debian 2.2 review at http://www.securityportal.com/closet/
I've just read your article on debian 2.2.
While you make many valid points, I'm confused about a couple of
> Moving on. Once the basic install is done, you will discover
> that several services are enabled in inetd that shouldn't
> be. Discard, daytime, time, shell, login, and exec (r
> services) are all enabled by default
echo, daytime, time were specifically disabled on my installation.
> crypt passwords are trivial to brute-force when
> compared to MD5ed ones.
I think the operative phrase is "when compared to MD5ed ones".
Besides, you need access to the crypted password to be able to
brute-force it. /etc/shadow isn't readable for mortals.
> As an example, the ftp site ftp.win.tue.nl was
> cracked into some time ago, and several packages
> were replaced with Trojaned versions. TCP_WRAPPERS
> was compromised, among other things. Over 50 people
> downloaded these packages before someone noticed
> they were not properly signed with PGP, and raised
Doesn't this in fact indicate that signed packages aren't that useful,
as people don't check them anyway?
> You'd think that now that 2.2 is out the door,
> Debian could focus a lot of activity on fixing it.
Actually, the intention is to get 2.3 out of the door now. Unlike
some vendors, debian tries to release _after_ problems are resolved,
not "release first, patch later". The freeze period, during which the
system is tested and all serious bugs (as far as they are detected)
are fixed, was a couple of months long. During this time no new
packages are allowed in, which explains for example why apache is
1.3.9. Anyway, had you taken the time to do some investigation, you
would have seen the following in the debian changelog for apache:
* [RC, security] Backported security fix for Cross Site Scripting issue
(CERT Advisory CA-2000-02) from apache 1.3.11 patch.
This was done Sun, 16 Apr 2000. I haven't checked others, I expect that
you will find that there too fixes have been backported. Please update
your review to reflect any such findings.
It would have been much more useful to have done your review during
the freeze period, when these reports can make a difference. The
freeze period is a time where debian encourages people like yourself
to test the system and submit bug reports where necessary. I hope that
when debian 2.3 is frozen you will take the time to do another
thorough review _before_ it is released.
Paul Slootman <firstname.lastname@example.org> <email@example.com>
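The inetd point above (which small and r-services are active after install) is easy to check mechanically. The script below is an added example, not part of the thread or of Debian; it parses a constructed inetd.conf sample, lists the active entries, flags the services the review names, and comments them out using the `#<off>#` marker that Debian's update-inetd uses for disabled entries.

```python
# Audit an inetd.conf for the services the review lists as enabled by default.
# The services named in the thread: discard, daytime, time, echo, shell, login, exec.
RISKY_SERVICES = {"discard", "daytime", "time", "echo", "shell", "login", "exec"}


def enabled_services(inetd_conf: str) -> list[str]:
    """Return the service names of active (non-commented) inetd.conf entries."""
    services = []
    for line in inetd_conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank, comment, or a Debian '#<off>#' disabled entry
        fields = stripped.split()
        # inetd.conf layout: service socktype proto flags user server [args]
        if len(fields) < 6:
            continue  # malformed line; inetd would reject it
        services.append(fields[0])
    return services


def risky_enabled(inetd_conf: str) -> list[str]:
    """Sorted list of active services that the review says should be off."""
    return sorted(s for s in set(enabled_services(inetd_conf)) if s in RISKY_SERVICES)


def disable_services(inetd_conf: str, names) -> str:
    """Comment out the given services with Debian's '#<off># ' marker."""
    names = set(names)
    out = []
    for line in inetd_conf.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and stripped.split()[0] in names:
            out.append("#<off># " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample, not a real Debian 2.2 file: echo and daytime already off,
# the other services from the review still active.
SAMPLE_INETD_CONF = """\
#<service> <socket> <proto> <flags> <user> <server_path> <args>
#<off># echo   stream tcp nowait root internal
#<off># daytime stream tcp nowait root internal
discard stream tcp nowait root internal
time    stream tcp nowait root internal
ftp     stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
shell   stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd
login   stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind
exec    stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rexecd
"""

if __name__ == "__main__":
    print("risky and enabled:", risky_enabled(SAMPLE_INETD_CONF))
    print(disable_services(SAMPLE_INETD_CONF, risky_enabled(SAMPLE_INETD_CONF)))
```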