Re: [SECURITY] [DSA 3672-1] irssi security update
also sprach Moritz Muehlenhoff [2016-09-21 22:40 +0200]:
> No, the mailing announcements and the Debian Security Tracker are the
> canonical source of information. The entries on the website are added
> subsequently by the Debian WWW team.

You are listing https://www.debian.org/security/ in the announcement, not
the security tracker though. This is also not addressed in the FAQ. Hence
maybe it'd make sense to add a note to the announcement?

-- 
 .''`.   martin f. krafft @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems

"i am not in favour of long engagements. they give people the opportunity
 of finding out each other's character before marriage, which i think is
 never advisable."
  -- oscar wilde
Re: [SECURITY] [DSA 3672-1] irssi security update
also sprach Salvatore Bonaccorso [2016-09-21 21:53 +0200]:
> -
> Debian Security Advisory DSA-3672-1               secur...@debian.org
> https://www.debian.org/security/                 Salvatore Bonaccorso
> September 21, 2016                https://www.debian.org/security/faq
> -

The DSA is not on the website yet. Maybe it'd be better to wait for web
sync before sending, or force web sync?

-- 
 .''`.   martin f. krafft @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems

"the search for the perfect martini is a fraud. the perfect martini is
 a belt of gin from the bottle; anything else is the decadent trappings
 of civilization."
  -- t. k.
Re: securing server
also sprach Simon Brandmair <[EMAIL PROTECTED]> [2008.05.07.2020 +0100]:
> > no security benefit
> 
> Just wondering: Why not?

http://www.bpfh.net/simes/computing/chroot-break.html

-- 
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

"nothing can cure the soul but the senses, just as nothing can cure
 the senses but the soul."
  -- oscar wilde
Re: securing server
also sprach weakish <[EMAIL PROTECTED]> [2008.05.07.1028 +0100]:
> Use update-rc.d or sysv-rc-conf to disable unwanted daemons

disable by making them all K00 links

> logcheck

hardly a security measure.

> use integrit/aide/tripwire

only useful with read-only media

> You may consider chroot.

no security benefit

> It's a good idea to read through securing debian howto

yes!

-- 
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

"the pure and simple truth is rarely pure and never simple."
  -- oscar wilde
Re: debian.org DNSs allow unrestricted zone transfers
also sprach Giacomo A. Catenazzi <[EMAIL PROTECTED]> [2007.05.15.1646 +0200]:
> the theory: zone transfer of a DNS gives internal information about
> structure and IPs of internal machines.

my theory: that information should be public, or at least if it were,
the network should not be unsafer because of it.

> I think a simple scan could give the same information, and anyway
> the name of debian machines is listed also on the web.

i see no attack vector.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

i've not lost my mind. it's backed up on tape somewhere.
Re: debian.org DNSs allow unrestricted zone transfers
also sprach Abel Martín <[EMAIL PROTECTED]> [2007.05.15.1356 +0200]:
> I thought zone transfers should only be possible between DNSs
> which have records for the same domain, so why are debian.org DNSs
> (raff, rietz, klecker) allowing zone transfers? Maybe I'm
> paranoid, but I think there are security issues related to this,
> including the possibility of suffering DoS attacks (it serves 254
> records). Is there an explanation for this?

Where is the attack vector? I can DoS those servers in other ways too.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

#include
security mirror out of date: 128.101.240.212
FYI:

< weinholt> one of the security.debian.org mirrors is out of date.
            128.101.240.212 has a /debian-security/dists/etch/updates/Release
            file dated 10 May 2007
< madduck> weinholt: please email [EMAIL PROTECTED] and cc [EMAIL PROTECTED]
< madduck> also write a mail to debian-security@lists.debian.org to alert
           people.
< weinholt> i don't really have time for that, unfortunately, i have work
            to do

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

"a woman is like your shadow; follow her, she flies; fly from her, she
 follows."
  -- sébastien-roch-nicolas chamfort
Re: denying mail relay + iptables rule
also sprach Felipe Figueiredo <[EMAIL PROTECTED]> [2007.02.13.1837 +]:
> I am currently using 0.6.1-7 from backports, is this the
> deprecated version you meant?

Yes, but if you go through the trouble of creating the rules, it won't
be very hard to migrate. I can help you then.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

"si tu veux construire un bateau, il ne faut pas réunir des hommes pour
 aller chercher le bois et les outils et les préparer à se répartir les
 différents travaux. Il faut plutôt leur donner l'envie, la passion de
 la mer infinie."
  -- antoine de saint-exupéry
Re: denying mail relay + iptables rule
also sprach Felipe Figueiredo <[EMAIL PROTECTED]> [2007.02.13.1238 +]:
> I would like to take further measures and add the offender's ip to
> a blacklist, in a similar way as fail2ban do to ssh, i.e., block
> access from it temporarily.

You can use fail2ban for this. Once you created the rules, please make
sure to submit a bug. It can't be that hard, but do try to go with
fail2ban from etch, since sarge's configuration is deprecated.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

fighting for peace is like screwing for virginity.
  -- the irish times, washington dc
Re: Allow password auth for one user with sftp?
also sprach Adrian von Bidder <[EMAIL PROTECTED]> [2007.01.11.1855 +0100]:
> Anybody has an idea if and how this is possible? The obvious but
> ugly solution would be to run a second sshd on a different port,
> but I'd rather avoid that.

It'll be possible if and only if SSH differentiates between
authentication and authorisation/session. If it does, you can limit
authentication with PAM via pam_file to one user, knowing that
publickey auth will be handled by sshd. All users, however, need to be
authenticated against the PAM session component.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

never trust an operating system for which you do not have the source.
  -- source unknown
Re: ignored redirects
also sprach Stephen Gran <[EMAIL PROTECTED]> [2006.11.03.1246 +0100]:
> I see them at one installation at work. There, the gateway is
> 10.103.4.3 or something, but some machines have their gateway
> still set to the old router, 10.103.4.1. When packets arrive at
> .1 for an internet site, .1 sends an icmp redirect to tell them to
> use .3 instead, and they do. This is correct behavior by all
> parties. It's some wasted network traffic, and we're cleaning it
> up as we notice it, but it's harmless overall.

Doesn't this also mean that I could plug into this network and send
redirects for 10.103.4.3 to .251 (which is my machine) and snoop in on
traffic that way? ICMP is, after all, datagram-based.

Granted, I could do the same with ARP spoofs anyway, but arpwatch would
detect those. Short of a complete snort install, I doubt people check
ICMP redirects on their networks.

Stephen, could you forward me the relevant log messages from your work
gateway so that I can make sure to properly draft the logcheck filters?

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

NP: Solar Project / Music from Time & Space (Volume 1)
Re: ignored redirects
also sprach Stephen Gran <[EMAIL PROTECTED]> [2006.11.03.1227 +0100]:
> > net.ipv4.conf.all.accept_redirects = 0
> 
> That looks like overkill, see below.

Right, it may not be needed, but it's probably not overkill to disable
a feature, is it? :) I do the above on all my machines.

> No. icmp redirect is only honored when it redirects to another host in
> your subnet. Unless you have a really large subnet, this looks like
> nonsense. The kernel will ignore it if it redirects you outside of your
> subnet.

So is this what these messages are about, and would it look different
if someone tried a valid redirect that would be ignored due to my
configuration? Sorry, I currently only have one functional machine in
my test network. :/

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

NP: Friends of Dean Martinez / Music from Time & Space (Volume 0)
ignored redirects
I saw this in our firewall logs this morning for the first time:

  kernel: Redirect from 84.42.143.87 on wan about 84.42.143.1 ignored.
  kernel: Advised path = 84.72.16.145 -> 62.24.70.39, tos 00

I am aware of ICMP redirects and that they're generally to be ignored,
so I do:

  net.ipv4.conf.all.accept_redirects = 0

Nevertheless, I am curious what's going on. 84.72.16.145 is my own IP,
the other three seem Czech. Was 84.42.143.87 telling me that 84.42.143.1
is really at 62.24.70.39? All three IPs appear to belong to the same
organisation (mistral.cz) as they have the same hostmaster in whois.

Is this legitimate? Is someone trying to redirect me in a cheap hack
attempt? Are people seeing this often? Since the Linux kernel handles
it quite alright, should I have logcheck filter it?

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

NP: vidnaObmana & Bass Communion / Continuum
Re: kernel.panic (was: Re: DD machine mysterious reboot)
also sprach Jim Popovitch <[EMAIL PROTECTED]> [2006.10.30.0142 +0100]:
> > Do you set kernel.panic in /etc/sysctl.conf?
> 
> I'm curious, what does that do?

From proc(5):

  /proc/sys/kernel/panic
    gives read/write access to the kernel variable panic_timeout. If
    this is zero, the kernel will loop on a panic; if non-zero it
    indicates that the kernel should autoreboot after this number of
    seconds. When you use the software watchdog device driver, the
    recommended setting is 60.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

because light travels faster than sound, some people appear to be
intelligent, until you hear them speak.
Re: DD machine mysterious reboot
also sprach Adam C Powell IV <[EMAIL PROTECTED]> [2006.10.29.2308 +0100]:
> I don't have automatic security upgrades on the machine (not sure if
> those trigger a reboot).

I would say no, definitely not.

> I guess I'm wondering: how concerned should I be? Can you think of
> other reasons the machine might have auto-rebooted?

A kernel panic? Do you set kernel.panic in /etc/sysctl.conf?

> happened right after the morning cron exercises; do any common cron jobs
> reboot the machine?

No. Rebooting is for adding new hardware. :)

I would run a memory and harddisk check. Is the kernel still the same as
before? Do you have any means to boot the machine with e.g. Knoppix and
verify md5sums of installed files? Also, check the output from
`last -100` for any unusual logins.

Somehow I doubt that this is something to worry about. If it's x86
hardware, you may just have found out how incredibly crap it is.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

micro$oft windoze: proof that p. t. barnum was correct.
Re: help: duplicate MAC address
also sprach Lestat V <[EMAIL PROTECTED]> [2006.10.18.1115 +0200]:
> Thanx. I am not quite sure about what you mean. However, the HAddress
> as indicated by the "ifconfig -a" is "00:11:2F:57:9B:6F", which is not
> the one as indicated in the ARP cache in other machine.

in that case you may just have a broken machine on the network. Try
removing that one that poisons all the caches.

This is not a security topic, please take it to [EMAIL PROTECTED]

And also, please take a moment to read over
http://www.netmeister.org/news/learn2quote.html and act accordingly.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

NP: Porcupine Tree / Coma Divine (Disc 2)
Re: help: duplicate MAC address
also sprach Lestat V <[EMAIL PROTECTED]> [2006.10.18.0509 +0200]:
> Can it be normal? Or what may be going on my computer and the LAN?

Yes, this can happen. I suggest you use the ifupdown pre-up hook to
change them on each machine.

  iface eth0 inet dhcp
    pre-up ip link set $IFACE address de:ad:be:ef:ba:be

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

NP: Porcupine Tree / Coma Divine (Disc 1)
Re: "su -" and "su" - what is the real difference?
also sprach LeVA <[EMAIL PROTECTED]> [2006.07.28.1533 +0100]:
> So running su with the '-' option is safer than running without it?

In that it bears fewer surprises, yes.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

"in diving to the bottom of pleasure we bring up more gravel than
 pearls."
  -- honoré de balzac
Re: BADSIG verifying s.d.o Release file
also sprach Martin Schulze <[EMAIL PROTECTED]> [2006.06.30.1450 +0200]:
> > W: GPG error: http://security.debian.org stable/updates Release: The
> > following signatures were invalid: BADSIG 010908312D230C5F Debian
> > Archive Automatic Signing Key (2006) <[EMAIL PROTECTED]>
> 
> Could the reason be that the Release.gpg file has a size of zero?
> If so, I've already informed ftpmasters. If not, what's the other
> cause? I don't know.

My file was *not* zero, it was really a BADSIG. Now it seems fixed
though.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

military justice is to justice what military music is to music.
  -- groucho marx
Re: BADSIG verifying s.d.o Release file
also sprach Steve Kemp <[EMAIL PROTECTED]> [2006.06.30.1043 +0200]:
> I think nobody thought of it to be honest, and people started
> to notice just around the time we did.
> 
> (The problem here comes from the new "dak" software being used to
> handle the archive, and this is just a problem that hadn't been
> spotted since we've only just started releasing advisories with it.)

Ok. Thanks for your time and the explanation, Steve.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

"it takes more keystrokes to enter a windows license key than it takes
 to do a complete debian desktop install!"
  -- joey hess
Re: BADSIG verifying s.d.o Release file
also sprach Steve Kemp <[EMAIL PROTECTED]> [2006.06.30.1004 +0200]:
> This is a known issue, relating to some of the infrastructure
> changes. Hopefully it will be resolved shortly.

Thanks Steve. Do you know why this was not publicised beforehand on
debian-security-announce or debian-announce?

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

"lessing was a heretics' heretic"
  -- walter kaufmann
BADSIG verifying s.d.o Release file
I've been seeing this a bunch in the past few weeks. Just making sure
you know about it, and maybe someone knows what's going on:

  W: GPG error: http://security.debian.org stable/updates Release: The
  following signatures were invalid: BADSIG 010908312D230C5F Debian
  Archive Automatic Signing Key (2006) <[EMAIL PROTECTED]>

Cheers,

-- 
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

"if a man treats life artistically, his brain is his heart."
  -- oscar wilde
Re: Command history log for audit trail
also sprach [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2006.06.15.2208 +0200]:
> I need to set up an audit trail for all commands run on machines. I
> know that the auth.log records who logs in and when, and that each
> user's .bash_history has a history of their commands. But is there some
> other way to create a log for all commands run on a system?

apt-cache show acct? Though it really lacks a lot of information.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

plan to be spontaneous tomorrow.
Re: How to prevent daemons from ever being started?
also sprach Uwe Hermann <[EMAIL PROTECTED]> [2006.05.15.1009 -0500]:
> What is "the Debian way" to prevent any daemon from ever starting,
> whether upon reboot, upon upgrade, upon new install etc.

Right now, the best you can do is

>  * /usr/sbin/update-rc.d -f foobar remove
>    to prevent the starting of the daemon upon reboot. However, most
>    often this will have to be done _again_ if the foobar package is
>    upgraded...

and then run

  update-rc.d foobar stop 0 0 1 2 3 4 5 6 .

This will "stop" it on startup, and if the package is upgraded,
update-rc.d will not install new links, because some are already in
place.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

"wer in einem gewissen alter nicht merkt, daß er hauptsächlich von
 idioten umgeben ist, merkt das aus einem gewissen grund nicht."
  -- kurt götz
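
An added example (not from the post above or from the sysv-rc tools): a small POSIX sh check that the procedure just described actually took effect, i.e. that a service has only K (stop) links and no S (start) link left in any rc?.d directory. It runs against a constructed /etc-like tree so it needs no root; pointing the functions at /etc checks a real system. Service names foobar and baz are the post's and a made-up one.

```shell
#!/bin/sh
# Added example: verify that a SysV service has been neutralised as
# described above. "update-rc.d foobar stop 0 0 1 2 3 4 5 6 ." leaves a
# K00foobar link in every runlevel and no S link anywhere, which is what
# keeps it from starting and keeps update-rc.d from re-adding links on
# upgrade. The tree built by make_demo_tree is constructed for this demo.

# service_start_links ROOT NAME: print every S??NAME link below ROOT/rc?.d.
service_start_links() {
    sl_root=$1
    sl_name=$2
    for sl_dir in "$sl_root"/rc[0-6S].d; do
        [ -d "$sl_dir" ] || continue
        for sl_link in "$sl_dir"/S[0-9][0-9]"$sl_name"; do
            # a dangling symlink fails -e but still counts, hence -L as well
            [ -e "$sl_link" ] || [ -L "$sl_link" ] || continue
            printf '%s\n' "$sl_link"
        done
    done
}

# service_disabled ROOT NAME: exit 0 when no start link exists at all.
service_disabled() {
    [ -z "$(service_start_links "$1" "$2")" ]
}

# make_demo_tree: constructed tree. "foobar" has been treated as in the
# post (K00 link in runlevels 0-6); "baz" is an ordinary enabled service
# with S20 links in 2-5 and K20 links in 0, 1 and 6.
make_demo_tree() {
    mt_root=$(mktemp -d)
    mkdir -p "$mt_root/init.d"
    for mt_rl in 0 1 2 3 4 5 6; do
        mkdir -p "$mt_root/rc$mt_rl.d"
        ln -s ../init.d/foobar "$mt_root/rc$mt_rl.d/K00foobar"
    done
    for mt_rl in 2 3 4 5; do
        ln -s ../init.d/baz "$mt_root/rc$mt_rl.d/S20baz"
    done
    for mt_rl in 0 1 6; do
        ln -s ../init.d/baz "$mt_root/rc$mt_rl.d/K20baz"
    done
    printf '%s\n' "$mt_root"
}

# report ROOT NAME...: one line per service, for a stand-alone run.
report() {
    rp_root=$1
    shift
    for rp_svc in "$@"; do
        if service_disabled "$rp_root" "$rp_svc"; then
            printf '%s: disabled (no S links in any runlevel)\n' "$rp_svc"
        else
            printf '%s: WILL START via %s\n' "$rp_svc" \
                "$(service_start_links "$rp_root" "$rp_svc" | tr '\n' ' ')"
        fi
    done
}

DEMO_ROOT=$(make_demo_tree)
report "$DEMO_ROOT" foobar baz
```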
Re: masking out invalid root logins with logcheck?
also sprach Emanuele Rocca <[EMAIL PROTECTED]> [2006.05.08.2106 +0200]:
> For instance, a co-worker which temporary allows remote root
> logins, god knows why. I'd be sad of my choice of filtering out
> root login attempts in that case.

I'd have such a co-worker immediately shot. :)

But yes, you are right. To be on the safe side, I added a comment to
sshd_config.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

"nothing can cure the soul but the senses, just as nothing can cure
 the senses but the soul."
  -- oscar wilde
Re: masking out invalid root logins with logcheck?
also sprach Jeff Coppock <[EMAIL PROTECTED]> [2006.05.07.1836 +0200]:
> I came up against the same issue some time ago and decided to move my sshd to
> a non-standard port. This dramatically reduced the number of log entries,
> and I see hardly any login attempts logged. I also updated my snort rules
> with the new port. This works for me. I'm also considering setting up a
> specific iptables rule to log the ssh hits separately, but there aren't
> enough to bother with that so far.

This can work in small-scale scenarios, but not in large-scale ones with
a number of different clients. I do not want to go down this path;
instead, I prefer to enforce a strong password policy.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

linux: because a pc is a terrible thing to waste
Re: masking out invalid root logins with logcheck?
also sprach Michael Stone <[EMAIL PROTECTED]> [2006.05.07.1606 +0200]:
> >machines. On all these machines, sshd root login is restricted to
> >password-less login (RSA/DSA keys), so brute force attacks are never
> >going to succeed.
> 
> Probably what you want to highlight, then, is a *successful* login.

Sure, those get logged anyway, as cracking attempts, because our policy
is never to log in as root. However, we leave without-password in there
and keep a separate root DSA key, just in case.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

"i am not in favor of long engagements. they give people the opportunity
 of finding out each other's character before marriage, which i think is
 never advisable."
  -- oscar wilde
Re: masking out invalid root logins with logcheck?
also sprach paddy <[EMAIL PROTECTED]> [2006.05.07.1159 +0200]:
> IMHO logcheck is not so much a way of monitoring and analysing
> what's going on on your systems as a way of filtering out what you
> already have better covered by other systems.

This is a nice way of putting it. Thanks for your feedback.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

obviously i was either onto something, or on something.
  -- larry wall on the creation of perl
Re: masking out invalid root logins with logcheck?
also sprach Stefano Salvi <[EMAIL PROTECTED]> [2006.05.07.0926 +0200]:
> Unfortunately Fail2Ban doesn't block the attackers on this attack, as
> the Log line doesn't contain the IP of the attacker (the IP is only
> listed if the login doesn't exist).

Sure it blocks it. That would be a pretty bad bug if it didn't. At least
version 0.6.1 does.

> However, having the attempted attack listed in LogCheck mails
> doesn't block it... I also ask is there any use however in having
> it listed?

Not really. My theory is that I don't need to know when someone tries
a password login for the root account, since password logins are not
possible anyway.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

"when zarathustra was alone... he said to his heart: 'could it be
 possible! this old saint in the forest hath not yet heard of it, that
 god is dead!'"
  - friedrich nietzsche
masking out invalid root logins with logcheck?
I use logcheck on almost all machines. With the increased SSH brute
force attacks of the last 2-3 years, I am now at a point where almost
95% of all logcheck messages are login attempts as root to my machines.
On all these machines, sshd root login is restricted to password-less
login (RSA/DSA keys), so brute force attacks are never going to succeed.

Thus, I am considering to mask out entries of the following sort with
logcheck:

  sshd[5998]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=160.29.165.133 user=root
  sshd[5998]: Failed password for root from 160.29.165.133 port 47130 ssh2

but somehow am not comfortable to just do it, which is why I am asking
for opinions, advice, and feedback from you guys. Would you be able to
think of reasons why I would *not* want to do that? I don't really care
about being informed that my servers are being brute-forced, which is
what fail2ban takes care of anyway...

Cheers,

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

"... and so he killed Miguel in a rit of fealous jage."
  -- inspector clouseau
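
An added example, not from this thread or from the logcheck package, covering the masking asked about here together with Michael Stone's point further up that a *successful* root login is the event worth keeping: two logcheck-style ignore regexes for the sshd lines quoted above, applied with the same "grep -E -v -f" that logcheck uses, to constructed sample lines. The file name ignore.d.server/local-sshd-root is hypothetical; 192.0.2.10 and 198.51.100.7 are documentation addresses.

```shell
#!/bin/sh
# Added example: a logcheck-style ignore file for the two sshd lines quoted
# in the post, tried against constructed log lines before it is installed.
# logcheck drops every line that matches one of the extended regexes in
# /etc/logcheck/ignore.d.server/*; these two would live in a hypothetical
# /etc/logcheck/ignore.d.server/local-sshd-root.

# One pattern per line, in logcheck's usual form: anchored at the syslog
# timestamp and hostname, then sshd[pid]. Only *root* failures are masked;
# "Accepted ..." lines and failures for other users are left through.
IGNORE_PATTERNS='^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^ ]+ +user=root$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed password for root from [[:xdigit:].:]+ port [[:digit:]]+ ssh2$'

IGNORE_FILE=$(mktemp)
printf '%s\n' "$IGNORE_PATTERNS" > "$IGNORE_FILE"

# Constructed sample log: the two lines from the post with a syslog prefix
# added, one failure for a non-existent user (the kind fail2ban acts on,
# as noted later in the thread) and two successful root logins.
LOG_SAMPLE='May  7 03:12:01 alpha sshd[5998]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=160.29.165.133  user=root
May  7 03:12:03 alpha sshd[5998]: Failed password for root from 160.29.165.133 port 47130 ssh2
May  7 03:12:09 alpha sshd[6002]: Failed password for invalid user admin from 160.29.165.133 port 47131 ssh2
May  7 03:14:40 alpha sshd[6010]: Accepted publickey for root from 192.0.2.10 port 51022 ssh2
May  7 03:15:02 alpha sshd[6011]: Accepted password for root from 198.51.100.7 port 40022 ssh2'

# logcheck_filter: stdin -> stdout minus every line matching an ignore
# pattern, i.e. what would still end up in the logcheck mail.
logcheck_filter() {
    grep -E -v -f "$IGNORE_FILE"
}

# kept_count: number of sample lines that survive the masking.
kept_count() {
    printf '%s\n' "$LOG_SAMPLE" | logcheck_filter | wc -l | tr -d ' '
}

# root_failures_kept: root password failures that slipped through (want 0).
root_failures_kept() {
    printf '%s\n' "$LOG_SAMPLE" | logcheck_filter \
        | grep -c -E 'Failed password for root |user=root$' || true
}

# root_logins_kept: successful root logins still reported (want all of
# them). An "Accepted password for root" in particular contradicts the
# without-password policy described in the thread and must never be masked.
root_logins_kept() {
    printf '%s\n' "$LOG_SAMPLE" | logcheck_filter \
        | grep -c -E 'Accepted (publickey|password) for root ' || true
}

# Stand-alone run: show what the admin would still be mailed.
printf '%s\n' "$LOG_SAMPLE" | logcheck_filter
```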
fail2ban [was: howto block ssh brute-force]
also sprach johannes weiß <[EMAIL PROTECTED]> [2006.03.13.1132 +0100]:
> I use fail2ban and I'm very happy with it.

Am I correct in assuming that it simply adds rules like

  -A fail2ban_chain -s 1.2.3.4/32 -j DROP

to iptables whenever 1.2.3.4/32 has too many login failures? Does it
expire entries?

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!

"we are ready for any unforeseen event that may or may not occur."
  - george w. bush
Re: umn.edu security.d.o host unreachable
also sprach Martin Schulze <[EMAIL PROTECTED]> [2006.03.13.1114 +0100]:
> > Hi, it seems 128.101.240.212, one of the two remaining security
> > mirrors, is unreachable. Other mirrors (non-Debian, like
> > 128.101.240.209 and 128.101.240.210, which seem to be right "next
> > door") are reachable.
> 
> The host is not reachable.

Good to see you're on top of the issue.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!

"it usually takes more than three weeks to prepare a good impromptu
 speech."
  -- mark twain
umn.edu security.d.o host unreachable
Hi, it seems 128.101.240.212, one of the two remaining security
mirrors, is unreachable. Other mirrors (non-Debian, like
128.101.240.209 and 128.101.240.210, which seem to be right "next
door") are reachable.

It would be great to get a status update from the administration team.

Thanks,

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!

"america may be unique in being a country which has leapt from
 barbarism to decadence without touching civilization."
  -- john o'hara
Re: howto block ssh brute-force
also sprach Michael Loftis <[EMAIL PROTECTED]> [2006.03.12.2301 +0100]:
> Yes you can make arbitrarily deep jumps/chains, but any single
> list is still processed sequentially. One could probably
> implement scripting to produce a sort of binary tree on
> hashes/jumps to chains. Fact is it does not do long lists well at
> all because they are processed sequentially, unless this has
> changed for 2.6.

it has not. which other firewall software uses binary trees?

> I'd love to see a Linux box capable of 4Gbps throughput but
> somehow I really doubt this as being possible without a LOT more
> work, and some pretty trick hardware.

I have set up a bunch of boxes filtering 10Gbps links. On one, there is
a continuous >3.2 Gb. Mean is below 4 Gbps, but they have never
faltered. however, my rulesets hardly exceed 20-30 lines except for the
various subchains which handle special cases.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!

"the vast majority of our imports come from outside the country."
  - george w. bush
Re: howto block ssh brute-force
also sprach Michael Loftis <[EMAIL PROTECTED]> [2006.03.12.1159 +0100]:
> The only thing I can say is be *VERY* careful on a busy Linux box.
> iptables sucks. It's sequential, meaning every entry in a list has to be
> processed.

This is not the case. You can branch iptables rulesets to arbitrary complexity. In fact, I often wanted Firewall-1 to have a similar feature. Firewall-1 scales pretty damn well (4 Gbps throughput, stateful), but in my experience, iptables can handle way more.
Re: howto block ssh brute-force
also sprach Felipe Figueiredo <[EMAIL PROTECTED]> [2006.03.12.0850 +0100]:
> Maybe there is a way to temporarily block ips upon such attempts (is
> this a FAQ?), or maybe divert them like what portsentry does for
> portscans?

http://kindergarten.madduck.net/configs/iptables

But there's a problem with the iptables module.
Re: howto block ssh brute-force
also sprach TiB <[EMAIL PROTECTED]> [2006.03.12.0927 +0100]:
> I'm using to limit access from each address to 3 connections per
> minute. It's easy to set up and works fine using iptables ipt_recent
> module.

Be careful: http://lists.debian.org/debian-firewall/2006/03/msg00017.html
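The two technical points in this thread, that iptables need not walk one long sequential list because a ruleset can dispatch into subchains (the exchange with Michael Loftis above), and TiB's per-address limit of three new SSH connections per minute with ipt_recent, in one script. This is an added example written for this page; it is not madduck's published config and not code from any poster. The chain names (BLOCKLIST, BL_<octet>), the recent list name sshbf and the blocklist addresses (documentation ranges, constructed) are my choices. The script only prints an iptables-restore ruleset, so it can be read, or piped into `iptables-restore -n` as root, without touching a live firewall:

```shell
#!/bin/sh
# Added example: emits an iptables-restore ruleset as text. Nothing here
# loads rules into the kernel; run "sh this.sh | iptables-restore -n" for that.

# Constructed sample blocklist (documentation/private ranges, not real attackers).
BLOCKLIST="10.0.0.5 10.7.7.7 192.0.2.10 198.51.100.23 203.0.113.9"

# Distinct first octets of the addresses in $1, sorted numerically.
first_octets() {
  for ip in $1; do echo "${ip%%.*}"; done | sort -n -u
}

# Chain declarations: one dispatch chain plus one subchain per first octet.
# iptables-restore wants all chains declared before the rules that use them.
blocklist_chains() {
  echo ":BLOCKLIST - [0:0]"
  for o in $(first_octets "$1"); do echo ":BL_$o - [0:0]"; done
}

# Rules: BLOCKLIST jumps into BL_<octet> by /8, so a packet traverses at
# most (#octets + #entries in its own /8) rules instead of every entry.
# The same idea nests further (second octet, /16) for very long lists.
blocklist_rules() {
  for o in $(first_octets "$1"); do
    echo "-A BLOCKLIST -s $o.0.0.0/8 -j BL_$o"
  done
  for ip in $1; do
    echo "-A BL_${ip%%.*} -s $ip/32 -j DROP"
  done
}

# Per-source rate limit for new SSH connections with ipt_recent: every NEW
# connection is recorded under the list "sshbf"; the 4th one from the same
# address within 60 s is dropped, i.e. 3 per minute get through.
ssh_ratelimit_rules() {
  echo "-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name sshbf --set"
  echo "-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name sshbf --update --seconds 60 --hitcount 4 -j DROP"
}

# Complete filter-table block in iptables-restore format.
ruleset() {
  echo "*filter"
  echo ":INPUT ACCEPT [0:0]"
  echo ":FORWARD ACCEPT [0:0]"
  echo ":OUTPUT ACCEPT [0:0]"
  blocklist_chains "$BLOCKLIST"
  echo "-A INPUT -j BLOCKLIST"
  blocklist_rules "$BLOCKLIST"
  ssh_ratelimit_rules
  echo "COMMIT"
}

ruleset
```

The thread itself links to a warning about the ipt_recent module without repeating the details here, so the rate-limit rules should be read with that caveat in mind; the chain dispatch part depends on nothing but plain jumps.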
Re: tartini (one of the security mirrors) unreliable
also sprach Martin Schulze <[EMAIL PROTECTED]> [2006.03.10.1541 +0100]:
> I've finally removed tartini from the security round robin.

Thanks! I assume wiggy is in charge to solve the problem with tartini?
Re: first A record of security.debian.org extremely slow
also sprach Michelle Konzack <[EMAIL PROTECTED]> [2006.02.28.1824 +0100]:
> I can not use rsync because I have a different directory structure AND
> I do not want to kill one of the security mirrors of debian, how often
> should I poll the Packages.gz/Sources.gz for changes daily?

Once.
Re: first A record of security.debian.org extremely slow
also sprach Michael Stone <[EMAIL PROTECTED]> [2006.03.02.2032 +0100]:
> The explanation is far simpler--debian *does* have mirrors of
> security.debian.org. At the moment I see three hosts in the rotation.

Yeah, push, not pull mirrors.
Re: first A record of security.debian.org extremely slow
also sprach Florian Weimer <[EMAIL PROTECTED]> [2006.03.02.2006 +0100]:
> By default, package authenticity is not validated in sarge and
> earlier releases. From a security POV, it's better to download
> those updates from a limited set of well-maintained servers. It
> reduces the attack surface somewhat.

Sure it does. But it cannot be the reason why there are no officially-endorsed mirrors -- I'd just upload my trojans to sarge's archive with a higher version number then.

http://www.debian.org/security/faq#mirror
Re: first A record of security.debian.org extremely slow
also sprach Florian Weimer <[EMAIL PROTECTED]> [2006.03.01.2255 +0100]:
> > You are not really supposed to use those as they are pulled once
> > daily only, and security is a time-critical domain where sometimes
> > it's very important to have updates without any delays.
>
> One day more or less doesn't really matter. So far, Debian security
> updates predated widespread (semi-)automated exploits by weeks.

Why then do you think security.d.o is not mirrored by Debian?
Re: db.debian.org certificate
also sprach Noèl Köthe <[EMAIL PROTECTED]> [2006.02.28.2224 +0100]:
> the https db.debian.org certificate is expired on 2006-01-30.

#354747
Re: first A record of security.debian.org extremely slow
also sprach Michelle Konzack <[EMAIL PROTECTED]> [2006.02.25.2036 +0100]:
> debian-security is already mirrored by some servers including
>
> <ftp://ftp.de.debian.org/debian-security/>

You are not really supposed to use those as they are pulled once daily only, and security is a time-critical domain where sometimes it's very important to have updates without any delays.
Re: first A record of security.debian.org extremely slow
also sprach Brett Parker <[EMAIL PROTECTED]> [2006.02.21.1023 +0100]:
> *blink* - erm, just out of interest, how does this help? This is just
> going to stop packets from going to that IP, it's not going to stop
> things resolving to that IP, so instead of getting a slow connection
> you're just going to get a connection refused...

... at which point APT will try the next record IIRC. I hope I am not misremembering this...

> seems like an odd way of doing things - maybe it would be better
> to use a local caching nameserver that you can configure to filter
> out that IP when there is more than one A record available
> instead? (I can't think of a simple way of doing that off the top
> of my head, though)

It also bears the risk of hardcoding and forgetting, or missing an update.
Re: first A record of security.debian.org extremely slow
also sprach Michal Sabala <[EMAIL PROTECTED]> [2006.02.20.2328 +0100]:
> host -t a security.debian.org
> security.debian.org has address 82.94.249.158 <- slow

Please see http://lists.debian.org/debian-security/2006/02/msg00041.html

> Editing /etc/hosts to contain:
> 128.101.80.133 security.debian.org
>
> solves the problem. Our network is working properly BTW.

Please do not do this. A better fix is to REJECT 82.94.249.158/32 with iptables:

  iptables -I OUTPUT -d 82.94.249.158/32 -j REJECT

(amend as needed). This leaves a round-robin of two servers rather than everyone banging on 128.101.80.133 (or the other one).

> Can somebody please take a look at 82.94.249.158 host/net please, please,
> please?

FWIW, this is not the list for such requests. [EMAIL PROTECTED] are responsible for that.

> I'm considering starting to mirror security. I don't see a reason
> why security repository shouldn't be mirrored, while in reality
> tampering with packages on _any_ repository has the same outcome.

This has been discussed at length. Basically it's less to do with tampering than with timeliness.

> Mike (not on the mailing list, please Cc).

Please set your Mail-Followup-Header correctly.

Cheers,
tartini (one of the security mirrors) unreliable
Hi all,

tartini.debian.org, one of the three servers providing security.debian.org, seems to have intermittent problems:

  Get:1 http://security.debian.org sarge/updates/main Packages [189kB]
  Err http://security.debian.org sarge/updates/main Packages
    Connection timed out [IP: 82.94.249.158 80]

This isn't the first time I am seeing this. The host does recover after a short time, but the problem keeps coming back. I doubt the problem is on my end, this is from a rack machine with a triple-redundant connection directly onto Berlin's Level3 backbone and I see no other problems.

Maybe the administrators would be so kind as to investigate the issue and send an update when it's resolved?
Re: getting to www servers from inside where they have an Internal IP
also sprach Yves Junqueira <[EMAIL PROTECTED]> [2006.02.01.1712 +0100]:
> Bind9 implements "views". It can provide different resolutions to
> the same domain for different networks/hosts. "bind9 view" is the
> way to go, I guess.

Most nameservers do, but yes, this is what I meant. This, or a second nameserver.
Re: getting to www servers from inside where they have an Internal IP
This is hardly a topic for debian-security but anyway...

also sprach hanasaki <[EMAIL PROTECTED]> [2006.01.29.1945 +0100]:
> What iptable rule can be put on the firewall so that internal port 80
> traffic going to the external NIC on port 80 comes back to the internal
> webserver on port ?

None that I know. I suggest using a second nameserver to resolve the A record to the internal IP.
Re: Security implications of allowing init to re-exec from another path
also sprach Noah Meyerhans <[EMAIL PROTECTED]> [2006.01.04.1829 +0100]:
> Yes, but we've already established through years of experience that,
> once an attacker has root access, all bets are off.

Of course. It's not like the attacker couldn't just replace /sbin/init anyway.
Re: Security implications of allowing init to re-exec from another path
also sprach Thomas Hood <[EMAIL PROTECTED]> [2006.01.04.1619 +0100]:
> Nevertheless the sysvinit maintainers thought it would be a good
> idea to ask here whether anyone sees any security problems arising
> from this feature.

... sounds like a nice way to infest a system with a trojan, in addition to kernel modules and other Linux maladies. That is, if the attacker gets root...
anonftpsync (was: security archive defective!?)
also sprach Andreas Barth <[EMAIL PROTECTED]> [2005.09.01.0858 +0200]:
> I strongly recommend to use anonftpsync for mirroring any of the debian
> archives

What's the advantage over debmirror?
Re: Bad press again...
also sprach Florian Weimer <[EMAIL PROTECTED]> [2005.08.29.2013 +0200]:
> > 2) I bring the Debian Security Team under delegation[2].
>
> Martin Michlmayr has made the security team a delegate by this
> message:
>
> <http://lists.debian.org/debian-devel-announce/2003/05/msg5.html>
>
> Have you withdrawn this delegation in the meantime? AIUI, DPL
> elections don't rollback the whole organizational framework.

Uh, where does it say that the security team is now delegated? It says mdz was promoted, nothing more or less. Sure, the subject says "delegations", but that doesn't mean that anything therein is a delegation. Looks more like tbm actually wanted to write a different message and forgot to change the subject afterwards. :)
Re: Bad press again...
also sprach Branden Robinson / Debian Project Leader <[EMAIL PROTECTED]> [2005.08.29.1846 +0200]:
> As far as I know, the stable/oldstable security team was never (recently)
> down to Joey S. alone. Mike Stone and Steve Kemp have been active members
> for some time (Steve was, as I understand it, promoted from secretary to
> full member within the past couple of months).

Can you officially confirm this, or can somebody? [0] still lists him as a secretary, and that's what he said to me when we last talked since debconf.

0. http://www.debian.org/intro/organization
Re: Bad press again...
also sprach Alvin Oga <[EMAIL PROTECTED]> [2005.08.28.1328 +0200]:
> nah ... they're doing fine .. to the extent is needed ??
> if it's important... they will post dsa ??

Where have you been?

> what i think is needed is an automated script that checks
> debian against known exploits or a way to verify that
> the exploits/vulnerability does not affect debian

This has been done.

http://spohr.debian.org/~joeyh/stable-security.html
http://spohr.debian.org/~joeyh/testing-security.html

That doesn't mean the stable security team uses this information. From what I know, Joey prefers editing text files and expects others to do the same.
Re: Bad press again...
also sprach Florian Weimer <[EMAIL PROTECTED]> [2005.08.28.1154 +0200]:
> Or are there many packages with backported security patches, ready
> for upload, and the security team does not act on them? I don't
> think so.

This was the case throughout June.

> Maybe that's because it was a non-issue which didn't affect anyone? 8-)

Maybe this s.d.o downtime was, as it appears to have lasted very shortly anyway. However, in June/July, it was the same scenario... our users found out from the media about lack of security support, not from us.
Re: Bad press again...
also sprach Petter Reinholdtsen <[EMAIL PROTECTED]> [2005.08.28.0025 +0200]:
> In short, I see no downsides to helping out the testing security team
> while we at the same time try to address the issues with stable
> security work.

I was not trying to suggest so. The testing security team is a true asset and a keystone in the future of Debian security.
Re: Bad press again...
also sprach Petter Reinholdtsen <[EMAIL PROTECTED]> [2005.08.27.2255 +0200]:
> I've been told that the current stable security team consists of one
> person doing the work, Martin Schulze. If this "team" does not want new
> members, something strange is afoot.

At least one other member is working actively. However, uploads and announcements still have to go through Joey, and from what I learnt, the workflow processes in the team are archaic yet Joey doesn't want to divert from them.

Note: this is all hearsay and may well be wrong. I'd love for Joey to step in and give us the complete picture.

> And prospective security team members should start working in the
> testing security team. There is no need to keep secrets (all is done
> in public),

Which doesn't address the problem that embargoed bugs are possibly handled suboptimally in Debian. And it does not address the problem that our security infrastructure went down for a while and we found out about it from a German news magazine.
Re: Bad press again...
also sprach Florian Weimer <[EMAIL PROTECTED]> [2005.08.27.1107 +0200]:
> > Do we have a security team for stable? I know, that we have a
> > security team for testing consisting of nine DDs and ten
> > non-DDs, but it seems to me, that stable is handled by Joey
> > alone. Has this changed since the havoc a few months ago?
>
> I don't think so. Joey seems to be satisfied with this situation,

How would you know? And I don't think the question is whether Joey is satisfied, it's more whether our users are satisfied, and that includes all of us.

> and apart from unanswered email messages to <[EMAIL PROTECTED]>,
> there are few complaints, AFAIK.

That's because complaints don't actually have any result, so I, for instance, have stopped. I've pointed to severe problems with Debian stable security several times before and usually got around 30 private messages a day thanking me for raising these issues and for staying on track. I don't think Joey found it necessary just a single time to articulate a position on the issue of e.g. the three week outage in the security team throughout June. The final announcement that was sent was not authored by Joey, but by other DDs who were similarly concerned.

Now we've had another issue of problems with s.d.o, but we had to learn about them from Heise.

Following the debate around LinuxTag, Branden put a trusted and very active and skilled developer on the task to research the security problems. Unfortunately, he has not been able to get far with this job yet, probably due to numerous reasons. If Branden reads this (and he should as it's CC'd), I hope he does something about the situation, not by putting pressure on the researcher, but by actually causing some change.

> The email part is very unfortunate indeed, but it probably doesn't
> warrant drastic measures.

Not if we want Debian to become known as an amateur club and lose value among professionals.

And yeah, clients switching to Solaris may tell something about their understanding of security... but then isn't it all the more important for Debian to get it right and help protect those that don't know better?
Re: Bad press again...
also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2005.08.27.2019 +0200]:
> Show how much they know about Solaris security. Still, why don't you drop
> by IRC and try to talk to Branden and Joey?

Branden is offline, and Joey can't be bothered to talk about this stuff with me, it seems. He's never replied to mails or pings from me about this stuff.
Re: Bad press again...
also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2005.08.27.1720 +0200]:
> Huh? They probably do, for all I know. Whether they have people
> they trust for the job right now is something else, though. We
> can probably expect

It's hard to tell for the requirements are not publicly available. This means that it's impossible for anyone to actually work towards the goal of helping the stable security team.

> that some people will be promoted from the testing security team
> to the stable one in a reasonable timeframe (some months) without
> much fuss.

Some months is not a reasonable time frame for something like security; every additional day hurts the project reputation severely, at least here in Germany and Switzerland. I have clients (one of which is a major German bank) voicing their concerns and considering switching away from Debian to Solaris because of the security fiascos.
Re: Bad press again...
also sprach Florian Weimer <[EMAIL PROTECTED]> [2005.08.27.1648 +0200]:
> Correct me if I'm wrong, but the current team doesn't seem to want
> new members. If you nevertheless force new members upon them, you
> are in fact looking for a complete replacement. This is what
> I call "drastic".

When a bottleneck arises, you either widen the neck or remove that which clogs the passage. Neither is more drastic than the other for they are not alternatives; each is a solution to its own set of problems, and if the current team blocks new members and yet does not meet the general expectations of our users, it's essentially more of a clog than a bottleneck.
Re: Bad press again...
also sprach Rudolf Lohner <[EMAIL PROTECTED]> [2005.08.27.1651 +0200]:
> This scenario could be avoided if s.d.o would authenticate itself.
> Is authentication of the server something which has been considered
> with secure apt?

I've suggested this before but never had the time to implement it. Patches are welcome. :)

Of course you'll have to add SSL support to security.debian.org as well, which may be the actual show stopper.

FWIW, Florian sent me this interesting link: http://www.cs.berkeley.edu/~nweaver/0wn2.html
Re: Bad press again...
also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2005.08.27.1540 +0200]:
> > security.debian.org already is a Single Point of Ownership. I don't
> > think we need multiple ones, so this is definitely a post-etch thing.
>
> Irrelevant if secure apt is deployed correctly.

No. Imagine exim gets a root exploit and I spoof the DNS to some mirror of s.d.o. That mirror will be consistent wrt secure APT, but it won't get updates, so admins who don't follow DSAs and run apt-get upgrade consciously and carefully are going to be left in the naive belief that they are safe because s.d.o doesn't have any new stuff.
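The failure mode madduck describes, a mirror whose contents still verify under secure APT but which has quietly stopped receiving updates, is visible in the Release file itself: signatures say who signed, the Date: field says when. The following is an added example for this page, not apt's own code and not from any poster. It checks a Release file's age against a maximum and, when a Valid-Until: field is present (a field later apt versions honour; assumed here, it was not part of the sarge-era format), that it has not passed. GNU date -d is assumed; the Release fragments and their field values are constructed:

```shell
#!/bin/sh
# Added example: detect a signed-but-stale apt Release file.
# Assumes GNU date (for "date -d"). Nothing is downloaded; the Release
# text is passed in as a string so the check can be read and run offline.

# Constructed sample, not taken from any real mirror.
SAMPLE_RELEASE='Origin: Debian
Label: Debian-Security
Suite: stable
Codename: sarge
Date: Sat, 20 Aug 2005 12:00:00 UTC
Architectures: i386
Components: main
Description: Debian security updates'

# Same sample with a Valid-Until field (assumed; a later apt addition).
SAMPLE_RELEASE_VU="$SAMPLE_RELEASE
Valid-Until: Sat, 27 Aug 2005 12:00:00 UTC"

# First value of field $1 in Release text $2, empty if absent.
release_field() {
  printf '%s\n' "$2" | sed -n "s/^$1: //p" | head -n 1
}

# Epoch seconds of an RFC 2822 date as found in Release files (GNU date).
to_epoch() {
  date -u -d "$1" +%s
}

# Age in seconds of Release text $1 relative to "now" $2 (epoch seconds).
# Fails (status 2) when the Date field is missing.
release_age() {
  d=$(release_field Date "$1")
  [ -n "$d" ] || { echo "Release has no Date field" >&2; return 2; }
  echo $(( $2 - $(to_epoch "$d") ))
}

# Prints "fresh" or "stale" for Release text $1 at time $2, with $3 the
# maximum acceptable age in seconds. A mirror that verifies under secure
# APT but has stopped syncing fails this check even though every signature
# on it is valid; a Valid-Until in the past fails it regardless of age.
check_release() {
  age=$(release_age "$1" "$2") || return 2
  if [ "$age" -gt "$3" ]; then
    echo stale; return 1
  fi
  vu=$(release_field Valid-Until "$1")
  if [ -n "$vu" ] && [ "$2" -gt "$(to_epoch "$vu")" ]; then
    echo stale; return 1
  fi
  echo fresh
}

# Stand-alone run: judge the sample against the wall clock with a two-day
# limit (it is long past 2005, so this prints "stale").
check_release "$SAMPLE_RELEASE" "$(date -u +%s)" $((2 * 86400)) || true
```

The maximum age is a local policy choice: for a source that is updated without delay, as security.debian.org is meant to be, a few days is enough to notice that a spoofed or stuck mirror is feeding you yesterday's archive, which is exactly the case where a valid signature gives false comfort.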
Re: Bad press again...
also sprach martin f krafft <[EMAIL PROTECTED]> [2005.08.26.1907 +0200]:
> security.debian.org is not a server, it's a DNS A record. It's
> a whole lot easier to point that elsewhere in case of problems than
> expecting users to make sense of the errors they get when some
> servers can't be reached.

Ah, but this will of course fail for all those stuck on the network of T-Online and similarly incompetent ISPs, who can't run proper DNS resolver caches.

One way we could do this is by providing multiple A records for s.d.o and hacking APT so that when it receives multiple A records for a DNS name, it tries them in turn and only reports an error when all of them failed.
Re: Bad press again...
also sprach tomasz abramowicz <[EMAIL PROTECTED]> [2005.08.26.1836 +0200]: > why arent all redundant security servers included in the sources.list, > or why doesnt it ask at install time to include all backup security servers? > as well as security.debian.org? security.debian.org is not a server, it's a DNS A record. It's a whole lot easier to point that elsewhere in case of problems than expecting users to make sense of the errors they get when some servers can't be reached. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver! women can keep a secret just as well as men, but it takes more of them to do it. signature.asc Description: Digital signature (GPG/PGP)
Re: Bad press again...
also sprach Luis M <[EMAIL PROTECTED]> [2005.08.26.1750 +0200]: > perhaps instead of security2.d.o securityN.d.o it should be done like > the ftp aliases: > > security.us.d.o (or better by location like: security.us.ny.d.o) > security.de.d.o, etc... No matter what they are called, it should be possible to switch the security.d.o A record to another IP and have things work within minutes. I continue to be in favour of having *only* security.debian.org as the canonical security source. But add fail-over redundancy! -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver! "a profession is a bulwark behind which one may permissibly retreat when doubts and worries of a general kind assail one." - friedrich nietzsche signature.asc Description: Digital signature (GPG/PGP)
Re: Bad press again...
also sprach Timo Veith <[EMAIL PROTECTED]> [2005.08.26.1726 +0200]: > >either case can be solved by: security1.debian.org in LA > >and security2.debian.org in NYC and security3.debian.org in berlin :-) > > Reading Package Lists... Done > Building Dependency Tree > Reading extended state information > Initializing package states... Done > Err http://security3.debian.org sarge/updates/main Packages > Could not resolve 'security3.debian.org' I think Alvin was alluding to how it *should* be solved. As in: we should have more than one security server, globally spaced. Heck, we *should* have a responsive and communicative security team. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver! "the good thing about standards is that there are so many to choose from." -- andrew s. tanenbaum signature.asc Description: Digital signature (GPG/PGP)
Re: Please announce current lack of security support
also sprach Vincent Bernat <[EMAIL PROTECTED]> [2005.07.27.0805 +0200]: > security-announce seems unavailable too. How so? lists.debian.org is up and a message sent and signed by the security team to -security-announce should show up. Or am I missing something? -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver! if voting could really change things, it would be illegal. -- revolution books, new york signature.asc Description: Digital signature
Please announce current lack of security support
I just stumbled over [0]. At the moment, Debian is without security support because two of the most important machines of the Debian infrastructure are being relocated. 0. http://www.infodrom.org/~joey/log/?200507260932 It was unexpected that this move would have an impact on security support, but so be it. Errors like this happen, especially in volunteer projects, and under the circumstances Joey describes. However, I feel that our users should be told about the problem, and not just through Joey's blog entry. Thus, can I please urge the security team to release an appropriate announcement ASAP to alert our users of the current lack of security support? -- .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! after you install windows xp, you have the option to create user accounts. if you create user accounts, by default, they will have an account type of administrator with no password. way to go! signature.asc Description: Digital signature
Re: Debian Security Support in Place
also sprach Sven 'Rae the Git' Grounsell <[EMAIL PROTECTED]> [2005.07.09.1851 +0200]: > Also, you are IMHO ignoring, that Debian is one of the _very_ few > distros, that provides _seamless_ upgrades between even major > releases. No matter how seamless, dist-upgrades require a lot of time for testing afterwards. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer, admin, user, and author `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! why didn't noah swat those two mosquitoes? signature.asc Description: Digital signature
Re: Debian Security Support in Place
also sprach Lupe Christoph <[EMAIL PROTECTED]> [2005.07.09.1022 +0200]: > > The security team will continue to support Debian GNU/Linux 3.0 > > alias woody until May 2006, or if the security support for the > > next release, codenamed etch, starts, whatever happens first. > > This is equivalent to saying "We will rip security support for > oldstable from under your feet at any time just as we please". No, it's not. It's worded a little awkwardly, but herewith you get my promise that etch will not happen first. So May 2006 it is. You are welcome to get those companies to come up with funding to allow us to pay 1-2 people taking care of sarge after May 2006. And if that is unacceptable to you: Ubuntu has announced a 5 year support plan for server systems: http://www.ubuntulinux.org/UbuntuFoundation -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! "it is easier to be a lover than a husband for the simple reason that it is more difficult to be witty every day than to say pretty things from time to time." -- honoré de balzac signature.asc Description: Digital signature
Re: Sudo question
also sprach Johann Spies <[EMAIL PROTECTED]> [2005.07.08.1057 +0200]: > How is it possible that I can enable this user not only to run > programs from this directory, but to kill the process he started when > necessary using SUDO - without enabling him to kill any process on the > machine. The only way to do this is to write a script which ensures that the PID is within the range of allowed PIDs, and then to give sudo access to the script. Beware that it's easy to make mistakes in scripts which could allow the user to gain root rights. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! "how do you feel about women's rights?" "i like either side of them." -- groucho marx signature.asc Description: Digital signature
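The reply above names the approach (a checked wrapper script handed to sudo) and warns that such scripts are easy to get wrong, but shows no checks. The following is an added example and not code from the original post: a Python wrapper, rather than a shell script, so the policy decision can be unit tested without a real /proc. It is meant to be the single program granted through sudoers (something like `user ALL=(root) NOPASSWD: /usr/local/sbin/killmine`), and it refuses anything that is not one plain positive PID, any process not owned by the invoking user, and any process whose executable lies outside the permitted directory. The `killmine` name and `/opt/app/bin` are assumptions.

```python
#!/usr/bin/env python3
"""killmine: let a sudo user terminate only processes they started from one
directory.  Added example, not code from the original post; the directory
below is an assumption."""
import os
import signal
import sys

ALLOWED_DIR = "/opt/app/bin"   # assumption: directory the user may run programs from


def parse_pid(arg):
    """Return the PID as an int, or None unless arg is one plain positive
    decimal number.  This is the check careless sudo kill wrappers skip:
    "-1" means "every process I may signal", "0" means the caller's own
    process group, and "12 34" would be split into two targets."""
    if not isinstance(arg, str) or not arg.isascii() or not arg.isdigit():
        return None
    pid = int(arg)
    if pid <= 1:            # 0 and 1 (init) are never legitimate targets
        return None
    return pid


def is_allowed(exe_path, proc_uid, caller_uid, allowed_dir=ALLOWED_DIR):
    """Pure policy check so it can be tested without /proc.

    exe_path   resolved path of the target's executable (readlink of /proc/PID/exe)
    proc_uid   uid owning the target process
    caller_uid uid of the user invoking sudo (SUDO_UID)
    """
    if proc_uid != caller_uid:
        return False
    if exe_path.endswith(" (deleted)"):     # binary replaced since it started
        return False
    root = os.path.realpath(allowed_dir)
    real = os.path.realpath(exe_path)
    # commonpath rather than startswith: "/opt/app/bin-evil/x" must not match
    # "/opt/app/bin", and "/opt/app/bin/../../../bin/sh" must be normalised first
    return real != root and os.path.commonpath([root, real]) == root


def target_info(pid):
    """Facts about pid from /proc (Linux only; needs root, which sudo gives us)."""
    exe = os.readlink("/proc/%d/exe" % pid)
    uid = os.stat("/proc/%d" % pid).st_uid
    return exe, uid


def main(argv):
    """Return an error message on refusal, None after sending SIGTERM."""
    if len(argv) != 2:
        return "usage: killmine PID"
    pid = parse_pid(argv[1])
    if pid is None:
        return "refused: PID must be a single positive integer"
    caller = os.environ.get("SUDO_UID", "")
    if not caller.isdigit():
        return "refused: must be run through sudo"
    try:
        # Pin the process identity before checking it, where the kernel can
        # (Linux >= 5.3), so a PID reused between check and signal is not hit.
        pidfd = os.pidfd_open(pid) if hasattr(os, "pidfd_open") else None
        exe, uid = target_info(pid)
    except OSError:
        return "refused: no such process"
    if not is_allowed(exe, uid, int(caller)):
        return "refused: not your process or not started from %s" % ALLOWED_DIR
    try:
        if pidfd is not None:
            signal.pidfd_send_signal(pidfd, signal.SIGTERM)
        else:
            os.kill(pid, signal.SIGTERM)
    except ProcessLookupError:
        return "refused: process already gone"
    return None


if __name__ == "__main__":
    err = main(sys.argv)
    if err:
        print(err, file=sys.stderr)
        sys.exit(1)
```

Without the pidfd step there is a window between reading /proc/PID and calling kill(2) in which the process can exit and the PID be reused by something else; on kernels that lack pidfd the fallback keeps that window, which is the kind of subtlety the reply warns about.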
Re: Where is the security announcement?
also sprach Robin Schroeder <[EMAIL PROTECTED]> [2005.07.07.1133 +0200]: > I got at least security announcements from > debian-security-announce@lists.debian.org Not between 3 June and 30 June. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer, admin, user, and author `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! "twenty-four hour room-service must be one of the premiere achievements of modern civilization." -- special agent dale cooper signature.asc Description: Digital signature
Where is the security announcement?
So Debian has had (and continues to have) problems with the security archive. This has been widely publicised, giving the world a rather shameful image of our project and product. Ignoring the causes of the problems, which undoubtedly need to be fixed ASAP, no announcement whatsoever has been sent to our users, nor has there been any mention of the problem in the Debian News or other official channels. This is an unacceptable state of affairs in which it seems that Debian does not acknowledge but instead tries to hide problems from its users. Worse yet, it's being naive about it, since basically everyone knows already. I am writing this email to strongly urge those with the abilities to send an announcement with details on the situation *immediately*. If help is needed in creating this announcement, please do not hesitate to contact me. Please do not let Debian's image be tainted more. We've already given the professional world enough of a reason to abandon ship and laugh at us. PS: the random quote generator seems to be able to establish semantic context at last! -- .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :not-so-proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! microsoft: for when quality, reliability, and security just aren't that important! signature.asc Description: Digital signature
Re: Bad press related to (missing) Debian security - action
also sprach Alvin Oga <[EMAIL PROTECTED]> [2005.06.28.1451 +0200]: > - all other debian boxes do NOT trust it and nobody else should > trust it either... it is "for testing and development" I know. But what happens when someone decides to abuse it? I could host a machine, no problem. But giving root access to others is the problem. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! why didn't noah swat those two mosquitoes? signature.asc Description: Digital signature
Re: Bad press related to (missing) Debian security - action
also sprach Alvin Oga <[EMAIL PROTECTED]> [2005.06.28.1420 +0200]: > if somebody at debian.org can create yaml, say > [EMAIL PROTECTED], then the rest of us moaners, > complainers and wanna-volunteers can get started ... Just use this list. > the machine can be called sec-test.debian.org so that we have > a way to test another security update/process/procedures out Mh, I am not sure this is viable as you guys would probably need root on the machine, which is a credibility problem when someone else hosts it... -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! "we americans, we're a simple people... but piss us off, and we'll bomb your cities." -- robin williams, good morning vietnam signature.asc Description: Digital signature
Re: Bad press related to (missing) Debian security
also sprach Marek Olejniczak <[EMAIL PROTECTED]> [2005.06.28.1215 +0200]: > Unfortunately you are right :-( At this moment there is no secure > Debian distribution. unstable. :) -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! obviously i was either onto something, or on something. -- larry wall on the creation of perl signature.asc Description: Digital signature
Re: custom sec updates, was Bad press related to (missing) Debian security
also sprach Thomas Seliger <[EMAIL PROTECTED]> [2005.06.28.1208 +0200]: > Even if you did not use those techniques (.deb building, running an apt > source) up to now, I think it's rewarding for you, especially if you run > a larger number of servers. I do not have any links ready to point you > to, but i'll check my (unsorted) bookmark file later ;) man apt-ftparchive is all you basically need. Put the files into a directory which apache can access, e.g. /srv/apt --> http://server/apt, then run:

  apt-ftparchive packages . > Packages

and you're done. Make sure to set the proper permissions. Now add

  deb http://server/apt ./

to your machines and `apt-get update`. Finally, make sure to use the proper version increments. My suggestion is the following shell function (part of dpkg-reversion/debedit, which is not yet part of Debian):

  # Append a "+0.local.N" suffix to a package version, or bump N if the
  # suffix is already there, so the local rebuild sorts after the current
  # Debian revision but before the next one.
  bump_version() {
    VERSTR='+0.local.'
    case $1 in
      *${VERSTR}[0-9]*)
        # already carries a local suffix: increment its counter
        REV=${1##*${VERSTR}}
        echo ${1%${VERSTR}*}${VERSTR}$((++REV));;
      *-*)
        # has a Debian revision: append the suffix to it
        echo ${1}${VERSTR}1;;
      *)
        # native package without a revision: add "-0" first
        echo ${1}-0${VERSTR}1;;
    esac
  }

  piper:~> bump_version 1.0-1
  1.0-1+0.local.1
  piper:~> dpkg --compare-versions 1.0-1 lt 1.0-1+0.local.1 && echo yes
  yes
  piper:~> dpkg --compare-versions 1.0-1+0.local.1 lt 1.0-2 && echo yes
  yes
  piper:~> bump_version 1.0
  1.0-0+0.local.1
  piper:~> dpkg --compare-versions 1.0 lt 1.0-0+0.local.1 && echo yes
  yes
  piper:~> dpkg --compare-versions 1.0-0+0.local.1 lt 1.0-1 && echo yes
  yes
  piper:~> dpkg --compare-versions 1.0-0+0.local.1 lt 1.1 && echo yes
  yes

Alternatively, use APT pinning. FWIW, my book[0] includes information about how to run your own package repositories, and how to modify packages and properly integrate them with APT. 0. http://debiansystem.info Cheers, -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! one must still have chaos within oneself to give birth to a dancing star. -- friedrich nietzsche signature.asc Description: Digital signature
Re: Bad press related to (missing) Debian security
also sprach Marek Olejniczak <[EMAIL PROTECTED]> [2005.06.28.1148 +0200]: > No, it was *my* decision! I have been using Debian for 4 years and > I like this distribution. And it surprised me that my favourite > distro has problems with security. It surprised everyone, even though it was not a real surprise -- if that makes sense. The security team has been a major weakness of Debian for a while. It was only a question of time until it all came down on Joey. Anyway, if you like Debian, then you should keep using it. The current situation is unacceptable, and we are all aware of this. But the good news is that a lot of people are working on it, and after the stereotypical blow in the face, we'll have something to learn to prevent such problems in the future. So bear with us for just a little while more, consider disabling the affected services for now, or roll your own security updates until we have caught up. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! "a profession is a bulwark behind which one may permissibly retreat when doubts and worries of a general kind assail one." - friedrich nietzsche signature.asc Description: Digital signature
taking a break (was: Bad press related to (missing) Debian security)
also sprach martin f krafft <[EMAIL PROTECTED]> [2005.06.28.1108 +0200]: > No, he installed Sarge because it was cool back at the time. Yeah so this whole thing has been growing on me a little too much. Sorry for being snappy in the last two posts (to Marek and Alvin). I am going to take the afternoon off. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! "everyone has a little secret he keeps, i like the fires when the city sleeps." -- mc 900 ft jesus signature.asc Description: Digital signature
Re: safety of encrypted filesystems
also sprach martin f krafft <[EMAIL PROTECTED]> [2005.06.17.0944 +0200]: > also sprach Michael Buchholz <[EMAIL PROTECTED]> [2005.06.17.0857 +0200]: > > And also, when you write any block, you have to reencrypt all the > > remaining blocks. > > Yes, don't you? From all I can tell, this is the case for ECB and CBC, but symmetric cryptography is fast enough these days for this not to be a problem. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! an avocado-tone refrigerator would look good on your resume. signature.asc Description: Digital signature
Re: Bad press related to (missing) Debian security
also sprach Matthew Palmer <[EMAIL PROTECTED]> [2005.06.28.1104 +0200]: > > Other distros don't have such problems with security. I'm > > complain because I think it was mistake to install Debian Sarge > > on this servers. :-( > > You're complaining to *us* because someone *else* made a decision > you don't agree with? No, he installed Sarge because it was cool back at the time. I do wonder what kind of ISP switches to sarge right after the release... those who need security probably stay with woody just a little longer for all the childhood problems to resolve themselves (read: sarge r1). That said... of course woody is currently also potentially vulnerable. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! fashions have done more harm than revolutions. -- victor hugo signature.asc Description: Digital signature
Re: Bad press related to (missing) Debian security
also sprach Marek Olejniczak <[EMAIL PROTECTED]> [2005.06.28.1036 +0200]: > >Then don't use it. > > I must use it. Sarge is running on ISP production servers. I am sorry. The best I can tell you is that it currently looks as if the situation will soon be under control and resolved. And soon is likely to be very soon/this week. > >We are working to fix it. The last thing we need now are people > >complaining and moaning. > > I'm working for many ISP providers. And now I have problems with > security on these servers. What can I do? I can't patch by hand > every bug on many servers! You have to. > Other distros don't have such problems with security. I'm complaining > because I think it was a mistake to install Debian Sarge on these > servers. :-( If that's what you think then it's best to reinstall these servers with something else because that'll be cheaper than the risk of having them compromised. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! time wounds all heels. -- groucho marx signature.asc Description: Digital signature
Re: Bad press related to (missing) Debian security - action
also sprach Alvin Oga <[EMAIL PROTECTED]> [2005.06.28.1031 +0200]: > lots of people have their own requirements for security ... security *is* subjective. > instead of adding to the security team's tasks, and instead of > writing emails, why don't we spend the time to write some scripts > to do what we're expecting to be done by the security team ?? thanks for the proposal. why did you write it and not just get on with those scripts already? > - yes.. i'm volunteering if there is enough "folks" that want to > solve security problems and automate security patch releases > - it's a task for debian-man .. more than what super-man or > bat-man can do people "volunteering" are useless. people actually doing something are not. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! a bachelor is a man who never made the same mistake once. signature.asc Description: Digital signature
Re: Bad press related to (missing) Debian security
also sprach Marek Olejniczak <[EMAIL PROTECTED]> [2005.06.28.0854 +0200]: > For me "stable distribution" means "secure". Is now Sarge secure? > No, it isn't! Most installations are secure. I know security is a delicate topic, but there is no point in polemic exaggeration. > Four weeks after new release of Debian, Get your facts straight. > Sarge has many security holes in packages and kernel, and some of > this holes are critical. In my opinion Sarge isn't stable > distribution now, it's dangerous distribution. Then don't use it. We are working to fix it. The last thing we need now are people complaining and moaning. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! "it always takes longer than you expect, even when you take into account hofstadter's law." -- douglas hofstadter signature.asc Description: Digital signature
Re: Bad press related to (missing) Debian security
also sprach Moritz Muehlenhoff <[EMAIL PROTECTED]> [2005.06.28.0156 +0200]: > Have a look at the system we use for the testing security team (I > always thought it originated in the security team): > http://lists.alioth.debian.org/pipermail/secure-testing-commits/2005-June/thread.html > > This system is so efficient that most communication is basically > made through svn log messages. Not meaning to dispel it, but isn't this essentially a bug tracking system or ticket system done slightly differently? What I think Debian (as a whole) needs is an improved issue tracker with the following features: - single-bug subscription, through association with the bug (like bugzilla) - ability to set a bug as private, meaning that only associated people can view it or even find out about its existence. add to that some automated way to open tickets for new CVEs and you have a team todo list. I know that this is not really what you guys want to hear and it's probably best to adopt testing-security's approach for stable-security. However, I am considering devoting more of my time to this stuff in the future, and such a system would be needed for some of the innovative approaches I have in mind. Thus, I'd love to hear opinions. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! DISCLAIMER: this entire message is privileged communication, intended for the sole use of its recipients only. If you read it even though you know you aren't supposed to, you're a poopy-head. signature.asc Description: Digital signature
Re: Bad press related to (missing) Debian security
also sprach Michael Stone <[EMAIL PROTECTED]> [2005.06.28.0044 +0200]: > The security secretaries were originally going to be part of the > solution, and there was talk from some people about writing > a tracking system that didn't materialize. Mostly I think it just > needs recognition that it's a problem that needs a solution. So if we all recognise it as a problem, it will solve itself? Wouldn't a ticket system (possibly request-tracker3) be helpful here? -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! "the word yellow wandered through his mind in search of something to connect with." -- hitchhiker's guide to the galaxy signature.asc Description: Digital signature
Re: Bad press related to (missing) Debian security
also sprach martin f krafft <[EMAIL PROTECTED]> [2005.06.27.2100 +0200]: > There is a problem with that, namely responsible disclosure. The > team cannot be too big or else the other organisations in the > consortium will object for danger of leakage. > > I think what we do need though is an infrastructure which makes it > easier for people to contribute on public issues. Petter Reinholdtsen added the following over at -project (forwarded with permission) There already exists a larger team monitoring security lists, CVE reports, fixing bugs and helping maintainers fix bugs etc. It works in public, and accepts help from everyone interested in participating. It is the testing security team, http://secure-testing.alioth.debian.org/>. I believe that all people interested in helping out with the security work in Debian should make an effort in this team. This will directly help the security status of Debian unstable and testing (security fixes for testing are normally uploaded into unstable), and indirectly help the stable security team as this team gets a list of security issues to track, proposed patches, knowledge about the security issues discovered, and thus less work fixing the publicly known security issues. In addition, it can form a good recruitment base for the stable security team. Those proving themselves in the public work with testing security will be good candidates for the stable security team. Isn't this a good way to do it? ... nothing to add. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! "when a gentoo admin tells me that the KISS principle is good for 'busy sysadmins', and that it's not an evolutionary step backwards, i wonder whether their tape is already running backwards." signature.asc Description: Digital signature
Re: Bad press related to (missing) Debian security
also sprach Michael Stone <[EMAIL PROTECTED]> [2005.06.27.2251 +0200]: > On Mon, Jun 27, 2005 at 02:36:12PM -0400, Noah Meyerhans wrote: > >Part of the problem with security updates has to do with the fact that > >it's just difficult to coordinate the work. Even when Wichert, mdz, and > >others were more active, Joey still did most of the work because it was > >often easier for one person to keep track of everything. > > That's exactly it. There's no effective tracking of security problems, > and some people don't see this as a problem. That makes it extremely > difficult for others to see what needs to be done. Do you guys see this as a de facto state with no solution, or is a good solution simply waiting to be found? -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! echo '9,J8HD,[EMAIL PROTECTED]:[EMAIL PROTECTED];[EMAIL PROTECTED]@5GBIELD54DL>@8L?:5GDEJ8LDG1' |\ sed ss,s50EBsg | tr 0-M 'p.wBt SgiIlxmLhan:o,erDsduv/cyP' signature.asc Description: Digital signature
Re: Bad press related to (missing) Debian security
also sprach Noah Meyerhans <[EMAIL PROTECTED]> [2005.06.27.2116 +0200]: > of a "secretary". (though, when trying to do that kind of work, > I've always found that I'm a whole lot better at hacking than I am > at secretarial work; I suspect that's the case with a lot of > developers) Barring that I don't have much experience as a secretary, I would actually have to say that it's the other way around for me. I tend to be good at organisation and correspondence, and while I like to hack, it usually takes too much time for me, since I am a perfectionist. Yeah, uh, so... -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! i wish this wish not to be granted! -- achilles (hofstadter's geb) signature.asc Description: Digital signature
Re: Bad press related to (missing) Debian security
> At the same time, though, I think we need to take immediate action. > Among the first steps would be the analysis of the status quo. I am > going through the list of CVEs right now. There are *loads*. And > I could need help. I'll ping out to joeyh to see if we could put his > scripts for testing-security to any use. Ah, thanks to the testing-security team: http://newraff.debian.org/~joeyh/demo.html This list is about testing, but joeyh is adding http://newraff.debian.org/~joeyh/stable-security.html right now. Anyway, note that the situation seems to be under control already and an announcement is under preparation. Therefore I apologise for coming across a little hectic in my post. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debianbook.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! "when faced with a new problem, the wise algorithmist will first attempt to classify it as np-complete. this will avoid many tears and tantrums as algorithm after algorithm fails." -- g. niruta signature.asc Description: Digital signature
Re: Bad press related to (missing) Debian security
also sprach Frans Pop <[EMAIL PROTECTED]> [2005.06.27.2105 +0200]: > Even if 3.0.4 contains only the security fix, it will still be backported > and released as 3.0.3-1sarge1 or something like that. That's actually not guaranteed. If 3.0.4 contains only the security fix and really nothing else, I see no reason why it cannot be uploaded to security.debian.org. The reason why usually (V-1)-1sarge-1 is chosen for the version number is so that if 3.0.4 is still current by the time the next stable goes out, it will be an upgrade candidate. In this case, the delta would be zero, which would make it nonsensical and unnecessary to change the version number in the first place. Then again, I am not sure about this... just speculating. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! "what's your conceptual continuity? -- well, it should be easy to see: the crux of the bisquit is the apopstrophe!" -- frank zappa signature.asc Description: Digital signature
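Both version schemes discussed on this page, the "+0.local.N" suffix from the "custom sec updates" post above and the "(V-1)-1sargeN" style of stable security uploads discussed here, rest on how dpkg orders version strings. The following is an added example, not code from either post and not dpkg's own source: a Python re-implementation of dpkg's comparison algorithm (epoch, then upstream version, then Debian revision; digit runs compared numerically, "~" sorting before everything including the end of the string) together with a port of the shell bump_version function, so the orderings claimed in both posts can be checked on a machine without dpkg. The version strings in the checks are constructed for illustration.

```python
"""Debian version ordering re-implemented from dpkg's algorithm, plus the
"+0.local.N" bumping scheme.  Added example, not code from dpkg or the posts."""
import re

LOCAL = "+0.local."


def _isdigit(c):
    return "0" <= c <= "9"


def _order(c):
    """Weight of one character in a non-digit run, as dpkg ranks them:
    '~' sorts before everything (even the end of the string, weight 0),
    a digit is 0 (it ends the run), letters by ASCII, anything else after."""
    if c == "~":
        return -1
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare one fragment (upstream version or Debian revision); sign is the result."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run, character by character; a missing character weighs 0
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: drop leading zeros, the longer run wins, else the first differing digit
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v):
    """'1:2.3-4' -> (1, '2.3', '4'); missing epoch is 0, missing revision is ''."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """-1, 0 or 1, ordered as dpkg --compare-versions would order a and b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


_OPS = {"lt": (-1,), "le": (-1, 0), "eq": (0,), "ne": (-1, 1), "ge": (0, 1), "gt": (1,)}


def dpkg_compare(a, op, b):
    """Boolean form of `dpkg --compare-versions a OP b`."""
    return compare_versions(a, b) in _OPS[op]


def bump_version(v):
    """Port of the shell bump_version: add a +0.local.1 suffix, or increment N."""
    m = re.fullmatch(r"(.*)\+0\.local\.(\d+)", v)
    if m:
        return "%s%s%d" % (m.group(1), LOCAL, int(m.group(2)) + 1)
    if "-" in v:
        return v + LOCAL + "1"
    return v + "-0" + LOCAL + "1"


if __name__ == "__main__":
    for v in ("1.0-1", "1.0-1+0.local.1", "1.0"):
        print("%-18s -> %s" % (v, bump_version(v)))
    for a, b in (("1.0-1", "1.0-1+0.local.1"), ("1.0-1+0.local.1", "1.0-2"),
                 ("3.0.3-1", "3.0.3-1sarge1"), ("3.0.3-1sarge1", "3.0.4-1")):
        print("%s lt %s: %s" % (a, b, dpkg_compare(a, "lt", b)))
```

The interesting property for both schemes is the same: a suffix appended to the Debian revision ("+0.local.1", "sarge1") sorts after the bare revision but before the next revision number, because the comparison returns as soon as the digit run differs and only looks at the trailing letters when the digits are equal.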
Re: Bad press related to (missing) Debian security
also sprach Marek Olejniczak <[EMAIL PROTECTED]> [2005.06.27.2039 +0200]:
> I don't understand the philosophy of Debian security team. It's
> really so difficult to push into sarge spamassassin 3.0.4 which is
> not vulnerable? This version is in Debian testing and why this
> version can't be pushed into stable?

It would not be "stable" anymore with respect to software selection.
Here's the paragraph from my book:

  \item[\emph{Software feature stability}]~\\
    Stability\index{stability!feature} may also refer to the feature
    set provided by a piece of software. In this definition, stable
    software does not introduce drastic changes or radical new features
    from one release to the next. Administrators appreciate feature
    stability because it allows them to fix bugs with newer versions
    without risking unwanted changes to the behaviour.

This is one of the essential and most important features of Debian
stable.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer and author: http://debianbook.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
this space intentionally left occupied.
Re: Bad press related to (missing) Debian security
also sprach Noah Meyerhans <[EMAIL PROTECTED]> [2005.06.27.2036 +0200]:
> Part of the problem with security updates has to do with the fact
> that it's just difficult to coordinate the work. Even when
> Wichert, mdz, and others were more active, Joey still did most of
> the work because it was often easier for one person to keep track
> of everything.

Sounds like an issue of workflow management to me. I want to have a lot
of discussions on this topic at debconf anyway, so there's one concrete
domain in need of proper CSCW (computer-supported cooperative work).

> The secretary position was originally created to help this
> situation, but it was never really clear to me what my role was
> supposed to be.

I never understood it either. How much information can be disclosed
about the inner workings of the security team without damage?

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer and author: http://debianbook.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
i must confess, I was born at a very early age.
                                                       -- groucho marx
Re: Bad press related to (missing) Debian security
also sprach Matt Zimmerman <[EMAIL PROTECTED]> [2005.06.27.2026 +0200]:
> I expect it would be enough if they were all active, but that has
> never been the case for this group. Wichert, Daniel, Michael and
> myself are all de facto inactive for various reasons, and have
> been for some time.

I, for one, very much appreciate your directness and prompt answer on
this matter, Matt!

> The security team has always been a difficult one to expand.
> A strong level of trust is necessary due to confidentiality
> issues, and security support is a lot of (mostly boring and
> thankless) work. However, expanding it seems like the only way to
> make it sustainable.

Yes. Let me ask you this: what would you deem the ideal size of the
team? In the beginning you said 5-7 would be enough. Would you make it
bigger if you could?

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer and author: http://debianbook.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
"'this must be a thursday,' said arthur to himself, sinking low over
 his beer. 'i never could get the hang of thursdays.'"
                                   -- hitchhiker's guide to the galaxy
Re: Bad press related to (missing) Debian security
also sprach Bob Tanner <[EMAIL PROTECTED]> [2005.06.27.1939 +0200]:
> How would one go about getting on the security team?

Current practice is: you don't. The security team advises you to send
notices and patches their way. At any point, they may invite people who
have made significant contributions to join their ranks.

I don't know more details and would love to find out.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer and author: http://debianbook.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
"people don't want a president to say 'never'. using violence is never
 the first choice of the president".
                                                      -- george w. bush
Re: Bad press related to (missing) Debian security
[cc'ing -project]

also sprach W. Borgert <[EMAIL PROTECTED]> [2005.06.27.1525 +0200]:
> Just FYI: The well-known German Heise Newsticker (IT related) has an
> article today with the title "Debian without security update for
> several weeks": http://www.heise.de/newsticker/meldung/61076
> Hm, bad reputation for us...

It was only a question of time. I had asked Joey publicly about this at
Linuxtag, so it's likely that this is the reason for the coverage by
Heise. While I did not want to push Joey into a corner, it was quite
scary to hear him explain that due to his involvement with Linuxtag, he
did not even find the time to read his email.

This is not to blame Joey (without whom we wouldn't be where we are),
but rather a plea for the Debian project to take *immediate* action. If
Joey does not have time, security support just comes to a screeching
halt. Talk about a bottleneck!

Our security team currently consists of five members and two
secretaries. Joey is hopelessly overworked, but he is still doing a
marvelous job. I do not know anything about the other members as they
do not seem to be very active, neither on IRC nor on the mailing lists.

The problem is that access to security.debian.org is restricted. Well,
that's a good thing. But it's a problem when it comes to bottleneck
situations as in the current case, when Joey is too occupied to handle
his tasks as security team leader. I don't blame him at all. Without
him, there would probably be far less Linuxtag, and he is after all not
committed to spending 24 hours of his days on Debian! But I do wonder:
if Joey was busy for two weeks and security.debian.org was not working
right, what did the other four members and the two secretaries do?

I think we all agree that we cannot go on like this. We need to add a
lot of redundancy to the team. And with that, I don't mean the one or
two new members Joey promised in his answer to me.

With that, I mean that the size of the archive calls for a security
team of 20 people or more. Security is a delicate domain since Debian
does need to ensure a level of privacy, so calling for complete
openness as with other projects won't work. Obviously, we can't just
appoint the first 20 to raise their hands. But what we can do is figure
out the skills needed to successfully work with the team and ensure
Debian's quality.

So far, these requirements have been very unclear to me, at least.
There have been times when I was very active, monitoring security
forums and fixing bugs, but the security team never approached me for
help. I have been teaching security to professional audiences for five
years now, so I would actually claim to have at least the necessary
foundation upon which I can quickly learn to adapt to the processes of
the security team. I am sure I am not the only one. And I am also sure
not to be the only one without a clue what to do.

In general, my experience has been that [EMAIL PROTECTED] is a black
hole, and that offers to help are ignored. Of course, the Debian
meritocracy calls for us to just do something to climb the ladder
according to our accomplishments, but as with the other obscure domains
of the Debian project, which are not open to anyone to just peek at and
learn, it's really difficult to do this when it means working as
a blind person with a couple of mutes.

So at the end of this very long post, I guess I get in line with all
the other folks who'd like to have a statement from the other members
of the security team about what's going on.

At the same time, though, I think we need to take immediate action.
Among the first steps would be the analysis of the status quo. I am
going through the list of CVEs right now. There are *loads*. And
I could use help. I'll ping out to joeyh to see if we could put his
scripts for testing-security to any use.

As soon as we have a list of issues, everyone involved in security
issues should get on the debian-security list (that's what we have) and
add references to bug reports, or open new discussion threads. From
there, we should try to create fixed packages one after the other and
do everything we can to make it as easy as possible for Joey to upload.

Once we've come back to normal, we should then see what to do about

Thanks for your patience.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
"i don't think so," said rene descartes. just then, he vanished.
Re: getting the MAC address from an ip
also sprach LeVA <[EMAIL PROTECTED]> [2005.06.24.1452 +0200]:
> How can I get a machine's MAC address, if I only know its IP?

ping it, then use /usr/sbin/arp. There are also tools that can do this,
but I can't find their names now.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
a: no.
q: should i include quotations after my reply?
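The reply above describes the two-step trick in one line; as an added example (not from the list post, and not the arp(8) tool itself), here is a small POSIX shell helper that does the same thing and also handles the one case that trips people up: an entry the kernel created but never completed. It reads the Linux-specific /proc/net/arp table (the `ip neigh show` command is the modern equivalent) through stdin so that the parser can be exercised on a constructed sample; `lookup_mac` wires it to the live table.

```sh
#!/bin/sh
# Added example: resolve a LAN neighbour's MAC by pinging it and then
# reading the kernel ARP cache. Not code from the list post. Assumes a
# Linux host (/proc/net/arp, iputils ping with -W).

# mac_from_arp_table IP
#   Print the MAC for IP from a /proc/net/arp-formatted table on stdin.
#   Returns 1 when IP is absent or its entry is incomplete: Flags 0x0
#   means the host never answered and the "HW address" column is only
#   the 00:00:00:00:00:00 placeholder, which must not be reported.
mac_from_arp_table() {
    awk -v ip="$1" '
        NR > 1 && $1 == ip && $3 != "0x0" { print $4; found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# lookup_mac IP
#   Send one ICMP echo so the kernel performs ARP resolution, then read
#   the cache. Only hosts on a directly attached subnet ever appear in
#   it; for anything behind a router you would see the router instead.
lookup_mac() {
    ping -c 1 -W 1 "$1" >/dev/null 2>&1
    mac_from_arp_table "$1" < /proc/net/arp
}

# Constructed sample table (not captured from a real host): one complete
# entry and one that never got an ARP reply.
SAMPLE_ARP='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        eth0'

# Demonstration on the sample: the first lookup prints the MAC, the
# second fails because the entry is incomplete.
printf '%s\n' "$SAMPLE_ARP" | mac_from_arp_table 192.168.1.1
printf '%s\n' "$SAMPLE_ARP" | mac_from_arp_table 192.168.1.77 \
    || echo "192.168.1.77: no answer (incomplete ARP entry)"
```

Usage on a real host is `lookup_mac 192.168.1.1`. Keep in mind that the ARP cache is whatever the last reply on the wire said: it identifies an interface for inventory purposes, but a spoofed reply changes it just as easily, so it is not an authentication signal.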
Re: safety of encrypted filesystems
also sprach Bernd Eckenfels <[EMAIL PROTECTED]> [2005.06.18.0253 +0200]:
> have you unmounted the file before writing to it? perhaps your
> changes were overwritten with the block from cache

Yes. And my simulated broken blocks were still there after checking the
integrity and unmounting again.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
drink canada dry! you might not succeed, but it *is* fun trying.