[SECURITY] [DSA 407-1] New ethereal packages fix several vulnerabilities

2004-01-05 Thread Martin Schulze
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --
Debian Security Advisory DSA 407-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 5th, 2004   http://www.debian.org/security/faq
- --

Package: ethereal
Vulnerability  : buffer overflows
Problem-Type   : remote
Debian-specific: no
CVE IDs: CAN-2003-0925 CAN-2003-0926 CAN-2003-0927 CAN-2003-1012 CAN-2003-1013

Several vulnerabilities were discovered upstream in ethereal, a
network traffic analyzer.  The Common Vulnerabilities and Exposures
project identifies the following problems:

CAN-2003-0925

   A buffer overflow allows remote attackers to cause a denial of
   service and possibly execute arbitrary code via a malformed GTP
   MSISDN string.

CAN-2003-0926

   Via certain malformed ISAKMP or MEGACO packets remote attackers are
   able to cause a denial of service (crash).

CAN-2003-0927

   A heap-based buffer overflow allows remote attackers to cause a
   denial of service (crash) and possibly execute arbitrary code via
   the SOCKS dissector.

CAN-2003-1012

   The SMB dissector allows remote attackers to cause a denial of
   service via a malformed SMB packet that triggers a segmentation
   fault during processing of selected packets.

CAN-2003-1013

   The Q.931 dissector allows remote attackers to cause a denial of
   service (crash) via a malformed Q.931, which triggers a null
   dereference.

For the stable distribution (woody) this problem has been fixed in
version 0.9.4-1woody6.

For the unstable distribution (sid) this problem has been fixed in
version 0.10.0-1.

We recommend that you upgrade your ethereal and tethereal packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody6.dsc
  Size/MD5 checksum:  679 6c3d2beab693578b827bc0c2ecc13eb2

http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody6.diff.gz
  Size/MD5 checksum:    37597 7456c1b4708a869295bb71480300370d
http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4.orig.tar.gz
  Size/MD5 checksum:  3278908 42e999daa659820ee9339ea1e9ea

  Alpha architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody6_alpha.deb
  Size/MD5 checksum:  1940256 e8a45a24a24a145f2870d65b26fdda20

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody6_alpha.deb
  Size/MD5 checksum:   334238 0035322af1972fa6c1547e881b5b27fa

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody6_alpha.deb
  Size/MD5 checksum:   222006 da4e9538a37ac5dd740010b828afed8b

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody6_alpha.deb
  Size/MD5 checksum:  1706878 3c2e6c03f6383f3ae8d599a01853c344

  ARM architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody6_arm.deb
  Size/MD5 checksum:  1634664 f5f5d2aeba5fa26ac8d6b722f4d52b39

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody6_arm.deb
  Size/MD5 checksum:   297294 267317a8d6f43f009673f3e9864e0308

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody6_arm.deb
  Size/MD5 checksum:   205964 fe0528d0ee4b0922d1a449f9c12c0b81

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody6_arm.deb
  Size/MD5 checksum:  1439166 390f1e6d9173454162195c47a10c6a0e

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4-1woody6_i386.deb
  Size/MD5 checksum:  1512408 b9efde468cca1ddd6b731a3b343bd51d

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-common_0.9.4-1woody6_i386.deb
  Size/MD5 checksum:   286370 c618774e3718d11d94347b0d66f72af4

http://security.debian.org/pool/updates/main/e/ethereal/ethereal-dev_0.9.4-1woody6_i386.deb
  Size/MD5 checksum:   198298 a7c01d2560880e783e899cd623a27e7a

http://security.debian.org/pool/updates/main/e/ethereal/tethereal_0.9.4-1woody6_i386.deb
  Size/MD5 checksum:  1325838 a7706f7f82b44a30d4a99b299c58b4ca

  Intel IA-64 architecture:



[SECURITY] [DSA 409-1] New bind packages fix denial of service

2004-01-05 Thread Matt Zimmerman
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --
Debian Security Advisory DSA 409-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Matt Zimmerman
January 5th, 2004   http://www.debian.org/security/faq
- --

Package: bind
Vulnerability  : denial of service
Problem-Type   : remote
Debian-specific: no
CVE Ids: CAN-2003-0914

A vulnerability was discovered in BIND, a domain name server, whereby
a malicious name server could return authoritative negative responses
with a large TTL (time-to-live) value, thereby rendering a domain name
unreachable.  A successful attack would require that a vulnerable BIND
instance submit a query to a malicious nameserver. 

The bind9 package is not affected by this vulnerability.

For the current stable distribution (woody) this problem has been
fixed in version 1:8.3.3-2.0woody2.

For the unstable distribution (sid) this problem has been fixed in
version 1:8.4.3-1.

We recommend that you update your bind package.
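The failure mode DSA 409 describes is a resolver trusting the TTL on an authoritative negative answer. The following is an added example written for this archive page, not BIND code and not the Debian patch: it implements the RFC 2308 rule that a negative answer is cached for min(SOA TTL, SOA MINIMUM) and adds a resolver-side cap of the kind BIND exposes as the max-ncache-ttl option, so a hostile server cannot keep a name unreachable beyond the operator's limit. The 3-hour default cap and the name www.example.com are assumptions for the demonstration.

```python
"""Negative-cache TTL clamping, modelling the DSA 409 failure mode.

Added example for this archive page; it is not BIND code and does not
reproduce the Debian patch. It implements the RFC 2308 rule that a
negative (NXDOMAIN/NODATA) answer is cached for min(SOA TTL, SOA MINIMUM),
plus a resolver-side cap like BIND's max-ncache-ttl option, so that an
authoritative server returning a huge TTL cannot keep a name unreachable
for longer than the operator allows.
"""

# BIND's documented default for max-ncache-ttl is 3 hours; assumed here.
DEFAULT_MAX_NCACHE_TTL = 3 * 3600


def negative_ttl(soa_ttl, soa_minimum, max_ncache_ttl=DEFAULT_MAX_NCACHE_TTL):
    """Seconds to cache a negative answer: RFC 2308 minimum, capped by policy."""
    for value in (soa_ttl, soa_minimum, max_ncache_ttl):
        if value < 0:
            raise ValueError("TTL values must be non-negative")
    return min(soa_ttl, soa_minimum, max_ncache_ttl)


class NegativeCache:
    """Minimal negative cache keyed by owner name (case-insensitive, no trailing dot)."""

    def __init__(self, max_ncache_ttl=DEFAULT_MAX_NCACHE_TTL):
        self.max_ncache_ttl = max_ncache_ttl
        self._expiry = {}

    @staticmethod
    def _key(name):
        return name.lower().rstrip(".")

    def insert(self, name, soa_ttl, soa_minimum, now):
        """Cache a negative answer whose SOA carried soa_ttl/soa_minimum; return the TTL used."""
        ttl = negative_ttl(soa_ttl, soa_minimum, self.max_ncache_ttl)
        self._expiry[self._key(name)] = now + ttl
        return ttl

    def is_negative(self, name, now):
        """True while the cached negative answer is still live at time `now`."""
        expiry = self._expiry.get(self._key(name))
        if expiry is None:
            return False
        if now >= expiry:
            del self._expiry[self._key(name)]
            return False
        return True


def demo():
    """Constructed scenario: a hostile SOA with TTL and MINIMUM at the 31-bit maximum."""
    hostile_ttl = 2 ** 31 - 1
    now = 0
    uncapped = NegativeCache(max_ncache_ttl=hostile_ttl)   # behaves like the vulnerable resolver
    capped = NegativeCache()                                # 3-hour policy cap
    # "www.example.com" is a constructed name (reserved example domain), not from the page.
    uncapped.insert("www.example.com.", hostile_ttl, hostile_ttl, now)
    capped.insert("www.example.com.", hostile_ttl, hostile_ttl, now)
    ten_years = 10 * 365 * 86400
    return {
        "uncapped_still_dead_after_10y": uncapped.is_negative("www.example.com", now + ten_years),
        "capped_still_dead_after_10y": capped.is_negative("www.example.com", now + ten_years),
        "capped_ttl_seconds": negative_ttl(hostile_ttl, hostile_ttl),
    }


if __name__ == "__main__":
    print(demo())
```

The cap bounds the damage rather than preventing the poisoning: the name still disappears for up to max-ncache-ttl, which is why the package fix, not the cache setting alone, is the answer.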

Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody2.dsc
  Size/MD5 checksum:  639 ade872aa1e8b6bb0b55bd871207d8a36
http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody2.diff.gz
  Size/MD5 checksum:    31925 cdf79e7828e5de2a4cf8ee8e5062a627
http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3.orig.tar.gz
  Size/MD5 checksum:  2713120 847ba93d1ac71b94560c002c9f730100

  Architecture independent components:


http://security.debian.org/pool/updates/main/b/bind/bind-doc_8.3.3-2.0woody2_all.deb
  Size/MD5 checksum:  1290814 37075f1a0c5a674d0dc81696f1043a57

  Alpha architecture:

http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody2_alpha.deb
  Size/MD5 checksum:   999312 ecfa16c08ff20b8d4bcdd6c77c32ed6b

http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody2_alpha.deb
  Size/MD5 checksum:   509452 3c7d5b70a191c01417e3df9eb6b889a9

  ARM architecture:

http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody2_arm.deb
  Size/MD5 checksum:   826590 696c53c2e7da00d72de0ddce3e9f0bf3

http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody2_arm.deb
  Size/MD5 checksum:   427084 df67dbc243f6a88fe1b80e8774bcb366

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody2_i386.deb
  Size/MD5 checksum:   793732 214489ee9312f15a4a86cc8fccec22a2

http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody2_i386.deb
  Size/MD5 checksum:   381988 7a625ae2de5b673d9c3a834826f72526

  Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody2_ia64.deb
  Size/MD5 checksum:  1285864 81bad842984112df3997702fa06173ec

http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody2_ia64.deb
  Size/MD5 checksum:   575890 24d29d3e6f9dd9f67f1b35690ede36f5

  HP Precision architecture:

http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody2_hppa.deb
  Size/MD5 checksum:   921460 1828a8f102cf3fe1953c960147fc2880

http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody2_hppa.deb
  Size/MD5 checksum:   475208 166521ce1dbe1d65320b4ba22f7fe659

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody2_m68k.deb
  Size/MD5 checksum:   720658 db9f23af2a807675f221c44c861d7019

http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody2_m68k.deb
  Size/MD5 checksum:   362762 2c1981f62b69bb3bdf60dd955155514d

  Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody2_mips.deb
  Size/MD5 checksum:   926968 63314aa98265e5641eb25a4a47c868d9

http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody2_mips.deb
  Size/MD5 checksum:   469896 385520c21f7e8bc43a9b33fe3b19963f

  Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody2_mipsel.deb
  Size/MD5 checksum:   934550 31bc0a5466e17746ca2b3cbf1795ad53


[SECURITY] [DSA 410-1] New libnids packages fix buffer overflow

2004-01-05 Thread Matt Zimmerman
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --
Debian Security Advisory DSA 410-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Matt Zimmerman
January 5th, 2004   http://www.debian.org/security/faq
- --

Package: libnids
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE Ids: CAN-2003-0850

A vulnerability was discovered in libnids, a library used to analyze
IP network traffic, whereby a carefully crafted TCP datagram could
cause memory corruption and potentially execute arbitrary code with
the privileges of the user executing a program which uses libnids
(such as dsniff).

For the current stable distribution (woody) this problem has been
fixed in version 1.16-3woody1.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you update your libnids package.

Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
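The "wget url / dpkg -i file.deb" route in the upgrade instructions of DSA 407, 409 and 410 above leaves the operator to compare the downloaded file against the Size/MD5 lines. The following is an added example written for this archive page, not a Debian tool: it parses listing lines in exactly the form the advisories use (tolerating the missing space after the colon seen in some of them and rejecting the truncated checksum on the ethereal_0.9.4.orig.tar.gz line of DSA 407) and checks a file's size and MD5 against them. The listing lines for libnids and ethereal are copied from the advisories; the example_1.0-1_i386.deb entry, its URL and its content are constructed for the demonstration.

```python
"""Verify a downloaded Debian package against the Size/MD5 lines of a DSA.

Added example for this archive page; not a Debian tool. It parses the
"URL / Size/MD5 checksum: SIZE MD5" pairs as they appear in the advisories,
tolerates the missing space after the colon that some lines have, and
reports entries whose checksum is not 32 hex digits instead of silently
accepting a truncated value.
"""
import hashlib
import os
import re

_URL_RE = re.compile(r"^\s*(https?://\S+)\s*$")
_SUM_RE = re.compile(r"Size/MD5 checksum:\s*(\d+)\s+([0-9a-fA-F]+)\s*$")


def parse_listing(text):
    """Return ({filename: (size, md5)}, [filenames with a malformed checksum])."""
    entries, malformed, pending_url = {}, [], None
    for line in text.splitlines():
        m = _URL_RE.match(line)
        if m:
            pending_url = m.group(1)          # remember the URL; its checksum line follows
            continue
        m = _SUM_RE.search(line)
        if m and pending_url:
            name = pending_url.rsplit("/", 1)[-1]
            size, digest = int(m.group(1)), m.group(2).lower()
            if len(digest) == 32:
                entries[name] = (size, digest)
            else:
                malformed.append(name)        # e.g. a checksum truncated in transit
            pending_url = None
    return entries, malformed


def check_bytes(entries, filename, data):
    """Compare a file's bytes with its advisory entry; return (ok, reason)."""
    if filename not in entries:
        return False, "no entry in advisory"
    size, digest = entries[filename]
    if len(data) != size:
        return False, "size mismatch: %d != %d" % (len(data), size)
    actual = hashlib.md5(data).hexdigest()
    if actual != digest:
        return False, "md5 mismatch: %s != %s" % (actual, digest)
    return True, "ok"


def check_file(entries, path):
    """Check a downloaded file on disk before handing it to dpkg -i."""
    with open(path, "rb") as f:
        return check_bytes(entries, os.path.basename(path), f.read())


# First three pairs are copied from DSA 410 and DSA 407 above; the last pair is constructed
# (a 3-byte file "abc", whose MD5 is 900150983cd24fb0d6963f7d28e17f72).
SAMPLE_LISTING = """\
http://security.debian.org/pool/updates/main/libn/libnids/libnids_1.16-3woody1.diff.gz
  Size/MD5 checksum: 7053 5db55f605de05b18238c8d8f1e0d5eaa
http://security.debian.org/pool/updates/main/libn/libnids/libnids1_1.16-3woody1_i386.deb
  Size/MD5 checksum:17074 9b0358382397ba1d8b0485dede78892f
http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.9.4.orig.tar.gz
  Size/MD5 checksum:  3278908 42e999daa659820ee9339ea1e9ea
http://security.debian.org/pool/updates/main/e/example/example_1.0-1_i386.deb
  Size/MD5 checksum:        3 900150983cd24fb0d6963f7d28e17f72
"""

if __name__ == "__main__":
    entries, malformed = parse_listing(SAMPLE_LISTING)
    print("parsed %d entries, %d malformed: %s" % (len(entries), len(malformed), malformed))
    print(check_bytes(entries, "example_1.0-1_i386.deb", b"abc"))
    print(check_bytes(entries, "example_1.0-1_i386.deb", b"abd"))
```

The MD5 here only guards against a corrupted or substituted download; the trust decision rests on the PGP signature over the advisory itself, which is why the later thread about an unverifiable signature on DSA 411 matters more than any checksum.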

Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/libn/libnids/libnids_1.16-3woody1.dsc
  Size/MD5 checksum:  603 c9e8989f8cb7d6706d512f8c34519443

http://security.debian.org/pool/updates/main/libn/libnids/libnids_1.16-3woody1.diff.gz
  Size/MD5 checksum: 7053 5db55f605de05b18238c8d8f1e0d5eaa
http://security.debian.org/pool/updates/main/libn/libnids/libnids_1.16.orig.tar.gz
  Size/MD5 checksum:    72309 95497093d0de330be12ddc658ad7decc

  Alpha architecture:


http://security.debian.org/pool/updates/main/libn/libnids/libnids-dev_1.16-3woody1_alpha.deb
  Size/MD5 checksum:    53924 e26ca5f38905360771ed53e406cfd551

http://security.debian.org/pool/updates/main/libn/libnids/libnids1_1.16-3woody1_alpha.deb
  Size/MD5 checksum:    21948 05c1ba0882f274c0e91b366158c3aba6

  ARM architecture:


http://security.debian.org/pool/updates/main/libn/libnids/libnids-dev_1.16-3woody1_arm.deb
  Size/MD5 checksum:    49500 2861aab1d3425667206a39fe1a18236e

http://security.debian.org/pool/updates/main/libn/libnids/libnids1_1.16-3woody1_arm.deb
  Size/MD5 checksum:    18684 b56d1950c95bb179f70216b1a2d18659

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/libn/libnids/libnids-dev_1.16-3woody1_i386.deb
  Size/MD5 checksum:    47424 0a0ee5573c7f849a0c4b8a6c60c6a080

http://security.debian.org/pool/updates/main/libn/libnids/libnids1_1.16-3woody1_i386.deb
  Size/MD5 checksum:    17074 9b0358382397ba1d8b0485dede78892f

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/libn/libnids/libnids-dev_1.16-3woody1_ia64.deb
  Size/MD5 checksum:    59322 7a024fb46ce17e1ee6f3c0e201627c42

http://security.debian.org/pool/updates/main/libn/libnids/libnids1_1.16-3woody1_ia64.deb
  Size/MD5 checksum:    28432 8934206dbb404dc64d4c87d9255d5638

  HP Precision architecture:


http://security.debian.org/pool/updates/main/libn/libnids/libnids-dev_1.16-3woody1_hppa.deb
  Size/MD5 checksum:    52302 711d6f7c949a60984ee7d30fb8894160

http://security.debian.org/pool/updates/main/libn/libnids/libnids1_1.16-3woody1_hppa.deb
  Size/MD5 checksum:    20930 62ad021f6c7767cc8a4454096ccd1d1d

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/libn/libnids/libnids-dev_1.16-3woody1_m68k.deb
  Size/MD5 checksum:    46716 feaeeac9a1f2762313d8e59f313373e1

http://security.debian.org/pool/updates/main/libn/libnids/libnids1_1.16-3woody1_m68k.deb
  Size/MD5 checksum:    16674 4cb2fd1cdbbf5900474f4329bab3bfbc

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/libn/libnids/libnids-dev_1.16-3woody1_mips.deb
  Size/MD5 checksum:    52226 e0abaa180510965d91faed6b3cf14aae

http://security.debian.org/pool/updates/main/libn/libnids/libnids1_1.16-3woody1_mips.deb
  Size/MD5 checksum:    18658 731f3f124e0f50dd0f2ad12edddacebc

  Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/libn/libnids/libnids-dev_1.16-3woody1_mipsel.deb
  Size/MD5 checksum:    52404 588dc4b4cc9526f43dbe758ac42a5fa7

http://security.debian.org/pool/updates/main/libn/libnids/libnids1_1.16-3woody1_mipsel.deb
  Size/MD5 checksum:    18894 f138fa9a58029d8d4045214f689f433a

  PowerPC architecture:



tiger: howto manage flood of `deleted files' alerts ???

2004-01-05 Thread Michael D Schleif
I have been using tiger for nearly a year.  Several months ago, a new
test was added in:

   /usr/lib/tiger/scripts/check_finddeleted

Since then, several of my servers are flooded with alerts like this:

   NEW: --FAIL-- [kis011f] Server [apache] (pid 31863) is using deleted files

Yes, I know what it means; but, of the thousands that I have received, I
have not found one that warranted the alert.

No, I do *not* want to turn OFF this check; but, I need to find some way
to manage the output of this check.  I have searched the archives of
debian-user and debian-security, and I have googled; but, I have not
found a solution to this dilemma.

What do you think?

-- 
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--


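The check_finddeleted finding above is one alert per process, with no way to say which deleted files matter. The following is an added example written for this archive page, not tiger's own script: it parses /proc/<pid>/maps, keeps only mappings marked "(deleted)", suppresses paths that match an operator allowlist (unlinked scratch files under /tmp, shared-memory segments), and flags deleted executables and shared libraries separately, because a daemon still mapping a .so that a package upgrade replaced (the ethereal, bind and libnids updates earlier on this page are exactly that situation) keeps running the old code until it is restarted. The allowlist patterns, the apache maps excerpt and the file names in it are constructed for the demonstration.

```python
"""Triage of "process is using deleted files" findings.

Added example for this archive page; it is not tiger's check_finddeleted
script. It parses /proc/<pid>/maps lines, keeps the mappings marked
"(deleted)", suppresses paths matching an operator allowlist, and flags
deleted executables and shared libraries separately: a daemon still mapping
a library that a package upgrade replaced is running the old code until it
is restarted, which is the one kind of deleted-file alert worth acting on
after a security update.
"""
import re

# Operator allowlist of routinely deleted paths; an assumption for illustration,
# to be tuned per host.
DEFAULT_ALLOW = [
    r"^/tmp/",
    r"^/var/tmp/",
    r"^/dev/shm/",
    r"^/SYSV[0-9a-f]{8}$",      # System V shared-memory segments as listed in maps
]
_CODE_RE = re.compile(r"\.so(\.\d+)*$|^/(usr/)?s?bin/")
_DELETED = "(deleted)"


def deleted_mappings(maps_text):
    """Distinct paths of all mappings marked (deleted), in first-seen order."""
    seen, found = set(), []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)       # address perms offset dev inode [pathname]
        if len(parts) < 6:
            continue                      # anonymous mapping, no backing file
        path = parts[5].strip()
        if not path.endswith(_DELETED):
            continue
        path = path[: -len(_DELETED)].rstrip()
        if path not in seen:
            seen.add(path)
            found.append(path)
    return found


def triage(maps_text, allow=DEFAULT_ALLOW):
    """Split deleted mappings into suppressed / restart_needed / review lists."""
    allow_re = [re.compile(p) for p in allow]
    result = {"suppressed": [], "restart_needed": [], "review": []}
    for path in deleted_mappings(maps_text):
        if any(r.search(path) for r in allow_re):
            result["suppressed"].append(path)
        elif _CODE_RE.search(path):
            result["restart_needed"].append(path)
        else:
            result["review"].append(path)
    return result


def format_alerts(name, pid, result):
    """Lines to emit in tiger's --FAIL--/--WARN-- style; suppressed paths print nothing."""
    lines = ["--FAIL-- Server [%s] (pid %d) maps deleted code %s; restart it" % (name, pid, p)
             for p in result["restart_needed"]]
    lines += ["--WARN-- Server [%s] (pid %d) is using deleted file %s" % (name, pid, p)
              for p in result["review"]]
    return lines


def triage_pid(pid, allow=DEFAULT_ALLOW):
    """Run the triage against a live process (Linux only)."""
    with open("/proc/%d/maps" % pid) as f:
        return triage(f.read(), allow)


# Constructed /proc/<pid>/maps excerpt for an apache process; not captured from a real host.
SAMPLE_MAPS = """\
08048000-080a5000 r-xp 00000000 03:01 12345      /usr/sbin/apache
40000000-40013000 r-xp 00000000 03:01 22222      /lib/ld-2.2.5.so
40200000-402e0000 r-xp 00000000 03:01 33333      /usr/lib/libssl.so.0.9.6 (deleted)
402e0000-402e8000 rw-p 000e0000 03:01 33333      /usr/lib/libssl.so.0.9.6 (deleted)
40300000-40310000 rw-s 00000000 03:01 44444      /tmp/apache_session.XXXXXX (deleted)
40310000-40311000 rw-s 00000000 00:05 55555      /SYSV0001a2b3 (deleted)
40400000-40420000 r--p 00000000 03:01 66666      /var/log/apache/access.log (deleted)
bfffe000-c0000000 rwxp fffff000 00:00 0
"""

if __name__ == "__main__":
    for line in format_alerts("apache", 31863, triage(SAMPLE_MAPS)):
        print(line)
```

Run against the sample, the thousands of identical "is using deleted files" lines collapse to one actionable FAIL (the replaced libssl, restart apache) and one WARN (a rotated log still mapped); the scratch files and the shared-memory segment produce nothing.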


Re: suspicious files in /tmp

2004-01-05 Thread Rick Moen
Quoting Marcel Weber ([EMAIL PROTECTED]):

 But what made me shudder was this: In the /tmp folder I found these files:
 
 drwx--   2 root root   48 Aug 10 19:36 Ib2KZi
 drwx--   2 root root   88 Jan  3 06:12 MF2oMw
 drwx--   2 root root   48 Aug 11 16:32 S0oNze
 srwxr-x---   1 root root0 Aug 10 20:32 fileCOpZW0
 -rw-r--r--   1 root root   11 Aug 10 20:10 fileXVutPe
 drwx--   2 root root   48 Aug 10 19:37 nYBXvZ
 
 And in the /tmp/MF20Mw folder this one (I attached it to the posting):
 
 -rw---   1 root root 8192 Aug 10 19:33 L8823-7955TMP.txt.gz
 
 Is this a left over from an attempt to hack my system? 

Highly unlikely.  Attackers know that /tmp isn't an out-of-the-way
place.  Admins and other users look there all the time.  Intruders tend
to hide things away in places like boring-sounding subdirectories of /dev.

Speaking of that:  I'll bet that, if you looked around in /tmp more
often, you'd see lots of temporary files and directories like that, from
time to time -- especially after installing and building software.

 How can I check what happened and if the attacker succeeded? 

Read the advisories from your well-tuned IDS.  ;-)
http://linuxgazette.net/issue98/moen.html

-- 
Cheers,A raccoon tangled with a 23,000 volt line, today.  The results
Rick Moen   blacked out 1400 homes and, of course, one raccoon.
[EMAIL PROTECTED]  -- Steel City News


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: suspicious files in /tmp

2004-01-05 Thread Marcel Weber
Emmanuel Lacour wrote:



It's a gzip file of the perl modules available from CPAN...

Try zcat your_file


Thanks! I counter-checked and indeed I upgraded perl to 5.8.0 on the 
same date as these suspicious directories. In this case everything 
should be fine. The env and netstat were false alarms and the /tmp files 
were some CPAN left overs...

Thanks again!

Marcel





another kernel vulnerability

2004-01-05 Thread Thomas Sjögren
If you haven't heard it already:
Synopsis:  Linux kernel do_mremap local privilege escalation
vulnerability
Product:   Linux kernel
Version:   2.2, 2.4 and 2.6 series
http://isec.pl/vulnerabilities/isec-0013-mremap.txt

Patch:
http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]

/Thomas
-- 
== [EMAIL PROTECTED] | [EMAIL PROTECTED]
== Encrypted e-mails preferred | GPG KeyID: 114AA85C
--




Re: suspicious files in /tmp

2004-01-05 Thread Rick Moen
Quoting Marcel Weber ([EMAIL PROTECTED]):

[Snip explanation for suspicious directories, which sadly doesn't
suffice to imply the more general conclusion]

 In this case everything should be fine.

Actually, you don't know that.

I just thought I'd mention that fact, to add an extra frisson of
generalised paranoia to your day.  ;-)

-- 
Cheers,
Rick Moen This .signature intentionally left blank.
[EMAIL PROTECTED]  





Re: another kernel vulnerability

2004-01-05 Thread Ricardo Kustner
On Monday 05 January 2004 15:50, Thomas Sjögren wrote:
 If you haven't heard it already:
 Synopsis:  Linux kernel do_mremap local privilege escalation
 vulnerability
 Product:   Linux kernel
 Version:   2.2, 2.4 and 2.6 series
 http://isec.pl/vulnerabilities/isec-0013-mremap.txt
 http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]

Yeah I just finished updating my first server of many ;-)
BTW even though not all mirrors are updated yet, you can get a patch from 
www.kernel.org -- that would probably be a better place to get the patch 
from.

Regards,

Ricardo.

-- 


Ricardo Kustner
PGP-key: http://www.ic-s.nl/keys/ricardo.txt





Re: suspicious files in /tmp

2004-01-05 Thread s. keeling
Incoming from Rick Moen:
 Quoting Marcel Weber ([EMAIL PROTECTED]):
 
  But what made me shudder was this: In the /tmp folder I found these files:
  
  drwx--   2 root root   48 Aug 10 19:36 Ib2KZi
  drwx--   2 root root   88 Jan  3 06:12 MF2oMw
  drwx--   2 root root   48 Aug 11 16:32 S0oNze
  
  Is this a left over from an attempt to hack my system? 
 
 Highly unlikely.  Attackers know that /tmp isn't an out-of-the-way
 place.  Admins and other users look there all the time.  Intruders tend
 to hide things away in places like boring-sounding subdirectories of /dev .
 
  How can I check what happened and if the attacker succeeded? 
 
 Read the advisories from your well-tuned IDS.  ;-)
 http://linuxgazette.net/issue98/moen.html

Install chkrootkit (www.chkrootkit.org) and run it regularly (from
cron).  It's very easy to use, and chkrootkit-users is a very low
volume, high S/N ratio list.

BTW:

(0) keeling /home/keeling/dox_ all `which netstat` `which env`
-rwxr-xr-x1 root root86892 Nov 23  2001 /bin/netstat*
-rwxr-xr-x1 root root10332 Jul 26  2001 /usr/bin/env*

1 Mb is *way* out of line!


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -





Re: another kernel vulnerability

2004-01-05 Thread Thijs Welman
Hi,

Ricardo Kustner wrote:

Yeah I just finished updating my first server of many ;-)
BTW even though not all mirrors are updated yet, you can get a patch from 
www.kernel.org -- that would probably be a better place to get the patch 
from.
This issue has been fixed in the 2.4.24 version (2004-01-05 13:55 UTC)

Changelog:
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.24
regards,

Thijs Welman



Re: 2.4.18-bf2.4 version confusion, patches?

2004-01-05 Thread Matt Zimmerman
On Mon, Jan 05, 2004 at 02:26:12PM +0100, kuene wrote:

 thanks a lot to all.
 
 now I really understand. :b
 
 below I write down what I have understood.
 please correct me if I am still wrong.

You are still wrong.  What you do not understand is, when you install
Debian, you do not have the package kernel-image-2.4.18-bf2.4 installed.
You have a copy of some of the files in that package, but the package itself
is not installed, and so will never be automatically upgraded.

-- 
 - mdz





Re: suspicious files in /tmp

2004-01-05 Thread Bill Marcum
On Mon, Jan 05, 2004 at 02:44:05PM +0100, Marcel Weber wrote:
 Hi
 
 It isn't exactly a debian question, but nevertheless I think this is the 
 appropriate place to post this.
 
 I ran chkrootkit 0.43 on my LFS box. This system is a mail and web 
 server. Chkrootkit complained about two files: /bin/netstat and 
 /usr/bin/env.

What exactly did chkrootkit say about those files?  Were they writable
by non-root users, did they have setuid permission, or what?

-- 
Absurd Procrustean Egghead Cornstarch Variant Bill Marcum





Re: another kernel vulnerability

2004-01-05 Thread Teófilo Ruiz Suárez
On Mon, 05-01-2004 at 16:38, Thijs Welman wrote:
 Hi,
 
 Ricardo Kustner wrote:
 
  Yeah I just finished updating my first server of many ;-)
  BTW even though not all mirrors are updated yet, you can get a patch from 
  www.kernel.org -- that would probably be a better place to get the patch 
  from.
 
 This issue has been fixed in the 2.4.24 version (2004-01-05 13:55 UTC)
 
 Changelog:
 http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.24

What about 2.6? Is it fixed anyhow?

Regards.
-- 
teo

Res publica non dominetur




Re: another kernel vulnerability

2004-01-05 Thread Kjetil Kjernsmo
On Monday 05 January 2004 16:38, Thijs Welman wrote:
 This issue has been fixed in the 2.4.24 version (2004-01-05 13:55
 UTC)

 Changelog:
 http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.24

Yeah, it seems Marcello released this to specifically address this 
issue. Perhaps he has adopted the policy of keeping a separate tree 
with just critical updates for the cases where things like this 
happen, so a new kernel can be pushed out the door rapidly. I remember 
seeing the policy proposal discussed on Kerneltrap some weeks ago. 

Anyway, any idea when we will see a kernel-source-2.4.24 package?

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/OpenPGP KeyID: 6A6A0BBC





Re: tiger: howto manage flood of `deleted files' alerts ???

2004-01-05 Thread Ryan Bradetich
Michael,

Javier appears to be addressing this issue in the following debian bug
report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=225112

Hope this helps.

Thanks,

- Ryan

 No, I do *not* want to turn OFF this check; but, I need to find some way
 to manage the output of this check.  I have searched the archives of
 debian-user and debian-security, and I have googled; but, I have not
 found a solution to this dilemma.
 
 What do you think?





Re: [SECURITY] [DSA 407-1] New ethereal packages fix several vulnerabilities

2004-01-05 Thread s. keeling
Incoming from Martin Schulze:
 
 - --
 Debian Security Advisory DSA 407-1 [EMAIL PROTECTED]
 http://www.debian.org/security/ Martin Schulze
 January 5th, 2004   http://www.debian.org/security/faq
 - --
 
 Package: ethereal

This showed up this morning with a couple of others (lftp, screen), so
I did apt-get update ; apt-get upgrade.  That picked up the others but
not ethereal.  Why is that?  I had ethereal installed, though I've
never used it.

It was easily sorted out with apt-get install ethereal; I just wonder
why it didn't come along with the other two updates.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -





Re: suspicious files in /tmp

2004-01-05 Thread Marcel Weber
Bill Marcum wrote:

On Mon, Jan 05, 2004 at 02:44:05PM +0100, Marcel Weber wrote:



What exactly did chkrootkit say about those files?  Were they writable
by non-root users, did they have setuid permission, or what?
They had the following access rights:

They had the usual access rights 751. chkrootkit just said INFECTED but 
nothing more about them.

Whatever, I guess during the initial setup of LFS I made a mistake and 
compiled these files statically... This probably explains the size. I do 
not think that they belong to a rootkit, as I have the same files 
on my initial install backup.

Anyways, if someone is interested in them, I could send them, but I 
think 1.3 MB of files is too much for this mailing list...

Regards

Marcel

PS: I installed AIDE on this box which is run on a daily basis now. 
(Before this I only had logwatch and some manual tiger run from time to 
time)







Re: 2.4.18-bf2.4 version confusion, patches?

2004-01-05 Thread Paul E Condon
On Mon, Jan 05, 2004 at 07:57:15AM -0800, Matt Zimmerman wrote:
 On Mon, Jan 05, 2004 at 02:26:12PM +0100, kuene wrote:
 
  thanks a lot to all.
  
  now I really understand. :b
  
  below I write down what I have understood.
  please correct me if I am still wrong.
 
 You are still wrong.  What you do not understand is, when you install
 Debian, you do not have the package kernel-image-2.4.18-bf2.4 installed.
 You have a copy of some of the files in that package, but the package itself
 is not installed, and so will never be automatically upgraded.
 

I've been following this thread, trying to learn something. I'm
beginning to realize that, within Debian, the meaning to the word
'install' is highly context dependent, especially when the object
being installed is a kernel.

For instance, the initial install of Debian puts a file structure on
the hard disk, but this is not an install of a Debian package.

The initial install of Debian also puts a file containing a kernel
image into that file structure at an appropriate place so that it can
be used to boot the system. In some contexts this action might be
referred to as install of a kernel, but it is NOT an install of a
kernel-image debian package.

When the initial install of Debian is complete, a kernel-image debian
package is NOT (yet) installed. 

The Debian apt-get / dpkg system does not upgrade/update files that
are not part of a Debian package. (Double negative intended.)

In order to bring the kernel that is being used into the management
system of the apt-get/dpkg, one must 'install' a Debian package that
contains the image file that is pointed to by the softlink
/vmlinuz. You can install the debian package for the kernel that you
are actually using, or you can install a debian package for a kernel
that will also work on your hardware, with, maybe less bloat and
better code optimization. 

Upgrade of a running kernel is fraught with difficulties. Instead, the
upgrade version of the kernel is placed on the hard disk during the
'install' of the kernel-image package and the user/admin is told to
reboot the computer. Because of this, you should never try to have a
kernel 'upgraded automatically'.

HTH

-- 
Paul E Condon   
[EMAIL PROTECTED]


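The distinction drawn in this thread (files copied by the installer versus a kernel-image package that dpkg tracks) can be checked directly. The following is an added example written for this archive page, not a Debian tool: it compares `uname -r` with the installed kernel-image packages reported by `dpkg-query -W -f='${Package} ${Status}\n' 'kernel-image-*'`, both passed in as text so the check runs on a constructed sample offline; `check_live()` runs the real commands on a Debian host. The package names and statuses in the sample are constructed.

```python
"""Is the running kernel managed by dpkg?

Added example for this archive page, not a Debian tool. The thread's point:
the kernel the installer copies into /boot is not the kernel-image-<version>
package, so apt-get upgrade will never replace it. This helper checks the
running kernel version against installed kernel-image packages.
"""
import subprocess

_PREFIX = "kernel-image-"
_INSTALLED = "install ok installed"      # the three-word ${Status} dpkg prints for installed packages


def installed_kernel_images(dpkg_query_output):
    """Parse lines of `dpkg-query -W -f='${Package} ${Status}\\n' 'kernel-image-*'`.

    Returns the set of kernel version strings whose package is fully installed.
    """
    installed = set()
    for line in dpkg_query_output.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                     # blank or malformed line
        pkg, status = parts[0], " ".join(parts[1:4])
        if pkg.startswith(_PREFIX) and status == _INSTALLED:
            installed.add(pkg[len(_PREFIX):])
    return installed


def running_kernel_is_packaged(uname_r, dpkg_query_output):
    """True only if a kernel-image package matching `uname -r` is installed."""
    return uname_r in installed_kernel_images(dpkg_query_output)


def check_live():
    """Run the real commands on a Debian host; returns (uname_r, is_packaged)."""
    uname_r = subprocess.check_output(["uname", "-r"], text=True).strip()
    out = subprocess.check_output(
        ["dpkg-query", "-W", "-f=${Package} ${Status}\n", "kernel-image-*"], text=True)
    return uname_r, running_kernel_is_packaged(uname_r, out)


# Constructed dpkg-query output: the installer's bf2.4 kernel is known to dpkg but
# not installed as a package, while a 686 kernel-image package is installed.
SAMPLE_DPKG = """\
kernel-image-2.4.18-bf2.4 unknown ok not-installed
kernel-image-2.4.18-1-686 install ok installed
"""

if __name__ == "__main__":
    for version in ("2.4.18-bf2.4", "2.4.18-1-686"):
        print(version, "packaged" if running_kernel_is_packaged(version, SAMPLE_DPKG)
              else "NOT packaged: apt-get upgrade will not update it")
```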



Re: another kernel vulnerability

2004-01-05 Thread Andreas Barth
* Thomas Sjögren ([EMAIL PROTECTED]) [040105 16:10]:
 If you haven't heard it already:
 Synopsis:  Linux kernel do_mremap local privilege escalation
 vulnerability
 Product:   Linux kernel
 Version:   2.2, 2.4 and 2.6 series
 http://isec.pl/vulnerabilities/isec-0013-mremap.txt
 
 Patch:
 http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]

There's one other security problem open in 2.4.* (24), see
http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]
http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED] (second is
fix for the first fix).


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C





Re: [SECURITY] [DSA 411-1] New mpg321 packages fix format string vulnerability - PGP key?

2004-01-05 Thread s. keeling
Incoming from Matt Zimmerman:
 Debian Security Advisory DSA 411-1 [EMAIL PROTECTED]
 http://www.debian.org/security/ Matt Zimmerman
 January 5th, 2004   http://www.debian.org/security/faq
 
 Package: mpg321
 Vulnerability  : format string
 Problem-Type   : remote
 Debian-specific: no
 CVE Ids: CAN-2003-0969

Were any of you able to verify the PGP signatures on the latest
debian-security-announce messages?  I can't:

  [-- PGP output follows (current time: Mon 05 Jan 2004 10:30:43 PM MST) --]
  gpg: Signature made Mon 05 Jan 2004 07:51:35 PM MST using DSA key ID 43E25D1E
  gpg: Can't check signature: public key not found
  [-- End of PGP output --]

I'm using mutt, and ESC-P usually works checking traditional PGP
signatures, but not with these three (bind, libnids, mpg321).


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -





Re: [SECURITY] [DSA 411-1] New mpg321 packages fix format string vulnerability - PGP key?

2004-01-05 Thread ZsoL
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 06 January 2004 06.37, s. keeling wrote:
 Incoming from Matt Zimmerman:
  Debian Security Advisory DSA 411-1
  [EMAIL PROTECTED] http://www.debian.org/security/  
Matt Zimmerman January 5th, 2004  
  http://www.debian.org/security/faq
 
  Package: mpg321
  Vulnerability  : format string
  Problem-Type   : remote
  Debian-specific: no
  CVE Ids: CAN-2003-0969

 Were any of you able to verify the PGP signatures on the latest
 debian-security-announce messages?  I can't:

   [-- PGP output follows (current time: Mon 05 Jan 2004 10:30:43 PM MST)
 --] gpg: Signature made Mon 05 Jan 2004 07:51:35 PM MST using DSA key ID
 43E25D1E gpg: Can't check signature: public key not found
   [-- End of PGP output --]

 I'm using mutt, and ESC-P usually works checking traditional PGP
 signatures, but not with these three (bind, libnids, mpg321).


 --
 Any technology distinguishable from magic is insufficiently advanced.
 (*)   http://www.spots.ab.ca/~keeling
 - -
maybe you have to import [EMAIL PROTECTED]'s public key.
ZsoL
- -- 
ICQ#: 66782170
PGP key: http://pks.gpg.cz:11371/pks/lookup?op=get&search=0x440202C3137B1CB4
I love deadlines. I like the whooshing sound they make as they fly by. - 
Douglas Adams
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQE/+lHZRAICwxN7HLQRAmk9AKC9NYqT7GOgOw9ClKkwV+2KskLq3QCfTtcX
TypB/rTlckTUvsO1U/ZYEus=
=G2Rd
-END PGP SIGNATURE-





tiger: howto manage flood of `deleted files' alerts ???

2004-01-05 Thread Michael D Schleif
I have been using tiger for nearly a year.  Several months ago, a new
test was added in:

   /usr/lib/tiger/scripts/check_finddeleted

Since then, several of my servers are flooded with alerts like this:

   NEW: --FAIL-- [kis011f] Server [apache] (pid 31863) is using deleted files

Yes, I know what it means; but, of the thousands that I have received, I
have not found one that warranted the alert.

No, I do *not* want to turn OFF this check; but, I need to find some way
to manage the output of this check.  I have searched the archives of
debian-user and debian-security, and I have googled; but, I have not
found a solution to this dilemma.

What do you think?

-- 
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--
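One way to keep the check enabled while taming its output is to post-process the alerts rather than the check itself: collapse the per-pid lines into one entry per service and only shout about services the operator has not reviewed. The script below is an added example, not part of tiger or of the original post; the alert line format is the one quoted above, while the sample lines and the allow-list of reviewed services are constructed for the example.

```python
"""Collapse tiger check_finddeleted alerts into a per-service digest.

Added example, not part of tiger or of the original post. It assumes the
alert line format shown in the post and a locally maintained allow-list of
services the operator has already reviewed (for instance a daemon that has
not been restarted since its log file or a library was replaced); both the
allow-list contents and the sample lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample alerts modelled on the line quoted in the post.
SAMPLE_ALERTS = """\
NEW: --FAIL-- [kis011f] Server [apache] (pid 31863) is using deleted files
NEW: --FAIL-- [kis011f] Server [apache] (pid 31864) is using deleted files
NEW: --FAIL-- [kis011f] Server [apache] (pid 31865) is using deleted files
NEW: --FAIL-- [kis011f] Server [sshd] (pid 402) is using deleted files
NEW: --FAIL-- [kis011f] Server [unknownd] (pid 7331) is using deleted files
some unrelated tiger output line
"""

# Hypothetical allow-list: services the operator has reviewed and accepts.
ALLOWED_SERVERS = frozenset({"apache"})

ALERT_RE = re.compile(
    r"--FAIL-- \[(?P<code>\w+)\] Server \[(?P<server>[^\]]+)\] "
    r"\(pid (?P<pid>\d+)\) is using deleted files"
)


def parse_alerts(text):
    """Return (code, server, pid) for every deleted-files alert in text."""
    found = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            found.append((m["code"], m["server"], int(m["pid"])))
    return found


def summarize(alerts, allowed=ALLOWED_SERVERS):
    """Group alerts by server name and split them into allowed and unexpected.

    Returns (allowed_hits, unexpected), each {server: sorted pids}, so
    thousands of per-pid lines become one entry per service.
    """
    by_server = defaultdict(set)
    for _code, server, pid in alerts:
        by_server[server].add(pid)
    allowed_hits = {s: sorted(p) for s, p in by_server.items() if s in allowed}
    unexpected = {s: sorted(p) for s, p in by_server.items() if s not in allowed}
    return allowed_hits, unexpected


def report(text, allowed=ALLOWED_SERVERS):
    """Short digest: unexpected services first, reviewed ones as a one-liner."""
    allowed_hits, unexpected = summarize(parse_alerts(text), allowed)
    lines = []
    for server, pids in sorted(unexpected.items()):
        lines.append(f"REVIEW: {server} ({len(pids)} pid(s)) is using deleted files")
    for server, pids in sorted(allowed_hits.items()):
        lines.append(f"known: {server} ({len(pids)} pid(s))")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ALERTS)))
```

The allow-list is the part that needs care: a service goes on it only after someone has looked at which deleted file it holds open (a rotated log is routine, a replaced library means the process is still running old code and wants a restart), and the digest still names every service that is not on the list.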




Re: IPSec WinXP interop

2004-01-05 Thread Jean-Francois Dive
Hi, 

Looks like an IPsec issue, as L2TP can't connect. What do the freeswan
logs look like?

On Wed, Dec 24, 2003 at 12:49:31AM +, Antony Gelberg wrote:
 Hi all,
 
 My first post here - long time d-u subscriber.  I'm trying to set up a
 VPN where WinXP roadwarriors can access a LAN that sits behind a Linux
 router.  I want to use X.509 certificates rather than PSKs.
 
 So I've installed freeswan and l2tpd on the router.  There is quite a
 bit of documentation out there and I have read:
 http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html and
 http://www.jacco2.dds.nl/networking/freeswan-l2tp.html.  Not to mention
 http://www.natecarlson.com/linux/ipsec-x509.php.
 
 I'm running Woody, hence:
 Package: freeswan
 Version: 1.96-1.4
 I heard that Woody l2tpd (0.67) wouldn't work, so I downloaded and
 built 0.69.
 
 I have created a .p12 certificate, which I have successfully imported
 into XP.  It's valid.  The XP VPN connection is set up properly (e.g.
 CHAP on, no PPTP etc.)
 
 But I still can't connect, and I'm sure it's somewhere in the l2tpd/ppp
 config that I have a problem.  The firewall does run iptables, but I've
 disabled it and tried, with the same results.  I'm confident that I've
 altered the iptables rules as specified in the docs.
 
 Here's some various configs:
 
 mailhost:~# cat /etc/ppp/chap-secrets
 # Secrets for authentication using CHAP
 # client        server  secret          IP addresses
 roadwarrior     *       roadwarrior     *
 
 mailhost:~# cat /etc/ipsec.conf
 # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
 
 # More elaborate and more varied sample configurations can be found
 # in FreeS/WAN's doc/examples file, and in the HTML documentation.
 
 # basic configuration
 config setup
 # THIS SETTING MUST BE CORRECT or almost nothing will work;
 # %defaultroute is okay for most simple cases.
 interfaces=%defaultroute
 # Debug-logging controls:  none for (almost) none, all for
 # lots.
 klipsdebug=all
 plutodebug=all
 # Use auto= parameters in conn descriptions to control startup
 # actions.
 plutoload=%search
 plutostart=%search
 # Close down old connection when new one using same ID shows up.
 uniqueids=yes
 
 # defaults for subsequent connection descriptions
 # (mostly to fix internal defaults which, in retrospect, were badly
 # chosen)
 conn %default
 keyingtries=0
 disablearrivalcheck=no
 authby=rsasig
 leftrsasigkey=%cert
 rightrsasigkey=%cert
 
 conn mailhost-rw
 left=firewall public IP
 leftcert=mailhostCert.pem
 leftnexthop=what it says!
 leftsubnet=10.0.0.0/8
 right=%any
 auto=add
 keyingtries=1
 pfs=yes
 
 mailhost:~# cat /etc/l2tp/l2tpd.conf
 ; Sample l2tpd.conf
 ;
 [global]
 ; listen-addr = 192.168.1.98
 
 [lns default]
 ip range = 10.100.100.1-10.100.100.100
 local ip = 10.100.100.101
 require chap = yes
 refuse pap = yes
 require authentication = yes
 name = VPNserver
 ppp debug = yes
 pppoptfile = /etc/ppp/options.l2tpd
 length bit = yes
 
 mailhost:~# cat /etc/ppp/options.l2tpd
 ipcp-accept-local
 ipcp-accept-remote
 auth
 crtscts
 idle 1800
 debug
 lock
 proxyarp
 connect-delay 5000
 
 When I try to log in, I get Error 792: The L2TP connection attempt
 failed because security negotiation timed out.  I don't get any
 verifying username... message.
 
 Nothing in /var/log appears to be of much use.  There's lots of klips
 stuff which is very verbose, but nothing sticks out.
 
 Any insight would be much appreciated.  I must admit I'm still a little
 unclear how the whole idea works, but I believe that IPSec receives the
 connection, then calls l2tpd, which starts ppp.  I can post more config
 / debug if needed.
 
 A
 -- 
 Documentation - http://www.debian.org/doc/
 FAQ - http://www.debian.org/doc/FAQ/
 Install manual (i386) - http://www.debian.org/releases/stable/i386/install
 
 

-- 

- Jean-Francois Dive
-- [EMAIL PROTECTED]

  I think that God in creating Man somewhat overestimated his ability.
  -- Oscar Wilde



sendmail problem:connection timed out

2004-01-05 Thread arun raj
Hello,

I am using sendmail 8.12 on Red Hat Linux 9.0 to send mail. It sends
messages within the internal network, but it does not send messages to
the external network. I want to send mail to [EMAIL PROTECTED], but it is
not sending the mail. The following logs are generated in maillog.
From the messages I understand that it is accepting the mail, but it is
not able to relay to the user_account @hotmail.com.
Please reply as soon as possible. Very urgent.

logs
**
Jan  5 12:04:56 arun sendmail[5213]: i056YuFS005213: from=root, size=133, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], [EMAIL PROTECTED]
Jan  5 12:04:56 arun sendmail[5215]: i056Yuor005215: from=[EMAIL PROTECTED], size=333, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1] (may be forged)
Jan  5 12:04:56 arun sendmail[5213]: i056YuFS005213: [EMAIL PROTECTED], ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30086, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (i056Yuor005215 Message accepted for delivery)
Jan  5 12:07:56 arun sendmail[5217]: i056Yuor005215: to=[EMAIL PROTECTED], ctladdr=[EMAIL PROTECTED] (0/0), delay=00:03:00, xdelay=00:03:00, mailer=esmtp, pri=30286, relay=hotmail.com [64.4.33.7], dsn=4.0.0, stat=Deferred: Connection timed out with hotmail.com

thanks,
arun
my email_id: [EMAIL PROTECTED]


Yahoo! India Matrimony: Find your partner online.
Go to http://yahoo.shaadi.com
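The log excerpt above already contains the answer: the local relay accepted the message (dsn=2.0.0, "Message accepted for delivery") and handed it to a second queue id, and it is that second delivery attempt, to hotmail.com's MX, that is deferred with a 4.x.x status. The following Python script is an added example, not code from the post; it parses maillog records, follows the hand-off from one queue id to the next, and lists the transient and permanent failures together with the relay IP to test. The sample records are constructed to mirror the excerpt (the archive obfuscated the addresses, so user@hotmail.com and root@arun are placeholders).

```python
"""Triage deferred deliveries in a sendmail maillog.

Added example; not code from the original post. The sample records below
are constructed to mirror the maillog excerpt in the post (addresses and
message ids are placeholders).
"""
import re

SAMPLE_MAILLOG = """\
Jan  5 12:04:56 arun sendmail[5213]: i056YuFS005213: from=root, size=133, class=0, nrcpts=1, msgid=<200401050604.i056YuFS005213@arun>, relay=root@localhost
Jan  5 12:04:56 arun sendmail[5215]: i056Yuor005215: from=<root@arun>, size=333, class=0, nrcpts=1, msgid=<200401050604.i056YuFS005213@arun>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1] (may be forged)
Jan  5 12:04:56 arun sendmail[5213]: i056YuFS005213: to=user@hotmail.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30086, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (i056Yuor005215 Message accepted for delivery)
Jan  5 12:07:56 arun sendmail[5217]: i056Yuor005215: to=<user@hotmail.com>, ctladdr=<root@arun> (0/0), delay=00:03:00, xdelay=00:03:00, mailer=esmtp, pri=30286, relay=hotmail.com [64.4.33.7], dsn=4.0.0, stat=Deferred: Connection timed out with hotmail.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>\w+): (?P<rest>.*)$"
)
RELAY_RE = re.compile(r"^(?P<name>\S+)(?: \[(?P<ip>[^\]]+)\])?")
HANDOFF_RE = re.compile(r"Sent \((?P<next>\w+) Message accepted for delivery\)")


def parse_line(line):
    """Split one maillog record into a dict of its key=value fields (or None)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest, stat = m["rest"], None
    if ", stat=" in rest:            # stat= is the last field and may contain commas
        rest, stat = rest.split(", stat=", 1)
    rec = {"ts": m["ts"], "host": m["host"], "qid": m["qid"]}
    for part in rest.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            rec[key] = value
    if stat is not None:
        rec["stat"] = stat
    return rec


def dsn_class(dsn):
    """First digit of an RFC 3463 status: 2 success, 4 transient, 5 permanent."""
    try:
        return int(dsn.split(".")[0])
    except (AttributeError, ValueError):
        return None


def handoffs(text):
    """Map a queue id to the id the message was re-queued under after local relay."""
    out = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and "stat" in rec:
            m = HANDOFF_RE.search(rec["stat"])
            if m:
                out[rec["qid"]] = m["next"]
    return out


def triage(text):
    """One entry per delivery whose DSN is transient (4.x.x) or permanent (5.x.x)."""
    problems = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or "to" not in rec:        # envelope-from records carry no status
            continue
        cls = dsn_class(rec.get("dsn"))
        if cls not in (4, 5):
            continue
        rm = RELAY_RE.match(rec.get("relay", ""))
        name, ip = (rm["name"], rm["ip"]) if rm else (rec.get("relay", ""), None)
        # The checks suggested in the reply: reachability, then a raw SMTP
        # session, then the outbound firewall rules for tcp/25.
        checks = [f"ping {ip}", f"telnet {ip} 25",
                  "review outbound firewall rules for tcp/25"] if ip else []
        problems.append({
            "qid": rec["qid"], "to": rec["to"], "relay": name, "ip": ip,
            "dsn": rec["dsn"], "kind": "deferred" if cls == 4 else "bounced",
            "stat": rec.get("stat", ""), "checks": checks,
        })
    return problems


if __name__ == "__main__":
    for p in triage(SAMPLE_MAILLOG):
        print(f"{p['qid']} to {p['to']} {p['kind']} at {p['relay']} [{p['ip']}]: {p['stat']}")
        print("  next:", "; ".join(p["checks"]))
    print("hand-offs:", handoffs(SAMPLE_MAILLOG))
```

A 4.x.x status means sendmail will keep retrying from the queue, so the message is not lost; the useful question is why a TCP connection to the remote MX on port 25 never completes, which is a routing or filtering question rather than a sendmail one.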



Re: sendmail problem:connection timed out

2004-01-05 Thread Christian Storch
Are you able to ping 64.4.33.7 !?
If so, try 'telnet 64.4.33.7 25' next to get an SMTP prompt.
If nothing works, look at your connection: firewall rules etc.

Besides that, your sendmail seems to work.

Christian

- Original Message - 
From: arun raj [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Sent: Monday, January 05, 2004 11:48 AM
Subject: sendmail problem:connection timed out 


Hello,

I am using sendmail 8.12 on Red Hat Linux 9.0 to send mail. It sends
messages within the internal network, but it does not send messages to
the external network. I want to send mail to [EMAIL PROTECTED], but it is
not sending the mail. The following logs are generated in maillog.
From the messages I understand that it is accepting the mail, but it is
not able to relay to the user_account @hotmail.com.
Please reply as soon as possible. Very urgent.

logs
**
Jan 5 12:04:56 arun sendmail[5213]: i056YuFS005213: from=root, size=133, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], [EMAIL PROTECTED]
Jan 5 12:04:56 arun sendmail[5215]: i056Yuor005215: from=[EMAIL PROTECTED], size=333, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1] (may be forged)
Jan 5 12:04:56 arun sendmail[5213]: i056YuFS005213: [EMAIL PROTECTED], ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30086, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (i056Yuor005215 Message accepted for delivery)
Jan 5 12:07:56 arun sendmail[5217]: i056Yuor005215: to=[EMAIL PROTECTED], ctladdr=[EMAIL PROTECTED] (0/0), delay=00:03:00, xdelay=00:03:00, mailer=esmtp, pri=30286, relay=hotmail.com [64.4.33.7], dsn=4.0.0, stat=Deferred: Connection timed out with hotmail.com

thanks,
arun
my email_id: [EMAIL PROTECTED]








Re: 2.4.18-bf2.4 version confusion, patches?

2004-01-05 Thread kuene
Thanks a lot to all.

Now I really understand. :b

Below I write down what I have understood.
Please correct me if I am still wrong.


In Debian every package is patched if security holes are known.
-- the exception is the package:
kernel-image-2.4.18-bf2.4

Even if you install it (apt-get install kernel-image-2.4.18-bf2.4)
it will be an old one, with security holes!

However, in the past there have been patches for this one: DSA-311

http://www.debian.org/security/2003/dsa-311
DSA-311-1 linux-kernel-2.4.18 -- several vulnerabilities
[snip]
If you are using the kernel installed by the installation system when
the bf24 option is selected (for a 2.4.x kernel), you should install
the kernel-image-2.4.18-bf2.4 package
[snip]
-
Now the package kernel-image-2.4.18-bf2.4 is no longer patched.

-- Quote from Matt Zimmerman [EMAIL PROTECTED]
 More accurately, 
 the installer should have prevented you from falling 
 into this trap in the first place.  
 This is one of the many improvements in
 debian-installer.
--
So it is really strange, because:
apt-cache show kernel-image-2.4.18-bf2.4 
[snip]
 NOTE: This package is primarily intended to be used as the initial
 installation kernel. You may go fine with it but if you need
 additional drivers or optimisation for your CPU type, please look at
 the other kernel-image-2.4.18-* packages.
[snip]

It says: you may go fine with it.
But how can I possibly go fine with it when there are no security
updates??

Summary:
the package kernel-image-2.4.18-bf2.4
is VULNERABLE and should be replaced with another kernel package.

thanks a lot for your help.
greetings
kuene




unsubscribe

2004-01-05 Thread luis clara gomes





suspicious files in /tmp

2004-01-05 Thread Marcel Weber

Hi

It isn't exactly a debian question, but nevertheless I think this is the 
appropriate place to post this.


I ran chkrootkit 0.43 on my LFS box. This system is a mail and web 
server. Chkrootkit complained about two files: /bin/netstat and 
/usr/bin/env. Both of these files were quite big (215 kB and 1 MB), but 
they had the correct date, etc and I checked them against an older 
backup I made before attaching the box to the internet and they look 
the same. I thought that these files were probably still statically 
linked (something that dates back to the setup of the LFS box...)


But what made me shudder was this: In the /tmp folder I found these files:

drwx--   2 root root   48 Aug 10 19:36 Ib2KZi
drwx--   2 root root   88 Jan  3 06:12 MF2oMw
drwx--   2 root root   48 Aug 11 16:32 S0oNze
srwxr-x---   1 root root0 Aug 10 20:32 fileCOpZW0
-rw-r--r--   1 root root   11 Aug 10 20:10 fileXVutPe
drwx--   2 root root   48 Aug 10 19:37 nYBXvZ

And in the /tmp/MF20Mw folder this one (I attached it to the posting):

-rw---   1 root root 8192 Aug 10 19:33 L8823-7955TMP.txt.gz

Is this a leftover from an attempt to hack my system? How can I check 
what happened and if the attacker succeeded? The bad thing is, there are 
no log files left from August. Does anybody have a clue what this 
L8823-7955TMP.txt.gz file could be?


Regards

Marcel






L8823-7955TMP.txt.gz
Description: application/gzip


Re: suspicious files in /tmp

2004-01-05 Thread Emmanuel Lacour
On Mon, Jan 05, 2004 at 02:44:05PM +0100, Marcel Weber wrote:
 Hi
 
 Is this a left over from an attempt to hack my system? How can I check 
 what happened and if the attacker succeeded? The bad thing is, there are 
 no log files left from august. Has anybody a clue what this 
 L8823-7955TMP.txt.gz file could be?
 

It's a gzip file of the perl modules available from CPAN...

Try zcat your_file


-- 
Emmanuel Lacour  Easter-eggs
44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
Phone: +33 (0) 1 43 35 00 37- Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED]   -http://www.easter-eggs.com



another kernel vulnerability

2004-01-05 Thread Thomas Sjögren
If you haven't heard it already:
Synopsis:  Linux kernel do_mremap local privilege escalation
vulnerability
Product:   Linux kernel
Version:   2.2, 2.4 and 2.6 series
http://isec.pl/vulnerabilities/isec-0013-mremap.txt

Patch:
http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]

/Thomas
-- 
== [EMAIL PROTECTED] | [EMAIL PROTECTED]
== Encrypted e-mails preferred | GPG KeyID: 114AA85C
--




Re: suspicious files in /tmp

2004-01-05 Thread Bill Marcum
On Mon, Jan 05, 2004 at 02:44:05PM +0100, Marcel Weber wrote:
 Hi
 
 It isn't exactly a debian question, but nevertheless I think this is the 
 appropriate place to post this.
 
 I ran chkrootkit 0.43 on my LFS box. This system is a mail and web 
 server. Chkrootkit complained about two files: /bin/netstat and 
 /usr/bin/env.

What exactly did chkrootkit say about those files?  Were they writable
by non-root users, did they have setuid permission, or what?

-- 
Absurd Procrustean Egghead Cornstarch Variant Bill Marcum



Re: suspicious files in /tmp

2004-01-05 Thread Rick Moen
Quoting Marcel Weber ([EMAIL PROTECTED]):

[Snip explanation for suspicious directories, which sadly doesn't
suffice to imply the more general conclusion]

 In this case everything should be fine.

Actually, you don't know that.

I just thought I'd mention that fact, to add an extra frisson of
generalised paranoia to your day.  ;-

-- 
Cheers,
Rick Moen This .signature intentionally left blank.
[EMAIL PROTECTED]  



Re: 2.4.18-bf2.4 version confusion, patches?

2004-01-05 Thread Matt Zimmerman
On Mon, Jan 05, 2004 at 02:26:12PM +0100, kuene wrote:

 thanks a lot to all.
 
 now I really understand. :b
 
 below I write down what I have understood.
 please correct me if I am still wrong.

You are still wrong.  What you do not understand is, when you install
Debian, you do not have the package kernel-image-2.4.18-bf2.4 installed.
You have a copy of some of the files in that package, but the package itself
is not installed, and so will never be automatically upgraded.

-- 
 - mdz



Re: another kernel vulnerability

2004-01-05 Thread Kjetil Kjernsmo
On Monday 05 January 2004 16:38, Thijs Welman wrote:
 This issue has been fixed in the 2.4.24 version (2004-01-05 13:55
 UTC)

 Changelog:
 http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.24

Yeah, it seems Marcello released this specifically to address this 
issue. Perhaps he has adopted the policy of keeping a separate tree 
with just critical updates for the cases where things like this 
happen, so a new kernel can be pushed out the door rapidly. I remember 
seeing the policy proposal discussed on Kerneltrap some weeks ago. 

Anyway, any idea when we will see a kernel-source-2.4.24 package?

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/OpenPGP KeyID: 6A6A0BBC



Re: another kernel vulnerability

2004-01-05 Thread Thijs Welman

Hi,

Ricardo Kustner wrote:


Yeah I just finished updating my first server of many ;-)
BTW even though not all mirrors are updated yet, you can get a patch from 
www.kernel.org -- that would probably be a better place to get the patch 
from.


This issue has been fixed in the 2.4.24 version (2004-01-05 13:55 UTC)

Changelog:
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.24


regards,

Thijs Welman



Re: suspicious files in /tmp

2004-01-05 Thread s. keeling
Incoming from Rick Moen:
 Quoting Marcel Weber ([EMAIL PROTECTED]):
 
  But what made me shudder was this: In the /tmp folder I found these files:
  
  drwx--   2 root root   48 Aug 10 19:36 Ib2KZi
  drwx--   2 root root   88 Jan  3 06:12 MF2oMw
  drwx--   2 root root   48 Aug 11 16:32 S0oNze
  
  Is this a left over from an attempt to hack my system? 
 
 Highly unlikely.  Attackers know that /tmp isn't an out-of-the-way
 place.  Admins and other users look there all the time.  Intruders tend
 to hide things away in places like boring-sounding subdirectories of /dev .
 
  How can I check what happened and if the attacker succeeded? 
 
 Read the advisories from your well-tuned IDS.  ;-
 http://linuxgazette.net/issue98/moen.html

Install chkrootkit (www.chkrootkit.org) and run it regularly (from
cron).  It's very easy to use, and chkrootkit-users is a very low
volume, high S/N ratio list.

BTW:

(0) keeling /home/keeling/dox_ all `which netstat` `which env`
-rwxr-xr-x1 root root86892 Nov 23  2001 /bin/netstat*
-rwxr-xr-x1 root root10332 Jul 26  2001 /usr/bin/env*

1 Mb is *way* out of line!


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -



Re: another kernel vulnerability

2004-01-05 Thread Teófilo Ruiz Suárez
On Mon, 05-01-2004 at 16:38, Thijs Welman wrote:
 Hi,
 
 Ricardo Kustner wrote:
 
  Yeah I just finished updating my first server of many ;-)
  BTW even though not all mirrors are updated yet, you can get a patch from 
  www.kernel.org -- that would probably be a better place to get the patch 
  from.
 
 This issue has been fixed in the 2.4.24 version (2004-01-05 13:55 UTC)
 
 Changelog:
 http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.24

What about 2.6? Is it fixed anyhow?

Regards.
-- 
teo

Res publica non dominetur




Re: another kernel vulnerability

2004-01-05 Thread Ricardo Kustner
On Monday 05 January 2004 15:50, Thomas Sjögren wrote:
 If you haven't heard it already:
 Synopsis:  Linux kernel do_mremap local privilege escalation
 vulnerability
 Product:   Linux kernel
 Version:   2.2, 2.4 and 2.6 series
 http://isec.pl/vulnerabilities/isec-0013-mremap.txt
 http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]

Yeah I just finished updating my first server of many ;-)
BTW even though not all mirrors are updated yet, you can get a patch from 
www.kernel.org -- that would probably be a better place to get the patch 
from.

Regards,

Ricardo.

-- 


Ricardo Kustner
PGP-key: http://www.ic-s.nl/keys/ricardo.txt



Re: tiger: howto manage flood of `deleted files' alerts ???

2004-01-05 Thread Ryan Bradetich
Michael,

Javier appears to be addressing this issue in the following debian bug
report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=225112

Hope this helps.

Thanks,

- Ryan

 No, I do *not* want to turn OFF this check; but, I need to find some way
 to manage the output of this check.  I have searched the archives of
 debian-user and debian-security, and I have googled; but, I have not
 found a solution to this dilemma.
 
 What do you think?



Re: [SECURITY] [DSA 407-1] New ethereal packages fix several vulnerabilities

2004-01-05 Thread s. keeling
Incoming from Martin Schulze:
 
 - --
 Debian Security Advisory DSA 407-1 [EMAIL PROTECTED]
 http://www.debian.org/security/ Martin Schulze
 January 5th, 2004   http://www.debian.org/security/faq
 - --
 
 Package: ethereal

This showed up this morning with a couple of others (lftp, screen), so
I did apt-get update ; apt-get upgrade.  That picked up the others but
not ethereal.  Why is that?  I had ethereal installed, though I've
never used it.

It was easily sorted out with apt-get install ethereal; I just wonder
why it didn't come along with the other two updates.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -



Re: suspicious files in /tmp

2004-01-05 Thread Marcel Weber

Bill Marcum wrote:


On Mon, Jan 05, 2004 at 02:44:05PM +0100, Marcel Weber wrote:



What exactly did chkrootkit say about those files?  Were they writable
by non-root users, did they have setuid permission, or what?



They had the usual access rights 751. chkrootkit just said INFECTED but 
nothing more about them.


Whatever, I guess during the initial setup of LFS I made a mistake and 
compiled these files statically... This probably explains the size. I do 
not think that they belong to a rootkit, as I have the same files 
on my initial install backup.


Anyway, if someone is interested in them, I could send them, but I 
think 1.3 MB of files is too much for this mailing list...


Regards

Marcel

PS: I installed AIDE on this box which is run on a daily basis now. 
(Before this I only had logwatch and some manual tiger run from time to 
time)
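Two of the checks made by hand in this thread, "is it statically linked, which would explain the size?" and "is it byte-for-byte the file from the pre-exposure backup?", can be done mechanically. The script below is an added example and not chkrootkit's or AIDE's code: it reads the ELF program headers directly (a dynamically linked executable carries a PT_INTERP entry naming its loader, a static one does not) and compares SHA-256 digests against a baseline. The two ELF images and the baseline dictionary are constructed for the example; a real baseline would hold digests recorded from the trusted backup.

```python
"""Inspect suspicious binaries: static linking and baseline digests.

Added example; this is not chkrootkit's or AIDE's code. It reads the ELF
program headers directly: a dynamically linked executable carries a
PT_INTERP entry naming its loader, a static one does not, which is one
benign explanation for an unusually large /bin/netstat or /usr/bin/env.
It then compares SHA-256 digests with a baseline taken from a trusted
backup, the comparison the poster did by hand. The two ELF images and
the baseline below are constructed for the example.
"""
import hashlib
import struct
import sys

PT_LOAD = 1
PT_INTERP = 3


def elf_is_static(data):
    """True if the ELF image has no PT_INTERP, False if it has one, None if not ELF."""
    if data[:4] != b"\x7fELF" or len(data) < 52:
        return None
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2 and len(data) >= 64:          # ELF64 header offsets
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    elif ei_class == 1:                            # ELF32 header offsets
        (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    else:
        return None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):                    # truncated table: stop, do not guess
            break
        (p_type,) = struct.unpack_from(endian + "I", data, off)
        if p_type == PT_INTERP:
            return False
    return True


def _fake_elf64(ptypes):
    """Constructed minimal little-endian ELF64 image: header plus program headers."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, 0, 64, 0, 0, 64, 56, len(ptypes), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000) for t in ptypes)
    return ehdr + phdrs


STATIC_SAMPLE = _fake_elf64([PT_LOAD])
DYNAMIC_SAMPLE = _fake_elf64([PT_INTERP, PT_LOAD])


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed baseline, standing in for digests recorded from a pre-exposure backup.
SAMPLE_BASELINE = {
    "/bin/netstat": sha256_hex(STATIC_SAMPLE),
    "/usr/bin/env": sha256_hex(STATIC_SAMPLE),
}


def check_against_baseline(current, baseline):
    """Compare {path: bytes} with {path: sha256 hex}; returns {path: verdict}."""
    verdicts = {}
    for path, data in current.items():
        expected = baseline.get(path)
        if expected is None:
            verdicts[path] = "no baseline"
        elif expected == sha256_hex(data):
            verdicts[path] = "unchanged"
        else:
            verdicts[path] = "MODIFIED"
    return verdicts


def describe(path, data, baseline):
    """One-line summary: size, link type, and baseline verdict."""
    link = {True: "static", False: "dynamic", None: "not ELF"}[elf_is_static(data)]
    verdict = check_against_baseline({path: data}, baseline)[path]
    return f"{path}: {len(data)} bytes, {link}, {verdict}"


if __name__ == "__main__":
    # Usage: python3 this_script.py /bin/netstat /usr/bin/env
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(describe(path, fh.read(), SAMPLE_BASELINE))
```

Size alone is not evidence either way; a static build is large and harmless, and a trojaned binary can be padded to any size. What carries weight is the digest match against a baseline that predates the box going online, and that comparison only means something when the hashing runs from a trusted environment (booted from known-good media) rather than with the system's own possibly replaced tools.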







Re: 2.4.18-bf2.4 version confusion, patches?

2004-01-05 Thread Paul E Condon
On Mon, Jan 05, 2004 at 07:57:15AM -0800, Matt Zimmerman wrote:
 On Mon, Jan 05, 2004 at 02:26:12PM +0100, kuene wrote:
 
  thanks a lot to all.
  
  now I really understand. :b
  
  below I write down what I have understood.
  please correct me if I am still wrong.
 
 You are still wrong.  What you do not understand is, when you install
 Debian, you do not have the package kernel-image-2.4.18-bf2.4 installed.
 You have a copy of some of the files in that package, but the package itself
 is not installed, and so will never be automatically upgraded.
 

I've been following this thread, trying to learn something. I'm
beginning to realize that, within Debian, the meaning of the word
'install' is highly context dependent, especially when the object
being installed is a kernel.

For instance, the initial install of Debian puts a file structure on
the hard disk, but this is not an install of a Debian package.

The initial install of Debian also puts a file containing a kernel
image into that file structure at an appropriate place so that it can
be used to boot the system. In some contexts this action might be
referred to as install of a kernel, but it is NOT an install of a
kernel-image debian package.

When the initial install of Debian is complete, a kernel-image debian
package is NOT (yet) installed. 

The Debian apt-get / dpkg system does not upgrade/update files that
are not part of a Debian package. (Double negative intended.)

In order to bring the kernel that is being used into the management
system of apt-get/dpkg, one must 'install' a Debian package that
contains the image file pointed to by the softlink /vmlinuz. You can
install the Debian package for the kernel that you are actually using,
or you can install a Debian package for a kernel that will also work on
your hardware, with maybe less bloat and better code optimization.

Upgrade of a running kernel is fraught with difficulties. Instead, the
upgrade version of the kernel is placed on the hard disk during the
'install' of the kernel-image package and the user/admin is told to
reboot the computer. Because of this, you should never try to have a
kernel 'upgraded automatically'.

HTH

-- 
Paul E Condon   
[EMAIL PROTECTED]
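The distinction drawn above, a booted kernel file versus an installed kernel-image package, can be checked mechanically. The following Python script is an added example and not Debian's own tooling; it relies on dpkg-query and dpkg -S, uses the woody-era kernel-image-<release> package names from this thread (newer releases name the packages linux-image-<release>, hence the second prefix), and the dpkg output strings fed to the parsers are constructed.

```python
"""Is the running kernel covered by an installed kernel-image package?

Added example, not Debian's own tooling. It uses dpkg-query and dpkg -S,
which exist on any Debian system, and the woody-era kernel-image-<release>
package naming from this thread; later releases use linux-image-<release>,
so both prefixes are tried. The dpkg output strings used for testing are
constructed.
"""
import os
import subprocess

PKG_PREFIXES = ("kernel-image-", "linux-image-")


def parse_dpkg_query(output):
    """Parse `dpkg-query -W -f='${Package} ${Status}\\n'` output.

    Keeps only packages whose status ends in "installed"; a package that
    was removed but left its config files ("deinstall ok config-files")
    does not count.
    """
    installed = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[-1] == "installed":
            installed.append(parts[0])
    return installed


def parse_dpkg_search(output):
    """Parse `dpkg -S <path>` output ("pkg: /path") into {path: pkg}."""
    owners = {}
    for line in output.splitlines():
        pkg, sep, path = line.partition(": ")
        if sep:
            owners[path.strip()] = pkg.strip()
    return owners


def kernel_status(release, installed_packages):
    """Classify the running kernel release (the `uname -r` value).

    "managed": a kernel-image/linux-image package for exactly this release is
    installed, so security updates reach it through apt-get upgrade.
    "unmanaged": no such package is installed; the booted image is a loose
    copy of files (the installer's case in this thread) and will never be
    upgraded automatically.
    """
    for prefix in PKG_PREFIXES:
        if prefix + release in installed_packages:
            return "managed"
    return "unmanaged"


def live_report():
    """Run the real queries on a Debian system and return the verdict line."""
    release = os.uname().release
    patterns = [prefix + "*" for prefix in PKG_PREFIXES]
    q = subprocess.run(["dpkg-query", "-W", "-f=${Package} ${Status}\n"] + patterns,
                       capture_output=True, text=True)
    installed = parse_dpkg_query(q.stdout)
    image = os.path.realpath("/vmlinuz") if os.path.exists("/vmlinuz") \
        else f"/boot/vmlinuz-{release}"
    s = subprocess.run(["dpkg", "-S", image], capture_output=True, text=True)
    owner = parse_dpkg_search(s.stdout).get(image)
    status = kernel_status(release, installed)
    return f"running {release}: {status}; {image} owned by {owner or 'no package'}"


if __name__ == "__main__":
    print(live_report())
```

The "unmanaged" verdict is the trap described in this thread: the kernel boots and works, but no package claims it, so `apt-get upgrade` has nothing to upgrade and a kernel advisory never reaches it. The fix is the one given above, install the kernel-image package for the release you run (or another one that suits the hardware) and reboot into it.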



Re: another kernel vulnerability

2004-01-05 Thread Andreas Barth
* Thomas Sjögren ([EMAIL PROTECTED]) [040105 16:10]:
 If you haven't heard it already:
 Synopsis:  Linux kernel do_mremap local privilege escalation
 vulnerability
 Product:   Linux kernel
 Version:   2.2, 2.4 and 2.6 series
 http://isec.pl/vulnerabilities/isec-0013-mremap.txt
 
 Patch:
 http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]

There's one other security problem open in 2.4.* (24); see
http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]
http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED] (the second is a
fix for the first fix).


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C



Re: [SECURITY] [DSA 411-1] New mpg321 packages fix format string vulnerability - PGP key?

2004-01-05 Thread s. keeling
Incoming from Matt Zimmerman:
 Debian Security Advisory DSA 411-1 [EMAIL PROTECTED]
 http://www.debian.org/security/ Matt Zimmerman
 January 5th, 2004   http://www.debian.org/security/faq
 
 Package: mpg321
 Vulnerability  : format string
 Problem-Type   : remote
 Debian-specific: no
 CVE Ids: CAN-2003-0969

Were any of you able to verify the PGP signatures on the latest
debian-security-announce messages?  I can't:

  [-- PGP output follows (current time: Mon 05 Jan 2004 10:30:43 PM MST) --]
  gpg: Signature made Mon 05 Jan 2004 07:51:35 PM MST using DSA key ID 43E25D1E
  gpg: Can't check signature: public key not found
  [-- End of PGP output --]

I'm using mutt, and ESC-P usually works checking traditional PGP
signatures, but not with these three (bind, libnids, mpg321).


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -