Debian Weekly News - March 14th, 2001

---------------------------------------------------------------------------
Debian Weekly News
http://www.debian.org/News/weekly/2001/8/
---------------------------------------------------------------------------
                                    
Welcome to Debian Weekly News, a newsletter for the Debian community.

For years we've known that Debian's means of getting packages and
releases out to users is lacking from a security standpoint. There has
been no way to know that the package you just downloaded was really
made by a Debian developer and is really a part of a current Debian
release. This is rapidly changing, and soon users will have two
complementary ways to verify that they are installing legitimate
packages. This week a [1]patch was posted to the debian-dpkg list that
adds support to dpkg for checking signatures of Debian packages. The
signatures are held in a new section of the package itself, and tools
are entering Debian now to add and check such signatures. This type of
package signing parallels similar techniques that have been present in
the rpm world for a long time, and they are a welcome addition to
dpkg, but their usefulness should not be over-emphasized.

Signed packages alone still leave open several avenues of attack.
Various evil things can be done to the [2]Packages file, or by
tricking apt into downloading an [3]old and insecure package. Closing
off these attacks requires another layer of security -- signed
releases. Already Release.gpg files are appearing on the archive, and
apt will soon be able to verify these signatures when it upgrades a
Debian system. In the final analysis, neither of these schemes
guarantees absolute security, but they will make attacks much harder
for the black hats, and perhaps by the time woody is released, both
types of signatures will be widely available.
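The two preceding paragraphs describe a chain of trust: a signature over the Release file, hashes in Release that vouch for the Packages index, and hashes in Packages that vouch for each .deb. The following is an added example (not code from the newsletter, dpkg or apt) that walks that chain in Python. It assumes the field names of the Release and Packages formats (MD5Sum/SHA256 sections in Release; Size, MD5sum and SHA256 fields in Packages), uses a constructed fake .deb as sample input, and assumes a gpg binary with the archive key imported for the detached-signature step; the hash-chain functions run fully offline.

```python
"""Walk the trust chain Release.gpg -> Release -> Packages -> .deb (added example)."""
import hashlib
import subprocess
from typing import Dict, Tuple

# Release-file section name -> hashlib algorithm. 2001-era archives published
# only MD5Sum; SHA256 is what current archives publish. Both are handled.
SECTION_ALGOS = {"MD5Sum": "md5", "SHA256": "sha256"}


def parse_release_hashes(release_text: str) -> Dict[str, Dict[str, Tuple[str, int]]]:
    """Return {path: {algo: (hexdigest, size)}} from the hash sections of a Release file."""
    hashes: Dict[str, Dict[str, Tuple[str, int]]] = {}
    algo = None
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # A non-indented "Name:" line starts a new field; only hash sections matter.
            algo = SECTION_ALGOS.get(line.rstrip(":").strip())
            continue
        if algo is not None:
            digest, size, path = line.split()
            hashes.setdefault(path, {})[algo] = (digest, int(size))
    return hashes


def parse_packages(packages_text: str) -> Dict[str, Dict[str, str]]:
    """Split a Packages file into stanzas keyed by package name."""
    stanzas: Dict[str, Dict[str, str]] = {}
    for block in packages_text.strip().split("\n\n"):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            if line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Package" in fields:
            stanzas[fields["Package"]] = fields
    return stanzas


def index_matches_release(release_text: str, index_path: str, index_bytes: bytes) -> bool:
    """True only if every hash Release lists for index_path, and its size, match the bytes."""
    entries = parse_release_hashes(release_text).get(index_path)
    if not entries:
        return False  # a file Release does not vouch for is untrusted
    for algo, (digest, size) in entries.items():
        if len(index_bytes) != size or hashlib.new(algo, index_bytes).hexdigest() != digest:
            return False
    return True


def deb_matches_index(packages_text: str, name: str, deb_bytes: bytes) -> bool:
    """True only if the .deb's size and hash match the stanza in the (already verified) index."""
    stanza = parse_packages(packages_text).get(name)
    if stanza is None or int(stanza.get("Size", -1)) != len(deb_bytes):
        return False
    if "SHA256" in stanza:
        return hashlib.sha256(deb_bytes).hexdigest() == stanza["SHA256"]
    return hashlib.md5(deb_bytes).hexdigest() == stanza.get("MD5sum")


def release_signature_ok(release_path: str, sig_path: str) -> bool:
    """Verify the detached Release.gpg with gpg.

    Assumption: gpg is installed and the archive signing key is in the keyring;
    a non-zero exit (bad signature, unknown key) means the chain must not be trusted.
    """
    result = subprocess.run(["gpg", "--verify", sig_path, release_path], capture_output=True)
    return result.returncode == 0


def build_sample_chain():
    """Constructed sample data: a fake .deb, a Packages stanza for it and a Release covering Packages."""
    deb = b"!<arch>\nfake-debian-binary-payload\n"  # constructed, not a real archive
    packages = (
        "Package: example\nVersion: 1.0-1\nArchitecture: i386\n"
        "Filename: pool/main/e/example/example_1.0-1_i386.deb\n"
        f"Size: {len(deb)}\nMD5sum: {hashlib.md5(deb).hexdigest()}\n"
        f"SHA256: {hashlib.sha256(deb).hexdigest()}\n"
    ).encode()
    release = (
        "Origin: Debian\nSuite: stable\nMD5Sum:\n"
        f" {hashlib.md5(packages).hexdigest()} {len(packages)} main/binary-i386/Packages\n"
        "SHA256:\n"
        f" {hashlib.sha256(packages).hexdigest()} {len(packages)} main/binary-i386/Packages\n"
    )
    return release, packages, deb


if __name__ == "__main__":
    release, packages, deb = build_sample_chain()
    print("index covered by Release:", index_matches_release(release, "main/binary-i386/Packages", packages))
    print("deb covered by index:    ", deb_matches_index(packages.decode(), "example", deb))
```

The order matters: the signature is checked first, then Release's hashes are used to accept or reject the Packages index, and only then is a downloaded .deb compared against the stanza in that index. Because the signed index binds each package to an exact size and digest, a modified Packages file fails the Release check and a substituted build (old or otherwise) fails the stanza check, which is precisely the gap the newsletter says package signatures alone leave open.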

Preparations are underway for an update to stable, Debian version
2.2r3. As in most minor revisions, packages with security problems,
copyright issues, or very bad bugs are candidates to be updated in
this release. It may also include updates to make it compatible with
the 2.4 kernel, since all the necessary packages are [4]already
backported. Martin Schulze is [5]coordinating the new release, and
his list of packages that will get in is available [6]on the web.

DPL elections are under way, after a few false starts. Developers can
pick up a [7]ballot and mail it in, gpg-signed. Voting ends on the
28th.

Another bug squashing party is planned for [8]this weekend. Nearly
350 release critical bugs remain after the last party, and they all
need to be fixed before woody is released, so anyone with spare time
this weekend is encouraged to lend a hand and fix a bug or two.

Some weeks, unending security fixes pour into Debian. This was such a
week. Some of these announcements are for problems that were actually
fixed earlier but not announced, but many are brand-new security
fixes.
  * [9]Several minor bugs in stable's proftpd package could lead to
    minor security problems.
  * A remotely exploitable [10]buffer overflow in analog could be
    exploited via the CGI interface.
  * Several [11]buffer overflows in ePerl were discovered that could
    lead to a remote root exploit in some setups.
  * A [12]remote denial of service attack was found in man2html -- it
    could be forced to consume all memory.
  * A [13]local exploit in midnight commander.
  * All of the xaw replacement libraries (nextaw, xaw3d, and xaw95)
    were updated to fix some [14]security holes that were earlier
    found and fixed in xaw itself.
  * A [15]temp file security hole was fixed in sgml-tools.
  * [16]Two security holes in stable's glibc, both root exploits, were
    fixed. (Note that the fix broke ldd on suid binaries, so an update
    will probably be released eventually to fix that.)
  * A [17]remotely exploitable buffer overflow in stable's slrn.
  * Joe [18]unsafely read .joerc from the current directory; this was
    locally exploitable when joe was run in directories such as /tmp/.
  * A [19]remotely exploitable buffer overflow in gnuserv and xemacs.
  * Several [20]remote exploits in Zope.
  * A [21]buffer overflow in mailx that could locally yield access to
    the mail group.
    
The security team deserves many thanks for all their hard work this
week.

---------------------------------------------------------------------------
References
  1. http://lists.debian.org/debian-dpkg-0103/msg00024.html
  2. http://lists.debian.org/debian-dpkg-0103/msg00046.html
  3. http://lists.debian.org/debian-dpkg-0103/msg00035.html
  4. http://www.fs.tum.de/~bunk/kernel-24.html
  5. http://lists.debian.org/debian-devel-announce-0103/msg00008.html
  6. http://master.debian.org/~joey/2.2r3/
  7. http://lists.debian.org/debian-devel-announce-0103/msg00005.html
  8. http://lists.debian.org/debian-devel-announce-0103/msg00009.html
  9. http://www.debian.org/security/2001/dsa-032
  10. http://www.debian.org/security/2001/dsa-033
  11. http://www.debian.org/security/2001/dsa-034
  12. http://www.debian.org/security/2001/dsa-035
  13. http://www.debian.org/security/2001/dsa-036
  14. http://www.debian.org/security/2001/dsa-037
  15. http://www.debian.org/security/2001/dsa-038
  16. http://www.debian.org/security/2001/dsa-039
  17. http://www.debian.org/security/2001/dsa-040
  18. http://www.debian.org/security/2001/dsa-041
  19. http://www.debian.org/security/2001/dsa-042
  20. http://www.debian.org/security/2001/dsa-043
  21. http://lists.debian.org/debian-security-announce-01/msg00042.html

-- 
see shy jo