Re: [SECURITY] [DSA 122-1] New zlib other packages fix buffer overflow
Jor-el [EMAIL PROTECTED] writes:

> Doesn't dpkg also compile with a static zlib? Why does it not make this list?

At least on unstable, it does.

/usr/bin/dpkg-deb: zlib configuration table, little endian, 32 bit
/usr/bin/dpkg-deb: zlib inflate table, little endian

(Tool is available at http://cert.uni-stuttgart.de/files/fw/find-zlib.)

--
Florian Weimer [EMAIL PROTECTED]
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
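An added example, not part of the thread and not the find-zlib tool linked above: a Python scanner that inventories private zlib copies in a directory tree, separating programs that carry their own copy from those that only reference the shared library. It assumes the embedded copy still contains zlib's compiled-in inflate/deflate copyright markers; the file names and byte strings in `demo()` are constructed.

```python
"""Inventory private zlib copies by the marker strings zlib compiles in."""
import mmap
import os
import re
import tempfile

# inflate and deflate each embed a marker such as
# " inflate 1.1.3 Copyright 1995-1998 Mark Adler ", so a program that was
# linked statically or bundles zlib's source carries the marker as well.
MARKER = re.compile(rb" (inflate|deflate) (\d+(?:\.\d+)+) Copyright \d{4}-\d{4} ")
# A dynamically linked program only names the shared object it needs.
SHARED = re.compile(rb"libz\.so(?:\.\d+)*\x00")


def scan_file(path):
    """Classify one file as 'library', 'embedded', 'shared' or 'none'.

    Returns (kind, versions); versions lists the upstream zlib versions
    named by the markers found in the file.
    """
    try:
        with open(path, "rb") as fh:
            if os.fstat(fh.fileno()).st_size == 0:
                return "none", []          # mmap rejects empty files
            with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as data:
                versions = sorted({m.group(2).decode()
                                   for m in MARKER.finditer(data)})
                shared = SHARED.search(data) is not None
    except (OSError, ValueError):
        return "none", []                  # unreadable or not mappable
    if versions:
        # The shared library itself is fixed by upgrading the zlib package;
        # every other hit is a private copy that needs its own rebuild.
        is_lib = os.path.basename(path).startswith("libz.so")
        return ("library" if is_lib else "embedded"), versions
    return ("shared", []) if shared else ("none", [])


def scan_tree(root):
    """Walk root and return {relative path: (kind, versions)} for all hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            kind, versions = scan_file(path)
            if kind != "none":
                report[os.path.relpath(path, root)] = (kind, versions)
    return report


def demo():
    """Scan a throw-away tree of constructed files (not real binaries)."""
    inflate = b" inflate 1.1.3 Copyright 1995-1998 Mark Adler "
    deflate = b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly "
    samples = {
        "bin/static-tool": b"\x7fELF" + b"\x00" * 64 + inflate + b"\x00" + deflate,
        "bin/dynamic-tool": b"\x7fELF" + b"\x00" * 64 + b"libz.so.1\x00libc.so.6\x00",
        "lib/libz.so.1.1.3": b"\x7fELF" + b"\x00" * 64 + inflate + deflate,
        "bin/script": b"#!/bin/sh\necho no zlib here\n",
        "bin/empty": b"",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, (kind, versions) in sorted(demo().items()):
        print(f"{kind:9} {','.join(versions) or '-':8} {path}")
```

The version in the marker is the upstream one, so a distribution-patched build reports the same string as an unpatched one; treat the output as an inventory of packages to check against the advisory, not as proof that a binary is vulnerable.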
Re: MS Front page extensions for Linux
I have tried to install FP several times (by client request, not desire :-), without any success. Some of the programs are binary only from MS and they segfault consistently, even though they are statically linked.

If you decide to, or are forced to infect a system with FP, it probably won't be easy to make it work. In fact, it might not be worthwhile the effort. It might not even be possible, thus resolving the security issues completely :-)

If you make it work, please let the rest of us know how you did it.

René Seindal.

On Tue, 2002-03-12 at 04:31, Marcel Welschbillig wrote:
> Hi,
>
> Is there any known security issues with installing micro$oft Front Page extensions on a Debian Apache web server? I am reluctant to infect my nice Linux web server with micro$oft code.

--
René Seindal ([EMAIL PROTECTED]) http://www.seindal.dk/rene/
Re: [SECURITY] [DSA 122-1] New zlib other packages fix buffer overflow
On Mon, Mar 11, 2002 at 09:42:39PM +0100, Michael Stone wrote:
> The zlib vulnerability is fixed in the Debian zlib package version 1.1.3-5.1. A number of programs either link statically to zlib or include a private copy of zlib code. These programs must also be upgraded to eliminate the zlib vulnerability. The affected packages and fixed versions follow:
>
>   amaya 2.4-1potato1
>   dictd 1.4.9-9potato1
>   erlang 49.1-10.1
>   freeamp 2.0.6-2.1
>   mirrordir 0.10.48-2.1
>   ppp 2.3.11-1.5
>   rsync 2.3.2-1.6
>   vrweb 1.5-5.1

For comparison, here is a list of packages reported to be affected by the zlib vulnerability in ALT Linux Sisyphus (fixed src.rpms listed):

  XFree86-4.2.0-alt2.src.rpm
  XFree86-compat-3.3.6-ipl23mdk.src.rpm
  freeswan-1.95-alt3.src.rpm
  iptables-1.2.5-alt1.src.rpm
  kernel-headers-common-1.0-alt1.src.rpm
  kernel22-2.2.21-alt3.p4.src.rpm
  kernel24-2.4.18-alt2.src.rpm
  kernel24-2.4.7-alt3.src.rpm
  libpopt-1.7-alt2.src.rpm
  mkinitrd-2.7.1-alt6.1.src.rpm
  mktemp-1.4-alt1.src.rpm
  modutils-2.4.12-alt1.src.rpm
  pngcrush-1.5.8-alt2.src.rpm
  rpm-3.0.6-ipl29.2mdk.src.rpm
  rsync-2.5.3-alt2.src.rpm
  vnc-3.3.3r2-alt2.src.rpm
  zlib-1.1.3-ipl15mdk.src.rpm

As you can see, there are packages fixed in Sisyphus that are not mentioned in Debian announcement. Does this mean that Debian counterparts were not affected in the first place, or that they were overlooked?

--
Dmitry Borodaenko
Re: [SECURITY] [DSA 122-1] New zlib other packages fix buffer overflow
On Tue, Mar 12, 2002 at 05:46:13PM +1100, Andrew Tait wrote:
> Unless you are going to dial into a malicious ISP, I doubt this will be a problem (AFAIK, but don't quote me).

Or unless you happen to be a small ISP using pppd on the receiving end and have malicious users?

Zephaniah E. Hull.

--
1024D/E65A7801 Zephaniah E. Hull [EMAIL PROTECTED]
92ED 94E4 B1E6 3624 226D 5727 4453 008B E65A 7801
CCs of replies from mailing lists are requested.

* Culus thinks we should go to trade shows and see how many people we can kill by throwing debian cds at them
Re: best way to create pop only accounts
On Mon, Mar 11, 2002 at 09:21:45AM -0300, Pedro Zorzenon Neto wrote:
> Hi,
>
> Which is the best way to create a POP only account? Just change the last field in /etc/passwd to /bin/false?
>
> I want that the user will not be able to do anything on the machine but retrieving mail.
>
> I will enable APOP in qpopper or use some ssl wrapper for POP3, will disable the plain password POP3.
>
> If I use APOP, then it uses /etc/pop.auth. I could then put * in the password field in /etc/shadow as it will never match any password.
>
> What do you think about this?

I am running cyrus imapd with user-accounts stored in a mysql-database. So I don't need to create system-accounts. It works really fine here.
Re: [SECURITY] [DSA 122-1] New zlib other packages fix buffer overflow
This depends on how the packager chose to build the package: with static or dynamic library. The only missing packages on the list I reckon are the kernel images.

JeF

On Tue, Mar 12, 2002 at 12:15:49PM +0200, Dmitry Borodaenko wrote:
> On Mon, Mar 11, 2002 at 09:42:39PM +0100, Michael Stone wrote:
> > The zlib vulnerability is fixed in the Debian zlib package version 1.1.3-5.1. A number of programs either link statically to zlib or include a private copy of zlib code. These programs must also be upgraded to eliminate the zlib vulnerability. The affected packages and fixed versions follow:
> >
> >   amaya 2.4-1potato1
> >   dictd 1.4.9-9potato1
> >   erlang 49.1-10.1
> >   freeamp 2.0.6-2.1
> >   mirrordir 0.10.48-2.1
> >   ppp 2.3.11-1.5
> >   rsync 2.3.2-1.6
> >   vrweb 1.5-5.1
>
> For comparison, here is a list of packages reported to be affected by the zlib vulnerability in ALT Linux Sisyphus (fixed src.rpms listed):
>
>   XFree86-4.2.0-alt2.src.rpm
>   XFree86-compat-3.3.6-ipl23mdk.src.rpm
>   freeswan-1.95-alt3.src.rpm
>   iptables-1.2.5-alt1.src.rpm
>   kernel-headers-common-1.0-alt1.src.rpm
>   kernel22-2.2.21-alt3.p4.src.rpm
>   kernel24-2.4.18-alt2.src.rpm
>   kernel24-2.4.7-alt3.src.rpm
>   libpopt-1.7-alt2.src.rpm
>   mkinitrd-2.7.1-alt6.1.src.rpm
>   mktemp-1.4-alt1.src.rpm
>   modutils-2.4.12-alt1.src.rpm
>   pngcrush-1.5.8-alt2.src.rpm
>   rpm-3.0.6-ipl29.2mdk.src.rpm
>   rsync-2.5.3-alt2.src.rpm
>   vnc-3.3.3r2-alt2.src.rpm
>   zlib-1.1.3-ipl15mdk.src.rpm
>
> As you can see, there are packages fixed in Sisyphus that are not mentioned in Debian announcement. Does this mean that Debian counterparts were not affected in the first place, or that they were overlooked?
>
> --
> Dmitry Borodaenko

--
Jean-Francois Dive -- [EMAIL PROTECTED]
default Apache configuration
Hi,

I just saw an error on a Debian box with apache(-common) 1.3.9-13.2:

drwxr-xr-x 14 root root 4096 Dec 7 13:52 /var
drwxr-xr-x 6 root root 4096 Mar 11 06:30 /var/log
drwxr-xr-x 2 root root 4096 Mar 10 06:25 /var/log/apache
-rw-rw-r-- 1 www-data nogroup 134382 Mar 12 13:45 /var/log/apache/access.log

tail -n 1 /var/log/apache/access.log
127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] GET /cgi-bin/login.pl?user=adminpassword=tztztz HTTP/1.1 200 148

To whom belongs this problem? The programmer, who used GET for a login or the sysadmin who shows every ordinary user the GET-request?

btw, I think the apache package is not usable for a webhosting-server (e.g. frontpage is missing, security is in general too bad), so I normally do not use it.

bye,
Ralf
Re: default Apache configuration
On Tue, 12 Mar 2002, Ralf Dreibrodt wrote:
> tail -n 1 /var/log/apache/access.log
> 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] GET /cgi-bin/login.pl?user=adminpassword=tztztz HTTP/1.1 200 148
>
> To whom belongs this problem? The programmer, who used GET for a login or the sysadmin who shows every ordinary user the GET-request?

The programmer. There's no reason I know why the logs shouldn't be made public to the users. (Though if security was _that_ important for whatever it is that this password is for, it should be using apache-ssl, not apache.)

> btw, I think the apache package is not usable for a webhosting-server (e.g. frontpage is missing, security is in general too bad), so I normally do not use it.

Meep. You said frontpage. *hides*

T
Re: default Apache configuration
Hi,

Thomas Thurman wrote:
> On Tue, 12 Mar 2002, Ralf Dreibrodt wrote:
> > tail -n 1 /var/log/apache/access.log
> > 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] GET /cgi-bin/login.pl?user=adminpassword=tztztz HTTP/1.1 200 148
> >
> > To whom belongs this problem? The programmer, who used GET for a login or the sysadmin who shows every ordinary user the GET-request?
>
> The programmer. There's no reason I know why the logs shouldn't be made public to the users.

What about session-ids? Should really be every request a POST-request? I do not think that this is a good (html) programming style, but perhaps I am wrong.

What about apache-ssl-logs? Has anyone the possibility to test it?

> > btw, I think the apache package is not usable for a webhosting-server (e.g. frontpage is missing, security is in general too bad), so I normally do not use it.
>
> Meep. You said frontpage.

Well, German customers/endusers want to have frontpage, the big companies (schlund, strato, etc.) offer frontpage, so every small webhosting company has to do the same... unfortunately.

bye,
Ralf
Re: default Apache configuration
Ralf Dreibrodt wrote/napisał[a]/schrieb:
> Hi,
>
> I just saw an error on a Debian box with apache(-common) 1.3.9-13.2:
>
> drwxr-xr-x 14 root root 4096 Dec 7 13:52 /var
> drwxr-xr-x 6 root root 4096 Mar 11 06:30 /var/log
> drwxr-xr-x 2 root root 4096 Mar 10 06:25 /var/log/apache
> -rw-rw-r-- 1 www-data nogroup 134382 Mar 12 13:45 /var/log/apache/access.log
>
> tail -n 1 /var/log/apache/access.log
> 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] GET /cgi-bin/login.pl?user=adminpassword=tztztz HTTP/1.1 200 148
>
> To whom belongs this problem? The programmer, who used GET for a login or the sysadmin who shows every ordinary user the GET-request?

The programmer. This is a very bad practice, the password also lands in the logs of w3caches along the way, in browser history, etc.

Alex

--
Janusz A. Urbanowicz | ALEX3-RIPE | SF-F Framling
Re: default Apache configuration
On Tue, Mar 12, 2002 at 03:28:43PM +0100, Ralf Dreibrodt wrote:
> Thomas Thurman wrote:
> > On Tue, 12 Mar 2002, Ralf Dreibrodt wrote:
> > > btw, I think the apache package is not usable for a webhosting-server (e.g. frontpage is missing, security is in general too bad), so I normally do not use it.
> >
> > Meep. You said frontpage.
>
> Well, German customers/endusers want to have frontpage, the big companies (schlund, strato, etc.) offer frontpage, so every small webhosting company has to do the same... unfortunately.

Doesn't *have* to, no. We don't. Frontpage the client can do FTP you know?

Simon.

--
UK based domain, email and web hosting
http://www.blackcatnetworks.co.uk/
[EMAIL PROTECTED]
Black Cat Networks

"A lie, Mr. Mulder, is most convincingly hidden between two truths" - Deep Throat
Re: MS Front page extensions for Linux
Hello,

I also am forced to install M$ Front Page extensions. I am using Debian by choice, M$ Front Page by management decision... I have yet to ever get this to work correctly in the past, and I don't want to break the Apache and Apache-ssl install on my servers just for the M$ stuff.

Is there an accepted or unofficial method of getting Debian and FrontPage to play nicely or am I going to have to use M$/IIS and not Debian/apache? That last part was very hard to type...

Thanks for any help,
Loren

At 11:31 AM 03/12/2002 +0800, Marcel Welschbillig wrote:
> Hi,
>
> Is there any known security issues with installing micro$oft Front Page extensions on a Debian Apache web server? I am reluctant to infect my nice Linux web server with micro$oft code.
>
> Thanks !
>
> --
> Regards,
> Marcel Welschbillig
Re: default Apache configuration
Said Janusz A. Urbanowicz on Tue, Mar 12, 2002 at 03:27:35PM +0100:
> The programmer. This is a very bad practice, the password also lands in the logs of w3caches along the way, in browser history, etc.

Not to mention that if the user happens to link to another site from this page, the query string will be seen in the HTTP referrer header on the remote site, which often shows up in stats programs.

--
[!] Justin R. Miller [EMAIL PROTECTED]
PGP 0xC9C40C31 -=- http://codesorcery.net
http://www.cnn.com/2002/ALLPOLITICS/01/29/inv.terror.probe/
RE: default Apache configuration
> Doesn't *have* to, no. We don't. Frontpage the client can do FTP you know?

It is another thing for people to have to understand and learn. And unfortunately, the vast majority of web users have no intent and desire to learn new things, they just want to go with what is familiar. I had to deal with this especially. Eventually, we just installed an IIS server w/ FP extensions on it. Wasn't my choice.

- James
RE: MS Front page extensions for Linux
You could always go the route of Plesk (http://www.plesk.com). They don't officially support Debian, only freebsd and redhat, but I was talking to my sales agent and he said he knew plenty of people who set it up on Debian, slackware, or anything. Plesk 2.5 has frontpage2002 extensions, however you would have to get rid of your current apache/apache-ssl install, due to Plesk compiling its own copy.

--
Matt Andreko
On-Ramp Indiana
(317)774-2100

-----Original Message-----
From: Loren Jordan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 12, 2002 10:01 AM
To: Debian-Security List
Subject: Re: MS Front page extensions for Linux

> Hello,
>
> I also am forced to install M$ Front Page extensions. I am using Debian by choice, M$ Front Page by management decision... I have yet to ever get this to work correctly in the past, and I don't want to break the Apache and Apache-ssl install on my servers just for the M$ stuff.
>
> Is there an accepted or unofficial method of getting Debian and FrontPage to play nicely or am I going to have to use M$/IIS and not Debian/apache? That last part was very hard to type...
>
> Thanks for any help,
> Loren
>
> At 11:31 AM 03/12/2002 +0800, Marcel Welschbillig wrote:
> > Hi,
> >
> > Is there any known security issues with installing micro$oft Front Page extensions on a Debian Apache web server? I am reluctant to infect my nice Linux web server with micro$oft code.
> >
> > Thanks !
> >
> > --
> > Regards,
> > Marcel Welschbillig
Re: MS Front page extensions for Linux
At 11:19 AM 3/12/2002 +0100, René Seindal wrote:
> I have tried to install FP several times (by client request, not desire :-), without any success. Some of the programs are binary only from MS and they segfault consistently, even though they are statically linked.
>
> If you decide to, or are forced to infect a system with FP, it probably won't be easy to make it work. In fact, it might not be worthwhile the effort. It might not even be possible, thus resolving the security issues completely :-)
>
> If you make it work, please let the rest of us know how you did it.

I too would be interested in this. So far I have stalled. I am tempted to install zope for the potential fp users because you can use it via webdav and you can also work right inside your browser.

:wq
Tim Uckun
US Investigations Services/Due Diligence
http://www.diligence.com/
RE: default Apache configuration
Hy!

On Tue, 12 Mar 2002, Ralf Dreibrodt wrote:
> tail -n 1 /var/log/apache/access.log
> 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] GET /cgi-bin/login.pl?user=adminpassword=tztztz HTTP/1.1 200 148
>
> To whom belongs this problem?

I would say firstly the programmer who used GET for a password field, _and_ secondly the admin who is giving his password to a non-SSL web form!

> The programmer. There's no reason I know why the logs shouldn't be made public to the users.

> Should really be every request a POST-request? I do not think that this is a good (html) programming style, but perhaps I am wrong.

There is no reason to make every request a POST-request. You should use a POST request if the request contains
- a password field
- a lot of data
- data which may modify a database at the server-side

There is no reason to use POST if the request contains only parameters like
- keywords for a search engine
- a session id
- a page number

I think I've read about this in an RFC, but I don't know exactly in which one.

> What about apache-ssl-logs? Has anyone the possibility to test it?

Yes, it's the same: everyone can read it, and the full GET requests are enclosed. The ssl extension only means that the server communicates over https instead of http.

regards,
Tibor Repasi
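Added example, not part of any post in the thread: a Python audit of access-log lines that flags requests whose query string carried a credential, produces a redacted copy of each such line, and reports whether the log's mode bits let every local user read it. The parameter-name list and the sample log lines are constructed assumptions; the mode 0664 is the one shown in the directory listing quoted above.

```python
"""Flag credentials that reached an Apache access log via GET query strings."""
import re
import stat
from urllib.parse import unquote_plus

# Parameter names treated as credentials (an assumption; extend per site).
SENSITIVE = {"password", "passwd", "pass", "pwd", "secret", "token"}
# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

# Constructed sample lines in Common Log Format.
SAMPLE_LOG = [
    '127.0.0.1 - - [12/Mar/2002:13:50:01 +0100] "GET /index.html HTTP/1.1" 200 512',
    '127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] "GET /cgi-bin/login.pl?user=admin&password=example-secret HTTP/1.1" 200 148',
    '127.0.0.1 - - [12/Mar/2002:13:54:02 +0100] "POST /cgi-bin/login.pl HTTP/1.1" 200 148',
    '127.0.0.1 - - [12/Mar/2002:13:55:40 +0100] "GET /search?q=zlib&page=2 HTTP/1.1" 200 2048',
    '127.0.0.1 - - [12/Mar/2002:13:56:11 +0100] "GET /cgi-bin/login.pl?user=bob&Passwd=a%26b HTTP/1.1" 200 148',
]


def redact_target(target):
    """Return (redacted target, names of credential parameters found)."""
    path, sep, query = target.partition("?")
    if not sep:
        return target, []
    names, parts = [], []
    for pair in query.split("&"):
        name, eq, value = pair.partition("=")
        decoded = unquote_plus(name)
        if decoded.lower() in SENSITIVE and value:
            names.append(decoded)
            parts.append(name + eq + "[REDACTED]")
        else:
            parts.append(pair)          # keep the original encoding untouched
    return path + "?" + "&".join(parts), names


def audit_log(lines, file_mode):
    """Audit log lines plus the log file's mode bits (as from os.stat)."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match is None:
            continue                    # malformed or truncated request field
        redacted, names = redact_target(match.group("target"))
        if names:
            findings.append({
                "line": number,
                "method": match.group("method"),
                "params": names,
                "redacted": (line[:match.start("target")] + redacted
                             + line[match.end("target"):]),
            })
    return {
        # The "other" read bit decides whether any local account can read it.
        "world_readable": bool(file_mode & stat.S_IROTH),
        "findings": findings,
    }


if __name__ == "__main__":
    result = audit_log(SAMPLE_LOG, 0o664)
    print("world readable:", result["world_readable"])
    for item in result["findings"]:
        print(item["line"], item["params"], item["redacted"])
```

The POST line produces no finding because the request body is never written to the access log, which is the practical difference the replies above are describing.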
zlib ssh
On bugtraq I read something about openssh being vulnerable to the double-free bug.

On my woody boxes, I installed the updated zlib1g from unstable and restarted sshd. Is this enough to be protected?

Yours,
Martin

--
PGP/GPG encrypted mail preferred, see header
,--
| Only dead fish swim with the current
`--
IP chains logs to console
I recently upgraded to Woody and now my ipchains is logging all DENY packets to the console, as well as to disk. I changed /etc/syslog.conf to contain one line:

kern.* /var/log/mbtest.log

and set user = root group = adm on the file and the DENY messages are still logged to disk and the console. I've got plenty of disk space.

I found two threads via Google (June '02 and Sept. '02) where people were having the same problem, but neither thread had a solution.

http://lists.debian.org/debian-firewall/2001/debian-firewall-200106/msg00167.html
http://www.progsoc.uts.edu.au/lists/slug/2001/September/msg00436.html

Anyone know how I fix this?

Thanks.

Mark

P.S. I'm not subscribed to debian-security, so if you could include my email in the reply I would appreciate it.
Re: Problems with tripwire:
On Tue, Mar 12, 2002 at 08:59:08AM +0100, Martin Peikert wrote:
> Petro wrote:
> > Is there a file-security scanner like tripwire (or like AIDE) that works across a network? I'm envisioning something that does local file scanning, then transmits the resulting table to a remote (more secure) host where the verification is done.
>
> Try samhain or freeveracity:
> http://samhain.sourceforge.net/surround.html?main_q.html2

This seems to be exactly what I'm looking for. These guys are paranoid. That is good. That stealth option looks...interesting.

> http://www.freeveracity.org/
>
> GTi
> --
> For encrypted messages please use my public key, key-ID: 0xA9E35B01
> The fingerprint is A684 87F3 C7AA 9728 3C1B 85BF 0500 B2C7 A9E3 5B01

--
Share and Enjoy.
Re: Problems with tripwire:
On Tue, Mar 12, 2002 at 08:57:40PM +0100, Michel Verdier wrote:
> Petro [EMAIL PROTECTED] wrote:
> | !/var/log/ksymoops/
> | /var/log@@LOGSEARCH
> |
> | Now, according to my understanding, the ! in front of /var/log/ksymoops/
> | should be telling tripwire to ignore things under there, right?
> |
> | Obviously, it's not.
>
> The last match is used, try to switch these ones

I did, that is the second. I'll try it again.

--
Share and Enjoy.
Re: IP chains logs to console
[EMAIL PROTECTED] writes:

[snip]
> and set user = root group = adm on the file and the DENY messages are still logged to disk and the console. I've got plenty of disk space.
>
> I found two threads via Google (June '02 and Sept. '02) where people were having the same problem, but neither thread had a solution.
>
> http://lists.debian.org/debian-firewall/2001/debian-firewall-200106/msg00167.html
> http://www.progsoc.uts.edu.au/lists/slug/2001/September/msg00436.html
>
> Anyone know how I fix this? Thanks.

`klogd -c 4' is your friend. Adjust /etc/init.d/klogd to suit.

~Tim
--
http://spodzone.org.uk/
Re: [SECURITY] [DSA 122-1] New zlib other packages fix buffer overflow
On Tue, 12 Mar 2002, Zephaniah E. Hull wrote:
> On Tue, Mar 12, 2002 at 05:46:13PM +1100, Andrew Tait wrote:
> > Unless you are going to dial into a malicious ISP, I doubt this will be a problem (AFAIK, but don't quote me).
>
> Or unless you happen to be a small ISP using pppd on the receiving end and have malicious users?

That is what I am concerned about. We are a freenet with about 1000 active users. Depending on your viewpoint, unfortunately one of the other volunteers upgraded dialup server to 2.4 kernel with the bunk packages in an attempt to improve the problematic equinox SST and upgrade the eqnx module. We are moving to an Ascend Max within a couple of months, but a real exploit to our current pppd problem is likely to be available before then.

Our non-profit board of directors recently decided to allow a user back on that stole one of our machines over 2 years ago and has continued to be a pain in the ass. If a script kiddie exploit becomes available, he just might do some serious damage.

Unless someone has some other suggestions, I'll try the hybrid potato/woody suggested by Andrew Tait sometime this weekend.

Thanks,
Chuck
Re: IP chains logs to console
Said [EMAIL PROTECTED] on Tue, Mar 12, 2002 at 03:20:29PM -0500:
> Anyone know how I fix this?

Typing 'dmesg -n1' will turn down the console output. I'm not sure what downsides this may have, though.

--
[!] Justin R. Miller [EMAIL PROTECTED]
PGP 0xC9C40C31 -=- http://codesorcery.net
http://www.cnn.com/2002/ALLPOLITICS/01/29/inv.terror.probe/
Re: zlib ssh
On Tue, Mar 12, 2002 at 09:19:22PM +0100, Martin Hermanowski wrote:
> On my woody boxes, I installed the updated zlib1g from unstable and restarted sshd. Is this enough to be protected?

As far as SSH is concerned (and providing your mirror was up to date enough to have 1:1.1.3-19.1 or later of zlib), yes.

--
You grabbed my hand and we fell into it, like a daydream - or a fever.
Re: default Apache configuration
Ralf Dreibrodt [EMAIL PROTECTED] writes:

> I just saw an error on a Debian box with apache(-common) 1.3.9-13.2:

Time to upgrade ;-), potato's apache is at 1.3.9-14.

> drwxr-xr-x 14 root root 4096 Dec 7 13:52 /var
> drwxr-xr-x 6 root root 4096 Mar 11 06:30 /var/log
> drwxr-xr-x 2 root root 4096 Mar 10 06:25 /var/log/apache
> -rw-rw-r-- 1 www-data nogroup 134382 Mar 12 13:45 /var/log/apache/access.log

The ownership and permissions of apache log files is known to be (have been?) a problem. See #72468. I have recently done a fresh install of 1.3.23-1 and noticed that all of these problems have gone away, but for the fact that the initial logs are created root.root 0644.

--
Olaf Meeuwissen    Epson Kowa Corporation, CID
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97 976A 16C7 F27D 6BE3 7D90
LPIC-2 -- I hack, therefore I am -- BOFH
Re: [SECURITY] [DSA 122-1] New zlib other packages fix buffer overflow
On Tue, Mar 12, 2002 at 05:46:13PM +1100, Andrew Tait wrote:
> Update your sources.list to have both stable and testing (and make sure you called them that, not potato/woody),

Why should they be named potato/woody rather than stable/testing?

--
David Hart [EMAIL PROTECTED]
Re: [SECURITY] [DSA 122-1] New zlib other packages fix buffer overflow
ii ppp 2.4.1-0.bunk.2 Point-to-Point Protocol (PPP) daemon.

How does this affect ppp servers running potato with the unofficial 2.4 packages provided by Adrian Bunk? Does anyone have any recommendations for fixing this potential exploit?

Thanks,
Chuck
Re: [SECURITY] [DSA 122-1] New zlib other packages fix buffer overflow
Unless you are going to dial into a malicious ISP, I doubt this will be a problem (AFAIK, but don't quote me).

Most of my servers are stable/testing hybrids, including 2 running 2.4 (and I have been very happy with them).

Update your sources.list to have both stable and testing (and make sure you called them that, not potato/woody), and then do an apt-get install apt. Which will install testing's apt onto your stable box, along with any dependencies.

Then add this to your apt.conf file:

APT::Default-Release "stable";

You can then install packages (and dependencies) from testing via apt-get install ssh -t testing. Otherwise packages will be pulled from stable.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

----- Original Message -----
From: Chuck Peters [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; debian-security@lists.debian.org
Sent: Tuesday, March 12, 2002 5:07 PM
Subject: Re: [SECURITY] [DSA 122-1] New zlib other packages fix buffer overflow

> ii ppp 2.4.1-0.bunk.2 Point-to-Point Protocol (PPP) daemon.
>
> How does this affect ppp servers running potato with the unofficial 2.4 packages provided by Adrian Bunk? Does anyone have any recommendations for fixing this potential exploit?
>
> Thanks,
> Chuck
Re: Problems with tripwire:
Petro wrote:
> Is there a file-security scanner like tripwire (or like AIDE) that works across a network? I'm envisioning something that does local file scanning, then transmits the resulting table to a remote (more secure) host where the verification is done.

Try samhain or freeveracity:

http://samhain.sourceforge.net/surround.html?main_q.html2
http://www.freeveracity.org/

GTi
--
For encrypted messages please use my public key, key-ID: 0xA9E35B01
The fingerprint is A684 87F3 C7AA 9728 3C1B 85BF 0500 B2C7 A9E3 5B01
Re: [SECURITY] [DSA 122-1] New zlib other packages fix buffer overflow
Jor-el [EMAIL PROTECTED] writes: Doesnt dpkg also compile with a static zlib? Why does it not make this list? At least on unstable, it does. /usr/bin/dpkg-deb: zlib configuration table, little endian, 32 bit /usr/bin/dpkg-deb: zlib inflate table, little endian (Tool is available at http://cert.uni-stuttgart.de/files/fw/find-zlib.) -- Florian Weimer[EMAIL PROTECTED] University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898
Re: MS Front page extensions for Linux
I have tried to install FP several times (by client request, not desire :-), without any success. Some of the programs are binary only from MS and they segfault consistently, even though they are statically linked. If you decide to, or are forced to infect a system with FP, it probably won't be easy to make it work. In fact, it might not be worthwhile the effort. It might not even be possible, thus resolving the security issues completely :-) If you make it work, please let the rest of us know how you did it. René Seindal. On Tue, 2002-03-12 at 04:31, Marcel Welschbillig wrote: Hi, Is there any known security issues with installing micro$oft Front Page extensions on a Debian Apache web server? I am reluctant to infect my nice Linux web server with micro$oft code. -- René Seindal ([EMAIL PROTECTED]) http://www.seindal.dk/rene/
Re: [SECURITY] [DSA 122-1] New zlib other packages fix buffer overflow
On Mon, Mar 11, 2002 at 09:42:39PM +0100, Michael Stone wrote: The zlib vulnerability is fixed in the Debian zlib package version 1.1.3-5.1. A number of programs either link statically to zlib or include a private copy of zlib code. These programs must also be upgraded to eliminate the zlib vulnerability. The affected packages and fixed versions follow: amaya 2.4-1potato1 dictd 1.4.9-9potato1 erlang 49.1-10.1 freeamp 2.0.6-2.1 mirrordir 0.10.48-2.1 ppp 2.3.11-1.5 rsync 2.3.2-1.6 vrweb 1.5-5.1 For comparison, here is a list of packages reported to be affected by the zlib vulnerability in ALT Linux Sisyphus (fixed src.rpms listed): XFree86-4.2.0-alt2.src.rpm XFree86-compat-3.3.6-ipl23mdk.src.rpm freeswan-1.95-alt3.src.rpm iptables-1.2.5-alt1.src.rpm kernel-headers-common-1.0-alt1.src.rpm kernel22-2.2.21-alt3.p4.src.rpm kernel24-2.4.18-alt2.src.rpm kernel24-2.4.7-alt3.src.rpm libpopt-1.7-alt2.src.rpm mkinitrd-2.7.1-alt6.1.src.rpm mktemp-1.4-alt1.src.rpm modutils-2.4.12-alt1.src.rpm pngcrush-1.5.8-alt2.src.rpm rpm-3.0.6-ipl29.2mdk.src.rpm rsync-2.5.3-alt2.src.rpm vnc-3.3.3r2-alt2.src.rpm zlib-1.1.3-ipl15mdk.src.rpm As you can see, there are packages fixed in Sisyphus that are not mentioned in Debian announcement. Does this mean that Debian counterparts were not affected in the first place, or that they were overlooked? -- Dmitry Borodaenko
Re: [SECURITY] [DSA 122-1] New zlib other packages fix buffer overflow
On Tue, Mar 12, 2002 at 05:46:13PM +1100, Andrew Tait wrote: Unless your are going to dial into a malicious ISP, I doubt this will be a problem (AFAIK, but don't quote me). Or unless you happen to be a small ISP using pppd on the receiving end and have malicious users? Zephaniah E. Hull. -- 1024D/E65A7801 Zephaniah E. Hull [EMAIL PROTECTED] 92ED 94E4 B1E6 3624 226D 5727 4453 008B E65A 7801 CCs of replies from mailing lists are requested. * Culus thinks we should go to trade shows and see how many people we can kill by throwing debian cds at them pgpGAoAKi935a.pgp Description: PGP signature
Re: best way to create pop only accounts
On Mon, Mar 11, 2002 at 09:21:45AM -0300, Pedro Zorzenon Neto wrote: Hi, Which is the best way to create a POP only account? just change the last field in /etc/passwd to /bin/false? I want that the user will not be able to do anything on the machine but retriving mail. I will enable APOP in qpopper or use some ssl wrapper for POP3, will disable the plain password POP3. If I use APOP, then it uses /etc/pop.auth. I could then put * in the password field in /etc/shadow as it will never match any password. What do you think about this? I am running cyrus imapd with user-accounts stored in a mysql-database. So I don't need to create system-accounts. It works really fine here.
Re: [SECURITY] [DSA 122-1] New zlib other packages fix buffer overflow
This depends on how the packager chose to build the package: with a static or dynamic library. The only missing packages on the list, I reckon, are the kernel images. JeF On Tue, Mar 12, 2002 at 12:15:49PM +0200, Dmitry Borodaenko wrote: On Mon, Mar 11, 2002 at 09:42:39PM +0100, Michael Stone wrote: The zlib vulnerability is fixed in the Debian zlib package version 1.1.3-5.1. A number of programs either link statically to zlib or include a private copy of zlib code. These programs must also be upgraded to eliminate the zlib vulnerability. The affected packages and fixed versions follow: amaya 2.4-1potato1 dictd 1.4.9-9potato1 erlang 49.1-10.1 freeamp 2.0.6-2.1 mirrordir 0.10.48-2.1 ppp 2.3.11-1.5 rsync 2.3.2-1.6 vrweb 1.5-5.1 For comparison, here is a list of packages reported to be affected by the zlib vulnerability in ALT Linux Sisyphus (fixed src.rpms listed): XFree86-4.2.0-alt2.src.rpm XFree86-compat-3.3.6-ipl23mdk.src.rpm freeswan-1.95-alt3.src.rpm iptables-1.2.5-alt1.src.rpm kernel-headers-common-1.0-alt1.src.rpm kernel22-2.2.21-alt3.p4.src.rpm kernel24-2.4.18-alt2.src.rpm kernel24-2.4.7-alt3.src.rpm libpopt-1.7-alt2.src.rpm mkinitrd-2.7.1-alt6.1.src.rpm mktemp-1.4-alt1.src.rpm modutils-2.4.12-alt1.src.rpm pngcrush-1.5.8-alt2.src.rpm rpm-3.0.6-ipl29.2mdk.src.rpm rsync-2.5.3-alt2.src.rpm vnc-3.3.3r2-alt2.src.rpm zlib-1.1.3-ipl15mdk.src.rpm As you can see, there are packages fixed in Sisyphus that are not mentioned in Debian announcement. Does this mean that Debian counterparts were not affected in the first place, or that they were overlooked? -- Dmitry Borodaenko -- - Jean-Francois Dive -- [EMAIL PROTECTED]
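Whether a package carries its own copy of zlib, as discussed in the message above, cannot be read from its shared-library dependencies, so the binary itself has to be inspected. The following is an added example, not the find-zlib tool and not code from any poster: it assumes a compiled inflate implementation stores the DEFLATE length-base table from RFC 1951 as a constant array and searches for that byte pattern; the function names and sample bytes are constructed.

```python
import struct
import sys

# DEFLATE length-code base values (RFC 1951, section 3.2.5). Inflate
# implementations keep them as a constant array, so a compiled copy of the
# code carries this byte pattern whether or not the binary names zlib.
LENGTH_BASE = [3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
               35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258]

# Assumption: element width and byte order vary with the library version and
# the target CPU, so every plausible layout is searched for.
LAYOUTS = {
    "16-bit little endian": "<H",
    "16-bit big endian": ">H",
    "32-bit little endian": "<I",
    "32-bit big endian": ">I",
}


def table_signatures():
    """Map each layout name to the table encoded as raw bytes."""
    return {
        name: b"".join(struct.pack(fmt, value) for value in LENGTH_BASE)
        for name, fmt in LAYOUTS.items()
    }


def scan_bytes(data):
    """Return sorted (offset, layout) pairs for every table found in data."""
    hits = []
    for name, signature in table_signatures().items():
        start = 0
        while True:
            pos = data.find(signature, start)
            if pos < 0:
                break
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def scan_file(path):
    """Scan one file on disk, e.g. an executable or a static archive."""
    with open(path, "rb") as handle:
        return scan_bytes(handle.read())


if __name__ == "__main__":
    # Usage: python3 scan_inflate.py /usr/bin/some-binary ...
    for path in sys.argv[1:]:
        for offset, layout in scan_file(path):
            print(f"{path}: inflate length table at 0x{offset:x} ({layout})")
```

A hit says that an inflate implementation is compiled in, not which version it is; whether that copy is fixed still has to come from the package's changelog or the advisory.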
default Apache configuration
Hi, i just saw an error on a debian box with apache(-common) 1.3.9-13.2: drwxr-xr-x 14 root root 4096 Dec 7 13:52 /var drwxr-xr-x 6 root root 4096 Mar 11 06:30 /var/log drwxr-xr-x 2 root root 4096 Mar 10 06:25 /var/log/apache -rw-rw-r-- 1 www-data nogroup 134382 Mar 12 13:45 /var/log/apache/access.log tail -n 1 /var/log/apache/access.log 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] GET /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1 200 148 to whom belongs this problem? the programmer, who used GET for a login or the sysadmin who shows every ordinary user the GET-request? btw, i think the apache package is not useable for a webhosting-server (e.g. frontpage is missing, security is in general too bad), so i normally do not use it. bye, Ralf
Re: default Apache configuration
On Tue, 12 Mar 2002, Ralf Dreibrodt wrote: tail -n 1 /var/log/apache/access.log 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] GET /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1 200 148 to whom belongs this problem? the programmer, who used GET for a login or the sysadmin who shows every ordinary user the GET-request? The programmer. There's no reason I know why the logs shouldn't be made public to the users. (Though if security was _that_ important for whatever it is that this password is for, it should be using apache-ssl, not apache.) btw, i think the apache package is not useable for a webhosting-server (e.g. frontpage is missing, security is in general too bad), so i normally do not use it. Meep. You said frontpage. *hides* T
Re: default Apache configuration
On Tue, Mar 12, 2002 at 03:10:43PM +0100, Ralf Dreibrodt wrote: Hi, i just saw an error on a debian box with apache(-common) 1.3.9-13.2: drwxr-xr-x 14 root root 4096 Dec 7 13:52 /var drwxr-xr-x 6 root root 4096 Mar 11 06:30 /var/log drwxr-xr-x 2 root root 4096 Mar 10 06:25 /var/log/apache -rw-rw-r-- 1 www-data nogroup 134382 Mar 12 13:45 /var/log/apache/access.log tail -n 1 /var/log/apache/access.log 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] GET /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1 200 148 Never use GET for password fields. to whom belongs this problem? the programmer, who used GET for a login or the sysadmin who shows every ordinary user the GET-request? btw, i think the apache package is not useable for a webhosting-server (e.g. frontpage is missing, security is in general too bad), so i normally Uhm, security is also more bad if you enable frontpage extensions. Moreover, I think there are major DFSG problems which keep FP extensions off Debian. -- Francesco P. Lovergine
Re: default Apache configuration
Hi, Thomas Thurman wrote: On Tue, 12 Mar 2002, Ralf Dreibrodt wrote: tail -n 1 /var/log/apache/access.log 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] GET /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1 200 148 to whom belongs this problem? the programmer, who used GET for a login or the sysadmin who shows every ordinary user the GET-request? The programmer. There's no reason I know why the logs shouldn't be made public to the users. What about session-ids? Should really be every request a POST-request? I do not think, that this is a good (html)programming style, but perhaps i am wrong. what about apache-ssl-logs? has anyone the possibility to test it? btw, i think the apache package is not useable for a webhosting-server (e.g. frontpage is missing, security is in general too bad), so i normally do not use it. Meep. You said frontpage. well, german customers/endusers want to have frontpage, the big companies (schlund, strato, etc.) offer frontpage, so every small webhosting company has to do the same...unfortunately. bye, Ralf
Re: default Apache configuration
Ralf Dreibrodt wrote: Hi, i just saw an error on a debian box with apache(-common) 1.3.9-13.2: drwxr-xr-x 14 root root 4096 Dec 7 13:52 /var drwxr-xr-x 6 root root 4096 Mar 11 06:30 /var/log drwxr-xr-x 2 root root 4096 Mar 10 06:25 /var/log/apache -rw-rw-r-- 1 www-data nogroup 134382 Mar 12 13:45 /var/log/apache/access.log tail -n 1 /var/log/apache/access.log 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] GET /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1 200 148 to whom belongs this problem? the programmer, who used GET for a login or the sysadmin who shows every ordinary user the GET-request? The programmer. This is a very bad practice, the password also lands in the logs of w3caches along the way, in browser history, etc. Alex -- Janusz A. Urbanowicz | ALEX3-RIPE | SF-F Framling | I want to sail East, beyond Suez, where every evil is a good, where there are no Ten Commandments and one can drink to the bottom;
Re: default Apache configuration
On Tue, Mar 12, 2002 at 03:28:43PM +0100, Ralf Dreibrodt wrote: Thomas Thurman wrote: On Tue, 12 Mar 2002, Ralf Dreibrodt wrote: btw, i think the apache package is not useable for a webhosting-server (e.g. frontpage is missing, security is in general too bad), so i normally do not use it. Meep. You said frontpage. well, german customers/endusers want to have frontpage, the big companies (schlund, strato, etc.) offer frontpage, so every small webhosting company has to do the same...unfortunately. Doesn't *have* to, no. We don't. Frontpage the client can do FTP you know? Simon. -- UK based domain, email and web hosting http://www.blackcatnetworks.co.uk/ [EMAIL PROTECTED] Black Cat Networks -- A lie, Mr. Mulder, is most convincingly hidden between two truths - Deep Throat
Re: MS Front page extensions for Linux
Hello, I also am forced to install M$ Front Page extensions. I am using Debian by choice, M$ Front Page by management decision... I have yet to ever get this to work correctly in the past, and I don't want to break the Apache and Apache-ssl install on my servers just for the M$ stuff. Is there an accepted or unofficial method of getting Debian and FrontPage to play nicely or am I going to have to use M$/IIS and not Debian/apache? That last part was very hard to type... Thanks for any help, Loren At 11:31 AM 03/12/2002 +0800, Marcel Welschbillig wrote: Hi, Is there any known security issues with installing micro$oft Front Page extensions on a Debian Apache web server? I am reluctant to infect my nice Linux web server with micro$oft code. Thanks ! -- Regards, Marcel Welschbillig
Re: default Apache configuration
Said Janusz A. Urbanowicz on Tue, Mar 12, 2002 at 03:27:35PM +0100: The programmer. This is a very bad practice, the password also lands in the logs of w3caches along the way, in browser history, etc. Not to mention that if the user happens to link to another site from this page, the query string will be seen in the HTTP referrer header on the remote site, which often shows up in stats programs. -- [!] Justin R. Miller [EMAIL PROTECTED] PGP 0xC9C40C31 -=- http://codesorcery.net http://www.cnn.com/2002/ALLPOLITICS/01/29/inv.terror.probe/
RE: default Apache configuration
Doesn't *have* to, no. We don't. Frontpage the client can do FTP you know? It is another thing for people to have to understand and learn. And unfortunately, the vast majority of web users have no intent and desire to learn new things, they just want to go with what is familiar. I had to deal with this especially. Eventually, we just installed an IIS server w/ FP extensions on it. Wasn't my choice. - James
RE: MS Front page extensions for Linux
You could always go the route of Plesk. (http://www.plesk.com) they don't officially support Debian, only freebsd and redhat, but I was talking to my sales agent and he said he knew plenty of people who set it up on Debian, slackware, or anything. Plesk 2.5 has frontpage2002 extensions, however you would have to get rid of your current apache/apache-ssl install, due to Plesk compiling its own copy. -- Matt Andreko On-Ramp Indiana (317)774-2100 -Original Message- From: Loren Jordan [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 12, 2002 10:01 AM To: Debian-Security List Subject: Re: MS Front page extensions for Linux Hello, I also am forced to install M$ Front Page extensions. I am using Debian by choice, M$ Front Page by management decision... I have yet to ever get this to work correctly in the past, and I don't want to break the Apache and Apache-ssl install on my servers just for the M$ stuff. Is there an accepted or unofficial method of getting Debian and FrontPage to play nicely or am I going to have to use M$/IIS and not Debian/apache? That last part was very hard to type... Thanks for any help, Loren At 11:31 AM 03/12/2002 +0800, Marcel Welschbillig wrote: Hi, Is there any known security issues with installing micro$oft Front Page extensions on a Debian Apache web server? I am reluctant to infect my nice Linux web server with micro$oft code. Thanks ! -- Regards, Marcel Welschbillig
Re: MS Front page extensions for Linux
At 11:19 AM 3/12/2002 +0100, René Seindal wrote: I have tried to install FP several times (by client request, not desire :-), without any success. Some of the programs are binary only from MS and they segfault consistently, even though they are statically linked. If you decide to, or are forced to infect a system with FP, it probably won't be easy to make it work. In fact, it might not be worthwhile the effort. It might not even be possible, thus resolving the security issues completely :-) If you make it work, please let the rest of us know how you did it. I too would be interested in this. So far I have stalled. I am tempted to install zope for the potential fp users because you can use it via webdav and you can also work right inside your browser. :wq Tim Uckun US Investigations Services/Due Diligence http://www.diligence.com/
RE: default Apache configuration
Hi! On Tue, 12 Mar 2002, Ralf Dreibrodt wrote: tail -n 1 /var/log/apache/access.log 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] GET /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1 200 148 to whom belongs this problem? I would say firstly the programmer who used GET for a password field, _and_ secondly the admin who is giving his password to a non-SSL web form! The programmer. There's no reason I know why the logs shouldn't be made public to the users. Should really be every request a POST-request? I do not think, that this is a good (html)programming style, but perhaps i am wrong. There is no reason to make every request a POST-request. You should use post request if the request contains
- a password field
- a lot of data
- data which may modify a database at the server-side
There is no reason to use POST if the request contains only parameters like
- keywords for a search engine
- a session id
- a page number
I think i've read about this in a RFC, but i don't know exactly in which one. what about apache-ssl-logs? has anyone the possibility to test it? Yes, it's the same: everyone can read it, and the full GET requests are enclosed. The ssl extension only means that the server communicates over https instead of http. regards, Tibor Repasi
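The problem this thread describes, a password sent with GET being written to an access log that local users can read, can be checked for on an existing server. The following is an added example, not code from any poster: it parses Common Log Format lines, flags query-string parameters whose names look like credentials, redacts their values in the report, and tests a file mode for world readability. The parameter-name list is an assumption, and the sample lines are constructed (the first is the request quoted in the thread, written with standard log quoting).

```python
import re
import stat
from urllib.parse import parse_qsl, urlencode, urlsplit

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: parameter names treated as credentials; extend per application.
SENSITIVE = {"password", "passwd", "pass", "pwd"}


def audit_line(line):
    """Return a finding if the logged request has a credential in its query string."""
    match = CLF.match(line)
    if match is None:
        return None
    url = urlsplit(match.group("target"))
    pairs = parse_qsl(url.query, keep_blank_values=True)
    leaked = [name for name, _ in pairs if name.lower() in SENSITIVE]
    if not leaked:
        return None
    # Do not copy the secret into the report: replace the value first.
    safe = urlencode(
        [(n, "REDACTED" if n.lower() in SENSITIVE else v) for n, v in pairs]
    )
    return {
        "time": match.group("time"),
        "method": match.group("method"),
        "status": int(match.group("status")),
        "params": leaked,
        "request": url.path + "?" + safe,
    }


def audit_log(lines):
    """Audit an iterable of log lines and return all findings."""
    return [f for f in map(audit_line, lines) if f is not None]


def mode_is_world_readable(mode):
    """True if the 'other' read bit is set, as in the -rw-rw-r-- listing above."""
    return bool(mode & stat.S_IROTH)


# Constructed sample input.
SAMPLE = [
    '127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] '
    '"GET /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1" 200 148',
    '127.0.0.1 - - [12/Mar/2002:13:54:02 +0100] '
    '"GET /cgi-bin/search.pl?q=debian&page=2 HTTP/1.1" 200 2210',
    '127.0.0.1 - - [12/Mar/2002:13:55:40 +0100] '
    '"POST /cgi-bin/login.pl HTTP/1.1" 200 148',
]

if __name__ == "__main__":
    for finding in audit_log(SAMPLE):
        print(finding)
    print("mode 0664 world-readable:", mode_is_world_readable(0o664))
```

Only the first sample line is reported: the search request carries no credential, and the POST login keeps the password out of the request line.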
zlib ssh
On bugtraq I read something about openssh being vulnerable to the double-free bug. On my woody boxes, I installed the updated zlib1g from unstable and restarted sshd. Is this enough to be protected? Yours, Martin -- PGP/GPG encrypted mail preferred, see header -- Only dead fish swim with the current
IP chains logs to console
I recently upgraded to Woody and now my ipchains is logging all DENY packets to the console, as well as to disk. I changed /etc/syslog.conf to contain one line: kern.* /var/log/mbtest.log and set user = root group = adm on the file and the DENY messages are still logged to disk and the console. I've got plenty of disk space. I found two threads via Google (June '02 and Sept. '02) where people were having the same problem, but neither thread had a solution. http://lists.debian.org/debian-firewall/2001/debian-firewall-200106/msg00167.html http://www.progsoc.uts.edu.au/lists/slug/2001/September/msg00436.html Anyone know how I fix this? Thanks. Mark P.S. I'm not subscribed to debian-security, so if you could include my email in the reply I would appreciate it.
Re: Problems with tripwire:
On Tue, Mar 12, 2002 at 08:59:08AM +0100, Martin Peikert wrote: Petro wrote: Is there a file-security scanner like tripwire (or like AIDE) that works across a network? I'm envisioning something that does local file scanning, then transmits the resulting table to a remote (more secure) host where the verification is done. Try samhain or freeveracity: http://samhain.sourceforge.net/surround.html?main_q.html2 This seems to be exactly what I'm looking for. These guys are paranoid. That is good. That stealth option looks...interesting. http://www.freeveracity.org/ GTi -- For encrypted messages please use my public key, key-ID: 0xA9E35B01 The fingerprint is A684 87F3 C7AA 9728 3C1B 85BF 0500 B2C7 A9E3 5B01 -- Share and Enjoy.
Re: Problems with tripwire:
On Tue, Mar 12, 2002 at 08:57:40PM +0100, Michel Verdier wrote: Petro [EMAIL PROTECTED] wrote: | !/var/log/ksymoops/ | /var/log@@LOGSEARCH | | Now, according to my understanding, the ! in front of /var/log/ksymoops/ | should be telling tripwire to ignore things under there, right? | | Obviously, it's not. The last match is used, try to switch these ones I did, that is the second. I'll try it again. -- Share and Enjoy.
Re: IP chains logs to console
[EMAIL PROTECTED] writes: [snip] and set user = root group = adm on the file and the DENY messages are still logged to disk and the console. I've got plenty of disk space. I found two threads via Google (June '02 and Sept. '02) where people were having the same problem, but neither thread had a solution. http://lists.debian.org/debian-firewall/2001/debian-firewall-200106/msg00167.html http://www.progsoc.uts.edu.au/lists/slug/2001/September/msg00436.html Anyone know how I fix this? Thanks. `klogd -c 4' is your friend. Adjust /etc/init.d/klogd to suit. ~Tim -- http://spodzone.org.uk/
Re: [SECURITY] [DSA 122-1] New zlib other packages fix buffer overflow
On Tue, 12 Mar 2002, Zephaniah E. Hull wrote: On Tue, Mar 12, 2002 at 05:46:13PM +1100, Andrew Tait wrote: Unless you are going to dial into a malicious ISP, I doubt this will be a problem (AFAIK, but don't quote me). Or unless you happen to be a small ISP using pppd on the receiving end and have malicious users? That is what I am concerned about. We are a freenet with about 1000 active users. Depending on your viewpoint, unfortunately one of the other volunteers upgraded dialup server to 2.4 kernel with the bunk packages in an attempt to improve the problematic equinox SST and upgrade the eqnx module. We are moving to an Ascend Max within a couple of months, but a real exploit to our current pppd problem is likely to be available before then. Our non-profit board of directors recently decided to allow a user back on that stole one of our machines over 2 years ago and has continued to be a pain in the ass. If a script kiddie exploit becomes available, he just might do some serious damage. Unless someone has some other suggestions, I'll try the hybrid potato/woody suggested by Andrew Tait sometime this weekend. Thanks, Chuck
Re: IP chains logs to console
Said [EMAIL PROTECTED] on Tue, Mar 12, 2002 at 03:20:29PM -0500: Anyone know how I fix this? Typing 'dmesg -n1' will turn down the console output. I'm not sure what downsides this may have, though. -- [!] Justin R. Miller [EMAIL PROTECTED] PGP 0xC9C40C31 -=- http://codesorcery.net http://www.cnn.com/2002/ALLPOLITICS/01/29/inv.terror.probe/
Re: zlib ssh
On Tue, Mar 12, 2002 at 09:19:22PM +0100, Martin Hermanowski wrote: On my woody boxes, I installed the updated zlib1g from unstable and restarted sshd. Is this enough to be protected? As far as SSH is concerned (and providing your mirror was up to date enough to have 1:1.1.3-19.1 or later of zlib), yes. -- You grabbed my hand and we fell into it, like a daydream - or a fever.
Re: default Apache configuration
Ralf Dreibrodt [EMAIL PROTECTED] writes: i just saw an error on a debian box with apache(-common) 1.3.9-13.2: Time to upgrade ;-), potato's apache is at 1.3.9-14. drwxr-xr-x 14 root root 4096 Dec 7 13:52 /var drwxr-xr-x 6 root root 4096 Mar 11 06:30 /var/log drwxr-xr-x 2 root root 4096 Mar 10 06:25 /var/log/apache -rw-rw-r-- 1 www-data nogroup 134382 Mar 12 13:45 /var/log/apache/access.log The ownership and permissions of apache log files is known to be (have been?) a problem. See #72468. I have recently done a fresh install of 1.3.23-1 and noticed that all of these problems have gone away, but for the fact that the initial logs are created root.root 0644. -- Olaf Meeuwissen, Epson Kowa Corporation, CID GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97 976A 16C7 F27D 6BE3 7D90 LPIC-2 -- I hack, therefore I am -- BOFH
Re: [SECURITY] [DSA 122-1] New zlib other packages fix buffer overflow
On Tue, Mar 12, 2002 at 05:46:13PM +1100, Andrew Tait wrote: Update your sources.list to have both stable and testing (and make sure you called them that, not potato/woody), Why should they be named potato/woody rather than stable/testing? -- David Hart [EMAIL PROTECTED]