RE: SANS Alert - Snort Vulnerability - still vulnerable?

> On Tue, Mar 11, 2003 at 06:53:48PM +0900, Hideki Yamane wrote:
> > > This was added to the SANS Advisory on Sendmail last week. I have not seen any news nor postings related to Snort with Debian and was wondering about the status of Snort in stable at this time.
> >
> > snort vulnerability was posted in BTS.
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=183719
> >
> > # but, yes, a DSA has not been released yet.
>
> Is the Woody version still vulnerable to this serious security bug?

I believe so. I'm using the bug to track the issue. Currently it's tagged sarge and woody. Snort.org said the default distribution is vulnerable, and in the Debian diff I see no change to the affected sections (for both woody and sarge).

I've informed the security team, but they're likely busy with other issues. A comment from them on the bug would be nice.

Drew Daniels
RE: SANS Alert - Snort Vulnerability - still vulnerable?

On Tue, Mar 11, 2003 at 06:53:48PM +0900, Hideki Yamane wrote:
> > This was added to the SANS Advisory on Sendmail last week. I have not seen any news nor postings related to Snort with Debian and was wondering about the status of Snort in stable at this time.
>
> snort vulnerability was posted in BTS.
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=183719
>
> # but, yes, a DSA has not been released yet.

Is the Woody version still vulnerable to this serious security bug?

--
Przemek
Re: SANS Alert - Snort Vulnerability - still vulnerable?

Quoting Przemysław Świderski [EMAIL PROTECTED]:
> On Tue, Mar 11, 2003 at 06:53:48PM +0900, Hideki Yamane wrote:
> > > This was added to the SANS Advisory on Sendmail last week. I have not seen any news nor postings related to Snort with Debian and was wondering about the status of Snort in stable at this time.
> >
> > snort vulnerability was posted in BTS.
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=183719
> >
> > # but, yes, a DSA has not been released yet.
>
> Is the Woody version still vulnerable to this serious security bug?

The fixed version is 1.9.1.

# apt-cache policy snort
snort:
  Installed: (none)
  Candidate: 1.8.4beta1-3
  Version Table:
     1.9.1-4 0
        500 ftp://ftp.us.debian.org unstable/main Packages
     1.8.7-4 0
        500 ftp://ftp.us.debian.org testing/main Packages
     1.8.4beta1-3 0
       1001 ftp://ftp.us.debian.org stable/main Packages
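The check made by eye in the message above, as an added example that is not part of the original post: it parses the quoted `apt-cache policy` output and compares every offered version against 1.9.1 using Debian version ordering. The names `deb_key` and `audit` are hypothetical helpers, and the comparison is a compact reimplementation written for this example, not dpkg's own code.

```python
import re

FIXED = "1.9.1"  # fixed release named in the thread and the advisory

# apt-cache policy output as posted in the thread, indentation restored
POLICY = """snort:
  Installed: (none)
  Candidate: 1.8.4beta1-3
  Version Table:
     1.9.1-4 0
        500 ftp://ftp.us.debian.org unstable/main Packages
     1.8.7-4 0
        500 ftp://ftp.us.debian.org testing/main Packages
     1.8.4beta1-3 0
       1001 ftp://ftp.us.debian.org stable/main Packages
"""

def _part_key(s):
    # Debian ordering inside a non-digit run: '~' < end of run < letters < other symbols
    order = lambda c: -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
    # Alternate non-digit runs (0 marks the end of a run) and numeric digit runs
    return [(tuple(map(order, nd)) + (0,), int(d or 0))
            for nd, d in re.findall(r"(\D*)(\d*)", s)]

def deb_key(version):
    """Sort key that follows Debian version ordering (epoch, upstream, revision)."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return int(epoch), _part_key(upstream), _part_key(revision)

def audit(policy, fixed=FIXED):
    """Return (candidate, candidate_is_fixed, {suite: (version, is_fixed)})."""
    is_fixed = lambda v: deb_key(v) >= deb_key(fixed)
    candidate = re.search(r"^\s*Candidate:\s*(\S+)", policy, re.M).group(1)
    suites, version = {}, None
    for line in policy.split("Version Table:", 1)[1].splitlines():
        if m := re.match(r"\s*(?:\*\*\*\s+)?(\S+)\s+-?\d+\s*$", line):
            version = m.group(1)          # "<version> <pin priority>" line
        elif version and (m := re.match(r"\s*-?\d+\s+\S+\s+(\S+)\s+(?:\S+\s+)?Packages", line)):
            suites[m.group(1)] = (version, is_fixed(version))
    return candidate, is_fixed(candidate), suites

if __name__ == "__main__":
    candidate, ok, suites = audit(POLICY)
    print(f"candidate {candidate}: {'fixed' if ok else 'VULNERABLE'}")
    for suite, (version, fixed) in suites.items():
        print(f"  {suite:15} {version:14} {'fixed' if fixed else 'vulnerable'}")
```

A security update for stable normally ships the fix under the old upstream version with a new Debian revision, so once a DSA exists this upstream-version comparison would still report a patched woody package as vulnerable. At that point compare against the fixed version listed in the DSA instead.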
Re: SANS Alert - Snort Vulnerability - still vulnerable?

> > > snort vulnerability was posted in BTS.
> > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=183719
> > >
> > > # but, yes, a DSA has not been released yet.
> >
> > Is the Woody version still vulnerable to this serious security bug?
>
> The fixed version is 1.9.1.

Yes, probably Przemek would know that, I think. He said Woody version, so that question is about Woody's snort only.

You know, Woody is the Stable release, so the package is NOT upgraded. BUT when a DSA (Debian Security Advisory) is announced, a new fixed package would come.

Woody's snort would be a vulnerable version, but there's a setting to avoid the exploit. (maybe that is why there is no DSA yet?)

> # apt-cache policy snort
> snort:
>   Installed: (none)
>   Candidate: 1.8.4beta1-3
>   Version Table:
>      1.9.1-4 0
>         500 ftp://ftp.us.debian.org unstable/main Packages
>      1.8.7-4 0
>         500 ftp://ftp.us.debian.org testing/main Packages
>      1.8.4beta1-3 0
>        1001 ftp://ftp.us.debian.org stable/main Packages

I didn't know the apt-cache policy package usage. It seems useful :)

--
Hideki Yamane
mailto:henrich @ iijmio-mail.jp, mb.kcom.ne.jp
henrich @ azumanga-daioh.org, ma-aya.{net, to}
Re: SANS Alert - Snort Vulnerability
> This was added to the SANS Advisory on Sendmail last week. I have not seen any news nor postings related to Snort with Debian and was wondering about the status of Snort in stable at this time.

snort vulnerability was posted in BTS.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=183719

# but, yes, a DSA has not been released yet.
# if you think that is too dangerous, posting it in the BTS is good.
# for example, I posted in the BTS about the slocate vulnerability and
# the security team released DSA-252.

--
regards,
Hideki Yamane
mailto:henrich @ iijmio-mail.jp, mb.kcom.ne.jp
henrich @ azumanga-daioh.org, ma-aya.{net, to}
SANS Alert - Snort Vulnerability
This was added to the SANS Advisory on Sendmail last week. I have not seen any news nor postings related to Snort with Debian and was wondering about the status of Snort in stable at this time.

TIA.

--- Crawford

==

DHS/NIPC Advisory 03-003
Snort Buffer Overflow Vulnerability

The Department of Homeland Security (DHS), National Infrastructure Protection Center (NIPC) has been informed of a recently discovered serious vulnerability in Snort, a widely used Intrusion Detection System, IDS. DHS/NIPC has been working closely with the Internet security industry on vulnerability awareness and is issuing this advisory in conjunction with public announcements.

Snort is available in open source and commercial versions from Sourcefire, a privately held company headquartered in Columbia, MD. Details are available from Sourcefire. See Snort Vulnerability Advisory [SNORT-2003-001]. The affected Snort versions include all versions of Snort from version 1.8 through current. Snort 1.9.1 has been released to resolve this issue.

The vulnerability was discovered by Internet Security Systems (ISS), and is a buffer overflow in the Snort Remote Procedure Call, RPC, normalization routines. This buffer overflow can cause snort to execute arbitrary code embedded within sniffed network packets. Depending upon the particular implementation of Snort this may give local and remote users almost complete control of a vulnerable machine. The vulnerability is enabled by default. Mitigation instructions for immediate protections prior to installing patches or upgrading are described in the Snort Vulnerability Advisory.

Due to the seriousness of this vulnerability, the DHS/NIPC strongly recommends that system administrators or security managers who employ Snort take this opportunity to review their security procedures and patch or upgrade software with known vulnerabilities.

Sourcefire has acquired additional bandwidth and hosting to aid users wishing to upgrade their Snort implementation. Future information can be found at: http://www.sourcefire.com/

As always, computer users are advised to keep their anti-virus and systems software current by checking their vendor's web sites frequently for new updates and to check for alerts put out by the DHS/NIPC, CERT/CC, ISS and other cognizant organizations. The DHS/NIPC encourages recipients of this advisory to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) and other appropriate authorities. Recipients may report incidents online to http://www.nipc.gov/incident/cirr.htm. The DHS/NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or [EMAIL PROTECTED]