Re: [SECURITY] [DSA 149-1] New glibc packages fix security related problems

2002-08-18 Thread Joey Hess
Renee Landers wrote:
> But I choose to reboot since even init is linked with libc.  Obviously,
> that's not always an option in a production environment.

Debian's libc6 package restarts init on upgrade (telinit u).

-- 
see shy jo



Re: [SECURITY] [DSA 149-1] New glibc packages fix security related problems

2002-08-15 Thread Phillip Hofmeister
On Thu, 15 Aug 2002 at 12:22:14PM -0400, Renee Landers wrote:
> But I choose to reboot since even init is linked with libc.  Obviously,
> that's not always an option in a production environment.
I would suggest the reboot also.  I had a Debian server crash for the first time
ever (in many, many years) 2 nights ago.  It may or may not have been
attributable to the lib change...

-- 
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/ | gpg --import



Re: [SECURITY] [DSA 149-1] New glibc packages fix security related problems

2002-08-15 Thread Renee Landers

Note that the postinst script restarts a lot of those services for you, too.

The list is:

check="nis smail sendmail exim ssh netbase apache proftpd"
check="$check ssh-nonfree postfix-tls wu-ftpd boa cron postfix"
check="$check wu-ftpd-academ slapd openldapd logind wwwoffle"
check="$check lprng lpr autofs snmpd"

Unless you have DEBIAN_FRONTEND="noninteractive" in your environment,
it will prompt you as to whether or not you want it to restart the services.

But I choose to reboot since even init is linked with libc.  Obviously, that's
not always an option in a production environment.

renee

At 03:23 PM 8/14/2002 -0300, Peter Cordes wrote:

> On Tue, Aug 13, 2002 at 06:28:01PM -0500, Paul Baker wrote:
> >
> > On Tuesday, August 13, 2002, at 03:21 AM, Martin Schulze wrote:
> > >
> > > ------------------------------------------------------------------------
> > > Debian Security Advisory DSA 149-1                    [EMAIL PROTECTED]
> > > http://www.debian.org/security/                        Martin Schulze
> > > August 13th, 2002
> > > ------------------------------------------------------------------------
> > >
> > > Package: glibc
> > > Vulnerability  : integer overflow
> > > Problem-Type   : remote
> > > Debian-specific: no
> > > CVE Id         : CAN-2002-0391
> > > CERT advisory  : VU#192995
> >
> > Anyone aware of any particular daemons that need to be restarted just
> > to be safe? I'd rather not have to type in the SSL passphrase for
> > apache+mod_ssl if I don't have to.
>
> The advisory said the overflow was "in the RPC library", so things like NFS
> and NIS and stuff with origins at Sun might be using that.  Apache shouldn't
> be vulnerable unless there are some modules that use RPC stuff.
>
> --
> #define X(x,y) x##y
> Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)
>
> "The gods confound the man who first found out how to distinguish the hours!
>  Confound him, too, who in this place set up a sundial, to cut and hack
>  my day so wretchedly into small pieces!" -- Plautus, 200 BCE






Re: [SECURITY] [DSA 149-1] New glibc packages fix security related problems

2002-08-14 Thread Peter Cordes
On Tue, Aug 13, 2002 at 06:28:01PM -0500, Paul Baker wrote:
> 
> On Tuesday, August 13, 2002, at 03:21 AM, Martin Schulze wrote:
> >
> > ------------------------------------------------------------------------
> > Debian Security Advisory DSA 149-1                    [EMAIL PROTECTED]
> > http://www.debian.org/security/                        Martin Schulze
> > August 13th, 2002
> > ------------------------------------------------------------------------
> >
> > Package: glibc
> > Vulnerability  : integer overflow
> > Problem-Type   : remote
> > Debian-specific: no
> > CVE Id         : CAN-2002-0391
> > CERT advisory  : VU#192995
>
> Anyone aware of any particular daemons that need to be restarted just
> to be safe? I'd rather not have to type in the SSL passphrase for
> apache+mod_ssl if I don't have to.

The advisory said the overflow was "in the RPC library", so things like NFS
and NIS and stuff with origins at Sun might be using that.  Apache shouldn't
be vulnerable unless there are some modules that use RPC stuff.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE



Re: [SECURITY] [DSA 149-1] New glibc packages fix security related problems

2002-08-14 Thread Thiemo Nagel

Paul Baker wrote:

> On Tuesday, August 13, 2002, at 03:21 AM, Martin Schulze wrote:
>
> > ------------------------------------------------------------------------
> > Debian Security Advisory DSA 149-1                    [EMAIL PROTECTED]
> > http://www.debian.org/security/                        Martin Schulze
> > August 13th, 2002
> > ------------------------------------------------------------------------
> >
> > Package: glibc
> > Vulnerability  : integer overflow
> > Problem-Type   : remote
> > Debian-specific: no
> > CVE Id         : CAN-2002-0391
> > CERT advisory  : VU#192995
>
> Anyone aware of any particular daemons that need to be restarted just
> to be safe? I'd rather not have to type in the SSL passphrase for
> apache+mod_ssl if I don't have to.

I did some ldd's and I did not find a single executable that wasn't
dynamically linked against libc.  (At least this is my interpretation of
ldd's output.)


Among those:

sshd
apache
mysqld
bind
postfix
syslogd
sh

I'm thinking about restarting the system.

regards,

Thiemo Nagel


$ ldd  /usr/sbin/apache
libm.so.6 => /lib/libm.so.6 (0x4001b000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x4003c000)
libdb.so.2 => /lib/libdb.so.2 (0x40069000)
libdb2.so.2 => /lib/libdb2.so.2 (0x40076000)
libexpat.so.1 => /usr/lib/libexpat.so.1 (0x400b7000)
libdl.so.2 => /lib/libdl.so.2 (0x400d8000)
libc.so.6 => /lib/libc.so.6 (0x400db000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
$ ldd /usr/sbin/atd
libc.so.6 => /lib/libc.so.6 (0x4001b000)
libdl.so.2 => /lib/libdl.so.2 (0x40138000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
$ ldd /usr/sbin/cron
libpam.so.0 => /lib/libpam.so.0 (0x4001b000)
libc.so.6 => /lib/libc.so.6 (0x40023000)
libdl.so.2 => /lib/libdl.so.2 (0x4014)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x40143000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
$ ldd /sbin/getty
libc.so.6 => /lib/libc.so.6 (0x4001b000)
libdl.so.2 => /lib/libdl.so.2 (0x40138000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
$ ldd /sbin/klogd
libc.so.6 => /lib/libc.so.6 (0x4001b000)
libdl.so.2 => /lib/libdl.so.2 (0x40138000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
$ ldd /usr/lib/postfix/master
libpostfix-global.so.1 => /usr/lib/libpostfix-global.so.1 (0x4001b000)
libpostfix-util.so.1 => /usr/lib/libpostfix-util.so.1 (0x40033000)
libgdbm.so.1 => /usr/lib/libgdbm.so.1 (0x40051000)
libdb3.so.3 => /usr/lib/libdb3.so.3 (0x40057000)
libnsl.so.1 => /lib/libnsl.so.1 (0x400ff000)
libresolv.so.2 => /lib/libresolv.so.2 (0x40113000)
libc.so.6 => /lib/libc.so.6 (0x40123000)
libdl.so.2 => /lib/libdl.so.2 (0x4024)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
$ ldd /usr/lib/postfix/pickup
libpostfix-master.so.1 => /usr/lib/libpostfix-master.so.1 (0x4001b000)
libpostfix-global.so.1 => /usr/lib/libpostfix-global.so.1 (0x40021000)
libpostfix-util.so.1 => /usr/lib/libpostfix-util.so.1 (0x40039000)
libgdbm.so.1 => /usr/lib/libgdbm.so.1 (0x40057000)
libdb3.so.3 => /usr/lib/libdb3.so.3 (0x4005d000)
libnsl.so.1 => /lib/libnsl.so.1 (0x40105000)
libresolv.so.2 => /lib/libresolv.so.2 (0x40119000)
libc.so.6 => /lib/libc.so.6 (0x40129000)
libdl.so.2 => /lib/libdl.so.2 (0x40246000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
[EMAIL PROTECTED]:/home/admin# ldd /usr/lib/postfix/qmgr
/lib/snoopy.so => /lib/snoopy.so (0x40015000)
libpostfix-master.so.1 => /usr/lib/libpostfix-master.so.1 (0x4001b000)
libpostfix-global.so.1 => /usr/lib/libpostfix-global.so.1 (0x40021000)
libpostfix-util.so.1 => /usr/lib/libpostfix-util.so.1 (0x40039000)
libgdbm.so.1 => /usr/lib/libgdbm.so.1 (0x40057000)
libdb3.so.3 => /usr/lib/libdb3.so.3 (0x4005d000)
libnsl.so.1 => /lib/libnsl.so.1 (0x40105000)
libresolv.so.2 => /lib/libresolv.so.2 (0x40119000)
libc.so.6 => /lib/libc.so.6 (0x40129000)
libdl.so.2 => /lib/libdl.so.2 (0x40246000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
$ ldd /usr/sbin/named
libc.so.6 => /lib/libc.so.6 (0x4001b000)
libdl.so.2 => /lib/libdl.so.2 (0x40138000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
$ ldd /usr/sbin/popa3d
libpam.so.0 => /lib/libpam.so.0 (0x4001b000)
libc.so.6 => /lib/libc.so.6 (0x40023000)
libdl.so.2 => /lib/libdl.so.2 (0x4014)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x40143000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
$ ldd /bin/sh
libncurses.so.5 => /lib/libncurses.so.5 (0x4001b000)
libdl.so.2 => /lib/libdl.so.2 (0x40059000)
libc.so.6 => /lib/libc.so.6 (0x4005c000)
/lib/ld-linux.so.2 => /lib/ld-l
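The ldd survey above shows what a binary links against at start-up, and the postinst list quoted earlier in the thread covers the services Debian knows about, but neither tells you which processes on a particular box are still running on the old library. The following is an added example, not code from any poster in this thread: a POSIX sh check (function names maps_has_stale_libc, stale_libc_pids and make_demo_proc are mine) that walks /proc/<pid>/maps and reports processes whose mapped libc was unlinked by the upgrade, which the kernel marks as "(deleted)". The fake proc tree built under mktemp is constructed test data.

```shell
#!/bin/sh
# Added example, not from the thread. ldd lists what a binary links against;
# /proc/<pid>/maps lists what a live process actually has mapped. When dpkg
# replaces /lib/libc.so.6 the old inode stays mapped in processes started
# before the upgrade, and the kernel appends "(deleted)" to that maps entry.

# Print 1 if the given maps-format file maps a since-deleted libc, else 0.
# Matches both the libc.so.6 symlink name and the libc-2.x.y.so real name
# without matching neighbours such as libcrypt or libcap.
maps_has_stale_libc() {
    if grep -E '/libc(-[0-9.]+)?\.so[.0-9]* \(deleted\)$' "$1" >/dev/null 2>&1
    then echo 1; else echo 0; fi
}

# Walk a /proc-style tree (default /proc) and print "pid comm" for each
# process still running on the old libc, i.e. one that needs a restart
# (for pid 1 that is the "telinit u" the libc6 postinst performs).
stale_libc_pids() {
    procroot="${1:-/proc}"
    for d in "$procroot"/[0-9]*; do
        [ -r "$d/maps" ] || continue
        if [ "$(maps_has_stale_libc "$d/maps")" = 1 ]; then
            echo "${d##*/} $(cat "$d/comm" 2>/dev/null || echo '?')"
        fi
    done
}

# Constructed sample: a fake proc tree with three processes. 101 and 103
# were started before the upgrade; 102 was started after it. Prints the path.
make_demo_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/101" "$root/102" "$root/103"
    printf '%s\n' \
      '40000000-40015000 r-xp 00000000 03:01 1001  /lib/ld-2.2.5.so' \
      '40123000-40246000 r-xp 00000000 03:01 1002  /lib/libc-2.2.5.so (deleted)' \
      > "$root/101/maps"; echo sshd > "$root/101/comm"
    printf '%s\n' \
      '40123000-40246000 r-xp 00000000 03:01 2002  /lib/libc-2.2.5.so' \
      '40250000-40260000 r-xp 00000000 03:01 2003  /lib/libcrypt-2.2.5.so' \
      > "$root/102/maps"; echo cron > "$root/102/comm"
    printf '%s\n' \
      '40129000-40246000 r-xp 00000000 03:01 1002  /lib/libc.so.6 (deleted)' \
      > "$root/103/maps"; echo master > "$root/103/comm"
    echo "$root"
}
```

On a freshly upgraded box, calling stale_libc_pids with no argument walks the real /proc; an empty result after the restarts (and the telinit u) is the check that a reboot was not needed.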

Re: [SECURITY] [DSA 149-1] New glibc packages fix security related problems

2002-08-13 Thread Paul Baker


On Tuesday, August 13, 2002, at 03:21 AM, Martin Schulze wrote:

> ------------------------------------------------------------------------
> Debian Security Advisory DSA 149-1                    [EMAIL PROTECTED]
> http://www.debian.org/security/                        Martin Schulze
> August 13th, 2002
> ------------------------------------------------------------------------
>
> Package: glibc
> Vulnerability  : integer overflow
> Problem-Type   : remote
> Debian-specific: no
> CVE Id         : CAN-2002-0391
> CERT advisory  : VU#192995

Anyone aware of any particular daemons that need to be restarted just
to be safe? I'd rather not have to type in the SSL passphrase for
apache+mod_ssl if I don't have to.


--
Paul Baker

"They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety."

 -- Benjamin Franklin, 1759

GPG Key: http://homepage.mac.com/pauljbaker/public.asc