revanth 
> Cc: debian-user@lists.debian.org
> Subject: Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution
> 
> Suryadevara, Revanth wrote:
> > 
> > We have a system running on Debian 10 with Nginx v1.14.2, GNOME Evolution 
> > v3.30.5-1.1 installed along with other packages.
> > 
> [...]
> > When can we expect latest versions of Nginx and GNOME Evolution to be 
> > available in Debian 10 ?
> 
> Which security bugs do you think are in the Debian 10 version of Nginx
> v1.14.2 or GNOME Evolution v3.30.5-1.1 not fixed?
> 
>   
> https://metadata.ftp-master.debian.org/changelogs//main/n/nginx/nginx_1.14.2-2+deb10u3_changelog
> 
>   
> https://metadata.ftp-master.debian.org/changelogs//main/e/evolution/evolution_3.30.5-1.1_changelog
> 
> Please name us the CVE identifiers, which you believe Debian 10 is affected 
> by.
> 
> Thanks in advance.
> 
> Best regards,
>   Klaus.
> -- 
> Klaus Singvogel
> GnuPG-Key-ID: 1024R/5068792D  1994-06-27

-- 
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27



Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Reco
Hi.

Please do not top post.

On Tue, Sep 15, 2020 at 09:13:04AM +, Suryadevara, Revanth wrote:
> Hi Klaus,
>   
> 1.) Pertaining to Nginx there is no CVE-ID, main concern is, 
> According to nginx download page, (http://nginx.org/en/download.html)
> Nginx 1.14.x is no longer supported and will not be getting regular
> patches. So, if any security Vulnerabilities arise then system would
> be at high risk as the vendor no longer provide updates.

No known CVE = no problem. Unless of course you just happen to know a
private zero-day.
And, as the version of nginx shows, they've fixed some CVEs in the past,
thrice for the duration of buster.


> 2.) Pertaining to GNOME Evolution , the CVE-ID is  CVE-2020-11879 .
> This ID isn't present in the links which you've shared.

Buster's evolution is vulnerable indeed - [1]. Security impact is low,
so it's hardly a surprise it is not fixed yet.

Reco

[1] https://security-tracker.debian.org/tracker/source-package/evolution



RE: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Suryadevara, Revanth
Hi Klaus,

1.) Pertaining to Nginx there is no CVE-ID, main concern is, 
According to nginx download page, (http://nginx.org/en/download.html) Nginx 
1.14.x is no longer supported and will not be getting regular patches. So, if 
any security Vulnerabilities arise then system would be at high risk as the 
vendor no longer provide updates.

2.) Pertaining to GNOME Evolution , the CVE-ID is  CVE-2020-11879 . This ID 
isn't present in the links which you've shared.

Thanks,
Revanth.

-Original Message-
From: Klaus Singvogel  
Sent: 15 September 2020 13:32
To: Suryadevara, Revanth 
Cc: debian-user@lists.debian.org
Subject: Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

Suryadevara, Revanth wrote:
> 
> We have a system running on Debian 10 with Nginx v1.14.2, GNOME Evolution 
> v3.30.5-1.1 installed along with other packages.
> 
[...]
> When can we expect latest versions of Nginx and GNOME Evolution to be 
> available in Debian 10 ?

Which security bugs do you think are in the Debian 10 version of Nginx
v1.14.2 or GNOME Evolution v3.30.5-1.1 not fixed?


https://metadata.ftp-master.debian.org/changelogs//main/n/nginx/nginx_1.14.2-2+deb10u3_changelog


https://metadata.ftp-master.debian.org/changelogs//main/e/evolution/evolution_3.30.5-1.1_changelog

Please name us the CVE identifiers, which you believe Debian 10 is affected by.

Thanks in advance.

Best regards,
Klaus.
-- 
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27



Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Klaus Singvogel
Suryadevara, Revanth wrote:
> 
> We have a system running on Debian 10 with Nginx v1.14.2, GNOME Evolution 
> v3.30.5-1.1 installed along with other packages.
> 
[...]
> When can we expect latest versions of Nginx and GNOME Evolution to be 
> available in Debian 10 ?

Which security bugs do you think are in the Debian 10 version of Nginx
v1.14.2 or GNOME Evolution v3.30.5-1.1 not fixed?


https://metadata.ftp-master.debian.org/changelogs//main/n/nginx/nginx_1.14.2-2+deb10u3_changelog


https://metadata.ftp-master.debian.org/changelogs//main/e/evolution/evolution_3.30.5-1.1_changelog

Please name us the CVE identifiers, which you believe Debian 10 is affected by.

Thanks in advance.

Best regards,
Klaus.
-- 
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27



Re: Security issue ... please could someone help !!!

2020-04-05 Thread Reco
Hi.

On Sun, Apr 05, 2020 at 09:03:00PM +0100, Bhasker C V wrote:
> I kept digging down and saw that anything below 32 bytes is not accepted
> (by cryptsetup --key-file option) but anything above 32 bytes is
> discarded.

cryptsetup(8), "-s" option.


> Does this mean that cryptsetup plain with --key-file uses
> only 32 bytes ?

Yes, assuming the defaults.


> Am I doing anything wrong ?

Probably no.

By default cryptsetup uses AES encryption algorithm with the key size of
256 bits. You're supplying your own key to cryptsetup, hence it chooses
just right amount of bits from it (32 bytes = 256 bits).


> If only 32 bytes are used, it is (in my opinion) not so much secure
> isn't it?

It's sufficiently secure, unless you try to do something really wrong
(like storing a plain key somewhere), or generate your key predictably.

Reco



Re: Security Issue with sssd / AD authentication?

2019-11-08 Thread Dan Purgert

Kent West wrote:
> Probably not the best place to put this information, but I figure here 
> is better than nowhere...
>
> I'm tinkering with authenticating a Debian (10.1) box via Active 
> Directory, so that an AD user can log into the Debian box.
>
> [...]
>
> The result is that if I have a local account that belongs to a 
> completely different person than a person with a domain account of the 
> same name, the domain account person, upon login, becomes the local 
> account person, with full access as that person.
>
> Advice? Suggestions? Questions?
>

Last time I did central logins like that, I used openLDAP, so it may not
be the same process.  But as I recall, you had to change one of the PAM
modules (possibly more than one) such that it prefers ldap (AD,
whatever) over the local /etc/passwd file.

Additionally, I seem to recall some caveat of the "same username" not
gracefully allowing you to "select"; so I just ended up having a
secondary 'me_local' account that wasn't part of the LDAP setup.

It's been a few years (and a new job) since, so I might not have the
notes anymore (The general info is usually something I hang onto, but
the "basics of ldap" notes aren't immediately forthcoming).



-- 
|_|O|_| 
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Security Issue with sssd / AD authentication?

2019-11-08 Thread Kent West



On 11/8/19 11:53 AM, Roberto C. Sánchez wrote:
> On Fri, Nov 08, 2019 at 11:36:34AM -0600, Kent West wrote:
>> Probably not the best place to put this information, but I figure here is
>> better than nowhere...
>>
>> I'm tinkering with authenticating a Debian (10.1) box via Active Directory,
>> so that an AD user can log into the Debian box.
>>
>> The relevant /etc/sssd/sssd.conf file has the following modification:
>>
>> use_fully_qualified_names = False
>>
>> If I have a local account (say, "westk") and a domain account of the same
>> name, but with a different password, I can log into the Debian box with the
>> domain "westk"/password, but the "id" command shows me then to be logged in
>> as the local "westk".
>>
>> The result is that if I have a local account that belongs to a completely
>> different person than a person with a domain account of the same name, the
>> domain account person, upon login, becomes the local account person, with
>> full access as that person.
>>
>> Advice? Suggestions? Questions?
>
> It seems like you have two options:
>
> 1. change the use_fully_qualified_names setting
> 2. eliminate the westk local account
>
> While the situation has security implications, those implications are a
> result of misconfiguration rather than any defect in the related
> utilities.
>
> You could experience the same issue by allowing logins from two
> different domains where the same user account exists in both.  It is a
> risk of the use_fully_qualified_names configuration setting.
>
> Regards,
>
> -Roberto



I can accept that answer, if that's indeed the answer, but it seems to 
me that the local Debian box knows it authenticated from the domain, not 
locally (based on where the password was successful). Having that 
knowledge, it seems an error to then assign the user as the local user 
rather than the domain user.


--

Kent




Re: Security Issue with sssd / AD authentication?

2019-11-08 Thread Roberto C . Sánchez
On Fri, Nov 08, 2019 at 11:36:34AM -0600, Kent West wrote:
> Probably not the best place to put this information, but I figure here is
> better than nowhere...
> 
> I'm tinkering with authenticating a Debian (10.1) box via Active Directory,
> so that an AD user can log into the Debian box.
> 
> The relevant /etc/sssd/sssd.conf file has the following modification:
> 
> use_fully_qualified_names = False
> 
> If I have a local account (say, "westk") and a domain account of the same
> name, but with a different password, I can log into the Debian box with the
> domain "westk"/password, but the "id" command shows me then to be logged in
> as the local "westk".
> 
> The result is that if I have a local account that belongs to a completely
> different person than a person with a domain account of the same name, the
> domain account person, upon login, becomes the local account person, with
> full access as that person.
> 
> Advice? Suggestions? Questions?
> 
It seems like you have two options:

1. change the use_fully_qualified_names setting
2. eliminate the westk local account

While the situation has security implications, those implications are a
result of misconfiguration rather than any defect in the related
utilities.

You could experience the same issue by allowing logins from two
different domains where the same user account exists in both.  It is a
risk of the use_fully_qualified_names configuration setting.

Regards,

-Roberto

-- 
Roberto C. Sánchez



Re: Security Updates

2018-12-31 Thread Nazar Zhuk
On Sun, Dec 30, 2018 at 08:00:51PM +0100, Marek Gráfel wrote:

> I also tried the command via the apt-get update terminal, telling me that
> the operation is declined. 

Make sure you run apt-get as root or with sudo:

  sudo apt-get update

Then:

  sudo apt-get upgrade


-- Nazar



Re: Security Updates

2018-12-30 Thread David Christensen

On 12/30/18 11:00 AM, Marek Gráfel wrote:

> I do not know English well, but I hope that the translation through Google


Is there a Debian mailing list in your native language?

https://lists.debian.org/completeindex.html


David



Re: Security Updates

2018-12-30 Thread songbird
Marek Gráfel wrote:
...
> I do not know English well, but I hope that the translation through Google
> will be enough to lead me to write a procedure how to install security
> updates, and please explain why your Debian freezes despite Linux Mintu? I
> think Debian is higher than Linux Mint. Thank you for your reply :)

  i cannot really tell what you have done or what you
have installed.

  if you actually do have a Debian System installed
then you can add the following line to the 
/etc/apt/sources.list file:

deb http://security.debian.org/debian-security testing/updates main contrib non-free

change the word "testing" to "stretch" if you only want to
follow that version.  or change it to stable if you want
to only follow the stable distribution as it changes.

IMO if you have a system that is freezing under various
situations you likely have a hardware or heat problem.


  songbird



Re: Security updates for Chromium on Debian Jessie

2017-10-03 Thread Daniel Bareiro
Hi, Alex.

On 29/09/17 07:19, Alex ARNAUD wrote:

>>>> In the last DSA for the chromium-browser package (DSA-3985-1) I noticed
>>>> that the updates were released for stable, testing and unstable but not
>>>> for oldstable. I think the same thing happened with the previous
>>>> update.
>>>>
>>>> Maybe I'm missing something and Chromium on Jessie is no longer getting
>>>> security updates?

>>> It seems that the maintainer is overworked and cannot provide Jessie
>>> updates for chromium anymore[1].  Somebody else said he might be looking
>>> at it[2], but that was six weeks ago and nothing happened so far.
>>>
>>> So while it is not clear when chromium in jessie will be EOL'ed, it
>>> seems advisable to switch to some other browser for now (if you want a
>>> package from Debian, firefox-esr is the only option).
>>>
>>>
>>> 1. https://lists.debian.org/debian-security/2017/07/msg9.html
>>> 2. https://lists.debian.org/debian-security/2017/08/msg00010.html

>> Thanks for the observation and the references. I was not aware of this.
>>
>> Here I am using both Firefox and Chromium since sometimes I need to test
>> some things in both browsers (for example some WebRTC application such
>> as Jitsi Meet).

> You can also install Google Chrome from the Google Debian repository.
> It's up-to-date and it works for Jessie.

Thanks for the suggestion. I did not know they had a repository
published. The times I installed Chrome were downloading the Debian
package. But maybe this automatically adds an entry in
/etc/apt/source.list.d.


Kind regards,
Daniel





Re: security-cdn.debian.org refuses me?

2017-09-29 Thread Paul van der Vlis
On 29-09-17 at 13:52, Paul van der Vlis wrote:

> That is why I still find it strange that it connects to
> security-cdn.debian.org. I cannot derive that from anything. And tomorrow
> it may be something else again.

As far as I can tell, they have moved from Debian's own services to the
cloud platform of this organization:
https://www.fastly.com/products/fastly-managed-cdn/

Regards,
Paul

-- 
Paul van der Vlis Linux system administration Groningen
https://www.vandervlis.nl/



Re: security-cdn.debian.org refuses me?

2017-09-29 Thread Paul van der Vlis
On 28-09-17 at 14:04, Floris wrote:

> Probably already checked umpteen times, but what do the
> sources.list(.d/) look like on the problem machine?

root@kvm:/usr/local/sbin# cat /etc/apt/sources.list
deb http://ftp.nl.debian.org/debian/ jessie main contrib non-free
deb http://ftp.nl.debian.org/debian/ jessie-updates main contrib non-free
deb http://security.debian.org/ jessie/updates  main contrib non-free
deb http://ftp.nl.debian.org/debian/ jessie-backports main contrib non-free

root@kvm:/usr/local/sbin# ls -l /etc/apt/sources.list.d/
totaal 0
root@kvm:/usr/local/sbin#

That is why I still find it strange that it connects to
security-cdn.debian.org. I cannot derive that from anything. And tomorrow
it may be something else again.

Regards,
Paul


-- 
Paul van der Vlis Linux system administration Groningen
https://www.vandervlis.nl/



Re: security-cdn.debian.org refuses me?

2017-09-29 Thread Richard Lucassen
On Fri, 29 Sep 2017 11:38:27 +0200
Paul van der Vlis  wrote:

> names="security.debian.org ftp.nl.debian.org popov.debian.org \
>   popcon.debian.org ns1.vandervlis.nl ns2.vandervlis.nl"
> 
> ip4=""
> for name in $names; do
>ip4="$ip4 `dig -t A +short $name | tr '\r \n' ' '`"
> done
> for ip in $ip4; do
>   iptables -I OUTPUT -d $ip  -j ACCEPT
> done

Better to use ipsets instead of something like that...

R.

-- 
richard lucassen
http://contact.xaq.nl/



Re: Security updates for Chromium on Debian Jessie

2017-09-29 Thread Alex ARNAUD

On 28/09/2017 at 19:39, Daniel Bareiro wrote:
> Hi, Sven.
>
> On 28/09/17 14:13, Sven Joachim wrote:
>
>>> In the last DSA for the chromium-browser package (DSA-3985-1) I noticed
>>> that the updates were released for stable, testing and unstable but not
>>> for oldstable. I think the same thing happened with the previous update.
>>>
>>> Maybe I'm missing something and Chromium on Jessie is no longer getting
>>> security updates?
>
>> It seems that the maintainer is overworked and cannot provide Jessie
>> updates for chromium anymore[1].  Somebody else said he might be looking
>> at it[2], but that was six weeks ago and nothing happened so far.
>>
>> So while it is not clear when chromium in jessie will be EOL'ed, it
>> seems advisable to switch to some other browser for now (if you want a
>> package from Debian, firefox-esr is the only option).
>>
>>
>> 1. https://lists.debian.org/debian-security/2017/07/msg9.html
>> 2. https://lists.debian.org/debian-security/2017/08/msg00010.html
>
> Thanks for the observation and the references. I was not aware of this.
>
> Here I am using both Firefox and Chromium since sometimes I need to test
> some things in both browsers (for example some WebRTC application such
> as Jitsi Meet).
>
> Thanks for your reply.


You can also install Google Chrome from the Google Debian repository. 
It's up-to-date and it works for Jessie.


Best regards.
--
Alex ARNAUD
Visual-Impairment Project Manager
Hypra - "Humanizing technology"



Re: security-cdn.debian.org refuses me?

2017-09-29 Thread Paul van der Vlis
On 28-09-17 at 19:17, Geert Stappers wrote:
> On Thu, Sep 28, 2017 at 01:22:44PM +0200, Paul van der Vlis wrote:
>> On 28-09-17 at 12:27, Floris wrote:
>>> What do the guests point to?
>> There, security.debian.org also points to villa.debian.org.
>>
>> Hmm, on the problem machine this points to
>> mirror-conova-security.debian.org. And on another machine to
>> wieck.debian.org. Apparently this varies.
>>
>> But the message is not about security.debian.org, but about
>> security-cdn.debian.org, and that points to
>> prod.debian.map.fastly.net. Both on the host and on the guests.
> 
> The host in question, can it reach other web servers?
> 
>curl http://stappers.it/t/
> 
> should show the time and IP address ( v4 or v6 ).

This gives a timeout.

I have figured it out in the meantime. The firewall only accepts outgoing
traffic to certain hostnames, which it resolves regularly. However, if
a name is a CNAME to another name, then apparently it goes wrong.

Actually, I think it is a very good thing to allow outgoing traffic
only to a whitelist of hosts. But it does need maintenance...  I do it
with code like the following, but apparently that is not entirely OK:

names="security.debian.org ftp.nl.debian.org popov.debian.org \
  popcon.debian.org ns1.vandervlis.nl ns2.vandervlis.nl"

ip4=""
for name in $names; do
   ip4="$ip4 `dig -t A +short $name | tr '\r \n' ' '`"
done
for ip in $ip4; do
  iptables -I OUTPUT -d $ip  -j ACCEPT
done

Now that I have added security-cdn.debian.org it seems to work again.

Regards,
Paul


-- 
Paul van der Vlis Linux system administration Groningen
https://www.vandervlis.nl/
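
The hostname allowlist from this message, rebuilt on an ipset as suggested elsewhere in the thread, as an added example that is not code from any of the posters. It keeps only the A records from `dig +short` output (a CNAME'd name also prints its target name) and refuses to swap in an empty set when DNS fails; the set name `apt_out` and the function names are assumptions, and the sample output is constructed from addresses quoted in the thread.

```shell
#!/bin/sh
# Added example: hostname allowlist for outgoing traffic, kept in an ipset.
# One firewall rule references the set and never has to be re-inserted:
#   iptables -I OUTPUT -m set --match-set apt_out dst -j ACCEPT

# Constructed sample of `dig -t A +short` output for a name that is a CNAME:
# the target name is printed first, then the A records (one repeated).
SAMPLE_DIG_OUTPUT='prod.debian.map.fastly.net.
151.101.36.204
212.211.132.32
212.211.132.32'

# Read `dig +short` output on stdin; print each valid IPv4 address once.
# CNAME targets and anything else that is not a dotted quad are dropped.
only_ipv4() {
    awk '
        { sub(/\r$/, "") }
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($0, octet, ".")
            for (i = 1; i <= 4; i++) if (octet[i] + 0 > 255) next
            if (!seen[$0]++) print
        }'
}

# Read `dig +short` output on stdin and print an `ipset restore` script that
# fills a staging set, swaps it with the live set and drops the staging set,
# so the live set is never half-filled. Fails without output when nothing
# resolved, so a DNS outage cannot empty the allowlist.
ipset_restore_script() {
    set_name=$1
    staging="${set_name}_new"
    addresses=$(only_ipv4)
    if [ -z "$addresses" ]; then
        echo "no addresses resolved, leaving $set_name untouched" >&2
        return 1
    fi
    printf 'create %s hash:ip family inet\n' "$set_name"
    printf 'create %s hash:ip family inet\n' "$staging"
    printf 'flush %s\n' "$staging"
    for ip in $addresses; do
        printf 'add %s %s\n' "$staging" "$ip"
    done
    printf 'swap %s %s\n' "$staging" "$set_name"
    printf 'destroy %s\n' "$staging"
}

# Resolve the given hostnames and load the result (needs root, dig, ipset).
# -exist makes "create" succeed when the set is already there.
refresh_allowlist() {
    target_set=$1
    shift
    script=$(for name in "$@"; do dig -t A +short "$name"; done |
             ipset_restore_script "$target_set") || return 1
    printf '%s\n' "$script" | ipset -exist restore
}

# Only touch the firewall when asked to:
#   ./allowlist.sh --apply security.debian.org security-cdn.debian.org
if [ "${1:-}" = "--apply" ]; then
    shift
    refresh_allowlist apt_out "$@"
fi
```

Names served by a CDN return different addresses over time, so the refresh has to run periodically, and connections to an address that rotated in since the last run still fail until the next one.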



Re: Security updates for Chromium on Debian Jessie

2017-09-28 Thread Daniel Bareiro
Hi, Sven.

On 28/09/17 14:13, Sven Joachim wrote:

>> In the last DSA for the chromium-browser package (DSA-3985-1) I noticed
>> that the updates were released for stable, testing and unstable but not
>> for oldstable. I think the same thing happened with the previous update.
>>
>> Maybe I'm missing something and Chromium on Jessie is no longer getting
>> security updates?

> It seems that the maintainer is overworked and cannot provide Jessie
> updates for chromium anymore[1].  Somebody else said he might be looking
> at it[2], but that was six weeks ago and nothing happened so far.
> 
> So while it is not clear when chromium in jessie will be EOL'ed, it
> seems advisable to switch to some other browser for now (if you want a
> package from Debian, firefox-esr is the only option).
>
> 
> 1. https://lists.debian.org/debian-security/2017/07/msg9.html
> 2. https://lists.debian.org/debian-security/2017/08/msg00010.html

Thanks for the observation and the references. I was not aware of this.

Here I am using both Firefox and Chromium since sometimes I need to test
some things in both browsers (for example some WebRTC application such
as Jitsi Meet).

Thanks for your reply.

Kind regards,
Daniel





Re: security-cdn.debian.org refuses me?

2017-09-28 Thread Geert Stappers
On Thu, Sep 28, 2017 at 01:22:44PM +0200, Paul van der Vlis wrote:
> On 28-09-17 at 12:27, Floris wrote:
> > What do the guests point to?
> There, security.debian.org also points to villa.debian.org.
> 
> Hmm, on the problem machine this points to
> mirror-conova-security.debian.org. And on another machine to
> wieck.debian.org. Apparently this varies.
> 
> But the message is not about security.debian.org, but about
> security-cdn.debian.org, and that points to
> prod.debian.map.fastly.net. Both on the host and on the guests.

The host in question, can it reach other web servers?

   curl http://stappers.it/t/

should show the time and IP address ( v4 or v6 ).


Regards
Geert Stappers
-- 
Live and let live



Re: Security updates for Chromium on Debian Jessie

2017-09-28 Thread Sven Joachim
On 2017-09-28 11:08 -0300, Daniel Bareiro wrote:

> In the last DSA for the chromium-browser package (DSA-3985-1) I noticed
> that the updates were released for stable, testing and unstable but not
> for oldstable. I think the same thing happened with the previous update.
>
> Maybe I'm missing something and Chromium on Jessie is no longer getting
> security updates?

It seems that the maintainer is overworked and cannot provide Jessie
updates for chromium anymore[1].  Somebody else said he might be looking
at it[2], but that was six weeks ago and nothing happened so far.

So while it is not clear when chromium in jessie will be EOL'ed, it
seems advisable to switch to some other browser for now (if you want a
package from Debian, firefox-esr is the only option).

Cheers,
   Sven


1. https://lists.debian.org/debian-security/2017/07/msg9.html
2. https://lists.debian.org/debian-security/2017/08/msg00010.html



Re: security-cdn.debian.org weigert me?

2017-09-28 Thread Floris
On Thu, 28 Sep 2017 13:22:44 +0200, Paul van der Vlis wrote:

> On 28-09-17 at 12:27, Floris wrote:
>
> > Maybe this is of no use to you, but for me security.debian.org/
> > points to villa.debian.org
> > $ ping4 security.debian.org
> > PING security.debian.org (212.211.132.32) 56(84) bytes of data.
> > 64 bytes from villa.debian.org (212.211.132.32): icmp_seq=1 ttl=59
> > time=15.0 ms
> > 64 bytes from villa.debian.org (212.211.132.32): icmp_seq=2 ttl=59
> > time=14.7 ms
> > 64 bytes from villa.debian.org (212.211.132.32): icmp_seq=3 ttl=59
> > time=14.5 ms
> > ^C
> >
> > What do the guests point to?
>
> There, security.debian.org also points to villa.debian.org.
>
> Hmm, on the problem machine it points to
> mirror-conova-security.debian.org. And on another machine to
> wieck.debian.org. Apparently this differs.
>
> But the error message is not about security.debian.org, but about
> security-cdn.debian.org, and that points to
> prod.debian.map.fastly.net. Both on the host and on the guests.
>
> Regards,
> Paul.





ping4 security-cdn.debian.org
PING prod.debian.map.fastly.net (151.101.36.204) 56(84) bytes of data.
64 bytes from 151.101.36.204 (151.101.36.204): icmp_seq=1 ttl=59 time=8.76 ms

^C

When I go to prod.debian.map.fastly.net in a browser I get:
Fastly error: unknown domain: prod.debian.map.fastly.net. Please check
that this domain has been added to a service.

That is strange, because on deb.debian.org I read the following, which shows
that prod.debian.map.fastly.net should work:




Welcome to deb.debian.org!

This is deb.debian.org. This service provides mirrors for the following  
Debian archive repositories:


  /debian/
  /debian-debug/
  /debian-ports/
  /debian-security/

The server deb.debian.org does not have packages itself, but the name has
SRV records in DNS that let apt in stretch and later find places.

To use it with a sufficiently recent apt, you for instance can put

  deb http://deb.debian.org/debian unstable main
  deb http://deb.debian.org/debian-debug unstable-debug main
  deb http://deb.debian.org/debian-ports unstable main

in your sources.list.

As of October 2016 the SRV record is

  _http._tcp.deb.debian.org.  IN  SRV 10 1 80 prod.debian.map.fastly.net.
  _http._tcp.deb.debian.org.  IN  SRV 10 1 80 dpvctowv9b08b.cloudfront.net.

If you hit the server behind deb.debian.org directly, either because you
use an older apt or because you use a HTTP proxy that does not support SRV
records, your requests will get HTTP redirected to one of the CDN
instances. If you want to avoid the redirects, you can pick one instance
directly. For instance, this also works in your sources.list:

  deb http://cdn-fastly.deb.debian.org/debian stable main
  deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main

The redirection service is also available on HTTPS, so with the
apt-transport-https package installed, you can use:

  deb https://deb.debian.org/debian stable main
  deb https://deb.debian.org/debian-security stable/updates main

This service is sponsored by Fastly and Amazon CloudFront.


Probably checked umpteen times already, but what do the
sources.list(.d/) look like on the problem machine?


Floris



Re: security-cdn.debian.org refuses me?

2017-09-28 Thread Paul van der Vlis
On 28-09-17 at 12:27, Floris wrote:

> Maybe this is of no use to you, but for me security.debian.org/
> points to villa.debian.org
> $ ping4 security.debian.org
> PING security.debian.org (212.211.132.32) 56(84) bytes of data.
> 64 bytes from villa.debian.org (212.211.132.32): icmp_seq=1 ttl=59
> time=15.0 ms
> 64 bytes from villa.debian.org (212.211.132.32): icmp_seq=2 ttl=59
> time=14.7 ms
> 64 bytes from villa.debian.org (212.211.132.32): icmp_seq=3 ttl=59
> time=14.5 ms
> ^C
> 
> What do the guests point to?
There, security.debian.org also points to villa.debian.org.

Hmm, on the problem machine it points to
mirror-conova-security.debian.org. And on another machine to
wieck.debian.org. Apparently this differs.

But the error message is not about security.debian.org, but about
security-cdn.debian.org, and that points to
prod.debian.map.fastly.net. Both on the host and on the guests.

Regards,
Paul.




-- 
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/



Re: security-cdn.debian.org refuses me?

2017-09-28 Thread Floris
On Thu, 28 Sep 2017 11:08:53 +0200, Paul van der Vlis wrote:

> On 27-09-17 at 20:41, Geert Stappers wrote:
>
> > On Wed, Sep 27, 2017 at 04:47:36PM +0200, Paul van der Vlis wrote:
> >
> > > Hi,
> > >
> > > For a few days now, a machine has been giving error messages when
> > > fetching security updates, something like:
> > >
> > > ---
> > > Get:2 http://security.debian.org/ jessie/updates/main git amd64
> > > 1:2.1.4-2.1+deb8u5 [3694 kB]
> > > Err http://security.debian.org/ jessie/updates/main
> > > linux-image-3.16.0-4-amd64 amd64 3.16.43-2+deb8u5
> > >   Could not connect to security-cdn.debian.org:80 (151.101.36.204),
> > > connection timed out [IP: 151.101.36.204 80]
> > > Fetched 4962 kB in 4min 0s (20.7 kB/s)
> > > E: Failed to fetch
> > > http://security.debian.org/pool/updates/main/l/linux/linux-image-3.16.0-4-amd64_3.16.43-2+deb8u5_amd64.deb
> > >  Could not connect to security-cdn.debian.org:80 (151.101.36.204),
> > > connection timed out [IP: 151.101.36.204 80]
> > > ---
> > >
> > > root@kvm:~# telnet 151.101.36.204 80
> > > Trying 151.101.36.204...
> > > telnet: Unable to connect to remote host: Connection timed out
> > > root@kvm:~# ping 151.101.36.204
> > > PING 151.101.36.204 (151.101.36.204) 56(84) bytes of data.
> > > 64 bytes from 151.101.36.204: icmp_seq=1 ttl=56 time=4.99 ms
> > > 64 bytes from 151.101.36.204: icmp_seq=2 ttl=56 time=5.13 ms
> > > ^C
> > >
> > > It is a KVM host; the guests are not affected by this. They
> > > have their own IP.
> > >
> > > What could be going on,
> >
> > Probably a brief interruption.
> > At least, in my measurement the problem is no longer there.
> >
> > $ telnet 151.101.36.204 80
> > Trying 151.101.36.204...
> > Connected to 151.101.36.204.
> > Escape character is '^]'.
> > GET / HTTP/1.0
> > Host: security.debian.org
> >
> > HTTP/1.1 302 Found
> > Server: Apache
> > X-Content-Type-Options: nosniff
> > X-Frame-Options: sameorigin
> > Referrer-Policy: no-referrer
> > X-Xss-Protection: 1
> > Location: https://www.debian.org/security/
> > Cache-Control: max-age=120
> > Expires: Wed, 27 Sep 2017 18:37:43 GMT
> > Content-Type: text/html; charset=iso-8859-1
> > Via: 1.1 varnish
> > Fastly-Debug-Digest: 96a24a8855fbaca6dde10ffdbdf5bb8c9e4c05f00c65c15a702fb8928a1cedb9
> > Content-Length: 285
> > Accept-Ranges: bytes
> > Date: Wed, 27 Sep 2017 18:35:43 GMT
> > Via: 1.1 varnish
> > Age: 0
> > Connection: close
> > X-Served-By: cache-fra1226-FRA, cache-ams4432-AMS
> > X-Cache: MISS, MISS
> > X-Cache-Hits: 0, 0
> > X-Timer: S1506537343.421910,VS0,VE28
> >
> > 302 Found
> >
> > Found
> > The document has moved href="https://www.debian.org/security/;>here.
> >
> > Apache Server at security.debian.org Port 80
> >
> > Connection closed by foreign host.
>
> No, the problem is still there and has been going on for a week.
>
> On many machines it works fine for me too, just as it does for you.
> But not on 1 machine.
>
> This machine is a KVM host; guests on this machine are not affected,
> even though they hang off the same physical network cable (they do
> have a different IP).
>
> Regards,
> Paul.





Maybe this is of no use to you, but for me security.debian.org/
points to villa.debian.org

$ ping4 security.debian.org
PING security.debian.org (212.211.132.32) 56(84) bytes of data.
64 bytes from villa.debian.org (212.211.132.32): icmp_seq=1 ttl=59  
time=15.0 ms
64 bytes from villa.debian.org (212.211.132.32): icmp_seq=2 ttl=59  
time=14.7 ms
64 bytes from villa.debian.org (212.211.132.32): icmp_seq=3 ttl=59  
time=14.5 ms

^C

What do the guests point to?

Floris
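
The symptom reported in this message (apt times out on security-cdn.debian.org:80 while ping to the same address answers) as a small parser and classifier for spotting hosts that silently miss security updates. This is an added example, not code from the thread; the names `parse_failures`, `classify` and `tcp_connects` are made up for the illustration, and only the apt output format quoted above is handled.

```python
import re
import socket
from dataclasses import dataclass
from urllib.parse import unquote, urlparse

# apt-get output exactly as quoted in the thread, mail line-wrapping included.
THREAD_APT_OUTPUT = """\
Get:2 http://security.debian.org/ jessie/updates/main git amd64
1:2.1.4-2.1+deb8u5 [3694 kB]
Err http://security.debian.org/ jessie/updates/main
linux-image-3.16.0-4-amd64 amd64 3.16.43-2+deb8u5
  Could not connect to security-cdn.debian.org:80 (151.101.36.204),
connection timed out [IP: 151.101.36.204 80]
Fetched 4962 kB in 4min 0s (20.7 kB/s)
E: Failed to fetch
http://security.debian.org/pool/updates/main/l/linux/linux-image-3.16.0-4-amd64_3.16.43-2+deb8u5_amd64.deb
 Could not connect to security-cdn.debian.org:80 (151.101.36.204),
connection timed out [IP: 151.101.36.204 80]
"""

# A new apt record starts with one of these prefixes; anything else is a wrapped tail.
RECORD_START = re.compile(r"^(?:(?:Get|Hit|Ign|Err)(?::\d+)?|Fetched|E:|W:)(?:\s|$)")
FAILED = re.compile(r"^E: Failed to fetch (?P<url>\S+)\s+(?P<detail>.*)$")
CONNECT = re.compile(
    r"Could not connect to (?P<host>[^\s:]+):(?P<port>\d+) \((?P<ip>[^)]+)\), "
    r"(?P<reason>.+?)\s*(?:\[IP: [^\]]*\])?$"
)

VERDICTS = {
    "reachable": "TCP connect works now; the earlier failure was transient",
    "tcp-filtered": "address answers ping but the TCP port times out: packets to "
                    "that port are dropped for this source (local firewall, "
                    "upstream filter or the far end), so DNS is not the fault",
    "unreachable": "neither ping nor TCP gets through: no path, an outage, "
                   "or everything filtered",
}


@dataclass
class FetchFailure:
    package: str
    version: str
    arch: str
    configured_host: str  # host in the URL, i.e. what sources.list names
    connect_host: str     # host apt actually tried to open a socket to
    ip: str
    port: int
    reason: str


def unwrap(text):
    """Rejoin apt records that a mail client or terminal wrapped over several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_failures(text):
    """Return one FetchFailure per 'E: Failed to fetch' record caused by a connect error."""
    failures = []
    for record in unwrap(text):
        failed = FAILED.match(record)
        conn = CONNECT.search(failed["detail"]) if failed else None
        if not conn:
            continue  # other failure kinds (404, hash mismatch) are out of scope here
        url = urlparse(failed["url"])
        name = unquote(url.path.rsplit("/", 1)[-1])
        stem = name[:-4] if name.endswith(".deb") else name
        package, version, arch = (stem.split("_") + ["", ""])[:3]
        failures.append(FetchFailure(package, version, arch, url.hostname,
                                     conn["host"], conn["ip"], int(conn["port"]),
                                     conn["reason"]))
    return failures


def tcp_connects(ip, port, timeout=5.0):
    """Live probe: the same check as the 'telnet <ip> 80' used in the thread."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(icmp_ok, tcp_ok):
    """Combine a ping result and a TCP connect result into a VERDICTS key."""
    if tcp_ok:
        return "reachable"
    return "tcp-filtered" if icmp_ok else "unreachable"


if __name__ == "__main__":
    for f in parse_failures(THREAD_APT_OUTPUT):
        # Probe results as reported in the thread for the KVM host: ping answered,
        # telnet to port 80 timed out. Live: tcp_ok=tcp_connects(f.ip, f.port).
        verdict = classify(icmp_ok=True, tcp_ok=False)
        alias = "" if f.configured_host == f.connect_host else f" (via {f.connect_host})"
        print(f"{f.package} {f.version}: not fetched from {f.configured_host}{alias}")
        print(f"  {f.ip}:{f.port} {f.reason} -> {verdict}: {VERDICTS[verdict]}")
```
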



Re: security issues

2017-08-27 Thread Gene Heskett
On Sunday 27 August 2017 12:22:30 Mike McClain wrote:

> On Sat, Aug 26, 2017 at 04:35:21PM -0400, Gene Heskett wrote:
> > I have had the ultimate revenge on those who were enemies at one
> > time, I've outlived the turkeys without doing anything to hasten
> > their demise. ;-)
>
> I thought that was worthy of being a tagline.
> Hope you don't mind.
> Mike

Help yourself Mike. But I am far from the first to say that in print. :)
> --
> You can't say that civilization don't advance,
>   for in every war they kill you in a new way.
> - Will Rogers


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: security issues

2017-08-27 Thread Mike McClain
On Sat, Aug 26, 2017 at 04:35:21PM -0400, Gene Heskett wrote:
>
> I have had the ultimate revenge on those who were enemies at one time,
> I've outlived the turkeys without doing anything to hasten their
> demise. ;-)
>

I thought that was worthy of being a tagline.
Hope you don't mind.
Mike
--
You can't say that civilization don't advance,
  for in every war they kill you in a new way.
- Will Rogers



Re: security issues

2017-08-26 Thread Gene Heskett
On Saturday 26 August 2017 15:43:40 Brian wrote:

> [Lots of snipping]
>
> On Sat 26 Aug 2017 at 15:25:53 -0400, Gene Heskett wrote:
> > On Saturday 26 August 2017 14:51:41 Brian wrote:
> > > That's what you think! But while you are slumbering, she is
> > > emailing friends and talking with Donald on Twitter. Never
> > > underestimate a woman's ability to manipulate a communication
> > > medium.
> >
> > Ahh, no.  This one is 77 yo, dying of COPD slowly but surely.  She
> > also fell and broke a hip back in February, which was replaced, and
> > what little moving around is usually with a walker assist, and just
> > to the potty chair 10 feet from the recliner she has taken up
> > residence in, and with an oxy hose hanging on her ears, probably
> > sleeps 12-16 hours a day. Not at all computer literate. Ever.
> >
> > A retired elementary school music teacher, she was once forced to
> > use an elderly PB 286 computer with 2 floppy disks, running dos3.2,
> > to do her report cards.  That disaster was not, to my knowledge,
> > repeated.  One of the reasons she took her 34 years of credit for
> > teaching and retired in the late 90's.
> >
> > I am doing all the housekeeping and cooking since February. And I do
> > take time out for "my stuff" like these mailing lists, and
> > converting elderly machine tools, mills and lathes, to 10x the
> > original precision with linuxcnc, new drive screws and me making at
> > least half the hardware to make the conversions.  And I just wrote
> > the gcodes to put a new barrel in old meat in the pot, chambered for
> > 6.5 Creedmoor.  The barrels in it from the early '60's up till now
> > have all been for the 30-06 Ackley Improved, but its kick was
> > beginning to beat the old man up. So I do this stuff to keep me out
> > of the bars.  Seems to be working fairly well... ;-)  And I make
> > some furniture from time to time.
>
> You and your wife have my sympathy and best wishes. My response was
> intended to be light-hearted, but, sometimes, hitting the mark is
> wildly off.
>
> Regards,
>
> Brian.

NP Brian, you had no first hand idea as to where I was coming from. And I 
wasn't looking for sympathy, just describing my situation & why I make 
recommendations that don't fit a busy, multiuser site at all well.  I 
have no other users here except me.  If I muck it up, I'm the scapegoat, 
complete with the chin whiskers. :)

I have had the ultimate revenge on those who were enemies at one time, 
I've outlived the turkeys without doing anything to hasten their 
demise. ;-) 

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: security issues

2017-08-26 Thread Brian
[Lots of snipping]

On Sat 26 Aug 2017 at 15:25:53 -0400, Gene Heskett wrote:

> On Saturday 26 August 2017 14:51:41 Brian wrote:
> 
> > That's what you think! But while you are slumbering, she is emailing
> > friends and talking with Donald on Twitter. Never underestimate a
> > woman's ability to manipulate a communication medium.
> >
> Ahh, no.  This one is 77 yo, dying of COPD slowly but surely.  She also 
> fell and broke a hip back in February, which was replaced, and what 
> little moving around is usually with a walker assist, and just to the 
> potty chair 10 feet from the recliner she has taken up residence in, and 
> with an oxy hose hanging on her ears, probably sleeps 12-16 hours a day.  
> Not at all computer literate. Ever.
> 
> A retired elementary school music teacher, she was once forced to use an 
> elderly PB 286 computer with 2 floppy disks, running dos3.2, to do her 
> report cards.  That disaster was not, to my knowledge, repeated.  One of 
> the reasons she took her 34 years of credit for teaching and retired in 
> the late 90's.
> 
> I am doing all the housekeeping and cooking since February. And I do take 
> time out for "my stuff" like these mailing lists, and converting elderly 
> machine tools, mills and lathes, to 10x the original precision with 
> linuxcnc, new drive screws and me making at least half the hardware to 
> make the conversions.  And I just wrote the gcodes to put a new barrel 
> in old meat in the pot, chambered for 6.5 Creedmoor.  The barrels in it 
> from the early '60's up till now have all been for the 30-06 Ackley 
> Improved, but its kick was beginning to beat the old man up. So I do 
> this stuff to keep me out of the bars.  Seems to be working fairly 
> well... ;-)  And I make some furniture from time to time.
 
You and your wife have my sympathy and best wishes. My response was
intended to be light-hearted, but, sometimes, hitting the mark is wildly
off.

Regards,

Brian.




Re: security issues

2017-08-26 Thread Gene Heskett
On Saturday 26 August 2017 15:25:53 Gene Heskett wrote:

> > > install any of the firewall type stuff, dd-wrt in the router is
> > > the best guard dog. I've been running some form of it for 15 or
> > > more years, and have not been breached.
> >
> > Isn't dd-wrt only suitable for particular routers?


If it has at least 4G of flash, brainslayer probably has a build for it.  
Do a search using the model # from yours to find out if it will work for 
you. Most routers above the 65 USD price break can probably be flashed.

I'm using a Buffalo NetFinity, $70+ ship, came with dd-wrt but the 
branding video image covered some functions I needed, so I installed it 
from the dd-wrt site, and with some minor tweaking, and one reflash, it's 
been sitting on the other side of the big printer for about 8 years now.  
The only traffic that comes in unannounced is to my web page, which I 
have in a permissions sandbox on this machine.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: security issues

2017-08-26 Thread Gene Heskett
On Saturday 26 August 2017 14:51:41 Brian wrote:

> On Sat 26 Aug 2017 at 07:40:09 -0400, Gene Heskett wrote:
> > On Saturday 26 August 2017 04:13:38 Dejan Jocic wrote:
> > > On 26-08-17, R Calleja wrote:
> > > > Buenos dias, soy usuario de debian 8.9 desde hace 2 años.
> > > > Tengo problemas de seguridad que me obligan a reinstalar el
> > > > sistema a menudo, una vez al año.
> > > > He leido documentos y ayuda para mejorar la seguridad.
> > > > Pero no soy un usuario con conocimientos avanzados de sistemas.
> > > > Mi objetivo es conseguir una estacion de trabajo segura .
> > > > He conocido herramientas como:
> > > > Lynis, openval, nessus, grsecurity,apparmor, selinux, etc
> > > > Si puede alguien con conocimientos de seguridad  ayudarme. O hay
> > > > alguna empresa que de soporte.
> > > >
> > > > Muchas gracias, Roberto
> > > >
> > > >
> > > > Good afternoon, I have been debian 8.9 user for 2 years.
> > > > I have security issues that force me to reinstall the system
> > > > often, once a year.
> > >
> > > What security issues?
> > >
> > > > I have read documents and help to improve security.
> > >
> > > What documents?
> > >
> > > > But I am not a user with advanced systems knowledge.
> > >
> > > That is not problem, you can find lots of tutorials and documents
> > > around.
> > >
> > > > My goal is to get a safe work station.
> > > > I have known tools like:
> > > > Lynis, openval, nessus, grsecurity, apparmor, selinux, etc.
> > >
> > > Apparmor and selinux do not go together, use just apparmor because
> > > it is easier to set up and easier not to mess up. Selinux in
> > > theory can provide you with more protection, but in practical use
> > > you will not see it. Lynis is probably too much for you. Openval I
> > > do not know, nessus I did not use. Grsecurity is, according to
> > > Linus Torvalds:
> > >
> > > "
> > >
> > > Don't bother with grsecurity.
> > >
> > > Their approach has always been "we don't care if we break
> > > anything, we'll just claim it's because we're extra secure".
> > >
> > > The thing is a joke, and they are clowns. When they started
> > > talking about people taking advantage of them, I stopped
> > > trying to be polite about their bullshit.
> > >
> > > Their patches are pure garbage.
> > >
> > > Linus
> > > "
> > >
> > > > If anyone with safety knowledge can help me. Or is there any
> > > > support company.
> > > >
> > > > Thank you very much, Roberto
> > >
> > > For someone who knows little, you are sure installing too much
> > > things. Here are some general advices, but do not take this for
> > > granted, it is based on personal opinion after all, and I'm not
> > > security expert, though I did read for few of those have to say
> > > about security in linux.
> > >
> > > 1. Firewall. If you are connected to net and use some services you
> > > really want it. Choose simple one, like gufw. That is front end
> > > for ufw ( uncomplicated firewall ) and will serve your needs well.
> > > If you want something more secure, but really more complicated,
> > > you will have to learn iptables.
> >
> > If the security being worried about is external, coming in and
> > attacking you from the internet, then I would recommend getting an
> > aftermarket router with enough flashable memory to support
> > reprogramming it with dd-wrt. I don't worry about local security
> > here as we're an older couple and the wife is not computer
> > literate, so I am the only user.  I don't
>
> That's what you think! But while you are slumbering, she is emailing
> friends and talking with Donald on Twitter. Never underestimate a
> woman's ability to manipulate a communication medium.
>
Ahh, no.  This one is 77 yo, dying of COPD slowly but surely.  She also 
fell and broke a hip back in February, which was replaced, and what 
little moving around is usually with a walker assist, and just to the 
potty chair 10 feet from the recliner she has taken up residence in, and 
with an oxy hose hanging on her ears, probably sleeps 12-16 hours a day.  
Not at all computer literate. Ever.

A retired elementary school music teacher, she was once forced to use an 
elderly PB 286 computer with 2 floppy disks, running dos3.2, to do her 
report cards.  That disaster was not, to my knowledge, repeated.  One of 
the reasons she took her 34 years of credit for teaching and retired in 
the late 90's.

I am doing all the housekeeping and cooking since February. And I do take 
time out for "my stuff" like these mailing lists, and converting elderly 
machine tools, mills and lathes, to 10x the original precision with 
linuxcnc, new drive screws and me making at least half the hardware to 
make the conversions.  And I just wrote the gcodes to put a new barrel 
in old meat in the pot, chambered for 6.5 Creedmoor.  The barrels in it 
from the early '60's up till now have all been for the 30-06 Ackley 
Improved, but its kick was beginning to beat the old man up. So I do 
this stuff to keep me 

Re: security issues

2017-08-26 Thread Brian
On Sat 26 Aug 2017 at 07:40:09 -0400, Gene Heskett wrote:

> On Saturday 26 August 2017 04:13:38 Dejan Jocic wrote:
> 
> > On 26-08-17, R Calleja wrote:
> > > Buenos dias, soy usuario de debian 8.9 desde hace 2 años.
> > > Tengo problemas de seguridad que me obligan a reinstalar el sistema
> > > a menudo, una vez al año.
> > > He leido documentos y ayuda para mejorar la seguridad.
> > > Pero no soy un usuario con conocimientos avanzados de sistemas.
> > > Mi objetivo es conseguir una estacion de trabajo segura .
> > > He conocido herramientas como:
> > > Lynis, openval, nessus, grsecurity,apparmor, selinux, etc
> > > Si puede alguien con conocimientos de seguridad  ayudarme. O hay
> > > alguna empresa que de soporte.
> > >
> > > Muchas gracias, Roberto
> > >
> > >
> > > Good afternoon, I have been debian 8.9 user for 2 years.
> > > I have security issues that force me to reinstall the system often,
> > > once a year.
> >
> > What security issues?
> >
> > > I have read documents and help to improve security.
> >
> > What documents?
> >
> > > But I am not a user with advanced systems knowledge.
> >
> > That is not problem, you can find lots of tutorials and documents
> > around.
> >
> > > My goal is to get a safe work station.
> > > I have known tools like:
> > > Lynis, openval, nessus, grsecurity, apparmor, selinux, etc.
> >
> > Apparmor and selinux do not go together, use just apparmor because it
> > is easier to set up and easier not to mess up. Selinux in theory can
> > provide you with more protection, but in practical use you will not
> > see it. Lynis is probably too much for you. Openval I do not know,
> > nessus I did not use. Grsecurity is, according to Linus Torvalds:
> >
> > "
> >
> > Don't bother with grsecurity.
> >
> > Their approach has always been "we don't care if we break
> > anything, we'll just claim it's because we're extra secure".
> >
> > The thing is a joke, and they are clowns. When they started
> > talking about people taking advantage of them, I stopped
> > trying to be polite about their bullshit.
> >
> > Their patches are pure garbage.
> >
> > Linus
> > "
> >
> > > If anyone with safety knowledge can help me. Or is there any support
> > > company.
> > >
> > > Thank you very much, Roberto
> >
> > For someone who knows little, you are sure installing too much things.
> > Here are some general advices, but do not take this for granted, it is
> > based on personal opinion after all, and I'm not security expert,
> > though I did read for few of those have to say about security in
> > linux.
> >
> > 1. Firewall. If you are connected to net and use some services you
> > really want it. Choose simple one, like gufw. That is front end for
> > ufw ( uncomplicated firewall ) and will serve your needs well. If you
> > want something more secure, but really more complicated, you will have
> > to learn iptables.
> 
> If the security being worried about is external, coming in and attacking  
> you from the internet, then I would recommend getting an aftermarket 
> router with enough flashable memory to support reprogramming it with 
> dd-wrt. I don't worry about local security here as we're an older couple 
> and the wife is not computer literate, so I am the only user.  I don't 

That's what you think! But while you are slumbering, she is emailing
friends and talking with Donald on Twitter. Never underestimate a woman's
ability to manipulate a communication medium.

> install any of the firewall type stuff, dd-wrt in the router is the best 
> guard dog. I've been running some form of it for 15 or more years, and 
> have not been breached.

Isn't dd-wrt only suitable for particular routers?

> OTOH, if other family members are able to access your machine, then it 
> may be that apparmor needs to be installed & setup.

Not really. But, if it is to your taste, go ahead,

-- 
Brian.



Re: security issues

2017-08-26 Thread Gene Heskett
On Saturday 26 August 2017 04:13:38 Dejan Jocic wrote:

> On 26-08-17, R Calleja wrote:
> > Buenos dias, soy usuario de debian 8.9 desde hace 2 años.
> > Tengo problemas de seguridad que me obligan a reinstalar el sistema
> > a menudo, una vez al año.
> > He leido documentos y ayuda para mejorar la seguridad.
> > Pero no soy un usuario con conocimientos avanzados de sistemas.
> > Mi objetivo es conseguir una estacion de trabajo segura .
> > He conocido herramientas como:
> > Lynis, openval, nessus, grsecurity,apparmor, selinux, etc
> > Si puede alguien con conocimientos de seguridad  ayudarme. O hay
> > alguna empresa que de soporte.
> >
> > Muchas gracias, Roberto
> >
> >
> > Good afternoon, I have been debian 8.9 user for 2 years.
> > I have security issues that force me to reinstall the system often,
> > once a year.
>
> What security issues?
>
> > I have read documents and help to improve security.
>
> What documents?
>
> > But I am not a user with advanced systems knowledge.
>
> That is not problem, you can find lots of tutorials and documents
> around.
>
> > My goal is to get a safe work station.
> > I have known tools like:
> > Lynis, openval, nessus, grsecurity, apparmor, selinux, etc.
>
> Apparmor and selinux do not go together, use just apparmor because it
> is easier to set up and easier not to mess up. Selinux in theory can
> provide you with more protection, but in practical use you will not
> see it. Lynis is probably too much for you. Openval I do not know,
> nessus I did not use. Grsecurity is, according to Linus Torvalds:
>
> "
>
> Don't bother with grsecurity.
>
> Their approach has always been "we don't care if we break
> anything, we'll just claim it's because we're extra secure".
>
> The thing is a joke, and they are clowns. When they started
> talking about people taking advantage of them, I stopped
> trying to be polite about their bullshit.
>
> Their patches are pure garbage.
>
> Linus
> "
>
> > If anyone with safety knowledge can help me. Or is there any support
> > company.
> >
> > Thank you very much, Roberto
>
> For someone who knows little, you are sure installing too much things.
> Here are some general advices, but do not take this for granted, it is
> based on personal opinion after all, and I'm not security expert,
> though I did read for few of those have to say about security in
> linux.
>
> 1. Firewall. If you are connected to net and use some services you
> really want it. Choose simple one, like gufw. That is front end for
> ufw ( uncomplicated firewall ) and will serve your needs well. If you
> want something more secure, but really more complicated, you will have
> to learn iptables.

If the security being worried about is external, coming in and attacking  
you from the internet, then I would recommend getting an aftermarket 
router with enough flashable memory to support reprogramming it with 
dd-wrt. I don't worry about local security here as we're an older couple 
and the wife is not computer literate, so I am the only user.  I don't 
install any of the firewall type stuff, dd-wrt in the router is the best 
guard dog. I've been running some form of it for 15 or more years, and 
have not been breached.

OTOH, if other family members are able to access your machine, then it 
may be that apparmor needs to be installed & setup.

> 2. Always keep your system updated with latest security patches. So,
> do your daily routine of apt-get update && apt-get upgrade. Even
> apt-get dist-upgrade, in case of need.

Excellent advice.

> 3. apparmor can help to mitigate risks of some exploits and is easier
> to setup than selinux.
>
> 4. Use some tools that can help you detect potential rootkits. So,
> learn how to use rkhunter, chkrootkit and some of intrusion detection
> tools, like aide, or tripwire. Also some network based intrusion
> detection tools like Snort, or suricata.
>
> 5. If you use ssh, disable root login, disable logging with passwords,
> use pair of keys. When we are at root account, if someone else can
> physically access your comp, you should disable it too and use sudo.
> But it is not necessary and will not increase your security as
> standalone solution in cases where someone can poke your comp freely.
> For further reading about restricting root account:
> https://www.centos.org/docs/5/html/5.1/Deployment_Guide/s2-wstation-privileges-noroot.html
>
> 6. Just in case that you are connected to some windows based machines,
> you can install and use clamav. But it will not protect you
> personally, will just make you better neighbour.
>
> 7. Oh, yes, secure password is good thing to have too. Do not use your
> name, your family names, your dog name, nor anything that can be
> connected to you, or is susceptible to dictionary attacks. You can
> install some tool like John the Ripper to check if your password is
> weak.
>
> 8. Encrypt your data and use backups.
>
> 9. Do a lot of reading about all that, practice a bit and do not 

Re: security issues

2017-08-26 Thread TheFox
Right, then what we are going to do, first of all, is clear the Firefox
cache; to do that, run the following command in a terminal:

rm -rf ~/.cache/mozilla/firefox

After that, you are going to sniff (listen to) the network traffic, in case
you find suspicious traffic (for example, traffic that occurs when you are
not browsing the Internet), using the Tcpdump program (if you do not have it
installed you have to install it with the command «sudo apt-get install
tcpdump»). To do so, follow the steps given at
http://tecnoloxiaxa.blogspot.com.es/2013/05/esnfiando-trafico-de-red-con-tcpdump.html?m=1 .
Then note down the suspicious IP address and post the results to the
list.

Santiago.


On 26 Aug 2017 11:02, "R Calleja" wrote:

Hello, thanks for replying.
Several things and details in how the system behaves make me suspect that it
has been tampered with for some time.
The most significant and obvious one: every year before the grape harvest I
notice an attack on the browser; it freezes and stops working. After that the
system runs badly and I have to reinstall it. It happens just before security
updates for Firefox and the kernel. The notifications show up in my mail
days late, and if I update during those days, it
simply does not update. It looks as if someone were blocking the
security updates. During those days I suffer the attack.
The antivirus has detected an exploit in .cache/mozilla/firefox.
I have also noticed that some of my documents are missing.
Regards, Roberto

On 26 August 2017, 8:49, TheFox wrote:

> Exactly what security problems is Debian giving you?
>
> Santiago.
>
> On 26 Aug 2017 8:59, "R Calleja" wrote:
>
>> Buenos dias, soy usuario de debian 8.9 desde hace 2 años.
>> Tengo problemas de seguridad que me obligan a reinstalar el sistema a
>> menudo, una vez al año.
>> He leido documentos y ayuda para mejorar la seguridad.
>> Pero no soy un usuario con conocimientos avanzados de sistemas.
>> Mi objetivo es conseguir una estacion de trabajo segura .
>> He conocido herramientas como:
>> Lynis, openval, nessus, grsecurity,apparmor, selinux, etc
>> Si puede alguien con conocimientos de seguridad  ayudarme. O hay alguna
>> empresa que de soporte.
>>
>> Muchas gracias, Roberto
>>
>>
>> Good afternoon, I have been debian 8.9 user for 2 years.
>> I have security issues that force me to reinstall the system often, once a 
>> year.
>> I have read documents and help to improve security.
>> But I am not a user with advanced systems knowledge.
>> My goal is to get a safe work station.
>> I have known tools like:
>> Lynis, openval, nessus, grsecurity, apparmor, selinux, etc.
>> If anyone with safety knowledge can help me. Or is there any support company.
>>
>> Thank you very much, Roberto
>>
>>


Re: security issues

2017-08-26 Thread TheFox
Exactly what security problems is Debian giving you?

Santiago.

On 26 Aug 2017 8:59, "R Calleja" wrote:

> Buenos dias, soy usuario de debian 8.9 desde hace 2 años.
> Tengo problemas de seguridad que me obligan a reinstalar el sistema a
> menudo, una vez al año.
> He leido documentos y ayuda para mejorar la seguridad.
> Pero no soy un usuario con conocimientos avanzados de sistemas.
> Mi objetivo es conseguir una estacion de trabajo segura .
> He conocido herramientas como:
> Lynis, openval, nessus, grsecurity,apparmor, selinux, etc
> Si puede alguien con conocimientos de seguridad  ayudarme. O hay alguna
> empresa que de soporte.
>
> Muchas gracias, Roberto
>
>
> Good afternoon, I have been debian 8.9 user for 2 years.
> I have security issues that force me to reinstall the system often, once a 
> year.
> I have read documents and help to improve security.
> But I am not a user with advanced systems knowledge.
> My goal is to get a safe work station.
> I have known tools like:
> Lynis, openval, nessus, grsecurity, apparmor, selinux, etc.
> If anyone with safety knowledge can help me. Or is there any support company.
>
> Thank you very much, Roberto
>
>


Re: security issues

2017-08-26 Thread Nicolas George
On nonidi 9 Fructidor, year CCXXV, Dejan Jocic wrote:
> 10. I'm sure that there is more

0. Think about against what risks you want to protect yourself.

Security is always a compromise with convenience. The only absolute
security is when you do nothing with no computer at all, but that is not
what you want.

Think about house keys: leaving a double under the doormat is really
insecure, but it is a life saver when you lose your own; leaving them to
a neighbour is somewhat safer, but less convenient, etc.

A very important lesson to learn is that security is bounded by the
weakest link, including non-computer stuff.

You may have your 65536-bits RSA key protected by a passphrase that is
an epic poem, stored on a physical dongle with built-in fingerprint and
ear-print reader, if someone can attack you with a knife and force you
to give it, you might as well have used "swordfish" as a password.




Re: security issues

2017-08-26 Thread Dejan Jocic
On 26-08-17, R Calleja wrote:
> Good morning, I have been a Debian 8.9 user for 2 years.
> I have security problems that force me to reinstall the system
> often, once a year.
> I have read documents and help to improve security.
> But I am not a user with advanced systems knowledge.
> My goal is to get a secure workstation.
> I have come across tools such as:
> Lynis, openval, nessus, grsecurity, apparmor, selinux, etc.
> If someone with security knowledge could help me. Or is there a
> company that provides support.
> 
> Many thanks, Roberto
> 
> 
> Good afternoon, I have been debian 8.9 user for 2 years.
> I have security issues that force me to reinstall the system often, once a 
> year.

What security issues?

> I have read documents and help to improve security.

What documents?

> But I am not a user with advanced systems knowledge.

That is not a problem, you can find lots of tutorials and documents
around.

> My goal is to get a safe work station.
> I have known tools like:
> Lynis, openval, nessus, grsecurity, apparmor, selinux, etc.

Apparmor and selinux do not go together, use just apparmor because it is
easier to set up and easier not to mess up. Selinux in theory can
provide you with more protection, but in practical use you will not see
it. Lynis is probably too much for you. Openval I do not know, nessus I
did not use. Grsecurity is, according to Linus Torvalds:

"

Don't bother with grsecurity.

Their approach has always been "we don't care if we break
anything, we'll just claim it's because we're extra secure".

The thing is a joke, and they are clowns. When they started
talking about people taking advantage of them, I stopped
trying to be polite about their bullshit.

Their patches are pure garbage.

Linus
"

> If anyone with safety knowledge can help me. Or is there any support company.
> 
> Thank you very much, Roberto

For someone who knows little, you sure are installing too many things.
Here is some general advice, but do not take this for granted, it is
based on personal opinion after all, and I'm not a security expert, though
I did read what a few of those have to say about security in Linux.

1. Firewall. If you are connected to the net and use some services you
really want it. Choose a simple one, like gufw. That is a front end for ufw
( uncomplicated firewall ) and will serve your needs well. If you want
something more secure, but really more complicated, you will have to
learn iptables.

2. Always keep your system updated with the latest security patches. So, do
your daily routine of apt-get update && apt-get upgrade. Even apt-get
dist-upgrade, in case of need.

3. apparmor can help to mitigate risks of some exploits and is easier to
setup than selinux.

4. Use some tools that can help you detect potential rootkits. So, learn
how to use rkhunter, chkrootkit and some intrusion detection tools,
like aide, or tripwire. Also some network based intrusion detection
tools like Snort, or Suricata.

5. If you use ssh, disable root login, disable logging in with passwords,
use a pair of keys. While we are on the root account, if someone else can
physically access your comp, you should disable it too and use sudo. But
it is not necessary and will not increase your security as a standalone
solution in cases where someone can poke your comp freely. For further
reading about restricting the root account: 
https://www.centos.org/docs/5/html/5.1/Deployment_Guide/s2-wstation-privileges-noroot.html

6. Just in case you are connected to some Windows-based machines,
you can install and use clamav. But it will not protect you personally,
it will just make you a better neighbour.

7. Oh, yes, a secure password is a good thing to have too. Do not use your
name, your family names, your dog's name, nor anything that can be
connected to you, or is susceptible to dictionary attacks. You can
install some tool like John the Ripper to check if your password is weak.

8. Encrypt your data and use backups.

9. Do a lot of reading about all that, practice a bit and do not put
high hopes in paying someone to protect you. If you do not know what
you are doing, no one can babysit you 24 hours a day.

10. I'm sure that there is more and that some people around can tell
you more, but a complete guide to security is hard to get on this list, or
in some forums. There are some books around about that subject, written
by people that know lots and can present it better than I can. Again, it
requires lots of reading, research and practicing. And no one can do it
for you. If you want to be more secure, then you must get "advanced
knowledge".

Hope that this can help you a bit.
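
Point 5 above (no root login over ssh, no password logins, keys only) can be checked against a config file. The script below is an added example, not part of the original post; the function names are its own and the sample config is constructed.

```shell
#!/bin/sh
# Audit the global section of an sshd_config for the settings in point 5.
# Read-only: the file is parsed, nothing is changed.

# effective_value FILE KEYWORD
# Prints the first value set for KEYWORD before any "Match" block
# (lower-cased), or "unset". sshd uses the first value it obtains for a
# keyword, and keywords are case-insensitive.
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # keyword and value are separated by whitespace or "="
            split(line, f, /[ \t]*=[ \t]*|[ \t]+/)
            key = tolower(f[1])
            if (key == "match") exit             # conditional overrides start
            if (key == want) { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd FILE
# Prints one line per setting; the return status is the number of findings.
audit_sshd() {
    findings=0
    for check in permitrootlogin:no passwordauthentication:no \
                 pubkeyauthentication:yes; do
        key=${check%%:*}
        want=${check#*:}
        val=$(effective_value "$1" "$key")
        # PubkeyAuthentication defaults to yes, so leaving it unset is fine.
        # The other two are flagged when unset: their effective value then
        # depends on the defaults of the installed OpenSSH version.
        if [ "$key" = pubkeyauthentication ] && [ "$val" = unset ]; then
            val=yes
        fi
        if [ "$val" = "$want" ]; then
            echo "ok       $key $val"
        else
            echo "FINDING  $key is '$val', expected '$want'"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample config, not taken from a real host.
constructed_config() {
    cat <<'EOF'
# constructed sample
Port 22
permitrootlogin without-password
PasswordAuthentication yes
# the next line has no effect: the first value above already won
PasswordAuthentication no
Match User backup
    PermitRootLogin no
EOF
}

sample=$(mktemp)
constructed_config > "$sample"
audit_sshd "$sample" || echo "findings: $?"
rm -f "$sample"
```

On a real host the argument would be /etc/ssh/sshd_config; settings inside Match blocks are deliberately not evaluated here.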






Re: Security hole in LXDE?

2017-03-25 Thread cbannister
On Mon, Feb 27, 2017 at 09:00:15PM +1100, Davor Balder wrote:
> Hi Hans,
> 
> Question 1 which one: stable, testing or unstable?

IMHO if it's not stated then stable is to be assumed.

Users who run testing/sid are generally expected to have
some degree of troubleshooting knowledge (the clue is in the
name.) Unfortunately, it appears that bad advice is given to
run testing or sid just because a user wants a later version
of a piece of software.

So sure, if a user is running testing/sid then you'd expect
that it would be stated early on in the post and that the
user has a reasonable amount of troubleshooting knowledge, and
has therefore experienced a 'special' case that someone else
may have a clue about.

So in a nutshell, only experienced users should be running
testing/sid and therefore any posts where the dist isn't
mentioned should be assumed that the user is running stable.

-- 
The media's the most powerful entity on earth. 
They have the power to make the innocent guilty 
and to make the guilty innocent, and that's power.
 -- Malcolm X



Re: [SOLVED] Re: Security hole in LXDE?

2017-03-07 Thread Brian
On Tue 07 Mar 2017 at 09:05:03 +0100, to...@tuxteam.de wrote:

> On Mon, Mar 06, 2017 at 08:53:39PM +, Brian wrote:
> 
> [...]
> 
> > I'll reconstruct my previous response. If there is no root password,
> 
> (a bad idea, see my other post)
> 
> > sudo is installed and the "first user" is put into the sudo group.
> 
> I've no proof for that, but yes, that corresponds to my experience
> (in a somewhat fuzzy, mushy sense).

Obtain the proof, then. I'll mention the user-setup-udeb package again.

-- 
Brian.



Re: [SOLVED] Re: Security hole in LXDE?

2017-03-07 Thread tomas
On Mon, Mar 06, 2017 at 08:53:39PM +, Brian wrote:

[...]

> I'll reconstruct my previous response. If there is no root password,

(a bad idea, see my other post)

> sudo is installed and the "first user" is put into the sudo group.

I've no proof for that, but yes, that corresponds to my experience
(in a somewhat fuzzy, mushy sense).

Regards
-- tomás



Re: [SOLVED] Re: Security hole in LXDE?

2017-03-07 Thread tomas
On Mon, Mar 06, 2017 at 08:58:25PM +, Joe wrote:

[...]

> A member of the sudo group has permanent root privileges. He might as
> well simply login as root every day, and not bother with another user.

Sorry, I've to disagree. It's a question of ergonomics. To some people
(maybe not for you, and that's fine) it does make a difference to have
to invoke sudo and being prompted for a password (e.g. raise the level
of awareness, notice when an obscure app is trying to gain privileges,
whatever).

I switched from a su oriented setup to a sudo oriented setup many moons
ago and the ergonomy WorksForMe.

Stating things in as an absolute way as you did above is almost always
wrong. Or: All generalizations suck ;-)

> My understanding of the use of the sudo group was for multiple server
> admins, not workstation users.

Why that?

My only beef with the general exodus to sudo is that some (I think
the first was Ubuntu) thought you could do away with root password.
Until... you are in front of a box where the root file system check
failed and it prompts you for the root password for rescue. Sudo?
HAH.

Again: all absolutes are wrong, as I said :-)

regards
-- t



Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Joe
On Mon, 6 Mar 2017 20:47:50 + (UTC)
Curt  wrote:

> On 2017-03-06, Joe  wrote:
> >
> > Who said anything about lpadmin? The question is about the wisdom of
> > automatically including someone in the sudo group, which in a
> > default Debian sudoers file, gives full root privileges to
> > everything, using the user's password.
> >
> > We have someone saying this happens, someone else saying it
> > doesn't, I don't know as I haven't done a recent installation, and
> > the thread was started by someone who says it did happen to him.
> >  
> 
> I've only used the installer up to and including Wheezy and have
> always created a root password. But if I hadn't (created a root
> password) then I suppose I would've been included in the sudo group
> with full administrative privileges. If not, how would or does the
> person installing the OS (who is therefore, ipso facto, IMO, the
> administrator of the machine) do anything administratively? And what
> difference would it make security-wise to put the "first user" in the
> sudo group when she or he could have gotten there anyway by simply
> creating a root password and foregoing sudo altogether? Or am I being
> stupid here, missing something obvious?
> 

A member of the sudo group has permanent root privileges. He might as
well simply login as root every day, and not bother with another user.

My understanding of the use of the sudo group was for multiple server
admins, not workstation users.

-- 
Joe



Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Brian
On Mon 06 Mar 2017 at 19:57:25 +, Joe wrote:

> On Mon, 6 Mar 2017 19:36:40 +
> Brian  wrote:
> 
> > On Mon 06 Mar 2017 at 18:59:18 +, Joe wrote:
> > 
> > > On Mon, 6 Mar 2017 13:40:45 -0500
> > > Greg Wooledge  wrote:
> > >   
> > > > On Mon, Mar 06, 2017 at 06:31:46PM +, Joe wrote:  
> > > > > Debian appears to use the group 'sudo' as an administrative
> > > > > group, where some other distributions use 'wheel'.
> > > > > 
> > > > > I would not have thought that users would be added to it by
> > > > > default, there are no members on my sid/xfce4 workstation.
> > > > > Indeed, up to Jessie, sudo was not installed at all by default,
> > > > > and may still not be.
> > > > 
> > > > If you use the regular Debian installer, the user account that you
> > > > create during installation gets added to a lot of these special
> > > > groups (sudo, cdrom, floppy, audio, video, ...?).  Users that you
> > > > create post-installation using adduser or useradd do not.
> > > >   
> > > 
> > > New behaviour, then, my current sid was installed as wheezy, I added
> > > sudo manually early on, but as it was not installed by default, it
> > > would not have added the installing user to a sudo group. I'm
> > > certainly not a member of that group, and have no wish to be.  
> > 
> > The "first user" is not in the sudo group. The place to check this
> > is the templates file in the user-setup-udeb package.
> >  
> > > Possibly I'm missing something, but doesn't this repeat the Windows
> > > mistake of automatically giving the user admin privileges? Isn't
> > > that the main reason for the existence of so many Windows viruses?  
> > 
> > Look at it this way. The "first user" wishes to set up a printer. Is
> > it better for the user to be granted very limited privileges by being
> > in the lpadmin group or to become root to carry out the task?
> > 
> 
> Who said anything about lpadmin? The question is about the wisdom of
> automatically including someone in the sudo group, which in a default
> Debian sudoers file, gives full root privileges to everything, using the
> user's password.
>
> We have someone saying this happens, someone else saying it doesn't, I
> don't know as I haven't done a recent installation, and the thread was
> started by someone who says it did happen to him.

I'll reconstruct my previous response. If there is no root password,
sudo is installed and the "first user" is put into the sudo group.

-- 
Brian.
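
The question argued over in this thread, which accounts end up with full root rights through the sudo group, can be answered on a given machine from three files. The script below is an added example, not part of the thread; the file contents are constructed samples, and only the rule shape of the default `%sudo ALL=(ALL:ALL) ALL` line and its NOPASSWD variant is recognised (an assumption, other sudoers syntax is not parsed).

```shell
#!/bin/sh
# List accounts that can become root through an unrestricted group rule in
# sudoers. Works on copies of the files; nothing is modified.

# full_sudo_users SUDOERS GROUP PASSWD
full_sudo_users() {
    # 1. Groups with an unrestricted rule such as "%sudo ALL=(ALL:ALL) ALL",
    #    optionally carrying a NOPASSWD: tag. Restricted rules are skipped.
    groups=$(awk '
        $1 ~ /^%/ && $2 ~ /^ALL=\(ALL(:ALL)?\)$/ &&
        (($3 == "ALL" && NF == 3) ||
         ($3 == "NOPASSWD:" && $4 == "ALL" && NF == 4)) {
            print substr($1, 2)
        }' "$1" | tr '\n' ' ')

    # 2. Members listed in group(5), plus accounts whose primary GID in
    #    passwd(5) is one of those groups.
    awk -F: -v wanted="$groups" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) grp[w[i]] = 1 }
        FNR == NR {                              # first file: group
            if ($1 in grp) {
                gid[$3] = 1
                m = split($4, u, ",")
                for (i = 1; i <= m; i++) if (u[i] != "") print u[i]
            }
            next
        }
        ($4 in gid) { print $1 }                 # second file: passwd
    ' "$2" "$3" | sort -u
}

# Constructed sample files (not from a real system) in a temp directory.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'Defaults env_reset' 'root ALL=(ALL:ALL) ALL' \
        '%sudo ALL=(ALL:ALL) ALL' \
        '%backup ALL=(root) /usr/bin/rsync' > "$d/sudoers"
    printf '%s\n' 'root:x:0:' 'sudo:x:27:alice' 'backup:x:34:bob' \
        'lpadmin:x:108:alice,bob' > "$d/group"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000:first user:/home/alice:/bin/bash' \
        'bob:x:1001:1001:added with adduser:/home/bob:/bin/bash' \
        'carol:x:1002:27:primary group is sudo:/home/carol:/bin/bash' \
        > "$d/passwd"
    echo "$d"
}

d=$(make_sample)
full_sudo_users "$d/sudoers" "$d/group" "$d/passwd"
rm -rf "$d"
```

On a live system, `getent group` and `getent passwd` output can be saved to files and passed in place of the samples, which also covers accounts that come from a directory service.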



Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Curt
On 2017-03-06, Joe  wrote:
>
> Who said anything about lpadmin? The question is about the wisdom of
> automatically including someone in the sudo group, which in a default
> Debian sudoers file, gives full root privileges to everything, using the
> user's password.
>
> We have someone saying this happens, someone else saying it doesn't, I
> don't know as I haven't done a recent installation, and the thread was
> started by someone who says it did happen to him.
>

I've only used the installer up to and including Wheezy and have always
created a root password. But if I hadn't (created a root password) then
I suppose I would've been included in the sudo group with full
administrative privileges. If not, how would or does the person
installing the OS (who is therefore, ipso facto, IMO, the administrator
of the machine) do anything administratively? And what difference would
it make security-wise to put the "first user" in the sudo group when she
or he could have gotten there anyway by simply creating a root password
and foregoing sudo altogether? Or am I being stupid here, missing
something obvious?

-- 
"It might be a vision--of a shell, of a wheelbarrow, of a fairy kingdom on the
far side of the hedge; or it might be the glory of speed; no one knew." --Mrs.
Ramsay, speculating on why her little daughter might be dashing about, in "To
the Lighthouse," by Virginia Woolf.



Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Joe
On Mon, 6 Mar 2017 19:36:40 +
Brian  wrote:

> On Mon 06 Mar 2017 at 18:59:18 +, Joe wrote:
> 
> > On Mon, 6 Mar 2017 13:40:45 -0500
> > Greg Wooledge  wrote:
> >   
> > > On Mon, Mar 06, 2017 at 06:31:46PM +, Joe wrote:  
> > > > Debian appears to use the group 'sudo' as an administrative
> > > > group, where some other distributions use 'wheel'.
> > > > 
> > > > I would not have thought that users would be added to it by
> > > > default, there are no members on my sid/xfce4 workstation.
> > > > Indeed, up to Jessie, sudo was not installed at all by default,
> > > > and may still not be.
> > > 
> > > If you use the regular Debian installer, the user account that you
> > > create during installation gets added to a lot of these special
> > > groups (sudo, cdrom, floppy, audio, video, ...?).  Users that you
> > > create post-installation using adduser or useradd do not.
> > >   
> > 
> > New behaviour, then, my current sid was installed as wheezy, I added
> > sudo manually early on, but as it was not installed by default, it
> > would not have added the installing user to a sudo group. I'm
> > certainly not a member of that group, and have no wish to be.  
> 
> The "first user" is not in the sudo group. The place to check this
> is the templates file in the user-setup-udeb package.
>  
> > Possibly I'm missing something, but doesn't this repeat the Windows
> > mistake of automatically giving the user admin privileges? Isn't
> > that the main reason for the existence of so many Windows viruses?  
> 
> Look at it this way. The "first user" wishes to set up a printer. Is
> it better for the user to be granted very limited privileges by being
> in the lpadmin group or to become root to carry out the task?
> 

Who said anything about lpadmin? The question is about the wisdom of
automatically including someone in the sudo group, which in a default
Debian sudoers file, gives full root privileges to everything, using the
user's password.

We have someone saying this happens, someone else saying it doesn't, I
don't know as I haven't done a recent installation, and the thread was
started by someone who says it did happen to him.

-- 
Joe



Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread GiaThnYgeia
Greg Wooledge:
> On Mon, Mar 06, 2017 at 06:31:46PM +, Joe wrote:
>> Debian appears to use the group 'sudo' as an administrative group,
>> where some other distributions use 'wheel'.
>>
>> I would not have thought that users would be added to it by default,
>> there are no members on my sid/xfce4 workstation. Indeed, up to Jessie,
>> sudo was not installed at all by default, and may still not be.
> 
> If you use the regular Debian installer, the user account that you
> create during installation gets added to a lot of these special groups
> (sudo, cdrom, floppy, audio, video, ...?).  Users that you create
> post-installation using adduser or useradd do not.

On a Debian-lxde installer you are asked for a root pass and then a
username/pass.
As I remember, before you manually add a user in the user group the sudo
command results in an error.  Before I figured it out I had to use su
instead and any admin-package required user:root and pass to run.  After
adding a user in the sudo list all such packages ask for the user's
pass.  I think it is a sensible policy.

-- 
 "The most violent element in society is ignorance" rEG



Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Brian
On Mon 06 Mar 2017 at 18:59:18 +, Joe wrote:

> On Mon, 6 Mar 2017 13:40:45 -0500
> Greg Wooledge  wrote:
> 
> > On Mon, Mar 06, 2017 at 06:31:46PM +, Joe wrote:
> > > Debian appears to use the group 'sudo' as an administrative group,
> > > where some other distributions use 'wheel'.
> > > 
> > > I would not have thought that users would be added to it by default,
> > > there are no members on my sid/xfce4 workstation. Indeed, up to
> > > Jessie, sudo was not installed at all by default, and may still not
> > > be.  
> > 
> > If you use the regular Debian installer, the user account that you
> > create during installation gets added to a lot of these special groups
> > (sudo, cdrom, floppy, audio, video, ...?).  Users that you create
> > post-installation using adduser or useradd do not.
> > 
> 
> New behaviour, then, my current sid was installed as wheezy, I added
> sudo manually early on, but as it was not installed by default, it
> would not have added the installing user to a sudo group. I'm certainly
> not a member of that group, and have no wish to be.

The "first user" is not in the sudo group. The place to check this
is the templates file in the user-setup-udeb package.
 
> Possibly I'm missing something, but doesn't this repeat the Windows
> mistake of automatically giving the user admin privileges? Isn't that
> the main reason for the existence of so many Windows viruses?

Look at it this way. The "first user" wishes to set up a printer. Is
it better for the user to be granted very limited privileges by being
in the lpadmin group or to become root to carry out the task?

-- 
Brian.



Re: [SOLVED] Re: Security hole in LXDE?

2017-03-06 Thread Joe
On Mon, 6 Mar 2017 13:40:45 -0500
Greg Wooledge  wrote:

> On Mon, Mar 06, 2017 at 06:31:46PM +, Joe wrote:
> > Debian appears to use the group 'sudo' as an administrative group,
> > where some other distributions use 'wheel'.
> > 
> > I would not have thought that users would be added to it by default,
> > there are no members on my sid/xfce4 workstation. Indeed, up to
> > Jessie, sudo was not installed at all by default, and may still not
> > be.  
> 
> If you use the regular Debian installer, the user account that you
> create during installation gets added to a lot of these special groups
> (sudo, cdrom, floppy, audio, video, ...?).  Users that you create
> post-installation using adduser or useradd do not.
> 

New behaviour, then, my current sid was installed as wheezy, I added
sudo manually early on, but as it was not installed by default, it
would not have added the installing user to a sudo group. I'm certainly
not a member of that group, and have no wish to be.

Possibly I'm missing something, but doesn't this repeat the Windows
mistake of automatically giving the user admin privileges? Isn't that
the main reason for the existence of so many Windows viruses?

-- 
Joe


