Re: iptables and nmap

2007-06-07 Thread Lee Braiden
Hi Joan,

On Thursday 07 June 2007 14:51:51 Joan Hérisson wrote:
> Hello,
>
>   Config:
>   - Debian 2.4.18

This is very old.  For security and better features, you'd be best to upgrade 
to a more recent version of Debian, with a more recent kernel.

>   - iptables with many rules

Without understanding those rules, you're unlikely to get it working.  
IPTables is pretty simple when you take time to understand it -- it's 
literally just a list of tests, and things to do if that test has a positive 
result.  Well, lists (tables) can have other lists/tables, but that's not 
really any more complex.

>   Problems:
>   - I have installed a tomcat 5.5 server. The server is unreachable
> (connection failed from localhost or another host on my local network).

This suggests that the server isn't yet up and running.  Sometimes, installing 
things on debian means they will just work.  Other times, you have to 
configure the thing and enable it.  I've never really bothered with tomcat, 
but given that it's java-based, and fairly heavyweight, I'd expect you have 
to do some configuration before it'll run.  Try 
reading /usr/share/doc/tomcat*/README.Debian.  Also, make sure that the 
server is actually running on port 8080, and that it's listening on the 
correct IPs/interfaces.

>   Tries:
>   Tries:
>   - I have to open port 8080. I have this rule in /etc/init.d.firewal-start :
>   "iptables -A tcp_packets -p TCP -i eth0 -s 0/0 --dport 80 -j allowed"

Appending rules to "many iptables rules" isn't likely to work, if your rules 
end with something that denies all unknown traffic.  You really should try to 
understand your firewall before adding anything to it.  Having said that, 
I've been guilty of not taking enough time for things like that, too :)

>   "iptables -A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed"

As someone else mentioned, this should probably be -j ACCEPT.

>   Results:
>   - The server is still unreachable.

Are you actually seeing an error that says "unreachable"?  That suggests a 
routing problem, or a prohibitive firewall rule before the one you added.

>   - When I do nmap localhost, I have port 80 open but not 8080.
>   - When I comment out the line for port 80 in firewall-start and I
> restart firewall, I do nmap localhost, port 80 is still open.

Your firewall script is broken.  Again, as others suggested, I'd say start 
from scratch -- either with IPTables (if you have the time to understand it) 
or with a simpler/higher-level interface, like firehol, or shorewall.


Remember not to test firewall rules for external interfaces through 
localhost -- use, at least, the ip of the interface in question.  Ideally, 
test from the machine you actually need access to be provided for.

Good luck :)

-- 
Lee Braiden
http://peacejournals.org

"Those who check rising anger as a charioteer checks a rolling
chariot... those, I call true charioteers. Others only hold the
reins."-- Dhammapada, verse 222



Re: iptables and nmap

2007-06-07 Thread Joan Hérisson

Ok,

thank you for your answers. I will try to sum up mine.
It is true that it is not me who wrote the firewall script and that
I do not understand what all the rules do.
I tried different solutions that you proposed but none works, from
localhost, local network or from the internet. The 8080 port remains
closed. I did not try to upgrade my kernel. Actually, I am a little
bit frightened by this idea. Is it really riskless?

Finally, this is the result of the 'iptables -t filter -L -n -v' command:


Chain INPUT (policy DROP 17 packets, 1088 bytes)
 pkts bytes target           prot opt in   out source          destination
  164       ACCEPT           tcp  --  eth0 *   0.0.0.0/0       0.0.0.0/0       tcp dpt:8080
  225 18816 bad_tcp_packets  tcp  --  *    *   0.0.0.0/0       0.0.0.0/0
    0     0 ACCEPT           tcp  --  eth1 *   192.168.0.3     0.0.0.0/0       tcp dpt:22
    0     0 ACCEPT           tcp  --  eth1 *   192.168.0.12    0.0.0.0/0       tcp dpt:22
    0     0 ACCEPT           tcp  --  eth1 *   192.168.0.31    0.0.0.0/0       tcp dpt:22
    0     0 ACCEPT           tcp  --  eth1 *   192.168.0.28    0.0.0.0/0       tcp dpt:22
    0     0 REJECT           tcp  --  eth1 *   0.0.0.0/0       0.0.0.0/0       tcp dpt:22 reject-with icmp-port-unreachable
  162 18088 ACCEPT           all  --  eth1 *   192.168.0.0/24  0.0.0.0/0
   10  1219 ACCEPT           all  --  lo   *   127.0.0.1       0.0.0.0/0
    4   156 ACCEPT           all  --  lo   *   192.168.0.1     0.0.0.0/0
    8   528 ACCEPT           all  --  lo   *   193.51.128.146  0.0.0.0/0
    0     0 ACCEPT           udp  --  eth1 *   0.0.0.0/0       0.0.0.0/0       udp spts:67:68 dpts:67:68
  140 10422 ACCEPT           all  --  *    *   0.0.0.0/0       193.51.128.146  state RELATED,ESTABLISHED
   20  1280 tcp_packets      tcp  --  eth0 *   0.0.0.0/0       0.0.0.0/0
    0     0 udp_packets      udp  --  eth0 *   0.0.0.0/0       0.0.0.0/0
   10   640 icmp_packets     icmp --  eth0 *   0.0.0.0/0       0.0.0.0/0
    0     0 DROP             all  --  eth0 *   0.0.0.0/0       224.0.0.0/8
    3   192 LOG              all  --  *    *   0.0.0.0/0       0.0.0.0/0       limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT INPUT packet died: '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target           prot opt in   out source          destination
    0     0 bad_tcp_packets  tcp  --  *    *   0.0.0.0/0       0.0.0.0/0
    2   152 ACCEPT           all  --  eth1 *   0.0.0.0/0       0.0.0.0/0
    2   152 ACCEPT           all  --  *    *   0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 LOG              all  --  *    *   0.0.0.0/0       0.0.0.0/0       limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT FORWARD packet died: '

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target           prot opt in   out source          destination
  169 22018 bad_tcp_packets  tcp  --  *    *   0.0.0.0/0       0.0.0.0/0
   10  1219 ACCEPT           all  --  *    *   127.0.0.1       0.0.0.0/0
  166 16632 ACCEPT           all  --  *    *   192.168.0.1     0.0.0.0/0
  120 16559 ACCEPT           all  --  *    *   193.51.128.146  0.0.0.0/0
    0     0 LOG              all  --  *    *   0.0.0.0/0       0.0.0.0/0       limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT OUTPUT packet died: '

Chain allowed (20 references)
 pkts bytes target           prot opt in   out source          destination
    3   192 ACCEPT           tcp  --  *    *   0.0.0.0/0       0.0.0.0/0       tcp flags:0x16/0x02
    0     0 ACCEPT           tcp  --  *    *   0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 DROP             tcp  --  *    *   0.0.0.0/0       0.0.0.0/0

Chain bad_tcp_packets (3 references)
 pkts bytes target           prot opt in   out source          destination
    0     0 REJECT           tcp  --  *    *   0.0.0.0/0       0.0.0.0/0       tcp flags:0x12/0x12 state NEW reject-with tcp-reset
  140       LOG              tcp  --  *    *   0.0.0.0/0       0.0.0.0/0       tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `New not syn:'
  140       DROP             tcp  --  *    *   0.0.0.0/0       0.0.0.0/0       tcp flags:!0x16/0x02 state NEW

Chain icmp_packets (1 references)
 pkts bytes target           prot opt in   out source          destination
   10   640 ACCEPT           icmp --  *    *   0.0.0.0/0       0.0.0.0/0       icmp type 8
    0     0 ACCEPT           icmp --  *    *   0.0.0.0/0       0.0.0.0/0       icmp type 11

Chain tcp_packets (1 references)
 pkts bytes target           prot opt in   out source
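As an added example (not code from the thread, and not the poster's firewall script), the Python below hand-transcribes the chains that are visible in the listing above and walks constructed packets through INPUT the way netfilter does: top to bottom, LOG without stopping, user-defined chains returning to the caller when they run out of rules, and the chain policy applied only at the end of INPUT. Left out, and marked as such in the code, are the jumps to tcp_packets and udp_packets (cut off in the listing), the `allowed` chain that only those reach, and the DHCP rule on udp 67:68, which none of the sample packets can reach; the client addresses and ports are constructed. Two facts of the listing become visible in the trace: the jump into tcp_packets is taken only for eth0 (`tcp_packets tcp -- eth0 *`), so a rule appended to tcp_packets with `-i eth1` never sees LAN traffic; and a SYN to tcp/8080 arriving on lo, on eth1 from 192.168.0.0/24, or on eth0 is accepted by INPUT before that jump, so an nmap result of "closed" rather than "filtered" for 8080 means the RST came from the TCP stack (nothing listening on that port), not from a filter rule.

```python
"""Added example: trace constructed packets through the INPUT chain listed above.

CHAINS hand-transcribes the `iptables -t filter -L -n -v` output in this post;
omissions are listed in the comments. Only match types present there are modelled.
"""
import ipaddress

SYN, ACK = 0x02, 0x10            # TCP flag bits, as in `tcp flags:MASK/CMP`
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
POLICY = {"INPUT": "DROP"}       # builtin chain policy; user chains fall through

def rule(target, prot="all", i="*", src="0.0.0.0/0", dst="0.0.0.0/0",
         dport=None, state=None, flags=None, icmp_type=None, prefix=""):
    """One listing line. flags=(mask, cmp, negated) mirrors `tcp flags:[!]MASK/CMP`."""
    return dict(target=target, prot=prot, i=i, src=ipaddress.ip_network(src),
                dst=ipaddress.ip_network(dst), dport=dport, state=state,
                flags=flags, icmp_type=icmp_type, prefix=prefix)

CHAINS = {
    "INPUT": [
        rule("ACCEPT", "tcp", i="eth0", dport=8080),
        rule("bad_tcp_packets", "tcp"),
        rule("ACCEPT", "tcp", i="eth1", src="192.168.0.3", dport=22),
        rule("ACCEPT", "tcp", i="eth1", src="192.168.0.12", dport=22),
        rule("ACCEPT", "tcp", i="eth1", src="192.168.0.31", dport=22),
        rule("ACCEPT", "tcp", i="eth1", src="192.168.0.28", dport=22),
        rule("REJECT", "tcp", i="eth1", dport=22),
        rule("ACCEPT", i="eth1", src="192.168.0.0/24"),
        rule("ACCEPT", i="lo", src="127.0.0.1"),
        rule("ACCEPT", i="lo", src="192.168.0.1"),
        rule("ACCEPT", i="lo", src="193.51.128.146"),
        # omitted: the DHCP rule (udp 67:68 on eth1), which no packet below can reach
        rule("ACCEPT", dst="193.51.128.146", state={"RELATED", "ESTABLISHED"}),
        # omitted: the jumps `tcp_packets tcp -- eth0` and `udp_packets udp -- eth0`,
        # whose chains are cut off in the listing (and `allowed`, reached only from them)
        rule("icmp_packets", "icmp", i="eth0"),
        rule("DROP", i="eth0", dst="224.0.0.0/8"),
        rule("LOG", prefix="IPT INPUT packet died: "),
    ],
    "bad_tcp_packets": [
        rule("REJECT", "tcp", flags=(0x12, 0x12, False), state={"NEW"}),
        rule("LOG", "tcp", flags=(0x16, 0x02, True), state={"NEW"}, prefix="New not syn:"),
        rule("DROP", "tcp", flags=(0x16, 0x02, True), state={"NEW"}),
    ],
    "icmp_packets": [
        rule("ACCEPT", "icmp", icmp_type=8),
        rule("ACCEPT", "icmp", icmp_type=11),
    ],
}

def packet(i, src, dst, prot="tcp", dport=None, flags=SYN, state="NEW", icmp_type=None):
    """A constructed packet as conntrack presents it to the filter table."""
    return dict(i=i, src=ipaddress.ip_address(src), dst=ipaddress.ip_address(dst),
                prot=prot, dport=dport, flags=flags, state=state, icmp_type=icmp_type)

def matches(r, p):
    """True if every match condition of rule r holds for packet p."""
    if r["i"] not in ("*", p["i"]) or r["prot"] not in ("all", p["prot"]):
        return False
    if p["src"] not in r["src"] or p["dst"] not in r["dst"]:
        return False
    if r["dport"] is not None and r["dport"] != p["dport"]:
        return False
    if r["state"] is not None and p["state"] not in r["state"]:
        return False
    if r["icmp_type"] is not None and r["icmp_type"] != p["icmp_type"]:
        return False
    if r["flags"] is not None:
        mask, cmp, negated = r["flags"]
        if ((p["flags"] & mask) == cmp) == negated:
            return False
    return True

def trace(p, chain="INPUT", log=None):
    """Walk `chain` top to bottom; return (verdict, LOG prefixes hit on the way).

    LOG does not end evaluation, a user chain that runs out of rules returns
    to its caller, and a builtin chain that runs out applies its policy.
    """
    log = [] if log is None else log
    for r in CHAINS[chain]:
        if not matches(r, p):
            continue
        if r["target"] == "LOG":
            log.append(r["prefix"])
        elif r["target"] in TERMINAL:
            return r["target"], log
        else:                                    # jump into a user-defined chain
            verdict, log = trace(p, r["target"], log)
            if verdict is not None:
                return verdict, log
    return POLICY.get(chain), log

if __name__ == "__main__":
    wan = ("eth0", "203.0.113.7", "193.51.128.146")       # constructed Internet client
    for name, p in {
        "nmap localhost, SYN to 8080": packet("lo", "127.0.0.1", "127.0.0.1", dport=8080),
        "LAN host on eth1, SYN to 8080": packet("eth1", "192.168.0.50", "192.168.0.1", dport=8080),
        "Internet on eth0, SYN to 8080": packet(*wan, dport=8080),
        "Internet on eth0, bare ACK to 22": packet(*wan, dport=22, flags=ACK),
        "Internet on eth0, ICMP type 3": packet(*wan, prot="icmp", flags=0, icmp_type=3),
    }.items():
        print(f"{name:34} -> {trace(p)}")
```

Run as-is and the verdicts print one per line. The bare-ACK and ICMP cases show the two places a packet is logged before it dies, which is what to look for in the kernel log (`New not syn:` and `IPT INPUT packet died:`) when a connection is being refused by the filter rather than by the service.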

Re: iptables and nmap

2007-06-07 Thread Gian Piero Carrubba
On Thu, 7 Jun 2007 15:51:51 +0200,
"Joan Hérisson" <[EMAIL PROTECTED]> wrote:

>   So I added this rule :
>   "iptables -A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed"
>   where eth1 is the way toward my local network
>
>   Results:
>   - The server is still unreachable.
>   - When I do nmap localhost, I have port 80 open but not 8080.
>   - When I comment out the line for port 80 in firewall-start and I
> restart firewall, I do nmap localhost, port 80 is still open.

Just a further note: you've opened ( or tried to, don't know if the
action was successful ) the port on interface eth1, but you're testing
the rule on localhost ( loopback interface lo ).

Cheers,
Gian Piero.



Roland Lichti is out of the office.

2007-06-07 Thread Roland . Lichti
I will be out of the office from 06.06.2007. I will return on
17.06.2007.

I will answer your message after my return.



Re: Package management and security

2007-06-07 Thread Bernhard R. Link
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [070607 16:21]:
> > >I saw in 'man apt-get' that using apt-get upgrade does not install new
> > >packages or remove an already installed package.
> > >Is it possible that I didn't get the latest security fixes using
> > >apt-get upgrade in a cron job?
>
> afaik, nothing coming through in the security feed is going to introduce
> new package dependencies like this.

Except sometimes kernels (and other things changing their ABI, though I
doubt anything but the kernel will ever change that within a stable release).

On the other hand, installing a kernel automatically alone will not fix
the problem of a too old kernel running.

Respectfully,
Bernhard R. Link


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Package management and security

2007-06-07 Thread Jens Schüßler
* Frédéric PICA <[EMAIL PROTECTED]> wrote:
> Thanks for your answer,
> 
> So I need to do an apt-get dist-upgrade in my cron job to be sure to always
> have the latest security fixes ?
> What's the risk to have a needed package uninstalled by that way ?

You could use the package cron-apt for this; it notifies you about the newly
upgraded packages and can be configured for your needs.

Jens



Re: Package management and security

2007-06-07 Thread Riku Valli

Frédéric PICA wrote:

> Thanks for your answer,
>
> So I need to do an apt-get dist-upgrade in my cron job to be sure to
> always have the latest security fixes?
>
> What's the risk of having a needed package uninstalled that way?
>
> My goal is to have the latest security fixes for a server, but I have
> to be sure that dist-upgrade will not break my server by removing
> needed packages, for example mod_php for apache or things like that.
>
> FP
>
> 2007/6/7, Riku Valli <[EMAIL PROTECTED]>:
>
> > Frédéric PICA wrote:
> > > Greets,
> > >
> > > I saw in 'man apt-get' that using apt-get upgrade does not install new
> > > packages or remove an already installed package.
> > > Is it possible that I didn't get the latest security fixes using
> > > apt-get upgrade in a cron job?
> > > I think particularly about security fixes that can't be retro-ported
> > > to the debian stable version and need to upgrade the package to the
> > > latest author available version; what's going on if the package
> > > dependencies change? Will the security-patched package be installed
> > > with its new dependencies anyway, or will the package not be upgraded?
> > >
> > > Thanks for your help,
> > > FP
> >
> > Hi
> >
> > apt-get upgrade only upgrades your packages to newer versions. When a
> > package upgraded this way needs new extra packages, then upgrade
> > can't upgrade your package. You must install it.
> >
> > -- Riku



Hi

In the normal case, when you use Debian stable, you do only update/upgrade
and possibly need the switch -y (assume yes for every question). At stable,
dependencies normally never change. dist-upgrade is (at stable) only
used when you upgrade Debian releases from older to newer.


In older stable there was only one kernel upgrade which needed manual
intervention.


Maybe this is better explained in man aptitude, see below.

       upgrade
           Upgrades installed packages to their most recent version. Installed
           packages will not be removed unless they are unused (see the
           section "Managing Automatically Installed Packages" in the aptitude
           reference manual); packages which are not currently installed will
           not be installed.

           If a package cannot be upgraded without violating these
           constraints, it will be kept at its current version. Use the
           dist-upgrade command to upgrade these packages as well.

       dist-upgrade
           Upgrades installed packages to their most recent version, removing
           or installing packages as necessary. This command is less
           conservative than upgrade and thus more likely to perform
           unwanted actions. Users are advised to either use upgrade
           instead or to carefully inspect the list of packages to be
           installed and removed.


-- Riku
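The distinction in the man page excerpt has a concrete consequence for a cron job: `apt-get upgrade` never removes anything, but a package whose new version needs a dependency that is not yet installed is "kept back", stays at its old version, and apt-get still exits successfully, so a job running `apt-get -y upgrade` from cron misses exactly the security fix Frédéric is asking about without any error. The Python below is an added example, not code from the thread or from the cron-apt package Jens mentions. It parses the text that `apt-get -s upgrade` prints (`-s` simulates without changing anything, so a cron job can run it first and mail the result), collects the kept-back, removed and new-package lists, and reports what a human needs to see: kept-back packages after `upgrade`, removals after `dist-upgrade`. The two sample outputs are constructed, package names and versions included; the section headers and summary line are the ones apt-get itself prints.

```python
"""Added example: read an `apt-get -s upgrade` report and flag what a silent cron job hides."""
import re

# Section headers apt-get prints before an indented list of package names.
SECTIONS = {
    "The following packages have been kept back:": "kept_back",
    "The following packages will be upgraded:": "upgraded",
    "The following NEW packages will be installed:": "new",
    "The following packages will be REMOVED:": "removed",
}
SUMMARY = re.compile(r"(\d+) upgraded, (\d+) newly installed, (\d+) to remove and (\d+) not upgraded")

# Constructed sample: what `apt-get -s upgrade` prints when two packages need a
# dependency that `upgrade` is not allowed to install (names and versions made up).
SAMPLE_UPGRADE = """\
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages have been kept back:
  example-kernel-image example-webapp
The following packages will be upgraded:
  example-lib example-tool
2 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Inst example-lib [1.0-1] (1.0-1+sec1 Debian-Security:stable)
Inst example-tool [2.3-4] (2.3-4+sec1 Debian-Security:stable)
Conf example-lib (1.0-1+sec1 Debian-Security:stable)
Conf example-tool (2.3-4+sec1 Debian-Security:stable)
"""

# Constructed sample: the same system under `apt-get -s dist-upgrade`, which
# resolves the dependency by installing one package and removing another.
SAMPLE_DIST_UPGRADE = """\
Calculating upgrade...
The following packages will be REMOVED:
  example-webapp-mod
The following NEW packages will be installed:
  example-kernel-image-2
The following packages will be upgraded:
  example-kernel-image example-lib example-tool example-webapp
4 upgraded, 1 newly installed, 1 to remove and 0 not upgraded.
"""


def parse_apt_report(text):
    """Split apt-get output into per-section package lists plus the summary counts.

    Package names follow a header on two-space-indented lines, several per line;
    any other line ends the current section.
    """
    report = {name: [] for name in SECTIONS.values()}
    report["summary"] = None
    current = None
    for line in text.splitlines():
        if line in SECTIONS:
            current = SECTIONS[line]
        elif current and line.startswith("  "):
            report[current].extend(line.split())
        else:
            current = None
            m = SUMMARY.search(line)
            if m:
                report["summary"] = dict(zip(
                    ("upgraded", "newly_installed", "to_remove", "not_upgraded"),
                    map(int, m.groups())))
    return report


def needs_attention(report):
    """Reasons a human has to look: a kept-back package is a security fix that
    quietly did not happen; a removal is the breakage the thread worries about."""
    reasons = []
    if report["kept_back"]:
        reasons.append("kept back, still at the old version: " + ", ".join(report["kept_back"]))
    if report["removed"]:
        reasons.append("would be REMOVED: " + ", ".join(report["removed"]))
    return reasons


if __name__ == "__main__":
    for label, text in (("upgrade", SAMPLE_UPGRADE), ("dist-upgrade", SAMPLE_DIST_UPGRADE)):
        report = parse_apt_report(text)
        print(label, report["summary"])
        for reason in needs_attention(report) or ["nothing to report"]:
            print("  -", reason)
```

In a cron job the natural shape is: capture `apt-get -s upgrade`, feed it through `parse_apt_report`, and mail the output of `needs_attention` when it is non-empty, while still letting the plain `upgrade` run, since it removes nothing. A `dist-upgrade` is then a manual step taken with the removal list in front of you, which is the advice the man page gives.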



Re: Package management and security

2007-06-07 Thread Frédéric PICA

Thanks for your answer,

So I need to do an apt-get dist-upgrade in my cron job to be sure to always
have the latest security fixes?
What's the risk of having a needed package uninstalled that way?

My goal is to have the latest security fixes for a server, but I have to be
sure that dist-upgrade will not break my server by removing needed packages,
for example mod_php for apache or things like that.

FP

2007/6/7, Riku Valli <[EMAIL PROTECTED]>:


> Frédéric PICA wrote:
> > Greets,
> >
> > I saw in 'man apt-get' that using apt-get upgrade does not install new
> > packages or remove an already installed package.
> > Is it possible that I didn't get the latest security fixes using
> > apt-get upgrade in a cron job?
> > I think particularly about security fixes that can't be retro-ported
> > to the debian stable version and need to upgrade the package to the
> > latest author available version; what's going on if the package
> > dependencies change? Will the security-patched package be installed
> > with its new dependencies anyway, or will the package not be upgraded?
> >
> > Thanks for your help,
> > FP
>
> Hi
>
> apt-get upgrade only upgrades your packages to newer versions. When a
> package upgraded this way needs new extra packages, then upgrade
> can't upgrade your package. You must install it.
>
> -- Riku



Re: iptables and nmap

2007-06-07 Thread Németh Tamás
Can you send the output of 'iptables -t filter -L -n -v ' to this mailing 
list?


On 7 June 2007 15:51, Joan Hérisson wrote:
> Hello,
>
>   Config:
>   - Debian 2.4.18
>   - iptables with many rules
>
>   Problems:
>   - I have installed a tomcat 5.5 server. The server is unreachable
> (connection failed from localhost or another host on my local network).
>
>   Tries:
>   - I have to open port 8080. I have this rule in /etc/init.d.firewal-start :
>   "iptables -A tcp_packets -p TCP -i eth0 -s 0/0 --dport 80 -j allowed"
> where eth0 is the way toward the internet.
>   So I added this rule :
>   "iptables -A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed"
>   where eth1 is the way toward my local network
>
>   Results:
>   - The server is still unreachable.
>   - When I do nmap localhost, I have port 80 open but not 8080.
>   - When I comment out the line for port 80 in firewall-start and I
> restart firewall, I do nmap localhost, port 80 is still open.
>
>   I do not find the link between iptables rules and nmap.
>   Some ideas ?
>
> Thank you,
> Joan
> ps: sorry for my english.
>
>
> _
>
> Post-doc GENNETEC
> Programme d'Épigénomique, Genopole®
> Tour Évry2, 10è étage
> 523 Terrasses de l'Agora
> 91034 ÉVRY cedex
>
> Tél : +33 (0)1 69 47 44 34
> Fax : +33 (0)1 69 47 44 37
> Web : http://www.epigenomique.genopole.fr/opencms/opencms/epigenomique/en/perso/joe/
> 



Re: iptables and nmap

2007-06-07 Thread Giacomo A. Catenazzi

Joan Hérisson wrote:

> Hello,
>
> Config:
> - Debian 2.4.18
> - iptables with many rules
>
> Problems:
> - I have installed a tomcat 5.5 server. The server is unreachable
> (connection failed from localhost or another host on my local network).
>
> Tries:
> - I have to open port 8080. I have this rule in /etc/init.d.firewal-start :
> "iptables -A tcp_packets -p TCP -i eth0 -s 0/0 --dport 80 -j allowed"
>   where eth0 is the way toward the internet.
> So I added this rule :
> "iptables -A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed"
> where eth1 is the way toward my local network
>
> Results:
> - The server is still unreachable.
> - When I do nmap localhost, I have port 80 open but not 8080.
> - When I comment out the line for port 80 in firewall-start and I
> restart firewall, I do nmap localhost, port 80 is still open.
>
> I do not find the link between iptables rules and nmap.
> Some ideas ?


You should give us more information!
Is iptables running on the tomcat server?
What about the other rules (i.e. in INPUT and OUTPUT)?
What does the chain "accept" do?

nmap will send packets only to one interface, so you
should run nmap from a computer in the eth0 network and
another run from the eth1 network.

Add some LOG targets in iptables and check the flow!

Cheers,
cate





Re: Package management and security

2007-06-07 Thread paddy
On Thu, Jun 07, 2007 at 05:14:53PM +0300, Riku Valli wrote:
> Frédéric PICA wrote:
> >Greets,
> >
> >I saw in 'man apt-get' that using apt-get upgrade does not install new
> >packages or remove an already installed package.
> >Is it possible that I didn't get the latest security fixes using
> >apt-get upgrade in a cron job?

afaik, nothing coming through in the security feed is going to introduce
new package dependencies like this.

> >I think particularly about security fixes that can't be retro-ported
> >to the debian stable version and need to upgrade the package to the
> >latest author available version,

and you are cron-ing this how ?

Regards,
Paddy





Re: iptables and nmap

2007-06-07 Thread Vladislav Kurz
On Thursday 07 June 2007 15:51, Joan Hérisson wrote:
> Hello,
>
>   Config:
>   - Debian 2.4.18
>   - iptables with many rules
>
>   Problems:
>   - I have installed a tomcat 5.5 server. The server is unreachable
> (connection failed from localhost or another host on my local network).
>
>   Tries:
>   - I have to open port 8080. I have this rule in 
> /etc/init.d.firewal-start :
>   "iptables -A tcp_packets -p TCP -i eth0 -s 0/0 --dport 80 -j allowed"
>   where eth0 is the way toward the internet.
>   So I added this rule :
>   "iptables -A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed"
>   where eth1 is the way toward my local network

Hello,

it seems that you are using some firewall script which uses a lot of user 
defined chains: tcp_packets, allowed. Without understanding which packets get 
filtered by chain tcp_packets and what is happening in chain allowed, it is 
hard to guess what's wrong. Try this:
iptables -A INPUT -p tcp -i eth1 --dport 8080 -j ACCEPT

I suspect that you are using some firewall script made by someone else, and
that script is too complicated to understand for anyone other than the author.
IMHO it's always better to make your own script that has only the rules you 
really need and understand.

>   Results:
>   - The server is still unreachable.
>   - When I do nmap localhost, I have port 80 open but not 8080.
>   - When I comment out the line for port 80 in firewall-start and I
> restart firewall, I do nmap localhost, port 80 is still open.
>
>   I do not find the link between iptables rules and nmap.
>   Some ideas ?

nmap shows you the reality defined by iptables. If nmap shows something 
different than you expected, it just means you do not understand how iptables 
work. You should visit http://www.netfilter.org/ and read man iptables.

-- 
Best regards,
Vladislav Kurz

=== WebStep, s.r.o. (Ltd.) = a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net === [EMAIL PROTECTED] ===





Re: Package management and security

2007-06-07 Thread Riku Valli

Frédéric PICA wrote:

> Greets,
>
> I saw in 'man apt-get' that using apt-get upgrade does not install new
> packages or remove an already installed package.
> Is it possible that I didn't get the latest security fixes using
> apt-get upgrade in a cron job?
> I think particularly about security fixes that can't be retro-ported
> to the debian stable version and need to upgrade the package to the
> latest author available version; what's going on if the package
> dependencies change? Will the security-patched package be installed
> with its new dependencies anyway, or will the package not be upgraded?
>
> Thanks for your help,
> FP

Hi

apt-get upgrade only upgrades your packages to newer versions. When a
package upgraded this way needs new extra packages, then upgrade
can't upgrade your package. You must install it.



-- Riku



Re: iptables and nmap

2007-06-07 Thread Manuel García

On 6/7/07, Joan Hérisson <[EMAIL PROTECTED]> wrote:
>
> Hello,
>
>  Config:
>  - Debian 2.4.18
>  - iptables with many rules
>
>  Problems:
>  - I have installed a tomcat 5.5 server. The server is unreachable
> (connection failed from localhost or another host on my local network).
>
>  Tries:
>  - I have to open port 8080. I have this rule in /etc/init.d.firewal-start :
>  "iptables -A tcp_packets -p TCP -i eth0 -s 0/0 --dport 80 -j allowed"


Well, I don't know what iptables version you are using, but AFAIK it is
not "allowed" but "ACCEPT" that you need.

Another thing you can keep in mind is upgrading your kernel, unless you
are (still) using woody, 'cause Sarge has become the old-stable branch of
the Debian distribution.


>    where eth0 is the way toward the internet.
>  So I added this rule :
>  "iptables -A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed"
>  where eth1 is the way toward my local network
>
>  Results:
>  - The server is still unreachable.
>  - When I do nmap localhost, I have port 80 open but not 8080.
>  - When I comment out the line for port 80 in firewall-start and I restart
> firewall, I do nmap localhost, port 80 is still open.


man nmap:
-p : Only scan specified ports
  Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
And if you have port 80 "OPEN" that's because you have some webserver
running on your machine (maybe apache?)


>  I do not find the link between iptables rules and nmap.
>  Some ideas ?
>
> Thank you,
> Joan
> ps: sorry for my english.


Your english is not so bad, if you compare with mine :-)





> _
>
> Post-doc GENNETEC
> Programme d'Épigénomique, Genopole®
> Tour Évry2, 10è étage
> 523 Terrasses de l'Agora
> 91034 ÉVRY cedex
>
> Tél : +33 (0)1 69 47 44 34
> Fax : +33 (0)1 69 47 44 37
> Web : http://www.epigenomique.genopole.fr/opencms/opencms/epigenomique/en/perso/joe/








--
Manuel Garcia a.k.a "mannyto"
Network and server administrator
Independent consultant
Debian GNU/Linux Testing codename "Lenny"


iptables and nmap

2007-06-07 Thread Joan Hérisson

Hello,

Config:
- Debian 2.4.18
- iptables with many rules

Problems:
- I have installed a tomcat 5.5 server. The server is unreachable
  (connection failed from localhost or another host on my local network).

Tries:
- I have to open port 8080. I have this rule in /etc/init.d.firewal-start :
  "iptables -A tcp_packets -p TCP -i eth0 -s 0/0 --dport 80 -j allowed"
  where eth0 is the way toward the internet.
  So I added this rule :
  "iptables -A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed"
  where eth1 is the way toward my local network

Results:
- The server is still unreachable.
- When I do nmap localhost, I have port 80 open but not 8080.
- When I comment out the line for port 80 in firewall-start and I
  restart firewall, I do nmap localhost, port 80 is still open.

I do not find the link between iptables rules and nmap.
Some ideas ?

Thank you,
Joan
ps: sorry for my english.

_

Post-doc GENNETEC
Programme d'Épigénomique, Genopole®
Tour Évry2, 10è étage
523 Terrasses de l'Agora
91034 ÉVRY cedex

Tél : +33 (0)1 69 47 44 34
Fax : +33 (0)1 69 47 44 37
Web : http://www.epigenomique.genopole.fr/opencms/opencms/epigenomique/en/perso/joe/







Package management and security

2007-06-07 Thread Frédéric PICA

Greets,

I saw in 'man apt-get' that using apt-get upgrade does not install new
packages or remove an already installed package.
Is it possible that I didn't get the latest security fixes using apt-get
upgrade in a cron job?
I think particularly about security fixes that can't be retro-ported to the
debian stable version and need to upgrade the package to the latest author
available version; what's going on if the package dependencies change?
Will the security-patched package be installed with its new dependencies
anyway, or will the package not be upgraded?

Thanks for your help,
FP