On Tue, Jan 25, 2005 at 01:16:53PM +0100, Sebastian Hegler wrote:
> Package: bugs.debian.org
> Severity: critical
> Justification: root security hole
It's not a root security hole, since knowing an IP address does not
grant you any access to a system.  If there's up-to-date vulnerable
software installed which is managed by Debian, then *that* is a
security hole.

> Full email headers are visible on "http://bugs.debian.org".
> 
> This introduces several problems:
> 
> 1) Privacy concerns. It is just not necessary to keep anything
> except for the "From:" (and possibly "Sender:", and "Subject:")
> header line. Absolutely nobody is required to know the IP address
> the bug reporter is online with.
Maybe so, but we use an SMTP-based BTS, and so we show all of the SMTP
information.  Having an IP address still doesn't grant you anything.
And the IPv4 address space is probably at least 25% full, so you could
also just generate a random 32 bit number.

> 2) Simplified scanning for vulnerable boxes. The source IP will be
> exposed, and all IP addresses the email traversed, and those systems
> possibly exposed their MTA in the "Delivered to:" lines. This data
> gives priceless hints on the running system and patch levels. 
I don't really see the point in "discovering" someone's mailserver.
Rather than downloading bugs, I suspect that it would be much more
efficient to run nmap.  Consider also that some anti-spam schemes
require mailservers to be published.  Also, consider that at least
50% of the spam that gets sent is from a compromised host of some
sort; if you're trying to take over a computer, it's probably easier to
wait for a spam to show up in your mailbox and then to read those
headers.  But that's not a problem with which Debian is typically
concerned.

> 3) Scenario: *1. Traverse all bug reports, extract IP addresses.  *2.
> Resolve IP addresses, check for static ranges.  *3. Check those
> boxes for vulnerable software first.
That's 30GB of bugs, btw.  You now have a very long list of IP
addresses, I agree.  Okay, so you resolve the address; what does that
do for your vuln scan?  You don't want to scan that address unless it's
the same computer that was used to report a bug on Debian?  That seems
unwise; if you just scan it anyway, it either will or will not
respond; no matter: if it's a Debian box, then, fine, scan away.  Much
worse if it's a Windows box, and the Asian ISP doesn't block
tcp/135-139, or if it's a home router with its admin telnet/web
interface left open, or ...

> I believe that such an attack scenario is very well possible, though
> my concerns regarding privacy clearly weigh heavier on my mind.
Is the point to attack computers running Debian?  If not, then there
are much better and more efficient attacks anyway.

Justin,
Revealing my IPv4 address


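The header whitelist Sebastian proposes (publish only From:, Sender: and Subject:, not the Received:/Delivered-To: trace lines that carry relay and submitter IP addresses) can be implemented as a filter that runs before a report is rendered on the web. The following is an added example, not code from this thread or from the Debian BTS; the whitelist contents, the `redact_headers`/`ipv4_literals` names and the sample message are all constructed for illustration:

```python
"""Strip SMTP trace headers from a bug-report mail before publishing it.

Added example (not the Debian BTS code).  It keeps a whitelist of
headers a tracker needs to display and thread a report, and deletes
everything else, so Received:, Delivered-To: and X-Originating-IP:
lines that reveal the submitter's and relays' IP addresses never reach
the public page.  The body is left untouched.
"""
import email
import re
from email import policy

# Headers considered safe to publish.  From/Sender/Subject follow the
# proposal in the thread; Date and Message-ID are an assumption here
# (a tracker needs them to order and thread reports); the MIME headers
# are kept so multipart bodies still render.  Header names are
# case-insensitive, so the set is lower-cased.
PUBLIC_HEADERS = {
    "from", "sender", "subject", "date", "message-id",
    "mime-version", "content-type", "content-transfer-encoding",
}

# Constructed sample: two relay hops, each recording an IP address
# (documentation ranges 192.0.2.0/24 and 198.51.100.0/24).
SAMPLE_RAW = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby bugs.example.org (Postfix) with ESMTP id ABC123
\tfor <submit@bugs.example.org>; Tue, 25 Jan 2005 13:17:02 +0100
Received: from ws.example.net (ws.example.net [198.51.100.7])
\tby relay.example.net with ESMTP; Tue, 25 Jan 2005 13:16:59 +0100
Delivered-To: submit@bugs.example.org
X-Originating-IP: [198.51.100.7]
From: Reporter <reporter@example.net>
Sender: reporter@example.net
Subject: Package foo: crashes on start
Date: Tue, 25 Jan 2005 13:16:53 +0100
Message-ID: <20050125121653.GA1234@ws.example.net>

Package: foo
Severity: normal

foo crashes immediately on start.
"""

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def redact_headers(raw: str, keep=frozenset(PUBLIC_HEADERS)) -> str:
    """Return the message with every header not in `keep` removed."""
    msg = email.message_from_string(raw, policy=policy.default)
    # del on a Message removes all occurrences of that header name,
    # so repeated Received: lines disappear in one step.
    for name in set(msg.keys()):
        if name.lower() not in keep:
            del msg[name]
    return msg.as_string()


def ipv4_literals(message: str) -> set:
    """IPv4 addresses appearing in the header block (text before the
    first blank line).  Used as the check that redaction worked."""
    header_block = message.partition("\n\n")[0]
    return set(_IPV4.findall(header_block))


if __name__ == "__main__":
    print("before:", sorted(ipv4_literals(SAMPLE_RAW)))
    cleaned = redact_headers(SAMPLE_RAW)
    print("after: ", sorted(ipv4_literals(cleaned)))
    print(cleaned)
```

A whitelist is preferable to a blacklist of known trace headers here: MTAs add vendor-specific headers (X-Originating-IP and the like) that a blacklist would have to chase, whereas a whitelist fails closed. The `ipv4_literals` check is a cheap regression test to run over the published archive, not a substitute for the filter itself.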