On Wed, Nov 26, 2003 at 12:47:40PM -0500, Matt Zimmerman wrote:
>On Sat, Nov 22, 2003 at 02:32:45AM -0500, George Georgalis wrote:
>
>> I thought it was odd there were ~50 urgent security updates all in one
>> evening.
>
>There weren't. Read the changelogs; these were normal bugfixes which
>entered stable as part of the 3.0r2 point release, whose announcement was
>delayed due to the cleanup efforts.
Thanks, I appreciate the updates, and I sympathize re the post-compromise workload. I've posted 3 or 4 messages re the changes and compromise; from these I really only want to raise one point: Is there a list of what has been validated and/or restored at debian? If so, I see no reason to withhold it for a final report, and good reason to have it live throughout the process. It would enable undertaking of realtime debian system threat analysis based on the trust established with debian last week versus after the compromise.

In the same email I also said that had there been no series of change announcements prior to the compromise, live progress reports would not be as desirable as they are in this case (though everybody wants to know if it was an ssh bug or a loose password... when known).

That aside, I still wonder if we are talking about the same thing. It turns out about 160 packages were posted on debian-changes@lists.debian.org Nov 19. According to the changelogs they don't appear as normal bugfixes, but many are like "kernel-source-2.4.17 (2.4.17-1woody1) stable-security; urgency=high", which includes at least one user-to-root vulnerability. Maybe I'm missing something, but I don't see any indication these changes don't affect current installs but are only relevant to r2. (Not sure what the difference would be either.) For me, only one of those 160 packages (when I use 'upgrade' on a typical box I administer) is marked 'urgency=high', debianutils. Why the program file is not part of the list even with 'dist-upgrade'..... oic, the urgent ones really did come out earlier. I clearly don't understand the methodology of the announcements and the woody r1 to r2 process.
Whether technically everything was presented sufficiently for everybody to determine validity and appropriateness is not my point in all this, only that a live progress report of the restore/verification process (ie "we have verified or fixed host/service a, b and c") would have set many at ease and I imagine would have been fairly nominal to provide -- a suggestion.

A few of the other important i386 changes that came out are below -- less their _actual_ dates and less relevant now that I see they've been available for a while -- as well as links to my other posts. In retrospect, a post-compromise clarification that the urgent packages are probably already installed vs people verifying and wondering when security.debian.org would come back so they could be obtained, would be as valuable as the progress report!

Your follow up is much appreciated. -- thanks for all the hard work these days!

// George

http://lists.svlug.org/pipermail/svlug/2003-November/046244.html
http://lists.svlug.org/pipermail/svlug/2003-November/046249.html

Changes: ncompress (4.2.4-9.2) stable; urgency=high
 .
 * Disallow maxbits less than 10, to avoid data corruption (closes: #220820).

Changes: atftp (0.6.0woody1) stable-security; urgency=high
 .
 * Non-maintainer upload by the Security Team
 * Fix buffer overflow in tftpd_send_file [tftpd_file.c]

Changes: autorespond (2.0.2-2woody1) stable-security; urgency=high
 .
 * Non-maintainer upload by the Security Team
 * Fix buffer overflow with EXT and HOST environment variables (CAN-2003-0654)

Changes: cupsys (1.1.14-5) stable-security; urgency=high
 .
 * Security fix: prevent denial of service by not freezing when an HTTP
   transaction is improperly terminated.
 * Fix Build-Depends to make sure that PAM support is always available.
 * CAN-2003-0195

Changes: ddskk (11.6.rel.0-2woody1) stable-security; urgency=high
 .
 * Non-maintainer upload by the Security Team
 * Apply patch from Takao Kawamura <[EMAIL PROTECTED]> to create temporary
   files safely

Changes: debianutils (1.16.2woody1) stable; urgency=high
 .
 * Backport of Ian Zimmerman's run-parts program output loss patch, which
   fixes zombie problem. closes: #184710.

Changes: ethereal (0.9.4-1woody5) stable-security; urgency=high
 .
 * Non-maintainer upload by the Security Team
 * Fix vulnerabilities announced in enpa-sa-00010
   - throw an error on zero-length bufsize in tvb_get_nstringz0
     (CAN-2003-0431) [epan/tvbuff.c]
   - Fix over-allocation problem in DCERPC dissector (CAN-2003-0428)
     [packet-dcerpc-lsa.c]
   - Fix overflow with bad IPv4 or IPv6 prefix lengths (CAN-2003-0429)
     [packet-isis-lsp.c]
   - Use a slightly larger buffer in print_tsap (CAN-2003-0432) [packet-clnp.c]
   - Check snprintf return value correctly (CAN-2003-0432)
     [packet-isakmp.c, packet-wsp.c, packet-ieee80211.c, packet-dns.c]
   - Fix buffer overflows on szInfo buffer (CAN-2003-0432) [packet-wtp.c]
   - Use consistent buffer size for valString (CAN-2003-0432) [packet-wsp.c]
   - Use a GString to avoid all sorts of dangerous buffer handling with
     strcat, sprintf, strncpy (CAN-2003-0432)
     [packet-isis-clv.c, packet-dns.c, packet-bgp.c]

Changes: file (3.37-3.1.woody.1) stable; urgency=high
 .
 * [SECURITY] fix buffer overflow in readelf.c

Changes: gallery (1.2.5-8woody1) stable-security; urgency=high
 .
 * Non-maintainer upload by the Security Team
 * Fix cross-site scripting in searchstring parameter (CAN-2003-0614)
   [search.php]

Changes: gzip (1.3.2-3woody1) stable-security; urgency=high
 .
 * Non-maintainer upload by the Security Team
 * Fix multiple instances of insecure temporary files
   - gzexe.in (CVE-1999-1332), which became un-fixed sometime since potato
   - znew (CAN-2003-0367)

Changes: kernel-source-2.4.17 (2.4.17-1woody1) stable-security; urgency=high
 .
 * Non-maintainer upload by the Security Team
 * Apply security fixes from 2.4.18-9
   - CAN-2003-0001: Multiple ethernet Network Interface Card (NIC) device
     drivers do not pad frames with null bytes, which allows remote attackers
     to obtain information from previous packets or kernel memory by using
     malformed packets
   - CAN-2003-0127: The kernel module loader allows local users to gain root
     privileges by using ptrace to attach to a child process that is spawned
     by the kernel
   - CAN-2003-0244: The route cache implementation in Linux 2.4, and the
     Netfilter IP conntrack module, allows remote attackers to cause a denial
     of service (CPU consumption) via packets with forged source addresses
     that cause a large number of hash table collisions related to the
     PREROUTING chain
   - CAN-2003-0246: The ioperm system call in Linux kernel 2.4.20 and earlier
     does not properly restrict privileges, which allows local users to gain
     read or write access to certain I/O ports.
   - CVE-2002-0429: The iBCS routines in arch/i386/kernel/traps.c for Linux
     kernels 2.4.18 and earlier on x86 systems allow local users to kill
     arbitrary processes via a binary compatibility interface (lcall)
   - CAN-2003-0248: The mxcsr code in Linux kernel 2.4 allows attackers to
     modify CPU state registers via a malformed address.
   - CAN-2003-0247: vulnerability in the TTY layer of the Linux kernel 2.4
     allows attackers to cause a denial of service ("kernel oops")
   - CAN-2003-0364: The TCP/IP fragment reassembly handling in the Linux
     kernel 2.4 allows remote attackers to cause a denial of service (CPU
     consumption) via certain packets that cause a large number of hash table
     collisions

--
GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027
<IXOYE>< Security Services, Web, Mail,      mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.            http://www.galis.org/george
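As an added example (not code from this mail, from Debian or from dpkg), the check the "are the urgent packages already installed" question above asks for: parse the "Changes: pkg (version) dist; urgency=..." headers quoted in the thread and report which urgency=high fixes are newer than what a box has installed. The version ordering is a reimplementation of the Debian Policy comparison rules rather than a call into dpkg, and the installed-package inventory is constructed for the example.

```python
import re
# Added example, not code from the mail or from dpkg: read the "Changes:" headers quoted
# above and report urgency=high fixes newer than what a box has installed. Version ordering
# reimplements Debian Policy 5.6.12: '~' < end-of-string (0) < letters < other characters.
_order = lambda c: -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Walk alternating non-digit / digit runs of an upstream or revision string.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i]) if i < len(na) else 0
            ob = _order(nb[i]) if i < len(nb) else 0
            if oa != ob:
                return (oa > ob) - (oa < ob)
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return (int(da or 0) > int(db or 0)) - (int(da or 0) < int(db or 0))
    return 0

def deb_version_cmp(x, y):
    """Return -1, 0 or 1 like dpkg --compare-versions: epoch, then upstream, then revision."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        up, sep, rev = rest.rpartition("-")
        return int(epoch), (up if sep else rest), (rev if sep else "")
    (ex, ux, rx), (ey, uy, ry) = split(x), split(y)
    return (ex > ey) - (ex < ey) or _cmp_part(ux, uy) or _cmp_part(rx, ry)

HEADER = re.compile(r"(\S+) \(([^)]+)\) (\S+); urgency=(\w+)")
IDS = re.compile(r"\b(?:CAN|CVE)-\d{4}-\d{4,}\b")
def pending_high_urgency(changes_text, installed):
    # (pkg, installed, fixed, ids) for installed packages older than an urgency=high entry
    pending = []
    for entry in changes_text.split("Changes: ")[1:]:
        pkg, fixed, _dist, urgency = HEADER.match(entry).groups()
        have = installed.get(pkg)  # a package that is not installed is not affected
        if urgency == "high" and have and deb_version_cmp(have, fixed) < 0:
            pending.append((pkg, have, fixed, sorted(set(IDS.findall(entry)))))
    return sorted(pending)

# Constructed sample input: four entries as quoted in the mail and a made-up 'dpkg -l' inventory.
CHANGES = """Changes: ncompress (4.2.4-9.2) stable; urgency=high . * Disallow maxbits less than 10
Changes: atftp (0.6.0woody1) stable-security; urgency=high . * Fix buffer overflow in tftpd_send_file
Changes: gzip (1.3.2-3woody1) stable-security; urgency=high . * gzexe.in (CVE-1999-1332), znew (CAN-2003-0367)
Changes: kernel-source-2.4.17 (2.4.17-1woody1) stable-security; urgency=high . * CAN-2003-0127, CAN-2003-0246"""
INSTALLED = {"atftp": "0.6.0woody1", "gzip": "1.3.2-3", "kernel-source-2.4.17": "2.4.17-1"}
```

On the constructed inventory only gzip and the kernel source come back as pending: atftp is already at the fixed version and ncompress is not installed at all.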