
Re: Debian servers "hacked"?



On Wed, Nov 26, 2003 at 12:47:40PM -0500, Matt Zimmerman wrote:
>On Sat, Nov 22, 2003 at 02:32:45AM -0500, George Georgalis wrote:
>
>> I thought it was odd there were ~50 urgent security updates all in one
>> evening.
>
>There weren't.  Read the changelogs; these were normal bugfixes which
>entered stable as part of the 3.0r2 point release, whose announcement was
>delayed due to the cleanup efforts.


Thanks, I appreciate the updates, and I sympathize re the post
compromise workload.

I've posted 3 or 4 messages re the changes and compromise, from these
I really only want to raise one point: 

  Is there a list of what has been validated and/or restored at
  debian? If so I see no reason to withhold it for a final report, and
  good reason to have it live, throughout the process. It would enable
  undertaking of realtime debian system threat analysis based on the
  trust established with debian last week versus after the compromise.

In the same email I also said had there been no series of change
announcements prior to the compromise, live progress reports would not be as
desirable as they are in this case (though everybody wants to know if it
was an ssh bug or loose password... when known).

That aside, I still wonder if we are talking about the same
thing.  It turns out about 160 packages were posted on
debian-changes@lists.debian.org Nov 19. According to the change
logs they don't appear as normal bugfixes, but many are like
"kernel-source-2.4.17 (2.4.17-1woody1) stable-security; urgency=high"
which includes at least one user to root vulnerability. Maybe I'm
missing something, but I don't see any indication these changes don't
affect current installs but are only relevant to r2. (not sure what the
difference would be either)

For me, only one of those 160 packages (when I use 'upgrade' on a
typical box I administer) is marked 'urgency=high', debianutils. Why the
program file is not part of the list even with 'dist-upgrade'.....
oic the urgent ones really did come out earlier. I clearly don't
understand the methodology of the announcements and the woody r1 to r2
process.

Whether technically everything was presented sufficiently for everybody
to determine validity and appropriateness is not my point in all this,
only that a live progress report of the restore/verification process (ie
"we have verified or fixed host/service a, b and c") would have set many
at ease and I imagine would have been fairly nominal to provide -- a
suggestion.

A few of the other important i386 changes that came out are below --
less their _actual_ dates and less relevant now that I see they've
been available for a while -- as well as links to my other posts. In
retrospect, a post-compromise clarification that the urgent packages
are probably already installed vs people verifying and wondering when
security.debian.org would come back so they could be obtained, would be
as valuable as the progress report!  Your follow up is much appreciated.
-- thanks for all the hard work these days!

// George


http://lists.svlug.org/pipermail/svlug/2003-November/046244.html
http://lists.svlug.org/pipermail/svlug/2003-November/046249.html



Changes:
 ncompress (4.2.4-9.2) stable; urgency=high
 .
   * Disallow maxbits less than 10, to avoid data corruption (closes: #220820).

Changes:
 atftp (0.6.0woody1) stable-security; urgency=high
 .                                                  
   * Non-maintainer upload by the Security Team
   * Fix buffer overflow in tftpd_send_file [tftpd_file.c]   

Changes:
 autorespond (2.0.2-2woody1) stable-security; urgency=high
 .                                                  
   * Non-maintainer upload by the Security Team
   * Fix buffer overflow with EXT and HOST environment variables
     (CAN-2003-0654)                                            

Changes:
 cupsys (1.1.14-5) stable-security; urgency=high   
 .
   * Security fix: prevent denial of service by not freezing when an
     HTTP transaction is improperly terminated.
   * Fix Build-Depends to make sure that PAM support is always available.
   * CAN-2003-0195

Changes:
 ddskk (11.6.rel.0-2woody1) stable-security; urgency=high
 .                                                       
   * Non-maintainer upload by the Security Team
   * Apply patch from Takao Kawamura <kawamura@debian.org> to create temporary
     files safely

Changes:
 debianutils (1.16.2woody1) stable; urgency=high
 .
   * Backport of Ian Zimmerman's run-parts program output loss
     patch, which fixes zombie problem.  closes: #184710.

Changes:
 ethereal (0.9.4-1woody5) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * Fix vulnerabilities announced in enpa-sa-00010
     - throw an error on zero-length bufsize in tvb_get_nstringz0
       (CAN-2003-0431)
       [epan/tvbuff.c]
     - Fix over-allocation problem in DCERPC dissector
       (CAN-2003-0428)
       [packet-dcerpc-lsa.c]
     - Fix overflow with bad IPv4 or IPv6 prefix lengths
       (CAN-2003-0429)
       [packet-isis-lsp.c]
     - Use a slightly larger buffer in print_tsap
       (CAN-2003-0432)
       [packet-clnp.c]
     - Check snprintf return value correctly
       (CAN-2003-0432)
       [packet-isakmp.c, packet-wsp.c, packet-ieee80211.c, packet-dns.c]
     - Fix buffer overflows on szInfo buffer
       (CAN-2003-0432)
       [packet-wtp.c]
     - Use consistent buffer size for valString
       (CAN-2003-0432)
       [packet-wsp.c]
     - Use a GString to avoid all sorts of dangerous buffer handling
       with strcat, sprintf, strncpy
       (CAN-2003-0432)
       [packet-isis-clv.c, packet-dns.c, packet-bgp.c]

Changes:
 file (3.37-3.1.woody.1) stable; urgency=high
 .                             
   * [SECURITY] fix buffer overflow in readelf.c


Changes:
 gallery (1.2.5-8woody1) stable-security; urgency=high
 .                                 
   * Non-maintainer upload by the Security Team 
   * Fix cross-site scripting in searchstring parameter
     (CAN-2003-0614)                                   
     [search.php]

Changes:
 gzip (1.3.2-3woody1) stable-security; urgency=high
 .                                                      
   * Non-maintainer upload by the Security Team         
   * Fix multiple instances of insecure temporary files
     - gzexe.in (CVE-1999-1332), which became un-fixed sometime since potato
     - znew (CAN-2003-0367)

Changes:
 kernel-source-2.4.17 (2.4.17-1woody1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * Apply security fixes from 2.4.18-9
     - CAN-2003-0001: Multiple ethernet Network Interface Card (NIC) device
       drivers do not pad frames with null bytes, which allows remote
       attackers to obtain information from previous packets or kernel
       memory by using malformed packets
     - CAN-2003-0127: The kernel module loader allows local users to gain
       root privileges by using ptrace to attach to a child process that
       is spawned by the kernel
     - CAN-2003-0244: The route cache implementation in Linux 2.4, and the
       Netfilter IP conntrack module, allows remote attackers to cause a
       denial of service (CPU consumption) via packets with forged
       source addresses that cause a large number of hash table
       collisions related to the PREROUTING chain
     - CAN-2003-0246: The ioperm system call in Linux kernel 2.4.20 and earlier
       does not properly restrict privileges, which allows local users to
       gain read or write access to certain I/O ports.
     - CVE-2002-0429: The iBCS routines in arch/i386/kernel/traps.c for Linux
       kernels 2.4.18 and earlier on x86 systems allow local users to kill
       arbitrary processes via a binary compatibility interface (lcall)
     - CAN-2003-0248: The mxcsr code in Linux kernel 2.4 allows attackers to
       modify CPU state registers via a malformed address.
     - CAN-2003-0247: vulnerability in the TTY layer of the Linux kernel 2.4
       allows attackers to cause a denial of service ("kernel oops")
     - CAN-2003-0364: The TCP/IP fragment reassembly handling in the Linux
       kernel 2.4 allows remote attackers to cause a denial of service (CPU
       consumption) via certain packets that cause a large number of hash
       table collisions

-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027    <IXOYE><
Security Services, Web, Mail,            mailto:george@galis.org 
Multimedia, DB, DNS and Metrics.       http://www.galis.org/george 
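The confusion above turns on the distribution tag in each changelog header: "stable-security" entries were Security Team uploads already published on security.debian.org, while plain "stable" entries arrived with the 3.0r2 point release. The following is an added example, not George's or Debian's code, that parses the "Changes:" blocks in the format posted to debian-changes, groups them by that tag, collects the CAN/CVE ids cited, and flags posted versions that differ from an installed-version map (as you would build from `dpkg-query -W`). Version matching is exact-string only, an assumption made to keep it self-contained.

```python
import re
from collections import defaultdict

# Header line of a Debian changelog entry: " pkg (version) dist; urgency=level"
HEADER = re.compile(r"^\s*(\S+) \(([^)]+)\) (\S+); urgency=(\w+)")
# Candidate (CAN-) and assigned (CVE-) identifiers cited in the entry text
CVE_ID = re.compile(r"\b(?:CAN|CVE)-\d{4}-\d{4,}\b")

def parse_changes(text):
    """Return one dict per 'Changes:' block: package, version, dist, urgency, ids."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"package": m.group(1), "version": m.group(2),
                       "dist": m.group(3), "urgency": m.group(4), "ids": []}
            entries.append(current)
        elif current is not None:
            # Same id cited on several lines (as in the ethereal entry) counts once
            current["ids"] += [i for i in CVE_ID.findall(line) if i not in current["ids"]]
    return entries

def group_by_dist(entries):
    """Map distribution tag ('stable-security' / 'stable') -> package names."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["dist"]].append(e["package"])
    return dict(groups)

def missing_updates(entries, installed):
    """Installed packages (name -> version) whose version is not the posted one.
    Exact-string match only; use `dpkg --compare-versions` for real ordering."""
    return sorted(e["package"] for e in entries
                  if e["package"] in installed and installed[e["package"]] != e["version"])

# Constructed sample: two of the entries quoted in the message above
SAMPLE = """\
Changes:
 ncompress (4.2.4-9.2) stable; urgency=high
 .
   * Disallow maxbits less than 10, to avoid data corruption (closes: #220820).

Changes:
 gzip (1.3.2-3woody1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * Fix multiple instances of insecure temporary files
     - gzexe.in (CVE-1999-1332), which became un-fixed sometime since potato
     - znew (CAN-2003-0367)
"""
```

Feeding the full Nov 19 posting through `parse_changes` and `group_by_dist` separates the security uploads that were already available from the point-release fixes, which is the distinction the message was missing.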
