Re: [SECURITY] [DSA 740-1] New zlib packages fix denial of service
On Wed, Jul 06, 2005 at 04:45:01PM +0200, Michael Stone wrote: - Debian Security Advisory DSA 740-1 [EMAIL PROTECTED] http://www.debian.org/security/Michael Stone July 06, 2005 http://www.debian.org/security/faq - Package: zlib Vulnerability : buffer overflow Problem type : remote DOS Debian-specific: no CVE Id(s) : CAN-2005-2096 An error in the way zlib handles the inflation of certain compressed files can cause a program which uses zlib to crash when opening an invalid file. This problem does not affect the old stable distribution (woody). For the stable distribution (sarge), this problem has been fixed in version 1.2.2-4.sarge.1. For the unstable distribution, this problem has been fixed in version 1.2.2-7. We recommend that you upgrade your clamav package. I would prefer to upgrade also my zlib package ;-) -- Roberto Gordo Saez - Free Software Engineer Linalco Especialistas en Linux y Software Libre http://www.linalco.com/ Tel: +34-914561700 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Shadow passwords
I am busy building two new proxy servers. I installed the first from debian-install CD with the normal installer. As an exercise in disaster recovery I decided to install the second from a CD I have build with dfsbuild on the first one. On the second machine Tiger reports: user is not configured to use shadow passwords ... How do I change that after an installation that did not ask beforehand about shadow passwords? I did a 'sudo shadowconfig on' but suspect that will only have an effect on new passwords - or not? Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch Trust in the Lord with all your heart, and do not lean on your own understanding. Proverbs 3:5 Vrywaring: Jy hoef eintlik net die e-pos self te gelees het. :) Disclaimer: If you are reading this you are wasting your time :) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: /dev/log
On Wednesday 06 July 2005 05:05, Ian Eure [EMAIL PROTECTED] wrote: It's used by syslogd. Not 100% sure on this, but I believe it's how user-space apps send messages to syslog (e.g. with syslog(3)). If that's the case, it would need to be mode 666 for syslog(3) to work. It doesn't have to be mode 0666, it just needs to be writable by every program that you want to log via syslog. As there are many daemons which run as non-root (most daemons should not have root privs) and there is no group for daemons to allow such access it's almost required to grant every process access to /dev/log. If you want restricted access to /dev/log then you need something more capable than regular Unix access control. POSIX ACLs could do the job, but you would have to patch the syslogd to set the ACLs every time it starts up. If you run SE Linux then /dev/log access is controlled and you can determine which programs get access to it. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Shadow passwords
On Thu, Jul 07, 2005 at 09:49:17AM +0200, Johann Spies wrote: I am busy building two new proxy servers. I installed the first from debian-install CD with the normal installer. As an exercise in disaster recovery I decided to install the second from a CD I have build with dfsbuild on the first one. On the second machine Tiger reports: user is not configured to use shadow passwords ... How do I change that after an installation that did not ask beforehand about shadow passwords? I did a 'sudo shadowconfig on' but suspect that will only have an effect on new passwords - or not? man pwconv -- Tonight you will pay the wages of sin; Don't forget to leave a tip. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Shadow passwords
On Thu, Jul 07, 2005 at 04:48:51AM -0400, Bill Marcum wrote: On Thu, Jul 07, 2005 at 09:49:17AM +0200, Johann Spies wrote: I am busy building two new proxy servers. I installed the first from debian-install CD with the normal installer. As an exercise in disaster recovery I decided to install the second from a CD I have build with dfsbuild on the first one. On the second machine Tiger reports: user is not configured to use shadow passwords ... How do I change that after an installation that did not ask beforehand about shadow passwords? I did a 'sudo shadowconfig on' but suspect that will only have an effect on new passwords - or not? man pwconv Thanks! I totally forgot about that. Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch Trust in the Lord with all your heart, and do not lean on your own understanding. Proverbs 3:5 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 741-1] New bzip2 packages prevent decompression bomb
Hallo, Ik ben op vakantie tot 20 juli. Voor support vragen kunt u contact opnemen met onze supportdesk. Voor sales en andere vragen kunt u mailen naar [EMAIL PROTECTED] Met vriendelijke groet, Steve Karnadi Hello, I am on vacation until the 20th of July. You can contact our supportdesk for support questions. Sales questions or other questions can be sent to [EMAIL PROTECTED] Regards, Steve Karnadi -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Where is the security announcement?
martin f krafft schrieb: So Debian has had (and continues to have) problems with the security archive. This has been widely publicised, giving the world a rather shameful image of our projecti and produce. Ignoring the causes of the problems, which undoubtedly need to be fixed ASAP, no announcement whatsoever has been sent to our users, nor has there been any mention of the problem in the Debian News or other official channels. I got at least security announcements from debian-security-announce@lists.debian.org See http://lists.debian.org/debian-security-announce/debian-security-announce-2005/threads.html -- Ruhr-Universität Bochum Institut für Theoretische Physik IV Universitätsstr. 150 D-44780 Bochum Tel. +49 234 32 28878 Fax: +49 234 32 14177 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
gpg-errors with apt
I have asked this on debian-user but got no response: I have read http://www.debian-administration.org/articles/174 about this topic and have done what the article suggested: ~# gpg --keyserver keyring.debian.org --recv 4F368D5D Got a timeout here. Or if you wish you can download it from the internet, from http://www.debian.org/releases/ - towards the bottom of the page there's a link to the file ziyi_key_2005.asc. Download this and import it as follows: [EMAIL PROTECTED]:~# cat ziyi_key_2005.asc | gpg --import I have done this but I still get the following on aptitude update (on sid): W: GPG error: ftp://archive3.sun.ac.za unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F1D53D8C4F368D5D W: GPG error: ftp://archive3.sun.ac.za unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907 W: You may want to update the package lists to correct these missing files with the resulting warnings when I want to install a package: Untrusted packages could compromise your system's security. You should only proceed with the installation if you are certain that this is what you want to do. Is this a bug or how do I solve this problem? Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch But Jesus said, Let the little children come to me, and do not hinder them, for the kingdom of heaven belongs to such as these. Matthew 19:14 Vrywaring: Jy hoef eintlik net die e-pos self te gelees het. :) Disclaimer: If you are reading this you are wasting your time :) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch Trust in the Lord with all your heart, and do not lean on your own understanding. Proverbs 3:5 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: gpg-errors with apt
On Thu, Jul 07, 2005 at 12:22:36PM +0200, Johann Spies wrote: I have read http://www.debian-administration.org/articles/174 about this topic and have done what the article suggested: ~# gpg --keyserver keyring.debian.org --recv 4F368D5D This imports the key for the Debian Unstable archive. Got a timeout here. Firewall? Or if you wish you can download it from the internet, from http://www.debian.org/releases/ - towards the bottom of the page there's a link to the file ziyi_key_2005.asc. Download this and import it as follows: [EMAIL PROTECTED]:~# cat ziyi_key_2005.asc | gpg --import (Bad '' on the end of that command line.. mistake in copy + paste?) I have done this but I still get the following on aptitude update (on sid): W: GPG error: ftp://archive3.sun.ac.za unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F1D53D8C4F368D5D This is a completely different key - here the complain is that the archive you have in your apt.sources list, for archive3.sun.ac.za, is signed with a key 'F1D53D8C4F368D5D' which you don't have imported. W: GPG error: ftp://archive3.sun.ac.za unstable Release: The following signatures couldn't be verified because the public key is not available: And the error says as much. The signature isn't verified because you're missing the key. NO_PUBKEY 07DC563D1F41B907 W: You may want to update the package lists to correct these missing files Find the key that the archive is signed with, import it as you did for the main Sid/Etch archive and all should be well. Is this a bug or how do I solve this problem? Not a bug with the *Debian* archive, but a missing key on your side from the look of things.. Steve -- # The Debian Security Audit Project. http://www.debian.org/security/audit -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Where is the security announcement?
also sprach Robin Schroeder [EMAIL PROTECTED] [2005.07.07.1133 +0200]: I got at least security announcements from debian-security-announce@lists.debian.org Not between 3 June and 30 June. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft [EMAIL PROTECTED] : :' :proud Debian developer, admin, user, and author `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! twenty-four hour room-service must be one of the premiere achievements of modern civilization. -- special agent dale cooper signature.asc Description: Digital signature
Re: gpg-errors with apt
Hello Steve, On Thu, Jul 07, 2005 at 12:26:32PM +0100, Steve Kemp wrote: On Thu, Jul 07, 2005 at 12:22:36PM +0200, Johann Spies wrote: I have read http://www.debian-administration.org/articles/174 about this topic and have done what the article suggested: ~# gpg --keyserver keyring.debian.org --recv 4F368D5D This imports the key for the Debian Unstable archive. Got a timeout here. Firewall? Maybe Or if you wish you can download it from the internet, from http://www.debian.org/releases/ - towards the bottom of the page there's a link to the file ziyi_key_2005.asc. Download this and import it as follows: [EMAIL PROTECTED]:~# cat ziyi_key_2005.asc | gpg --import (Bad '' on the end of that command line.. mistake in copy + paste?) Probably. It did seem to work when I executed the command. I have done this but I still get the following on aptitude update (on sid): W: GPG error: ftp://archive3.sun.ac.za unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F1D53D8C4F368D5D This is a completely different key - here the complain is that the archive you have in your apt.sources list, for archive3.sun.ac.za, is signed with a key 'F1D53D8C4F368D5D' which you don't have imported. Ok, but the archive on archive3.sun.ac.za is just a mirror from a primary debian upstream source. Do I have to generate a spesific key for my server? W: GPG error: ftp://archive3.sun.ac.za unstable Release: The following signatures couldn't be verified because the public key is not available: And the error says as much. The signature isn't verified because you're missing the key. NO_PUBKEY 07DC563D1F41B907 W: You may want to update the package lists to correct these missing files Find the key that the archive is signed with, import it as you did for the main Sid/Etch archive and all should be well. And where do I find this key? Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch Trust in the Lord with all your heart, and do not lean on your own understanding. Proverbs 3:5 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: gpg-errors with apt
On Thu, Jul 07, 2005 at 02:14:51PM +0200, Johann Spies wrote: Ok, but the archive on archive3.sun.ac.za is just a mirror from a primary debian upstream source. Do I have to generate a spesific key for my server? Strange .. but no you need do nothing with your key(s). NO_PUBKEY 07DC563D1F41B907 W: You may want to update the package lists to correct these missing files Find the key that the archive is signed with, import it as you did for the main Sid/Etch archive and all should be well. And where do I find this key? gpg --keyserver some.key.server --recv-keys 07DC563D1F41B907 (For keyservers I use: keyring.debian.org pgp.mit.edu pgpkeys.pgp.net wwwkeys.uk.pgp.net or wwwkeys.pgp.net ) Steve -- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: gpg-errors with apt
On Thu, Jul 07, 2005 at 01:39:57PM +0100, Steve Kemp wrote: On Thu, Jul 07, 2005 at 02:14:51PM +0200, Johann Spies wrote: Ok, but the archive on archive3.sun.ac.za is just a mirror from a primary debian upstream source. Do I have to generate a spesific key for my server? Strange .. but no you need do nothing with your key(s). NO_PUBKEY 07DC563D1F41B907 W: You may want to update the package lists to correct these missing files Find the key that the archive is signed with, import it as you did for the main Sid/Etch archive and all should be well. And where do I find this key? gpg --keyserver some.key.server --recv-keys 07DC563D1F41B907 (For keyservers I use: keyring.debian.org pgp.mit.edu pgpkeys.pgp.net wwwkeys.uk.pgp.net or wwwkeys.pgp.net ) Thanks, I have done that with no error messages: # gpg --keyserver keyring.debian.org --recv-keys 07DC563D1F41B907 F1D53D8C4F368D gpg: requesting key 4F368D5D from hkp server keyring.debian.org gpg: requesting key 1F41B907 from hkp server keyring.debian.org gpg: key 4F368D5D: Debian Archive Automatic Signing Key (2005) [EMAIL PROTECTED] not changed gpg: key 1F41B907: Christian Marillat [EMAIL PROTECTED] not changed gpg: Total number processed: 2 gpg: unchanged: 2 I have also downloaded the script apt-check-sigs which reported the following: Checking sources in /etc/apt/sources.list: ~~ ... Source: deb ftp://archive3.sun.ac.za/pub/mirrors/debian unstable main contrib non-free o Origin: Debian/Debian o Suite: unstable/sid o Date: Tue, 05 Jul 2005 19:38:39 UTC o Description: Debian Unstable - Not Released * COULDN'T CHECK SIGNATURE BY KEYID: F1D53D8C4F368D5D * NO VALID SIGNATURE o Okay: main contrib non-free Source: deb-src ftp://archive3.sun.ac.za/pub/mirrors/debian unstable main contrib non-free o Origin: Debian/Debian o Suite: unstable/sid o Date: Tue, 05 Jul 2005 19:38:39 UTC o Description: Debian Unstable - Not Released * COULDN'T CHECK SIGNATURE BY KEYID: F1D53D8C4F368D5D * NO VALID SIGNATURE o Okay: main contrib non-free ... I am also the ftp-administrator of archive3.sun.ac.za so I have an uneasy feeling about this... Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch Trust in the Lord with all your heart, and do not lean on your own understanding. Proverbs 3:5 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
RE: [SECURITY] [DSA 741-1] New bzip2 packages prevent decompression bomb
Hey Lance, Do you know how I can get myself off of this list? Somehow I signed up under my alias, so I can't just send a message from my email account. Christina -Original Message- From: Martin Schulze [mailto:[EMAIL PROTECTED] Sent: Thursday, July 07, 2005 5:06 AM To: Debian Security Announcements Subject: [SECURITY] [DSA 741-1] New bzip2 packages prevent decompression bomb -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 741-1 [EMAIL PROTECTED] http://www.debian.org/security/ Martin Schulze July 7th, 2005 http://www.debian.org/security/faq - -- Package: bzip2 Vulnerability : infinite loop Problem-Type : local (remote) Debian-specific: no CVE ID : CAN-2005-1260 Debian Bug : 310803 Chris Evans discovered that a specially crafted archive can trigger an infinete loop in bzip2, a high-quality block-sorting file compressor. During uncompression this results in an indefinitively growing output file which will finally fill up the disk and. On systems that automatically decompress bzip2 archives this can cause a denial of service. For the oldstable distribution (woody) this problem has been fixed in version 1.0.2-1.woody5. For the stable distribution (sarge) this problem has been fixed in version 1.0.2-7. For the unstable distribution (sid) this problem has been fixed in version 1.0.2-7. We recommend that you upgrade your bzip2 package. Upgrade Instructions - wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/b/bzip2/bzip2_1.0.2-1.woody5.ds c Size/MD5 checksum: 591 2bbebaa9594819a21b293cd679e88f9e http://security.debian.org/pool/updates/main/b/bzip2/bzip2_1.0.2-1.woody5.di ff.gz Size/MD5 checksum:11423 d413545f13911158a7f382a1dc68008b http://security.debian.org/pool/updates/main/b/bzip2/bzip2_1.0.2.orig.tar.gz Size/MD5 checksum: 665198 ee76864958d568677f03db8afad92beb Alpha architecture: http://security.debian.org/pool/updates/main/b/bzip2/bzip2_1.0.2-1.woody5_al pha.deb Size/MD5 checksum: 233882 d3c37c8ad0cb2420ee374b524a92a07c http://security.debian.org/pool/updates/main/b/bzip2/libbz2-1.0_1.0.2-1.wood y5_alpha.deb Size/MD5 checksum:44560 de6c1c030622783e52c4267ba1b501e3 http://security.debian.org/pool/updates/main/b/bzip2/libbz2-dev_1.0.2-1.wood y5_alpha.deb Size/MD5 checksum:38716 0f8eef3a5703404e6e9ac0dd11898966 ARM architecture: http://security.debian.org/pool/updates/main/b/bzip2/bzip2_1.0.2-1.woody5_ar m.deb Size/MD5 checksum: 230474 e07a9ae2b735d7b66590dd8fb00cd300 http://security.debian.org/pool/updates/main/b/bzip2/libbz2-1.0_1.0.2-1.wood y5_arm.deb Size/MD5 checksum:38796 7cc672c5a6fea032afa005cfe9dad039 http://security.debian.org/pool/updates/main/b/bzip2/libbz2-dev_1.0.2-1.wood y5_arm.deb Size/MD5 checksum:35504 a923ddc75c05df5d07aff126d6f11755 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/b/bzip2/bzip2_1.0.2-1.woody5_i3 86.deb Size/MD5 checksum: 230044 956cb5c4e8c21ae3021ac4e8f3df1c94 http://security.debian.org/pool/updates/main/b/bzip2/libbz2-1.0_1.0.2-1.wood y5_i386.deb Size/MD5 checksum:35844 0347c033eb73e0cc20207dd4eb556955 http://security.debian.org/pool/updates/main/b/bzip2/libbz2-dev_1.0.2-1.wood y5_i386.deb Size/MD5 checksum:28372 bc465e4913826f411d6859a07cd6247a Intel IA-64 architecture: http://security.debian.org/pool/updates/main/b/bzip2/bzip2_1.0.2-1.woody5_ia 64.deb Size/MD5 checksum: 238600 b16122e6bd2a37085ac003ece8545ab2 http://security.debian.org/pool/updates/main/b/bzip2/libbz2-1.0_1.0.2-1.wood y5_ia64.deb Size/MD5 checksum:53758 e17ccb297e38c7fa4c2ccdb569ea4dbe http://security.debian.org/pool/updates/main/b/bzip2/libbz2-dev_1.0.2-1.wood y5_ia64.deb Size/MD5 checksum:47592 f1bfbf630c9fd023abb32f67e99167bc HP Precision architecture: http://security.debian.org/pool/updates/main/b/bzip2/bzip2_1.0.2-1.woody5_hp pa.deb Size/MD5 checksum: 232234 5264f07a33b904b0b33a7785c1446d82 http://security.debian.org/pool/updates/main/b/bzip2/libbz2-1.0_1.0.2-1.wood y5_hppa.deb Size/MD5 checksum:41122 e6e29616e1b93cd1c2a17f7df0daa6ec
Re: [SECURITY] [DSA 741-1] New bzip2 packages prevent decompression bomb
On Thursday 07 July 2005 15:17, Christina Miller wrote: Do you know how I can get myself off of this list? Somehow I signed up under my alias, so I can't just send a message from my email account. Use the unsubscribe button on this page after filling in the address you used to subscribe: http://lists.debian.org/debian-security/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 742-1] New cvs packages fix arbitrary code execution
Hallo, Ik ben op vakantie tot 20 juli. Voor support vragen kunt u contact opnemen met onze supportdesk. Voor sales en andere vragen kunt u mailen naar [EMAIL PROTECTED] Met vriendelijke groet, Steve Karnadi Hello, I am on vacation until the 20th of July. You can contact our supportdesk for support questions. Sales questions or other questions can be sent to [EMAIL PROTECTED] Regards, Steve Karnadi -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
