[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Debian Weekly News - March 14th, 2001

Debian Weekly News
Debian Weekly News - March 14th, 2001
Welcome to Debian Weekly News, a newsletter for the Debian community.

For years we've known that Debian's means of getting packages and
releases out to users is lacking from a security standpoint. There has
been no way to know that the package you just downloaded was really
made by a Debian developer and is really a part of a current Debian
release. This is rapidly changing, and soon users will have two
complimentary ways to verify that they are installing legitimate
packages. This week a [1]patch was posted to the debian-dpkg list that
adds support to dpkg for checking signatures of Debian packages. The
signatures are held in a new section of the package itself, and tools
are entering Debian now to add and check such signatures. This type of
package signing parallels similar techniques that have been present in
the rpm world for a long time, and they are a welcome addition to
dpkg, but their usefulness should not be over-emphasized.

Signed packages alone still leave open several avenues of attack.
Various evil things can be done to the [2]Packages file, or by
tricking apt into downloading an [3]old and insecure package. Closing
off these attacks requires another layer of security -- signed
releases. Already Release.gpg files are appearing on the archive, and
apt will soon be able to verify these signatures when it upgrades a
Debian system. In the final analysis, neither of these schemes
guarantees absolute security, but they will make attacks much harder
for the black hats, and perhaps by the time woody is released, both
types of signatures will be widely available.

Preparations are underway for an update to stable, Debian version
2.2r3. As in most minor revisions, packages with security problems,
copyright issues, or very bad bugs are candidates to be updated in
this release. It may also include updates to make it compatible with
the 2.4 kernel, since all the necessary packages are [4]already
backported. Martin Schulze is [5]coordinating the new release, and
his list of packages that will get in is available [6]on the web.

DPL elections are under way, after a few false starts. Developers can
pick up a [7]ballot and mail it in, gpg-signed. Voting ends on the

Another bug squashing party is planned for [8]this weekend. Nearly
350 release critical bugs remain after the last party, and they all
need to be fixed before woody is released, so anyone with spare time
this weekend is encouraged to lend a hand and fix a bug or two.

Some weeks, unending security fixes pour into Debian. This was such a
week. Some of these announcements are for problems that were actually
fixed earlier but not announced, but many are brand-new security
  * [9]Several minor bugs in stable's proftpd package could lead to
    minor security problems.
  * A remotely exploitable [10]buffer overflow in analog could be
    exploited via the CGI interface.
  * Several [11]buffer overflows in ePerl were discovered that could
    lead to a remote root exploit in some setups.
  * A [12]remote denial of service attack was found in man2html -- it
    could be forced to consume all memory.
  * A [13]local exploit in midnight commander.
  * All of the xaw replacement libraries (nextaw, xaw3d, and xaw95)
    were updated to fix some [14]security holes that were earlier
    found and fixed in xaw itself.
  * A [15]temp file security hole was fixed in sgml-tools.
  * [16]Two security holes in stable's glibc, both root exploits, were
    fixed. (Note that the fix broke ldd on suid binaries, so an update
    will probably be released eventually to fix that.)
  * A [17]remotely exploitable buffer overflow in stable's slrn.
  * Joe [18]unsafely read .joerc from the current directory, this was
    locally exploitable joe was ran in directories such as /tmp/.
  * A [19]remotely exploitable buffer overflow in gnuserv and xemacs.
  * Several [20]remote exploits in Zope.
  * A [21]buffer overflow in mailx that could locally yield access to
    the mail group.
The security team deserves many thanks for all their hard work this

  1. http://lists.debian.org/debian-dpkg-0103/msg00024.html
  2. http://lists.debian.org/debian-dpkg-0103/msg00046.html
  3. http://lists.debian.org/debian-dpkg-0103/msg00035.html
  4. http://www.fs.tum.de/~bunk/kernel-24.html
  5. http://lists.debian.org/debian-devel-announce-0103/msg00008.html
  6. http://master.debian.org/~joey/2.2r3/
  7. http://lists.debian.org/debian-devel-announce-0103/msg00005.html
  8. http://lists.debian.org/debian-devel-announce-0103/msg00009.html
  9. http://www.debian.org/security/2001/dsa-032
  10. http://www.debian.org/security/2001/dsa-033
  11. http://www.debian.org/security/2001/dsa-034
  12. http://www.debian.org/security/2001/dsa-035
  13. http://www.debian.org/security/2001/dsa-036
  14. http://www.debian.org/security/2001/dsa-037
  15. http://www.debian.org/security/2001/dsa-038
  16. http://www.debian.org/security/2001/dsa-039
  17. http://www.debian.org/security/2001/dsa-040
  18. http://www.debian.org/security/2001/dsa-041
  19. http://www.debian.org/security/2001/dsa-042
  20. http://www.debian.org/security/2001/dsa-043
  21. http://lists.debian.org/debian-security-announce-01/msg00042.html

see shy jo

Reply to: