CVE-2023-41105 not fixed in bookworm

2024-03-01 Thread Richard van den Berg

Dear security team,

May I ask why CVE-2023-41105 was marked as "(Minor issue)"[1]?

As the CVE description says there are plausible cases where this can 
lead to security issues.


There is a backport available for python 3.11 and it seems most other 
distros have patched this CVE.


Kind regards,

Richard van den Berg

1: https://security-tracker.debian.org/tracker/CVE-2023-41105



Re: What is the best free HIDS for Debian

2022-05-10 Thread Richard van den Berg

On 10/05/2022 05:37, Vitaly Krasheninnikov wrote:

> Thank you for debcheckroot. I think it is a great project, which makes us one
> step closer to a verifiable Debian system.
> In this particular case, I'd like to point out the exact flags from fileserror.lis that you showed
> us: "..._.GM" and "..._..M".
> According to the description on your website, it means the modification of the
> file permissions, not the actual content.

Thanks a lot for clarifying this. I found the interpretation of the 
results of debcheckroot at https://www.elstel.org/debcheckroot/


On 06/05/2022 15:52, Elmar Stellnberger wrote:

> On 06.05.22 at 15:05, Sylvain Sécherre wrote:
> > Here's the fileserror.lis:
> > ..._.GM /usr/bin/crontab cron_3.0pl1-137_amd64 root root 755
> > ..._..M /usr/bin/pkexec policykit-1_0.105-31+deb11u1_amd64 root root 755
> > ..._.GM /usr/bin/ssh-agent openssh-client_1:8.4p1-5_amd64 root root 755
> > ...
>
> I hope you won't mind that I am citing the output of debcheckroot
> you have given me.
> These three files point to an infection with a rootkit. Don't care
> about modified configuration files like in /etc too much (but you may
> still have a look at them). Executable files on the other hand must
> never be modified. If these three files are different it means that
> someone has altered your system. If you look at the man pages of these
> executables then you also know that a maker of a rootkit would have
> interest to modify exactly these files.


Since you are the author of the debcheckroot tool, why do you think that 
the G (group) and M (mode) flags indicate the content of the files were 
altered? Or did you make a mistake and forget what the output of 
debcheckroot actually means? If so, does this change your opinion that a 
rootkit is installed on this system?


Kind regards,

Richard



Re: /home/loser is with permissions 755, default umask 0022

2020-11-13 Thread Richard van den Berg

On 13-11-2020 08:18, Georgi Guninski wrote:

> Some more exploit vectors from the FD list:
> https://seclists.org/fulldisclosure/2020/Nov/13
>
> Partial results:
>
> 1. mutt (text email client) exposes ~/.mutt/muttrc,
> which might contain the imap password in plaintext.


Interesting find. Please report this to the mutt package maintainer 
using reportbug[1].




> 2. Some time ago on a multiuser debian mirror we found a lot of data,
> including the wordpress password of the admin.


As Giacomo already explained, there is nothing an OS can do to stop the 
insecure behavior of its users.




> 3. Anything created by EDITOR NEWFILE is readable, unless the directory
> prevents. This include root doing EDITOR /etc/NEWFILE


Yes, that is indeed the default. If you don't like it, you can change 
the system umask in /etc/login.defs or /etc/profile


Somehow I get the feeling you are using debian-security@lists.debian.org 
to report security issues with Debian. This is however just a 
discussion mailing list about Debian security. If you wish to report a 
serious security issue (which I did not find in your E-mails) you need 
to contact the Debian Security Team[2].


Kind regards,

Richard

[1]: https://wiki.debian.org/reportbug
[2]: https://www.debian.org/security/faq#contact




Re: vulnerability in 8.6

2016-11-07 Thread Richard van den Berg
On 7 Nov 2016, at 16:54, Ozgur wrote:
> 
> Linux 3.16.0-4-amd64 (Debian 8.6)
> 

Always test security vulnerabilities on a fully patched system. According to 
https://security-tracker.debian.org/tracker/CVE-2016-5195 this was fixed in 
version 3.16.36-1+deb2 of the linux package. 

 Kind regards,

Richard

DSA for CVE-2016-5696 (off-path blind TCP session attack)

2016-08-11 Thread Richard van den Berg

Dear Debian security team,

Will there be a DSA written for CVE-2016-5696 [1]? It looks pretty 
serious and I'd like to fix this on my systems ASAP.


Kind regards,

Richard van den Berg

[1] https://security-tracker.debian.org/tracker/CVE-2016-5696



Re: Unverifiable Signature on Debian Security Advisory Emails

2014-12-12 Thread Richard van den Berg
> You can also use the finger interface at db.debian.org:
>
>  finger seb/k...@db.debian.org

The 90's called: they want their finger back. ;-)  It seems RFC 1288 was
never updated for TLS support.
https://www.debian.org/events/keysigning points to
http://keyring.debian.org/ which should be the de facto place to look for
Debian PGP/GPG keys. It even mentions the finger interface.

-- Richard



Re: streql - Constant-time string comparison

2014-10-29 Thread Richard van den Berg
On 28-10-14 20:59, Riley Baird wrote:

> As far as I can tell, your code ensures that even if the strings are of
> different length, an equality calculation should be performed anyway,
> however returning 0, on the grounds that this would make it more
> difficult for an attacker to know that the two strings entered were of
> different lengths. Is this right?

Pardon my ignorance, but how much more difficult does it actually become
to determine the two inputs are of different length? In the original the
function returns right away if xlen != ylen. If the attacker can control
one of the inputs (say x), the change proposed by Joel will cause the
time of the compare to increment when xlen is increased until xlen ==
ylen. If this can be observed with enough precision the same objective
can be achieved.

-- Richard



--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/5450ab6e.1080...@vdberg.org
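A worked illustration of the length leak discussed in this thread, added here as example code (it is not the streql code under discussion): it counts byte comparisons as a stand-in for elapsed time, for the early-exit version, for a version that keeps comparing on a length mismatch, and for one that compares fixed-size SHA-256 digests so the loop count no longer depends on how the two lengths relate. `SECRET` and the probe inputs are constructed for the example.

```python
import hashlib

def compare_early_exit(x, y):
    """Original streql behaviour: a length mismatch returns at once, so the
    work done (stand-in for elapsed time) reveals whether len(x) == len(y).
    Returns (equal, number_of_byte_comparisons)."""
    if len(x) != len(y):
        return False, 0
    diff = 0
    for a, b in zip(x, y):
        diff |= a ^ b
    return diff == 0, len(x)

def compare_min_loop(x, y):
    """Proposed change: keep comparing over the shorter input and force a
    mismatch when the lengths differ. Work still grows with len(x) until it
    reaches len(y) and then plateaus, so a caller who controls x can find
    len(y) anyway."""
    diff = len(x) ^ len(y)          # non-zero whenever the lengths differ
    n = min(len(x), len(y))
    for i in range(n):
        diff |= x[i] ^ y[i]
    return diff == 0, n

def compare_fixed_work(x, y):
    """Compare fixed-size digests instead of the raw inputs: the byte loop
    always covers 32 bytes, so its work does not change shape at len(y).
    Hashing y costs time proportional to len(y), but that cost does not vary
    with x. (In real code use hmac.compare_digest; the manual loop is here
    only so the work can be counted.)"""
    hx = hashlib.sha256(x).digest()
    hy = hashlib.sha256(y).digest()
    diff = 0
    for a, b in zip(hx, hy):
        diff |= a ^ b
    return diff == 0, len(hx)

def work_profile(cmp, secret, max_len):
    """Work done by cmp for constructed probe inputs of length 1..max_len
    against secret; a profile whose shape changes at len(secret) leaks it."""
    return [cmp(b"A" * n, secret)[1] for n in range(1, max_len + 1)]

SECRET = b"s3cret-token"  # constructed 12-byte value the caller must not learn
```

The early-exit profile spikes only at length 12 and the min-loop profile rises to 12 and flattens, both revealing len(SECRET); the digest profile is flat.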



Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

2014-09-21 Thread Richard van den Berg
On 21 sep. 2014, at 20:29, W. Martin Borgert deba...@debian.org wrote:

> If a package would change by adding another signature, then this
> would invalidate previous signatures.

Package formats like apk and jar avoid this chicken and egg problem by hashing 
the files inside a package, and storing those hashes in a manifest file. 
Signatures only sign the manifest file. The manifest itself and the signature 
files are not part of the manifest, but are part of the package. So a package 
including its signature(s) is still a single file.

Richard

Archive: 
https://lists.debian.org/8ce64b3d-6269-47a6-8cf2-5ecaa631b...@vdberg.org
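An added example (not from the thread, and not the code of any real package tool) of the manifest scheme described above: a toy in-memory package whose manifest lists a digest per payload file, with the manifest and the signature files themselves excluded from it, so a second signature can be added without invalidating the first, and a later change to a payload file is still caught. The paths, the keys and the use of HMAC-SHA256 as a stand-in for a public-key signature are all constructed for the example.

```python
import hashlib
import hmac

# Constructed toy package: path -> file bytes (stands in for a jar/apk).
PACKAGE = {
    "lib/app.class": b"\xca\xfe\xba\xbe" + b"\x00" * 12,
    "res/config.txt": b"debug=false\n",
}
MANIFEST = "META-INF/MANIFEST"   # constructed name for the manifest entry
SIG_PREFIX = "META-INF/SIG-"     # constructed prefix for signature entries

def build_manifest(pkg):
    """One line per payload file with its SHA-256; the manifest itself and
    all signature files are left out, so adding a signature never changes it."""
    lines = []
    for path in sorted(pkg):
        if path == MANIFEST or path.startswith(SIG_PREFIX):
            continue
        lines.append(f"{path} {hashlib.sha256(pkg[path]).hexdigest()}")
    return ("\n".join(lines) + "\n").encode()

def sign_package(pkg, signer, key):
    """Add a signature over the manifest only. HMAC-SHA256 stands in for a
    real public-key signature (an assumption of this example); a second
    signer simply adds another META-INF/SIG-* entry and earlier ones stay valid."""
    if MANIFEST not in pkg:
        pkg[MANIFEST] = build_manifest(pkg)
    pkg[SIG_PREFIX + signer] = hmac.new(key, pkg[MANIFEST], "sha256").digest()

def verify_package(pkg, signer, key):
    """True only if the manifest still matches the payload files and the
    named signer's signature covers that manifest."""
    manifest = pkg.get(MANIFEST)
    sig = pkg.get(SIG_PREFIX + signer)
    if manifest is None or sig is None:
        return False
    if not hmac.compare_digest(manifest, build_manifest(pkg)):
        return False  # a payload file changed after the manifest was written
    expected = hmac.new(key, manifest, "sha256").digest()
    return hmac.compare_digest(sig, expected)
```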



Re: Debians security features in comparison to Ubuntu

2014-05-17 Thread Richard van den Berg

On 17-05-14 03:19, Joel Rees wrote:

> He gave me a link to the following site:
> https://wiki.ubuntu.com/Security/Features
>
> None of the meaningful items in that list are unavailable on Debian, and
> the defaults are reasonably secure in Debian.


I might be misinterpreting your definition of meaningful, but I have been looking for a public 
entropy source for my Debian system for quite a while. If you can point me to the Debian equivalent 
of pollinate and https://entropy.ubuntu.com/ that would be highly appreciated.


Kind regards,

Richard


Archive: https://lists.debian.org/5377818b.3050...@vdberg.org



Re: Debians security features in comparison to Ubuntu

2014-05-17 Thread Richard van den Berg

On 17-05-14 18:20, Joel Rees wrote:

> Hmm. Early boot has problems getting enough randomness (for what?),

To seed the kernel random number generator.

> so let's go get some randomness from a server somebody in the Ubuntu project set up.


I never said it was a great solution, but the lack of good quality entropy on headless (virtual) 
Linux systems is a real problem. I merely asked if the Debian project provides something similar, or 
hopefully better.


Kind regards,

Richard


Archive: https://lists.debian.org/5377b3e9.3080...@vdberg.org



Re: Debians security features in comparison to Ubuntu

2014-05-17 Thread Richard van den Berg

On 17-05-14 18:37, Emmanuel Thierry wrote:

> Isn't it a better idea to use local entropy generators such as haveged instead
> of online ones ?

Haveged is great, but IMHO it cannot replace a hardware PRNG.

> I'm quite disturbed about using an online (and moreover third-party) service to
> improve security of a local system. In my sense, this requires a huge level of
> trust towards the considered service.


I agree with you, but one can argue that increasing the entropy of a system by using an online 
service provided by the same organization that distributes the software of that system does not 
decrease the overall security of that system.


Kind regards,

Richard


Archive: https://lists.debian.org/5377b5dd.8010...@vdberg.org



Re: goals for hardening Debian: ideas and help wanted

2014-04-24 Thread Richard van den Berg
> I suggest it might be better if exploits were each given a quick/approximate
> ranking in terms of severity (and if the severity is unknown it could be
> assigned a default median ranking), so that the algorithm you mention wouldn't
> just add number of unplugged exploits, but add them by weight

That is a good idea. The Common Vulnerability Scoring System was invented for 
this purpose:  http://en.wikipedia.org/wiki/CVSS

Kind regards,

Richard

Archive: 
https://lists.debian.org/7f6371fd-0ee0-4f36-8f36-7736f65e7...@vdberg.org



Re: process to include upstream jar sig in Debian-generated jar

2013-08-29 Thread Richard van den Berg
On 29 aug. 2013, at 09:39, Florian Weimer f...@deneb.enyo.de wrote:

> How would you tell a legitimate security update from a version that
> lacks a signature for other reasons?

If you are worried about a non-official/malicious update for the package, the 
.deb will still need to have a proper signature. The discussion here is the 
signature on the jar file that is read/verified by the jre. 

-- Richard


Archive: http://lists.debian.org/4dedc154-c4cc-4ded-86ec-373b760de...@vdberg.org



CVE-2013-2266 fix for bind9 in stable?

2013-03-29 Thread Richard van den Berg
Thanks a lot for the quick fix. Will bind9 9.7.3.dfsg-1 in stable also be 
fixed? I don't see any reports on http://www.debian.org/security/#DSAS and 
http://lists.debian.org/debian-security-announce/2013/threads.html

Kind regards,

Richard van den Berg

security.debian.org down, mirror needed

2002-11-20 Thread Richard van den Berg
security.debian.org is hosted by the University of Twente in The
Netherlands (www.utwente.nl). Their data center caught fire a few hours
ago. As a result their class B (130.89.0.0/16) disappeared from the
internet. A news article mentions that most servers and infrastructure
have been destroyed.

Is it possible to set up a mirror somewhere for the time being?

--
Richard van den Berg, CISSP

Trust Factory B.V.  | http://www.trust-factory.com/
Bazarstraat 44a | Phone: +31 70 3620684
NL-2518AK The Hague | Fax  : +31 70 3603009
The Netherlands |



