From fw at deneb.enyo.de Thu Mar 1 11:02:27 2007
From: fw at deneb.enyo.de (Florian Weimer)
Date: Thu Mar 1 11:21:36 2007
Subject: [Secure-testing-team] Statement regarding PHP safe mode bugs
Message-ID: <87vehljn7w.fsf@mid.deneb.enyo.de>

Here's my old draft for an official statement regarding PHP safe mode bugs (or, more generally speaking, bugs which can only be exploited by malicious or vulnerable PHP scripts). Recent events suggest that we should publish something to describe the focus of our security support.

Things that need updating:

* Explicit mention of PHP kernel bugs (like the disclosed reference counting issue). In their impact, they are safe mode bugs as well, but this should be made more clear.
* Something about suPHP.
* Something about running separate web servers.

I haven't got much time to work on this right now, so feel free to take over the document and bring it into shape. I hope it's a reasonable starting point.

#use wml::debian::template title="PHP's Safe Mode and Security"

PHP offers a feature called Safe Mode, which is supposed to restrict what untrusted PHP scripts can do when the web server interprets them. Unfortunately, the Safe Mode feature does not reliably provide security. Therefore, the Debian Security Team does not support its use to protect against maliciously written PHP scripts.

Architectural Issues

Even the PHP developers admit that the design of PHP Safe Mode is "architecturally incorrect". Why is this so?

PHP tries to reimplement some of the security checks multi-user operating systems (like Debian GNU/Linux) perform to isolate multiple users on the same system and prevent them from accessing other users' resources without their consent. PHP performs its checks well before the potentially malicious operation is executed, and these checks reside in completely separate program code. Therefore, it is likely that these checks are too lenient and miss dangerous operations, which are then executed by the operating system.

More concretely, many of the libraries PHP scripts can use were written with the assumption that the application is trusted. For example, they do not check some input data for correctness (which is usually not transmitted over the network, such as internal file names), or they assume that the application uses the library programming interface in the documented manner, calling functions in a particular order. By design, these libraries cannot enforce the Safe Mode restrictions on their own, which means that as soon as they implement some functionality which reads or writes to the file system or permits the invocation of arbitrary subprograms, PHP's restrictions are easily bypassed. PHP tries to address this by filtering access to the dangerous functions, but experience shows that again and again, new dangerous functions are discovered.

These design problems imply that Safe Mode offers only very weak protection against untrusted PHP scripts written by malicious authors. They also lead to a high rate of bug fixes related to the Safe Mode feature.

Security Team Support for Safe Mode

The Debian Security Team does not support Safe Mode. This means that no security updates will be issued for PHP security defects which can be exploited only by specially-crafted PHP scripts, or PHP scripts suffering from PHP command injection vulnerabilities.

This decision is based on two observations: Most PHP users are small-scale users, not service providers. As a result, they do not have to deal with the challenge of multiple users who need to write PHP scripts which run on the web server, but do not trust each other. These users would not benefit directly from security updates related to Safe Mode. Even worse, security updates, like all changes, come at a cost, for example in terms of stability and scheduled downtime, and should be avoided if possible.

In addition, PHP security updates are always a significant effort because the upstream developers usually do not provide isolated security patches, only new releases. According to the security backporting policy, the Security Team is forced to reverse-engineer the changes from one PHP version to another, to recover a minimal patch which just fixes the security issue. The number of updates related to Safe Mode makes this process very time-consuming.

Therefore, the Debian Security Team allocates its resources to other tasks, according to the needs of the Debian community. Consequently, PHP defects which can be exploited by maliciously written PHP scripts which are not related to Safe Mode will not be addressed in official security updates, either.

Alternatives

Most large ISPs who run customer PHP scripts on shared hosting servers do not use mod_php (or other forms of direct integration into a web server), but use the CGI version of PHP, suEXEC, and a different user account for each customer and proper permissions. This way, the operating system enforces the usual restrictions.

In such an environment, it is important to restrict the number of installed SUID and SGID applications, to prevent local privilege escalation, and to promptly apply security-related kernel updates. A host-based intrusion detection system is also strongly recommended. This means that this approach is far from ideal, but experience from ISPs suggests that the necessary level of security can be achieved.

Of course, it is possible to enable Safe Mode as an additional layer of defense. However, as the only layer, it is far too weak.
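As an added example (not part of Florian's draft and not Debian project code), here is a small audit for the per-customer layout the "Alternatives" section relies on: CGI PHP plus suEXEC, one account per customer, and OS-enforced permissions. It reports the three things a local user could use to step outside that separation, namely set-user-ID/set-group-ID files, world-writable entries, and files not owned by the customer's account. The sample tree, its directory names, and the use of the current user as the "customer account" are constructed for the demo.

```python
"""Added example, not part of the draft above: audit per-customer document roots
for set-user-ID/set-group-ID files, world-writable entries and files not owned by
the expected account. Sample tree and names are constructed for the demo."""
import os
import stat
import tempfile


def audit_docroot(root, expected_uid=None):
    """Walk `root` and return the findings, as paths relative to `root`."""
    findings = {"setid": [], "world_writable": [], "foreign_owner": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow a symlink out of the tree
            rel = os.path.relpath(path, root)
            # Only regular files matter for setuid/setgid; setgid directories are benign.
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings["setid"].append(rel)
            # Symlinks always report mode 0777, so skip them for the write check.
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                findings["world_writable"].append(rel)
            if expected_uid is not None and st.st_uid != expected_uid:
                findings["foreign_owner"].append(rel)
    return findings


def is_clean(findings):
    """True when no category has any finding."""
    return not any(findings.values())


def build_demo_tree():
    """Constructed sample: customer_a is clean, customer_b has two problems."""
    root = tempfile.mkdtemp(prefix="docroot-demo-")
    for customer in ("customer_a", "customer_b"):
        uploads = os.path.join(root, customer, "uploads")
        os.makedirs(uploads)
        index = os.path.join(root, customer, "index.php")
        with open(index, "w") as f:
            f.write('<?php echo "hello";\n')
        os.chmod(index, 0o644)
        os.chmod(uploads, 0o755)
    # customer_b: a set-user-ID script and a world-writable upload directory
    os.chmod(os.path.join(root, "customer_b", "index.php"), 0o4755)
    os.chmod(os.path.join(root, "customer_b", "uploads"), 0o777)
    return root


def demo_results():
    """Audit both constructed customers, taking the current user as their account."""
    root = build_demo_tree()
    uid = os.getuid()
    return {c: audit_docroot(os.path.join(root, c), expected_uid=uid)
            for c in ("customer_a", "customer_b")}


if __name__ == "__main__":
    for customer, findings in demo_results().items():
        verdict = "clean" if is_clean(findings) else "FAIL"
        print(f"{customer}: {verdict} {findings}")
```

Run periodically (or from a host-based IDS hook) against each customer's document root with that customer's uid as `expected_uid`; any finding is a reason to look closer, since with suEXEC the operating system only separates customers as long as ownership and mode bits stay the way they were set up.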

From jmm at inutil.org Sat Mar 10 13:30:29 2007
From: jmm at inutil.org (Moritz Muehlenhoff)
Date: Sat Mar 10 12:31:02 2007
Subject: [Secure-testing-team] MOPB overview
Message-ID: <20070310123029.GA26023@galadriel.inutil.org>

Hi,
I've committed a temporary tracking file for the MOPB to SVN (data/mopb.txt). I'm away for the rest of the weekend, so it doesn't cover all issues yet. I hope to catch up in a few days, so that it can be updated daily after that. Additions, review and corrections welcome.

Cheers,
Moritz

From sf at sfritsch.de Mon Mar 12 10:54:07 2007
From: sf at sfritsch.de (Stefan Fritsch)
Date: Mon Mar 12 10:09:37 2007
Subject: [Secure-testing-team] Re: [debian-audit] Re: Security audit for TorrentFlux
In-Reply-To: <20070312091330.GA2513@javifsp.no-ip.org>
References: <45F34781.8090406@gmail.com> <45F4BB74.3010702@gmail.com> <20070312091330.GA2513@javifsp.no-ip.org>
Message-ID: <200703121054.08140.sf@sfritsch.de>

Hi,

On Monday 12 March 2007 10:13, Javier Fernández-Sanguino Peña wrote:
> On Sun, Mar 11, 2007 at 07:31:16PM -0700, Cameron Dale wrote:
> > unstable (at least, that's how I understand it). So, all the
> > fixes for those bugs have been backported to the 2.1 version that
> > is in unstable.
>
> You *should* update the version in unstable ASAP. Freeze only
> applies to testing, *not* to unstable. The way to get security fixes
> into testing (when frozen) is through unstable. Even though your
> package is not in testing you should make every effort to keep
> unstable security-bug-free. Please mention all CVE names in the
> changelog fixed in your new upload (like you did for 2.1-7)

All open issues are fixed in unstable in 2.1-7, see
http://security-tracker.debian.net/tracker/source-package/torrentflux

Some more thoughts:
- when I looked through it, I found far fewer issues than I expected (though I still think that the code quality is very bad). However, I am also not a PHP expert and would not consider what I did to be a full audit.
- AFAIR most if not all issues were only for authenticated users, so maybe one could add a note that it should be only used with trusted users. Quake 2 was released with Sarge in this way while having lots of security issues.
- in November or so I had a discussion with Micah on IRC and we agreed that we did not see any problems with it being released with etch. I didn't notice the discussion on debian-release, though.

Cheers,
Stefan

From frx at firenze.linux.it Mon Mar 12 19:57:27 2007
From: frx at firenze.linux.it (Francesco Poli)
Date: Mon Mar 12 20:01:35 2007
Subject: [Secure-testing-team] Is the security bug tracker up-to-date?
Message-ID: <20070312195727.618f643f.frx@firenze.linux.it>

Hi!
I noticed something weird on the security bug tracker[1]. Some vulnerabilities are still listed for testing as fixed in unstable, while the package version that fixes the problem has already migrated from unstable to testing.

For instance, the report[2] for CVE-2007-0981 states:

|
| iceweasel (PTS) etch 2.0.0.1+dfsg-2 vulnerable
|                 sid  2.0.0.2+dfsg-3 fixed
|

On the other hand, the testing migration checker[3] says:

|
| * iceweasel has the same version in unstable and testing
|   (2.0.0.2+dfsg-3)
|

and the PTS[4] confirms that iceweasel 2.0.0.2+dfsg-3 migrated to testing on 2007-03-10.

What's wrong?

[1] http://security-tracker.debian.net/tracker/
[2] http://security-tracker.debian.net/tracker/CVE-2007-0981
[3] http://bjorn.haxx.se/debian/testing.pl?package=iceweasel
[4] http://packages.qa.debian.org/i/iceweasel.html

P.S.: Please Cc: me on replies, as I am not a list subscriber. Thanks.

--
http://frx.netsons.org/progs/scripts/refresh-pubring.html
Need to refresh your keyring in a piecewise fashion?
.....................................................
Francesco Poli . GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
From florian_ernst at gmx.net Wed Mar 14 11:23:59 2007
From: florian_ernst at gmx.net (Florian Ernst)
Date: Wed Mar 14 10:24:13 2007
Subject: [Secure-testing-team] CVE-2007-1253: blender: eval injection vulnerability in kmz_ImportWithMesh.py
Message-ID: <20070314102359.GB22897@rechenknecht.dynip.yawsp.de>

Hello folks,

just FYI: CVE-2007-1253 as e.g. summarised on only affects testing/unstable. A fix is in preparation and will be uploaded as 2.42a-6 to unstable from where it can easily propagate to testing. Upstream has decided to deal with this issue by simply dropping the script in question in 2.43, and the blender package maintainers will follow suit (2.43 will also be uploaded to experimental soon, fwiw).

Stable/oldstable are not affected as this script was first introduced in upstream 2.42, see e.g. upstream's cvs for background:

HTH,
Flo
From camrdale at gmail.com Wed Mar 14 21:31:27 2007
From: camrdale at gmail.com (Cameron Dale)
Date: Wed Mar 14 21:28:24 2007
Subject: [Secure-testing-team] Re: [debian-audit] Re: Security audit for TorrentFlux
In-Reply-To: <200703121054.08140.sf@sfritsch.de>
References: <45F34781.8090406@gmail.com> <45F4BB74.3010702@gmail.com> <20070312091330.GA2513@javifsp.no-ip.org> <200703121054.08140.sf@sfritsch.de>
Message-ID: <45F85B9F.3070305@gmail.com>

Stefan Fritsch wrote:
> All open issues are fixed in unstable in 2.1-7, see
>
> http://security-tracker.debian.net/tracker/source-package/torrentflux
>
> Some more thoughts:
> - when I looked through it, I found far fewer issues than I expected
> (though I still think that the code quality is very bad). However, I
> am also not a PHP expert and would not consider what I did to be a
> full audit.
> - AFAIR most if not all issues were only for authenticated users, so
> maybe one could add a note that it should be only used with trusted
> users. Quake 2 was released with Sarge in this way while having lots
> of security issues.
> - in November or so I had a discussion with Micah on IRC and we agreed
> that we did not see any problems with it being released with etch. I
> didn't notice the discussion on debian-release, though.

Is there any chance of getting an audit done for this package? As Stefan mentioned, there are no open security issues in unstable and the package seems safe. I'm not sure if it's too late to get this into Etch, considering the recent announcement about the new release timeline. Anyone?

Thanks,
Cameron
From jfs at debian.org Wed Mar 14 23:20:14 2007
From: jfs at debian.org (Javier Fernández-Sanguino Peña)
Date: Wed Mar 14 22:21:11 2007
Subject: [Secure-testing-team] Re: [debian-audit] Re: Security audit for TorrentFlux
In-Reply-To: <45F85B9F.3070305@gmail.com>
References: <45F34781.8090406@gmail.com> <45F4BB74.3010702@gmail.com> <20070312091330.GA2513@javifsp.no-ip.org> <200703121054.08140.sf@sfritsch.de> <45F85B9F.3070305@gmail.com>
Message-ID: <20070314222014.GA27664@javifsp.no-ip.org>

On Wed, Mar 14, 2007 at 01:31:27PM -0700, Cameron Dale wrote:
> Is there any chance of getting an audit done for this package? As Stefan
> mentioned, there are no open security issues in unstable and the package
> seems safe. I'm not sure if it's too late to get this into Etch,
> considering the recent announcement about the new release timeline. Anyone?

It's too late to get it into etch. In any case, an audit for this package is still possible. I cannot commit to it until after the release, but if no one steps up, I could take care of it.

Regards

Javier
From porridge at debian.org Wed Mar 21 15:37:42 2007
From: porridge at debian.org (Marcin Owsiany)
Date: Wed Mar 21 15:02:03 2007
Subject: [Secure-testing-team] Security issues in package ekg
Message-ID: <20070321143742.GA16354@kufelek>

Skipped content of type multipart/mixed

From felipe at cathedrallabs.org Thu Mar 22 02:39:08 2007
From: felipe at cathedrallabs.org (Felipe Augusto van de Wiel (faw))
Date: Thu Mar 22 01:40:06 2007
Subject: [Secure-testing-team] Re: Security issues in package ekg
In-Reply-To: <20070321143742.GA16354@kufelek>
References: <20070321143742.GA16354@kufelek>
Message-ID: <4601DE3C.6090504@cathedrallabs.org>

Hi Marcin,

On 03/21/2007 11:37 AM, Marcin Owsiany wrote:
[...]
> 2661: A memory leak in handling image messages, which may cause memory
> exhaustion resulting in a DoS (ekg program crash). Exploitable by a
> hostile GG user.
[...]
> ----------------+-------------------+---------------+-----------------------------
> Dist            | Contains version  | Vulnerable to | Version (to be) fixed in
> ----------------+-------------------+---------------+-----------------------------
> UPSTREAM        | 1.7-RC2           | ALL           | 1.7-RC3 (already released)
> sarge           | 1:1.5+20050411-5  | 2661 only (*) | 1:1.5+20050411-7
> sid,etch        | 1:1.7~rc2-1       | ALL           | 1:1.7~rc2+1-1
> sarge-volatile  | 1:1.5+20050411-6  | 2661 only (*) | 1:1.5+20050411-8
> ----------------+-------------------+---------------+-----------------------------
>
> (*) No GIF OCR code was in these versions, thus they are not vulnerable
>
> Please have a look at the attached minimal patches, I intend to apply
> them to respective versions of updated packages.
>
> Please allocate CVEs for the 3 above issues. I will prepare new packages
> once I have the CVEs.

Thanks for the detailed report. It would probably be good to have an ack, so, for Debian Volatile: ACK! :-)

> regards,
> Marcin
[...]

Kind regards,
--
Felipe Augusto van de Wiel (faw)
"Debian. Freedom to code. Code to freedom!"

From henrich at iijmio-mail.jp Fri Mar 23 09:12:42 2007
From: henrich at iijmio-mail.jp (Hideki Yamane)
Date: Fri Mar 23 08:45:40 2007
Subject: [Secure-testing-team] CVE-2007-0981 does NOT affect icedove
Message-ID: <20070323171242.1b541379.henrich@iijmio-mail.jp>

Hi list,

CVE-2007-0981 (http://security-tracker.debian.net/tracker/CVE-2007-0981) is tracked as icedove (mozilla-thunderbird)'s vulnerability, but it seems that it affects Firefox/Mozilla browser products (it's a cross-domain cookie stealing issue, so it is for the browser, not the mailer).

--
Regards,
Hideki Yamane
From mh at glandium.org Fri Mar 23 19:52:38 2007
From: mh at glandium.org (Mike Hommey)
Date: Fri Mar 23 19:25:28 2007
Subject: [Secure-testing-team] Some mozilla security bug updates
Message-ID: <20070323185238.GA16619@glandium.org>

Hi,

I just discovered http://security-tracker.debian.net/tracker/ (shame on me not to have known it earlier) and have some comments for some bugs affecting mozilla-based packages.

CVE-2006-6506 doesn't apply to iceape
CVE-2007-1116 also applies to xulrunner, and is reported as debian bugs #415919, #415944 and #415945.
CVE-2006-6507 applies neither to iceape nor to xulrunner
CVE-2006-0496 also affects iceape and xulrunner
CVE-2007-0801 also affects iceape and xulrunner, but, according to https://bugzilla.mozilla.org/show_bug.cgi?id=369428, is fixed since iceweasel 2.0.0.2, iceape 1.0.8 and xulrunner 1.8.0.10.
I guess CVE-2007-1004 affects iceape, and *may* affect browsers based on xulrunner.
CVE-2007-1084 may affect iceape and browsers based on xulrunner.

I can't reproduce CVE-2006-4561 with xulrunner. Neither in 1.8.0.10-3 nor in an earlier (I tried 1.8.0.5-4) version... Anyways, if firefox indeed got fixed in 1.5.0.7, then it means xulrunner was fixed in 1.8.0.7-1. And if the fix was really done in mozilla code base 1.8.0.7, then iceape was never exposed.
Cheers,
Mike

From micah at riseup.net Fri Mar 23 23:33:39 2007
From: micah at riseup.net (Micah Anderson)
Date: Fri Mar 23 23:01:53 2007
Subject: [Secure-testing-team] Some mozilla security bug updates
In-Reply-To: <20070323185238.GA16619@glandium.org>
References: <20070323185238.GA16619@glandium.org>
Message-ID: <460455C3.5020900@riseup.net>

Hi Mike,

Mike Hommey wrote:
>
> I just discovered http://security-tracker.debian.net/tracker/ (shame on
> me not to have known it earlier) and have some comments for some bugs
> affecting mozilla-based packages.
>
> CVE-2006-6506 doesn't apply to iceape
> CVE-2007-1116 also applies to xulrunner, and is reported as debian bugs
> #415919, #415944 and #415945.
> CVE-2006-6507 does apply neither to iceape nor to xulrunner
> CVE-2006-0496 also affects iceape and xulrunner

I made these changes, thanks.

> CVE-2007-0801 also affects iceape and xulrunner, but, according to
> https://bugzilla.mozilla.org/show_bug.cgi?id=369428, is fixed since
> iceweasel 2.0.0.2, iceape 1.0.8 and xulrunner 1.8.0.10.

In this case, I put:

- iceweasel 2.0.0.2+dfsg-1 (low)
- iceape 1.0.8-1 (low)
- xulrunner 1.8.0.10-1 (low)

Meaning those were the debian packages this was fixed in, please correct me if I am wrong.

> I guess CVE-2007-1004 affects iceape, and *may* affect browsers based on
> xulrunner.
> CVE-2007-1084 may affect iceape and browsers based on xulrunner.

Ok, I'll add iceape, let us know if you determine otherwise. Also, you say that it may affect browsers based on xulrunner, I guess I am noting that xulrunner is affected then? What other browsers use xulrunner embedded?

>
> I can't reproduce CVE-2006-4561 with xulrunner. Neither in 1.8.0.10-3
> nor in earlier (I tried 1.8.0.5-4) version... Anyways, if firefox indeed
> got fixed in 1.5.0.7, then it means xulrunner was fixed in 1.8.0.7-1.
> And if the fix was really done in mozilla code base 1.8.0.7, then iceape
> was never exposed.
Noted xulrunner as fixed in 1.8.0.7-1.

Thanks for the updates!
Micah

From fw at deneb.enyo.de Sat Mar 24 10:57:39 2007
From: fw at deneb.enyo.de (Florian Weimer)
Date: Sat Mar 24 10:13:16 2007
Subject: [Secure-testing-team] Release sql-ledger as part of etch?
Message-ID: <87ircr55gs.fsf@mid.deneb.enyo.de>

Is it really a good idea to release this with etch, given the excerpt from the README.Debian file below? (Sorry if this has been discussed before.)

IMPORTANT SECURITY NOTICE
-------------------------
SQL-Ledger is known to have many vulnerabilities that are exploitable by someone who has a user account on this web application. That's why you should *only* use that application if you trust the users that have access to it.

Historically it also had some vulnerabilities that could be exploited even without having an account. So we advise you to put this web application in an authenticated HTTP zone.

Summary: SQL-Ledger is not suitable for public installations or for installations with untrusted users.

Some pointers:

http://bugs.debian.org/409703
http://www.securityfocus.com/archive/1/459264
http://www.securityfocus.com/archive/1/445817

From mh at glandium.org Sat Mar 24 15:06:05 2007
From: mh at glandium.org (Mike Hommey)
Date: Sat Mar 24 14:07:11 2007
Subject: [Secure-testing-team] Some mozilla security bug updates
In-Reply-To: <460455C3.5020900@riseup.net>
References: <20070323185238.GA16619@glandium.org> <460455C3.5020900@riseup.net>
Message-ID: <20070324140605.GA13258@glandium.org>

On Fri, Mar 23, 2007 at 04:33:39PM -0600, Micah Anderson wrote:
> > I guess CVE-2007-1004 affects iceape, and *may* affect browsers based on
> > xulrunner.
> > CVE-2007-1084 may affect iceape and browsers based on xulrunner.
>
> Ok, I'll add iceape, let us know if you determine otherwise.
> Also, you
> say that it may affect browsers based on xulrunner, I guess I am noting
> that xulrunner is affected then? What other browsers use xulrunner embedded?

xulrunner by itself is not affected; it depends on what the browsers that use it allow to be removed from their UI and how easy it may be to make something look like it with remote content. This can actually affect any browser.

FWIW, xulrunner-using browsers are, AFAIK, epiphany, galeon and kazehakase.

Mike

From alec at thened.net Sat Mar 24 17:07:15 2007
From: alec at thened.net (Alec Berryman)
Date: Sun Mar 25 00:35:19 2007
Subject: [Secure-testing-team] Release sql-ledger as part of etch?
In-Reply-To: <87ircr55gs.fsf@mid.deneb.enyo.de>
References: <87ircr55gs.fsf@mid.deneb.enyo.de>
Message-ID: <20070324160715.GA31876@thened.net>

Florian Weimer on 2007-03-24 10:57:39 +0100:
> Is it really a good idea to release this with etch, given excerpt from
> the README.Debian file below? (Sorry if this has been discussed
> before.)
>
> IMPORTANT SECURITY NOTICE
> -------------------------
> SQL-Ledger is known to have many vulnerabilities that are exploitable by
> someone who has a user account on this web application. That's why you
> should *only* use that application if you trust the users that have access
> to it.
>
> Historically it also had some vulnerabilities that could be exploited even
> without having an account. So we advise to you to put this web
> application in an authenticated HTTP zone.

debian/postinst unconditionally enables the application in apache (only apache, not apache2), but does not restart the web server to make it available. If it's a security risk and should only be run in an authenticated HTTP zone as the maintainer suggests, perhaps it should not be enabled by default.
From micah at riseup.net Sun Mar 25 06:11:52 2007
From: micah at riseup.net (Micah Anderson)
Date: Sun Mar 25 05:09:30 2007
Subject: [Fwd: [Secure-testing-team] Security issues in package ekg]]
Message-ID: <46060498.6010203@riseup.net>

Here are the CVEs for the ekg package:

> 2661: A memory leak in handling image messages, which may cause memory
> exhaustion resulting in a DoS (ekg program crash). Exploitable by a
> hostile GG user.

Use CVE-2007-1663

> 2694: off-by-one in token OCR function, which may cause a null pointer
> dereference resulting in a DoS (ekg program crash). Exploitable by MiTM
> (hostile HTTP proxy or TCP stream injection) or a hostile GG server.

Use CVE-2007-1664

> 2699: potential memory exhaustion in token OCR function, which may cause
> memory exhaustion resulting in a DoS (ekg program crash). Exploitability
> same as in 2694.

Use CVE-2007-1665

Micah

From porridge at debian.org Sun Mar 25 12:37:25 2007
From: porridge at debian.org (Marcin Owsiany)
Date: Sun Mar 25 11:38:23 2007
Subject: [Secure-testing-team] Re: Security issues in package ekg
In-Reply-To: <20070321143742.GA16354@kufelek>
References: <20070321143742.GA16354@kufelek>
Message-ID: <20070325113725.GA12531@kufelek>

Skipped content of type multipart/mixed
From vorlon at debian.org Sun Mar 25 12:49:49 2007
From: vorlon at debian.org (Steve Langasek)
Date: Sun Mar 25 11:50:00 2007
Subject: [Secure-testing-team] Re: Security issues in package ekg
In-Reply-To: <20070325113725.GA12531@kufelek>
References: <20070321143742.GA16354@kufelek> <20070325113725.GA12531@kufelek>
Message-ID: <20070325114949.GB1215@mauritius.dodds.net>

On Sun, Mar 25, 2007 at 12:37:25PM +0100, Marcin Owsiany wrote:
> I would like to use 1:1.7~rc2-2 and upload to unstable with
> urgency=high. Then, if the release team would let this propagate to
> frozen, we would have a single upload taking care of both sid and etch
> (there would be no other changes - see proposed interdiff attached).
> Please let me know if this is acceptable.

Yes, it is.

Thanks,
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

From jmm at inutil.org Sun Mar 25 22:45:01 2007
From: jmm at inutil.org (Moritz Muehlenhoff)
Date: Sun Mar 25 22:21:30 2007
Subject: [Secure-testing-team] Release sql-ledger as part of etch?
In-Reply-To: <87ircr55gs.fsf@mid.deneb.enyo.de>
References: <87ircr55gs.fsf@mid.deneb.enyo.de>
Message-ID: <20070325214501.GH3143@galadriel.inutil.org>

Florian Weimer wrote:
> Is it really a good idea to release this with etch, given excerpt from
> the README.Debian file below? (Sorry if this has been discussed
> before.)
>
> IMPORTANT SECURITY NOTICE
> -------------------------
> SQL-Ledger is known to have many vulnerabilities that are exploitable by
> someone who has a user account on this web application. That's why you
> should *only* use that application if you trust the users that have access
> to it.
>
> Historically it also had some vulnerabilities that could be exploited even
> without having an account. So we advise to you to put this web
> application in an authenticated HTTP zone.
>
> Summary: SQL-Ledger is not suitable for public installations or for
> installations with untrusted users.

I recommended adding such a note; the alternative would have been to remove it altogether. Given the nature of the program it seems likely that there are still useful fields of application.

BTW, for discussions not directly related to the Security Tracker we should rather use debian-security@ldo.

Cheers,
Moritz

From porridge at debian.org Mon Mar 26 18:52:47 2007
From: porridge at debian.org (Marcin Owsiany)
Date: Mon Mar 26 17:53:46 2007
Subject: [Secure-testing-team] Re: Security issues in package ekg
In-Reply-To: <20070321143742.GA16354@kufelek>
References: <20070321143742.GA16354@kufelek>
Message-ID: <20070326175247.GA19695@kufelek>

Skipped content of type multipart/mixed
From henrich at iijmio-mail.jp Tue Mar 27 15:14:37 2007
From: henrich at iijmio-mail.jp (Hideki Yamane)
Date: Tue Mar 27 14:15:19 2007
Subject: [Secure-testing-team] CVE-2007-0981 does NOT affect icedove
In-Reply-To: <20070323171242.1b541379.henrich@iijmio-mail.jp>
References: <20070323171242.1b541379.henrich@iijmio-mail.jp>
Message-ID: <20070327231437.62b87515.henrich@iijmio-mail.jp>

On Fri, 23 Mar 2007 17:12:42 +0900 Hideki Yamane wrote:
> CVE-2007-0981 (http://security-tracker.debian.net/tracker/CVE-2007-0981)
> is tracked as icedove(mozilla-thunderbird)'s vulnerability, but it seems
> that affect Firefox/Mozilla browser product (It's cross-domain cookie
> stealing issue, so it is for browser, not mailer).

...and the tracked Debian Bug #411192 is assigned to iceweasel (not icedove).
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=411192

Please check it.

--
Regards,
Hideki Yamane

From frx at firenze.linux.it Fri Mar 30 23:53:15 2007
From: frx at firenze.linux.it (Francesco Poli)
Date: Fri Mar 30 23:37:53 2007
Subject: [Secure-testing-team] CVE-2007-0002, -0238, and -0239 are fixed in testing-security, aren't they?
Message-ID: <20070331005315.77c0f882.frx@firenze.linux.it>

Hi!
I noticed something strange on the security bug tracker[1].
The testing status page still lists three openoffice.org vulnerabilities
(CVE-2007-0002, -0238, and -0239) as "fixed in unstable".

On the other hand, DSA 1270-2 claims[3] that those same vulnerabilities are
fixed by version 2.0.4.dfsg.2-5etch1, which is currently provided by
debian-security testing/updates.

I think these three vulnerabilities should be listed as "fixed in
testing-security". Or am I wrong?

[1] http://security-tracker.debian.net/tracker/
[2] http://security-tracker.debian.net/tracker/status/release/testing
[3] http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00029.html

-- 
http://frx.netsons.org/doc/nanodocs/etch_workstation_install.html
Need to read a Debian etch installation walk-through?
.....................................................
Francesco Poli . GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20070331/eccbb595/attachment.pgp

From frx at firenze.linux.it Fri Mar 30 23:55:21 2007
From: frx at firenze.linux.it (Francesco Poli)
Date: Fri Mar 30 23:43:07 2007
Subject: [Secure-testing-team] Re: CVE-2007-0002, -0238, and -0239 are fixed in testing-security, aren't they?
In-Reply-To: <20070331005315.77c0f882.frx@firenze.linux.it>
References: <20070331005315.77c0f882.frx@firenze.linux.it>
Message-ID: <20070331005521.19bc7b09.frx@firenze.linux.it>

On Sat, 31 Mar 2007 00:53:15 +0200 Francesco Poli wrote:
> Hi!
[...]

I forgot to say: please Cc: me on replies, as I am not a list subscriber.
Thanks.

-- 
http://frx.netsons.org/doc/nanodocs/etch_workstation_install.html
Need to read a Debian etch installation walk-through?
.....................................................
Francesco Poli .
GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20070331/8440a06d/attachment.pgp