Re: goals for hardening Debian: ideas and help wanted
Apologies for the top posting, I'm writing this from my phone.

I get a 403 when trying to access via Orbot/Orweb on an Android 4.1 phone. Amusing.

Lesley

On 24 Apr 2014 03:58, Paul Wise <p...@debian.org> wrote:
> Hi all,
>
> I have written a non-exhaustive list of goals for hardening the Debian
> distribution, the Debian project and computer systems of the Debian
> project, contributors and users.
>
> https://wiki.debian.org/Hardening/Goals
>
> If you have more ideas, please add them to the wiki page.
> If you have more information, please add it to the wiki page.
> If you would like to help, please choose an item and start work.
>
> --
> bye,
> pabs
>
> http://wiki.debian.org/PaulWise
Re: goals for hardening Debian: ideas and help wanted
On 10:57 Thu 24 Apr 2014, Paul Wise wrote:
..[snip]..
> https://wiki.debian.org/Hardening/Goals

Regarding the line (at that page):

    Refuse to install packages that are known to have X number of unplugged
    exploits (i.e. X number of open security bugs in the bug tracker) unless
    e.g. --allow-vulnerable-packages is used. This makes it clear that you
    are installing software that is vulnerable.

I suggest it might be better if exploits were each given a quick/approximate ranking in terms of severity (and if the severity is unknown it could be assigned a default median ranking), so that the algorithm you mention wouldn't just add the number of unplugged exploits, but add them by weight. For example: the recent Heartbleed exploit would be worth more than a few smaller exploits in less critical software, and would be calculated as such...

--
PGP fingerprint: BB0A 0787 C0EE BDD8 7F97 3D30 49F2 13A5 265D CCBD

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140424080627.GB31307@hernia
Re: goals for hardening Debian: ideas and help wanted
> I suggest it might be better if exploits were each given a quick/approximate
> ranking in terms of severity (and if the severity is unknown it could be
> assigned a default median ranking), so that the algorithm you mention
> wouldn't just add number of unplugged exploits, but add them by weight

That is a good idea. The Common Vulnerability Scoring System was invented for this purpose:

http://en.wikipedia.org/wiki/CVSS

Kind regards,
Richard

Archive: https://lists.debian.org/7f6371fd-0ee0-4f36-8f36-7736f65e7...@vdberg.org
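A worked version of the weighting idea discussed in the two messages above, added here as an illustration; it is not code from apt, dpkg or the Debian security tracker. Open bugs are weighted by CVSS base score, an unscored bug gets the median of the scale, and the install is refused above a threshold unless an override corresponding to `--allow-vulnerable-packages` is given. The package names, bug records, the 5.0 default and the 9.0 threshold are all constructed for the example.

```python
"""Weighted "refuse to install vulnerable packages" check (added example).

Not code from apt, dpkg or the security tracker: the bug records, package
names and policy values below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Assumed policy values (constructed, not Debian settings). CVSS base scores
# run 0.0-10.0, so a bug with no score yet gets the middle of the scale.
DEFAULT_UNKNOWN_SCORE = 5.0
REFUSE_THRESHOLD = 9.0


@dataclass(frozen=True)
class OpenSecurityBug:
    """One open entry in a security bug tracker (field names are assumed)."""
    bug_id: str
    package: str
    cvss_base: Optional[float]  # None when no severity has been assigned yet


def bug_weight(bug: OpenSecurityBug) -> float:
    """Severity weight of one bug: its CVSS base score, or the default median."""
    if bug.cvss_base is None:
        return DEFAULT_UNKNOWN_SCORE
    if not 0.0 <= bug.cvss_base <= 10.0:
        raise ValueError(f"{bug.bug_id}: CVSS base score out of range")
    return bug.cvss_base


def open_bug_count(package: str, bugs: Sequence[OpenSecurityBug]) -> int:
    """The count-only metric from the wiki text, for comparison."""
    return sum(1 for b in bugs if b.package == package)


def weighted_risk(package: str, bugs: Sequence[OpenSecurityBug]) -> float:
    """Sum of severity weights over the package's open security bugs."""
    return sum(bug_weight(b) for b in bugs if b.package == package)


def install_decision(package: str, bugs: Sequence[OpenSecurityBug],
                     allow_vulnerable: bool = False,
                     threshold: float = REFUSE_THRESHOLD) -> Tuple[bool, str]:
    """Return (allowed, message) for an install request.

    allow_vulnerable models an --allow-vulnerable-packages flag: the install
    proceeds, but the message still states the known risk explicitly.
    """
    count = open_bug_count(package, bugs)
    risk = weighted_risk(package, bugs)
    if risk < threshold:
        return True, f"{package}: {count} open security bug(s), weighted risk {risk:.1f}"
    if allow_vulnerable:
        return True, (f"WARNING: installing {package} with {count} open security "
                      f"bug(s), weighted risk {risk:.1f} >= {threshold:.1f}")
    return False, (f"refusing to install {package}: {count} open security bug(s), "
                   f"weighted risk {risk:.1f} >= {threshold:.1f}; "
                   "use --allow-vulnerable-packages to override")


# Constructed tracker data: one critical bug in libtls-demo (a Heartbleed-class
# case), three minor bugs in textutil-demo, one unscored bug in imgtool-demo.
# A count-only rule would flag textutil-demo first; the weighted rule does not.
SAMPLE_BUGS = (
    OpenSecurityBug("bug-1", "libtls-demo", 10.0),
    OpenSecurityBug("bug-2", "textutil-demo", 2.0),
    OpenSecurityBug("bug-3", "textutil-demo", 2.0),
    OpenSecurityBug("bug-4", "textutil-demo", 2.0),
    OpenSecurityBug("bug-5", "imgtool-demo", None),
)


if __name__ == "__main__":
    for pkg in ("libtls-demo", "textutil-demo", "imgtool-demo"):
        allowed, msg = install_decision(pkg, SAMPLE_BUGS)
        print("ALLOW " if allowed else "REFUSE", msg)
    print(install_decision("libtls-demo", SAMPLE_BUGS, allow_vulnerable=True)[1])
```

Run as a script it prints one decision per constructed package; the point of the sample data is that the package with the most open bugs (three minor ones) passes, while the single critical bug is what triggers the refusal.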
Re: goals for hardening Debian: ideas and help wanted
On 24/04/2014 5:49 PM, Lesley Binks wrote:
> Apologies for the top posting, I'm writing this from my phone.
>
> I get a 403 when trying to access via Orbot/Orweb on Android 4.1 phone. Amusing.

It works for me [Orbot/Orweb -- 4.3 on both i9300 and i9505], did you get the case right?

Strangely though my i9300 wouldn't use Tor properly until I rebooted it; Orbot said it was fine, but Orweb gave my public IP address! It was fine after a reboot, but I don't know why that was necessary.

Cheers
A.

Archive: https://lists.debian.org/5358e019.7090...@affinityvision.com.au
Re: goals for hardening Debian: ideas and help wanted
On Thu, 24 Apr 2014, Paul Wise wrote:

> On Thu, 2014-04-24 at 02:53 -0007, Cameron Norman wrote:
>> Would the inclusion of more AppArmor profiles be applicable?
>
> Thanks, added along with SELinux/etc.

I second that. Actually, some time ago I tried using both AppArmor and SELinux, but gave up because it took forever to find the legitimate behaviour of all kinds of common packages (most of them standard Debian packages) and prepare configuration files for things to work.

If Debian wants to foster adoption of such security enhancements, it must go to great lengths in making sure that (in order of importance, in my humble opinion):

1) all Debian-packaged software works (very nearly) out of the box with Debian-supported MAC frameworks. It should be very clear that if they don't, it's an important bug that needs fixing. For example, such bugs should prevent the inclusion of a package in an official stable release. Or split the main Debian archive in two, one that is MAC-ready and one that is not, so each user can decide to only use packages known to work well with Debian-supported MAC frameworks.

2) for each Debian-supported MAC framework there should be an expert team which should
   a) help package maintainers learn how to create and include appropriate configuration files so that their package works with the MAC framework
   b) create some tools (debhelper-like?) to make it relatively easy to find the minimum access rights a package needs and implement them in a configuration file
   c) define appropriate style guidelines to make configuration files as readable and maintainable as possible.
   All of this is going to be a lot of work at the beginning, but it will quickly decrease as more and more package maintainers get familiar with MAC frameworks.

3) there should be a category of packages in contrib which just contain configuration files for commonly used non-free software. Such configuration files should be audited by the appropriate expert teams before acceptance, to make sure they do not grant unnecessary access privileges.

Until at the very least point 1) is fulfilled, I doubt there will be widespread adoption of MAC frameworks, except for very specialised systems for which the amount of effort in setting them up is limited. General purpose computers (i.e. the ones in a pool of computers available for PhD students at a University, which must have a lot of packages installed for general use) will remain out of the question.

Bye
Giacomo

--
_________________________________________________________________

Giacomo Mulas <gmu...@oa-cagliari.inaf.it>
_________________________________________________________________

INAF - Osservatorio Astronomico di Cagliari
via della scienza 5 - 09047 Selargius (CA)

tel.   +39 070 71180244
mob. : +39 329 6603810
_________________________________________________________________

"When the storms are raging around you, stay right where you are"
                          (Freddy Mercury)
_________________________________________________________________

Archive: https://lists.debian.org/alpine.deb.2.10.1404241121540.8...@capitanata.oa-cagliari.inaf.it
Re: [SECURITY] [DSA 2911-1] icedove security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 04/22/2014 11:25 AM, Moritz Muehlenhoff wrote:
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-2911-1                   secur...@debian.org
> http://www.debian.org/security/                         Moritz Muehlenhoff
> April 22, 2014                         http://www.debian.org/security/faq
> - -------------------------------------------------------------------------

[snippage]

> For the unstable distribution (sid), these problems have been fixed in
> version 24.4.0esr-1.

I've been checking ever since I saw this announcement and I still don't see a sign of this version in the sid repos yet (I'm not pasting in my apt-get update, but I obviously did that immediately prior):

root@yap:~# apt-get install icedove
Reading package lists... Done
Building dependency tree
Reading state information... Done
icedove is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 1459 not upgraded.
root@yap:~# dpkg -l icedove
ii  icedove        24.4.0-1

Does anyone have any more information about the delay? Or possibly I'm wrong about my own assumption(s)/understanding here.

thanks so much in advance for any clues,
   ~c

> We recommend that you upgrade your icedove packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Icedove - http://www.enigmail.net/

iQIcBAEBCAAGBQJTWRoTAAoJELuLPXMxqTZ/XrEQALH+i7IVNdXuq61AEn3/3j4p
v3sHGuV3vOo1m5SsrjONWUvftYeQBAnv9A9king1vcEGz2yzB8wNkjDzvJH13HW1
CqmQWLdaMpHyz10fjt3GIECGSYgs0j5U19SU1QDEs0JuYYi+2j52CWTenfSlASAU
PcgCKYlOu5DBJkzxrdRChKNflMPbn5pAvPt+kSlzyvl2jZzjPv5iI+qOy1I8GQt3
tdhKEJlz/sKHH66evvEfMooxvsnZRktsRrAh4IQ83A+a0YzE1KOvud9f3QQn7LkB
vM5JvNgnUoVR/iQADxL5jsh0w/03jS9PkdRqtwjvNp9F0Jl4cWXFHdcl1/XB7PpG
sPXS4jj5t1eiCKjLQeRs6XLzWi3N3GTPzeQN65YU5xUfSrXTwVK8HfenXoyv0Ig/
ogIluo5Xzr+V2di6hlzCqJMwO0Ecc9GsDNCfXD/4Sas0/5PjUjtJY82cSQ6Mm1i2
JvYIaEDqdvQap/XHv1n3iHpxM+Gh6rYbAPHsqzyV1DU+0agNwA3OgewixmIc7QqB
Clt7Q9Pr0eQ9xYbxjmtl0LkJw21VI4e3XQcaAOQioHAjq4pmI6gcYSW1BYHxwj1l
F4zgEdIfZsmkj9V0nROdaCAnb5ThLUDKm9fZrA2RK+SE58FYraqzJAWE0PQjIi+L
zKB/yhCp7FkItVUscEg/
=4vIn
-----END PGP SIGNATURE-----

Archive: https://lists.debian.org/53591a14.7080...@simons-rock.edu
Re: goals for hardening Debian: ideas and help wanted
On 24 April 2014 12:57:45 EEST, Andrew McGlashan <andrew.mcglas...@affinityvision.com.au> wrote:
> It works for me [Orbot/Orweb -- 4.3 on both i9300 and i9505], did you get
> the case right?

wiki.d.o seems to be blocking at least some Tor exit nodes. IMHO it should not do that, at least for read-only access.

Archive: https://lists.debian.org/13fd383a-8c0b-4647-91fc-d3c73850b...@email.android.com
Re: [SECURITY] [DSA 2911-1] icedove security update
Hi,

On Thu, Apr 24, 2014 at 10:05:08AM -0400, charlie derr wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 04/22/2014 11:25 AM, Moritz Muehlenhoff wrote:
>> - -------------------------------------------------------------------------
>> Debian Security Advisory DSA-2911-1                   secur...@debian.org
>> http://www.debian.org/security/                         Moritz Muehlenhoff
>> April 22, 2014                         http://www.debian.org/security/faq
>> - -------------------------------------------------------------------------
>
> [snippage]
>
>> For the unstable distribution (sid), these problems have been fixed in
>> version 24.4.0esr-1.
>
> I've been checking ever since I saw this announcement and I still don't
> see a sign of this version in the sid repos yet (I'm not pasting in my
> apt-get update, but I obviously did that immediately prior):
>
> root@yap:~# apt-get install icedove
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> icedove is already the newest version.
> 0 upgraded, 0 newly installed, 0 to remove and 1459 not upgraded.
> root@yap:~# dpkg -l icedove
> ii  icedove        24.4.0-1
>
> Does anyone have any more information about the delay? Or possibly I'm
> wrong about my own assumption(s)/understanding here.
>
> thanks so much in advance for any clues,
>    ~c

This indeed seems to be a typo in DSA-2911-1. The fixed version for the unstable distribution for the given CVEs is icedove/24.4.0-1.

For reference see also [1].

[1] https://security-tracker.debian.org/tracker/DSA-2911-1

Hope that helps,

Regards,
Salvatore

Archive: https://lists.debian.org/20140424152132.GA2695@eldamar.local
Re: [SECURITY] [DSA 2911-1] icedove security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 04/24/2014 11:21 AM, Salvatore Bonaccorso wrote:
> This indeed seems to be a typo in DSA-2911-1. The fixed version for the
> unstable distribution for the given CVEs is icedove/24.4.0-1.
>
> For reference see also [1].
>
> [1] https://security-tracker.debian.org/tracker/DSA-2911-1
>
> Hope that helps,
>
> Regards,
> Salvatore

Thank you very much, that does help some, but still doesn't really completely explain the mystery to me.

In searching through my /var/log/apt/history files, I see that my current version of icedove (24.4.0-1) was installed on 2014-03-26.

Was all of this really patched in the sid version of the icedove package a full month before the official announcement of these vulnerabilities? This timing is confusing to me (though I suppose there may be a reasonable explanation for it).

Any further information that might help me understand would be very welcome.

best,
   ~c

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Icedove - http://www.enigmail.net/

iQIcBAEBCAAGBQJTWS+RAAoJELuLPXMxqTZ/FSwP/1D1d178V3rGXoLp57O78Be/
n7BcW6Q8JkBT19ycr5c20ae2vdpiPl1IbjGPea0c7DiGI116kbVUYaWqx9b6H9mT
HoLzznrQOVFL+vwTD1guJ0ShuTKchXXieyz06cZ48srC28P7fGtd+MtcNuSukqD/
0tNY7/ix5GdnSWP3eZZK+qdE6M8GY19Llu+7b+iSe4+JrMCninV6i3D33spR6HI8
s8vrFdsi6WUXRayV/DtPHgnQUf4Spv7d/k6lLpMS+dF+eWzSh3gAFNseT0FfYlEH
Sm68LTKqB9sSTQNYN4BOdH7h0c9NpyMDGPupYutTA6V1TjpDbH+8PSu42eUx+AKI
9C/j2EwkyEJrOIv0jMfr1Gwmo8WAEiQtjVXlkmgBRCJKZCI23jpZScjFgFMkvNoB
Mok+SQZXMWoray7uaEiUSMpAezODG0K3ix83O8QV6R8kfaQe7c+BfLpejNFufb84
0YHTP2Mj3uc+pSdM9aVN18ZiaoAVVBshfKDvzqdp1XF3Y4/QDtHIZ5MYDZ6c8W/q
nnZNre20yjZq2z8x/yr7stdqWpkCuzEtuvXbC6sppdgViGUXC7Ndw4XB/cdEV8IY
k3YPEmstFQpnbbAHgD/XvPht29iSGkohTZX+lYbzfZtJUGLUM2zBYlfY65GEqCWR
PG9H1mlXEaIKPwL5JdRp
=Rv0q
-----END PGP SIGNATURE-----

Archive: https://lists.debian.org/53592f91.1040...@simons-rock.edu
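The confusion in this sub-thread comes down to how dpkg orders version strings, so an added example follows; it is written for this page and is not code from dpkg or apt. It is a Python port of the Debian Policy version-comparison rules (epoch, then upstream version, then Debian revision; `~` sorts before anything, letters before other characters, digit runs compared numerically), with an `is_fixed()` helper for the check a user in the situation above would make against an advisory's stated version. The only version strings used are the ones quoted in the thread and in DSA-2912-1 below; the function names are this example's own.

```python
"""Debian version ordering, as dpkg --compare-versions applies it (added
example; a port of the Policy rules, not code taken from dpkg or apt).

With the versions from the thread it shows why apt on the sid box saw
nothing to upgrade: the advisory text's "24.4.0esr-1" sorts *after* the
"24.4.0-1" that was actually in the archive, so apt would keep waiting for
an upload that never came.
"""

DIGITS = "0123456789"


def _is_digit(c: str) -> bool:
    return c != "" and c in DIGITS


def _is_alpha(c: str) -> bool:
    return c != "" and c.isascii() and c.isalpha()


def _char(s: str, i: int) -> str:
    """Character at index i, or "" once past the end of the string."""
    return s[i] if i < len(s) else ""


def _order(c: str) -> int:
    """Weight of a character inside a non-digit segment ("" = end)."""
    if c == "" or _is_digit(c):
        return 0
    if _is_alpha(c):
        return ord(c)
    if c == "~":
        return -1            # tilde sorts before everything, even the end
    return ord(c) + 256      # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare an upstream-version or revision pair; only the sign matters."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit prefix: compare character by character using _order().
        while (i < len(a) and not _is_digit(a[i])) or (j < len(b) and not _is_digit(b[j])):
            ac, bc = _order(_char(a, i)), _order(_char(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer run wins, otherwise the
        # first differing digit decides.
        while _char(a, i) == "0":
            i += 1
        while _char(b, j) == "0":
            j += 1
        while _is_digit(_char(a, i)) and _is_digit(_char(b, j)):
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _is_digit(_char(a, i)):
            return 1
        if _is_digit(_char(b, j)):
            return -1
        if first_diff != 0:
            return first_diff
    return 0


def _split(version: str):
    """Split "[epoch:]upstream[-revision]"; the revision follows the last hyphen."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _sign(n: int) -> int:
    return (n > 0) - (n < 0)


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as version a is older than, equal to, or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return _sign(ea - eb)
    result = _verrevcmp(ua, ub)
    if result == 0:
        result = _verrevcmp(ra, rb)
    return _sign(result)


def is_fixed(installed: str, fixed_in: str) -> bool:
    """True when the installed version is at least the advisory's fixed version."""
    return compare_versions(installed, fixed_in) >= 0


if __name__ == "__main__":
    # dpkg -l showed 24.4.0-1; the DSA text said 24.4.0esr-1.
    print(compare_versions("24.4.0-1", "24.4.0esr-1"))   # -1: apt would wait for a newer upload
    print(is_fixed("24.4.0-1", "24.4.0-1"))             # True against the corrected version
```

The `~deb7u1` style suffix used by stable security uploads (as in DSA-2912-1's `6b31-1.13.3-1~deb7u1`) relies on the tilde rule: it sorts below the plain `6b31-1.13.3-1` in unstable, so a later dist-upgrade still moves forward.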
Re: goals for hardening Debian: ideas and help wanted
On Thu, Apr 24, 2014 at 11:45:46AM +0200, Giacomo Mulas wrote:
> On Thu, 24 Apr 2014, Paul Wise wrote:
>>> Would the inclusion of more AppArmor profiles be applicable?
>>
>> Thanks, added along with SELinux/etc.
>
> I second that. Actually, some time ago I tried using both AppArmor and
> SELinux, but gave up because it took forever to find legitimate behaviour
> of all kinds of common packages (most of them standard debian packages)
> and prepare configuration files for things to work.
>
> If debian wants to foster adoption of such security enhancements, it must
> go to great lengths in making sure that (in order of importance in my
> humble opinion)
>
> 1) all debian-packaged software works (very nearly) out of the box with
> debian-supported MAC frameworks. It should be very clear that if they
> don't it's an important bug that needs fixing. For example, such bugs
> should prevent the inclusion of a package in an official stable release.
> Or split the main debian archive in two, one that is MAC-ready and one
> that is not, so each user can decide to only use packages known to work
> well with debian-supported MAC frameworks.

The apparmor policies in Debian apply a principle of minimal harm, confining only those services for which someone has taken the time to verify the correct profile. There are obviously pros and cons to each approach to MAC, which I'm not interested in arguing about; but one of the pros of the approach taken for apparmor is that all software *does* continue to work out of the box. If you found it otherwise, I think you should be filing a bug report against apparmor.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
Re: goals for hardening Debian: ideas and help wanted
On Thu, 24 Apr 2014, Steve Langasek wrote:

> The apparmor policies in Debian apply a principle of minimal harm,
> confining only those services for which someone has taken the time to
> verify the correct profile. There are obviously pros and cons to each
> approach to MAC, which I'm not interested in arguing about; but one of the
> pros of the approach taken for apparmor is that all software *does*
> continue to work out of the box. If you found it otherwise, I think you
> should be filing a bug report against apparmor.

Good to know, actually I had tried apparmor quite some time ago and did not try again. I will give it another spin as soon as I can.

However, I do not agree that I should file bugs against apparmor if a debian package does not work properly, it should go to the package manager (and maybe cc to some apparmor expert team). It cannot be the maintainer(s) of apparmor to have to shoulder the effort of creating and maintaining profiles for all debian packages. They may be called in for support, but regular package maintainers should be involved IMHO, otherwise it will never really take off and provide significantly better security.

Thanks for the information.
Giacomo

--
_________________________________________________________________

Giacomo Mulas <gmu...@oa-cagliari.inaf.it>
_________________________________________________________________

INAF - Osservatorio Astronomico di Cagliari
via della scienza 5 - 09047 Selargius (CA)

tel.   +39 070 71180244
mob. : +39 329 6603810
_________________________________________________________________

"When the storms are raging around you, stay right where you are"
                          (Freddy Mercury)
_________________________________________________________________

Archive: https://lists.debian.org/alpine.deb.2.10.1404241841420.15...@capitanata.oa-cagliari.inaf.it
Re: WG: [SECURITY] [DSA 2912-1] openjdk-6 security update
Understood.

On 25 April 2014 00:07:51, Diegmann, Bjoern <b.diegm...@syborg.de> wrote:
> Just because it fits so nicely right now ;)
>
> <!-- sent from a dumbphone -->
>
> --- Original message ---
> From: Moritz Muehlenhoff
> Sent: 24.04.2014, 23:38
> To: debian-security-annou...@lists.debian.org
> Subject: [SECURITY] [DSA 2912-1] openjdk-6 security update
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-2912-1                   secur...@debian.org
> http://www.debian.org/security/                         Moritz Muehlenhoff
> April 24, 2014                         http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package        : openjdk-6
> CVE ID         : CVE-2014-0429 CVE-2014-0446 CVE-2014-0451 CVE-2014-0452
>                  CVE-2014-0453 CVE-2014-0456 CVE-2014-0457 CVE-2014-0458
>                  CVE-2014-0459 CVE-2014-0460 CVE-2014-0461 CVE-2014-0462
>                  CVE-2014-1876 CVE-2014-2397 CVE-2014-2398 CVE-2014-2403
>                  CVE-2014-2405 CVE-2014-2412 CVE-2014-2414 CVE-2014-2421
>                  CVE-2014-2423 CVE-2014-2427
>
> Several vulnerabilities have been discovered in OpenJDK, an implementation
> of the Oracle Java platform, resulting in the execution of arbitrary code,
> breakouts of the Java sandbox, information disclosure or denial of service.
>
> For the oldstable distribution (squeeze), these problems have been fixed in
> version 6b31-1.13.3-1~deb6u1.
>
> For the stable distribution (wheezy), these problems have been fixed in
> version 6b31-1.13.3-1~deb7u1.
>
> For the testing distribution (jessie), these problems have been fixed in
> version 6b31-1.13.3-1.
>
> For the unstable distribution (sid), these problems have been fixed in
> version 6b31-1.13.3-1.
>
> We recommend that you upgrade your openjdk-6 packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBAgAGBQJTWYPVAAoJEBDCk7bDfE42OQAP/2yIC+GTa/xwYwToxjZwm2BQ
> qWcv1oIDcVe/xNT/GO9EOdHfYIUa16a7Y3Th66iW3e8wVZ2bpZjhzh34VCO32tMo
> EfU7EAvLbkIFFF/afK3aw6wnKraWQuERKe49lwulhqr3fJ/4jOlzZhjqmupPGzPW
> GH8C1VGvuUoIwtAKaZe4SC5QzoqxoFGW7ISnlnBclWbI5JS0LHWbVpRjfZ8L0CI6
> 5c3zd4/x5HB7kPRRPLE209Aa28+KJICV7eDcBXpPrZ98WUJG6+y6TgOz6fWVaOha
> c5nPo1oL5kWJ19SwDqJHDXN6RWi3cXhoFx4AVnzK25Z+sBxmBicbuou0Bm5+h6Nz
> 8k/jGgQi/QxujzGiNiRhvQCItad0vf8x9WIlJ4xGrt/cg1YJUrWBnH32+O3iI6E5
> rJv9ZjhbdI2JVhIkiQ1zXNiqzebMojSOW0FVFf2/I4JsGfSclR1hHXiG11Mxx80n
> BXYoSH/80inyT7LauSzOAPfheg/xkb/rU+rYnZn6k8CZ1kN8MKmwo5BXY6f2OMNt
> qMeEmYCw6i3o6SWJxnz6Q9ezovk+9zsaxF5AKb2FPqDon6p9mY/BaIW8JLWUdRK0
> Ui8B7YSwhaSDEcNXP+F1SbO4ErgL2hnbgj5S36jxSBUlbBHGli5pDb0ipv/lhFYO
> FbWpxTxqGaWYeAJMXxFt
> =jtHJ
> -----END PGP SIGNATURE-----
>
> --
> To UNSUBSCRIBE, email to debian-security-announce-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: https://lists.debian.org/20140424213802.GA2856@pisco.westfalen.local
External check
CVE-2014-0188: RESERVED

--
The output might be a bit terse, but the above ids are known elsewhere; check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.

Archive: https://lists.debian.org/5358b297.sboxrs3rwc45m1ge%atomo64+st...@gmail.com