Re: Bookworm and ZFS (zfs-dkms 2.1.11) data corruption bug

2024-01-11 Thread Jan Ingvoldstad
On Wed, Jan 10, 2024 at 10:48 PM Xiyue Deng wrote:

>
> You can check the developer page of zfs-linux[1] on which the "action
> needed" section has information about security issues (along with
> version info as Gareth posted).  The one you mentioned was being tracked
> in [2] and the corresponding Debian bug is [3].  My guess is that as
> zfs-linux is not in "main" but "contrib", and the issue is marked
> "no-dsa" (see [4]), there may be no urgency to provide a stable update.
> But you may send a follow up in the tracking bug and ask for
> clarification from the maintainers on whether an (old)stable-update is
> desired.
>

Thanks, so it *was* my searching skills that failed me:

"The fix will land in bookworm-backports and bullseye-backports-sloppy
shortly after 2.1.14-1 migrates to testing, which will take about 2
days hopefully. Fixes to 2.0.3-9+deb11u1 (bullseye) and 2.1.11-1
(bookworm) are planned but will likely take more time."

I think the bug is mislabeled as "security" and "important", as this is
primarily a severe data corruption bug, but with *possible* security
implications.

It is far more concerning that one cannot trust that cp actually copies a
file, and this is a blocker for installing the ZFS packages in Debian.

-- 
Jan


Bookworm and ZFS (zfs-dkms 2.1.11) data corruption bug

2024-01-08 Thread Jan Ingvoldstad
Hi,

It seems that Bookworm's zfs-dkms package (from contrib) has the data
corruption bug that was fixed with OpenZFS 2.1.14 (and 2.2.2) on 2023-11-30.

https://github.com/openzfs/zfs/releases/tag/zfs-2.1.14

However, I see no relevant bug report in the bug tracker - have my
searching skills failed?

-- 
Jan


Jessie - PHP 5.6 update?

2016-09-21 Thread Jan Ingvoldstad
Hi,

I was wondering if the security updates in 5.6.25 and 5.6.26 might make it
into Jessie soon. Does anyone know why there is a delay?

It's of course possible to use dotdeb's packages, but I prefer the official
update path.

-- 
Jan


Re: Spamhaus Blacklist

2014-05-22 Thread Jan Ingvoldstad
On Thu, May 22, 2014 at 12:06 PM, basti mailingl...@unix-solution.de wrote:
> Actually I get some spam from 84.19.164.45 but this ip is not blocked
> at the moment.


Forward the message including all headers to the abuse contact for the
IP address.

You can look this up using whois.

whois 84.19.164.45 =>

...

% Abuse contact for '84.19.164.32 - 84.19.164.63' is 'ab...@keyweb.de'

...
-- 
Cheers,
Jan


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAEffzkzcbzg8rW96yvafq-4dN=xpgekfzv58ifpx2m33xjy...@mail.gmail.com



Re: Spamhaus Blacklist

2014-05-22 Thread Jan Ingvoldstad
On Thu, May 22, 2014 at 10:15 PM, Bob Holtzman hol...@cox.net wrote:
> On Thu, May 22, 2014 at 01:47:50PM +0200, Jan Ingvoldstad wrote:
>> On Thu, May 22, 2014 at 12:06 PM, basti mailingl...@unix-solution.de wrote:
>>> Actually I get some spam from 84.19.164.45 but this ip is not blocked
>>> at the moment.
>>
>> Forward the message including all headers to the abuse contact for the
>> IP address.
>>
>> You can look this up using whois.
>>
>> whois 84.19.164.45 =>
>>
>> % Abuse contact for '84.19.164.32 - 84.19.164.63' is 'ab...@keyweb.de'
>
> I would think that that's a good way of getting a *bunch* of people
> pissed off when the entire block is blacklisted. Better to filter the ip
> at your mail client.

What?

No, you misunderstand.

I'm saying:

Send an _e-mail_ to the abuse contact point for the IP address block owner.

Don't simply blacklist. Well, feel free to add the IP address in
question to a local blacklist, but if you can't be arsed to notify the
netblock owner, don't expect anything to happen with the problem.

-- 
Jan




Re: device naming (was: should an end user stick to a kernel with an initrd?)

2013-10-02 Thread Jan Ingvoldstad
On Mon, Sep 30, 2013 at 5:18 PM, Linux-Fan ma_sys...@web.de wrote:

> On 09/28/2013 04:54 AM, Ralf Mardorf wrote:
>
>> I only want to mention that this never happened on my machine within the
>> last = 10 years and I turn my PC often on and off. How often does it
>> switch on your machine? Does anybody experience that sda became sdb
>> after rebooting? I don't claim that this can't happen.
>
> I have a similar situation here: The device names never change -- sda is
> always the same disk etc.


This may be true in some setups/motherboards.

Others will have different experiences, e.g. when a motherboard has two or
more disk controllers (e.g. one for SATA RAID and one for regular SATA),
or you have a controller in a PCIe slot and use disks on either the
controller or the motherboard, or you have several controllers in PCIe
slots.
-- 
Jan


Re: Re: Security support for CMSes

2012-10-07 Thread Jan Ingvoldstad
On Mon, Oct 8, 2012 at 12:18 AM, Peter Viskup skupko...@gmail.com wrote:

> Overlooked it was not sent to debian-user list.

…

> I do not know what security issue was used to crack my site - they used
> some Drupal weakness to create some php files in Drupal install dir
> remotely and without getting SFTP access.
> I had a look on the state of the drupal6 package just after and noticed
> there are some critical bugfixes not backported to stable branch.
> That's all at the very moment.

In my experience, this correlation is good enough to reasonably assume
causation.

When a website is compromised, and the software running the website has
known vulnerabilities, there is rarely any need to look further. Such
attacks are usually automated or semi-automated.

You can reduce the problems somewhat by using ModSecurity, and disallowing
a bunch of PHP functions (eval, system, etc.) that many
components/extensions/modules/plugins/themes seem to find useful.

This is not always practical, for instance when you use a third party
webhost which does not offer these options, or when you do not have the
know-how to configure these right.

I suspect that for software like Drupal, using a secondary package manager
such as Portage may actually be better for the sysadmin.
-- 
Jan


Re: Strange Bind 9 crash (lenny, squeeze)

2011-05-27 Thread Jan Ingvoldstad
On Fri, May 27, 2011 at 10:04, mail...@securitylabs.it 
mail...@securitylabs.it wrote:

> On 26/05/2011 22:53, Jan Ingvoldstad wrote:
>
>> Hi.
>>
>> At $workplace, two of our internal, caching DNS servers, running Bind
>> 9 experienced crashes in quick order today.
>
> Hello, may be it has something related to this?
>
> ***
> *Summary:* A BIND 9 DNS server set up to be a caching resolver is
> vulnerable to a user querying a domain with very large resource record
> sets (RRSets) when trying to negatively cache a response. This can
> cause the BIND 9 DNS server (named process) to crash.
>
> *Document ID:* CVE-2011-1910

Yes, that one might be relevant. Thanks!

> *Exploit Status:* High. This issue has caused un-intentional outages.


Indeed. :)

-- 
Jan


Strange Bind 9 crash (lenny, squeeze)

2011-05-26 Thread Jan Ingvoldstad
Hi.

At $workplace, two of our internal, caching DNS servers, running Bind
9 experienced crashes in quick order today.

I was wondering if other Debian users with Bind 9 have experienced
similar crashes lately, and know how to avoid them (installing other
recursive DNS servers is, of course, an option).

They were both running 1:9.6.ESV.R4+dfsg-0+lenny1 at the time, and
here's the log lines from daemon.log I think are relevant (the logs
are fairly spammy):

May 26 17:16:14 dns2 named[13336]: buffer.c:285: REQUIRE(b->used + 1 <= b->length) failed
May 26 17:16:14 dns2 named[13336]: exiting (due to assertion failure)

May 26 17:36:15 dns1 named[4488]: buffer.c:285: REQUIRE(b->used + 1 <= b->length) failed
May 26 17:36:15 dns1 named[4488]: exiting (due to assertion failure)

I then upgraded dns2 to squeeze, which provides 1:9.7.3.dfsg-1~squeeze1.

There was a change: more log entries in daemon.log:


May 26 22:26:19 dns2 named[1608]: buffer.c:285: REQUIRE(b->used + 1 <= b->length) failed, back trace
May 26 22:26:19 dns2 named[1608]: #0 0xb77ebfa0 in ??
May 26 22:26:19 dns2 named[1608]: #1 0xb7411093 in ??
May 26 22:26:19 dns2 named[1608]: #2 0xb7412d78 in ??
May 26 22:26:19 dns2 named[1608]: #3 0xb76793ce in ??
May 26 22:26:19 dns2 named[1608]: #4 0xb76f7e3e in ??
May 26 22:26:19 dns2 named[1608]: #5 0xb76feb9f in ??
May 26 22:26:19 dns2 named[1608]: #6 0xb7433ebb in ??
May 26 22:26:19 dns2 named[1608]: #7 0xb7235955 in ??
May 26 22:26:19 dns2 named[1608]: #8 0xb708be7e in ??
May 26 22:26:19 dns2 named[1608]: exiting (due to assertion failure)


The relevant code snippet from lib/isc/buffer.c is:


void
isc__buffer_putuint48(isc_buffer_t *b, isc_uint64_t val) {
    isc_uint16_t valhi;
    isc_uint32_t vallo;

    REQUIRE(ISC_BUFFER_VALID(b));
    REQUIRE(b->used + 6 <= b->length);

    valhi = (isc_uint16_t)(val >> 32);
    vallo = (isc_uint32_t)(val & 0xFFFFFFFF);
    ISC__BUFFER_PUTUINT16(b, valhi);
    ISC__BUFFER_PUTUINT32(b, vallo);
}


This function is used via the macro isc_buffer_putuint48 only in lib/dns/tsig.c.

I have googled for these problems, and found other examples of Bind 9
falling over because of assertion failures, but not for this
particular case. I have also found that Bind 10 has copied this code
verbatim, which may not be such a good idea, if it falls over every so
often. :)
--
Jan
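
Added example, not part of the original post and not BIND code: a small detector for the failure signature quoted in the message above, pairing each failed assertion with the matching "exiting" line per host and PID and flagging assertion sites that fire on more than one server. The sample lines are constructed from the excerpts in the post; the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: syslog lines modelled on the daemon.log excerpts in the
# post, unwrapped and with the "->" and "<=" operators written out.
SAMPLE_LOG = """\
May 26 17:16:14 dns2 named[13336]: buffer.c:285: REQUIRE(b->used + 1 <= b->length) failed
May 26 17:16:14 dns2 named[13336]: exiting (due to assertion failure)
May 26 17:20:01 dns1 named[4488]: zone example.org/IN: loaded serial 2011052601
May 26 17:36:15 dns1 named[4488]: buffer.c:285: REQUIRE(b->used + 1 <= b->length) failed
May 26 17:36:15 dns1 named[4488]: exiting (due to assertion failure)
May 26 22:26:19 dns2 named[1608]: buffer.c:285: REQUIRE(b->used + 1 <= b->length) failed, back trace
May 26 22:26:19 dns2 named[1608]: #0 0xb77ebfa0 in ??
May 26 22:26:19 dns2 named[1608]: exiting (due to assertion failure)
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) named\[(\d+)\]: (.*)$")
FAILED = re.compile(r"^(\S+?):(\d+): (\w+)\((.*)\) failed")
EXITING = "exiting (due to assertion failure)"

def find_assertion_crashes(log_text):
    """One record per named process that logged a failed assertion, then exited."""
    pending = {}   # (host, pid) -> record still waiting for the exit line
    crashes = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when, host, pid, msg = m.groups()
        failed = FAILED.match(msg)
        if failed:
            src, lineno, macro, expr = failed.groups()
            pending[(host, pid)] = {"time": when, "host": host, "pid": int(pid),
                                    "site": f"{src}:{lineno}", "macro": macro, "check": expr}
        elif msg == EXITING and (host, pid) in pending:
            crashes.append(pending.pop((host, pid)))
    return crashes

def sites_on_multiple_hosts(crashes, min_hosts=2):
    """Assertion sites that fired on several hosts: a shared trigger, not a one-off."""
    hosts = defaultdict(set)
    for crash in crashes:
        hosts[crash["site"]].add(crash["host"])
    return {site: sorted(h) for site, h in hosts.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    found = find_assertion_crashes(SAMPLE_LOG)
    print(found, sites_on_multiple_hosts(found))
```

The same source location failing on two resolvers within minutes points to a shared external trigger, not a local fault, which is what a per-host alert on a single crash would miss.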




Re: Security and dual booting/running in VM Windows and Linux

2010-10-04 Thread Jan Ingvoldstad
On Mon, Oct 4, 2010 at 12:07, Lisi lisi.re...@gmail.com wrote:

> I have no metrics myself against which to measure this.  I have Googled,
> but have found it difficult to distinguish the FUD and biased/inaccurate
> information from the real - and reliable - information.  I would be glad
> of some opinions from the list.
>
> If I set up a computer to dual boot Windows and Linux (specifically Debian
> Lenny) does the fact that Windows is sharing the computer in any way
> jeopardise the security of the Linux installation?


If your basic assumption is that your Windows system is less secure than
your Debian system, then yes, it might.

Even though Windows itself doesn't understand filesystem information etc.
for Linux, Linux is open source, so it's hardly a secret how that works.
There is userspace software for this.

It is, however, extremely unlikely that someone will attempt to break into a
Linux partition on a Windows box through an automated process: there are so
few people doing this compared to the mass of Windows boxes, that there is
little profit in it for script kiddies and crackers.

So, yes, it does jeopardise the security, but not significantly, and
probably less so than the Linux installation jeopardises the Windows
installation.

> Does it make any difference whether they are in separate partitions on the
> same disk or on separate HDDs?


No.

> Would running Windows in a VM from Linux make the Linux host less secure
> than dual booting, or more so?  Would the Linux host in fact be
> more/less/equally secure than/as it would be if Windows were not on the
> box at all?


I think you may be approaching this the wrong way, and that you instead
should ask yourself:

How can I secure my system(s) in the best possible way?

If your main fear is that a Windows security vulnerability might screw up
your Linux data, use encryption for your Linux partition, e.g. with dm-crypt
(http://www.saout.de/misc/dm-crypt/), and _do not store the password in a
file_.
-- 
Jan


Re: Xen on Squeeze won't start

2010-09-30 Thread Jan Ingvoldstad
On Fri, Jul 2, 2010 at 22:51, Rippl, Steve rip...@woodlandschools.org wrote:

> Well just in case someone else hits this... once my colleague
> suggested I look closer at what grub2 was doing, and after more time
> on Google and experimenting I came up with this... the actual xen 3.4
> hypervisor isn't being put into the grub2 boot list.  It's not good
> booting off the one that says ...-xen-... as that appears to be the
> paravirtualised kernel, not the hypervisor.  So, the following in
> /etc/grub.d/40_custom


The simpler way appears to be:

cd /etc/grub.d
mv 20_linux_xen 08_linux_xen
update-grub

A search for xen in the bugs for grub-common yields the following hit,
which has been merged with other bugs:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505517

However, in yesterday's squeeze, the problem was still present; Xen dom0
does not get preference over the other installed kernels, which is a pretty
big bummer.

Should I file a new bugreport for this?
-- 
Jan


Re: top-posting

2009-03-07 Thread Jan Ingvoldstad
On Sat, Mar 7, 2009 at 8:32 AM, karun ka...@mail.karund.de wrote:

> Top Posting is an unfortunate side effect, of Microsoft Outlook becoming
> the standard for non Opensource computer software users.

Well, Google with Gmail certainly aren't helping.

I also thoroughly loathe answers in the form "my response in green
below", where the Outlook users have tried to answer each point in
turn, but failed in the point that Outlook doesn't make this easy for
the rest of us.

Usually, top posting is a sign that the poster might as well not have
quoted the original text at all, since the quoted text rarely aids in
understanding.

I agree, though, that complaining publicly on a mailing list regarding
one part's choice of quoting or not usually is bad netiquette.
-- 
Jan




etch/bind9 problems after OpenSSL and kernel security upgrade

2008-05-15 Thread Jan Ingvoldstad
Hi.

I work for a DNS-provider with a six-digit number of zones in our main
nameserver.

The main nameserver is running Debian etch, kept up to date with security
patches from security.debian.org.

After the by now well-known OpenSSL security upgrade (openssl 0.9.8c-4etch1
-> 0.9.8c-4etch3) and a reboot with linux-image-2.6.18-6-686
(2.6.18.dfsg.1-18etch4), named (bind9 9.3.4-2etch1) has become quite
unstable. So far, we've had two cases of named just being completely
unresponsive, and the first case was during the first startup of named after
reboot.

I suspect the problem may be with the changes in OpenSSL from 0.9.8c-4etch1
to 0.9.8c-4etch2 (0.9.8c-4etch2 was never released through
security.debian.org, so the changes were rolled up with the 0.9.8c-4etch3
release).

It's fairly hard for me to provide a really good test case. Our named.conf
is 10 MB and contains 130k zones, and named uses 25 minutes to start in the
best of times, sometimes up to an hour or so. It's not realistic to perform
testing on this platform.

According to the changelog for the openssl package, the changes that aren't
related to the security fix are:

openssl (0.9.8c-4etch2) proposed-updates; urgency=low

  * Apply patch from SuSe for CVE-2007-4995.  This should also
    get DTLS in a working state.
  * Fix CVE-2007-3108 wrong Montgomery multiplication.  This was
    also included in the patch from SuSe.  (Closes: #438142)

 -- Kurt Roeckx [EMAIL PROTECTED]  Sun, 06 Apr 2008 16:31:28 +0200

CVE-2007-4995 seems pretty serious, so it's a bit strange that the urgency
was low, but would it be fairly easy to regress to 0.9.8c-4etch1 with
patches for CVE-2007-4995 and the random seed problem only?

Am I barking up the wrong tree here, and should I instead be looking at
problems in bind9 itself, or even the kernel? It does seem too much of a
coincidence that these problems only started occurring after the OpenSSL +
kernel upgrade, though.
-- 
Jan


Re: eMail Relaying to ISP using SMPT-Auth login

2005-12-24 Thread Jan Ingvoldstad
On 12/24/05, Michael Przysucha [EMAIL PROTECTED] wrote:
> I've got a problem with my eMail-client and my ISP, the client does not
> support the SMTP-Auth mechanisms required by my ISP.
> Trying to solve the problem I wanted to set up a Debian box (Soekris
> net4501 headless system) with a relaying system. I tried sendmail, postfix,
> exim4 and so on but it didn't work any way. The system should work the way
> described in the graphic below, maybe someone can help selecting the right
> program and configuring it for this purpose!?
>
> Thanks in advance,
> Michael Przysucha
>
> eMail-client (Opera 5.12 build 932)

Regardless of the other advice you've gotten, you should upgrade from this
ancient version of Opera as soon as possible. This version has several
well-known and published security holes.

Try downloading and upgrading to the most recent version from Opera.com.

Incidentally, this will result in a version that supports SMTP auth. :)
-- 
Jan