Bug#871568: Debian OVAL Files Improvement
Hi,

I see, but it doesn't answer the problem of how someone can judge the severity of DSA-X against DSA-Y and say which one is more important?

Yes, local factors can take precedence, for example having a local user vs not having local users - note that CVSSv3 takes this into account with the part of authentication.

You should note that RedHat, Ubuntu, CentOS, and others provide a severity rating, either based on the NIST NVD, or based on some internal "mechanism". But they provide that information to assist their customers to understand the threat. It would be disappointing if this is not done for Debian as well.

On Wed, Aug 9, 2017 at 2:33 PM, Moritz Muehlenhoff <j...@debian.org> wrote:
> On Wed, Aug 09, 2017 at 02:16:54PM +0300, Noam Rathaus wrote:
> > Package: security.debian.org
> >
> > Currently the Debian OVAL lack (critical) information from the files,
> > specifically the severity setting of the patch.
> >
> > I wanted to ask if it would be possible for the XML files that the script
> > you run will include the rating of the DSA advisory?
>
> DSA advisories intentionally don't have a severity rating and we're not
> planning to add one (since the severity depends strongly on local factors).
>
> I don't feel comfortable pulling in external CVSS classifications that we
> don't have any control over.
>
> Cheers,
>         Moritz

--
Thanks,
Noam Rathaus
Beyond Security
PGP Key ID: 2D24B275B1EB4475 (Exp 2018-03)
Bug#871568: Debian OVAL Files Improvement
Package: security.debian.org

Currently the Debian OVAL lacks (critical) information from the files, specifically the severity setting of the patch.

I wanted to ask if it would be possible for the XML files that the script you run will include the rating of the DSA advisory?

The DSA advisory itself doesn't include the severity but the CVEs do, so scraping the information from the NIST site would allow you to know what the severity is (by taking each CVE's CVSSv3 score and seeing which number is "highest").

If you agree to this, and need help getting this to work, I can lend a hand - I can provide code on how to "harvest" the NVD NIST site for the information, or take the information from NVD NIST's XML files (which they provide).

--
Thanks,
Noam Rathaus
Beyond Security
PGP Key ID: 2D24B275B1EB4475 (Exp 2018-03)
Bug#429961: dumpasn1: Off-By-One overflow
Package: dumpasn1
Version: 20030222-2
Severity: normal

Hi,

It is possible to cause an off-by-one overflow in the ASN1_Item structure by causing:

item->header[ i + index ] = ch;

to write to position 8 of the header by causing i+index to equal 8.

This is the file used:

ff d6 a3 54 84 00 10 ff 75 e0 ff d6 83 c4 14 a3 |...Tu...|
0010 50 84 00 10 c7 45 fc fe ff ff ff e8 09 00 00 00 |PE..|
0020 8b 45 dc e8 80 05 00 00 c3 6a 08 e8 21 05 00 00 |.E...j..!...|
0030 59 c3 ff 74 24 04 e8 52 ff ff ff f7 d8 1b c0 f7 |Y..t$..R|
0040 d8 59 48 c3 56 68 80 00 00 00 ff 15 f0 60 00 10 |.YH.Vh...`..|
0050 8b f0 56 ff 15 04 61 00 10 85 f6 59 59 a3 54 84 |..V...aYY.T.|
0060 00 10 a3 50 84 00 10 75 05 33 c0 40 5e c3 83 26 |[EMAIL PROTECTED]|
0070 00 e8 75 05 00 00 68 c4 57 00 10 e8 b2 ff ff ff |..u...h.W...|
0080 c7 04 24 94 57 00 10 e8 a6 ff ff ff 59 33 c0 5e |..$.W...Y3.^|
0090 c3 8b 44 24 08 55 33 ed 3b c5 75 0e 39 2d e0 80 |..D$.U3.;.u.9-..|
00a0 00 10 7e 3a ff 0d e0 80 00 10 83 f8 01 8b 0d dc |..~:|
00b0 60 00 10 8b 09 53 56 57 89 0d 40 84 00 10 0f 85 |[EMAIL PROTECTED]|
00c0 d4 00 00 00 64 a1 18 00 00 00 8b 70 04 8b 1d 1c |d..p|
00d0 60 00 10 89 6c 24 18 bf 48 84 00 10 eb 16 33 c0 |`...l$..H.3.|
00e0 e9 |.|
00e1

As the corruption is very small, it appears to be non-exploitable.

Proposed patch:

for( i = 0; i < length && i + index < sizeof( item->header ); i++ )

instead of the existing test.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.16
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dumpasn1 depends on:
ii  libc6  2.5-9+b1  GNU C Library: Shared libraries

dumpasn1 recommends no packages.

-- no debconf information

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
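As an added example (not code from the report and not dumpasn1's own source), the C program below models the fixed-size header buffer the report describes and shows the reported copy loop with the proposed bounds test in place. The struct layout, the function names and the 7-byte input are assumptions for the illustration; the point is that the copy now reports how many bytes it actually stored, so a caller can treat a short copy as a malformed object instead of silently continuing with a partially filled header.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size header buffer as described in the report ("position 8 of the
   header" is one past the end). The struct layout and field names are an
   assumption for this example, not dumpasn1's actual ASN1_Item definition. */
#define HEADER_SIZE 8

typedef struct {
    unsigned char header[HEADER_SIZE];
    int headerSize;
} ASN1_Item;

/* Stores 'length' bytes from 'src' into item->header starting at offset
   'index', as the reported loop does, but with the proposed bounds test
   (i < length && i + index < sizeof(item->header)) so that i + index can
   never reach HEADER_SIZE. Returns the number of bytes actually stored;
   a value smaller than 'length' means the input would have run past the
   end of the header and was truncated. */
static int copyHeaderBytes(ASN1_Item *item, int index,
                           const unsigned char *src, int length)
{
    int i;

    if (item == NULL || src == NULL || index < 0 || length < 0)
        return 0;
    for (i = 0; i < length && i + index < (int)sizeof(item->header); i++)
        item->header[i + index] = src[i];
    item->headerSize = index + i;
    return i;
}

/* Up-front check a caller can use to reject an object whose encoded length
   field would not fit, instead of copying a truncated header and going on. */
static int headerFits(int index, int length)
{
    return index >= 0 && length >= 0 && index + length <= HEADER_SIZE;
}

/* Helper for testing: fills a fresh item with a constructed byte pattern
   and returns how many of 'length' bytes were stored at offset 'index'. */
static int storedCount(int index, int length)
{
    unsigned char src[32];
    ASN1_Item item;
    int i;

    if (length < 0 || length > (int)sizeof(src))
        return -1;
    for (i = 0; i < length; i++)
        src[i] = (unsigned char)(i + 1);      /* constructed input bytes */
    memset(&item, 0, sizeof(item));
    return copyHeaderBytes(&item, index, src, length);
}

int main(void)
{
    /* Tag and length-of-length byte already occupy header[0..1]; a length
       field of 7 more bytes would need offsets 2..8, one past the end. */
    printf("index 2, length 7: stored %d of 7, fits=%d\n",
           storedCount(2, 7), headerFits(2, 7));
    printf("index 2, length 3: stored %d of 3, fits=%d\n",
           storedCount(2, 3), headerFits(2, 3));
    return 0;
}
```

The guard alone stops the write at offset 7, which is all the proposed patch does; the return value and headerFits() are the extra step that lets the parser reject the object rather than carry on with a header it knows is incomplete.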
Bug#328909: wordpress: CSS Security Vulnerability
Package: wordpress
Version: 1.5.2-1
Severity: normal

A cross site scripting vulnerability exists in Wordpress; the vulnerability manifests itself only when viewed by IE, as Mozilla converts < in the URL to &lt;

I attached a patch to resolve this issue.

# diff -u /tmp/template-functions-links.php.orig /usr/share/wordpress/wp-includes/template-functions-links.php
--- /tmp/template-functions-links.php.orig 2005-09-18 06:18:54.0 +
+++ /usr/share/wordpress/wp-includes/template-functions-links.php 2005-09-18 06:20:23.0 +
@@ -353,6 +353,17 @@
 global $wp_rewrite;
 $qstr = $_SERVER['REQUEST_URI'];
+$replacement = array ('quot;', // Replace HTML entities
+ 'amp;',
+ 'lt;',
+ 'gt;');
+
+$pattern = array ('//',
+ '//',
+ '//',
+ '//');
+
+$qstr = preg_replace($pattern, $replacement, $qstr);
 $page_querystring = paged;
 $page_modstring = page/;
@@ -489,4 +500,4 @@
 }
 }
-?
\ No newline at end of file
+?

-- System Information:
Debian Release: 3.1
Architecture: i386 (x86_64)
Kernel: Linux 2.6.11.6-RH1956
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages wordpress depends on:
ii  apache [httpd]             1.3.33-6sarge1  versatile, high-performance HTTP s
ii  mysql-server [virtual-mys  4.0.24-10       mysql database server binaries
ii  php4                       4:4.3.10-16     server-side, HTML-embedded scripti
ii  php4-mysql                 4:4.3.10-16     MySQL module for php4

-- no debconf information
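Review bot: in the @@ -353,6 +353,17 @@ hunk the four $pattern entries read as empty regular expressions ('//') and the $replacement entries lack the leading ampersand ('quot;', 'amp;', 'lt;', 'gt;'), so preg_replace($pattern, $replacement, $qstr) as quoted cannot perform the intended substitution of the characters with their HTML entities; if those characters were dropped in transit, please resend the patch as an attachment, and consider htmlspecialchars($qstr) in place of the four-regex table, since it encodes exactly that set of characters in one call. Rewriting $qstr in place right after it is read from $_SERVER['REQUEST_URI'] also means every later use of $qstr in this function sees the entity-encoded string; escaping at the point where the value is written into the page keeps the raw value for the other uses and avoids encoding the same & twice.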
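Review bot: the @@ -489,4 +500,4 @@ hunk only adds the newline that was missing after the closing tag at end of file and has no functional effect; dropping it from the security fix (or calling it out as cosmetic in the report) keeps the change under review to just the REQUEST_URI escaping.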
Bug#328909: wordpress: CSS Security Vulnerability
Cool.

On 9/19/05, Kai Hendry [EMAIL PROTECTED] wrote:
> Thanks for the bug report. I've forwarded this issue upstream on their BTS:
> http://trac.wordpress.org/ticket/1686
>
> Best wishes,

--
Thanks
Noam Rathaus
CTO
Beyond Security Ltd.
Join the SecuriTeam community on Orkut: http://www.orkut.com/Community.aspx?cmm=1
Bug#319338: postgresql: PostgreSQL upgrade doesn't work if its listening on localhost (127.0.0.1)
Hi,

I don't know from what version I am upgrading, I don't have that record, the original submission should have it.

Yes, the server is running during the upgrade.

2005-09-01 13:19:16 [10875] LOG: received fast shutdown request
2005-09-01 13:19:16 [3085] LOG: shutting down
2005-09-01 13:19:19 [3085] LOG: database system is shut down
2005-09-01 13:19:20 [3155] LOG: database system was shut down at 2005-09-01 13:19:19 IDT
2005-09-01 13:19:20 [3155] LOG: checkpoint record is at 0/844F648
2005-09-01 13:19:20 [3155] LOG: redo record is at 0/844F648; undo record is at 0/0; shutdown TRUE
2005-09-01 13:19:20 [3155] LOG: next transaction ID: 1547644; next OID: 62651
2005-09-01 13:19:20 [3155] LOG: database system is ready
2005-09-01 13:19:33 [3181] LOG: connection received: host=127.0.0.1 port=36698
2005-09-01 13:19:33 [3181] LOG: connection authorized: user=postgres database=WhatEver

On Tue August 30 2005 23:07, Martin Pitt wrote:
> Hi Noam!
>
> Noam Rathaus [2005-07-21 14:25 +0300]:
> > Trying to upgrade returns:
> > Setting up postgresql (7.4.7-6sarge1) ...
> > psql: could not connect to server: ?
> >         Is the server running locally and accepting
> >         connections on Unix domain socket /var/run/postgresql/.s.PGSQL.5432?
> > Applying security update in database template0...
> > dpkg: error processing postgresql (--configure):
> >  subprocess post-installation script returned error exit status 2
> > Setting up postgresql-doc (7.4.7-6sarge1) ...
>
> So you upgraded from which version? Was the server running before? Can
> you please send your /var/log/postgresql/postgres.log?
>
> Thanks,
>
> Martin

--
Noam Rathaus
CTO
Beyond Security Ltd.
http://www.beyondsecurity.com
http://www.securiteam.com
Bug#319338: postgresql: PostgreSQL upgrade doesn't work if its listening on localhost (127.0.0.1)
Package: postgresql
Version: 7.4.7-6sarge1
Severity: grave
Justification: renders package unusable

Trying to upgrade returns:

Setting up postgresql (7.4.7-6sarge1) ...
psql: could not connect to server: ÷�
        Is the server running locally and accepting
        connections on Unix domain socket /var/run/postgresql/.s.PGSQL.5432?
Applying security update in database template0...
dpkg: error processing postgresql (--configure):
 subprocess post-installation script returned error exit status 2
Setting up postgresql-doc (7.4.7-6sarge1) ...
Errors were encountered while processing:
 postgresql
E: Sub-process /usr/bin/dpkg returned an error code (1)

---

This is because my PostgreSQL is listening on localhost, and for some reason the upgrade is unable to upgrade.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11.7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages postgresql depends on:
ii  adduser           3.59                    Add and remove users and groups
ii  debconf [debconf  1.4.30.11               Debian configuration management sy
ii  debianutils       2.8.4                   Miscellaneous utilities specific t
ii  dpkg              1.10.25                 Package maintenance system for Deb
ii  libc6             2.3.2.ds1-21            GNU C Library: Shared libraries an
ii  libcomerr2        1.35-6                  The Common Error Description libra
ii  libkrb53          1.3.5-1                 MIT Kerberos runtime libraries
ii  libpam0g          0.76-22                 Pluggable Authentication Modules l
ii  libperl5.8        5.8.4-3                 Shared Perl library
ii  libpq3            7.4.6-5                 PostgreSQL C client library
ii  libreadline4      4.3-11                  GNU readline and history libraries
ii  libssl0.9.7       0.9.7e-2                SSL shared libraries
ii  mailx             1:8.1.2-0.20040524cvs-3 A simple mail user agent
ii  postgresql-clien  7.4.7-6sarge1           front-end programs for PostgreSQL
ii  procps            1:3.2.1-2               The /proc file system utilities
ii  python2.3         2.3.4-18                An interactive high-level object-o
ii  ucf               1.13                    Update Configuration File: preserv
ii  zlib1g            1:1.2.2-3               compression library - runtime

-- debconf information:
* postgresql/initdb/location: /var/lib/postgres/data
  postgresql/upgrade/preserve_location: $PGDATA/..
* postgresql/settings/day_month_order: European
  postgresql/upgrade/policy: true
* postgresql/settings/locale: C
  postgresql/enable_lang: true
* postgresql/purge_data_too: true
  postgresql/very_old_version_warning: true
  postgresql/upgrade/dump_location: $PGDATA/..
* postgresql/settings/encoding: per_locale
  postgresql/convert-pg_hba.conf: true
Bug#315250: logcheck: Installation fails due to an error
Package: logcheck
Version: 1.2.39
Severity: grave
Justification: renders package unusable

During installation the following is returned:

Setting up logcheck (1.2.39) ...
gpasswd: unknown user adm
adduser: `/usr/bin/gpasswd -M root,adm,daemon,logcheck adm' returned error code 1. Aborting.
Cleaning up.

From this point the logcheck won't work anymore, sending emails that something wrong has happened.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.3-1-686-smp
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages logcheck depends on:
ii  adduser           3.63                    Add and remove users and groups
ii  cron              3.0pl1-86               management of regular background p
ii  debconf [debconf  1.4.30.13               Debian configuration management sy
ii  debianutils       2.13.1                  Miscellaneous utilities specific t
ii  lockfile-progs    0.1.10                  Programs for locking and unlocking
ii  logcheck-databas  1.2.39                  A database of system log rules for
ii  logtail           1.2.39                  Print log file lines that have not
ii  mailx             1:8.1.2-0.20040524cvs-4 A simple mail user agent
ii  sendmail-bin [ma  8.13.4-3                powerful, efficient, and scalable
ii  sysklogd [system  1.4.1-17                System Logging Daemon

-- debconf information:
  logcheck/changes:
* logcheck/install-note:
Bug#315071: Results to your question
Hi,

See below:

# getent group adm
adm:x:4:root,adm,daemon

And:

# ls -l /var/log
total 20384
-rw-r----- 1 root   adm      43310 Jun 21 16:00 auth.log
-rw-r----- 1 root   adm     128247 Jun 19 06:47 auth.log.0
-rw-r----- 1 root   adm      10318 Jun 12 06:47 auth.log.1.gz
-rw-r----- 1 root   adm       9508 Jun  5 06:47 auth.log.2.gz
-rw-r----- 1 root   adm      12475 May 29 06:47 auth.log.3.gz
-rw-r--r-- 1 root   root      9838 May  3 17:43 base-config.log.1
-rw-r--r-- 1 root   root       384 May  3 17:43 base-config.timings.1
-rw-rw-r-- 1 root   utmp         0 Jun  1 06:25 btmp
-rw-rw-r-- 1 root   utmp       384 May 22 15:57 btmp.1
drwxr-xr-x 2 clamav clamav    4096 Jun 19 06:25 clamav
-rw-r----- 1 root   adm     479384 Jun 21 16:15 daemon.log
-rw-r----- 1 root   adm    2017570 Jun 21 06:24 daemon.log.0
-rw-r----- 1 root   adm      57638 Jun 19 06:24 daemon.log.1.gz
-rw-r----- 1 root   adm      71562 Jun 17 06:24 daemon.log.2.gz
-rw-r----- 1 root   adm     122795 Jun 16 06:23 daemon.log.3.gz
-rw-r----- 1 root   adm      87333 Jun 14 06:25 daemon.log.4.gz
-rw-r----- 1 root   adm      24716 Jun 12 06:45 daemon.log.5.gz
-rw-r----- 1 root   adm      81834 Jun 11 06:24 daemon.log.6.gz
drwxr-xr-x 2 root   root      4096 Jun 16 10:14 dcc
-rw-r----- 1 root   adm        160 Jun 19 16:25 debug
-rw-r----- 1 root   adm       2512 Jun  9 15:26 debug.0
-rw-r----- 1 root   adm        248 May 31 16:56 debug.1.gz
-rw-r----- 1 root   adm        297 May 27 01:55 debug.2.gz
-rw-r----- 1 root   adm        126 May 19 11:16 debug.3.gz
-rw-r--r-- 1 root   root      8841 Jun  7 13:28 dmesg
-rw-r--r-- 1 root   root     24072 Jun 21 15:53 faillog
-rw-r--r-- 1 root   root    360284 Jan 19  2004 installer.log
-rw-r--r-- 1 root   root     43431 Jan 19  2004 installer.timings
-rw-r----- 1 root   adm       3451 Jun 21 10:11 kern.log
-rw-r----- 1 root   adm    4677518 Jun 20 21:05 kern.log.0
-rw-r----- 1 root   adm        298 Jun 14 13:52 kern.log.1.gz
-rw-r----- 1 root   adm       4236 Jun  9 17:02 kern.log.2.gz
-rw-r----- 1 root   adm        396 May 31 17:03 kern.log.3.gz
-rw-r----- 1 root   adm        208 May 26 11:47 kern.log.4.gz
drwxr-xr-x 2 root   root      4096 Mar 29  2004 ksymoops
-rw-rw-r-- 1 root   utmp    292876 Jun 21 15:53 lastlog
-rw-r--r-- 1 root   root         0 Jan 19  2004 lpr.log
drwxrws--- 2 root   root      4096 Jun 19 06:47 mail
lrwxrwxrwx 1 root   root        22 Jan 20  2004 mail.log -> /var/log/mail/mail.log
-rw-r----- 1 root   adm       4543 Jun 21 16:10 messages
-rw-r----- 1 root   adm    4682345 Jun 21 06:09 messages.0
-rw-r----- 1 root   adm       1504 Jun 19 06:25 messages.1.gz
-rw-r----- 1 root   adm       6856 Jun 12 06:25 messages.2.gz
-rw-r----- 1 root   adm       2536 Jun  5 06:38 messages.3.gz
-rw-r----- 1 root   adm       3152 May 29 06:38 messages.4.gz
drwxr-sr-x 2 news   news      4096 Jan 19  2004 news
-rw------- 1 root   root     24774 Jun 21 09:16 openvpn
-rw------- 1 root   root       202 Jun  9 15:25 ppp-connect-errors.1.gz
-rw------- 1 root   root       175 May 31 16:56 ppp-connect-errors.2.gz
-rw------- 1 root   root       189 May 24 18:33 ppp-connect-errors.3.gz
-rw------- 1 root   root       171 May 22 17:11 ppp-connect-errors.4.gz
-rw-r----- 1 root   adm       2261 Mar  1  2004 setuid.changes
-rw-r----- 1 root   adm        849 Feb 27  2004 setuid.changes.0
-rw-r----- 1 root   adm        363 Feb 26  2004 setuid.changes.1.gz
-rw-r----- 1 root   adm        337 Feb 25  2004 setuid.changes.2.gz
-rw-r----- 1 root   adm        208 Feb 24  2004 setuid.changes.3.gz
-rw-r----- 1 root   adm        463 Feb 23  2004 setuid.changes.4.gz
-rw-r----- 1 root   adm        213 Feb 22  2004 setuid.changes.5.gz
-rw-r----- 1 root   adm        207 Feb 21  2004 setuid.changes.6.gz
-rw-r----- 1 root   adm     463518 Mar  1  2004 setuid.today
-rw-r----- 1 root   adm     463518 Feb 27  2004 setuid.yesterday
-rw-r----- 1 root   adm     497972 Jun 21 16:15 syslog
-rw-r----- 1 root   adm    5714380 Jun 21 06:25 syslog.0
-rw-r----- 1 root   adm      71445 Jun 20 06:25 syslog.1.gz
-rw-r----- 1 root   adm      29879 Jun 19 06:25 syslog.2.gz
-rw-r----- 1 root   adm      30894 Jun 18 06:25 syslog.3.gz
-rw-r----- 1 root   adm      79468 Jun 17 06:25 syslog.4.gz
-rw-r----- 1 root   adm      69985 Jun 16 06:25 syslog.5.gz
-rw-r----- 1 root   adm      74408 Jun 15 06:25 syslog.6.gz
-rw-r----- 1 root   adm          0 Apr 24 06:47 user.log
-rw-r----- 1 root   adm        143 Apr 20 14:54 user.log.0
-rw-r----- 1 root   adm         96 Dec 15  2004 user.log.1.gz
-rw-r----- 1 root   adm         96 Oct 20  2004 user.log.2.gz
-rw-r----- 1 root   adm         95 Oct  6  2004 user.log.3.gz
-rw-r----- 1 root   adm          0 Mar  7  2004 uucp.log
-rw-r----- 1 root   adm        309 Feb 26  2004 uucp.log.0
-rw-rw-r-- 1 root   utmp     21120 Jun 17 10:52 wtmp
-rw-rw-r-- 1 root   utmp     17280 May 31 17:06 wtmp.1

Hope this helps debug the issue.

--
Noam Rathaus
Bug#315071: [Logcheck-devel] Bug#315071: Results to your question
Hi,

On Tue June 21 2005 17:18, maximilian attems wrote:
> tags 315071 moreinfo
> thanks
>
> On Tue, 21 Jun 2005, Noam Rathaus wrote:
> > See below:
> > # getent group adm
> > adm:x:4:root,adm,daemon
>
> ok strange. because of the failure i didn't expect logcheck there anyway.
> but all my debian systems just show
> $ getent group adm
> adm:x:4:logcheck
>
> are you using ldap or any other fancy group db backend?

Nope.

> also what does this cmd run as root show:
> # adduser logcheck adm

# adduser logcheck adm
Adding user `logcheck' to group `adm'...
gpasswd: unknown user adm
adduser: `/usr/bin/gpasswd -M root,adm,daemon,logcheck adm' returned error code 1. Aborting.
Cleaning up.

> are you using selinux or any other security tool, which disable root capabilities?

Nope.

> thanks for your feedback - hope we can nail that down.
>
> --
> maks

--
Noam Rathaus
CTO
Beyond Security Ltd.
http://www.beyondsecurity.com
http://www.securiteam.com
Bug#315071: [Logcheck-devel] Bug#315071: Results to your question
On Tue June 21 2005 18:10, maximilian attems wrote:
> On Tue, 21 Jun 2005, Noam Rathaus wrote:
> snipp
> > > also what does this cmd run as root show:
> > > # adduser logcheck adm
> >
> > # adduser logcheck adm
> > Adding user `logcheck' to group `adm'...
> > gpasswd: unknown user adm
> > adduser: `/usr/bin/gpasswd -M root,adm,daemon,logcheck adm' returned error code 1. Aborting.
> > Cleaning up.
>
> ok so without quiet nothing really new.
> what are the permissions of your group file:
> # ls -l /etc/group

# ls -l /etc/group
-rw-r--r-- 1 root root 987 Jun 21 17:37 /etc/group

> # lsattr /etc/group

# lsattr /etc/group
- /etc/group

> what is your root fs mounted on? following output:
> $ mount

# mount
/dev/hda1 on / type ext3 (rw,errors=remount-ro)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)

> thanks again for your feedback.
>
> --
> maks

--
Noam Rathaus
CTO
Beyond Security Ltd.
http://www.beyondsecurity.com
http://www.securiteam.com
Bug#315071: [Logcheck-devel] Bug#315071: Results to your question
On Tue June 21 2005 18:34, maximilian attems wrote:
> On Tue, 21 Jun 2005, Noam Rathaus wrote:
> > See below:
> > # getent group adm
> > adm:x:4:root,adm,daemon
>
> ok guess it's bug #284688 from adduser.
> what does cmd return?
> $ getent passwd adm

# getent passwd adm
(Nothing)

> adm is not a user on none of my running Sarge system.
> that means that doesn't return anything.
> don't know why it was added to your /etc/group
>
> could you please handedit it (if aboves assumption is correct)
> the adm line should look like that:
> adm:x:4:root,daemon

I had this entry:
adm:x:4:root,adm,daemon

I replaced it with yours

> then please rerun:
> # adduser logcheck adm

And it worked.

> with your adm line i could reproduce your error.
> i guess we should reassign and merge that bug with aboves.
> thanks for a confirmation.
>
> --
> maks

Thanks :)

--
Noam Rathaus
CTO
Beyond Security Ltd.
http://www.beyondsecurity.com
http://www.securiteam.com
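The cause pinned down in this exchange is a group line whose member list names an account (adm) that does not exist in passwd, which makes the gpasswd -M call fail when adduser rewrites the group. As an added example (not part of the thread, and not adduser's or gpasswd's code), the C program below scans /etc/group-style lines for members that no known user account matches, so such stale entries can be found before the next group change trips over them. The list of known users is a constructed stand-in for getpwnam() lookups so the program runs without touching the system; the function names are assumptions for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAME 64

/* Constructed stand-in for the passwd database (on a real system this would
   be a getpwnam() lookup); note there is deliberately no "adm" account. */
static const char *const KNOWN_USERS[] = { "root", "daemon", "logcheck", NULL };

static int userExists(const char *name, const char *const *users)
{
    for (; *users != NULL; users++)
        if (strcmp(*users, name) == 0)
            return 1;
    return 0;
}

/* Parses one /etc/group line ("name:x:gid:member1,member2,...") and copies
   each member that is not a known user into 'out' (at most maxOut names,
   each truncated to MAX_NAME-1 characters). Returns the number of dangling
   members found (may exceed maxOut), or -1 if the line is malformed. */
static int danglingMembers(const char *groupLine, const char *const *users,
                           char out[][MAX_NAME], int maxOut)
{
    const char *p = groupLine;
    int field, found = 0;

    if (groupLine == NULL)
        return -1;
    /* Skip the name, password and gid fields. */
    for (field = 0; field < 3; field++) {
        p = strchr(p, ':');
        if (p == NULL)
            return -1;
        p++;
    }
    /* Walk the comma-separated member list without modifying the input. */
    while (*p != '\0' && *p != '\n' && *p != '\r') {
        const char *end = p;
        char name[MAX_NAME];
        size_t len;

        while (*end != '\0' && *end != ',' && *end != '\n' && *end != '\r')
            end++;
        len = (size_t)(end - p);
        if (len >= sizeof(name))
            len = sizeof(name) - 1;
        memcpy(name, p, len);
        name[len] = '\0';
        if (len > 0 && !userExists(name, users)) {
            if (found < maxOut)
                strcpy(out[found], name);
            found++;
        }
        p = (*end == ',') ? end + 1 : end;
    }
    return found;
}

/* Convenience wrappers over the constructed user list for the demo. */
static int danglingCount(const char *groupLine)
{
    char out[8][MAX_NAME];
    return danglingMembers(groupLine, KNOWN_USERS, out, 8);
}

static const char *firstDangling(const char *groupLine)
{
    static char out[8][MAX_NAME];
    int n = danglingMembers(groupLine, KNOWN_USERS, out, 8);
    return (n > 0) ? out[0] : "";
}

int main(void)
{
    /* The two adm lines from the thread: the broken one and the corrected one. */
    const char *lines[] = { "adm:x:4:root,adm,daemon", "adm:x:4:root,daemon" };
    size_t i;

    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
        printf("%-28s dangling members: %d (%s)\n", lines[i],
               danglingCount(lines[i]), firstDangling(lines[i]));
    return 0;
}
```

Run against a real group file, the same loop over each line with getpwnam() in place of the constructed list reports exactly the entries that gpasswd -M would reject, which is the check to run before an install script like logcheck's tries to add a user to the group.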