Re: Bug#651510: #651510 (gpw) - Not sure if security bug
On Tue, Jan 17, 2012 at 07:38:08AM +0100, Yves-Alexis Perez wrote:
> tag 651510 security
> thanks
>
> On lun., 2012-01-16 at 11:30 +0100, Michael Stummvoll wrote:
> > Hi,
> >
> > last month I filed the bug #651510 against gpw. Short version of this bug:

Hi, sorry for the delay.

> > gpw is a password generator util. The user provides the length of password and gpw generates one or some with this.
> > The bug brings gpw to generate shorter passwords than provided in some cases.
> > This case is very seldom: in ~20 out of 1 mio, the password is shorter than provided - for a provided length of 10. And in ~5-10 out of 1 mio, the password is only 3 chars long (should be independent of provided length).
> > This rate shouldn't affect a normal user I think. But e.g. if used in a script for automatic generation of logins, that could be security relevant if a 3-char password is assumed as a secure password.
>
> Agreed, the manpage is pretty specific about that, the passwords are supposed to be of the specified length.

Sorry, I did not receive the mail about that, maybe filtered out by my multi-layer spam filters. That said, it is a bug. About security I would note that an alphabetic-only password should not be considered safe enough. Gpw should be used in combination with some other randomizer to obtain a semi-pronounceable password. So I consider that bug from minor to negligible at the security level. Gpw can be considered safe enough in some contexts, but not in general. And that's true independently of this bug. However, this case looks very constructed to me.

> > I hoped for a response from the maintainer to get a clear point if he sees this bug as a security bug, but since I filed it a month ago, nothing happened, and I am still not sure about the severity of this bug.
>
> To me that's definitely a security issue, though I'm not sure how much people use gpw in a script (or gpw at all).
>
> > Now, I am thinking about retagging it to security, but therefore I want to obtain some opinions here.
>
> That'd be a start, but note that gpw doesn't look like the most maintained piece of software.

That's sure, but as for a lot of software, it is useful enough for some goals.

-- 
Francesco P. Lovergine

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120117090310.GA2589@mithrandir
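The two points raised in this thread (a script must not trust the requested length, and an alphabetic-only password needs extra randomness) as an added example wrapper; this is not gpw's code nor anything from the bug report. The generator output below is constructed to mimic the reported failure, and `check_generated`, `entropy_bits` and `strengthen` are names chosen here.

```python
import secrets
import string
from math import log2

# Constructed stand-in for what a generator like gpw might print when asked for
# length 10: most candidates are fine, two are too short, as the bug describes.
SAMPLE_OUTPUT = """\
tranisorel
pheloustan
ove
mistrandol
drelip
"""


def check_generated(output: str, requested_len: int):
    """Split generator output into (accepted, rejected) candidates.

    A candidate is rejected when it is shorter than the requested length.
    This is the check a calling script must do instead of assuming the
    length argument was honoured.
    """
    accepted, rejected = [], []
    for line in output.splitlines():
        pw = line.strip()
        if pw:
            (accepted if len(pw) >= requested_len else rejected).append(pw)
    return accepted, rejected


def entropy_bits(pw: str) -> float:
    """Ceiling on entropy: log2(alphabet size) per character.

    A pronounceable generator draws from far fewer than alphabet^length
    strings, so the real figure is lower; a 3-char lowercase word is
    under 15 bits even by this generous measure.
    """
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += len(string.punctuation)
    return len(pw) * log2(size) if size else 0.0


def strengthen(pw: str, extra: int = 3) -> str:
    """Append `extra` digits/punctuation drawn from the OS CSPRNG so the
    result is no longer alphabetic-only while staying mostly pronounceable."""
    pool = string.digits + string.punctuation
    return pw + "".join(secrets.choice(pool) for _ in range(extra))
```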
Re: ProFTPD still vulnerable (Sarge)
On Wed, Dec 06, 2006 at 09:21:34PM -0500, Jim Popovitch wrote:
> On Thu, 2006-11-30 at 12:28 -0500, Jim Popovitch wrote:
> > On Thu, 2006-11-30 at 15:10 +0100, Francesco P. Lovergine wrote:
> > > This is unfortunately an effect of an issue with the old mod_delay patch. It's not an exploiting of the known issue. You have to either disable mod_delay or use 1.2.10-20sarge1 which is available at
> > >
> > > http://people.debian.org/~frankie/debian/sarge
> > >
> > > That is in use successfully since ages on high-load servers like alioth. The sarge1 version also manages the 3 recent security issues.
> >
> > So, should we use 1.2.10-20sarge1 or the just released 1.2.10-15sarge3?

My suggestion is using the not-official 1.2.10-20sarge1 iff you are experiencing segfaults on high-load servers and you wouldn't want to set mod_delay use off for security concerns.

-- 
Francesco P. Lovergine
Re: ProFTPD still vulnerable (Sarge)
On Thu, Nov 30, 2006 at 07:28:53AM +0100, Lupe Christoph wrote:
> Hi!
>
> On 23. November I updated the proftpd package on a Sarge machine that regrettably has to have FTP open to the world. Soon after, somebody ran many attempts to log in as 'Administrator'. These attempts ran again on the 28th and again on the 29th. On that day, they managed to make proftp fall over:
>
> Nov 29 03:35:54 somehost proftpd[9887]: connect from 210.64.51.245 (210.64.51.245)
> Nov 29 03:36:15 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - FTP session opened.
> Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - no such user 'Administrator'
> Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - mod_delay/0.4: delaying for 1 usecs
> Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - mod_delay/0.4: delaying for 63 usecs
> Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - ProFTPD terminating (signal 11)
> Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - FTP session closed.
>
> The attacks ceased before I noticed, so I was not able to capture a TCP stream.
>
> I would just like to alert people that there is still some vulnerability in the ProFTPD code that was not fixed by DSA-1218-1.

This is unfortunately an effect of an issue with the old mod_delay patch. It's not an exploiting of the known issue. You have to either disable mod_delay or use 1.2.10-20sarge1 which is available at

http://people.debian.org/~frankie/debian/sarge

That is in use successfully since ages on high-load servers like alioth. The sarge1 version also manages the 3 recent security issues.

-- 
Francesco P. Lovergine
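A small detector for the pattern in the log above (a child that dies with signal 11 in a session that already saw a failed login), added here as an illustration; it is not part of the thread or of ProFTPD. The log text is the one quoted in the message; `analyze` and the regex names are chosen for this example.

```python
import re

# The lines quoted in the thread, used as sample input.
LOG = """\
Nov 29 03:35:54 somehost proftpd[9887]: connect from 210.64.51.245 (210.64.51.245)
Nov 29 03:36:15 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - FTP session opened.
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - no such user 'Administrator'
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - mod_delay/0.4: delaying for 1 usecs
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - mod_delay/0.4: delaying for 63 usecs
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - ProFTPD terminating (signal 11)
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - FTP session closed.
"""

# Each proftpd child logs under its own pid, so the pid identifies a session.
CONNECT = re.compile(r"proftpd\[(?P<pid>\d+)\]: connect from (?P<ip>[\d.]+)")
SESSION = re.compile(r"proftpd\[(?P<pid>\d+)\]: \S+ \((?P<ip>[\d.]+)\[[\d.]+\]\) - (?P<msg>.*)$")
BAD_USER = re.compile(r"no such user '(?P<user>[^']*)'")
CRASH = re.compile(r"terminating \(signal (?P<sig>\d+)\)")


def analyze(log: str):
    """Return (sessions, alerts).

    sessions maps pid -> {"ip", "failed": [usernames], "signal": int|None}.
    An alert is raised for a session whose child was killed by a signal
    after at least one failed login from an unauthenticated client.
    """
    sessions = {}
    for line in log.splitlines():
        m = CONNECT.search(line) or SESSION.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["pid"], {"ip": m["ip"], "failed": [], "signal": None})
        msg = m.groupdict().get("msg") or ""   # the connect line carries no message
        if (u := BAD_USER.search(msg)):
            s["failed"].append(u["user"])
        if (c := CRASH.search(msg)):
            s["signal"] = int(c["sig"])
    alerts = [
        f"pid {pid}: client {s['ip']} crashed the server (signal {s['signal']}) "
        f"after failed login(s) as {', '.join(s['failed'])}"
        for pid, s in sessions.items() if s["signal"] and s["failed"]
    ]
    return sessions, alerts
```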
Re: php vulnerabilities
On Wed, Dec 22, 2004 at 09:27:52AM -0200, Henrique de Moraes Holschuh wrote:
> On Tue, 21 Dec 2004, Michael Stone wrote:
> > dealing with packages which will not be maintainable over the course of a stable release. Apache doesn't meet that criterion because its
>
> Wasn't there a big thread about exactly this issue, centered around amavis, clamav and snort a while ago?

Yes, the answer is volatile.debian.net(.org) as you prefer.

-- 
Francesco P. Lovergine
Re: php vulnerabilities
On Wed, Dec 22, 2004 at 08:22:18AM -0500, Michael Stone wrote:
> On Wed, Dec 22, 2004 at 01:56:18PM +0100, Francesco P. Lovergine wrote:
> > On Wed, Dec 22, 2004 at 09:27:52AM -0200, Henrique de Moraes Holschuh wrote:
> > > On Tue, 21 Dec 2004, Michael Stone wrote:
> > > > dealing with packages which will not be maintainable over the course of a stable release. Apache doesn't meet that criterion because its
> > >
> > > Wasn't there a big thread about exactly this issue, centered around amavis, clamav and snort a while ago?
> >
> > Yes, the answer is volatile.debian.net(.org) as you prefer.
>
> No, that's the answer to a different question. (What to do with software that's inherently dependent on volatile information, like virus or ids signatures.)
>
> Mike Stone

I did mean that in the same thread me and others proposed to extend volatile to giant programs which have known support problems (an example is mozilla which is notoriously broken in stable, and none can decently update it or ensure it is in a sane state). Many people did not agree about that, of course.

-- 
Francesco P. Lovergine
Re: php vulnerabilities
On Wed, Dec 22, 2004 at 09:07:34AM -0500, Michael Stone wrote:
> On Wed, Dec 22, 2004 at 03:03:29PM +0100, Florian Weimer wrote:
> > My best guess is that things are fine until Debian is the last guy left in town, and no one else (upstream, other vendors) support the version in stable. Is this correct?
>
> Mostly. Unfortunately, that is increasingly the case as debian's release cycles stay long and those of other desktop-oriented distributions grow shorter. (Server-oriented stuff like RH's enterprise edition has a long release cycle but *much* less software.)

BTW, I suspect RHE has a more relaxed policy for security, i.e. major upgrades are allowed when patching obsolete programs is impractical.

-- 
Francesco P. Lovergine
Re: php vulnerabilities
On Wed, Dec 22, 2004 at 09:09:03AM -0500, Michael Stone wrote:
> On Wed, Dec 22, 2004 at 03:03:29PM +0100, Florian Weimer wrote:
> > My best guess is that things are fine until Debian is the last guy left in town, and no one else (upstream, other vendors) support the version in stable. Is this correct?
>
> Eh, and the other point I forgot to include is that other distributions aren't shy about just releasing a new version rather than backporting if the fix is non-trivial.

And we should seriously consider this possibility when needed.

-- 
Francesco P. Lovergine
Re: 2.2.18 exploit, and updating the kernel
On Fri, Mar 15, 2002 at 06:16:22PM -0500, [EMAIL PROTECTED] wrote:
> I have a potato system - with the 2.2.18 kernel. Someone has gotten into a box on my network and used this exploit to gain root:
>
> http://:infected.ilm.net/xpl0itz/l1nux/epcs2.c+epcs2hl=enie=ISO-8859-1
>
> The other boxes that are net accessible are openbsd -- This system is a dual p6 so I need debian for smp.
>
> Is there a proper 'debian' way to go about patching the kernel against this exploit, or updating the kernel to 2.4?

2.2.18 is deprecated. Use the latest one (2.2.19) in potato. It's rock solid (some security patches were backported in it).

-- 
Francesco P. Lovergine
Re: default Apache configuration
On Tue, Mar 12, 2002 at 03:10:43PM +0100, Ralf Dreibrodt wrote:
> Hi,
>
> I just saw an error on a debian box with apache(-common) 1.3.9-13.2:
>
> drwxr-xr-x   14 root     root         4096 Dec  7 13:52 /var
> drwxr-xr-x    6 root     root         4096 Mar 11 06:30 /var/log
> drwxr-xr-x    2 root     root         4096 Mar 10 06:25 /var/log/apache
> -rw-rw-r--    1 www-data nogroup    134382 Mar 12 13:45 /var/log/apache/access.log
>
> tail -n 1 /var/log/apache/access.log
> 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] "GET /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1" 200 148

Never use GET for password fields.

> To whom belongs this problem? The programmer, who used GET for a login, or the sysadmin who shows every ordinary user the GET request?
>
> btw, I think the apache package is not usable for a webhosting server (e.g. frontpage is missing, security is in general too bad), so I normally

Uhm, security is also worse if you enable frontpage extensions. Moreover, I think there are major DFSG problems which keep FP extensions off Debian.

-- 
Francesco P. Lovergine
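The exposure described above (credentials in a GET query string landing in a world-readable access log) as an added example scanner; it is not from the thread. The first log line is the one quoted; the other lines and the function names `find_leaked_credentials` and `log_is_world_readable` are constructed for this illustration.

```python
import re
import stat
from urllib.parse import parse_qsl, urlsplit

# Line 1 is the entry quoted in the thread; lines 2-4 are constructed.
ACCESS_LOG = """\
127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] "GET /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1" 200 148
10.0.0.7 - - [12/Mar/2002:13:54:02 +0100] "GET /index.html HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2002:13:55:40 +0100] "POST /cgi-bin/login.pl HTTP/1.1" 302 0
10.0.0.9 - - [12/Mar/2002:13:56:11 +0100] "GET /api?token=abcdef123456&page=2 HTTP/1.1" 200 512
"""

# Parameter names that should never travel in a URL (the URL is logged,
# cached and sent in Referer headers; a POST body is not).
SENSITIVE = {"password", "passwd", "pass", "pwd", "secret", "token", "apikey", "api_key"}
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def mask(value: str) -> str:
    """Keep the first character so a report is recognisable, hide the rest."""
    return value[:1] + "*" * (len(value) - 1) if value else value


def find_leaked_credentials(log: str):
    """Return (line_no, method, parameter, masked_value) for every request
    whose query string carries a credential-like parameter."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        m = REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for key, val in parse_qsl(query, keep_blank_values=True):
            if key.lower() in SENSITIVE:
                hits.append((n, m["method"], key, mask(val)))
    return hits


def log_is_world_readable(mode: int) -> bool:
    """True when an st_mode grants 'other' read, as the -rw-rw-r-- access.log
    in the thread does; pass os.stat(path).st_mode on a real system."""
    return bool(mode & stat.S_IROTH)
```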
Re: proftp DoS in debian stable?
On Wed, Mar 06, 2002 at 09:48:46AM -0500, Noah L. Meyerhans wrote:
> On Wed, Mar 06, 2002 at 10:36:03AM +0100, Francesco P. Lovergine wrote:
> > potato version is not exploitable (patched with a backported hack many months ago). See old DSA on www.debian.org.
>
> No, it is still vulnerable. I have confirmed for myself that the fix applied in the DSA did not eliminate the DoS. The only way to be safe right now is to add the following to /etc/proftpd.conf:
>
>   <Global>
>     DenyFilter \*.*/
>   </Global>
>
> The problem is not likely with proftpd, but with glibc. I am going to begin investigating fixes ASAP.
>
> noah

glibc has been patched for glob problems too. There is a not too old thread about the same subject...

-- 
Francesco P. Lovergine
Re: root's home world readable
On Wed, Feb 27, 2002 at 09:40:05PM +0100, eim wrote:
> Well, that's *BSD security. :)
>
> I'm always thinking about installing some OpenBSD boxes in my network. Gotta try. Thanks for the tip.
>
> - Ivo
>
> On Fri, 2002-02-15 at 08:48, Sean Whitney wrote:
> > bash-2.05$ uname -a
> > OpenBSD www 3.0 GENERIC#27 sparc64
> > drwx------  3 root  wheel  512 Jan 24 22:19 root
> >
> > Sean
> >
> > On Thursday 14 February 2002 13:49, Jacques Lav!gnotte hammered on some keys:
> > > On Mon, Jan 21, 2002 at 07:54:03PM +0100, eim wrote:
> > > > Hallo debian-sec folks,
> > > >
> > > > While I was checking up some configurations, I've noticed that the root's home directory /root is world readable...
> > > >
> > > > $ drwxr-xr-x    2 root     root         4.0k Jan 21 15:33 root
> > > >
> > > > This seems to be Debian's default configuration, because also on other Potato boxes I've found that same configuration.
> > > >
> > > > Well, as far as I can remember from the Slackware times, root's home dir wasn't world readable by default.
> > >
> > > Hu let me see :
> > >
> > > $ uname -a
> > > NetBSD netbsd 1.5.2 NetBSD
> > > $ ls -la /root
> > > total 2276
> > > drwxr-xr-x  6 root  wheel  512 Dec 12 22:31 .
> > >
> > > Huh :-)

Debian asks if home dirs should be world readable or not at installation time. I assume this is true for root also.

-- 
Francesco P. Lovergine