Re: [SECURITY] [DSA 2972-1] linux security update
Thank you, S. B., very much. Now all I have to do is buy a new PC. Thanks again, dth

On Sun, Jul 6, 2014 at 9:16 AM, Salvatore Bonaccorso car...@debian.org wrote:

> -------------------------------------------------------------------------
> Debian Security Advisory DSA-2972-1                   secur...@debian.org
> http://www.debian.org/security/                     Salvatore Bonaccorso
> July 06, 2014                          http://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : linux
> CVE ID         : CVE-2014-4699
>
> Andy Lutomirski discovered that the ptrace syscall was not verifying the
> RIP register to be valid in the ptrace API on x86_64 processors. An
> unprivileged user could use this flaw to crash the kernel (resulting in
> denial of service) or for privilege escalation.
>
> For the stable distribution (wheezy), this problem has been fixed in
> version 3.2.60-1+deb7u1. In addition, this update contains several
> bugfixes originally targeted for the upcoming Wheezy point release.
>
> For the unstable distribution (sid), this problem will be fixed soon.
>
> We recommend that you upgrade your linux packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org

--
To UNSUBSCRIBE, email to debian-security-announce-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/e1x3p6s-0001vj...@master.debian.org
UNSUBSCRIBE
THX

Message of: 08/07/2014 23:34
From: Salvatore Bonaccorso car...@debian.org
To: debian-security-annou...@lists.debian.org
Cc:
Subject: [SECURITY] [DSA 2974-1] php5 security update

> -------------------------------------------------------------------------
> Debian Security Advisory DSA-2974-1                   secur...@debian.org
> http://www.debian.org/security/                     Salvatore Bonaccorso
> July 08, 2014                          http://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : php5
> CVE ID         : CVE-2014-0207 CVE-2014-3478 CVE-2014-3479 CVE-2014-3480
>                  CVE-2014-3487 CVE-2014-3515 CVE-2014-4721
>
> Several vulnerabilities were found in PHP, a general-purpose scripting
> language commonly used for web application development. The Common
> Vulnerabilities and Exposures project identifies the following problems:
>
> CVE-2014-0207
>     Francisco Alonso of the Red Hat Security Response Team reported an
>     incorrect boundary check in the cdf_read_short_sector() function.
>
> CVE-2014-3478
>     Francisco Alonso of the Red Hat Security Response Team discovered a
>     flaw in the way the truncated pascal string size in the mconvert()
>     function is computed.
>
> CVE-2014-3479
>     Francisco Alonso of the Red Hat Security Response Team reported an
>     incorrect boundary check in the cdf_check_stream_offset() function.
>
> CVE-2014-3480
>     Francisco Alonso of the Red Hat Security Response Team reported an
>     insufficient boundary check in the cdf_count_chain() function.
>
> CVE-2014-3487
>     Francisco Alonso of the Red Hat Security Response Team discovered an
>     incorrect boundary check in the cdf_read_property_info() function.
>
> CVE-2014-3515
>     Stefan Esser discovered that the ArrayObject and the SPLObjectStorage
>     unserialize() handler do not verify the type of unserialized data
>     before using it. A remote attacker could use this flaw to execute
>     arbitrary code.
>
> CVE-2014-4721
>     Stefan Esser discovered a type confusion issue affecting phpinfo(),
>     which might allow an attacker to obtain sensitive information from
>     process memory.
>
> For the stable distribution (wheezy), these problems have been fixed in
> version 5.4.4-14+deb7u12. In addition, this update contains several
> bugfixes originally targeted for the upcoming Wheezy point release.
>
> For the testing distribution (jessie), these problems have been fixed in
> version 5.6.0~rc2+dfsg-1.
>
> For the unstable distribution (sid), these problems have been fixed in
> version 5.6.0~rc2+dfsg-1.
>
> We recommend that you upgrade your php5 packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org

Archive: https://lists.debian.org/e1x4d2d-0008tu...@master.debian.org
Re: concrete steps for improving apt downloading security and privacy
For years I have been concerned with MITM attacks on Debian mirrors. I think the only valid solution would be to individually sign EACH package with a valid GPG signature from a trusted source. I think EACH official package from Debian should be GPG signed by both package maintainers and also signed by official Debian release people.

For example... What is secure about this download link?

http://cdimage.debian.org/debian-cd/7.5.0/i386/iso-cd/debian-7.5.0-i386-netinst.iso

Sure, I can also download and check the signatures from here:

http://cdimage.debian.org/debian-cd/7.5.0/i386/iso-cd/

However, what if http://cdimage.debian.org/ is actually an NSA mirror site and not the real one? Let's say that I want to download anything from http://cdimage.debian.org/debian-cd/7.5.0/amd64/iso-cd/. My downloader resolves http://cdimage.debian.org/ to an NSA mirror site through DNS cache poisoning or some other means. So, whatever I am downloading is already compromised. All signatures are valid but are from the NSA. So there is no way for me to actually check that I have downloaded valid files if everything that I see is actually faked!

If I go edit the apt sources list and manage to get an actual real Debian server update, then apt tells me that all packages available to download are security compromised. Or let's say that I get a real install ISO disc and then later on my apt mirror site is redirected to an NSA mirror. Apt will tell me that all packages available to download are security compromised.

One of the two scenarios above has actually happened to me!!! I don't know if it is actually the NSA but it DID happen to me. Aptitude was telling me that every single package available for download was compromised! Think about this for a minute.

If my ISP or upstream provider is secretly cooperating with the NSA and the NSA wants to compromise my machine, they can make it so that everything that I download is through an NSA source! *Remember, the NSA can create VALID SSL certificates for any website on the fly.* Your web browser trusts many certificate authorities, and which ones are cooperating with the NSA?

So how can we really be sure that our Debian install has not been compromised from the beginning?

On Thu, Jul 3, 2014 at 8:44 PM, Hans-Christoph Steiner h...@at.or.at wrote:

> After the latest revelation about NSA tracking all Tor downloads[1] (with source code!) and the whole Debian mirrors and MITM redux, I think we should start talking about concrete steps that we can take to improve the situation. The first things that came to mind would be quite easy to do:
>
> * include apt-transport-https by default in Debian
> * include existing HTTPS mirrors wherever Debian mirrors are listed
>   * https://www.debian.org/mirror/list
>   * netselect-apt
>   * http://http.debian.net/
>   * apt-get's mirror://
> * make http://cdn.debian.net/ have an only-HTTPS version
> * encourage mirror operators to set up a Tor Hidden Service
>
> There is already a good collection of HTTPS mirrors to choose from (not counting all the ones that have HTTPS enabled without a proper certificate).
>
> https://mirror.i3d.net/pub/debian/
> https://mirror.cpsc.ucalgary.ca/mirror/debian.org/debian/
> https://mirror.cse.unsw.edu.au/debian/
> https://mirrors.kernel.org/debian/
> https://the.earth.li/debian/
> https://mirror.vorboss.net/debian/
> https://ftp.arnes.si/pub/packages/debian/
> https://ftp.iitm.ac.in/debian/
> https://ftp.uni-erlangen.de/debian/
> https://ftp-stud.hs-esslingen.de/debian/
> https://mirrors.ustc.edu.cn/debian/
> https://mirror.cpsc.ucalgary.ca/mirror/debian.org/debian/
> https://dennou-q.gfd-dennou.org/debian/
> https://dennou-k.gfd-dennou.org/debian/
> https://dennou-h.gfd-dennou.org/debian/
>
> .hc
>
> [1] http://daserste.ndr.de/panorama/aktuell/nsa230_page-1.html
>
> Archive: https://lists.debian.org/53b6150a.3000...@at.or.at
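The mechanism behind both messages above is worth seeing concretely. apt does not trust the mirror or the transport: the archive signs one file, Release (or InRelease), with the key shipped in debian-archive-keyring on the install media; Release lists the SHA256 and size of every Packages index; each Packages stanza lists the SHA256 and size of its .deb. A mirror that swaps a .deb, or rewrites Packages to cover the swap, breaks that chain one level up, and the "all packages untrusted" warning is what a client shows when the Release it fetched does not verify against the keys it already holds. HTTPS mirrors, as proposed in the quoted message, add privacy and raise the cost of tampering in transit, but integrity comes from this chain. The block below is an added example written for this page, not apt's code: it implements the hash chain below the signature and shows a genuine mirror passing and two tampered ones failing. The GPG check of Release itself (what apt does with gpgv against /etc/apt/trusted.gpg.d) is assumed to have already passed and is not implemented here; the mirror contents, package names and hashes are constructed inline.

```python
"""apt's integrity chain: signed Release -> Packages index -> .deb, re-implemented
as a hash-only check. Added example, not apt's code. The GPG verification of
Release (gpgv against the archive keys in /etc/apt/trusted.gpg.d) is assumed
to have passed already; everything below the signature is a chain of SHA256s."""
import hashlib
import hmac


def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the 'SHA256:' section of a Release file."""
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new 'Field:' line ends the section
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            parts = line.split()
            if len(parts) == 3:
                digest, size, path = parts
                entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text):
    """Return {Filename: (sha256_hex, size)} from the stanzas of a Packages index."""
    out = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "Filename" in fields:
            out[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return out


def _matches(data, digest, size):
    """Size check plus constant-time digest comparison against the expected entry."""
    return len(data) == size and hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest)


def verify_chain(release_text, index_path, packages_bytes, deb_path, deb_bytes):
    """Walk the chain and return (ok, reason); any break means the package is refused."""
    release = parse_release_sha256(release_text)
    if index_path not in release:
        return False, "index not listed in Release"
    if not _matches(packages_bytes, *release[index_path]):
        return False, "Packages index does not match Release"
    packages = parse_packages(packages_bytes.decode())
    if deb_path not in packages:
        return False, ".deb not listed in Packages"
    if not _matches(deb_bytes, *packages[deb_path]):
        return False, ".deb does not match Packages"
    return True, "ok"


def build_sample_mirror():
    """Constructed stand-in for a mirror: one .deb, its Packages index and a Release
    file, with the hashes computed here the way the archive tooling computes them."""
    deb_path = "pool/main/l/linux/linux-image-3.2.0-4-amd64_3.2.60-1+deb7u1_amd64.deb"
    deb = b"constructed stand-in for the .deb contents\n"
    packages = (
        "Package: linux-image-3.2.0-4-amd64\nVersion: 3.2.60-1+deb7u1\nArchitecture: amd64\n"
        f"Filename: {deb_path}\nSize: {len(deb)}\nSHA256: {hashlib.sha256(deb).hexdigest()}\n\n"
    ).encode()
    index_path = "main/binary-amd64/Packages"
    release = (
        "Origin: Debian\nSuite: stable\nCodename: wheezy\nSHA256:\n"
        f" {hashlib.sha256(packages).hexdigest()} {len(packages)} {index_path}\n"
    )
    return release, index_path, packages, deb_path, deb


def demo():
    """Genuine mirror passes; a swapped .deb fails; a Packages index rewritten to cover
    the swap fails one level up, because Release (and its signature) did not change."""
    release, index_path, packages, deb_path, deb = build_sample_mirror()
    evil_deb = deb + b"# extra payload\n"
    evil_packages = packages.replace(
        hashlib.sha256(deb).hexdigest().encode(), hashlib.sha256(evil_deb).hexdigest().encode()
    ).replace(f"Size: {len(deb)}".encode(), f"Size: {len(evil_deb)}".encode())
    return {
        "genuine": verify_chain(release, index_path, packages, deb_path, deb),
        "swapped_deb": verify_chain(release, index_path, packages, deb_path, evil_deb),
        "rewritten_index": verify_chain(release, index_path, evil_packages, deb_path, evil_deb),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:16} {'OK' if ok else 'REJECT'}: {reason}")
```

The attacker in the "NSA mirror" scenario can serve a Release signed with a key of their own, but that key is not in the keyring the client installed from its media, so the signature step fails before any of these hashes are consulted. What this chain does not cover is the first download of the install media itself; that trust path (the signed SHA512SUMS on cdimage.debian.org and the keys that sign them) is the part the thread keeps pointing back to.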
Re: concrete steps for improving apt downloading security and privacy
On Wed, Jul 9, 2014 at 10:11 PM, Michael Stone mst...@debian.org wrote:

> On Wed, Jul 09, 2014 at 06:29:09PM -0600, Kitty Cat wrote:
>> For years I have been concerned with MITM attacks on Debian mirrors.
>
> We discussed this literally within the past couple of months on this list, at length. Have you read the archives, including the posts about how to establish a trust path to the ISOs?

It would be nice for this information to be somewhere more formal than in mailing list archives. Threat models are becoming increasingly important to convey to end users.

--
Darius Jahandarie

Archive: https://lists.debian.org/cafanwtwqzfcvnb9ozm1wmccmzytvpjbtot4om9w+bf9anpc...@mail.gmail.com
Re: concrete steps for improving apt downloading security and privacy
On Wed, Jul 09, 2014 at 06:29:09PM -0600, Kitty Cat wrote:
> For years I have been concerned with MITM attacks on Debian mirrors.

We discussed this literally within the past couple of months on this list, at length. Have you read the archives, including the posts about how to establish a trust path to the ISOs?

Mike Stone

Archive: https://lists.debian.org/20140710021124.ga27...@mathom.us
Re: concrete steps for improving apt downloading security and privacy
On Wed, Jul 09, 2014 at 10:15:59PM -0400, Darius Jahandarie wrote:
> It would be nice for this information to be somewhere more formal than in mailing list archives. Threat models are becoming increasingly important to convey to end users.

The mailing list discussion referenced the sources...

Archive: https://lists.debian.org/44b71312-07dd-11e4-8a0a-00163eeb5...@msgid.mathom.us
Re: concrete steps for improving apt downloading security and privacy
On Wed, Jul 9, 2014 at 10:53 PM, Michael Stone mst...@debian.org wrote:

> On Wed, Jul 09, 2014 at 10:15:59PM -0400, Darius Jahandarie wrote:
>> It would be nice for this information to be somewhere more formal than in mailing list archives. Threat models are becoming increasingly important to convey to end users.
>
> The mailing list discussion referenced the sources...

What I mean by "more formal" can be approximated by "discoverable by searching 'debian security' on Google and clicking on the first link".

If Tux Q. Debiannewbie doesn't know what adversaries with what powers they are/aren't protected against for their use cases without looking hard and being a security expert, it's hard to make serious claims that Debian is actually protecting its users.

(Halting the endless discussion loops on debian-security@ is just a nice side effect of fixing the actual problem.)

--
Darius Jahandarie

Archive: https://lists.debian.org/cafanwtvwpq8qxoj+yyn_nhpxymq4hoazn58oo5etcquzoke...@mail.gmail.com
Re: concrete steps for improving apt downloading security and privacy
On Wed, Jul 09, 2014 at 11:11:44PM -0400, Darius Jahandarie wrote:
> If Tux Q. Debiannewbie doesn't know what adversaries with what powers they are/aren't protected against for their use cases without looking hard and being a security expert, it's hard to make serious claims that Debian is actually protecting its users.

I frankly find it hard to believe that someone who is unwilling to click past the first link when researching actually cares much about any kind of writeup of threat models. I'll make it simple: if you're completely unsophisticated and worried about a government hijacking your linux distribution to spy on you, there's nothing debian can do to help you. If you're low profile and uninteresting, the government doesn't care about you. If you're actually being targeted by well funded and sophisticated adversaries, they're going to get you unless you put a heck of a lot more effort in than clicking on the first link.

Mike Stone

Archive: https://lists.debian.org/efdda2b2-07e0-11e4-bd13-00163eeb5...@msgid.mathom.us
Re: concrete steps for improving apt downloading security and privacy
On Wed, Jul 9, 2014 at 11:23 PM, Michael Stone mst...@debian.org wrote:

> I frankly find it hard to believe that someone who is unwilling to click past the first link when researching actually cares much about any kind of writeup of threat models. I'll make it simple: if you're completely unsophisticated and worried about a government hijacking your linux distribution to spy on you, there's nothing debian can do to help you. If you're low profile and uninteresting, the government doesn't care about you. If you're actually being targeted by well funded and sophisticated adversaries, they're going to get you unless you put a heck of a lot more effort in than clicking on the first link.

Someone who is unwilling to click past the first link /now/ may become very willing to continue clicking once they read it. "Debian will not protect you against nation-state adversaries" is a very useful bit of information for many non-technical activists, which often leads to the questions:

* Why? (what powers can they use to subvert existing protections?)
* What /does/ protect you? (what new protections need I put in place such that those powers cannot subvert them?)

It would be lovely to have the answers nearby.

--
Darius Jahandarie

Archive: https://lists.debian.org/CAFANWtVc1URqiCiOBYBpxEDUyWh8Qn0sf_=esqt3x9bu3u_...@mail.gmail.com
Re: concrete steps for improving apt downloading security and privacy
Thanks. I'm new here. I was not on this list then. However, I just read the thread:

https://lists.debian.org/debian-security/2011/01/msg2.html

I saw that some of my concerns were mentioned there about obtaining and verifying installation media, MITM attacks, etc.

I have previously verified installation media via the methods described in the FAQ, downloading GPG keys, etc., and still had an issue of having aptitude telling me that all available packages are from untrusted sources. (This was some years ago when I had this issue.) I seem to remember being offered security updates for the kernel, OpenSSL, SSH, etc. where my only option was to download untrusted packages. I would get warning messages from aptitude about installing security updates.

Maybe there should be written a document that describes in detail, in easy to understand language, what steps to take to verify keys and verify that apt has not been compromised in an already installed system. And also verifying that GPG has not been compromised.

It is the job of the NSA to be able to compromise systems. We should make that task as difficult as possible at every level and also be able to easily verify that our system has not been corrupted. I think having a good guide to checking your installed Debian system would be of use. Particularly useful would be instructions to check to see if your system has been compromised by validating all already installed packages. MS Windows has an option to check installed Windows components.

Some relevant links that I have previously discovered:

https://wiki.debian.org/Keysigning
https://wiki.debian.org/Keysigning/Coordination
http://www.debian.org/CD/verify
http://www.debian.org/CD/faq/#verify

On Wed, Jul 9, 2014 at 8:11 PM, Michael Stone mst...@debian.org wrote:

> On Wed, Jul 09, 2014 at 06:29:09PM -0600, Kitty Cat wrote:
>> For years I have been concerned with MITM attacks on Debian mirrors.
>
> We discussed this literally within the past couple of months on this list, at length. Have you read the archives, including the posts about how to establish a trust path to the ISOs?
>
> Mike Stone
>
> Archive: https://lists.debian.org/20140710021124.ga27...@mathom.us
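The request above for a way to validate already-installed packages has a packaged answer on Debian: dpkg records an md5 for every file it unpacks in /var/lib/dpkg/info/<package>.md5sums, and the debsums tool walks those lists and reports files that have changed or gone missing since installation. The block below is an added example written for this page, not debsums' code: it parses that md5sums format and checks a directory tree against it, on a constructed fake root with one intact file, one file appended to after "installation" and one listed file that has been deleted. The paths and contents are made up for the demo. The caveat a practitioner needs: the md5sums come from inside the package, so a trojaned .deb carries sums that match its own payload and this check will not see it; it catches tampering after install, and MD5 here is a change detector, not a security boundary. For the stronger question ("is what is installed what the archive published?") re-fetch the .deb through the signed archive chain and compare its contents with the files on disk.

```python
"""Check installed files against the md5sums dpkg records per package
(/var/lib/dpkg/info/<package>.md5sums), the check the debsums tool automates.
Added example, not debsums' code. Paths and contents below are constructed."""
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse dpkg's md5sums format: 32 hex chars, two spaces, path relative to /."""
    entries = {}
    for line in text.splitlines():
        if len(line) > 34 and line[32:34] == "  ":
            entries[line[34:]] = line[:32].lower()
    return entries


def _md5_of_file(path):
    """Stream the file so large binaries do not get read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_installed_files(md5sums_text, root="/"):
    """Return {path: 'ok' | 'modified' | 'missing'} for every file the package recorded."""
    results = {}
    for rel, expected in parse_md5sums(md5sums_text).items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        elif _md5_of_file(full) == expected:
            results[rel] = "ok"
        else:
            results[rel] = "modified"
    return results


def demo():
    """Constructed fake root: one file left intact, one appended to after 'install',
    one recorded but deleted. Returns the per-file verdicts."""
    root = tempfile.mkdtemp(prefix="fakeroot-")
    shipped = {
        "usr/bin/example-tool": b"#!/bin/sh\necho ok\n",
        "usr/share/doc/example/README": b"sample README\n",
    }
    lines = []
    for rel, content in shipped.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
        lines.append(f"{hashlib.md5(content).hexdigest()}  {rel}")
    lines.append("0" * 32 + "  usr/lib/example/missing.so")   # recorded, absent on disk
    md5sums_text = "\n".join(lines) + "\n"

    with open(os.path.join(root, "usr/bin/example-tool"), "ab") as f:
        f.write(b"# appended after install\n")               # simulated tampering
    return check_installed_files(md5sums_text, root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9} {path}")
```

On a real system the same function would be called with the text of each /var/lib/dpkg/info/*.md5sums file and root="/"; conffiles under /etc are expected to differ and debsums skips them unless asked, which a production version of this check should do as well.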
External check
CVE-2012-2682: RESERVED
CVE-2014-0537: RESERVED
CVE-2014-0539: RESERVED
CVE-2014-3540: RESERVED
CVE-2014-4671: RESERVED
CVE-2014-4722: missing from list

--
The output might be a bit terse, but the above ids are known elsewhere; check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.

Archive: https://lists.debian.org/53bce569.+lzgbxp8zyhccqh3%atomo64+st...@gmail.com