
[paul@murphy.nl: debian 2.2 review at http://www.securityportal.com/closet/]

I don't remember who was talking about the article that 'takes apart' Debian 2.2.

Here I'm forwarding a reply from debian-devel.


----- Forwarded message from Paul Slootman <paul@murphy.nl> -----

Date: Wed, 30 Aug 2000 15:26:46 +0200
From: Paul Slootman <paul@murphy.nl>
To: seifried@securityportal.com
Subject: debian 2.2 review at http://www.securityportal.com/closet/

I've just read your article on debian 2.2.
While you make many valid points, I'm confused about a couple of

	Moving on. Once the basic install is done, you will discover
	that several services are enabled in inetd that shouldn't
	be. Discard, daytime, time, shell, login, and exec (r
	services) are all enabled by default

echo, daytime, time were specifically disabled on my installation.

	crypt passwords are trivial to brute-force when
	compared to MD5ed ones.

I think the operative phrase is "when compared to MD5ed ones".
Besides, you need access to the crypted password to be able to
brute-force it. /etc/shadow isn't readable for mortals.

	As an example, the ftp site ftp.win.tue.nl was
	cracked into some time ago, and several packages
	were replaced with Trojaned versions.  TCP_WRAPPERS
	was compromised, among other things. Over 50 people
	downloaded these packages before someone noticed
	they were not properly signed with PGP, and raised
	the alarm. 

Doesn't this in fact indicate that signed packages aren't that useful,
as people don't check them anyway?

	You'd think that now that 2.2 is out the door,
	Debian could focus a lot of activity on fixing it.

Actually, the intention is to get 2.3 out of the door now.  Unlike
some vendors, debian tries to release _after_ problems are resolved,
not "release first, patch later".  The freeze period, during which the
system is tested and all serious bugs (as far as they are detected)
are fixed, was a couple of months long. During this time no new
packages are allowed in, which explains for example why apache is
1.3.9.  Anyway, had you taken the time to do some investigation, you
would have seen the following in the debian changelog for apache:

  * [RC, security] Backported security fix for Cross Site Scripting issue
    (CERT Advisory CA-2000-02) from apache 1.3.11 patch.

This was done Sun, 16 Apr 2000. I haven't checked others, I expect that
you will find that there too fixes have been backported. Please update
your review to reflect any such findings.

It would have been much more useful to have done your review during
the freeze period, when these reports can make a difference. The
freeze period is a time where debian encourages people like yourself
to test the system and submit bug reports where necessary. I hope that
when debian 2.3 is frozen you will take the time to do another
thorough review _before_ it is released.

Paul Slootman <paul@murphy.nl> <paul@debian.org>
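The inetd point above is easy to check on an installed system. The following is an added example, not part of the original thread: it parses an inetd.conf in the classic seven-field format and reports which of the services named in the review (and echo, which the reply mentions) are actually enabled. The configuration text is constructed for illustration.

```python
"""Audit an inetd.conf for the legacy services named in the review.

Added example, not part of the original mailing-list thread.  The
configuration text below is constructed for illustration.
"""

# Services the review lists as enabled by default, plus echo from the reply.
RISKY_SERVICES = {"discard", "daytime", "time", "shell", "login", "exec", "echo"}

# Constructed sample: an inetd.conf in the classic seven-field format
# (service socket-type protocol wait/nowait user server args).
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf: see inetd(8) for further information.
#:INTERNAL: Internal services
#echo       stream  tcp nowait  root    internal
discard     stream  tcp nowait  root    internal
#daytime    stream  tcp nowait  root    internal
time        stream  tcp nowait  root    internal
#:BSD: Shell, login, exec and talk are BSD protocols.
shell       stream  tcp nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rshd
login       stream  tcp nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rlogind
#exec       stream  tcp nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rexecd
ftp         stream  tcp nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
"""


def enabled_services(conf_text):
    """Return {service: server} for every uncommented, well-formed line."""
    enabled = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out entry: inetd does not serve it
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; inetd would log and ignore it
        service, server = fields[0], fields[5]  # server is "internal" for built-ins
        enabled[service] = server
    return enabled


def risky_enabled(conf_text):
    """Return the sorted list of enabled services that the review flags."""
    return sorted(s for s in enabled_services(conf_text) if s in RISKY_SERVICES)


if __name__ == "__main__":
    for svc in risky_enabled(SAMPLE_INETD_CONF):
        print(f"enabled in inetd: {svc}")
```

Run it against a real file with `risky_enabled(open("/etc/inetd.conf").read())`; anything it lists is served by inetd as soon as the daemon starts.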
