Re: Strange segmentation faults and Zombies

2003-09-17 Thread Ralf Dreibrodt
Hi,

Markus Schabel wrote:
> 
> I've seen some strange things on my (stable with security-updates)
> server: the last apt-get update didn't work because gzip segfaulted.
> I've copied gzip from another server over the version on this server,
> but it also crashed. Interesting was that the executable was bigger
> after the segfault.

try the following:

md5sum /bin/gzip
scp goodserver:/bin/gzip /bin/gzip
md5sum /bin/gzip
ls /bin/gzip
md5sum /bin/gzip

can you send the output?

I had the same problem on a few servers: every file was bigger before
the ls, but still worked, except gzip, which segfaulted.
You can also strace ls; normally ls does nothing in /proc, but this ls
did things in /proc.

But where is it from?
Have you installed/executed any binaries besides Debian packages?

Regards,
Ralf Dreibrodt


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
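An added example (not Ralf's or any other poster's code) that automates the md5sum / run / md5sum comparison Ralf suggests: it records the size and MD5 of a set of executables, runs a command, and reports which files changed afterwards. The directory, the two fake binaries and the tampering command are constructed inline; the tampering command stands in for an ls that writes to other binaries.

```python
import hashlib
import os
import shutil
import subprocess
import sys
import tempfile


def snapshot(paths):
    """Return {path: (size_in_bytes, md5_hex)} for the given files."""
    result = {}
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        result[path] = (len(data), hashlib.md5(data).hexdigest())
    return result


def changed_files(before, after):
    """List (path, old_size, new_size) for files whose size or digest differ."""
    changed = []
    for path, (old_size, old_md5) in before.items():
        new_size, new_md5 = after.get(path, (None, None))
        if (new_size, new_md5) != (old_size, old_md5):
            changed.append((path, old_size, new_size))
    return sorted(changed)


def check_command_side_effects(paths, argv):
    """Hash the files, run argv, hash again and report what changed.
    A command such as ls that alters unrelated executables is a red flag."""
    before = snapshot(paths)
    subprocess.run(argv, check=False,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    after = snapshot(paths)
    return changed_files(before, after)


def demo():
    """Constructed scenario: a temporary 'bin' directory with two fake
    executables, one benign command that only reads a file, and one tampering
    command that appends 16 bytes to gzip (standing in for an ls that modifies
    other binaries).  Returns the two change reports."""
    workdir = tempfile.mkdtemp()
    try:
        gzip_path = os.path.join(workdir, "gzip")
        tar_path = os.path.join(workdir, "tar")
        for path in (gzip_path, tar_path):
            with open(path, "wb") as fh:
                fh.write(b"\x7fELF" + b"\x00" * 60)   # 64-byte stand-in binary
        benign = [sys.executable, "-c",
                  "import sys; open(sys.argv[1], 'rb').read()", gzip_path]
        tamper = [sys.executable, "-c",
                  "import sys; open(sys.argv[1], 'ab').write(b'X' * 16)", gzip_path]
        clean = check_command_side_effects([gzip_path, tar_path], benign)
        dirty = check_command_side_effects([gzip_path, tar_path], tamper)
    finally:
        shutil.rmtree(workdir)
    return clean, dirty


if __name__ == "__main__":
    clean, dirty = demo()
    print("after benign command, changed files:", clean)
    print("after tampering command, changed files:", dirty)
```

On a real system the same check is `md5sum` over /bin before and after running the suspect command; the point is that a read-only command must never change the digests.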



about sendmail hole - relay restrictions bypassed

2003-09-17 Thread Hideki Yamane
Hi list,

 As you know, with DSA-384-1 the sendmail buffer overflow vulnerability
 is fixed, but another hole, "sendmail relay access restrictions
 can be bypassed with bogus DNS" (*), is NOT fixed yet.

 * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=174907

 Do you know why the maintainer has left this issue alone?
 Or does it not affect the Debian package? (If so, this bug should be closed.)

-- 
Regards,

 Hideki Yamane    mailto:henrich @ iijmio-mail.jp



Re: Strange segmentation faults and Zombies

2003-09-17 Thread Laurent Corbes {Caf'}
On Wed, 17 Sep 2003 22:29:58 +0200
Markus Schabel <[EMAIL PROTECTED]> wrote:

> I've seen some strange things on my (stable with security-updates)
> server: the last apt-get update didn't work because gzip segfaulted.
> I've copied gzip from another server over the version on this server,
> but it also crashed. Interesting was that the executable was bigger
> after the segfault.

Curious.

> In a ps I can see a lot of Zombies (rm, ln, readlink, grep) and I've no
> idea where they come from.

It's the daily cronjob that stole.

> You think the server got hacked? Are there any other things that can
> lead to this? man also behaves strange, it says either "No manual entry
> for...", "What manual page do you want?" or nothing.

I'm thinking about a hardware problem.
Maybe the hard drive is failing (get the output of dmesg) or a very big
RAM problem that corrupts files on the hard drive.

In every case, simply copy all the data you can and inspect the HDD in another
box, mounting it read-only.

-- 
 http://glot.net/, [EMAIL PROTECTED]
 Cycom http://www.rezal.net/, Epidemic http://epidemic.glot.net/
--





Strange segmentation faults and Zombies

2003-09-17 Thread Markus Schabel

Hello!

I've seen some strange things on my (stable with security-updates)
server: the last apt-get update didn't work because gzip segfaulted.
I've copied gzip from another server over the version on this server,
but it also crashed. Interesting was that the executable was bigger
after the segfault.

In a ps I can see a lot of Zombies (rm, ln, readlink, grep) and I've no
idea where they come from.

I thought I should try chkrootkit downloaded and compiled on an external
computer (because on the server there are no development programs) and
scp'ed it over. After running I see the following in the ps aux output:

root 23029  0.2  0.1  2320 1300 pts/0    S    18:53   0:00 /bin/sh ./chkrootkit
root 23088  0.0  0.0  1220  216 pts/0    T    18:53   0:00 /bin/egrep (^|[^A-Za-z0-9_])biff([^A-Za-z0-9_]|$)
root 23089  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [egrep <defunct>]
root 23093  0.0  0.0  1220  216 pts/0    T    18:53   0:00 /bin/egrep c
root 23094  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [egrep <defunct>]
root 23113  0.0  0.0  1220  216 pts/0    T    18:53   0:00 /bin/egrep (^|[^A-Za-z0-9_])chsh([^A-Za-z0-9_]|$)
root 23117  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [egrep <defunct>]
root 23118  0.0  0.0  1220  216 pts/0    T    18:53   0:00 /bin/egrep c
root 23119  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [egrep <defunct>]
root 23134  0.0  0.0  1220  216 pts/0    T    18:53   0:00 /bin/egrep c
root 23136  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [egrep <defunct>]
root 23150  0.0  0.0  1220  216 pts/0    T    18:53   0:00 /bin/egrep c
root 23151  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [egrep <defunct>]
root 23170  0.0  0.0  1220  216 pts/0    T    18:53   0:00 /bin/egrep c
root 23171  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [egrep <defunct>]
root 23191  0.0  0.0  1220  216 pts/0    T    18:53   0:00 /bin/egrep ^/bin/.*sh$|bash|elite$|vejeta|\.ark
root 23194  0.0  0.0  1220  216 pts/0    T    18:53   0:00 /bin/egrep ^...s
root 23195  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [egrep <defunct>]
root 23198  0.0  0.0  1220  216 pts/0    T    18:53   0:00 /bin/egrep (^|[^A-Za-z0-9_])echo([^A-Za-z0-9_]|$)
root 23203  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [egrep <defunct>]
root 23204  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [egrep <defunct>]
root 23216  0.0  0.0  1220  216 pts/0    T    18:53   0:00 /bin/egrep ^...s
root 23220  0.0  0.0  1220  216 pts/0    T    18:53   0:00 /bin/egrep (^|[^A-Za-z0-9_])egrep([^A-Za-z0-9_]|$)
root 23221  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [egrep <defunct>]
root 23225  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [egrep <defunct>]
root 23226  0.0  0.0  1220  216 pts/0    T    18:53   0:00 /bin/egrep c
root 23227  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [egrep <defunct>]
root 23240  0.0  0.0  1220  216 pts/0    T    18:53   0:00 /bin/egrep c
root 23245  0.0  0.0  1220  216 pts/0    T    18:53   0:00 /bin/egrep ^/bin/.*sh$|bash|elite$|vejeta|\.ark
root 23258  0.0  0.0  1220  216 pts/0    T    18:53   0:00 /bin/egrep c
root 23259  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [egrep <defunct>]
root 23260  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [egrep <defunct>]
root 23261  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [egrep <defunct>]
root 23287  0.0  0.0  1220  216 pts/0    T    18:53   0:00 /bin/egrep c
root 23288  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [egrep <defunct>]
root 23299  0.0  0.0  1220  216 pts/0    T    18:53   0:00 /bin/egrep c
root 23304  0.0  0.0  1220  216 pts/0    T    18:53   0:00 /bin/egrep givemer
root 23306  0.0  0.0  1272  412 pts/0    S    18:53   0:00 /bin/egrep ^...s
root 23307  0.0  0.0  1604  308 pts/0    T    18:53   0:00 /bin/ls -l /bin/grep
root 23308  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [ls <defunct>]
root 23309  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [egrep <defunct>]
root 23311  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [egrep <defunct>]
root 23313  0.0  0.0     0    0 pts/0    Z    18:53   0:00 [egrep <defunct>]

As you can see there's a lot of Zombies. That output started when
chkrootkit analysed grep (it stopped there and continued only after I
removed all processes in T state), then the same with inetd and after
that I gave up.

You think the server got hacked? Are there any other things that can
lead to this? man also behaves strange, it says either "No manual entry
for...", "What manual page do you want?" or nothing.

regards
Markus



Re: Pat on the back

2003-09-17 Thread Antti Tolamo
In the message of Wednesday, 17 September 2003 18:18, Robert Brockway wrote:
> Hi.  I just wanted to say thanks to the security team for the rapid
> deployment of the fixed versions of OpenSSH (twice).
>
> Often people are quick to post negative emails and not so quick to post
> positive emails, so I just wanted to say that many of us really do
> appreciate the work the security team does.  Knowing that fixed versions
> will be in the security archive quickly helps to keep my blood pressure
> down :)
>
> Cheers,
>   Rob


Same here. I give a few applauds too.
Keep the updates flowing in!

Antti

-- 
My PGP public key:

http:://tola.org/pgp.txt






Re: Pat on the back

2003-09-17 Thread Christopher Taylor

Robert Brockway wrote:
> Hi.  I just wanted to say thanks to the security team for the rapid
> deployment of the fixed versions of OpenSSH (twice).

I fully agree. Thanks a lot!
  --Chris



Re: [d-security] Re: ssh vulnerability in the wild

2003-09-17 Thread Rich Puhek
Adrian von Bidder wrote:
> On Tuesday 16 September 2003 22:30, Rich Puhek wrote:
> [mix stable/testing/unstable]
>
> This is what I usually do - and usually, it works quite fine. Right now,
> though, I've been pulling in more and more from testing/unstable since some
> things depend on the new glibc, and some other things randomly break when
> used with the new glibc, so I've had to upgrade those things, which in turn
> depend on foo, which...

Ahh, when it starts to want to download a lot of libraries I don't know
much about, that's when I lean towards apt-get source. It reduces the
exploding dependencies/conflicts problem...

--Rich


_

Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746

tel:   218.262.1130
email: [EMAIL PROTECTED]
_



Re: Debian + Verisign's .com/.net hijack

2003-09-17 Thread Joey Hess
Arthur de Jong wrote:
> This will only work for a little while as a colleague of mine noted. This
> will block
>   *   IN   A   64.94.110.11
> but not
>   *   IN   NS  64.94.110.11
> which is a valid delegation. The 64.94.110.11 nameserver should then only
> return 64.94.110.11 for all requests for A records.

Paul Vixie addressed just this possibility in
<[EMAIL PROTECTED]> on the NANOG list. You can mark
such a name server as "bogus". Assuming that IP is routable at all; I have
not seen a packet from 64.94.110.11 in over 24 hours.

-- 
see shy jo




Re: Verisign and Bind update

2003-09-17 Thread Ilkka Tuohela
Wed, 2003-09-17 at 18:12, James Miller wrote:
> Will the package maintainers of BIND be integrating the patches from
> ISC-BIND to negate  Verisign's recent shenanigans?

Well, it's not only a patch, it's part of bind upstream releases, so yes
of course it will eventually be in the packaged version.

Actually, there already seems to be a release with this available.

*hile*



RE: Verisign and Bind update

2003-09-17 Thread James Miller
Ack, sorry folks.. I need to finish reading my mail before sending anything
out.



-Original Message-
From: James Miller [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 17, 2003 10:12 AM
To: debian-security@lists.debian.org
Subject: Verisign and Bind update


Will the package maintainers of BIND be integrating the patches from
ISC-BIND to negate  Verisign's recent shenanigans?

--from ISC's web site --

In response to high demand from our users, ISC is releasing a patch for BIND
to support the declaration of "delegation-only" zones in caching/recursive
name servers. Briefly, a zone which has been declared "delegation-only" will
be effectively limited to containing NS RRs for subdomains, but no actual
data outside its apex (for example, its SOA RR and apex NS RRset). This can
be used to filter out "wildcard" or "synthesized" data from NAT boxes or
from authoritative name servers whose undelegated (in-zone) data is of no
interest.

Example named.conf entry for the zone:

zone "foo" {
 type delegation-only;
};
Release Candidates/Patches that support "delegation-only" zones:



->Jim








Pat on the back

2003-09-17 Thread Robert Brockway
Hi.  I just wanted to say thanks to the security team for the rapid
deployment of the fixed versions of OpenSSH (twice).

Often people are quick to post negative emails and not so quick to post
positive emails, so I just wanted to say that many of us really do
appreciate the work the security team does.  Knowing that fixed versions
will be in the security archive quickly helps to keep my blood pressure
down :)

Cheers,
Rob

-- 
Robert Brockway B.Sc. email: [EMAIL PROTECTED], [EMAIL PROTECTED]
Linux counter project ID #16440 (http://counter.li.org)
"The earth is but one country and mankind its citizens" -Baha'u'llah



Verisign and Bind update

2003-09-17 Thread James Miller
Will the package maintainers of BIND be integrating the patches from
ISC-BIND to negate  Verisign's recent shenanigans?

--from ISC's web site --

In response to high demand from our users, ISC is releasing a patch for BIND
to support the declaration of "delegation-only" zones in caching/recursive
name servers. Briefly, a zone which has been declared "delegation-only" will
be effectively limited to containing NS RRs for subdomains, but no actual
data outside its apex (for example, its SOA RR and apex NS RRset). This can
be used to filter out "wildcard" or "synthesized" data from NAT boxes or
from authoritative name servers whose undelegated (in-zone) data is of no
interest.

Example named.conf entry for the zone:

zone "foo" {
 type delegation-only;
};
Release Candidates/Patches that support "delegation-only" zones:



->Jim






unsubscribe

2003-09-17 Thread Daniel Lampertseder





Re: Debian + Verisign's .com/.net hijack

2003-09-17 Thread Thomas Horsten
On Wed, 17 Sep 2003, Gaël Le Mignot wrote:

>  > What precisely have they done? I'd not heard about
>  > their latest idiocy...
>
> They decided  to answer to all  requests for a  non-existing domain in
> .com  or .net  with the  IP  of some  of their  computers, hosting  an
> advertising page...

Please note they include the sentence "The Value Of Trust" in their
corporate logo.

// Thomas




Unidentified subject!

2003-09-17 Thread Vít Vomáčko





unsubscribe

2003-09-17 Thread Mark Pingert






security updates vs. proposed-updates

2003-09-17 Thread Marcin Owsiany
Hi!

Many people asked (in messages to [EMAIL PROTECTED]) how to get the security
updates when there's a newer version of the package in question in
proposed-updates, so I thought that posting this here could be useful.

Here's the way I've been doing it recently:

Add (for every package you need) an entry like this into /etc/apt/preferences:

Explanation: override stable-updates/stable-security desync
Package: ssh
Pin: release l=Debian-Security
Pin-Priority: 1001

This seems to work better than other suggested ways:
 - putting the package on hold (you need to override it when the security
   update is updated again)
 - removing proposed-updates from sources.list (2.4.x kernels from
   Herbert are there)

Maybe this could be added to the security team FAQ?

Disclaimer: I'm not a member of the security team.

Marcin
-- 
Marcin Owsiany <[EMAIL PROTECTED]> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216


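Added example (not Marcin's or apt's own code): a simplified model of apt's candidate selection, run on constructed version numbers where the security archive carries an older revision than proposed-updates. It parses the stanza from the post, shows that without a pin the higher proposed-updates version wins, that a pin of 1001 makes the Debian-Security version win, and why 990 would not be enough once the proposed-updates version is installed (apt only downgrades at priority 1000 or more). The version strings and the "Debian" label for proposed-updates are assumptions, and the dpkg version comparison is reimplemented here rather than taken from apt.

```python
import re

DEFAULT_PRIORITY = 500   # apt's priority for any version not matched by a pin


def _char_order(c):
    """dpkg ordering for one character of a non-digit run: '~' sorts before
    everything (even end of string), letters before non-letters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    """Compare two version fragments dpkg-style: alternate non-digit runs
    (character by character) and digit runs (numerically)."""
    while a or b:
        ra, rb = re.match(r"[^0-9]*", a).group(0), re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(ra):], b[len(rb):]
        for i in range(max(len(ra), len(rb))):
            oa = _char_order(ra[i] if i < len(ra) else "")
            ob = _char_order(rb[i] if i < len(rb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"[0-9]*", a).group(0), re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 for Debian versions of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def parse_preferences(text):
    """Extract {label: priority} from stanzas whose Pin is 'release l=<label>'."""
    pins = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(":", 1) for line in stanza.splitlines() if ":" in line)
        m = re.match(r"\s*release\s+l=(\S+)", fields.get("Pin", ""))
        if m and "Pin-Priority" in fields:
            pins[m.group(1)] = int(fields["Pin-Priority"])
    return pins


def candidate(available, pins, installed=None):
    """Simplified apt candidate selection: highest pin priority wins, ties go
    to the highest version, and a candidate older than the installed version
    is only taken when its priority is 1000 or more (apt's downgrade rule).
    available: [(version, release_label)]; returns (version, source)."""
    best = None
    for version, label in available:
        prio = pins.get(label, DEFAULT_PRIORITY)
        if best is None or prio > best[2] or (
                prio == best[2] and compare_versions(version, best[0]) > 0):
            best = (version, label, prio)
    if installed and compare_versions(best[0], installed) < 0 and best[2] < 1000:
        return installed, "installed"
    return best[0], best[1]


def scenarios():
    """Constructed version numbers: the security archive carries an older
    revision than proposed-updates, the situation Marcin describes."""
    marcin_pin = parse_preferences(
        "Explanation: override stable-updates/stable-security desync\n"
        "Package: ssh\nPin: release l=Debian-Security\nPin-Priority: 1001\n")
    available = [("1:3.4p1-1.woody.3", "Debian-Security"),
                 ("1:3.4p1-1.woody.4", "Debian")]   # 'Debian' = assumed proposed-updates label
    newer = "1:3.4p1-1.woody.4"
    return {
        "parsed_pin": marcin_pin,
        "no_pin": candidate(available, {}),
        "pin_1001": candidate(available, marcin_pin),
        "pin_990_proposed_installed": candidate(available, {"Debian-Security": 990}, installed=newer),
        "pin_1001_proposed_installed": candidate(available, marcin_pin, installed=newer),
    }
```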



Re: Debian + Verisign's .com/.net hijack

2003-09-17 Thread Arthur de Jong

> While the "first generation" patches work with hardcoded values, there
> are others that are much more general. Check the link of the ISC patch
> for a description:
>
>   http://www.isc.org/products/BIND/delegation-only.html

This will only work for a little while as a colleague of mine noted. This
will block
  *   IN   A   64.94.110.11
but not
  *   IN   NS  64.94.110.11
which is a valid delegation. The 64.94.110.11 nameserver should then only
return 64.94.110.11 for all requests for A records.

-- arthur - [EMAIL PROTECTED] - http://tiefighter.et.tudelft.nl/~arthur --
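Added example (not ISC's, BIND's or any poster's code): a toy model of what the "delegation-only" rule from the ISC description does to a TLD response, run against constructed records built from the thread's wildcard answers. It covers the synthesized A record that the filter drops, the wildcard NS delegation Arthur describes that survives the filter, and the "bogus" server mark Joey Hess mentions as the way to deal with that. Server names are assumptions; 64.94.110.11 is the address from the thread.

```python
SITEFINDER_IP = "64.94.110.11"   # the address returned in the thread's dig output


def in_zone(name, zone):
    """True if name equals zone or lies below it (lower-case, no trailing dot)."""
    return name == zone or name.endswith("." + zone)


def delegation_only_filter(zone, records):
    """Apply the delegation-only rule for `zone` to (owner, type, rdata)
    tuples: keep apex data of any type and NS records below the apex; drop
    every other in-zone record, e.g. a wildcard-synthesized A."""
    apex = zone.rstrip(".").lower()
    kept = []
    for owner, rtype, rdata in records:
        name = owner.rstrip(".").lower()
        if not in_zone(name, apex) or name == apex or rtype == "NS":
            kept.append((owner, rtype, rdata))
    return kept


def resolve(qname, zone, records, bogus_servers=frozenset(), use_filter=True):
    """Outcome of an A query given the records a TLD server returned:
    'ANSWER <ip>', 'DELEGATED <ns>', 'REFUSED <ns>' or 'NXDOMAIN'.
    bogus_servers holds NS names the resolver is configured never to query."""
    kept = delegation_only_filter(zone, records) if use_filter else records
    for owner, rtype, rdata in kept:
        if owner == qname and rtype == "A":
            return "ANSWER " + rdata
    for owner, rtype, rdata in kept:
        if owner == qname and rtype == "NS":
            if rdata in bogus_servers:
                return "REFUSED " + rdata
            return "DELEGATED " + rdata
    return "NXDOMAIN"


def scenarios():
    """Constructed TLD responses modelled on the thread; outcomes by label."""
    zone = "com."
    qname = "no-such-name-example.com."
    apex = [("com.", "NS", "a.gtld-servers.net."),
            ("com.", "SOA", "a.gtld-servers.net. hostmaster.example. 1 2 3 4 5")]
    # 1. First-generation wildcard: an A record synthesized for the missing name.
    wildcard_a = apex + [(qname, "A", SITEFINDER_IP)]
    # 2. Arthur de Jong's variant: a wildcard NS delegation to a server that
    #    answers every A query with SITEFINDER_IP (server name constructed).
    wildcard_ns = apex + [(qname, "NS", "sitefinder-ns.example.")]
    # 3. An ordinary delegation of a registered name (constructed).
    registered = apex + [("registered-example.com.", "NS", "ns1.registered-example.net.")]
    return {
        "unfiltered_wildcard_a": resolve(qname, zone, wildcard_a, use_filter=False),
        "wildcard_a": resolve(qname, zone, wildcard_a),
        "wildcard_ns": resolve(qname, zone, wildcard_ns),
        "wildcard_ns_bogus": resolve(qname, zone, wildcard_ns,
                                     bogus_servers={"sitefinder-ns.example."}),
        "registered": resolve("registered-example.com.", zone, registered),
    }


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label:24} -> {outcome}")
```

The model shows the limit Arthur points out: delegation-only can only distinguish data from delegations, so a wildcard delegation needs the extra per-server "bogus" rule.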




Re: Debian + Verisign's .com/.net hijack

2003-09-17 Thread Andy Coates
Dale Amon ([EMAIL PROTECTED]) wrote:
> On Wed, Sep 17, 2003 at 11:57:16AM +0100, Andy Coates wrote:
> > They've put a wildcard DNS entry for .com and .net to resolve to their
> > product called "SiteFinder" which offers an IE/MSN-like "Did you mean
> > to type " services.
> > 
> > So any domain that doesn't exist, or in the PENDING/DELETE states, or has
> > no nameservers associated with it, now resolves.
> 
> Ah, so what would happen if many thousands of people ran pings 
> and other things against nonexistent names?
> 

Pings are being blocked AFAIK, but there are many ports open (mail for
example).  Best bet is to search the NANOG lists (www.nanog.org), whole
lotta information and discussion about it there.

Andy.



Re: OpenSSH

2003-09-17 Thread Emmanuel Lacour
On Wed, Sep 17, 2003 at 12:41:48PM +0200, Lukas Ruf wrote:
> 
> do you also provide the sources of your unofficial distribution?
> 

I just uploaded them (http://debian.home-dn.net/woody/ssh/)


apt-get source should work too


-- 
Emmanuel Lacour  Easter-eggs
44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
Phone: +33 (0) 1 43 35 00 37- Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED]   -http://www.easter-eggs.com



Re: Debian + Verisign's .com/.net hijack

2003-09-17 Thread Dale Amon
On Wed, Sep 17, 2003 at 11:57:16AM +0100, Andy Coates wrote:
> They've put a wildcard DNS entry for .com and .net to resolve to their
> product called "SiteFinder" which offers an IE/MSN-like "Did you mean
> to type " services.
> 
> So any domain that doesn't exist, or in the PENDING/DELETE states, or has
> no nameservers associated with it, now resolves.

Ah, so what would happen if many thousands of people ran pings 
and other things against nonexistent names?




Re: OpenSSH

2003-09-17 Thread Lukas Ruf
Emmanuel,

> Emmanuel Lacour <[EMAIL PROTECTED]> [2003-09-17 12:33]:
>
> On Wed, Sep 03, 2003 at 11:20:45AM +0200, Matthias Faulstich wrote:
> > Hello,
> > 
> > does anybody know, whether the chroot-patch will be included in future 
> > versions of the official ssh package?
> > 
> 
> I maintain an unofficial one at:
> 
> deb http://debian.home-dn.net/woody ssh/
> 
> 
> (up to date with last security fix)

do you also provide the sources of your unofficial distribution?

Gruss,
Lukas
-- 
Lukas Ruf                 Swiss Federal Institute of Technology
Office: ETZ-G61.2         Computer Engineering and Networks Lab
Fon:  +41/1/632 7312      ETH Zentrum / Gloriastr. 35 / CH-8092 Zurich
Fax:  +41/1/632 1035      PGP: 6323 B9BC 9C8E 6563 B477 BADD FEA6 E6B7



Re: Debian + Verisign's .com/.net hijack

2003-09-17 Thread Mike Hommey
On Wednesday 17 September 2003 12:46, Dale Amon wrote:
> What precisely have they done? I'd not heard about
> their latest idiocy...

[EMAIL PROTECTED]:~$ dig verisign-go-fuck-yourself.com
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.2.2 <<>> verisign-go-fuck-yourself.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24755
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13

;; QUESTION SECTION:
;verisign-go-fuck-yourself.com. IN  A

;; ANSWER SECTION:
verisign-go-fuck-yourself.com. 900 IN   A   64.94.110.11

;; AUTHORITY SECTION:
com.116276  IN  NS  g.gtld-servers.net.
com.116276  IN  NS  i.gtld-servers.net.
com.116276  IN  NS  l.gtld-servers.net.
com.116276  IN  NS  d.gtld-servers.net.
com.116276  IN  NS  m.gtld-servers.net.
com.116276  IN  NS  h.gtld-servers.net.
com.116276  IN  NS  c.gtld-servers.net.
com.116276  IN  NS  k.gtld-servers.net.
com.116276  IN  NS  f.gtld-servers.net.
com.116276  IN  NS  j.gtld-servers.net.
com.116276  IN  NS  a.gtld-servers.net.
com.116276  IN  NS  e.gtld-servers.net.
com.116276  IN  NS  b.gtld-servers.net.

;; ADDITIONAL SECTION:
g.gtld-servers.net. 116118  IN  A   192.42.93.30
i.gtld-servers.net. 116118  IN  A   192.43.172.30
l.gtld-servers.net. 116118  IN  A   192.41.162.30
d.gtld-servers.net. 116118  IN  A   192.31.80.30
m.gtld-servers.net. 116118  IN  A   192.55.83.30
h.gtld-servers.net. 116118  IN  A   192.54.112.30
c.gtld-servers.net. 116118  IN  A   192.26.92.30
k.gtld-servers.net. 116118  IN  A   192.52.178.30
f.gtld-servers.net. 116118  IN  A   192.35.51.30
j.gtld-servers.net. 116118  IN  A   192.48.79.30
a.gtld-servers.net. 115467  IN  A   192.5.6.30
e.gtld-servers.net. 116118  IN  A   192.12.94.30
b.gtld-servers.net. 116118  IN  A   192.33.14.30

;; Query time: 110 msec
;; SERVER: 62.4.16.70#53(62.4.16.70)
;; WHEN: Wed Sep 17 12:58:57 2003
;; MSG SIZE  rcvd: 495

-- 
"I have sampled every language, french is my favorite. Fantastic language,
especially to curse with. Nom de dieu de putain de bordel de merde de
saloperie de connard d'enculé de ta mère. It's like wiping your ass
with silk! I love it." -- The Merovingian, in the Matrix Reloaded



Re: Debian + Verisign's .com/.net hijack

2003-09-17 Thread Adrian von Bidder
On Wednesday 17 September 2003 12:46, Dale Amon wrote:
> What precisely have they done? I'd not heard about
> their latest idiocy...

They have registered domains like
http://www.islandone-is-bad.org
to point to their own web site. (Note: the web site is overloaded and thus 
frequently doesn't work).

HTH
-- vbi

-- 
Packages should build-depend on what they should build-depend.
-- Santiago Vila on debian-devel




Re: Debian + Verisign's .com/.net hijack

2003-09-17 Thread Gaël Le Mignot
 > What precisely have they done? I'd not heard about
 > their latest idiocy... 

They decided to answer to all requests for a non-existing domain in .com
or .net with the IP of some of their computers, hosting an advertising
page...

-- 
Gael Le Mignot "Kilobug" - [EMAIL PROTECTED] - http://kilobug.free.fr
GSM : 06.71.47.18.22 (in France)   ICQ UIN   : 7299959
Fingerprint : 1F2C 9804 7505 79DF 95E6 7323 B66B F67B 7103 C5DA

Member of HurdFr: http://hurdfr.org - The GNU Hurd: http://hurd.gnu.org



Re: Debian + Verisign's .com/.net hijack

2003-09-17 Thread Andy Coates
Dale Amon ([EMAIL PROTECTED]) wrote:
> What precisely have they done? I'd not heard about
> their latest idiocy... 
> 
> [I note that I just got html mail from them about 
>  a domain renewal... I just delete html mail 
>  without reading.]

They've put a wildcard DNS entry for .com and .net to resolve to their
product called "SiteFinder" which offers an IE/MSN-like "Did you mean
to type " services.

So any domain that doesn't exist, or in the PENDING/DELETE states, or has
no nameservers associated with it, now resolves.

Andy.



Re: OpenSSH

2003-09-17 Thread A.Bory G2MS

> > does anybody know, whether the chroot-patch will be included in future
> > versions of the official ssh package?

thanks to Emmanuel Lacour, there is also a private repository with
ssh+chroot for woody:

http://debian.home-dn.net/woody/ssh/

Alexis Bory





Re: Debian + Verisign's .com/.net hijack

2003-09-17 Thread Adrian von Bidder
On Wednesday 17 September 2003 11:57, Ronny Adsetts wrote:

> Better to get Verisign to revoke this stupidity. After all, another TLD
> did the same some time ago and the US government intervened, IIRC, to
> get it changed back (.biz?).
>

host sdkljhsdlfkjsdfkljsdf.cc
sdkljhsdlfkjsdfkljsdf.cc has address 206.253.214.102

So - no, it's not been changed back, at least in that case. But then, who uses 
.cc (except spammers).

cheers
-- vbi

-- 
 Turns out that grep returns error code 1 when there are no matches.
   I KNEW that.  Why did it take me half an hour?
-- Seen on #Debian




Re: Debian + Verisign's .com/.net hijack

2003-09-17 Thread Arthur de Jong

> While the "first generation" patches work with hardcoded values, there
> are others that are much more general. Check the link of the ISC patch
> for a description:
>
>   http://www.isc.org/products/BIND/delegation-only.html

This will only work for a little while as a colleague of mine noted. This
will block
  *   IN   A   64.94.110.11
but not
  *   IN   NS  64.94.110.11
which is a valid delegation. The 64.94.110.11 nameserver should then only
return 64.94.110.11 for all requests for A records.

-- arthur - [EMAIL PROTECTED] - http://tiefighter.et.tudelft.nl/~arthur --

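The delegation-only behaviour and the wildcard-NS loophole Arthur describes, as an added Python model that is not code from ISC's patch or from the message: replies are constructed dicts rather than real DNS messages, 64.94.110.11 is the address from the dig output earlier in the thread, and the nameserver host name under the wildcard NS record is a placeholder.

```python
# Added model, not code from ISC's patch or from the message above: what a
# delegation-only zone does to replies from the .com servers, and the
# wildcard-NS referral Arthur says would get past it. Replies are constructed
# dicts, not real DNS messages; 64.94.110.11 is the address from the dig output
# earlier in this thread, and the wildcard nameserver name is a placeholder.

SITEFINDER_A = "64.94.110.11"


def _canon(name):
    return name.rstrip(".").lower()


def in_zone(name, zone):
    """True when name is the zone apex or lies below it."""
    name, zone = _canon(name), _canon(zone)
    return name == zone or name.endswith("." + zone)


def is_referral(reply, zone):
    """A referral: empty answer section, and NS records in the authority
    section that delegate a name below the zone apex."""
    if reply["answer"]:
        return False
    return any(rr["type"] == "NS" and in_zone(rr["owner"], zone)
               and _canon(rr["owner"]) != _canon(zone)
               for rr in reply["authority"])


def apply_delegation_only(reply, zone):
    """What a resolver running `zone "com" { type delegation-only; };` hands
    back: a non-referral answer for a name below the apex becomes NXDOMAIN,
    while anything shaped like a delegation passes through untouched."""
    qname = reply["qname"]
    if not in_zone(qname, zone) or _canon(qname) == _canon(zone):
        return reply  # not our zone, or the apex itself (SOA, NS, ...)
    if is_referral(reply, zone):
        return reply  # a delegation, wildcard or not
    return {"qname": qname, "rcode": "NXDOMAIN", "answer": [], "authority": []}


# Constructed reply 1: the current SiteFinder behaviour, an A record
# synthesised in the answer section for a name that was never registered.
WILDCARD_A_REPLY = {
    "qname": "nosuchname-constructed.com.",
    "rcode": "NOERROR",
    "answer": [{"owner": "nosuchname-constructed.com.", "type": "A", "rdata": SITEFINDER_A}],
    "authority": [{"owner": "com.", "type": "NS", "rdata": "a.gtld-servers.net."}],
}

# Constructed reply 2: an ordinary referral for a registered domain.
REAL_REFERRAL = {
    "qname": "www.example.com.",
    "rcode": "NOERROR",
    "answer": [],
    "authority": [{"owner": "example.com.", "type": "NS", "rdata": "ns1.example.com."}],
}

# Constructed reply 3: the `* IN NS` variant from the message. NS rdata is a
# host name, so the wildcard would name a host that resolves to 64.94.110.11.
WILDCARD_NS_REPLY = {
    "qname": "nosuchname-constructed.com.",
    "rcode": "NOERROR",
    "answer": [],
    "authority": [{"owner": "nosuchname-constructed.com.", "type": "NS",
                   "rdata": "ns.sitefinder-placeholder.example."}],
}

if __name__ == "__main__":
    for label, reply in (("wildcard A", WILDCARD_A_REPLY), ("real referral", REAL_REFERRAL),
                         ("wildcard NS", WILDCARD_NS_REPLY)):
        print(label, "->", apply_delegation_only(reply, "com")["rcode"])
```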


Re: Debian + Verisign's .com/.net hijack

2003-09-17 Thread Dale Amon
What precisely have they done? I'd not heard about
their latest idiocy... 

[I note that I just got html mail from them about 
 a domain renewal... I just delete html mail 
 without reading.]

-- 
--
   IN MY NAME:Dale Amon, CEO/MD
  No Mushroom clouds over Islandone Society
London and New York.  www.islandone.org
--



Re: Debian + Verisign's .com/.net hijack

2003-09-17 Thread Oliver Hitz
On 17 Sep 2003, Ronny Adsetts wrote:
> Adding this *hard coded* value to an official Debian package that could
> be around for a couple of years (in stable) would be foolish IMHO. I
> haven't reviewed the patch, so may be wrong about the nature of it...
> (anyone have a link for the patch?)

While the "first generation" patches work with hardcoded values, there
are others that are much more general. Check the link of the ISC patch
for a description:

  http://www.isc.org/products/BIND/delegation-only.html

Regards,
Oliver



Re: OpenSSH

2003-09-17 Thread Emmanuel Lacour
On Wed, Sep 03, 2003 at 11:20:45AM +0200, Matthias Faulstich wrote:
> Hello,
> 
> does anybody know, whether the chroot-patch will be included in future 
> versions of the official ssh package?
> 

I maintain an unofficial at :

deb http://debian.home-dn.net/woody ssh/


(up to date with last security fix)

-- 
Emmanuel Lacour  Easter-eggs
44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
Phone: +33 (0) 1 43 35 00 37- Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED]   -http://www.easter-eggs.com



RE: Debian + Verisign's .com/.net hijack

2003-09-17 Thread Boyan Krosnov
It is not hardcoded. A new configuration directive has been added, and
it is completely up to the administrator to decide to use it.

http://www.isc.org/products/BIND/delegation-only.html

Boyan Krosnov, CCIE#8701
http://boyan.ludost.net/
just another techie speaking for himself

> -Original Message-
> From: Ronny Adsetts [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, September 17, 2003 12:58 PM
> To: Adrian von Bidder
> Cc: debian-security@lists.debian.org
> Subject: Re: Debian + Verisign's .com/.net hijack
> 
> 
> Adrian von Bidder said the following on 17/09/03 10:11:
> >> Patches for various dns servers to get back to the old behaviour of
> >> the dns system have been published. For example, the ISC has just 
> >> released an "official" patch for BIND9.
> >> 
> >> I wonder if there are plans to make security upgrades of the dns 
> >> servers shipped with Debian. Any comments?
> > 
> > I for one would really, really, really like for this 'fix' to appear
> > soon.  Maintaining hand compiled software is awkward - but I guess
> > I'll do that quite soon.
> > 
> 
> Adding this *hard coded* value to an official Debian package that could
> be around for a couple of years (in stable) would be foolish IMHO. I
> haven't reviewed the patch, so may be wrong about the nature of it...
> (anyone have a link for the patch?)
> 
> Better to get Verisign to revoke this stupidity. After all, another TLD
> did the same some time ago and the US government intervened, IIRC, to
> get it changed back (.biz?).
> 
> Regards,
> Ronny Adsetts
> -- 
> Technical Director
> Amazing Internet Ltd, London
> t: +44 20 8607 9535
> f: +44 20 8607 9536
> w: www.amazinginternet.com
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact 
> [EMAIL PROTECTED]
> 
> 



Re: Debian + Verisign's .com/.net hijack

2003-09-17 Thread Ronny Adsetts

Adrian von Bidder said the following on 17/09/03 10:11:
>> Patches for various dns servers to get back to the old behaviour of
>> the dns system have been published. For example, the ISC has just
>> released an "official" patch for BIND9.
>>
>> I wonder if there are plans to make security upgrades of the dns
>> servers shipped with Debian. Any comments?
>
> I for one would really, really, really like for this 'fix' to appear
> soon.  Maintaining hand compiled software is awkward - but I guess
> I'll do that quite soon.

Adding this *hard coded* value to an official Debian package that could
be around for a couple of years (in stable) would be foolish IMHO. I
haven't reviewed the patch, so may be wrong about the nature of it...
(anyone have a link for the patch?)

Better to get Verisign to revoke this stupidity. After all, another TLD
did the same some time ago and the US government intervened, IIRC, to
get it changed back (.biz?).

Regards,
Ronny Adsetts
--
Technical Director
Amazing Internet Ltd, London
t: +44 20 8607 9535
f: +44 20 8607 9536
w: www.amazinginternet.com



Re: Debian + Verisign's .com/.net hijack

2003-09-17 Thread Andy Coates
Dale Amon ([EMAIL PROTECTED]) wrote:
> On Wed, Sep 17, 2003 at 11:57:16AM +0100, Andy Coates wrote:
> > They've put a wildcard DNS entry for .com and .net to resolve to their
> > product called "SiteFinder" which offers an IE/MSN-like "Did you mean
> > to type " services.
> > 
> > So any domain that doesn't exist, or in the PENDING/DELETE states, or has
> > no nameservers associated with it, now resolves.
> 
> Ah, so what would happen if many thousands of people ran pings 
> and other things against nonexistent names?
> 

Pings are being blocked AFAIK, but there are many ports open (mail for
example).  Best bet is to search the NANOG lists (www.nanog.org), whole
lotta information and discussion about it there.

Andy.





Re: OpenSSH

2003-09-17 Thread Emmanuel Lacour
On Wed, Sep 17, 2003 at 12:41:48PM +0200, Lukas Ruf wrote:
> 
> do you also provide the sources of your unofficial distribution?
> 

I just uploaded them (http://debian.home-dn.net/woody/ssh/)


apt-get source should work too


-- 
Emmanuel Lacour  Easter-eggs
44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
Phone: +33 (0) 1 43 35 00 37- Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED]   -http://www.easter-eggs.com





Re: Debian + Verisign's .com/.net hijack

2003-09-17 Thread Adrian von Bidder
On Wednesday 17 September 2003 10:48, Oliver Hitz wrote:

> Patches for various dns servers to get back to the old behaviour of the
> dns system have been published. For example, the ISC has just released
> an "official" patch for BIND9.
>
> I wonder if there are plans to make security upgrades of the dns servers
> shipped with Debian. Any comments?

I for one would really, really, really like for this 'fix' to appear soon. 
Maintaining hand compiled software is awkward - but I guess I'll do that 
quite soon.

Greets
-- vbi

-- 
The prablem with Manoca is thot it's difficult ta tell the difference
between o cauple af the letters.
-- Jacob W. Haller on alt.religion.kibology




Debian + Verisign's .com/.net hijack

2003-09-17 Thread Oliver Hitz
Hi all,

By now probably everybody has heard about Verisign's latest change to
the .net and .com domains (otherwise read about it in your favourite
tech news site). While the security of dns per se is not really
affected, the change influences other services such as spam
countermeasures.

Patches for various dns servers to get back to the old behaviour of the
dns system have been published. For example, the ISC has just released
an "official" patch for BIND9.

I wonder if there are plans to make security upgrades of the dns servers
shipped with Debian. Any comments?

Regards,

Oliver



Re: SSH Update for Potato?

2003-09-17 Thread Andreas Barth
* Shane Machon ([EMAIL PROTECTED]) [030917 06:50]:
> On a more general note, is potato still supported by the Security Team?

No. There was a notice some time ago.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C



Re: [d-security] Re: ssh vulnerability in the wild

2003-09-17 Thread Birzan George Cristian
On Wed, Sep 17, 2003 at 12:12:35AM -0700, Rick Moen wrote:
> I note:
> http://incoming.debian.org/ssh_3.6.1p2-8_i386.deb 
> http://incoming.debian.org/ssh_3.6.1p2-8_mipsel.deb  
> http://incoming.debian.org/ssh_3.6.1p2-8_powerpc.deb 
> 
> ...and would guess they're built from upstream's v. 3.7.1.
> 
> (The two latter arrived within the last fifteen minutes.)


openssh (1:3.6.1p2-8) unstable; urgency=high
  * Merge more buffer allocation fixes from new upstream version 3.7.1p1
(closes: #211324).

Still waiting for a similar version on security.debian.org, for Woody.

-- 
Regards
Birzan George Cristian




Unidentified subject!

2003-09-17 Thread peyyala phillip
To: Digital Brand Manager, clear express web support
From: [EMAIL PROTECTED]

Dear brother Christ,
Common Name: Peyyala Phillip
Organisation Name: Mr & Mrs Peyyala Phillip marys ministries

We have already registered delphi advanced mail registration membership
option 3, paid US $15 to delphi forms LLC, USA, dated 22-07-2003. If our
check process within 3 weeks in delphi clearance but no process, no
payment, and also site of www.verisign.com/compref if your profile changes
published. Your request will be processed in forty eight hours but no
process, no payment. Please kindly request account changes information and
our server id and digital id (Certificate order) and lists and payment
information. Our payment very late.
Please kindly request immediately to our Email.

Thanking You Sir, P.Phillip

Re: [d-security] Re: ssh vulnerability in the wild

2003-09-17 Thread Rick Moen
Quoting Jan Niehusmann ([EMAIL PROTECTED]):

> So I guess we all have to upgrade again. Didn't see packages with
> patches derived from 3.7.1, yet.

I note:
http://incoming.debian.org/ssh_3.6.1p2-8_i386.deb 
http://incoming.debian.org/ssh_3.6.1p2-8_mipsel.deb  
http://incoming.debian.org/ssh_3.6.1p2-8_powerpc.deb 

...and would guess they're built from upstream's v. 3.7.1.

(The two latter arrived within the last fifteen minutes.)

-- 
Cheers, Founding member of the Hyphenation Society, a grassroots-based, 
Rick Moen   not-for-profit, locally-owned-and-operated, cooperatively-managed,
[EMAIL PROTECTED] modern-American-English-usage-improvement association.



Re: [d-security] Re: ssh vulnerability in the wild

2003-09-17 Thread Adrian von Bidder
On Tuesday 16 September 2003 22:30, Rich Puhek wrote:
[mix stable/testing/unstable]

This is what I usually do - and usually, it works quite fine. Right now, 
though, I've been pulling in more and more from testing/unstable since some 
things depend on the new glibc, and some other things randomly break when 
used with the new glibc, so I've had to upgrade those things, which in turn 
depend on foo, which...

I expect once the libc/gcc issues have settled down it should be a bit better 
- but I now run quite a bit of a sarge system already, so security support for 
many things is non-existent for me. Thankfully, ssh/stable seems to work fine 
with libc6/unstable.

Greets
-- vbi

-- 
featured product: GNU Privacy Guard - http://gnupg.org




Re: [d-security] Re: ssh vulnerability in the wild

2003-09-17 Thread Jan Niehusmann
On Wed, Sep 17, 2003 at 08:24:43AM +0300, Birzan George Cristian wrote:
> According to the DSA, this is based on the 3.7 fix. OpenSSH's site lists
> the only not vulnerable version as 3.7.1. In my mind, that means the ssh
> version on security.debian.org right now is _STILL_ vulnerable. I'm not
> a security expert, nor do I have time to actually see if that's true,
> so, I'm asking the list if anyone can confirm/deny that.

Yes, it seems like OpenSSH 3.7.1 appeared quickly after 3.7 (or 3.7
didn't really appear at all?) and fixed additional security bugs.
The first debian patches did only contain patches from 3.7, not from
3.7.1, so ssh is still vulnerable. (But I did not check if all these
vulnerabilities affect both woody and sid)

So I guess we all have to upgrade again. Didn't see packages with
patches derived from 3.7.1, yet.

Jan





ssh v2 hostbased authentication after woody security upgrade

2003-09-17 Thread Norbert Preining
Hi all!

After the woody security fix of ssh (new version 3.4p1-1.1) we cannot
use HostBased Authentication for SSH V.2. There was no change in the
configuration files or the host keys, besides, interestingly the 
/etc/ssh/ssh_host_key
(responsible for V.1 authentication, thus uninteresting for my problem I
guess) has a newer timestamp, while the corresponding .pub file has not
changed at all.

We have on both ssh ends the following permissions (in /etc/ssh):
-rw---1 root root  672 Feb  2  2002 ssh_host_dsa_key
-rw-r--r--1 root root  600 Feb  2  2002 ssh_host_dsa_key.pub
-rw---1 root root  883 Feb  2  2002 ssh_host_rsa_key
-rw-r--r--1 root root  220 Feb  2  2002 ssh_host_rsa_key.pub

in sshd_config:
HostbasedAuthentication yes

in ssh_config:
Host *
  Protocol 2,1
  HostbasedAuthentication yes

ssh-keysign is setuid root:
-rwsr-xr-x    1 root     root       151496 Sep 16 13:33 /usr/lib/ssh-keysign

So I do not understand what is going on. The only thing I found in the
log files is:

sshd[26845]: error: ssh_rsa_verify: RSA_verify failed: 
error:0A071003:lib(10):func(113):reason(3)
sshd[26847]: error: ssh_rsa_verify: RSA_verify failed: 
error:0A071003:lib(10):func(113):reason(3)
sshd[26847]: Failed password for user from AAA.BBB.CCC.DDD port 1028 ssh2

I started the server with LogLevel DEBUG3 and this is what I got:

sshd[5432]: debug1: Bind to port 22 on 0.0.0.0.
sshd[5432]: Server listening on 0.0.0.0 port 22.
sshd[5432]: Generating 768 bit RSA key.
sshd[5432]: RSA key generation complete.
sshd[5440]: Connection from AAA.BBB.CCC.DDD port 3894
sshd[5432]: debug1: Forked child 5440.
sshd[5440]: debug1: Client protocol version 2.0; client software version 
OpenSSH_3.4p1 Debian 1:3.4p1-1.1
sshd[5440]: debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-1.1 pat OpenSSH*
sshd[5440]: Enabling compatibility mode for protocol 2.0
sshd[5440]: debug1: Local version string SSH-1.99-OpenSSH_3.4p1 Debian 
1:3.4p1-1.1
sshd[5440]: debug2: Network child is on pid 5441
sshd[5440]: debug3: preauth child monitor started
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug3: monitor_read: checking request 0
sshd[5440]: debug3: mm_answer_moduli: got parameters: 1024 2048 8192
sshd[5440]: debug3: mm_request_send entering: type 1
sshd[5440]: debug2: monitor_read: 0 used once, disabling now
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug3: monitor_read: checking request 4
sshd[5440]: debug3: mm_answer_sign
sshd[5440]: debug3: mm_answer_sign: signature 0x8095650(143)
sshd[5440]: debug3: mm_request_send entering: type 5
sshd[5440]: debug2: monitor_read: 4 used once, disabling now
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug3: monitor_read: checking request 6
sshd[5440]: debug3: mm_answer_pwnamallow
sshd[5440]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
sshd[5440]: debug3: mm_request_send entering: type 7
sshd[5440]: debug2: monitor_read: 6 used once, disabling now
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug3: monitor_read: checking request 37
sshd[5440]: debug1: Starting up PAM with username "user"
sshd[5440]: debug3: Trying to reverse map address AAA.BBB.CCC.DDD.
sshd[5440]: debug1: PAM setting rhost to "origin.mydomain.foo"
sshd[5440]: debug2: monitor_read: 37 used once, disabling now
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug3: monitor_read: checking request 3
sshd[5440]: debug3: mm_answer_authserv: service=ssh-connection, style=
sshd[5440]: debug2: monitor_read: 3 used once, disabling now
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug3: monitor_read: checking request 10
sshd[5440]: debug3: mm_answer_authpassword: sending result 0
sshd[5440]: debug3: mm_request_send entering: type 11
sshd[5440]: Failed none for user from AAA.BBB.CCC.DDD port 3894 ssh2
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug3: monitor_read: checking request 20
sshd[5440]: debug3: mm_answer_keyallowed entering
sshd[5440]: debug3: mm_answer_keyallowed: key_from_blob: 0x809fd20
sshd[5440]: debug2: userauth_hostbased: chost origin.mydomain.foo. resolvedname 
origin.mydomain.foo ipaddr AAA.BBB.CCC.DDD
sshd[5440]: debug2: stripping trailing dot from chost origin.mydomain.foo.
sshd[5440]: debug2: auth_rhosts2: clientuser user hostname origin.mydomain.foo 
ipaddr AAA.BBB.CCC.DDD
sshd[5440]: debug1: temporarily_use_uid: 1045/1000 (e=0)
sshd[5440]: debug1: restore_uid
sshd[5440]: debug2: userauth_hostbased: access allowed by auth_rhosts2
sshd[5440]: debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
sshd[5440]: debug3: key_read: type mismatch

OK here we start with host based authentication:

sshd[5440]: debug3: check_host_in_hostfile: match line 18
sshd[5440]: debug2: check_key_in_hostfiles: key ok for origin.mydomain.foo

Found the right key

sshd[5440]: debug3: mm_answer_keyallowed: key 0x809fd20 is allowed
sshd[5440]: debug3: mm_app
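A small triage helper for exactly the kind of sshd log excerpt posted above, added here as an example and not part of the original report or of OpenSSH: it groups lines by sshd child PID, lists the PIDs that logged an `RSA_verify failed` error, extracts every `Failed <method>` event (dropping the routine `Failed none` probe that precedes every protocol-2 login), and records how far a hostbased attempt got (client host name offered, `auth_rhosts2` passed, host key found in a known_hosts file). The sample lines are copied from the post, with the poster's `AAA.BBB.CCC.DDD` placeholder kept; the function names and the dict layout are my own.

```python
import re

# Constructed sample: sshd lines taken from the report above (the address is the
# poster's AAA.BBB.CCC.DDD placeholder), in the order they appear there.
SAMPLE_LOG = [
    "sshd[26845]: error: ssh_rsa_verify: RSA_verify failed: error:0A071003:lib(10):func(113):reason(3)",
    "sshd[26847]: error: ssh_rsa_verify: RSA_verify failed: error:0A071003:lib(10):func(113):reason(3)",
    "sshd[26847]: Failed password for user from AAA.BBB.CCC.DDD port 1028 ssh2",
    "sshd[5440]: Connection from AAA.BBB.CCC.DDD port 3894",
    "sshd[5440]: Failed none for user from AAA.BBB.CCC.DDD port 3894 ssh2",
    "sshd[5440]: debug2: userauth_hostbased: chost origin.mydomain.foo. resolvedname origin.mydomain.foo ipaddr AAA.BBB.CCC.DDD",
    "sshd[5440]: debug2: userauth_hostbased: access allowed by auth_rhosts2",
    "sshd[5440]: debug3: check_host_in_hostfile: match line 18",
    "sshd[5440]: debug2: check_key_in_hostfiles: key ok for origin.mydomain.foo",
]

LINE_RE = re.compile(r"^sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^Failed (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
CHOST_RE = re.compile(r"userauth_hostbased: chost (?P<chost>\S+) resolvedname (?P<resolved>\S+)")
KEYOK_RE = re.compile(r"check_key_in_hostfiles: key ok for (?P<host>\S+)")


def parse(lines):
    """Yield (pid, message) for every line that looks like an sshd syslog entry."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("pid"), m.group("msg")


def signature_failures(lines):
    """PIDs, in order of first appearance, that logged an RSA_verify failure."""
    seen = []
    for pid, msg in parse(lines):
        if "ssh_rsa_verify: RSA_verify failed" in msg and pid not in seen:
            seen.append(pid)
    return seen


def failed_auth_events(lines, ignore_none=True):
    """(pid, method, user, ip, port) for each 'Failed <method>' line.

    'Failed none' is the client's initial method probe and shows up on every
    protocol-2 login, so it is not a failure indicator and is dropped by default.
    """
    events = []
    for pid, msg in parse(lines):
        m = FAILED_RE.match(msg)
        if not m or (ignore_none and m.group("method") == "none"):
            continue
        events.append((pid, m.group("method"), m.group("user"), m.group("ip"), int(m.group("port"))))
    return events


def hostbased_progress(lines):
    """Per PID: client host name offered (trailing dot stripped, as sshd does),
    whether the rhosts-style check passed, and whether the client host key was
    found in a known_hosts file. A PID appears only once a chost line was seen."""
    progress = {}
    for pid, msg in parse(lines):
        m = CHOST_RE.search(msg)
        if m:
            entry = progress.setdefault(pid, {"chost": None, "rhosts_allowed": False, "key_ok": False})
            entry["chost"] = m.group("chost").rstrip(".")
            continue
        if pid not in progress:
            continue
        if "access allowed by auth_rhosts2" in msg:
            progress[pid]["rhosts_allowed"] = True
        if KEYOK_RE.search(msg):
            progress[pid]["key_ok"] = True
    return progress


def report(lines):
    """Human-readable summary of the three views above."""
    out = ["signature verification failed in: " + ", ".join(signature_failures(lines))]
    for pid, method, user, ip, port in failed_auth_events(lines):
        out.append(f"pid {pid}: failed {method} auth for {user} from {ip}:{port}")
    for pid, st in hostbased_progress(lines).items():
        out.append(f"pid {pid}: hostbased chost={st['chost']} rhosts_ok={st['rhosts_allowed']} key_ok={st['key_ok']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feed it `grep sshd /var/log/auth.log` instead of the sample and it separates "the host key was found and the rhosts check passed" (pids where the hostbased stage completed) from "the signature did not verify" (pids in the first list), which is the distinction the debug output above makes hard to see by eye.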

Debian + Verisign's .com/.net hijack

2003-09-17 Thread Oliver Hitz
Hi all,

By now probably everybody has heard about Verisign's latest change to
the .net and .com domains (otherwise read about it in your favourite
tech news site). While the security of dns per se is not really
affected, the change influences other services such as spam
countermeasures.

Patches for various dns servers to get back to the old behaviour of the
dns system have been published. For example, the ISC has just released
an "official" patch for BIND9.

I wonder if there are plans to make security upgrades of the dns servers
shipped with Debian. Any comments?

Regards,

Oliver


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: [d-security] Re: ssh vulnerability in the wild

2003-09-17 Thread Colin Watson
On Tue, Sep 16, 2003 at 09:51:43PM +0200, Matthias Merz wrote:
> So only one problem remains: The version in woody-proposed-updates is
> 1:3.4p1-1.woody.1 which is "newer" than the patched version. So I had to
> manually "downgrade" my proposed-updates-version to get the fix.
> (apt-get dist-upgrade didn't show any packages to upgrade)
> When will there be a "new" version in proposed-updates for apt-getting
> the fix?

This will be sorted out soon: I believe the next version in security
will include the changes in proposed-updates and so will have a higher
version number.

-- 
Colin Watson  [EMAIL PROTECTED]



Re: [d-security] Re: ssh vulnerability in the wild

2003-09-17 Thread Colin Watson
On Tue, Sep 16, 2003 at 01:10:34PM -0400, Dossy wrote:
> On 2003.09.16, Christian Hammers <[EMAIL PROTECTED]> wrote:
> > The new version has already been installed. This was quick. Good work,
> > security team.
> > 
> >  openssh (1:3.4p1-1.1) stable-security; urgency=high
> > 
> >   * NMU by the security team.
> >   * Merge patch from OpenBSD to fix a security problem in buffer handling
> > 
> >  -- Wichert Akkerman <[EMAIL PROTECTED]>  Tue, 16 Sep 2003 13:06:31 +0200
> 
> Is 3.6.1p2-3 vulnerable?  For those of us who want security, must we
> downgrade to 3.4p1-1.1 or build from source after patching by hand?  Or
> will this security fix be applied to sarge as well?

It's not routine practice, but assuming glibc doesn't suddenly get fixed
in the next couple of days, I expect to upload a fixed openssh to
testing-proposed-updates once the dust settles. That should be able to
get into testing fairly quickly.

-- 
Colin Watson  [EMAIL PROTECTED]



Re: SSH Update for Potato?

2003-09-17 Thread Andreas Barth
* Shane Machon ([EMAIL PROTECTED]) [030917 06:50]:
> On a more general note, is potato still supported by the Security Team?

No. There was a notice some time ago.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C





Re: [d-security] Re: ssh vulnerability in the wild

2003-09-17 Thread Birzan George Cristian
On Wed, Sep 17, 2003 at 12:12:35AM -0700, Rick Moen wrote:
> I note:
> http://incoming.debian.org/ssh_3.6.1p2-8_i386.deb 
> http://incoming.debian.org/ssh_3.6.1p2-8_mipsel.deb  
> http://incoming.debian.org/ssh_3.6.1p2-8_powerpc.deb 
> 
> ...and would guess they're built from upstream's v. 3.7.1.
> 
> (The two latter arrived within the last fifteen minutes.)


openssh (1:3.6.1p2-8) unstable; urgency=high
  * Merge more buffer allocation fixes from new upstream version 3.7.1p1
(closes: #211324).

Still waiting for a similar version on security.debian.org, for Woody.

-- 
Regards
Birzan George Cristian




Re: [d-security] Re: ssh vulnerability in the wild

2003-09-17 Thread Birzan George Cristian
On Tue, Sep 16, 2003 at 05:31:06PM +0200, Christian Hammers wrote:
> The new version has already been installed. This was quick. Good work,
> security team.
> 
>  openssh (1:3.4p1-1.1) stable-security; urgency=high
> 
>   * NMU by the security team.
>   * Merge patch from OpenBSD to fix a security problem in buffer handling
> 
>  -- Wichert Akkerman <[EMAIL PROTECTED]>  Tue, 16 Sep 2003 13:06:31 +0200

According to the DSA, this is based on the 3.7 fix. OpenSSH's site lists
the only not vulnerable version as 3.7.1. In my mind, that means the ssh
version on security.debian.org right now is _STILL_ vulnerable. I'm not
a security expert, nor do I have time to actually see if that's true,
so, I'm asking the list if anyone can confirm/deny that.

-- 
Regards
Birzan George Cristian




Unidentified subject!

2003-09-17 Thread peyyala phillip
To: Digital Brand Manager, clear express web support
From: [EMAIL PROTECTED]

Dear brother Christ,
Common Name: Peyyala Phillip
Organisation Name: Mr & Mrs Peyyala Phillip marys ministries

We have already registered delphi advanced mail registration membership
option 3, paid US $15 to delphi forms LLC. USA, dated 22-07-2003. If our
check process within 3 weeks in delphi clearance but no process no
payment, and also site of www.verisign.com/compref if your profile
changes published. Your request will be processed in forty eight hours
but no process no payment. Please kindly request account changes
information and our server id and digital id (Certificate order) and
lists and payment information. Our payment very late.
Please kindly request immediately to our Email.
  Thanking You Sir, P.Phillip

Re: [d-security] Re: ssh vulnerability in the wild

2003-09-17 Thread Rick Moen
Quoting Jan Niehusmann ([EMAIL PROTECTED]):

> So I guess we all have to upgrade again. Didn't see packages with
> patches derived from 3.7.1, yet.

I note:
http://incoming.debian.org/ssh_3.6.1p2-8_i386.deb 
http://incoming.debian.org/ssh_3.6.1p2-8_mipsel.deb  
http://incoming.debian.org/ssh_3.6.1p2-8_powerpc.deb 

...and would guess they're built from upstream's v. 3.7.1.

(The two latter arrived within the last fifteen minutes.)

-- 
Cheers, Founding member of the Hyphenation Society, a grassroots-based, 
Rick Moen   not-for-profit, locally-owned-and-operated, cooperatively-managed,
[EMAIL PROTECTED] modern-American-English-usage-improvement association.





Re: [d-security] Re: ssh vulnerability in the wild

2003-09-17 Thread Adrian von Bidder
On Tuesday 16 September 2003 22:30, Rich Puhek wrote:
[mix stable/testing/unstable]

This is what I usually do - and usually, it works quite fine. Right now, 
though, I've been pulling in more and more from testing/unstable since some 
things depend on the new glibc, and some other things randomly break when 
used with the new glibc, so I've had to upgrade those things, which in turn 
depend on foo, which...

I expect once the libc/gcc issues have settled down it should be a bit better 
- but I now run quite a bit of a sarge system already, so security support for 
many things is non-existent for me. Thankfully, ssh/stable seems to work fine 
with libc6/unstable.

Greets
-- vbi

-- 
featured product: GNU Privacy Guard - http://gnupg.org



